Chris Beams: Yeah, it always bears digging into that, because for better or for worse, it’s not always so obvious today. You were saying a few minutes ago in the interview a lot of people don’t really use cash these days; plenty of people just pay via credit card and so on, and in many places there’s a kind of war on cash. You see this with the demonetization policies that are being rolled out in India, and so on. Many countries across the world are basically disincentivizing people to use cash, and there’s a variety of reasons for that, but one of the effects of that is that increasingly in that environment people’s financial transactions are under surveillance, right? It’s possible to know, and indeed known, what you’re spending your money on at any given moment. Probably Visa isn’t sharing that information with anyone, but they can, and again, things can be hacked and so on… And they certainly do, given certain conditions.

So why does it matter? Well, the reason I was explaining that is that we’ve been in this environment for a long time. We’ve all been, not because the U.S. government has been demonetizing the dollar necessarily, but just by choice and convenience, people have just more or less happily moved to using credit cards. I use credit cards, it’s useful stuff; there’s nothing wrong with it, right? But the effect that that has is that we increasingly forget over time “What value did cash ever have? What is the value of a private financial transaction?” and I think it’s useful here to just jump outside of money for a moment and ask the question “What is the value of any private interaction at all?”

[36:15] It’s been a while probably since many people listening to this have sent a physical letter to a friend or a relative, but we’ve probably all done it a time or two… When you send a letter, you put it in an envelope and you seal that envelope. Doing that doesn’t indicate that you’re doing something nefarious, or that you’re breaking any laws, but it’s rather the norm when it comes to sending physical mail. It’s a norm. We’ve grown up in a culture of privacy in that situation, where people would think it quite strange if they just took the whole letter not in an envelope and just slapped a stamp on it. That would feel “Hey…?! Every postal handler from here to Poughkeepsie or wherever it’s going can read my mail? I don’t wanna do that.” That’s the way postcards work, but mostly people don’t write anything of great importance on a postcard, but people do bare their souls, talk about what’s important to them or troubles that they’re having etc. in letters.

If we take that world of communication and communication privacy to the online world, it’s a very different world, right? Because it just happens to be that email, which of course we all use a whole lot, basically never had a good envelope, right? So we live in a culture of openness by default, and we don’t think about it that way; when we send an email, we have this kind of false sense that it’s private, because it’s just going to the person I send it to, but if we know anything from the revelations over the last years - Snowden and all the rest - the writing couldn’t be written larger on the wall that all your emails are belong to us, name an agency.

So we live in a world - I wouldn’t say for better or worse, I would say definitely for the worse, where everything you do online, certainly with email and in many other contexts, is per default non-private, per default open. We see money no different than this. We see digital money, virtual currencies, cryptocurrencies as no different than the kinds of transactions and interactions people have with speech, with written language etc. The fact that I am buying a coffee or sending some money to my brother to take care of his family who’s just in a – we were talking about Houston and Hurricane Harvey before the call started, right? Transferring money to my family to help them out in such a scenario or what have you - that’s just nobody’s business but my own and my family’s.

Actually, one argument for privacy is that it’s a right, and there actually need be no argument for it. It need not be justified any further than “No one has the right to force me or to force anyone to be open.” One ought to have a right to privacy, and that’s actually enshrined in the United Nations statement on human rights and in a number of other contexts, including the U.S. Constitution, and so on.

[39:59] The right to privacy is a long-held tradition, and it just happens to be that we’ve been trending and drifting in this direction, especially as the online world has come to prominence, and things like email, we’ve sort of forgotten about it. We just happen not to be in that private-by-default environment that physical mail used to be, and there’s no reason not to be private when it comes to Bitcoin, and there’s actually every reason TO be private, because well, do we really want, do we really trust (whether it’s) the centralized exchanges…? Generally, they’re just businesses trying to get along, keep customers, keep people happy.

