In go, `go mod init` and `go get go@latest` (both recommended commands) both set a 'go <latest-version>' stanza. In go, you _must_ set a minimum required version.
If you type 'cargo init', you will get 'edition = "2024"', but no 'rust-version'.
The situation is different because rust does not require a 'rust-version' in Cargo.toml, and in practice most crates do not have one, while in go it is required you specify a minimum version, there's no automation to set it to the true minimum, and most projects update it incorrectly in practice (because the go cli updates it incorrectly for you).
I continue to find Lockdown mode frustratingly insulting. Just give me the individual options (too) darnit.
Like "No facetime and message attachments from strangers, no link previews, no device connections", yes, please, I don't want dickpics from strangers.
"No javascript JIT or shared photo albums" no, I actually do want to be able to see friend's albums, and also want my battery to last longer due to optimizing JS.
How hard is it to keep the Lockdown Mode toggle, but also add "no link previews, no facetime calls from strangers, never join insecure wifi networks automatically" as separate option toggles I can turn on if I just want those?
Okay, if it's that serious then apple should simply turn it on for everyone. Having toggles for Lockdown mode adds complexity and risk.
The number of users who currently know they need to toggle on lockdown, and would be confused by having toggles under it like "Disable JIT, Disable link previews", etc, is approximately 0.
The number of users who would turn on "disable link previews" and be more secure, but won't enable all of lockdown, is at least me, so that's more than 0. By that logic, it follows that splitting it out makes more users more secure, right?
Let me know where I'm wrong there. Do you legitimately think that there's risk of users knowing they need lockdown mode being unable to find it if there's additional settings added? I guess apple can't add any new settings anywhere.
Do you think that more settings means apple is more likely to introduce a bug that impacts security? I guess apple shouldn't be allowed to add any new settings anywhere.
Perhaps it's time to acknowledge you probably don't know what another person's situation is. Instead of trying to tell them what to do, allow them to choose.
No, lockdown mode isn't a feature for you to do random things. It's a feature to keep gays in Saudi Arabia alive. Non-Han Chinese alive in China. Journalists in Mexico alive.
If they have the option to turn off the life saving measure they will. That's the way it goes. Bc we don't know which one is the life saving measures, and they depend on each other anyway.
You guys are incredibly selfish and self centered to be acting this way
The average Non-Han Chinese person doesn't know lockdown mode exists.
If you want to frame it as a life-saving feature, it should be on by default and impossible to turn off, or at the very least should be a required prompt during initial phone setup.
I'm asking for something that will make more people more secure, since I personally know plenty of people who want iMessage security, but for the web to still be functional (i.e. JIT to work).
> If they have the option to turn off the life saving measure they will
Then they'll just turn off all of lockdown mode, like they do now, to see a good friend's photo album. Great.
... I feel like we're talking past each other, and frankly with your tone of voice you're clearly not going to listen to anything anyone says on this, so there's not really any point in having this discussion at all.
> with how good gaming is on non-windows machines now, there isn't much for a home user to get locked-in with
The options for the average user are not linux or windows, but only macOS or Windows. Gaming is abysmal on macOS on any of the current hardware.
That said, I agree with you that there's less-and-less gaming lock-in on windows, but that's because the majority of gamers are gaming on iOS and android.
> That said, I agree with you that there's less-and-less gaming lock-in on windows, but that's because the majority of gamers are gaming on iOS and android.
I don't think you are aware of how much the landscape has changed regarding gaming and Linux.
2% (linux, really 1% steamOS and 1% other linux) and 1% (macOS) makes it sound much less impressive than "2x".
The options for an average user, who does not use steam and is not in the steam hw survey, are just macOS and windows.
The options for a serious gamer who uses steam (a tiny fraction of PC users) are clearly just Windows or SteamOS at this point, or more likely Windows + a steam deck (which is half of the 2% there, SteamOS).
Or just gaming on iOS / android, like most gamers do these days. The steam hw survey isn't really representative of gamers since the vast majority of them game on consoles and phones.
Are people inside apple fighting to drop the mandatory apple account for iOS and various core apple features?
I can buy a thinkpad and install linux on it without once creating a microsoft account. I can buy an android phone supported by GrapheneOS, and use it as a perfectly fine phone without ever creating a google account.
I cannot buy an iPhone without creating an apple account, without getting ads shoved in my face by apple, without them deciding what I can and can't install on it, and them charging me for the privilege of writing my own software.
