Annoyingly, npm audit relies on GitHub's advisory DB, which is currently incorrectly flagging all versions of these packages, not just the compromised ones.
What do you mean irritatingly? Do you mean that you think 'grep -r "_0x112fa8"' is not enough or are you irritated that npm audit is flagging as if it was compromised?
I'm irritated because I expected to find at least one compromised file, but there were none. It may be, though, that we only use the affected packages as transitive development dependencies, in which case they are not installed locally. But a sliver of doubt remains that I missed something.
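The two checks discussed above, as an added example that is not part of the thread: a recursive grep of the installed tree for the obfuscated identifier quoted in the thread, plus a walk of package-lock.json so that a locked-but-not-installed package (for instance a dev-only transitive dependency omitted by `npm ci --omit=dev`) is still reported. The package names, versions and the `affected` map are constructed for the demo; the real list of compromised versions is not on this page, so `audit()` takes it as an argument.

```python
import json
import os
import tempfile

# Obfuscated identifier the thread greps for. The affected-package list is
# NOT on the page, so audit() takes it as a caller-supplied argument.
MARKER = "_0x112fa8"


def scan_installed(root, marker=MARKER):
    """The `grep -r` step: every file under <root>/node_modules that contains
    the marker, as forward-slash paths relative to root."""
    hits = []
    base = os.path.join(root, "node_modules")
    needle = marker.encode()
    for dirpath, _dirs, files in os.walk(base):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    if needle in fh.read():
                        hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return sorted(hits)


def locked_packages(root):
    """Walk the 'packages' map of a lockfileVersion 2/3 package-lock.json.
    Each entry records whether npm marked it dev-only and whether its
    directory actually exists on disk, which a grep alone cannot tell you."""
    with open(os.path.join(root, "package-lock.json"), encoding="utf-8") as fh:
        lock = json.load(fh)
    entries = []
    for key, meta in lock.get("packages", {}).items():
        if not key:
            continue  # "" is the root project itself
        entries.append({
            "name": key.split("node_modules/")[-1],  # handles nested and @scoped keys
            "version": meta.get("version"),
            "dev": bool(meta.get("dev")),
            "installed": os.path.isdir(os.path.join(root, key)),
        })
    return entries


def audit(root, affected, marker=MARKER):
    """affected: {package_name: set_of_compromised_versions}. Returns marker
    hits from the installed tree plus lockfile entries matching `affected`,
    including ones that are locked but never installed."""
    locked_hits = [e for e in locked_packages(root)
                   if e["name"] in affected and e["version"] in affected[e["name"]]]
    return {"marker_hits": scan_installed(root, marker), "locked_affected": locked_hits}


def build_fixture():
    """Constructed sample project (names and versions are made up): one
    installed package carrying the marker, and one dev-only transitive
    dependency that is in the lockfile but was never installed."""
    root = tempfile.mkdtemp(prefix="npm-audit-demo-")
    lock = {
        "name": "demo", "lockfileVersion": 3,
        "packages": {
            "": {"name": "demo", "version": "1.0.0"},
            "node_modules/left-widget": {"version": "2.1.0"},
            "node_modules/dev-helper": {"version": "0.9.1", "dev": True},
        },
    }
    with open(os.path.join(root, "package-lock.json"), "w", encoding="utf-8") as fh:
        json.dump(lock, fh)
    pkg = os.path.join(root, "node_modules", "left-widget")
    os.makedirs(pkg)
    with open(os.path.join(pkg, "index.js"), "w", encoding="utf-8") as fh:
        fh.write("var " + MARKER + " = ['constructed', 'sample'];\n")
    return root


if __name__ == "__main__":
    demo_root = build_fixture()
    report = audit(demo_root, {"left-widget": {"2.1.0"}, "dev-helper": {"0.9.1"}})
    print(json.dumps(report, indent=2))
```

In the fixture the grep finds only `left-widget`, while the lockfile walk also surfaces `dev-helper` as affected, dev-only and not installed, which is exactly the case the commenter above is unsure about. Run the same two checks against a real checkout by pointing `audit()` at the project root with the advisory's package/version list.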
I've given a few talks at semi-big conferences, and I've always worked hard on the "entertain" part - I think it's really important.
BUT (and it's a big but), it adds a second axis of subjectivity.
Already, I'm out there talking about a thing which I think is "interesting" and "worthy" subject matter of other people's time. Now, I'm adding "and is delivered in an entertaining way".
For me - that's humour - both in the delivery, and in the slides I show. But - like anything - it doesn't always land.
And, when it doesn't -- it's a very very long awkward talk. I've been on speaking circuits where a conference goes to multiple cities (same country), and the talk went down very well in one city, and bombed in another. Things like timing matter (after lunch sucks).
Also, the author lists the requirements as "inform, educate and entertain" -- and I'd add -- "in that order". I've cut things from my talk because they were funny (IMO), but ultimately didn't support the content of the talk enough. After all -- this is a tech talk, not a standup routine.
All three are very hard to do well -- but I do agree with the author that it's the speaker's job to do all three.
My team is worried about that too. We've been a Java and Spring shop for years. We're looking at Micronaut, it's similar enough.
When I had someone from another team take a look at Broadcom and what they could do to Spring, they said the licenses are permissive, it will be fine. Likely not that simple.
- Shorter support windows, with longer support available for purchase (VMware actually introduced this, but Broadcom can weaponize it)
- Then Enterprise Spring, which has additional features
- Then some other license shenanigans.
Hazelcast recently made the move where CVE security updates are only released into the OSS ecosystem quarterly - whereas the enterprise model gets them as soon as they're ready. In OSS, you have to rebuild and patch yourself.
That's a special kind of evil, which has Broadcom DNA all over it.
If the employer is allowed to use an AI proxy for their company, does that make it viable for candidates to deploy an AI proxy / avatar to go through the early stage of the process?
That'll truly give the efficiency that these employers crave - let's both speak once our AI counterparts have deemed we're a match.