Mostly, there’s nothing nefarious going on with centralized exchanges, but those become information honey pots for other entities, other players - governments, or whomever they may be. People say “I have nothing to hide.” Well, okay. Does that mean that we ought to just open everything up and give all of our data to anybody who might come along and want it for any reason in the future?

That’s a big argument for privacy, by the way - the environment that we live in today, especially very lucky people like ourselves living in the States… I’m from the States, I live in Europe now, but in general, people listening to this podcast will tend to be people who are living in reasonable enough jurisdictions that probably the most draconian versions of crackdowns and so on don’t happen to individuals; that’s not true of everybody else in the world, and it may or may not be true in the future for ourselves, or for our families or for our children. So we can’t predict the future, we don’t know what’s gonna happen, and you don’t need and value privacy sometimes until you absolutely wish that you had had it. So those are a few reasons…

Eric Berry: But I wasn’t. I wasn’t because it didn’t make sense to completely shut it off. I did shut down the platform, I stopped tracking… But I still had developers who trusted me and relied on me to help them get funding. And I had a good friend, Mike Smith, who I believe you know, over at Rollbar, who’s now at GitPrime. I asked him, I said “Are you willing to stick with me? What I can do is you keep providing funding for all of these top-performing sites” – and he looks at them as top-performing, I look at them as needing the most funding. I said “Will you continue to provide funding for them, and I will just take a 15% cut, and that will essentially make it so that we can still do the tracking”, as we were still running it through a tracker… But I didn’t need any of the money. The money was literally just to help the server run. He said, “Absolutely.” He had no issue with that.

So in December I paid out all the remaining money to all of the people that I owed money to, which came to almost $5,000, and then I had an extra thousand dollars of nickles and dimes for all of the other developers that didn’t make enough money to receive that payout, so I made a lump sum donation of $1,000 to the A21 organization for fighting human trafficking. There’s a blog post listing every single developer that participated as a donor in that donation… Because it wasn’t my money; I didn’t consider it my money and I didn’t want it. So in December I talked to a buddy of mine named Freddie Shelton, and I asked him, I said “Hey, are you interested in Code Sponsor? I’ve got all these contracts set up, I’ve got Mike here… Would you like to take it over?” “Sure, absolutely.” So he did, and he kept it going for a month, all the way through early January.

In that time, I was kind of going through this point in my life where I hate my job, I need to find purpose… I found true purpose in funding open source, but I need to be able to go somewhere that I can do that and get paid for it… And that’s what I did.

[36:15] Over the course of about three months, I’ve been talking to Kevin Owocki, who is the CEO and founder of Gitcoin. Gitcoin is a product that helps developers get paid to contribute to open source funding through bounties. We became friends over the months and he offered me a job to come work at Gitcoin, which I accepted.

Once I got to Gitcoin, I thought “I wonder if I can just pick up where I left off and bring Code Sponsor back in.” So I reached out to Freddie, I said “How’s it going?”, I said “Would you be willing to sell me back the company?” and he did. I gave him some money for the company, and then I brought it in as just my contribution to Gitcoin… Just “Here’s me, here’s what I can bring to the table. I don’t want any money for it.” They paid a few of the expenses that I had for the product, but all in all it was like “Code Sponsor joins Gitcoin as sister companies, but they’re basically one company now”, because we’re all getting our paychecks from the same company, and all that stuff. But my role at that point became “Make this work. Help people through ethical advertising.”

Brendan Eich: [35:47] Yeah, so that’s the really radical idea, and it’s not fully implemented. Brave, with the right opt-in - we wouldn’t wanna surprise users with this, but Brave should be your personal Google; it should be your personal data set and machine learning, which adds value to the data.

