
Page is gone.

Archived copy: https://web.archive.org/web/20260105115129/https://devblogs....

It is very worrying that people with no ethics work for these trillion dollar companies who are supposed to be shaping the technology of tomorrow.


>no ethics

Disrespecting the copyright on a multi-billion dollar franchise hardly comes close to the major unethical behavior the trillion dollar companies are committing.


I am more worried about the lack of any thought that this one might be a bad idea. If the people going through a very selective hiring process can't even figure out that publicising an article based on copyright theft is a bad idea, what is going on with actually impactful decisions?

Exactly. I don't understand why so many people think the maintainer has some obligation to accept the funds even when they aren't comfortable doing so. The terms of engagement changed. The decision changed. If they want to forgo the money, they have every right to forgo the money.

The maintainer has no obligation to accept funds. But the maintainer does have an obligation not to post that they "lost their funding" from FLOSS when it is they themselves who have refused it (on whatever grounds).

This isn't a simple grammar mistake by someone who may not use English as their first language. There is a blame game going on here which is the only unethical thing going on in the situation.


Possibly there should not be a front page article on the topic, though, with a title alleging worse than the facts substantiate.

Agree

> if you are going to do something for a living, make sure it is NOT scalable.

Great advice but difficult to action though.

I mean, 10 years back I'd have thought programming is that thing which is not scalable. I had every reason to believe that. It required skill, experience, the ability to stay current, grit for debugging hard stuff. Much of it can be automated now.

What can I pick now for a living that is not scalable today, that some future technology would automate just as easily?


You never wrote any scripts to write code?

So is there anything that would actually satisfy the crowd here?

Offer $25K and it is "How dare a trillion dollar company pay so little?"

Offer $250K and it is "Hmm. Exception! Must be marketing!"

What precisely is an acceptable number?


One is a lament that the industry average is so low, and the other is… a lament that the industry average is so low. What's the problem?

An increase in the average bug payout. Bounty programs pay low on average.

A number better than what the exploit could be sold for on the black market.

I don't believe those numbers will ever come close to converging, let alone bounty prices surpassing black market prices.

It seems like these vulnerabilities will always be more valuable to people who can guarantee that their use will generate a return than to people who will use them to prevent a theoretical loss.

Beyond that, selling zero-days is a seller's market where sellers can set prices and court many buyers, but bug bounties are a buyer's market where there is only one buyer and pricing is opaque and dictated by the buyer.

So why would anyone ever take a bounty instead of selling on the black market? Risk! You might get arrested or scammed selling an exploit on the black market. Black-market buyers know that, so they price it into their offers.


Even though I agree with the conclusion with respect to pricing, I don't think this comment is generally accurate.

Most* valuable exploits can be sold on the gray market - not via some bootleg forum with cryptocurrency scammers or in a shadowy back alley for a briefcase full of cash, but for a simple, taxed, legal consulting fee to a forensics or spyware vendor or a government agency in a vendor-shaped trenchcoat, just like any other software consulting income.

The risk isn't arrest or scam, it's investment and time-value risk. Getting a bug bounty only requires (generally) that a bug can pass for real; get a crash dump with your magic value in a good looking place, submit, and you're done.

Selling an exploit chain on the gray market generally requires that the exploit chain be reliable, useful, and difficult to detect. This is orders of magnitude more difficult and is extremely high-risk work not because of some "shady" reason, but because there's a nonzero chance that the bug doesn't actually become useful or the vendor patches it before payout.

The things you see people make $500k for on the gray market and the things you see people make $20k for in a bounty program are completely different deliverables even if the root cause / CVE turns out to be the same.

*: For some definition of most, obviously there is an extant "true" crappy cryptocurrency forum black market for exploits but it's not very lucrative or high-skill compared to the "gray market;" these places are a dumping ground for exploits which are useful only for crime and/or for people who have difficulty doing even mildly legitimate business (widely sanctioned, off the grid due to personal history, etc etc.)

I see that someone linked an old tptacek comment about this topic which per the usual explains things more eloquently, so I'll link it again here too: https://news.ycombinator.com/item?id=43025038


> So why would anyone ever take a bounty instead of selling on the black market? Risk!

I like to believe there are also ethics involved in most cases.


Systems that rely on ethical behaviour to function generally don't last long.

That is why I said "also", it should not be the only factor.

The conversation was moving between two possibilities only: either collect bug bounties or sell on the black market. I believe most (again: most, not all) security researchers collecting bug bounties right now would not start selling on the black market in case bounties disappeared. They would change their focus to something else to sustain themselves.


The market is priced at the point that is the most economic for the business. Apple buying an exploit for $100m is not worth it (to Apple) vs the potential loss of life of people who might be killed if it is sold on the black market. Buying an exploit for 1m prevents it being used to jailbreak, is good PR, and is ass-covering PR insurance in case an Apple exploit causes loss of life ('the seller could have sold to us, but instead they sold it to an evil corporation').

Not sure why you're getting downvoted. It's the unfortunate reality.

You can work your day job and make $20-500k/yr or pursue drug dealing and make $5-5000k/yr. I don’t think that’s actually a compelling argument for the latter even if the opportunity cost is better.

Drugs are illegal, exploits are not illegal. Selling them to someone associated with illegal activity is probably illegal, but there is a legitimate fully legal exploit market with buyers like intelligence agencies, and an illegal market with buyers that run oppressive regimes and commit genocide.

> Why do none of you understand that this is for Anna's archives official torrents only?

Because you are on the site where people who have no understanding of the domain or the problem still feel it necessary to share their opinion on things they don't understand.


> Yup, there would have been much less Git buy-in if it weren't for git flow

I don't buy this. I've never used git-flow in my life. No team I've worked for has ever used git-flow. Yet all of us have been using Git for ages. Git has been hugely successful independently, and different teams follow different Git workflows. Its success has got very little to do with git-flow.


>I don't buy this.

It's not really debatable. Git flow came about because of SVN / CVS practices and was the first and for many still is THE branching model they use.

>Yet all of us have been using Git for ages

You say "all of us" but then you completely ignore the primary branching model the vast, vast majority of people use on Git.

Just for the record, this isn't being stated in support of git-flow it's just a historical fact that's not really debatable.


> the primary branching model the vast, vast majority of people use on Git.

> it's just a historical fact that's not really debatable.

Over my last 15 years of software dev, I have _never_ heard of anyone actually using Gitflow in their codebase.

I'm not saying you're wrong. My experience is anecdotal. But I don't know why you say it's a "fact". Were there surveys or anything?


I'm not questioning your experience, but how "enterprise" is that experience? Gitflow was no small part of my convincing my company to move off TFVC. I doubt they still use it, but it was shallow waters for scared folk.

I strongly doubt that my story, just as much as yours, is unique.


> It's not really debatable.

Very weird for you to start a reply like this when we are literally debating it.

> You say "all of us"

Yes, I mean those of us who don't use git-flow. That's what I meant by "all of us".

> ignore the primary branching model the vast, vast majority of people use on Git.

Do you live in a git-flow bubble or what? I've been using VCS since the dark ages of CVS. Moved to SVN. Mercurial. Git. Never worked in a team using git-flow. Never used git-flow myself. Never met anyone IRL who uses git-flow. I only read about these things on HN and blogs.

What kind of stats do you have to claim that this is the primary branching model? If I go by my experience, it's a minority branching model that only people living within the bubble care about.

> it's just a historical fact that's not really debatable.

What is a historical fact? That people use git-flow. Nobody is contesting that. What I am contesting is that the success of Git is not connected to git-flow like the great-grandparent comment said.


I'm not debating it... we're not debating it. You're having it explained to you.

>If I go by my experience

That would be the very definition of a bubble.


This is one of the most ridiculous comments I've ever read on Hacker News. You really think git became popular because someone wrote up a branching convention for it?

Git became popular because it was one of the first two open source distributed version control systems. Compared to the least-bad open source (non distributed) version control system before, SVN, the native branches and the ability to have a local copy of the whole tree were self evidently a revolution.

(The other one was Mercurial by the way, released at almost exactly the same time as git. Partly git won that race because of the cachet of being written by Torvalds and being used for the kernel, but I suspect mainly it was due to the existence of GitHub.)

Aside from the above, it's also just clearly not true that git flow was particularly common. It's no good claiming anyone that disagrees is in a bubble. We all have access to GitHub! Look for yourself at some random repos (and make sure you sample a few different languages). It will verify my experience of looking at dozens, probably hundreds, of repos over many years: the number of people using git-flow is, to a first order approximation, roughly zero.


> I'm not debating it... we're not debating it. You're having it explained to you.

You have not explained anything.

> That would be the very definition of a bubble.

Just as is your bubble.


> Every PR needs to be reviewed.

Why would you review a PR that you are never going to merge?


You have to first determine whether or not you might want to merge it...

Having not reviewed it, how do you know you are never going to merge?

If a PR claims to solve a problem that I don't need, then I can skip its review because I'll never merge it.

I don't think every PR needs reviewing. Some PRs we can ignore just by taking a quick look at what the PR claims to do. This only requires a quick glance, not a PR review.


I took this thread as asking whether PRs that are pulled in should be reviewed.

I tested with the 3 major browsers and all 3 block it as "Suspected Phishing". So looks like the system is working as designed.

Lookalike websites serving malware have always existed. So this isn't exactly news. But the browsers are blocking them like they should.


Weirdly, in Firefox 7zip.com is blocked but www.7zip.com isn't. If you type '7zip' in the address bar and then press Ctrl+Enter to go to the address, you'll get owned, because that key-combo adds the www at the beginning.
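The mismatch described above (7zip.com blocked, www.7zip.com not) is what happens when a blocklist compares raw hostnames. As an added example, not code from any commenter or from Firefox, here is the host canonicalization a defender-side blocklist needs so that a domain entry also covers its www. form and any other subdomain. The blocklist contents are constructed for the example, the Ctrl+Enter expansion is modelled from the comment's description, and 7-zip.org is assumed to be the legitimate .org site the thread refers to.

```python
from urllib.parse import urlsplit

# Constructed blocklist for this example; 7zip.com is the lookalike named in the thread.
# Entries are registrable domains, never bare TLDs such as "com".
BLOCKLIST = {"7zip.com"}


def canonical_host(url: str) -> str:
    """Return the lowercase hostname of a URL with any port and trailing dot removed.

    Bare inputs such as '7zip.com' or 'WWW.7ZIP.COM:8080' are accepted by
    assuming an http:// scheme, which is what an address bar does.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""  # hostname is already lowercased and port-free
    return host.rstrip(".")


def is_blocked(url: str, blocklist=BLOCKLIST) -> bool:
    """True if the URL's host is a blocklisted domain or any subdomain of one.

    www.7zip.com is checked as 'www.7zip.com', then '7zip.com', then 'com',
    so it matches the same entry as the bare domain. Suffix tricks such as
    '7zip.com.evil.example' do not match because only parent domains are tried.
    """
    labels = canonical_host(url).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def ctrl_enter_expand(typed: str) -> str:
    """Model of the address-bar shortcut from the comment above: Ctrl+Enter
    wraps a bare word in 'www.' and '.com'. (Assumed behaviour for the example.)"""
    return f"www.{typed}.com"


if __name__ == "__main__":
    for candidate in ("7zip.com", ctrl_enter_expand("7zip"), "https://7-zip.org/"):
        print(candidate, "->", "blocked" if is_blocked(candidate) else "allowed")
```

The point of trying each parent domain rather than doing an exact string compare is that a single entry for the registrable domain covers www., download., and any other label an attacker prepends, while the legitimate 7-zip.org stays unaffected.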

Yes, and I think this case gets somewhat more notoriety because the phishing site has the .com domain and the legitimate one has a .org.

Like it or not, .com adds perceived trustworthiness and works as a branding signal, especially in these times of VCs throwing large amounts of money at branding and buying 3 to 6 letter .com domains, but a small project like 7zip cannot afford that kind of expense.


This looks great. Your https://minifeed.net/about page is really nice too. Well done! You should make it a top level post if you haven't already.

I've been meaning to do this for a year now, still feel like there are things to improve before I do that :)

> it just feels so low effort when it's just "look what AI made"

I don't know how many more of these posts will hit the HN front page. It's like this forum has been taken over by vibecoder sloppers. What is the intellectual curiosity in "Look, AI made this stuff" if there is not even an analysis of what was done? What are we supposed to learn from it or be curious about? Yet these posts keep hitting the front page every day.


"Taken over" incorrectly suggests that they weren't already among us. HN has had a significant population for many years now who were unashamed to say they only became software developers for the high pay, had no interest in playing around with computers, coding, or hacking beyond the minimum needed for their career, and never valued or used their CS education. Now these never-wanted-to-be-coders have AI tools that let them not code, and they celebrate AI successes as vindication of their preference for not-coding.

Hello throwaway150 and ThrowawayR2,

I wanted to share the demo to show what's possible with Claude Code in a short window of time (I only started building this on Friday evening, and I've spent probably no more than 6-7 hours in total this weekend on it).

Point taken on not doing a write-up on this. I think I will write a blog post about my approach and learnings and then share later. I'll let you know once it is up.

I thought it might be worth sharing that I'm a fullstack developer with about 20 years of industry experience, but I didn't study CS at university, I studied Management & Systems instead (Business Studies with Maths, learning about Linear Programming, Time-Series Forecasting, Critical Path Analysis, Monte-Carlo Simulations, and Systems Thinking).

I have a GitHub profile here so you can see all the open source software I've written over the years: https://github.com/paulbjensen.

I'm also the author of Manning Publications' "Cross Platform Desktop Applications", a book about Electron and NW.js. https://manning.com/jensen.

I still write code in my day job, but I'm having a lot of fun creating PoCs with Claude Code in my spare time.

And if that description about a category of HN users who only became software developers for the high pay was referring to me, I thought it would be worth mentioning that my friends at university in London back in 2006 went into Investment Banking as that had the high pay, but I took a different route and became a self-taught programmer.

I never did it for the high pay (it didn't exist in London back then). I did it because I grew up around computers (my dad was a software and hardware engineer), and I realised that I love creating things with them.


Keep flagging it and it will hopefully go away :)