Microsoft doesn't deserve as much shame here as Apple does since MS isn't requiring their hardware vendors to lock down the hardware to only be able to run Windows (even though they very well could). Apple, with iOS, is.
> I cannot buy an iPhone without creating an apple account
You can both buy and use an iPhone without creating an Apple account. You are limited to the built-in apps, but those built-in apps cover most common use-cases.
Most people wouldn't want to do this, of course. But you can.
I know the logic on what I’m about to say is not that tight, but…
For some reason, creating an account with Apple doesn’t feel like opening a can of worms like it does with Microsoft.
I know exactly what I’m getting when I open the one with Apple, and I have visibility into it from the settings of every device, feels secure and I never get emails or spam associated to it.
The Microsoft account is another story. It’s a black box, I don’t know what they are collecting, I know that even if it looks like a square today, it’ll be a hexagon tomorrow, and a triangle the next day. They’ll change the product name, merge with some other crap, etc. To access it, you’ll have to remember what the service was when you created it. Live? Hotmail? Outlook? Are they the same as my windows account? Who knows.
It’s just not trustworthy IME.
I don’t have an issue with creating an account, I have an issue not knowing why I need it or what I get from it.
Most common use cases are social media, messaging (WhatsApp, Messenger, Telegram, no one is using SMS anymore), ID apps, payment and banking apps.
You could skip social media, but without the others you would basically have to carry around a second phone or be severely handicapped just trying to live a normal life.
Beside all of that, the idea that a $1000 iPhone is usable without an account because you can SMS and check emails is laughably disingenuous.
Being unable to install an alternate app store or sideload my own apps means I need an apple ID to use the computer I purchased.
Again, android phones with GrapheneOS or windows machines with linux let me use my hardware fully without creating any advertising-ridden-evil-corporate-company's account, including building and running my own apps.
I can't even build my own code for iOS, let alone run it, without an apple account (and paying apple money).
> windows machines with linux let me use my hardware fully without creating any advertising-ridden-evil-corporate-company's account
Does Windows machines with Linux here mean WSL2 on Windows? I think the problem people have had with Microsoft accounts is exactly that they need to use a Microsoft account to use their computers and they don't like it.
If it instead means Linux machine (not sure what Windows has to do with it), then I think people are genuinely happy to have the freedom to use their hardware as they see fit without asking for permission or updating Microsoft or Apple.
You can use an Apple computer without an Apple ID and build your own code on it, but that does seem to be a holdout from the old days when Apple had products like the II Plus and System 9. It feels like they're moving towards the Microsoft model of /mandatory/ accounts even for their desktop OS.
I mean installing linux, not WSL. I can install linux without ever thinking about a MS account on most windows laptops.
Apple restricts their iDevice computers to only run iOS, with no option to install linux.
Microsoft _could_ require that lenovo or dell lock down secureboot such that linux cannot be installed, but they don't (not to mention microsoft surface pros can run linux), so apple is clearly doing more to restrict my freedom with their devices than microsoft is with theirs.
Ok, that's all I meant, you can use the phone without logging in. Yeah you need it for the App Store. Well even if the App Store let you download as guest, the real problem would be that the phone doesn't let you download from elsewhere (mostly).
There is also the ability to build code on your Mac and run on your phone without paying, but pretty sure at least one step in that requires a free account. Guess you could download, build, and run open-source apps that way.
I use both, almost on a daily basis, but spend most of my time in Linux (Arch btw).
Both of them deserve equal amount of shame because they're both trying to do the same, force you to have an online account associated with a local user profile, either directly or indirectly.
Not sure why it has to be a contest who "we should shame the most" or whatever, how about saying both of them suck when it comes to this?
They're trying to make it very clear they're not speaking on behalf of Apple Inc, despite having worked (or working) there.
Big companies like to give employees some minimal "media training", which mostly amounts to "do not speak for the company, do not say anything that might even slightly sound like you're speaking for the company".
He said, "pypi doesn't block upload on scanning"; that's part of where the latency comes from. The other part is simply the sheer mass of uploads, and that there's not money in doing it super quickly.
I agree that's a bad idea to do so since security scanning is inherently a cat and mouse game.
Let's hypothetically say pypi did block upload on passing a security scan. The attacker now simply creates their own pypi test package ahead of time, uploads sample malicious payloads with additional layers of obfuscation until one passes the scan, and then uses that payload in the real attack.
Pypi would also probably open source any security scanning code it adds as part of upload (as it should), so the attacker could even just do it locally.