You know how people say “Facebook sells your data”? They don’t, because if they did, it would all get quickly arbitraged to a low price, and it’s seasonal enough, there’s enough repeated behavior among users that it wouldn’t be necessary for them to keep selling it. It would be extracted and in bulk. Facebook doesn’t sell all your data. What they do is they say “Come onto our platform and do ads”, or “Come onto our platform and transact in a very limited way with the data.” That’s what Google does with the web. Google is a really brilliant, once-in-a-generation business. They started with search ads - very clean, because when you’re searching, you have strong intent, you’re looking for something, you’re willing to see a promotion, especially if it’s algorithmically well-placed. It could be better than the organic results that Altavista would have found in ‘98. That’s why Google started rising fast then, and they did search ads even then; they were making enough money they got the famous angel investment from Andreas Bechtolsheim. He asked them, “How do you make money?” and Sergey said “Placed results, search ads.” Andreas said, “I’m using Altavista, but they get tricked by pages that put a little dictionary in the HTML comment, and suddenly that page is authoritative for every word in that dictionary, and they get undue search rank in Altavista. What do you do about that?” Larry Page said, “Oh, we take care of that because we count incoming links to do reputation, pagerank.” Then Andreas said, “How much are you making?” This was like ’98, when Sergey and Larry were still I think on Stanford campus. They said, “A hundred thousand a month and growing”, and Andreas said, “Let me go to my car and get my checkbook”, and he wrote a famous angel investment check which paid off very well.

That search ad business is still strong for Google, but search is kind of flattening out. The smartphone is less of a searchy device, it’s more of a social and bespoke search, or custom app experience. Voice is rising, AI is changing things… Search is flattening. It’s gonna be a challenge for Google to keep satisfying Wall-Street’s needs as a public company.

Google also did something clever - in 2008 they bought DoubleClick, because they saw if you didn’t convert all those search ads on the search engine result page, those quality texty result up top that were clearly identified at ads, but sometimes could be better than the organic results – if you didn’t click on those, you went off into the organic results, and you visited publisher sites and ecommerce sites… You kind of got distracted and surfed a bit for fun, celebrity-stalked somebody a bit… Then you came back to your major purchase, but maybe you did it through an ecommerce site and Google had no piece of that action. So they bought DoubleClick, because DoubleClick had a display ad business. They were all over publisher sites, they were on a lot of ecommerce sites. And they had cookies, they could be audience profiles by tracking people across sites.

[38:59] That gave Google a more complete model of the user, from search, through browsing to various sites that DoubleClick had cookies on or other footprint on, and Google’s been integrating things ever since - YouTube’s gotten big… In some way they’re the web, eating their own ecosystem, but they’re also getting a more complete user model.

I think you may have seen, even Chrome will now be mixing your history into the advertising model if you don’t opt out, I believe. Powerful business, but it’s got some downsides. Increasingly, Google and Facebook own 90 cents of every marginal ad dollar spent. Every extra ad dollar being spent this year above last year, 90 cents out of it goes to Google and Facebook. And that’s not a stable setting, even if you don’t mind those two being the new duopoly on search and ads, or social and ads, because Facebook’s coming after Google, and Google’s search business is flat. So there’s a problem there.

Also, there’s a huge privacy problem. People just don’t like being tracked that way. They get retargeted by bad ads, they get creepy ads, ads that make your eyes bleed, parasite pictures, belly fat reducers, wrinkle reducers… And they get malware now. Malware is actually being placed, and has been for a few years. This is kind of an under-reported story, because a lot of it works by being ransomware - it holds your PC hostage, encrypts the disk and says, “Here’s how buy Bitcoin and send Bitcoin”, and it charges not too much. So grandma paid $600 or $1,200 to get her pictures back of her grandchildren, and she’s too embarrassed to admit it.

There was a hospital in Southern California where all the systems in the hospital were thrown by ransomware. That gets you more on the FBI and Interpol radar, but these are criminal gangs hiding in nation-states that don’t necessarily prosecute them. They’re using very sophisticated exploit kits; that’s the payload that downloads and tries a bunch of vulnerabilities.

