A pretty straightforward solution is to have an isolated service that keeps the private key and hands back the temporary per-repo tokens for other libraries to use. Only this isolated service has access to the root key, and it should have fairly strict rate limiting for how often it gives other services temporary keys.
Yikes, this is a pretty bad vulnerability. It's good that they fixed it, but damning that it was ever a problem in the first place.
Rule #1 of building any cloud platform analyzing user code is that you must run analyzers in isolated environments. Even beyond analysis tools frequently allowing direct code injection through plugins, linters/analyzers/compilers are complex software artifacts with large surface areas for bugs. You should ~never assume it's safe to run a tool against arbitrary repos in a shared environment.
I also ran a code analysis platform, where we ran our own analyzer[1] against customer repos. Even though we developed the analyzer ourselves, and didn't include any access to environment variables or network requests, I still architected it so executions ran in a sandbox. It's the only safe way to analyze code.
Yes, but the exploit grants you access to ALL repos, not just the one the PR is in. You could just as well change the config in your own private repo and run coderabbit in it.
Following that logic it would be literally impossible to trust any part of their infra. They had a bad build container, the rest of their stuff was solid.
The level of detail of battles is meant to be low because it's focused on wars, not battles. You are not a war general; you are a head of government.
There are still plenty of tactics in Civ 4. Units have different bonuses depending on terrain and other factors. You have to plan where the combat takes place and what types of units you want to use.
Some unit types have collateral damage (catapult, trebuchet, cannon, artillery, mobile artillery, etc.), and there are similar mechanics with air units, cavalry, etc.
The game is not short of battle tactics, just not the board-game-inspired mechanic of Civ 5+.
The efficiency comparison is interesting, since it starts relatively evenly but quickly dismisses the value of the DOGE approach. Everyone I know who worked at USDS has been talented and well-meaning, but I can't help but feel they've been hamstrung specifically by
1. Methodical improvements mostly work to improve processes as they are. They don't delete processes that shouldn't exist.
2. Agency "empowerment" often means working with a lot of incumbent teams that are simply not suited to digital work and sinks way too much time/energy into stakeholder management.
USDS has done good work, but could have done a lot more if they were actually empowered.
This is true based on the conversations I’ve had with my USDS friends too, but I’m under no illusion that DOGE will actually empower people to do the right things.
Like, as someone who is generally fairly process averse, I’ve come to the conclusion that there is a huge middle ground between too much process that hampers getting things done and no process that leads to decisions that either break things, or worse, set disastrous acts in motion because basic checks or conversations with people who have more context didn’t happen.
I think if there was a good-faith attempt from the DOGE folks to audit and understand certain systems and processes, instead of gleefully dismantling and freezing programs, firing people, gleefully announcing how much money was “saved” (and often with incorrect amounts) and reflexively ripping on how terrible everything is, you’d probably get some cooperation from the people who have had to deal with bullshit bureaucracy. But that isn’t what happened.
What’s happened is akin to throwing the baby out with the bath water, all real security issues being completely ignored, under the guise that 19-year-old crypto bros have the work experience, social skills, or common sense to foresee what is happening.
Governments are inefficient. That’s as much a feature as it is a bug. But with USDS in particular, you had people who left high paying jobs to work for the government because they wanted to make things better for democracy and the country. That is decidedly not the goal of DOGE employees, who want to out McKinsey McKinsey when it comes to just slashing and burning.
Unfortunately nuance is dead. I too wish Musk had tried to empower USDS instead of immediately alienating many of the people best positioned to improve things.
Are sweeping layoffs without any serious attempt to retain critical talent going to empower the remaining staff to do their best work? We've seen lots of examples of DOGE cutting loose important people and then flailing to hire them back. What happens when that one person who makes the whole team able to do their jobs gets cut loose? Are you empowered and productive then suddenly?
If DOGE were serious about increasing efficiency they'd be focused on process reforms. Instead they're randomly cancelling contracts, cancelling leases, and letting people go without doing the hard work of analyzing processes or analyzing organizations to figure out where the problems actually are.
It's like their philosophy is "if we cut one of the dog's legs off it'll suddenly become a more efficient runner".
I'm not here to defend DOGE, but you're making the same mistake as the article of assuming the DOGE approach has no merit.
Deleting processes somewhat randomly, then listening for the pain, is a pretty well-known technique for understanding and cleaning up legacy systems. Of course, it should only be used on systems where (temporary) failures are tolerable.
There are parts of the government where that is true, and parts where it is dangerous. The problem on both sides is assuming the same techniques should be applied across the entire government, when some services are indeed life-and-death and others absolutely should be deleted.
The pain you're listening for here is dead veterans, dead trans kids, dead disabled people, starving seniors, people dying from preventable viruses because of vaccine program cuts. The pain you're listening for here is toxic water and food-borne illnesses.
