Changelog News
Developer news worth your attention
Hello again!
Turns out Android has a secret browser hidden inside the settings that has no history and bypasses parental controls. Don’t tell the kids! They’re the only humans sufficiently motivated to follow the 8 required steps to launch it.
Ok, let’s get into the news. Audio here. 🎧
AI has poisoned its own well
The potential for model collapse seems if true; then echo "big"; fi
Tracy Durnell:
I suspect tech companies (particularly Microsoft / OpenAI and Google) have miscalculated, and in their fear of being left behind, have released their generative AI models too early and too wide. By doing so, they’ve essentially established a threshold for the maximum improvement of their products due to the threat of model collapse. I don’t think the quality that generative AI will be able to reach on a poisoned data supply will be good enough to get rid of all us plebs.
I wondered aloud about this when we first discussed Stable Diffusion last September. Back then it was an open question. Now it seems we’re getting some answers and the outlook is not good:
We find that use of model-generated content in training causes irreversible defects in the resulting models, where tails of the original content distribution disappear. We refer to this effect as Model Collapse and show that it can occur in Variational Autoencoders, Gaussian Mixture Models and LLMs.
Since there’s no consistent system for marking up generated content online as computer generated, the toothpaste is already being squeezed from its proverbial bottle.
Because of this approach, 2022 and 2023 will be essentially “lost years” of internet-sourced content, even if they can establish a tagging system going forward - and get people hostile or ambivalent to them to use it.
Everything you need to UnsuckJS
This is a cool microsite from Adam Hill that catalogs the many (20+) JavaScript libraries that progressively enhance HTML and cost 10KB or less to deliver to your clients. “No build tools, no compilers, and no hassle.”
I’d love to see it go beyond the basic information and table format it currently has. But still, I’m a huge fan of this “less JS” movement and there are some high quality libraries featured here (and some I’d never heard of!) and having them all in one place is a win.
Related: Too Much JavaScript? Why the Frontend Needs to Build Better
We need more of Richard Stallman, not less
After a big fat disclaimer differentiating the man’s philosophy from the man himself, Ploum (a.k.a. Lionel Dricot) writes:
RMS was right since the very beginning. Every warning, every prophecy realised. And, worst of all, he had the solution since the start. The problem is not RMS or FSF. The problem is us. The problem is that we didn’t listen.
What was RMS the most right about, according to Ploum? Copyleft. But his theory had a weakness: copyleft itself wasn’t part of the four freedoms it secured.
Read the piece, which includes Ploum’s suggested amendment (one obligation) to RMS’ four freedoms of free software. Then think carefully about how you release your future software into the world.
Code-level application performance monitoring
Thanks to Sentry for sponsoring this week’s Changelog News
Just because you don’t record a problem doesn’t mean it didn’t happen.
Stay ahead of latency issues and trace every slow transaction to a poor-performing API call or database query. Sentry is the only developer-first application monitoring platform that shows you what’s slow, down to the line of code. But don’t take their word for it. Matthew Egan (Engineering Team Lead at DiviPay) has this to say about it:
Unlike past tools we’ve used, Sentry provides the complete picture. No more combing through logs - Sentry makes it incredibly easy to find issues in our code to deliver a much smoother payment experience and a better overall customer experience.
Learn more right here and try out their interactive sandbox too.
Can you trust ChatGPT’s package recommendations?
Here’s a brand new security threat vector:
In our research, we have discovered that attackers can easily use ChatGPT to help them spread malicious packages into developers’ environments.
Fun times. They’re calling this “AI package hallucination” and it relies on the fact that ChatGPT (et al) sometimes answers questions with hallucinated sources, links, blogs and statistics. It’ll even generate questionable fixes to CVEs and offer links to libraries that don’t actually exist!
When the attacker finds a recommendation for an unpublished package, they can publish their own malicious package in its place. The next time a user asks a similar question they may receive a recommendation from ChatGPT to use the now-existing malicious package. We recreated this scenario in the proof of concept below using ChatGPT 3.5.
Be careful out there…
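A defensive check for the scenario described above, as an added example that is not from the newsletter or the cited research: it vets an assistant-suggested package name against the project's lockfile and a registry snapshot before anything is installed. The registry dictionary, its field names, the package names and the thresholds are all constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed registry snapshot (hypothetical packages and field names).
# In practice this data would come from your package index or internal mirror.
REGISTRY = {
    "acme-http": {"first_release": "2015-03-02", "releases": 84},
    "acme-json-helper": {"first_release": "2023-06-01", "releases": 1},
    "acme-legacy-utils": {"first_release": "2019-01-10", "releases": 12},
}
# Names already pinned in the project's lockfile (constructed).
LOCKED = {"acme-http"}

MIN_AGE_DAYS = 90   # assumed policy threshold
MIN_RELEASES = 3    # assumed policy threshold


def normalize(name):
    """Lowercase and collapse runs of '-', '_' and '.' (PEP 503 style)."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()


def vet(name, today, registry=REGISTRY, locked=LOCKED):
    """Return (verdict, reason) for a package name suggested by an assistant."""
    key = normalize(name)
    if key in locked:
        return "allow", "already pinned in lockfile"
    meta = registry.get(key)
    if meta is None:
        # The name does not exist yet: anyone could register it tomorrow.
        return "block", "not on the index; treat as a hallucinated name"
    first = datetime.strptime(meta["first_release"], "%Y-%m-%d")
    age = (today - first.replace(tzinfo=timezone.utc)).days
    if age < MIN_AGE_DAYS or meta["releases"] < MIN_RELEASES:
        # Freshly published under a plausible name: matches the squatting pattern.
        return "quarantine", f"{age} days old, {meta['releases']} release(s)"
    return "review", "exists but not in lockfile; normal dependency review"


if __name__ == "__main__":
    now = datetime(2023, 6, 12, tzinfo=timezone.utc)
    for suggestion in ["Acme_HTTP", "acme-json-helper", "acme-graph-client"]:
        print(suggestion, "->", vet(suggestion, now))
```

Recording blocked names matters as much as refusing them: a name that is absent today can be published later, so a later install attempt should hit the same policy rather than succeed silently.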
Meme break
This will help you get in the right mindset for Wednesday’s interview with Taylor Troesh, who wrote 11 Ways to Shave a Yak
Eleventy is a side project once again
Eleventy creator Zach Leatherman announced that Netlify is no longer sponsoring the popular static site generator’s full-time development.
Eleventy will continue forward in a reduced (and more focused) capacity. We’ll have to make some tough prioritization decisions which may include deprecation (or community-ownership?) of some of our official plugins (as always obeying semantic versioning principles).
It was super cool that this was able to happen in the first place (we talked to Zach about that on JS Party)! But the times, they are a-changin’ and we have no choice but to change with them. Thankfully, Zach is as committed as ever:
Realistically it must be acknowledged that this news is a bit of a setback for Eleventy - but importantly I am still personally very passionate about the project’s continued survival. From the very beginning I had an expectation that Eleventy was a ten-year project and we’re on year six of that timeline.
Not that kind of “open”
John Gruber weighs in on the preemptive pledge by some Mastodon/Fediverse instance admins to block Instagram’s upcoming ActivityPub-based service:
The whole point of ActivityPub as an open protocol is to turn Twitter/Instagram-like social networking into something more akin to email: truly open. If Facebook were on the cusp of launching a Gmail-like email service, would you preemptively declare that your email server would block them?
Defining Open Source
Turns out that despite “open source” being a globally-understood term-of-art, it’s still remarkably hard to define in simple terms. So, Simon Phipps is taking a crack at it:
This post aims to create a recital-ready definition of open source for use in legislation that embodies the global consensus of its meaning.
He also sets the constraint that he cannot simply refer to the Open Source Initiative because this “recital” is intended to be used by governments that don’t like referring to entities outside their control (go figure). Here’s what he came up with:
Open source software is software released under a license that - by community consensus - grants all rights necessary to use, adapt, share and monetise the software in any way and for any purpose subject only to conditions that can be reasonably satisfied without negotiation with the licensors.
Click through for the rationale. How do you think he did?
Reddit 1.0 was written in Lisp. Read it right now if you want
Shriram Krishnamurthi, after realizing Reddit 1.0’s source code is publicly available:
It’s amazing. You can read the whole thing in one sitting. Even an undergrad could. It’s like the essence of a…Reddit. We took a wrong turn w/ software.
✨ The more you know: The Lindy effect ✨
There was an old folklore amongst New York City media observers in the 1960s that the amount of material a comedian has is constant, so the more TV appearances they make the less future TV appearances they will have. This lore was formalized as Lindy’s Law in a 1964 article of the New Republic.
Benoit Mandelbrot disagreed with this, and re-coined the term in 1984 to mean the opposite. He posited that comedians don’t have a fixed amount of material to spread over TV appearances. “But rather, the more appearances they make, the more future appearances they are predicted to make.”
How does any of this apply to software? Nassim Taleb expanded the Law in his 2012 book Antifragile. Now it is (roughly):
a theorized phenomenon by which the future life expectancy of some non-perishable things, like a technology or an idea, is proportional to their current age. Thus, the Lindy effect proposes the longer a period something has survived to exist or be used in the present, the longer its remaining life expectancy.
Maybe consider this the next time you pick a 3rd-party dependency or SaaS offering…
Other things on the radar
- try lets you run a command and inspect its effects before changing your live system
- The Zed team plans to open source Zed on Zed. So they’re building a platform “designed for open-sourcing itself.”
- Open Assistant is an effort to bring conversational AI to everyone via Apache licensed code and models
- Revolt is a FOSS Discord alternative. Worth a try if you have open community/closed platform dissonance
- Scrapscript is a shareable programming language that we’ll discuss in some depth on this week’s show
- Autolabel is a Python library to label, clean and enrich text datasets with any LLM of your choice
- Rift is an AI-native language server (and IDE extension) to deploy your personal AI software engineer
- MDN now has an in-browser playground of their own. A good idea, but maybe a few years late.
Opinions worth considering
Jonathan Norris thinks WebAssembly runtimes will replace container-based runtimes by 2030:
The advantages of WebAssembly, with its tight security model, very fast boot-up time, scalability at the edge, much smaller footprints & portability across environments will really drive a shift away from container-based runtimes for things Kubernetes and edge workloads by 2030. There’s a ton of energy around making this happen within the WebAssembly community.
Chris Siebenmann believes everything that uses configuration files should report where they’re located:
As a system administrator I deal with a lot of different programs that use configuration files, most of which have their own normal locations for those files. Sometimes this is a system wide location, sometimes this is a per-user location, and some have both. I’m sure that all of these locations are obvious to people who deal with the particular program regularly, but I don’t (always) do that. Some programs I touch only rarely, and others can be built differently on different systems. Naturally, I don’t remember where their configuration files are located on this system today, so I wind up having to find this out somehow…
Gergely Orosz has decided that GCP deserves the side eye:
Any responsible CTO should now assign a much higher risk to Google shutting down GCP than to Amazon doing this with AWS, Microsoft with Azure, or Oracle with OCI.
Google made ~$180M selling Google Domains, but the damage to its cloud business will be much, much bigger, IMO.
🎧 ICYMI: Recent good pods from us
- On The Changelog: we’re talking to Adam Jacob about his mission at System Initiative to rebuild DevOps
- On JS Party: Eric Clemmons joins for a formal(ish) debate. The question: Is print debugging good enough?
- On Practical AI: The guys take a step back to look at how generative AI fits into the wider landscape
- On Changelog & Friends: Our old friend Brett Cannon is here to help alleviate our pip install anxiety
That is the news for now!
On Wednesday I’m talking yak shaves, system architecture, -10x devs & more with Taylor Troesh. And on Friday Kelsey Hightower joins Adam and me on Changelog & Friends!
Have a great week, forward this email to your peers who might dig it & I’ll talk to you again real soon.
-Jerod