The ones we know about from the last year and a half, Angler in particular, used Flash and Silverlight and Java plugin vulnerabilities. Brave turns off plugins by default. The plugins should die, Steve Jobs was right. Thoughts on music - he was right about DRM; thoughts on Flash - he was right about Flash. God bless Steve Jobs. [laughter]

I’m not gonna endorse everything he ever did, but he did two solid things there for the web and for security. These exploit kits now are trying browser vulnerabilities. I’m pretty sure Neutrino is the one that superseded Angler and it’s trying browser vulnerabilities, because every sophisticated endpoint software is endlessly vulnerable, and you have to keep patching it. That’s what Chrome does, that’s what Firefox does, that’s what Microsoft does now… It was one of the lessons of the last 15 years in browsers, that you have to release all the time to keep ahead of the exploits. You have to fuzz-test your codebase with travesty JavaScript-generated JavaScript that finds all the safety bugs.

[42:01] These exploit kits are out there, and they’re coming in through ad exchanges. How do they do it? They actually create fake ad agencies. These are fake businesses, with fake CEOs and CMOs, fake people pictures, bios, and they go and buy ads… They put custom creative ads into ad exchanges. They pay the fees to get into the exchange, and then in real-time bidding processes automated ad exchanges place these ads on publisher pages, sometimes even gateway to other exchanges. They get onto a Chrome ad exchange at a low price, but they can claim to guarantee some conversion or some performance to the publisher who wants to sell the ad space for the ad. And the publishers fall for this every time, because they wanna fill out every space they can with ads, even at the bottom of the page, where the parasite pictures are. And they generally don’t directly sell that to brands or agencies; it’s not good space, so they say “Oh sure, programmatic ad partner. Come on in and own my space and put whatever you want in there.” Programmatic means automated, if it means anything. So he goes and says “Okay, let’s use this ad exchange…” It’s AOL, or OpenEx or Yahoo!…

Pretty soon, you don’t know where those ads are coming from. They’re coming from Russia, but they look like legitimate ads. And here’s the crazy thing - sometimes if you scan their JavaScript, they all come with JavaScript, for tracking pixels to confirm that the ad was viewed, things like that. You don’t see anything overtly bad; you might see some funny little image, a processing loop that maybe is commented innocuously look like it’s doing something to do gamma correction on the image. What it’s actually is taking a graphic decoding of an exploit kit loader from image pixel perturbations. In other words, it’s taken out of the hiding, some kind of signal, a covert message in an image or a picture is being done to hide the guilty code that’s gonna load the Angler exploit kit.

This leads to the New York Times, BBC, AOL and other top sites in late March having ransomware malvertising on their properties. If you think about it, this is actually an outrage, right? Why should world-class online publishers tolerate this? Why should they not control the quality of the ads. Why shouldn’t they have only direct, trusted relationships? Well, as I say, the bottom of the fold, and even the middle of the fold (middle of the page) ad spaces just aren’t as valuable as the top, and even big publishers that have direct sales forces and their own tech teams and do beautiful, custom sponsorship ads…

[44:48] My favorite example, Louis Vuitton handbags on Elle.com. That takes up the bottom half of the frontpage, it looks nice, it’s a trustworthy ad as far as I know - there’s very little third party about it; there’s some tracking… It’s a custom video ad from Questra or somebody, but it’s pretty legit. That’s not the problem. It’s the stuff below that that all the publishers want to fill their space and make a little bit of money. Otherwise, if they leave the space dead, they’re just leaving money on the table. And that leads to malware coming on the pages.

