mrdanack.bsky.social
@MrDanack
17.2K posts

Maintainer of the PHP Imagick extension. Has a gurt beard. He/him. aka https://t.co/n0msPZAUM0
This is the Al-Furqan neighbourhood in Aleppo—the number of solar panels is genuinely impressive.


A reverse Mike Tyson: everyone (in the Trump administration) has a plan until they punch someone in the face. When that doesn't work, there's no plan B. They made the same mistake assuming they could use overwhelming diplomatic force to compel Ukraine, and Europe over Greenland.



Gen Z has become the most active cinemagoing demographic. “What’s especially notable is how strongly they value the shared, communal aspect of the experience, reinforcing that theaters continue to play an important role as a social destination for younger audiences.” (Source: variety.com/2026/film/box-…)

Wow. I’ve just received a threatening letter from Ben Delo’s solicitors Addleshaw Goddard. They are claiming, among other things, that it is unlawful to publish information about Delo’s conviction for an anti-money laundering offence in the US. They also say I cannot publish their letter. An extract is below. Is Delo going to get his solicitors to threaten everyone who mentions his conviction? How is this not a SLAPP? @sra_solicitors @DanNeidle


Chainguard's CEO published a post this week arguing that scanners are "working against an adversary that's already beaten them" and that "the Axios attack was pulled hundreds of thousands of times before a single scanner flagged it." This is factually incorrect.

Here's the timeline, all publicly verifiable: plain-crypto-js@4.2.1, the malicious payload, was published to npm on March 30 at 23:59 UTC. @SocketSecurity AI flagged it as malicious at 00:05 UTC. Six minutes. The first compromised Axios version wasn't published until 00:21 UTC, 16 minutes after we'd already flagged the attack. All this version did was add a dependency on the package we'd already caught. Socket customers with AI malware blocking enabled had installs blocked automatically during the entire three-hour exposure window. No CVE required. No luck required. This was independently corroborated by Snyk, Huntress, Orca Security, and InfoQ, each of whom published their own analyses of the attack.

Calling scanning "theater" while getting the facts of the year's biggest scanning success story wrong doesn't strengthen the argument. Scanners and hardened images aren't competing answers. They're complementary layers. The industry needs both.

I agree with part of the post's broader argument. The trust model for open source consumption needs work. I've been maintaining npm packages with billions of cumulative downloads for over a decade. I know what's broken. But you don't fix the trust model by dismissing the defenders who are actually catching attacks and protecting the community. When we catch a malicious package, we report it to the registry and get it taken down. That protects every developer, not just our customers.

Their proposed alternative, rebuilding packages from source, doesn't address the attacks that actually matter. The Axios attack was a maintainer account compromise that poisoned the source. xz-utils was a malicious maintainer who spent two years building trust and poisoned the source. Building from source just rebuilds these attacks faithfully. The most consequential supply chain attacks walk right through this model. Building from source doesn't stop bad source.

And you don't fix this problem by declaring open source dead while your company's entire product is built on top of it. A Harvard study estimated the demand-side value of widely used open source at $8.8 trillion. The people maintaining that infrastructure are mostly unpaid. When they get targeted by nation-state actors, the answer should be to fund, support, and protect them, not warn enterprises away from their packages so you can sell a replacement. Open source is under attack because of how much value it creates. That's an argument for investing in it, not writing its obituary. Back to building.

Right now you’re largely experiencing the economy from a time when the Strait of Hormuz was open, because it takes many weeks for oil tankers to traverse the seas. You still experience the Strait as open, even though it’s been closed for weeks. But once that reality hits…

And all they wanted for these magic beans was one cow? What a bargain

Hey @stillawake - here is an attempt to put things clearly, regarding the Housing IT programme, and the "transformation programme" setup in secret. cc @bristol_citizen