I agree with you, and don’t really have any answers :)

US will try its best to block technology, including open source projects.

You can’t block open source projects from anyone. That’s the entire point of open source. For a license to be considered open-source, it must not have any limitations as to who can use it.

Yeah, it really depends on how much you trust the vendor.

Google? Say what you want about the company, but they’ll never intentionally serve malware.

Random company with no track record where we don’t even know who is maintaining the code? Much less trustworthy. The polyfill . io repo is currently owned by a Github user called “polyfillpolyfill” with no identifying information.

Third-party CDNs make less sense these days though. A lot of hosting services have a CDN of some sort. Most sites have some sort of build process, and you usually bundle all your JS and CSS (both your code and third-party code, often as separate bundles) as part of that.

deleted by creator

with mails that dont correspond to the original authors,

Oh! I didn’t realise this. Do you have an example?

You’d be surprised how much code people blindly reuse without even looking at it, especially in JavaScript. A bunch of it is from projects owned by random individuals. The JS standard library is ridiculously small, so nearly all JS apps import third-party code of some sort. One JS framework can pull in hundreds of third-party modules.

It’s much less of an issue with languages like C# and even PHP, where the first-party libraries are often sufficient for building a small or mid-sized app.

Most licences require derivative works to be under the same or similar licence

Some, but probably not most. This is mostly an issue with “viral” licenses like GPL, which restrict the license of derivative works. Permissive licenses like the MIT license are very common and don’t restrict this.

MIT does say that “all copies or substantial portions of the Software” need to come with the license attached, but code generated by an AI is arguably not a “substantial portion” of the software.

I expect it’s going likely to be used to train some Chinese AI model.

Even if they do that, the license for open source software doesn’t disallow it from being done.

My favourite part is that the developers that currently own it said:

Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached

https://github.com/polyfillpolyfill/polyfill-service/issues/2890#issuecomment-2191461961

Completely missing the point that they are the supply chain risk, and the fact that malicious code was already detected in their system (to the point where Google started blocking ads for sites that loaded polyfill .io scripts.

We don’t even know who they are - the repo is owned by an anonymous account called “polyfillpolyfill”, and that comment comes from another anonymous account “polyfillcust”.

Reposting my comment from Github:

A good reminder to be extremely careful loading scripts from a third-party CDN unless you trust the owner 100% (and even then, ownership can change over time, as shown here). You’re essentially giving the maintainer of that CDN full control of your site. Ideally, never do it, as it’s just begging for a supply chain attack. If you need polyfills for older browsers, host the JS yourself. :)

If you really must load scripts from a third-party, use subresource integrity so that the browser refuses to load it if the hash changes. A broken site is better than a hacked one.

And on the value of dynamic polyfills (which is what this service provides):

Often it’s sufficient to just have two variants of your JS bundles, for example “very old browsers” (all the polyfills required by the oldest browser versions your product supports) and “somewhat new browsers” (just polyfills required for browsers released in the last year or so), which you can do with browserslist and caniuse-lite data.

In this case the script wasn’t bundled at all - it was hotlinked from a third party CDN. Adding malicious code instantly affects all the sites that load it.

The output differs depending on browser (it only loads the polyfills your browser needs) so it’s incompatible with subresource integrity.

This will have been pulled in as a dependency in many projects and the site either works or does not based on the presence of the bundle.

This wasn’t bundled. People inserted a script tag pointing to a third-party CDN onto their sites. The output changes depending on the browser (it only loads the polyfills needed for the current browser) so you can’t even use a subresource integrity hash.

why Domino’s shouldn’t just charge less when they can afford to.

Ideally they would charge less, but people are willing to pay the higher prices, so they charge the higher prices. We live in a capitalist society, and they’ll increase the prices as high as the market can bear.

A lot of companies increase their prices but have coupons that bring the price down. Easy way for them to make more money, as people that like the product will continue to buy it, and not every customer will use the coupons.

I don’t understand why this is a bad thing? Open source code is designed to be shared/distributed, and an open-source license can’t place any limits on who can use or share the code. Git was designed as a distributed, decentralized model partly for this reason (even though people ended up centralizing it on Github anyways)

They might end up using the code in a way that violates its license, but simply cloning it isn’t a problem.

Is it hosted on New Pied Piper?

tl;dr there were two leaks: A Microsoft employee had compiler issues and attached the code to a publicly-visible bug report, and Microsoft’s public symbol server had debug symbols for the library (which makes it a lot easier to reverse engineer and debug the production build in a debugger).

Did the employee that accidentally leaked it think that the public developer community was an internal bug tracker? Strange. I wonder if Microsoft do actually use the same site for both internal and external bugs and the employee just selected the wrong category when posting. Seems like an unnecessary risk.

Venmo and CashApp

Why would you use either of these when Zelle exists and is built into your bank’s app?

Third-party money transfer apps are very rare in a lot of non-US countries, because people just transfer money using their bank account. They’re only popular in the USA because US banks were so far behind in terms of technology compared to the rest of the developed world.

They didn’t have a reason to switch to USB-C, and several reasons to avoid it for as long as possible. Their old Lightning connector (and the big 30-pin connector that came before it) was proprietary, and companies had to pay a royalty to Apple for every port and connector they manufactured. They made a lot of money off of the royalties.

You can enable a persistent connection to get alerts directly without relaying them through Google, but then you need to have a connection to your Home Assistant server all the time (eg by using a VPN or by exposing it publicly)

I don’t see anything in that article that says that Google store the contents of the notification. It just says that they link push tokens to emails, which is true - they have to know who to send the push notification to.

In any case, if you don’t want Home Assistant notifications being relayed through Google, you can use a persistent connection so that the app connects directly to your Home Assistant server.