bilalq commented on Amazon closing its Fresh and Go stores   finance.yahoo.com/news/am... · Posted by u/trenning
bilalq · 15 days ago
These were absolutely incredible when they first opened up right on until covid. The blue-apron style meal kits they had were actually really tasty and the gimmicky integration with Alexa to tell you the next step in the recipe was actually kind of useful when you were busy stirring a pot or cutting something and too busy to pull out the recipe card. It was like a 7-Eleven, but with the prices of a normal grocery store and higher quality prepared food. Not needing to deal with checkout felt freeing. I substituted many grocery store runs with a quick walk over to the original Amazon Go back in the day.

After covid, it was never the same. Open for shorter windows, closed on Sundays, reduced selection, no more meal kits etc.

I had many friends who worked on Amazon Go, so it's a bit sad to see that work come to an end.

bilalq commented on Get an AI code review in 10 seconds   oldmanrahul.com/2025/12/1... · Posted by u/oldmanrahul
mvanbaak · 2 months ago
I still don't get the idea about AI code reviews. A code review (at least in my opinion) is for your peers to check if the changes will have a positive or negative effect on the overall code + architecture. I have yet to see an LLM being good at this.

Sure, they will leave comments about commonly made errors (your editor should already warn about this before you even commit it) etc. But to notify about this weird thing that was done to make sure something a lot of customers wanted is made a reality.

Also, PRs are created to share knowledge. Questions and answers on them are to spread knowledge in the team. AI does not do that.

[edit] Added the part about knowledge sharing

bilalq · 2 months ago
This question is surprising to me, because I consider AI code review the single most valuable aspect of AI-assisted software development today. It's ahead of line/next-edit tab completion, agentic task completion, etc.

AI code review does not replace human review. But AI reviewers will often notice little things that a human may miss. Sometimes the things they flag are false positives, but it's still worth checking in on them. If even one logical error or edge case gets caught by an AI reviewer that would've otherwise made it to production with just human review, it's a win.

Some AI reviewers will also factor in context of related files not visible in the diff. Humans can do this, but it's time consuming, and many don't.

AI reviews are also a great place to put "lint" like rules that would be complicated to express in standard linting tools like Eslint.

We currently run 3-4 AI reviewers on our PRs. The biggest problem I run into is outdated knowledge. We've had AI reviewers leave comments based on limitations of DynamoDB or whatever that haven't been true for the last year or two. And of course it feels tedious when 3 bots all leave similar comments on the same line, but even that is useful as reinforcement of a signal.

bilalq commented on Stacked Diffs with git rebase --onto   dineshpandiyan.com/blog/s... · Posted by u/flexdinesh
swaits · 2 months ago
Definitely let your keybinding keep you from trying out and using a fantastic tool.
bilalq · 2 months ago
I already use Graphite today on top of git. Others are using alternatives like Sapling, etc.

To go back to your question around why people still use these workarounds on top of git, it's because the CLI is just one piece of it. With Graphite, I also get a stack-aware merge queue and review dashboard.

bilalq commented on Stacked Diffs with git rebase --onto   dineshpandiyan.com/blog/s... · Posted by u/flexdinesh
swaits · 2 months ago
Every time I see one of these nifty git tricks or workarounds I find myself wondering, “why not just use jj?”

You get a nicer, significantly simpler interface. You don’t need any tricks. You don’t have to google how to work yourself out of a bad state, ever. And you get near-perfect git compatibility (ie you can use jj on a shared git repo, doing all the same things, and your teammates won’t know the difference).

I’ve wondered if there is a psychological thing here: someone who spent time memorizing all the git nonsense may have some pride in that (which is earned, certainly), that introduces some mental friction in walking away???

bilalq · 2 months ago
I have one and a half decades of muscle memory burned in with inoremap jj <Esc>`^

It's not something I can just shift away from.

bilalq commented on Lambda Durable Functions   docs.aws.amazon.com/lambd... · Posted by u/john-shaffer
bilalq · 2 months ago
This is really exciting. Step functions were a big improvement over SWF and the Flow framework, but declarative workflow authoring sucks from a type-safety standpoint. Workflows-as-code is the way to go, and that was missing from AWS. Can't wait to build on top of this.
bilalq commented on Shai-Hulud Returns: Over 300 NPM Packages Infected   helixguard.ai/blog/malici... · Posted by u/mrdosija
mbreese · 3 months ago
Or require manual intervention to publish a new package. I'm not sure why we need to have a fully automated pipeline here to go from CI/CD to public package release. It seems like having some kind of manual user interaction to push a new version of a library would be a good thing.
bilalq · 3 months ago
This is orthogonal to the issue at hand. The problem is a malicious actor cutting a release outside of the normal release process. It doesn't matter if the normal process is automated or manual.
bilalq commented on Shai-Hulud Returns: Over 300 NPM Packages Infected   helixguard.ai/blog/malici... · Posted by u/mrdosija
timgl · 3 months ago
co-founder of PostHog here. We were a victim of this attack. We had a bunch of packages published a couple of hours ago. The main packages/versions affected were:

- posthog-node 4.18.1, 5.13.3 and 5.11.3

- posthog-js 1.297.3

- posthog-react-native 4.11.1

- posthog-docusaurus 2.0.6

We've rotated keys and passwords, unpublished all affected packages and have pushed new versions, so make sure you're on the latest version of our SDKs.

We're still figuring out how this key got compromised, and we'll follow up with a post-mortem. We'll update status.posthog.com with more updates as well.

bilalq · 3 months ago
You're probably already planning this, but please set up an alarm to fire off if a new package release is published that is not correlated with a CI/CD run.
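What such an alarm can look like, as an added example that is not part of the thread or of any project named in it: the check takes the `time` map that `npm view <pkg> time --json` prints and a list of CI release runs (the run shape is an assumption here; substitute whatever your CI system's API returns) and flags every published version that no successful run accounts for. The package name, versions and timestamps are constructed sample data.

```javascript
// Added example, not code from the thread or from any of the projects named in it.
// Inputs: the `time` map from `npm view <pkg> time --json` (real shape: "created", "modified",
// then one ISO timestamp per version) and a list of CI release runs with an assumed shape
// { pkg, version, status, startedAt, finishedAt }.

// Flatten the registry `time` map into publish events.
function parseNpmTime(pkg, timeMap) {
  return Object.entries(timeMap)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .map(([version, iso]) => ({ pkg, version, publishedAt: Date.parse(iso) }));
}

// A publish is explained when a successful run for the same package and version was in flight
// around the publish time (plus some slack for clock drift between registry and CI).
function findUncorrelatedPublishes(publishes, runs, slackMs = 5 * 60 * 1000) {
  return publishes.filter((p) => {
    const explained = runs.some((r) =>
      r.pkg === p.pkg &&
      r.version === p.version &&
      r.status === 'success' &&
      p.publishedAt >= Date.parse(r.startedAt) - slackMs &&
      p.publishedAt <= Date.parse(r.finishedAt) + slackMs
    );
    return !explained;
  });
}

// Constructed sample data for a hypothetical package.
const SAMPLE_TIME_MAP = {
  created: '2025-01-10T09:00:00.000Z',
  modified: '2025-03-02T03:14:07.000Z',
  '1.2.0': '2025-02-20T14:02:11.000Z', // cut by the release pipeline
  '1.2.1': '2025-03-02T03:14:07.000Z', // showed up at 3am with no pipeline run
};
const SAMPLE_RUNS = [
  { pkg: 'acme-sdk', version: '1.2.0', status: 'success',
    startedAt: '2025-02-20T13:55:00.000Z', finishedAt: '2025-02-20T14:05:30.000Z' },
];

// Returns the publishes that should page someone.
function demo() {
  const publishes = parseNpmTime('acme-sdk', SAMPLE_TIME_MAP);
  return findUncorrelatedPublishes(publishes, SAMPLE_RUNS);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of demo()) {
    console.log(`ALERT: ${p.pkg}@${p.version} published ${new Date(p.publishedAt).toISOString()} with no matching CI run`);
  }
}
```

Run it on a schedule per package you own, keep the run list coming from the CI system rather than from anything an attacker with the npm token could write to, and treat a hit as an incident rather than a warning: the token that cut the release is already in someone else's hands.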
bilalq commented on Our stewardship: Where we are, what's changing and how we'll engage   rubycentral.org/news/our-... · Posted by u/baggy_trough
ipaddr · 4 months ago
"Unlike open-source projects that are simply distributed “as-is” with no warranties, but similar to other infrastructure projects, these codebases underpin a service operated by Ruby Central, and its canonical clients, relied on by millions of developers every day to securely download and publish gems. "

Are they offering warranties?

What new privacy laws demand them signing some handcrafted legal document?

Is what they did legal?

Couldn't they fork to provide a secure version?

That one guy maintaining so many rubygems is the same guy who is offering a competing software solution that could reduce their profit stream. Is that the real reason?

bilalq · 4 months ago
I did a double-take when I read that as well. I went and checked the license under rubygems, and sure enough, it's standard MIT with no warranties.

https://github.com/rubygems/rubygems/blob/master/LICENSE.txt

bilalq commented on Keeping secrets out of logs (2024)   allan.reyes.sh/posts/keep... · Posted by u/xk3
bilalq · 5 months ago
This is an excellent write-up of the problem. New hires out of college/bootcamps often have no awareness of the risks here at all. Sometimes even engineers with years of experience but no operational mentorship in their career.

The kitchen sink example in particular is one that trips up people. Without knowing the specifics of how a library may deal with failure edge cases, it can catch you off guard (e.g., axios errors including API key headers).

A lot of these problems come from architectures where secrets go over the wire instead of just using signatures/ids. But in cases where you have to use some third party platform, there's often no choice.

bilalq commented on AWS in 2025: Stuff you think you know that's now wrong   lastweekinaws.com/blog/aw... · Posted by u/keithly
solatic · 6 months ago
There are very real differences between NAT gateways and VPC Gateway Endpoints.

NAT gateways are not purely hands-off: you can attach additional IP addresses to NAT gateways to help them scale to supporting more instances behind the NAT gateway, which is a fundamental part of how NAT gateways work in network architectures, because of the limit on the number of ports that can be opened through a single IP address. When you use a VPC Gateway Endpoint, it doesn't use up ports or IP addresses attached to a NAT gateway at all. And what about metering? You pay per GB for traffic passing through the NAT gateway, but I guess not for traffic to an implicit built-in S3 gateway, so do you expect AWS to show you different meters for billed and not-billed traffic, while performance still depends on the sum total of the traffic (S3 and Internet egress) passing through it? How is that not confusing?

It's also beside the point that not all NAT gateways are used for Internet egress; indeed there are many enterprise networks where there are nested layers of private networks where NAT gateways help deal with overlapping private IP CIDR ranges. In such cases, having some kind of implicit built-in S3 gateway violates assumptions about how network traffic is controlled and routed, since the assumption is for the traffic to be completely private. So even if it was supported, it would need to be disabled by default (for secure defaults), and you're right back at the equivalent situation you have today, where the VPC Gateway Endpoint is a separate resource to be configured.

Not to mention that VPC Gateway Endpoints allow you to define policy on the gateway describing what may pass through, e.g. permitting read-only traffic through the endpoint but not writes. Not sure how you expect that to work with NAT gateways. This is something that AWS and Azure have very similar implementations for that work really well, whereas GCP only permits configuring such controls at the Organization level (!)

They are just completely different networking tools for completely different purposes. I expect closed-by-default secure defaults. I expect AWS to expose the power of different networking implements to me because these are low-level building blocks. Because they are low-level building blocks, I expect there to be footguns and for the user to be held responsible for correct configuration.

bilalq · 6 months ago
My objections here are in terms of how this manifests in billing. Especially when you consider the highway robbery rates for internet egress.

u/bilalq

Karma: 2850 · Cake day: January 16, 2012
About
@bilalquadri