I pointed it at the library's git and let it run from there! I validated all the output (vuln description, risk assessment, exploit poc, patch) before reporting to maintainers
The crux of it is that it's more useful to give someone a harsh truth that will help them grow (in a tactful way, while conveying that you care about them personally) rather than trying to be nice but ultimately not helping them course correct.
When people are so generously out there "helping people grow" in tactful ways, much of the time the benevolent helper doesn't actually know how to do that.
People generally make what they think are rational decisions, it always feels like extreme hubris when someone decides that they know what would be best for someone else. They can't possibly know what reasoning lead to their current course of action. Thats what makes toxic positivity toxic, its people deciding that whatever lead you to have less than a cheerleader level of positivity is irrelevant, your thoughts on the matter are irrelevant, because they know how you should feel about something and want to help you "course correct"
Just to be clear, my comment is talking about toxic positivity in the workplace (I intended to anchor my reply to another related comment) - I agree that toxic positivity regarding other people's more general problems will just minimize their decisions and experiences.
At work however, I've definitely been helped by being given direct advice on things I hadn't even been considering I could be doing better (or doing at all, as a matter of fact). Your take implies a lack of trust in the motive of the other party, which is obviously a deal breaker, and the reason why establishing trust in the first place is required.
What exactly is the valuable service they provide as intermediaries? Why couldn't all taxpayer-funded scientists just publish their (anyway voluntarily peer-reviewed) research on whatever free online platform?
As a taxpayer-funded scientist I publish all of my stuff on arXiv before submitting it to a journal, and it is 100% worthless for my career. If my research is not published in respected journals, other researchers will not bother looking at it, and justly so. Have you tried reading a paper selected at random on arXiv? You'll spend many long hours reading it only to end up realizing that it's garbage (unless you're lucky to realize this from reading the abstract).
Completely agree with your point. But the value here is brought by the reviewing process, which is (at least for CS as far as my knowledge goes) done voluntarily by other researchers, not by the journal itself. So the prestige of particular publishers could easily be shifted towards a free online platform as long as the same people continue to review the publications.
Journals made a lot of sense before the age of the internet, when they actually did have to do a lot of work to coordinate the activity of physically collecting research papers, mailing them for reviews, paying dedicated people for typesetting and so on. Although the cost of all of this has almost vanished now that tools for editing are so accessible and delivery costs are inexistent, publishers still charge ridiculous sums for papers produced mostly from public money simply because of their prestige.
I had actually never checked out any YC demo day presentations, so this post pushed me to do so. I watched about a dozen of them from the latest batches and I must say I did feel that they were very underwhelming.
Sure, I understand that my expectations of how a company looks so early on might be skewed and they have only about 3 minutes, but all the speeches were so templated (stressing ridiculously overhyped market values etc.) that I thought they were really uninspiring. Might be the fault of the VCs who are just looking to randomly jump on the next potentially successful ship endorsed by YC, but I honestly got tired of hearing about the next app that will change the world of X within 10 minutes.
As you mentioned, some of these products have been genuinely amazing and winning lottery tickets that on average bring huge profits to YC, so we should probably look at it more pragmatically rather than expecting them to make the future better.
Completely agree - Gource is also mentioned here and does something similar.
Probably more useful tools are CodeCity and JSCity, that go beyond the layout of the repo and get to the function level, so they are able to give potentially useful insights like coupling or complexity of classes. In any case, there's a long way to go as far as the effort of running these programs actually being worth it.
