
Posts by Matt "msw" Wilson

Screenshot showing Inbox, Saved, and Done labels from Github. There's a 1 in a circle

Fun fact: when you have more than 1,000 notices on GitHub, it says you have 1.

It should be like tabs in Chrome on mobile devices, where past 100 it shows ":)"

3 weeks ago 5 0 1 0
Dealing with the rate of change in software development I am primarily a .NET developer, and in that sphere alone there are at any given time probably close to a dozen fascinating emerging technologies, some of them real game-changers, that I would love...

"Dealing with the rate of change in software development"

Asked 17 years, 6 months ago.

If only I had a time machine to suggest to folks that they try to enjoy the "good 'ole days".
stackoverflow.com/questions/10...

1 month ago 3 2 0 0
Linux Foundation Announces 12.5 Million in Grant Funding to Advance Open Source Security

The Linux Foundation Announces $12.5 Million in Grant Funding (via Alpha-Omega and OpenSSF)

Anthropic, AmazonWebServices (AWS), GitHub, Google, GoogleDeepMind, Microsoft, OpenAI to Invest in Sustainable Security Solutions for #OpenSource

openssf.org/press-releas...

1 month ago 7 3 0 1

Some folks in and around Free and Open Source Software (FOSS) are asking, "does AI change everything?"

If you think that FOSS only exists because software is expensive to write, reuse is efficiency, and AI shifts the economics ("we rewrote Next.js in a week with AI!"), you may be worried.

I'm not.

1 month ago 8 0 2 0

I added a sentence to the #curl hackerone submission page:

"Please present your case briefly and to the point. Do not use an AI to help you blab hundreds of line that will exhaust us to death instead of making us understand your claim."

3 months ago 11 2 0 0
China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182) | Amazon Web Services Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat g...

China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)

aws.amazon.com/blogs/securi...

4 months ago 1 0 0 0
Node.js EOL Versions CVE Dubbed the "Worst CVE of the Year" ... Critics call the Node.js EOL CVE a misuse of the system, sparking debate over CVE standards and the growing noise in vulnerability databases.

Throwback Thursday...

socket.dev/blog/node-js...

4 months ago 1 0 0 0
Node.js — Updates on CVE for End-of-Life Versions Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

These were the rules when the original plan was made to issue CVEs merely because Node.js versions were EOL. This outcome was easy to predict...

nodejs.org/en/blog/vuln...

4 months ago 0 0 1 0

Why? Because

4.1.13 The state of a Product being EOL, by itself, MUST NOT be determined to be a Vulnerability.

www.cve.org/resourcessup....

4 months ago 0 0 1 0
Node.js — Tuesday, January 21, 2025 Security Releases Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

Vendored deps are not unusual at all...

But, unfortunately, misuse of the CVE program is all too common in the NodeJS community.

Let's take CVE-2025-23087, CVE-2025-23088, and CVE-2025-23089 for example. All of these CVEs are REJECTED. nodejs.org/en/blog/vuln...

4 months ago 0 0 1 0
React2Shell (CVE-2025-55182)

> The decision to publish a second CVE for Next.js was made due to these exceptional circumstances: Next.js does not include React as a traditional dependency - instead, they bundle it "vendored"

react2shell.com

4 months ago 0 0 1 0

There are definitely PoCs circulating…

4 months ago 0 0 0 0

Unpopular opinion: a vulnerability that was disclosed privately by researchers and had a coordinated response from vendors and service operators under an (albeit short) embargo is not a “0-day”.

4 months ago 7 0 0 0

4.1.12 The act of updating Product dependencies MUST NOT be determined to be a Vulnerability, regardless of whether the dependencies have Vulnerabilities.

www.cve.org/resourcessup...

4 months ago 0 0 1 0

A public service announcement regarding CVEs: one identified vulnerability gets one CVE.

Each vendor doesn't get their own CVE that corresponds to their security bulletin.

CVE-2025-66478 is REJECTED as duplicate of CVE-2025-55182
www.cve.org/CVERecord?id...

4 months ago 3 0 2 0
Not overselling #aideveloper and #devtools as magical at #aws with Ali Maaz & Jessie VanderVeen YouTube video by RedMonk

To celebrate #awsreinvent, @redmonk.com has been publishing New Builders conversations w @awscloud.bsky.social leaders every day this week & TODAY IS MY DAY 🎉🎉🎉!! Hear AWS's Ali Maaz & Jessie VanderVeen chat all things #AI & #DevTools w me redmonk.com/videos/insid... www.youtube.com/shorts/Ot0gy...

4 months ago 10 1 0 0

Unpopular opinion: through an economics lens, the optimal number of CVEs in most software systems is almost never 0.

5 months ago 5 0 1 0

Culture eats AI adoption strategy for breakfast, lunch, and dinner.

5 months ago 3 0 0 0

"Our only modification part is that, if the Software (or any derivative works thereof) is used for any of your commercial products or services that have more than 100 million monthly active users, or more than $20M in monthly revenue, you shall prominently display 'Kimi K2' on the user interface"

5 months ago 2 1 1 0

I mean, honesty is a human trait. The humans who built that particular AI system biased the set of mysterious numbers (through reinforcement, filtering, etc.) so it assembles tokens in a way that conveys information about the properties and limitations of the system they built.

That's all.

5 months ago 1 0 0 0
The sun rises at the horizon, reflecting off the water of Eagle Harbor. The car deck of the Washington State ferry Tacoma is in the foreground.

#FerryLife #WAWX #Seattle #Sunrise

5 months ago 12 2 0 0
Strengthening Liquibase Community for the Future Liquibase Community now uses the Functional Source License (FSL). Learn what this means for developers, contributors, and enterprises, and how it protects sustainability.

"As adoption has grown, so has our responsibility to ensure the project remains sustainable and continues to thrive. That’s why, with the release of Liquibase 5.0, we are updating the license for Liquibase Community."

www.liquibase.com/blog/liquiba...

6 months ago 1 0 2 0
The Tyranny of Metrics: Muller, Jerry Z.: 9780691191911: Amazon.com: Books Buy The Tyranny of Metrics on Amazon.com ✓ FREE SHIPPING on qualified orders

Metrics are increasingly employed as trust deteriorates. Recommended reading ⬇️

#monktoberfest

a.co/d/im8AStV

6 months ago 6 3 0 0
Coming to a New Awareness of Organizational Culture

Ref: Edgar H. Schein sloanreview.mit.edu/article/comi...

#monktoberfest

6 months ago 0 0 0 0

“Organizational culture is the pattern of basic assumptions that a given group has invented, discovered, or developed in learning to cope with its problems […], and that has worked well enough to be considered valid, and, therefore, to be taught to new members.”
The stories we tell are how we teach.

6 months ago 0 0 1 0

"apparently web traffic is down because Google is giving you an answer already in the results, and you no longer have the need to visit a website"

I mean, this has been a complaint for a while, even before AI entered the timeline? Who needs to go to a music lyrics website when it's in the Info Box?

7 months ago 0 0 0 0

"Piracy lost, but it was always going to lose. Streaming won."

But did the reader / listener / viewer win?

And did the content creators win?

🤔

7 months ago 2 0 1 0

PSA: attacks on public infrastructure like software package registries are on the rise. Here’s an active one targeting folks who have crates.io accounts.

7 months ago 4 3 1 0

I am happily paying Nabu Casa for Home Assistant Cloud.

7 months ago 2 0 0 0

And in the words of @booch.com “Every line of code represents a moral decision"

7 months ago 3 1 0 0