Hacker News | j-bos's comments

Super interesting, mind sharing your exclusions and hooks?

For sure, I put the details here: https://drorspei.com/syncgit

I imagine they are not naive, they're counting on their clients being naive.

> And after seeing how they treat employees for decades

To say nothing of their cars.


> it installs that commit's declared dependencies (which include bun) and then runs its prepare lifecycle script

Again? How have lifecycle scripts not instantly been defaulted off? Yes, breaking things is bad, but come on, this keeps happening, the fix is easy, and if a *javascript* build relies on a dependency of a dependency's pulled build-time script, then it's worth paying in braincells or tokens to figure it out and fix the build process, or lately uncover an exploit chain. This isn't even a compiled language.


If the payload couldn't execute at install time, it would at runtime? Disabling prepare scripts does not seem like an effective countermeasure.

Postinstall scripts have remained an effective attack vector for quite a while – which, ironically, has meant the worm's authors had little incentive to try something else, so it was easier to inoculate yourself. Alas, you're right, it should be pretty simple to bypass this kind of protection, if they haven't already (and seems like they have).

Well at runtime one would hope they're not giving their JS app access to their home folder.

I read this and often think, yes, yes we know, but then I hear juniors at work taking these ideas at face value without considering things like stock splitting and preferred shares.

> This is a very Zuckerbergian take.

No, it's just a common fallacy. If you don't like the guy, isn't "zuckerbergian" an example of helping him live rent free in people's heads?


I'm actually not kidding when I say that Zuckerberg likes that particular fallacy a lot and I've seen him use it. You're right that it's not at all exclusive to him.

Been feeling that energy too, trying so hard to stay at my current big co job for the health insurance. But the draw is pulling me hard.

I've generally assumed that AI would make developers get lower compensation because of the lowered quantity of developers required for the same output, but this raises the possibility of it actually increasing if more developers end up doing their own things instead of entering the broader labor market :)

It could increase compensation by growing the economy. (E.g., perhaps counterintuitively, skilled immigration has this effect.)

the problem is that very few to no SWEs “doing their own thing” will ever make a penny out of it. whatever they do, if it actually makes a little traction, will be cloned and copied in a week by someone else. this whole idea that “we’ll see a 1-person billion dollar startup” is as silly as it gets

But coal's essential as a backup in case of a dead (civilizational) restart.

That seems to be based on the assumption that coal is easily accessible. I'm not sure that's true.

If it weren't for it being OpenAI, this story would not be noteworthy. I think a more interesting story is how many commenters on Hacker News have no idea how discovery or privilege works. Interesting blind spot.

With a duress password, it could have allowed him to destroy it, but that itself would be illegal and he'd likely be found in contempt of court and probably with some other charges related to tampering with evidence. But he wouldn't have had to have read it in court. IANAL
