Vedang (fosstodon.org/@vedang)

7.1K posts

@vedang

My tweets are notes to my future self, YMMV 👦. Trying for positivity! Building: @unraveldottech Alum: @recursecenter, @helpshift https://t.co/Y1W3sicRXf

Pune, Maharashtra, India. Joined August 2008
1.8K Following, 1.6K Followers
Vedang (fosstodon.org/@vedang) retweeted
Krutik @krutikvirani
I once criticized CERT-In on LinkedIn and got calls from terrified employers (past & then present) asking me to remove it. I said no and proceeded to change all my employment history to ‘Confidential’ to ease their worries. The reason they panic is because they don’t want to lose their “CERT-In Empanelment”. CERT-In Empanelment is one of the biggest scams in the Indian cyber security industry. CERT-In makes you go through several stages of tests (all worthless btw) and then “certifies” you as an empaneled auditing firm. This status then allows you to bid on government contracts for cyber security projects along with enabling you to serve compliance customers under regulatory bodies. If, for whatever reason, CERT-In decides to revoke this empanelment, the firm would lose majority of its business. That’s how CERT-In keeps all the major cyber security firms in India under their thumb.
Srinivas Kodali @digitaldutta

A new generation of people are realising how messed up CERT-IN and India's cybersecurity is.

Vedang (fosstodon.org/@vedang) retweeted
nisarga @ni5arga
I had hacked CBSE's OSM (On-Screen Marking Portal) in February and had reported the vulnerabilities to CERT-In, but they were unable to patch most of them. I've written a detailed blog post about it here: ni5arga.com/blog/posts/hac…
Vedang (fosstodon.org/@vedang) retweeted
Jason Zhou @jasonzhou1993
Singapore Minister for foreign affairs talking about building AI brain for nanoclaw. I re-read 3 times to make sure I didn't misread his role. Respect 🫡
Vedang (fosstodon.org/@vedang)
High praise for Mythos from @a_r_karthic ! Makes me wonder what magic benchmarks and environments Anthropic has set up in their training pipeline! :P
A R Karthick @a_r_karthic

@vedang It’s not possible to better Anthropic, lol. At PANW, we got a preview of Mythos. It found a kernel bug related to our change that I was breaking my head during New Year’s Eve. I cracked one. The second one was a soft lockup.

Vedang (fosstodon.org/@vedang)
@a_r_karthic Well, darn shit :P Thanks for the detailed response. I haven't gotten the chance to try Mythos yet. When it does come out, I'll definitely try it. For now, I'm only referring to coding subscription plans available to the general public, and comparing Opus and GPT.
A R Karthick @a_r_karthic
@vedang I am not even covering the other findings in our eBPF code and some in user space golang proxies, lol. Anthropic is just hard to beat from what I have seen. In Anthropic, we trust!
Vedang (fosstodon.org/@vedang)
I don't know about other tasks. BUT, Folks moving to Anthropic for coding work are seriously underrating the value that GPT-5.x family brings to the table. Are GPT-5.x models better than the Opus models? I think yes, though I understand this is subjective. But the subscription plan is objectively so much better! The usage caps are way way higher. The API costs are cheaper. The service is much more reliable. I can use my subscription from any harness I want. Nothing else comes close to the value OpenAI provides, and I don't get why companies are jumping onto the Claude bandwagon.
Ara Kharazian @arakharazian

ANTHROPIC beats OpenAI in business adoption for the first time. per @tryramp data Today's update of Ramp AI Index shows 34.4% of businesses using Anthropic versus 32.3% using OpenAI. Adoption of Anthropic quadrupled over the last year, while OpenAI rose only 0.3%.

Vedang (fosstodon.org/@vedang)
@hakanderyal I don't have this experience. GPT 5.5 follows instructions reliably. Perhaps less reliably than Opus at large system prompts, but I use Pi and have a small AGENTS.md file. I've never had it deviate from instructions. As for the code, GPT writes better code IME.
Hakan Deryal @hakanderyal
@vedang As a heavy AI user, I’ve never managed to get codex to work at the same productivity & reliability (code wise) level as Opus. I wish I could as unrestricted subscription usage would solve a lot of problems for me.
Vedang (fosstodon.org/@vedang) retweeted
Justin Bennett @just_be_dev
@badlogicgames I often feel like I'm just not smart enough to work in tech and hope no one discovers it.
Vedang (fosstodon.org/@vedang)
Hello @cerebras . Congratulations on your IPO. Could you please give us Code plan users some clarity? Are you ever planning to upgrade the models on the wafers we have access to? Sincere request to let me know one way or the other, don't leave us hanging.
Vedang (fosstodon.org/@vedang) retweeted
Timothy Gowers @wtgowers
If you are a mathematician, then you may want to make sure you are sitting down before reading further.
Mario Zechner @badlogicgames
People of pi.dev. Supply-chain hardening release.
Last week the mistralai package got shai huluded, which gave us a little scare (we were not affected, due to pinning). Starting today, we have the following safe-guards in place:
- cut down dependencies to the absolute minimum. Sadly, Amazon Bedrock and Google GenAI SDK are ... not great in that regard.
- direct external deps are pinned
- the CLI ships an npm shrinkwrap for transitive deps
- pi update --self disables lifecycle scripts
- new dependency lifecycle scripts require explicit review if we add a new dependency to pi
- lockfile changes are blocked pre-commit unless explicitly allowed
- scheduled npm audit + registry signature checks run on GitHub, so we get to update dependencies as vulns are detected
- 2fa releases, obviously
While this is something, it can not prevent everything. If you use 3rd party extensions, you can get shai huluded, just like with any dependency installation that you haven't screened yet. That's not a pi thing, that's an "our industry is deeply fucked" thing. Enjoy the dystopia where everything is terrible!
Vedang (fosstodon.org/@vedang) retweeted
Corey Quinn @QuinnyPig
Been thinking about what an "agent-native cloud" actually needs to look like. Mentioned this, and @Vercel's CEO replied that it'll be them. Cool! Here's the spec they (or @Cloudflare, or some startup not yet invented) actually have to hit. It won't be @awscloud. Thread...
Guillermo Rauch @rauchg

@QuinnyPig It'll be ▲. Would love your feedback. This is our primary focus!

