ways to UnsuckJS, we need more RMS, package hallucination threat, Eleventy back on the side, defining open source, the Lindy Effect, GCP deserves the side eye & more

You are viewing issue #50 of the Changelog News(letter). Pop in your inbox every Monday.

Changelog News

Developer news worth your attention

Hello again! 👋

Turns out Android has a secret browser hidden inside the settings that has no history and bypasses parental controls. Don’t tell the kids! They’re the only humans sufficiently motivated to follow the 8 required steps to launch it.

Ok, let’s get into the news. Audio here. 🎧


AI has poisoned its own well

The potential for model collapse seems if true; then echo "big"; fi

Tracy Durnell:

I suspect tech companies (particularly Microsoft / OpenAI and Google) have miscalculated, and in their fear of being left behind, have released their generative AI models too early and too wide. By doing so, they’ve essentially established a threshold for the maximum improvement of their products due to the threat of model collapse. I don’t think the quality that generative AI will be able to reach on a poisoned data supply will be good enough to get rid of all us plebs.

I wondered aloud about this when we first discussed Stable Diffusion last September. Back then it was an open question. Now it seems we’re getting some answers and the outlook is not good:

We find that use of model-generated content in training causes irreversible defects in the resulting models, where tails of the original content distribution disappear. We refer to this effect as Model Collapse and show that it can occur in Variational Autoencoders, Gaussian Mixture Models and LLMs.

Since there’s no consistent system for marking up generated content online as computer generated, the toothpaste is already being squeezed from its proverbial bottle.

Because of this approach, 2022 and 2023 will be essentially “lost years” of internet-sourced content, even if they can establish a tagging system going forward — and get people hostile or ambivalent to them to use it.

Everything you need to UnsuckJS

This is a cool microsite from Adam Hill that catalogs the many (20+) JavaScript libraries that progressively enhance HTML and cost 10KB or less to deliver to your clients. “No build tools, no compilers, and no hassle.”

I’d love to see it go beyond the basic information and table format it currently has. But still, I’m a huge fan of this “less JS” movement and there are some high quality libraries featured here (and some I’d never heard of!) and having them all in one place is a win.

Related: Too Much JavaScript? Why the Frontend Needs to Build Better

We need more of Richard Stallman, not less

After a big fat disclaimer differentiating the man’s philosophy from the man himself, Ploum (a.k.a. Lionel Dricot) writes:

RMS was right since the very beginning. Every warning, every prophecy realised. And, worst of all, he had the solution since the start. The problem is not RMS or FSF. The problem is us. The problem is that we didn’t listen.

What was RMS the most right about, according to Ploum? Copyleft. But his theory had a weakness: copyleft itself wasn’t part of the four freedoms it secured.

Read the piece, which includes Ploum’s suggested amendment (one obligation) to RMS’ four freedoms of free software. Then think carefully about how you release your future software into the world.

Code-level application performance monitoring

Thanks to Sentry for sponsoring this week’s Changelog News 💰

Just because you don’t record a problem doesn’t mean it didn’t happen.

Stay ahead of latency issues and trace every slow transaction to a poor-performing API call or database query. Sentry is the only developer-first application monitoring platform that shows you what’s slow, down to the line of code. But don’t take their word for it. Matthew Egan (Engineering Team Lead at DiviPay) has this to say about it:

Unlike past tools we’ve used, Sentry provides the complete picture. No more combing through logs — Sentry makes it incredibly easy to find issues in our code to deliver a much smoother payment experience and a better overall customer experience.

Learn more right here and try out their interactive sandbox too.

Can you trust ChatGPT’s package recommendations?

Here’s a brand new security threat vector:

In our research, we have discovered that attackers can easily use ChatGPT to help them spread malicious packages into developers’ environments.

Fun times. They’re calling this “AI package hallucination” and it relies on the fact that ChatGPT (et al) sometimes answers questions with hallucinated sources, links, blogs and statistics. It’ll even generate questionable fixes to CVEs and offer links to libraries that don’t actually exist!

When the attacker finds a recommendation for an unpublished package, they can publish their own malicious package in its place. The next time a user asks a similar question they may receive a recommendation from ChatGPT to use the now-existing malicious package. We recreated this scenario in the proof of concept below using ChatGPT 3.5.

Be careful out there…
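The defensive counterpart to the scenario quoted above is a pre-install check that refuses names the registry has never seen and flags ones that appeared only recently. This is an added example, not code from the newsletter or from the research it quotes; it uses the real PyPI JSON API shape, while the age/release thresholds and the sample records are constructed.

```python
"""Vet a package name an LLM suggested before installing it.

Added example, not from the newsletter or the research it quotes. A name the
registry has never seen is a hallucination (do not install it); one that exists
but was first uploaded very recently with few releases is flagged for review.
Metadata shape follows PyPI's JSON API (GET /pypi/<name>/json); thresholds and
the sample records below are constructed.
"""
import json
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_AGE_DAYS = 90   # constructed policy values; tune to your risk appetite
MIN_RELEASES = 3

def fetch_pypi_metadata(name: str) -> Optional[dict]:
    """Return PyPI's JSON record for `name`, or None when PyPI answers 404."""
    try:
        with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def first_upload(meta: dict) -> Optional[datetime]:
    """Earliest upload time across every file of every release."""
    times = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
             for files in meta["releases"].values() for f in files]
    return min(times) if times else None

def vet(meta: Optional[dict], now: datetime) -> str:
    """Classify registry metadata as 'hallucinated', 'suspicious' or 'ok'."""
    if meta is None:
        return "hallucinated"
    first = first_upload(meta)
    releases = sum(1 for files in meta["releases"].values() if files)
    too_new = first is None or now - first < timedelta(days=MIN_AGE_DAYS)
    return "suspicious" if too_new or releases < MIN_RELEASES else "ok"

# Constructed sample records, in the shape of the live API's "releases" field.
NOW = datetime(2023, 6, 12, tzinfo=timezone.utc)
ESTABLISHED = {"releases": {
    "1.0.0": [{"upload_time_iso_8601": "2019-03-01T10:00:00.000000Z"}],
    "1.1.0": [{"upload_time_iso_8601": "2021-07-15T10:00:00.000000Z"}],
    "2.0.0": [{"upload_time_iso_8601": "2023-01-20T10:00:00.000000Z"}]}}
JUST_REGISTERED = {"releases": {
    "0.0.1": [{"upload_time_iso_8601": "2023-06-11T10:00:00.000000Z"}]}}
```

Wire `vet(fetch_pypi_metadata(name), datetime.now(timezone.utc))` in front of the install step; anything other than `"ok"` should stop the install and go to a human.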


😎 Meme break

This will help you get in the right mindset for Wednesday’s interview with Taylor Troesh, who wrote 11 Ways to Shave a Yak.

Another day, another yak shave on YouTube


Eleventy is a side project once again

Eleventy creator Zach Leatherman announced that Netlify is no longer sponsoring the popular static site generator’s full-time development.

Eleventy will continue forward in a reduced (and more focused) capacity. We’ll have to make some tough prioritization decisions which may include deprecation (or community-ownership?) of some of our official plugins (as always obeying semantic versioning principles).

It was super cool that this was able to happen in the first place (we talked to Zach about that on JS Party)! But the times, they are a-changin’ and we have no choice but to change with them. Thankfully, Zach is as committed as ever:

Realistically it must be acknowledged that this news is a bit of a setback for Eleventy—but importantly I am still personally very passionate about the project’s continued survival. From the very beginning I had an expectation that Eleventy was a ten-year project and we’re on year six of that timeline.

Not that kind of ‘open’

John Gruber weighs in on the preemptive pledge by some Mastodon/Fediverse instance admins to block Instagram’s upcoming ActivityPub-based service:

The whole point of ActivityPub as an open protocol is to turn Twitter/Instagram-like social networking into something more akin to email: truly open. If Facebook were on the cusp of launching a Gmail-like email service, would you preemptively declare that your email server would block them?

Defining Open Source

Turns out that despite ‘open source’ being a globally-understood term-of-art, it’s still remarkably hard to define in simple terms. So, Simon Phipps is taking a crack at it:

This post aims to create a recital-ready definition of open source for use in legislation that embodies the global consensus of its meaning.

He also sets the constraint that he cannot simply refer to the Open Source Initiative because this ‘recital’ is intended to be used by governments that don’t like referring to entities outside their control (go figure). Here’s what he came up with:

Open source software is software released under a license that — by community consensus — grants all rights necessary to use, adapt, share and monetise the software in any way and for any purpose subject only to conditions that can be reasonably satisfied without negotiation with the licensors.

Click through for the rationale. How do you think he did?

Reddit 1.0 was written in Lisp. Read it right now if you want

Shriram Krishnamurthi, after realizing Reddit 1.0’s source code is publicly available:

It’s amazing. You can read the whole thing in one sitting. Even an undergrad could. It’s like the essence of a…Reddit. We took a wrong turn w/ software.

✨ The more you know: The Lindy effect

There was an old folklore amongst New York City media observers in the 1960s that the amount of material a comedian has is constant, so the more TV appearances they make the less future TV appearances they will have. This lore was formalized as Lindy’s Law in a 1964 article of the New Republic.

Benoit Mandelbrot disagreed with this, and re-coined the term in 1984 to mean the opposite. He posited that comedians don’t have a fixed amount of material to spread over TV appearances. “But rather, the more appearances they make, the more future appearances they are predicted to make.”

How does any of this apply to software? Nassim Taleb expanded the Law in his 2012 book Antifragile. Now it is (roughly):

a theorized phenomenon by which the future life expectancy of some non-perishable things, like a technology or an idea, is proportional to their current age. Thus, the Lindy effect proposes the longer a period something has survived to exist or be used in the present, the longer its remaining life expectancy.

Maybe consider this the next time you pick a 3rd-party dependency or SaaS offering…


📡 Other things on the radar

  • try lets you run a command and inspect its effects before changing your live system
  • The Zed team plans to open source Zed on Zed. So they’re building a platform “designed for open-sourcing itself.”
  • Open Assistant is an effort to bring conversational AI to everyone via Apache licensed code and models
  • Revolt is a FOSS Discord alternative. Worth a try if you have open community/closed platform dissonance
  • Scrapscript is a shareable programming language that we’ll discuss in some depth on this week’s show
  • Autolabel is a Python library to label, clean and enrich text datasets with any LLM of your choice
  • Rift is an AI-native language server (and IDE extension) to deploy your personal AI software engineer
  • MDN now has an in-browser playground of their own. A good idea, but maybe a few years late.

⚖️ Opinions worth considering

Jonathan Norris thinks WebAssembly runtimes will replace container-based runtimes by 2030:

The advantages of WebAssembly, with its tight security model, very fast boot-up time, scalability at the edge, much smaller footprints & portability across environments will really drive a shift away from container-based runtimes for things like Kubernetes and edge workloads by 2030. There’s a ton of energy around making this happen within the WebAssembly community.

Chris Siebenmann believes everything that uses configuration files should report where they’re located:

As a system administrator I deal with a lot of different programs that use configuration files, most of which have their own normal locations for those files. Sometimes this is a system wide location, sometimes this is a per-user location, and some have both. I’m sure that all of these locations are obvious to people who deal with the particular program regularly, but I don’t (always) do that. Some programs I touch only rarely, and others can be built differently on different systems. Naturally, I don’t remember where their configuration files are located on this system today, so I wind up having to find this out somehow…

Gergely Orosz has decided that GCP deserves the side eye:

Any responsible CTO should now assign a much higher risk to Google shutting down GCP than to Amazon doing this with AWS, Microsoft with Azure, or Oracle with OCI.

Google made ~$180M selling Google Domains, but the damage to its cloud business will be much, much bigger, IMO.



That is the news for now!

On Wednesday I’m talking yak shaves, system architecture, -10x devs & more with Taylor Troesh. And on Friday Kelsey Hightower joins Adam and me on Changelog & Friends!

Have a great week, forward this email to your peers who might dig it & I’ll talk to you again real soon.

–Jerod