Yes, I do see. You’re conflating what has no meaning to you with what has no meaning at all. They aren’t the same thing, though.

You’ll need to provide all the sites you visited immediately after each of the ones you searched. Your origin header will give that info away freely. So if it’s in the query parameters of the URL, then you go to Facebook, it’s as easy as {k: v for k, v in (pair.split("=", 1) for pair in response.headers["origin"].split("?", 1)[-1].split("&"))}

Are you Elon Musk? If not, disregard. Otherwise, hey, fuck you.

Can’t say as much about submarines, though.

You’re confusing what I mean. Of course you can make fictitious meaning out of anything. But all meaning is created. All of it. No meaning is discovered.

To say there is no meaning, it represents the depth of ingenuity rather than the depth of reality. Everything has meaning. For example, it might mean something about the past that lead to these circumstances, the potential futures, potential present intentions or lack thereof…

Whether or not you think the meaning fictitious is another topic altogether. If you’re saying there is no meaning, and so therefore any meaning must be fictitious, then you’re just prematurely shutting the door on every perspective which disagrees with yours.

Only works until you find yourself in the same debt spiral that royally fucked Rome, Spain, and plenty of others.

Printing money causes inflation, debasing the currency. You have to raise interest rates to slow down borrowing. But now, we can’t raise interest rates because the debt is too massive… raising would cause mass defaults. Not raising means the bubbles keep growing and the value of the currency collapsing.

You could run a tight budget, but that’ll never happen. The left will win on taxing the rich for social programs, but taxing the rich won’t be enough == more printing. The right will win on tax cuts for the rich, which == more printing. Anyone outside this paradigm won’t get public support.

You could purposefully debase the currency as well. Transfer wealth into other assets and then legislatively increase the value of those assets before finally tethering USD to those. Like with stablecoin or gold, maybe both.

You could do what Japan did and let inflation run its course. That’s also political suicide.

Everything means something because meaning is created, not discovered. They can be greedy, idiots, and still know how to come out on top of a failing empire.

I really think there’s a lot more to this than meets the eye. There being winners implies there being losers also. If the ultra wealthy can come out on top, it leaves the rest of the US with a debased currency on bottom.

Is gold up 2x since 2 years ago, or is the US Dollar loosing its purchase power at a rate not seen since 1970s (Nixon took USD off gold) and 2008-11 (global housing crisis)?

Suddenly, Elons stock-performance based bonus benchmarked at $1T makes some sense…

Anyone else concerned that the AI bubble is actually an everything bubble, and more or less represents the devaluation of the US dollar? We have a lot of debt, we can’t necessarily keep raising interest rates to slow down spending (as that would make the debt’s impact far greater), and so they’re printing money onto the deficit. Meanwhile, you have the White House eye balling cryptocurrency, letting banks hold it alongside gold, … what does all of this mean?

Vibe coding is a self perpetuating feedback loop of hallucinations. The more complex the project gets, the worse the problems. The agent reads its own prior code, which biases it to the prior approach. That bias just pushes issue further, buries them deeper, and you don’t find out until the product is done enough to actually look at it.

I knew a guy who wanted his vibe coding project to display the page count in a PDF. I showed him a super simple python script to do it, but it wasn’t usable for him because his shitty implementation was so unmanageable, so grotesquely over and under engineered at the same time, … he rather spent hours trying and failing to get the AI agent to implement my feature for him.

These might be apples and oranges, but how does NextCloud compare to Seafile?

Maybe if by “developed” you mean capitalistic.

I like mailsac. Any user handle and no signup.

Littering?

It is, up until the point it’s used as a status symbol. Then we ought eat the rich.

G-GE-GET-GET F-GET FU-GET FUC-GET FUCK-GET FUCKE-GET FUCKED-ET FUCKED-T FUCKED-UCKED-CKED-KED-ED-D

Again we’re talking past each other. I’m sure those results are available and I’m aware docker doesn’t verify signatures automatically, but I’m asking how that necessarily makes docker insecure in spite of best practices being implemented. It’s about pinning yourself to trusted digests and having a verification process (like time) before updates. Why would you need authorship verification in that case? If there’s a good answer to that, I’d consider alternatives too. I’m just saying I don’t think it’s inherently insecure over this, and at face value It boils back down to the classic: don’t download untrusted software.

You’re making big claims on security here, like “cannot be done,” and each time you do I feel like we’re talking past each other a bit. I never claimed you can verify that the person who pushed the container had access to a private key file. I claimed you can verify the security of a container, specifically by auditing it and reviewing the publisher’s online presence. Best practices. Don’t upgrade right away, and pin digests to those which can be trusted.

When you pin a digest, you’re not going to get a container some malicious agent force pushed after the fact. You pinned the download to an immutable digest, so hot-swapping the container is out the window. What, as I understand, you’re concerned with is the scenario that a malicious actor (1) compromised the registry login beforehand, (2) you pinned the digest after hand, and (3) the attack is unnoticed by you and everyone else.

I’m trying to figure out under what conditions this would actually occur, and thus justifies the claim that docker pull is insecure. In a work setting, I only see this being an issue if the process to test/upgrade existing ones is already an insecure process. Can you help me understand why I should believe that, even with best practices in place, Dockers own insecurities are unacceptable? Docker is used everywhere and I’m reluctant to believe everyone just doesn’t care about an unmanageable attack vector.

You’re talking about authorship. Sure. But if you verify the container yourself as secure and pin the digest, what’s the issue?

What are you talking about, “yeah that’s the insecurity I’m talking about.”

I didn’t mention an insecurity and neither have you. Would you mind being a little more clear than “Docker pull is insecure?”

Frankly, I was expressing confidence in dockers security. It goes without saying though, any user can do insecure things like download from untrusted sources. That’s not dockers problem though, it’s the users.

Edit: I see now that you added “it’s the download that’s not verified.” Integrity is verified, so I assume you mean authorship (via signing)? I guess you’re saying that, if admin credentials are stolen from a container publisher and the thief force pushes malicious code into the registry under a pre-existing tag—then you would be exposed to that?

Even in that case, though, a digest cannot be overwritten. Tags can. So you’d just pin the digest to avoid this one attack vector?

You can verify the checksum to ensure the contents pulled are exactly the same as what was published. You can also use a private container registry.

How exactly would docker pull be any more insecure than something like pip install? Or, really anything… Let’s go with your preferred alternative, how are you going to get it on your machine in a more secure way than docker provides?

Docker uses TLS with registries, layers and manifests have cryptographic digests, checksums, and you can verify the publisher yourself. Push it into your own registry if you want, or just don’t use latest.