Rape is not the only crime people get sent to jail for, and at least some fraction of the US population is capable of seeing the imprisoned as human beings.
I agree nevertheless that inflicting maximum misery and pain on prisoners is popular with a substantial segment of the US electorate, and thus there are negative incentives discouraging even simple fixes like the technology changes wished for in this article.
Rape is just a useful litmus test, because it triggers the "prisoners are irredeemable and deserve to be treated less than human" emotions in most people who don't support rehabilitative justice.
It's easy to say someone who stole a loaf of bread should be rehabilitated, but when asked about a one-off rapist people will show their true beliefs.
It’s a bad litmus test because people are at least capable of making distinctions between classes of crimes and the extent to which rehabilitation is practical. Many might support rehabilitation for e.g. petty thieves (or murderers, since recidivism for homicide is low!) but not rapists.
It’s like conducting a “push poll” using such an emotionally freighted and skewed framing — you’re obviously looking for the answer “nobody supports rehabilitative justice” by emphasizing “BUT WHAT ABOUT RAPISTS”.
> Many might support rehabilitation for e.g. petty thieves (or murderers, since recidivism for homicide is low!) but not rapists.
This would be an example of not supporting rehabilitative justice, as there's no reason to believe this other than emotional reasoning. As a matter of fact, the evidence suggests the contrary - recidivism rates are _lower_ for rape and sexual assault than most other types of crime, including theft: https://bjs.ojp.gov/content/pub/pdf/rsorsp9yfu0514.pdf
> you’re obviously looking for the answer “nobody supports rehabilitative justice”
I never said nobody or anything close to it, that's a straw man you've made up in your head. Obviously, some people truly do support rehabilitative justice, but I believe they are in the minority.
It can be many Zero-Width Space, or a few Hair-Width Space.
You never know, when you don’t know CSS and try to align your pixels with spaces. Some programmers should start a trend where 1 tab = 3 hairline-width spaces (smaller than 1 char width).
I’d also add the language to the mix. I know you can write good code with TS/JS, but the dependency surface is just so large, I’m not comfortable with security code written in it yet (maybe at some point). Add that the repositories were created in the past week, so we can’t see the actual dev practice (was it all vibe coded? What bugs were there?).
I hadn’t considered your second point, but even the author's GH account has an AI picture. I have no idea who this person is or what online/HN reputation they have.
Thanks for raising these concerns — totally fair in the context of security tools.
I’m not anonymous, just cautious. I’m a solo builder, and this is a focused identity for the project. In fact, that's why I implemented full supply chain transparency from day one: signed releases, SLSA attestations, SBOMs, and Rekor logs. You don't need to trust me; you can see the code for yourself.
Ultimately, you're right — if you can't verify it, you shouldn't trust it.
That’s the whole point of the system: zero trust and verifiable cryptographic guarantees.
A "focused identity" with no links to other identities is anonymous by definition.
More importantly, this project is not "zero trust" and calling it such is borderline deceptive.
I can verify the artifacts you're shipping contain the code in the repo (or I could just clone the repo myself), but I cannot automatically verify that your code is non-malicious and free of bugs. That is what I am trusting when using your software, and I have serious doubts about the "free of bugs" part for AI generated software.
I’m right there with you in mistrusting AI generated code but - you also can’t automatically verify that human-written code is non-malicious and bug free.
Cryptography/security is a trust business. Without some kind of personal (or even project) history, I know nothing about you or the project. And if I can’t verify you, I can’t trust you. The rest doesn’t matter much to me.
It means the releases are cryptographically signed using GitHub OIDC, with SLSA v1 provenance and entries in the Rekor transparency log.
That means: you can verify every artifact against its source code, i.e. I have not tampered with the code post-deployment. For example, part of the build is a dry run on the worker build; this is stored as part of the build so you can see / confirm the exact code that was uploaded, and this code is signed.
What people mean with "trust" here is whether they trust there are no subtle security issues. While I think "don't roll your crypto" has been somewhat overstated at times (someone has to write crypto), there is certainly some truth in that you need to be very careful writing this code and that mistakes are incredibly easy to make, even for competent developers.
If I were to release something like this then people can see that 1) this is a guy with >20 years of various contributions to open source and he seems like a basically competent guy we can trust (as much as you can ever trust a single person), but also that 2) he's not a crypto guy and there may very well be oversights. Maybe there are none, but you know...
If someone like, say, Filippo Valsorda were to release something like this, then people could see that 1) is basically the same as me, and 2) he's also a well known crypto guy with a good track record. This is not a guarantee there are no oversights, but I would certainly be surprised if there were major ones. I would certainly trust that more than anything I would write.
The whole signing stuff is kind of a red herring IMO. I mean, it's not bad to have I guess, but honestly I don't really care. If anything, focusing too strongly on "box ticking security" so early on seems like the wrong thing to focus on.
Humans also use em dashes — like that. My browser for one automatically creates them on HN if you correctly type a space, two hyphens then another space. Maybe the dude just has good grammar.
We'll find out in an hour, but I bet OpenAI trained em-dashes out of GPT-5 and that will confuse a lot of people. At least you'll be able to write the way you want to...
Yes I do — and that’s not an em dash, it’s two hyphens. You’re not using a manual typewriter, you have Unicode. You don’t make an exclamation point from an apostrophe and a period, do you?
Yep, not disputing the data. Seems we agree: the premise is people go to college with the expectation of higher earning power. The product is earning power, less so "learning", but we don't have to argue semantics.
Now the more controversial stance is we can't say this earning power is causal. That's why specifically I said people buy the gateway ticket into these higher earning jobs. It's self-perpetuating.
I can't disagree with the data; what I can say is that people who out-earn non-college people don't do so _because_ of college. The population represented by non-college goes down really deep for a large variety of socio-economic reasons, let's just say.
Liberal democracy's actual function is to convert the will of the people into a functioning government.
If it was actually true that 80% of the population opposed this law, MPs would be falling over themselves to run against it and it would be gone immediately after the next election cycle.
I think it's a dumb law, but I also don't think the UK's democracy is that broken. It's pretty clear a majority of UK voters support or are at least ok with this law.
People who used to post gained knowledge from their profession or hobby. I don't bother posting any of that information on large sites like Reddit anymore, for various reasons, but AI scraping solidified it.
I'll still post on the increasingly fewer hobby message boards that are out there.
Update: Checked the script, and not only does their official installer not verify the download at all - it immediately executes it.
Therefore, it's trivially possible to RCE someone running this script you are MITMing - block all the HTTPS connections, and then replace the binary in the HTTP connection with malware.
Frankly this vulnerability is so obvious and so negligent that I would never use this tool, which is unfortunate as it sounds like a cool idea.
I feel you’ve missed the point. They’re not trying to use https, they can’t, they are downloading tools that only exist online as https links from a legacy system that only supports http. They simply couldn’t download jack shit and came up with a way to do it.
If you can get the insecure bash script onto the system you can also get a bundle with a more secure downloader (or even better, the binaries to be installed) on the system in the same way. Even if you are limited to copy and pasting ASCII text, shell archives are a thing as are a myriad of other possible solutions that do not involve downloading a binary over plain HTTP without any verification.
I think you've missed the point. Even on systems where HTTPS is normally available an attacker in the middle can trivially cause their official installer script to download and run malware by just blocking a few HTTPS connections.
This is the DEFAULT fallback behavior in their installer - not something that only happens on legacy machines.
If I install a project from GitHub on the airport WiFi I'm assuming that the authors know what they're doing and I'm not potentially getting silently MITMed. And when I find out the authors don't know what they're doing to this extreme extent, I note down to never use their project.
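The behaviour the comments above criticise, an installer that silently falls back to plain HTTP and executes whatever arrives, has a straightforward defensive counterpart. The following is an added example, not the project's own script: it downloads over HTTPS only (refusing HTTP and HTTP redirects), checks the file against a pinned SHA-256, and runs nothing until the digest matches. The URL and the expected digest are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not the installer discussed in the thread: fetch over HTTPS only,
# verify a pinned SHA-256, and execute nothing until the digest matches.
set -eu

# Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Strict HTTPS download: --proto '=https' rejects http:// URLs outright and
# --proto-redir '=https' rejects a redirect to plain HTTP, so an attacker who
# blocks TLS gets a hard failure rather than a silent downgrade.
fetch_https_only() {
    url="$1"; out="$2"
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$out" "$url"
}

# Returns 0 only when the file's digest equals the expected (pinned) value.
verify_sha256() {
    file="$1"; expected="$2"
    actual="$(sha256_of "$file")"
    [ "$actual" = "$expected" ]
}

# Download, verify, then run; on mismatch the file is deleted and nothing runs.
install_verified() {
    url="$1"; expected="$2"; tmp="$(mktemp)"
    fetch_https_only "$url" "$tmp"
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        echo "checksum mismatch for $url, refusing to execute" >&2
        return 1
    fi
    chmod 0755 "$tmp" && "$tmp"
}

# Usage: sh install.sh https://example.invalid/tool <expected-sha256>
# (placeholder URL; the digest is pinned in the script or obtained over a trusted channel).
if [ $# -eq 2 ]; then
    install_verified "$1" "$2"
fi
```

The digest has to come from somewhere the attacker cannot rewrite (the script itself, a signed release page, a package manager), otherwise the check only confirms the file matches whatever the same channel served.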