woodruffw's comments

I think “has predictable outputs” is less valuable than “has expected outputs” for most workloads. Dividing by zero almost always reflects an unintended state, so proceeding with the operation means compounding the error state.

(This isn’t to say it’s always wrong, but that having it be an error state by default seems very reasonable to me.)


Homebrew uses sandbox-exec during builds and installs, yeah. To my memory we’ve used it for at least 6 or 7 years, probably longer.

In practice this isn’t as big of a hurdle as you might expect: Python is fundamentally dynamic, but most non-obfuscated Python is essentially static in terms of callgraph/reachability. That means that “this specific API is vulnerable” is something you can almost always pinpoint usage for in real Python codebases. The bigger problem is actually encoding vulnerable API information (not just vulnerable package ranges) in a way that’s useful and efficient to query.

(Source: I maintain pip-audit, where this has been a long-standing feature request. We’re still mostly in a place of lacking good metadata from vulnerability feeds to enable it.)


The imports themselves may be dynamic. I once did a little review of dependencies in a venv that had everything to run pytorch llama. The number of imports gated by control flow or having a non-constant dependency was nontrivial.

Imports gated by control flow aren’t a huge obstacle, since they’re still statically observable. But yeah, imports that are fully dynamic, i.e. use importlib or other import machinery, blow a hole in this.

The thing is that almost always isn't good enough. If it can't prove it, then a human has to be put back in the loop to verify and assert, and on sensitive timelines when you have regulatory requirements on time to acknowledge and resolve CVEs in dependencies.

Sure, but I think the useful question is whether it’s good enough for the median Python codebase. I see the story as similar to that of static typing in Python; Python’s actual types are dynamic and impossible to represent statically with perfect fidelity, but empirically static typing for Python has been very successful. This is because the actual exercised space is much smaller than the set of all valid Python programs.

Idiomatic Python often branches on getattr to implement the interface and that is really hard to analyze from the outside.

I wouldn’t say that’s particularly idiomatic in modern Python. But even when it occurs, it’s not the end of the world: if it’s a computed getattr, you consider the parent object tainted for the purpose of reachability. This is less precise, but it’s equivalent to what the programmer has expressed (and is still more precise than flagging the entire codebase as vulnerable because it uses a dependency.)
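
The sub-thread above, as an added example that is not pip-audit’s code or any other project’s: a minimal static reachability check built on the standard-library `ast` module. The vulnerable package `vulnlib`, its function `vulnlib.parse`, and the five sample files are constructed placeholders. The check keeps every binding a control-flow-gated import may give a name, treats a computed `getattr` on the vulnerable module as tainting the parent object (so the file is flagged as reachable), and reports files that go through `importlib`/`__import__` as unresolvable rather than guessing either way.

```python
"""Static reachability check for a known-vulnerable API (added example)."""
import ast
import textwrap
from typing import Dict, Set

# Hypothetical vulnerable API, constructed for this example (not a real advisory).
VULN_MODULE = "vulnlib"
VULN_API = "vulnlib.parse"

# Constructed sample sources covering the situations discussed in the thread.
SAMPLES = {
    "direct.py": textwrap.dedent("""
        import vulnlib
        def handler(data):
            return vulnlib.parse(data)
    """),
    "gated.py": textwrap.dedent("""
        import sys
        if sys.version_info >= (3, 8):
            from vulnlib import parse as load
        else:
            from otherlib import load
        def handler(data):
            return load(data)
    """),
    "computed.py": textwrap.dedent("""
        import vulnlib
        def handler(data, which):
            fn = getattr(vulnlib, which)
            return fn(data)
    """),
    "dynamic.py": textwrap.dedent("""
        import importlib
        def handler(data):
            mod = importlib.import_module("vulnlib")
            return mod.parse(data)
    """),
    "clean.py": textwrap.dedent("""
        import vulnlib
        def handler(data):
            return vulnlib.safe_parse(data)
    """),
}


def _collect_aliases(tree: ast.AST) -> Dict[str, Set[str]]:
    """Map each local name to every qualified name an import may bind it to.

    ast.walk descends into if/try/else bodies, so imports gated by control
    flow are still observed; a name bound in two branches keeps both targets.
    """
    aliases: Dict[str, Set[str]] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases.setdefault(a.asname, set()).add(a.name)
                else:  # `import pkg.sub` binds only the top-level name `pkg`
                    top = a.name.split(".")[0]
                    aliases.setdefault(top, set()).add(top)
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                local = a.asname or a.name
                aliases.setdefault(local, set()).add(f"{node.module}.{a.name}")
    return aliases


def _resolve(node: ast.AST, aliases: Dict[str, Set[str]]) -> Set[str]:
    """Resolve a Name/Attribute chain such as `mod.sub.fn` to candidate names."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return set()
    suffix = "".join("." + p for p in reversed(parts))
    return {base + suffix for base in aliases.get(node.id, {node.id})}


def analyze(source: str) -> str:
    """Return 'reachable', 'unreachable', or 'unresolvable' for one module."""
    tree = ast.parse(source)
    aliases = _collect_aliases(tree)
    dynamic_import = False
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        names = _resolve(node.func, aliases)
        if VULN_API in names:
            return "reachable"
        # Computed attribute access on the vulnerable module: taint the parent.
        if "getattr" in names and node.args:
            if VULN_MODULE in _resolve(node.args[0], aliases):
                return "reachable"
        if "__import__" in names or any(n.startswith("importlib.") for n in names):
            dynamic_import = True
    return "unresolvable" if dynamic_import else "unreachable"


def audit(samples: Dict[str, str]) -> Dict[str, str]:
    return {name: analyze(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:12} {verdict}")
```

Keeping a set of candidate bindings per name is what makes the gated import case work without any path sensitivity: the audit only has to answer “could this name ever be the vulnerable API”, so a false positive on the dead branch is the conservative outcome, while the `importlib` case is reported separately so a human knows precisely which files the analysis could not decide.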

I think this is pretty good advice. I find Dependabot useful for managing scheduled dependency bumps (which in turn is useful for sussing out API changes, including unintended semver breakages from upstreams), but Dependabot’s built-in vulnerability scanning is strictly worse than just about every ecosystem’s own built-in solution.

I think the thing that puts J6 in the "definitely an insurrection attempt" category is the fact that it happened while Congress was exercising its duty to formalize the electoral college vote. We don't have to reach for statistics about how many were armed or wearing costumes (a fact that seems immaterial in any case); the question is sufficiently answered by what they were attempting to stop.

I’ll reiterate the earlier poster’s question:

> What would the next steps be that would end in them overthrowing elected leaders?


It was explicitly an attempt to influence Pence or congress to not certify the election results, attempting to allow Trump to use his fake electors to change the results in his favor.

It was a naked attempt to change the outcome of the election. What are you not understanding about this?


In 2016 there was an organized, and partially successful, effort to get 37 electoral voters to change their electoral vote to somebody other than whom they were pledged to vote - Trump. It was intended to change the result of the election by forcing a "contingent election", in which the House of Representatives would determine the President, owing to the esoteric nuances of US electoral law.

Would you consider this an insurrection? In your terms it was "a naked attempt to change the outcome of the election."

[1] - https://en.wikipedia.org/wiki/Faithless_electors_in_the_2016...


Calling it partially successful when Clinton lost more electoral votes to faithless electors than Trump did and it had zero impact on the outcome of the election is interesting.

But no, because electors deciding how they cast their votes is a matter of state legislation, not federal, and it is a wildly different thing than the candidate himself trying to install fake electors.

The faithless electors were chosen as part of the political process, and the founders expressly stated that the electors having the freedom to cast their vote was part of the safeguard against mob rule by an uninformed electorate. Hamilton, for example, wrote extensively of this in the federalist papers. This is explicitly one of the reasons why we have the electoral college at all, instead of a popular vote. If anything, I wish they had had the foresight to codify it in the Constitution or Bill of Rights so that states could not prevent it from happening. They wrote extensively of what they wanted the EC to be but did not do enough to make reality match their expectations in a durable manner.

Meanwhile Trump explicitly worked to install a group of illegally selected electors while riling up a mob to attempt to put a halt to the certification.

Trying to compare electors casting their vote based on how the founding fathers envisioned the electoral college as working to a sitting president being involved in a coordinated effort to create and install fake electors, cause the certification of the election to fail by inciting a mob to storm the capitol, and oh, telling Georgia to "find me the votes" is absurd.


It doesn't matter the margin by which Clinton lost. The point of trying to turn the electors is that the US constitution requires a candidate receive a majority of electoral votes. If nobody does, then the House of Representatives gets to determine who becomes President. And they came far closer to overturning the election than some guys rioting around the Capitol did, since there was a viable path towards the goal.

Your perception of the electoral college is somewhat biased. The college itself serves a practical purpose - elections in the US are extremely decentralized by design. States can do pretty much whatever they want, only later constrained by various constitutional amendments. So when a state A gives you a number, that number does not necessarily mean the same thing as when state B does the same. The electoral college normalizes election results by requiring each state to convert their numbers into a common format. And instead of relying on the Federal government trying to deal with millions of votes, it's only 538.

Similarly, the scheme in support of Trump was not only not illegal, but even anticipated by the electoral count act which made it such that if the House/Senate disagreed with votes included or excluded by the Vice President, then they were free to overrule it by a simple majority vote. The VP's role was then later changed to a purely ceremonial one in a new law passed in 2022, largely to prevent this angle in the future.


And you're still trying to compare mechanisms that exist within the system and are codified with someone attempting to operate entirely outside of it. And no, they weren't far closer at achieving their goal - they didn't get anywhere near the number of required faithless electors and were never going to get anywhere near the required number of faithless electors. Meanwhile, attempting to delay or totally obstruct the certification allowed for several pathways that Trump and his team viewed as potentially viable. Hell, just convincing Raffensperger to do what Trump wanted him to do would have also gotten him most of the way there.

And yes, obviously part of the point of the EC is dealing with a smaller number of votes instead of every vote. None of that is a counterargument to what I said. Again, the founding fathers literally wrote about how faithless electors were a feature and not a bug in their eyes. There's a reason they had the 'Hamilton Electors' moniker.


They tried to seize the certificates ... if some quickwitted and brave staffers hadn't quickly spirited them away, they would have.

So if someone emailed Pence and said they would stab him if he certified the election would that be an insurrection? They are attempting to influence him to change the result of the election.

Surely the level of organization and possibility of success need to be taken into consideration? Otherwise every moron with a social media account or a sign could be guilty of insurrection.


A single bot did not email him. They went 1000 strong in person, were armed, and people died.

Congresspeople either intimidated or emboldened into rejecting some or all of the state electors to annul the actual electoral result and declare Trump the 46th president. We know this was the outcome Donald Trump wanted because he said so several times.

I assume the individuals that brought zip ties had more specific plans for the elected officials they didn't approve of.

It wasn't a well-planned insurrection, but neither was Yoon Suk Yeol's.


Wearing costumes establishes costumes and illustrates the joviality of at least a portion of the attendees of the event. It would be odd to say that it is immaterial that you went to a concert or a restaurant or any place really, and lots of people were dressed as Vikings, or as SWAT, etc.

It's immaterial insofar as the US Capitol is not, in fact, a concert or restaurant.

(And similarly, it should be clear that an insurrection's nature doesn't depend on whether the crowd is jovial or not.)


It was a happy guillotine. The French are also off the hook because they were so damn happy to be guillotining people.

"Majority" could mean a few things; I wouldn't be surprised if the majority of discovered memory bugs are spatial, but I'd expect the majority of widely exploited memory bugs to be temporal (or pseudo-temporal, like type confusions).

> it’s illegal to open new hospitals without the permission of the government.

This doesn't seem surprising on its face given that a hospital is, not unreasonably, a heavily regulated entity.


“on its face” is doing the heavy lifting here. Banking is highly regulated but you don’t need government permission to open new branches. The food supply chain is heavily regulated but you don’t need government permission to start new restaurants.

The supply of medical care, from operating rooms to doctors themselves, is heavily controlled by the state. There are billions, perhaps trillions of dollars that would flow into reducing the cost and increasing the availability of high quality medical care in the US if this were not so.

The demand is through the roof and will continue to rise. But the right to supply is only handed out to cronies.


> Banking is highly regulated but you don’t need government permission to open new branches.

The closer economic unit would probably be a bank itself, and to my understanding you do effectively need the government’s permission to open one of those.


> don’t need government permission to start new restaurants

Zoning, construction permits, occupancy permits, patio permits, food licenses, liquor licenses, health inspections, dumpster permits, etc.


All of those are normal things for operating any business, and are not limited in the usual case.

Liquor licenses notwithstanding.

There is no default-deny for getting a business license or opening a restaurant in a commercially zoned area, anyone can do it. Licensing and permission aren’t quite the same thing.


It also doesn't work on desktop Safari 26.2 (or perhaps it does, but not to the extent intended -- it appears to be trying to download the entire response before any kind of content painting.)

I think this is great advice. One thing that I think is simultaneously trite and under-appreciated is the degree to which writing itself drives strong memory formation, even if the notes themselves aren’t particularly good or detailed. I’ve been keeping technical notebooks for about a decade now, and I’ve found that I can open up to almost any page and remember exactly what I was thinking when I scrawled on it. By contrast, things I write in Obsidian need much more context (i.e. detail) to remind me what I was thinking.

> under-appreciated is the degree to which writing itself drives strong memory formation, even if the notes themselves aren’t particularly good or detailed.

Exactly!

See https://hackernews.hn/item?id=46986532


That link demonstrates that he deserved a domestic abuse charge, not that he was a communist. I think the latter is still a smear, insofar as the (speculated) author is seeking justice through any avenue afforded.

(I should note that I have never particularly liked or cared about Feynman or any of the 20th century cult-of-personality physicists.)