To get back to Brave, we saw this coming. We said ad blocking - even in 2015 when we started - was rising. We started May 2015. We didn’t know that iOS, thanks to Tim Cook, would start making ad blocking easy to use with Safari. They make it an app install model, instead of a browser extension model. They make it content blocking, and it rose quickly to the top of the app store last fall and it became very popular until it saturated short-term demand, and it changed the whole conversation. It made people across the ecosystem - from the marketers who spend on advertising, to the publishers who rely on whatever of that spend is left after all the middle players and the parasites have taken their skim - it made everybody say “Oh no, ad blocking is not going away. It’s not just AdBlock Plus or uBlock Origin. Now it’s iOS. It’s Apple. And Apple had walked away from advertising as a business I think twice. But it wasn’t just because ads are annoying or unaesthetic; that’s a very shallow way to characterize it. Ads are actually dangerous, because they’re over delegated through these ad exchanges, and there’s no contractual relationship.

Doug Crockford knew this. If you remember Doug’s work at Yahoo! with AdSafe, which was a static verifier for JavaScript and was kind of like before Google Caja, which became Secure EcmaScript, AdSafe was Doug’s very picky way of trying to get Yahoo! ads not to contain malware. This has been a longstanding problem, and as I said, it’s under-reported because ransomware - the price the criminals extract is low enough people are embarrassed and they can pay it, get their system back… It’s very hard to track these criminals down. But even ignoring the ransomware threat, just the privacy problem that your data profile is constantly being sucked out of your machine and you’re not benefitting from it, you’re actually suffering from increasingly worse ads, even ignoring the malware; just annoying ads. Retargeting, which is when you get hammered by an ad you’ve already seen… Because it sometimes nags you into buying something you wouldn’t, or in the best case reminds you of something you forgot you do wanna buy. It has a little bit of lift, like a fraction of a percent, and that means that it’s gonna get done; it’s not gonna be left on the table. That money is not gonna be left on the table.

So advertising has become this toxic parasite system, in my opinion. It’s over delegated, there’s too much principal versus agent conflict of interest, there are layers of that, and along with that, there are layers of confirmation bias in the data that’s extracted in the model.

[47:54] They say they have great data, all these ad tech companies; they wanna go public or they wanna get bought by Oracle, and they say they have magnificent data which will increase yield. But if you look year to year, the actual performance of advertising, the so-called yield, doesn’t really go up. Money just goes from one pocket to a different pocket. Publishers are still suffering, and there are long-term negative externalities, like secular trends that are bad for everybody, like the rise of ad blocking and the rise of malvertising.

Brave is trying to address this, but not just - I’m being very negative here - we’re not just gonna cure something that’s bad; we wanna make things actively better. We wanna make this anti-Google, personal Google. We want you to be in charge of your data, and that means not only should you not have bad ads or annoying ads or dangerous ads, you should have a piece of the action. You should get revenue, you should be able to control the terms of the economics. And if you don’t want ads, you can donate, and then you can block guilt-free.

Raul Jordan: Indeed. So as it stands today, Ethereum actually runs on what we call proof of work. People have probably hear about cryptocurrency mining - bad for the environment, killing trees, all sorts of things. Basically, the way that Ethereum and Bitcoin work today is they require people around the world to basically run these machines that are specialized computation circuits that use an extreme amount of electricity to basically solve this brute force math problem, and participate in the consensus of the blockchain.

The paradigm is that you’re putting in a lot of real-world electrical power into this system such that it becomes almost impossible that anyone can collectively try to revert that. You cannot revert the Bitcoin or the Ethereum blockchain without having more electrical power than all these people combined that put their effort into it.

So Ethereum is actually migrating to what we call proof of stake; so instead of expanding a lot of electricity, what you’re doing is that you’re instead locking up a lot of Ether, you’re locking up a lot of this cryptocurrency called ETH, and to participate in consensus, you need to put that up for stake. If you do anything malicious, you can start losing that stake. It changes the paradigm. You don’t need this crazy computational thing; it’s just basically anyone can run it on a home server. You can run it on a consumer laptop.