I suppose my argument is that pypi could offer the option to block downloads to package owners until a security scan is complete (if scanning will always take ~45-60 minutes), and if money is a problem, money can solve the scanning latency. Our org scans all packages ingested into artifact storage and requires dependency pinning, and would continue to do so, but more options (when cheap) are sometimes better imho. Also, not everyone has enterprise resources for managing this risk. I agree it is "cat and mouse" or "whack-a-mole", and always will be (ie building and maintaining systems of risk mitigation and reduction). We don't not do security scanning simply because adversaries are always improving, right? We collectively slow attackers down, when possible.
If pypi charges money, python libraries will suddenly have a lot of "you can 'uv add git+https://github.com/project/library'" instead of 'uv add library'.
I also don't think it would stop this attack, where a token was stolen.
If someone's generating pypi package releases from CI, they're going to register a credit card on their account, make it so CI can automatically charge it, and when the CI token is stolen it can push an update on the real package owner's dime, not the attackers, so it's not a deterrent.
Also, the iOS app store is an okay counter example. It charges $100/year for a developer account, but still has its share of malware (certainly more than the totally free debian software repository).
60-70% for a politician or political position is high. For believing in reality it's low.
If you asked "Do cigarettes contribute to lung cancer", you'd expect 95%+. Our evidence for climate change is on-par with that, and yet the rich have run a wildly successful campaign to cast doubt on it for years.
If people really appreciated the gravity of it, we would not have trump, a demonstrably anti-climate president who has rolled back green policies and slowed decarbonization, and even ran on it.
Apparently spiting the "other side" is more important than our planet's long term habitability.
> If you asked "Do cigarettes contribute to lung cancer", you'd expect 95%+. Our evidence for climate change is on-par with that, and yet the rich have run a wildly successful campaign to cast doubt on it for years.
By the ruling class, yes of course. Not society at large. Citizens overwhelmingly favor action. The numbers don't lie.
Unfortunately people have been fooled into ignoring reality and this emotion and outrage being used to make them believe that it's not politically possible, and it's their fellow citizens who are to blame. That's probably the biggest and most insidious part of the climate disinformation campaign.
> If people really appreciated the gravity of it, we would not have trump, a demonstrably anti-climate president who has rolled back green policies and slowed decarbonization, and even ran on it. Apparently spiting the "other side" is more important than our planet's long term habitability.
Yes absolutely the current state of politics is most assuredly a result of western society's transition from building consensus on reason to building consensus on feelings.
With e2e encryption, the signals you have are pretty minimal.
Let's say a 40 y/o man finds a phone on the ground, sees a name stuck on it, googles "name + town" and finds the facebook of a 12 y/o girl, and messages "Hey I found this phone, do you recognize it? <photo>"
With e2e encryption, you can't easily tell the difference between that and a creep.
This thread is advocating that exactly that case should result in a police visit with the assumption of guilt.
Imagine no e2e for a moment for FB. Policy can be smart enough to pick up that this communication is not representative or normal. That's part of detection.
Second, a single message to someone on a random phone is not going to flag anything.
Third - there is no assumption of guilt. Not even an arrest is assumption of guilt.
Finally - those are extraordinary corner cases. They will happen, but they get resolved the moment the guy says 'oh, I found this phone' - because that will be 100% clear in that context.
Obviously - things can go awry. Meta flags something as bad, sends it to police - they do not follow procedure, or don't apply something correctly and arrest a guy at his place of work. But in the scenario you described, it's literally not a problem - there are 'common sense checks' through the whole thing. The algo, the human making the notification to the police, the police, the judge if a warrant is required. People are not going to be arrested because they found a phone and texted their niece - if that happens, then we have another set of problems.
We can 100% have our 'friendly community' with Facebook.
Now - with an e2e thing like Signal, well, yes, it could theoretically be a problem, but the likelihood of some rando finding a phone, that's not locked, and being able to text some other 12 year old, and effectively 'pose' as their 'contact' - well that's a rare case scenario.
Ideally the TSA at each airport would measure it and release it. They should be measuring it anyway since they should both have efficiency targets for how much of a delay they introduce, and also so that they can show data about how much or little inconvenience they cause when DOGE finally comes to cut one of the actually utterly useless government expenditures.
Since the TSA doesn't seem to be releasing this data though, apple or google could spy on GPS and motion data for individuals to estimate when people enter the line and pass through security, and derive a better-than-nothing estimate. It does seem like the government refusing to do something, and apple/google stepping in and doing a government-like thing is a norm, so even though I'm joking I wouldn't even be that surprised.