Ihar Suvorau (@suvorau)

519 posts

9 months dad • Undecided programmer • Solo at Bad & Wrong

Estonia. Joined January 2014
254 Following, 74 Followers
Ihar Suvorau @suvorau
@Neovim Surprised to see the stream behind a paywall.
Ihar Suvorau @suvorau
@ThePrimeagen Also, > AI will create free/cheap energy, free education, cheaper and better food, homes that build themselves and medicine that makes you as healthy as a 30-year-old when you’re 100. Should we expect free RAM at some point?
The Stoic Emperor @TheStoicEmperor
All internet discourse moves inexorably toward its maximally clickable form.
gingerBill @TheGingerBill
I'm sorry to say it again but this is another example of why: Package Managers are Evil. gingerbill.org/article/2025/0…
Andrej Karpathy @karpathy

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.

Armin Ronacher ⇌ @mitsuhiko
Once again I will point out that it was a massive mistake to not go with min-ver but go with latest semver compatible instead. People argued that you cannot do minver because users would lose out on important security updates. Now we have people upgrade to security issues instead.
Andrej Karpathy @karpathy

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.

Jonathan Gorard @getjonwithit
...magnitude more bloated than the truly minimal algorithmic representation required to specify that software artifact unambiguously. Likewise for much of human writing, research, communication. By being such efficient decompressors of algorithmic information, LLMs have... (3/12)
Jonathan Gorard @getjonwithit
I think one of the conclusions we should draw from the tremendous success of LLMs is how much of human knowledge and society exists at very low levels of Kolmogorov complexity. We are entering an era where the minimal representation of a human cultural artifact... (1/12)
Adam Lyttle @adamlyttleapps
Claude knows I'm in Melbourne based on what it saw outside
Raven @Ravenismeee
Men who can cook .. who taught you??
Ihar Suvorau @suvorau
I mean, it's the same problem in any domain all the time: books, furniture, clothing, automotive, entertainment, music, movies, education. More people and companies on the market—less of quality stuff. Perhaps, not really "less", but definitely "harder to find". Noise!
ThePrimeagen @ThePrimeagen

I am convinced that software devs have a speed problem. They think the #1 issue is writing code faster... it's not. It's fixing the code that is already there to stop being utter garbage (as a garbage code connoisseur). Quality is really lacking these days, yet quantity has never been higher.