We know we need most of these programs and services! You can make them more efficient, you can identify and cut waste. You don't do that by just making blanket, massive cuts to staff and services and then trying to cobble the pieces back together over the next few years. It doesn't make sense. No sensible person would run a business that way.
Not everyone believes that some amount of human death is acceptable collateral, but essentially everyone behaves as if that were true.
We could save ~47,000 deaths in the next year if we banned cars. Do you think that the deaths of innocent children are an acceptable trade-off for your right to drive? You might not like to think of it that way, but it's just objectively true that this is the trade-off we choose.
If we really care about human lives, why isn't the entire federal budget redirected towards healthcare and medical research? Do you think it's OK to watch children die of cancer just to fund national parks and space probes? If we care about all lives, why don't we spend the entire federal budget on humanitarian aid? What kind of heartless monster would watch children in Africa starve to death just to make their kid's school slightly nicer? If we care about all future lives, why are we squandering resources on consumption now, when compounding returns over centuries could allow those resources to provide vastly greater utility in future?
Everything has an opportunity cost and everything is a tradeoff. We pretend that the status quo has no ugly tradeoffs to protect our sanity, but that's obviously untrue. People die every day because of things we take completely for granted. They die for reasons that are often directly contradictory - I die for want of a regulation that would have prevented a medical accident, you die because of regulatory burdens that hinder the development or dissemination of new medical technology.
Musk might be a mindless vandal or a maverick genius; I am absolutely not intelligent enough to argue that point either way. What I do know is that it would be a miraculous coincidence if the federal government's priorities circa 2024 were so close to perfect that any radical change is prima facie wrong. I have to at least entertain the possibility that we have been stuck in a local maximum and have been squandering massive amounts of potential. A handful of deaths is, in the context of the US economy, actually a very cheap price to pay if you genuinely believe that you can find a fraction of a percentage point of GDP growth.
They're doing this because the expected value on lives saved is positive, not negative.
It's the exact same thing as "defund the police" except applied to the entire government. If policing is net negative, reducing it will save lives. If this government program is inefficient / worthless / net negative, cutting it or disrupting it will save lives.
When you just make stuff up it's easy to prove your point, I agree. There's no reason to assume lives get saved because of deregulation; there's no evidence for that, and plenty to its opposition.
I'm not American and haven't done the calculus here. I'm just pointing out that from an outside perspective, what the American right is doing here is +EV in terms of American lives from their point of view, so it's perfectly rational.
If nothing else, the opportunity cost of a few hundred billion saved eventually, even if it's just a small fraction of US total government spending, can be used to save or improve many many many lives.
Hyperbole like "yeah murder more people, it's good because I can't tell what is good or bad" doesn't help.
This is absolutely true, and I think something that a lot of bleeding heart liberals don't fully understand.
You might be against the death penalty, for example, because you can't bear the thought that the government would put innocent people to death. But some people believe that these are acceptable losses for the gain.
Likewise, you might think that a program that helps prevent violence against a certain minority group would be beneficial. But some people feel that this is a waste of money since it doesn't actually benefit the most people. If you spend money, after all, wouldn't you want to positively affect the most people you could? Everybody else--they are acceptable losses.
If you observed that your argument needs to rest on a false binary choice in an us-vs-others (identity "I am not a liberal"), you should take time to step up to meta-thinking. Maybe we have been too long in the culture war?
Some people want us to ridicule compassion. But why? For whom? For what?
Liberals also support the death penalty but in scenarios where it is less likely to happen. For example if someone doesn’t pay their parking fine it’s possible the situation escalates to a point where an armed government official will kill the person refusing to pay for resisting their lawful commands. This situation might be more unlikely than death penalty for murder or the ‘victim’ might be more responsible for the situation but I think having a hard block against the death penalty because it involves death or is irreversible is hard to defend. I think if you have a sovereign you ultimately have to be comfortable with killing people who oppose the sovereign.
These are some extremely serious claims that I'm going to need to see sources to believe. I'm by no means here to defend DOGE, but what have they done to put the lives of trans kids at serious risk?
Twitter is losing users and is resorting to mob protection racket techniques to get more advertising spend.
Tesla is constantly in the news for all the wrong reasons. FSD fuckups, the absolute disaster of quality control that is the Cybertruck, service delays, parts delays, safety recalls...
SpaceX reportedly has layers of management to protect the actual people who get shit done from Musk's interference. This being the most successful of the companies may possibly be a result of that. https://x.com/yoloption/status/1595213678147764224
Most of his businesses are failures. He has two enormous successes. Unsuccessful businesses eventually fold and go away. That's not an acceptable option for the federal government.
Governments aren’t businesses. They have different incentives and goals. You’re very naive to think otherwise and falling for a pretty common conservative trap.
> Elon's businesses are highly successful running exactly this algorithm.
Oh how nice, but we don't rely on Twitter to look after nuclear weapon stockpiles, warn us about E. coli in food, or fund vaccine development. So it's not really the same is it?
