Hacker News: hiharryhere's comments

Government isn’t perfect but I’d be interested to know what alternative you propose?


a) Incarceration time for IT execs and responsible engineers.

b) Let companies go out of business once they fail to protect their own crucial data.

None of that is possible.


Responsible for what? If the government does not mandate any behavior, what basis does it have to incarcerate anyone?


Those are only punishments, which are shown to not work. Solutions are needed.


So you are not proposing anything real then? I can pull "magic indestructible backup solution" out of my arse, too :(


No propositions at this point. I have no idea how to fix the problem.


Is it? It would be incredible if the government didn’t have specific requirements for critical infrastructure.

Say you’re an energy company and an incident could mean that a big part of the country is without power, or you’re a large bank and you can’t process payroll for millions of workers. Their ability to recover quickly and completely matters. Just recently in Australia an incident at Optus, a large phone company, prevented thousands of people from making emergency calls for several hours. Several people died including a child.

The people should require these providers behave responsibly. And the way the people do that is with a government.

Companies behave poorly all the time. Red tape isn’t always bad.


Bundler already does this.

  # From a specific branch (mutable: the branch head moves with every push)
  gem 'my_gem', git: 'https://github.com/user/my_gem.git', branch: 'development'

  # From a specific tag (mutable: a tag can be deleted and re-pointed)
  gem 'my_gem', git: 'https://github.com/user/my_gem.git', tag: 'v1.2.3'

  # From a specific commit (ref); a real value is the full 40-hex commit SHA.
  # The SHA below is a placeholder, not a real commit.
  gem 'my_gem', git: 'https://github.com/user/my_gem.git', ref: '0123456789abcdef0123456789abcdef01234567'


Yes, I know bundler does that. But I thought we were talking about urn instead of uri. Seems I was mistaken.


If supply chain integrity is the issue specifically for Shopify, couldn’t they run their own private, internally facing gem repository and whitelist everything that goes there? It’s not a requirement to use the public rubygems.


They probably thought it would be easier to takeover rubygems than ensure every dev and every machine for every possible ruby tool could be and is pointed at the internal gem repository.

Let's be paranoid for a moment. What if there's a supply side attack on a gem used by Homebrew. That's basically installed on every dev machine, auto-updates automatically/silently, could have sudo, that no one would care or even know how to point at a private gem repository.
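The two threads above (pinning git-sourced gems to a branch, tag or commit, and running an internal gem repository that allowlists what may be pulled in) can be checked mechanically. The script below is an added example for this page, not code from the thread, from Bundler or from Shopify: it classifies each git-sourced gem in a Gemfile by whether it is pinned to an immutable commit SHA, and it flags any `source` or `git:` URL whose host is not on an allowlist. The sample Gemfile, the hostnames `gems.internal.example` / `git.internal.example`, the gem names and the `ALLOWED_HOSTS` list are all constructed placeholders, and the parser is a line-based heuristic for plain `gem`/`source` lines rather than a full evaluation of the Gemfile DSL.

```ruby
# Added example (not from the thread or from Bundler): audit a Gemfile for
# (1) git sources that are not pinned to an immutable commit SHA and
# (2) fetch URLs whose host is not on an internal allowlist.
require 'uri'

# Constructed sample Gemfile; hosts, gem names and the SHA are placeholders.
SAMPLE_GEMFILE = <<~GEMFILE
  source 'https://gems.internal.example'
  source 'https://rubygems.org'

  gem 'my_gem', git: 'https://github.com/user/my_gem.git', branch: 'development'
  gem 'other_gem', git: 'https://git.internal.example/team/other_gem.git', tag: 'v1.2.3'
  gem 'pinned_gem', git: 'https://git.internal.example/team/pinned_gem.git', ref: '0123456789abcdef0123456789abcdef01234567'
  gem 'short_gem', git: 'https://git.internal.example/team/short_gem.git', ref: 'a1b2c3d'
  gem 'loose_gem', git: 'https://github.com/user/loose_gem.git'
  gem 'rails'
GEMFILE

# Hosts the organisation has agreed to fetch code from (hypothetical list).
ALLOWED_HOSTS = %w[gems.internal.example git.internal.example].freeze

# A full git object id: 40 hex digits. Anything else is resolvable but mutable
# or (for abbreviated ids) not collision-resistant.
FULL_SHA = /\A\h{40}\z/

# Git-sourced gems as name => { url:, pin:, value: }, where pin is
# :sha (immutable), :short_ref, :branch, :tag or :none (tracks default branch).
def git_gems(gemfile_text)
  gemfile_text.each_line.with_object({}) do |line, acc|
    line = line.strip
    next unless line.start_with?('gem ') && line.include?('git:')
    name = line[/\Agem\s+['"]([^'"]+)['"]/, 1]
    opts = line.scan(/\b(git|branch|tag|ref):\s*['"]([^'"]*)['"]/).to_h
    pin = if opts['ref']
            opts['ref'].match?(FULL_SHA) ? :sha : :short_ref
          elsif opts['branch'] then :branch
          elsif opts['tag']    then :tag
          else :none
          end
    acc[name] = { url: opts['git'], pin: pin,
                  value: opts['ref'] || opts['branch'] || opts['tag'] }
  end
end

# Git-sourced gems whose content can change underneath a build.
def mutable_git_gems(gemfile_text)
  git_gems(gemfile_text).reject { |_, g| g[:pin] == :sha }.keys
end

# Every URL the Gemfile would fetch from: `source` lines plus git: URLs.
def fetch_urls(gemfile_text)
  sources = gemfile_text.scan(/^\s*source\s+['"]([^'"]+)['"]/).flatten
  sources + git_gems(gemfile_text).values.map { |g| g[:url] }
end

# Fetch URLs whose host is not on the allowlist.
def disallowed_sources(gemfile_text, allowed = ALLOWED_HOSTS)
  fetch_urls(gemfile_text).reject { |u| allowed.include?(URI(u).host) }
end

if __FILE__ == $PROGRAM_NAME
  puts "mutable git gems:      #{mutable_git_gems(SAMPLE_GEMFILE).join(', ')}"
  puts "sources off allowlist: #{disallowed_sources(SAMPLE_GEMFILE).join(', ')}"
end
```

Two caveats on what this checks. Bundler records the resolved commit of every git source in `Gemfile.lock` (the `revision:` line under each `GIT` section), so a committed lockfile pins branch and tag sources too; the Gemfile check above is about declared intent, and the lockfile is what actually gets installed. And a host allowlist in the Gemfile only covers the one project; Bundler's mirror setting (`bundle config mirror.https://rubygems.org <internal URL>`) is the per-machine way to redirect the public source to an internal repository, which is exactly the "every dev and every machine" problem the comment above raises.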


It was my understanding that they wanted to use Nix to solve this problem.


I too am scratching my head at this. If the problem is the outside community could be a risk, just do not drink from the firehose. Have processes in place to slowly vet and bring the outside world indoors.

Then again, that is not a very web scale suggestion.


I don't understand how "well let's just manage the entire ecosystem" could help this problem.


That's not what I said. I was responding to the parent comment's statement that "I’m assuming there’s a ton of reputational risk in this move" by noting that, in relative terms, this likely isn't something people are paying attention to outside a very, very narrow universe.


Wild, abundant and loud


You might want to reread that page.

“1,000,000,000,000, i.e. one million million, or 10¹² (ten to the twelfth power), as defined on the short scale. This is now the meaning in both American and British English.”


You're very right. I was confusing trillion and billion.


Not defending it… but Australia has done this for decades.

https://en.m.wikipedia.org/wiki/Pacific_Solution

Most famously on Nauru https://en.m.wikipedia.org/wiki/Nauru_Regional_Processing_Ce...


and it is absolutely fucked that we do it


As Colbert said… Reality has a well known liberal bias.


The fixation on being anti-woke is deeply disturbing, considering the origins of the term.


Hush now, go back to sleep...


Dell as the name of the laptop itself makes no sense. Like Apple replacing ‘MacBook’ with ‘Apple’.


I’ve used this for a side project. Coupled with Litestream for backups it’s awesome.

I would 100% recommend.

