
while the comment you reply to is borderline insane,

you're talking from a very privileged position in terms of media consumption. the media that criticizes the genocide and the black flag on Oct 7th is very niche and you seem to consume it exclusively. the message is very different within mass media.


you're really trying to vibe architect?


Gotta make a living somehow


this manages to be even worse. since its setup is full of holes to be usable (e.g. reaching out to the filesystem), you get the worst of random binaries without isolation, plus the dead end for updates you get in practice when dealing with hundreds of containers outside of a professionally managed cluster.


Actually, you get better isolation and resource restrictions due to cgroups v2, no mixture with host packages, and the full library stack ships with the application. When the application container is updated, so are the associated packages.


it's a stretch to go from "executing a script with a build user" or "from a validated distro immutable package" to "allowing something to download evergreen code and install files everywhere on the system".


A vanilla python can write files, edit ~/.zsh to create a sudo alias that executes code the next time you invoke sudo and type in your password.

uv installing deps is hardly more risky.


That's sneaky. Do any code scanners check for that class of vulnerability?

Scanning for external dependencies is common but not so much internal private libraries.


https://linuxsecurity.expert/compare/tools/linux-auditing-to... shows a few.

I've used Tiger/Saint/Satan/COPS in the distant past. But I think they're somewhat obsoleted by modern packaging and security like apparmor and selinux, not to mention docker and similar isolators.


Code scanners cannot protect you from code execution on your machine.


point is that a script executes the script in front of you.

uv executes http://somemirror.com/some-version

most people like their distro to vet these things. uv et al. had a reason when Python 2 and 3 were a mess. i think that time is way behind us. pip is mostly to install libraries, and even that is mostly already done by the distros.


Exactly. this is the margin AWS thrives on.

they sell "you don't need a team"... which is true in your prototype and MVP phase. and you know when you grow you will have an ops team and maybe move out.

but in the very long middle time... you will be supporting clients and SLAs etc, and will end up paying both AWS AND an ops team without even realizing.


amazing how nobody even knows about ECC these days.

see so many series B+ companies running DB and storage without a care in the world.


reminder that Stallman was cancelled from the eff with ad hominem attacks. and we are back to calling free software (which would prevent things like the article) Open-Source (which is just donations to Google and Meta)


the people saying GPL cannot sell software are always BSD users, who always work for some company contracting with Booz Allen Hamilton and such. It's never an honest opinion.


nobody robbed my house in years. i still lock the door.

it's so banal to check host keys.


oh it very much is. they just act and bill like it's not.

corruption requires costs you cannot verify after delivery. for construction it's the exaggerated foundation, where they only actually deliver what's needed and pocket the difference. for software it is the hundreds of rewrites that may or may not have happened and are now in the past.


> corruption requires costs you cannot verify after delivery.

No, that is plain fraud. Corruption is paying so that no one notices or cares about the costs that can't be justified after delivery.


i guess your pedantry is right. it would be much more expensive to pay for corruption without the "safety" of some well-executed fraud... but now it's open season and nobody even has to care about looking innocent anymore.

