Max Howell

4.3K posts

@mxcl

Creator https://t.co/K7kIRIkim0 · Creator @AutomicVault — Run agents autonomously without losing secrets, control, or your mind. Building in public.

Apex, NC, USA · Joined April 2007
639 Following · 34K Followers
Pinned Tweet
Max Howell@mxcl·
The software ecosystem was built around humans manually operating their computers. Now we are giving autonomous systems access and that changes the threat model completely. @AutomicVault is an attempt to build a safer foundation for the next generation of tooling.
Max Howell@mxcl·
@kettanaito Without AI scanning I'm not sure what they can do. This has always been a major issue with open source supply chains.
Artem Zakharchenko@kettanaito·
npm should just freeze the entire registry at this point. Until they figure out and implement proper security practices for one of the largest supply chains in the world.
Max Howell@mxcl·
Humans Play. Claws Write the Story.
Max Howell@mxcl·
Mostly more useful than a general AI analysis since it will resolve `if` branches and platform specific routes and is tuned to summarize to what you are interested in rather than saying SETS VARIABLE TO FOO, etc.
Max Howell@mxcl·
Added `av trace` to @AutomicVault so you can use AI to determine what those curl one-liners will do to your system before you do it. Eg. what will the Hermes Agent installer do on my computer?
Max Howell@mxcl·
Discovered @davidhdev and his amazing collection of React components. Couldn’t help but put Splash Cursor on my homepage.
Rhys@RhysSullivan·
not enough people know that links in main tweets are fine again please stop adding spaces to your links, i want to be able to click through and view your thing
kache@yacineMTB·
hot take: if you are a programmer you should be able to invert a binary tree from memory, AI or not. It's ridiculously easy and if you can't do it, you should not have a computer science degree
Yuchen Jin@Yuchenj_UW

I’m so glad AI killed LeetCode interviews. For 10 years, tech companies made every engineer grind the same puzzles and prove they could invert a binary tree from memory. Today, the dumbest AI model can walk in and one-shot the entire interview. Thank you, AI.

Max Howell@mxcl·
👏 NO 👏 MORE 👏 PLAINTEXT 👏 SECRETS 👏 1,250 packages secured in @AutomicVault.
Eric S. Raymond@esrtweet·
Choice of language for software projects has become a very different game now that we have robot friends to do most of our code generation and translation for us. I have people wondering why I just shipped a project in Rust when I don't like the language and don't hand-code in it myself. I did this because I am adjusted to current reality, and now I'm going to talk about that. The age of hand-coding is mostly over. It no longer matters as much whether the computer language I use is comfortable to my hand, only whether the robot friend I'm using can generate it at high quality. It also matters whether I can read the language, because I am going to want to run my eyeball over it to review the code. Rust meets that bar - I find it kind of spiky but basically readable. Rust is a good deployment language for me to choose when (a) I want solid memory-safety guarantees, and (b) the code is already mature and I don't expect to need to do exploratory programming or serious feature development on it in the future. In particular, this makes Rust a good place for me to land my old C projects. Which is why in the last couple of months I have migrated two of them to Rust. C to Rust translation by robots is cheap and easy now; I will probably continue to do this. Each time I get a bug report on one of these projects in the future, boing! Rusticated. You may believe that Rustacea is stuffed with Communists and sexual deviants. You might even be right. I don't have to care whether that's true anymore, because I have a robot friend who is in all relevant ways smarter than they are. The wider lesson here is that the developer and user community around a language doesn't matter as much as it used to in whether you should get involved with it. Because in the future, we're going to be relying on human community brains less and artificial intelligences more. And that future is now. Not everything C gets moved to Rust, though. 
I lifted cvs-fast-export to Golang instead, because I think it's fairly likely that I'm going to have to do significant development work on it in the future, so the payoff from a language I'm more comfortable reading and modifying by hand goes up. I'm certainly never going to start a project in C again. What would be the point, other than masochism? I spent 40 years writing C and I'm very good at it, but I will cheerfully leave it and its buffer overruns and its heap corruption and its undefined behaviors and its portability problems behind. It helps that my robot friends are good at writing C code that doesn't have those problems, but...why even go there? Why expose yourself to those risks if the robot misses something? These days I do my exploratory programming in Python or Golang. My robot friends are extremely good at generating code in both those languages. I think they're slightly higher leverage on Golang, possibly due to that language having a smaller surface? Python used to be my favorite language. I soured on it for a while after the 2-to-3 transition was massively botched, and the GIL meant concurrency in it was a disaster area, and managing library dependencies became an even bigger disaster area. I'm a little happier with Python now that I can declare strict typing and uv has reduced dependency pain somewhat. But I think if I think I'm going to have to write anything much larger than a glue script in Python, I just shrug and reach for Golang instead. I'm very comfortable in Golang. Over time, I'll probably migrate my older Python projects to Golang because that's cheap and easy now and the performance win can be quite significant. I don't know what other languages I'm going to be using in the future. I do know that choosing a development language is a much less grave commitment than it used to be, because if it turns out to be not well suited for the job I'm doing, I can simply have my robot friend translate it to a better one.
Max Howell@mxcl·
What's more worrying? That Codex keeps cutting me off when I am trying to improve the security of open source or that when I negotiate with it it generally continues for a while before again flagging me for “CYBERSECURITY VIOLATIONS”?
Max Howell@mxcl·
@mark_k “It will dump around 23 atomic bombs worth of thermal load on the environment every day.” is just an absolutely absurd thing to say. These people are insidious.
Mark Kretschmann@mark_k·
This is exactly the mindset that put us in this position. First they made it almost impossible to build nuclear reactors, setting energy abundance back by decades. Now the same people are shocked that data centers need huge amounts of power. The answer is not to stop building. The answer is to build the energy infrastructure we should have built all along.
Pubity@pubity

Kevin O'Leary's proposed data center in Utah will require 9 Gigawatts of energy to function when fully built, double Utah's current energy usage for the entire state. It will dump around 23 atomic bombs worth of thermal load on the environment every day.

Max Howell@mxcl·
@pubity “It will dump around 23 atomic bombs worth of thermal load on the environment every day.” lmfao. you are just liars.
Pubity@pubity·
Kevin O'Leary's proposed data center in Utah will require 9 Gigawatts of energy to function when fully built, double Utah's current energy usage for the entire state. It will dump around 23 atomic bombs worth of thermal load on the environment every day.
Max Howell@mxcl·
@lauriewired If you want security at the package manager layer I have built @AutomicVault which patches packages to stop them storing plain text secrets.
Max Howell@mxcl·
Having experimented along these lines a bunch I’d say: not yet. There's a lot that is gained from the years of experience that go into a carefully designed open source package and then the LLM just calls a function rather than vibe codes something that may be better but chances are: has issues the OSS package figured out years ago. We do not yet have super intelligence. Pick packages still: just carefully and judiciously.
kitze@thekitze·
nuke npm. every package should be vibe coded on the fly
Max Howell@mxcl·
Redid the @AutomicVault key injection screen for clarity. Still not quite up to @mxcl’s standards. But we move fast here.