Swanand @_swanand
@ponnappa @akshatc I’ve been calling it business debt for a while instead of tech debt
Akshat Choudhary @akshatc
Good time to repost this. Now everyone agrees that cost of building code is effectively zero. However they are still not rethinking their priors about whole software. They think in terms of tech debt and security issues. Those are going away too. Just a matter of time.
Akshat Choudhary @akshatc

Today I presume cost of creating software of even higher complexity to be effectively zero. However after speaking to quite a few folks over the past 2 days at WCEU it seems that we are the odd one out. Most have barely changed the way they make software.

Vedang (fosstodon.org/@vedang) retweeted
Siddhartha Reddy @sids
I think it’s first-mover advantage more than anything else. It’s why people were using ChatGPT even when Claude[dot]ai was better for general chat. Just like ChatGPT has become synonymous with AI chat, CC has become synonymous with agentic engineering. OpenAI has the better product for both AI chat and agentic engineering (Codex mac app is genuinely good, and CC has become vibe-coded slop). We’ll see if that lets them overcome the enterprise mindshare that Anthropic seems to have cornered.
Mario Zechner @badlogicgames
@_gannon_ the skills "standard" is also a crime against computing. ask me how i know.
Mario Zechner @badlogicgames
Claude Code agent files have YAML frontmatter. Claude Code seems to have implemented its own vibe coded YAML parser, and allows invalid YAML. Now people demand pi also parses YAML in the same broken way as Claude Code does. Glorious. github.com/earendil-works…
Vedang (fosstodon.org/@vedang) retweeted
Luca Dellanna @DellAnnaLuca
The reactions of many researchers on finally being held responsible for having read the very paper they submitted are... something.
Vedang (fosstodon.org/@vedang) retweeted
Marc Brooker @MarcJBrooker
There are two related, but distinct, problems with MTTR maximalism. 1. The distribution of recovery times could be heavy-tailed, and so the empirical mean could be far from the true mean. 2. Some failures are unrecoverable (e.g. durability loss).
Mitchell Hashimoto @mitchellh

I strongly believe there are entire companies right now under heavy AI psychosis and it's impossible to have rational conversations about it with them. I can't name any specific people because they include personal friends I deeply respect, but I worry about how this plays out. I lived through the great MTBF vs MTTR (mean-time-between-failure vs. mean-time-to-recovery) reckoning of infrastructure during the transition to cloud and cloud automation. All those arguments are rearing their ugly heads again but now it's... the whole software development industry (maybe the whole world, really). It's frightening, because the psychosis folks operate under an almost absolute "MTTR is all you need" mentality: "it's fine to ship bugs because the agents will fix them so quickly and at a scale humans can't do!" We learned in infrastructure that MTTR is great but you can't yeet resilient systems entirely. The main issue is I don't even know how to bring this up to people I know personally, because bringing this topic up leads to immediate dismissals like "no no, it has full test coverage" or "bug reports are going down" or something, which just don't paint the whole picture. We already learned this lesson once in infrastructure: you can automate yourself into a very resilient catastrophe machine. Systems can appear healthy by local metrics while globally becoming incomprehensible. Bug reports can go down while latent risk explodes. Test coverage can rise while semantic understanding falls. Changes happen so fast that nobody notices the underlying architecture decaying. I worry.

Vedang (fosstodon.org/@vedang) retweeted
Mitchell Hashimoto @mitchellh
It isn't unexpected that the focus of the Bun Rust rewrite is on the anti-Zig side more than anything, since the internet loves to hate. What is unexpected and unfortunate is that leadership within Bun hasn't tried to steer the conversation away from that at all. There are so many positive and interesting takeaways from this and I'm not really seeing any of them pushed as the primary message. A positive thing that hasn't been talked about at all is how far Bun came thanks to Zig. And even if you dump it now, it's meaningful for how good Zig was to even build a product to this point and impact by any metric. I would've loved to see anyone in leadership say this. On the interesting side is how fungible programming languages are nowadays. Programming languages used to be LOCK IN, and they're increasingly not so. You think the Bun rewrite in Rust is good for Rust? Bun has shown they can be in probably any language they want in roughly a week or two. Rust is expendable. It's useful until it's not then it can be thrown out. That's interesting! There's been a lot of talk about memory safety and no doubt Rust provides more guarantees than Zig. But I'd love to see a better analysis of why Bun in particular suffered so much rather than take the language-blame path. How could engineering as a practice have been more rigorous to prevent this? What were the largest sources of crashes other programs should watch out for? How does Rust prevent them? How could Zig theoretically prevent them? That's interesting. I know the official blog post hasn't come out yet from Bun. But they're smart enough to know that that PR would stir up controversy the moment it opened, or they should've been. And plenty in the company have been tweeting and writing about it. It's somewhat telling to me in various dimensions what they chose to talk about first.
I tend to think I'm pretty good at corporate PR/comms (especially when it comes to developer audiences) and I think appealing to the negative is never the right long term strategy; it does work to get short term eyes though.