No, that is definitely not a well-known or time-tested technique in anything that actually affects things that matter. You do that when you don't care about consequences. And in this context, not caring about consequences is sociopathic.
Second, you can't just turn institutions or checks and balances back on again. Which is why DOGE does it: to cause permanent destruction they will blame on someone else and to cement oligarchy power.
I sincerely don't understand what this proves. You're citing an example of them making a bad cut and having to reverse it. What part of that is an improvement?
But DoGE is more like a PE firm that fires a bunch of people. It is less like a careful founder who hand crafts tough microdecisions that make everyone more efficient. DoGE cares about the balance sheet not the operations.
Yeah, I’d say it is PE crossed with the worst management consultants. The actual health of the programs and the good to humanity doesn’t matter. It’s all about some perceived balance sheet, as you say, with zero care about the fallout from those decisions.
It’s easy to be efficient when you’re no longer providing any programs or services.
To me, what's happening in the US now looks very much like the wave of hostile takeovers that destroyed British industry through the 70s and 80s. Adam Curtis' "Mayfair Set" documents it well [0].
"Efficiency", which is an empty and practically meaningless word if you really examine it [1], was the cause célèbre then too. And many of the perpetrators were charismatic and quite loved (Stirling was an archetypal British hero) up until the damage had been done and the trickery exposed.
> In short, the idea is to spend time on the floor with your returns team, observing the current process and asking questions to map exactly how you handle returns today. The result is a process map of how you handle different types of returns from end to end.
> 2. Delete any part or process you can
> So look at all the actions you take, question each of them: Question every step: can we remove this? What would happen if we removed this? Would the outcome still be the same? What would be the impact on our KPIs (e.g. customer satisfaction, handling time, and profits)?
I only got as far as step 2 and it's pretty clear DOGE isn't following the steps.
For shakeups, the Deming (14 point) [0] approach that starts with "watch and learn" (system analysis) has always seemed more mature to me than "slash and burn" (and see what grows out of the ashes). Musk is almost the opposite of Deming. Fear and to some extent capricious randomness seem part of the DOGE formula. There's simply no way even cursory investigation can have occurred in the time-frame. To me, any claim that the programme is evidence-based or rational is specious. I think the effects are designed to be discombobulating and foment fear, and that it's purely political.
That's not a good assumption to make for everyone. There are many people who do grow income without growing expenses (see the whole financial independence movement).
I spend about as much now as I did 7 years ago when I made 4x less.
The issue is that for many FIRE people optimizing everything becomes THE main game.
You retire and then you are constantly thinking "how could I do if XYZ happened?".
It's probably better than having to write your own performance review or grind through a job you don't really enjoy, but it's still not what "live your life" is generally supposed to be.
> For most companies, pre-seed SAFEs don't end up much above common.
I'm not sure that is correct.
AFAIK the modern YCombinator post-money SAFE [1] converts to the exact same share class as the VC investment round. The bookface document[2] says "when the company decides to sell shares of preferred stock in a priced round (an 'Equity Financing'), the outstanding safes will convert into shares of preferred stock" and also says elsewhere "then the safe holder will receive shares of Standard Preferred Stock".
I know nothing - so could be completely wrong!!! Complicated stuff LOL
Yeah I personally think the valuation is the least egregious part. If they get sued, they’ll have a defense for how they arrived at that number. It’s not 10x off.
You don't have to take the loan, though. I think I'd prefer to buy the $250 shares at the terrible loan terms than to buy the unleveraged shares at $25,000, which suggests that the loan adds value.
The leveraged shares are essentially an option. If the casino way outperforms expectations, the shareholders will get a huge return on their money (100x return or more). If it meets expectations or loses money, they are out their $250. That fits the profile of what was asked for: if anyone gets very rich off this, they want the community to share in the proceeds. Whether an 11% "financing" cost is fair or not has very little to do with the cost of funds and everything to do with the volatility of the future returns. If there's any chance the casino doubles or triples or sextuples in value, those shares are very valuable, even though that chance would presumably be offset by a large chance of it becoming worthless.
My biggest problem with this is the transfer pricing issues. Bally's has every incentive to route profits to its other corporate entities and a lot of legitimate opportunities to do so.
> This is a constant risk of being the junior partner in a structure, particularly without an aligned senior partner who would be as adversely impacted by sharp operating as you would be.
This would also be solved by issuing the second class of stock with the same economic rights. Some hedge funds get to invest in it, someone who can assess the appropriate discount to apply for being the junior partner. And if Bally's ever do screw the shareholders, they have the perfect parties for a lawsuit: a sophisticated, well-coordinated operator in partnership with a sympathetic plaintiff.
You're right. I was bucketing the pricing/payout issues into the loan terms but they equally apply if you don't take out the loan.
Obviously there are many better ways to structure this if a sophisticated counterparty actually wanted a good investment opportunity for the community. Sadly that's not in anyone's interest.