[58:49] Since Ethereum was already proof of work, the transition into proof of stake is very solid, because we can leverage all the security that Ethereum has already over the years into this new paradigm. So we are one of the teams that’s building proof of stake for Ethereum. Ethereum proof of work - the mining, basically - is planned to go away in less than a year, so basically no more shortage of GPUs on the market. You’ll be seeing a lot of really cool stuff happening, estimated I believe to be like 99.98% more computationally effective, and better for the environment. That’s something that we’re excited about, and just keep an eye out on that.

Nader Dabit: Yeah, it was just definitely not expected, but it was very welcome to me, seeing it… Because I was really worried about “Okay, what if I go into this and it’s not what I thought it was?” Or maybe I go into this and I’m able to not really network and create the relationships – or really keep the relationships that I had in the past with people that I really cared about, and I always wanted to continue building those relationships. It is a 24/7 market, but it’s also an accessible market, that doesn’t need anyone to tell you that you can participate or you can’t participate.

[20:14] I think one of the biggest things that is interesting to me around any revolutionary technology is that it really is something that abstracts away something that in the past needed a lot more time, effort, work, and people to kind of make work… And to me, what you’re seeing now, especially if you look at stuff like decentralized finance, where you have these multi-billion-dollar protocols that are doing the same work with about a dozen or two dozen people, that in the past would have taken orders of magnitude more people… So we’re talking about thousands or tens of thousands of people within a traditional banking system to operate the types of operations, combining both software and physical locations and all this other stuff, that are now being done and abstracted away by teams of much smaller people… So that really excited me. The fact that anyone in the entire world can create a wallet and get paid really excited me.

One of the things that really excited me at first, honestly, was also the idea of stablecoins. When I knew about crypto, I only knew about Bitcoin and Ethereum, and that they’d go up and down every day like crazy… But in reality, some of the most interesting stuff is happening in stablecoins. And stablecoins are pegged against another piece of value in the actual physical world. And this isn’t that important for people in the U.S, whose U.S. dollar is very stable, but in other parts of the world, it’s actually really possibly game-changing, because if your currency goes up and down like Ethereum goes up and down, or even more – let’s say that it goes down to almost nothing, like it happens all the time, what if instead you could be able to have a very easy way to get paid and hold on to your value in a currency that stays the same?

I think this has really hit home for me, because I had had a family member that was visiting – or not visiting, he actually had to move from Lebanon to the United States as an economic refugee, because all of their businesses, and even their life savings and stuff ended up being stuck in one of the banks in Lebanon, because of the financial and political crisis that they’re having over there… And having a conversation with him, and seeing how someone’s life can completely be ruined almost by the limitations in centralized authorities. A lot of it has to do with money; people don’t wanna sometimes say that money is that important… Most logical people do, but there are people that will say “Oh, this isn’t perfect, so let’s not even consider it”, and then they’re sitting back on their half a million dollar or a hundred thousand dollar a year salaries, saying that “This solution isn’t perfect yet, so let’s not use it.” Meanwhile, people are literally having to flee their home country and lose all their s**t because the thing that may not be perfect would actually have saved them a lot.

I kind of have gone off on slightly of a tangent there, but that is some of the stuff that I would say interested me about this space when I decided to ultimately make the move into it.

Kevin Ball: So that does put Angular though in the opposite perspective of like the Wiz or Qwik mindset of “Fast by default”, right? Because there I think the idea, if I understood it, was developers are not going to keep up with this stuff. They’re focused on shipping, whatever, they’re focused on shipping, it’s going to be slow. And Qwik and Wiz say “You know what, we’ll take care of that for you. We’ll break everything apart, we’ll go very fine-grained, and it will work fast by default.” So how can you absorb that into Angular while maintaining the stability that you have?

Matthew Ahrens: [24:12] Yeah. And I think most people do. If you care about this data, then you need to be able to have some redundancy with it. So you need the functionality of a volume manager, where you can have multiple drives, and some of them can die, and you don’t lose all your data. And you need to know that the data that the drives give you is correct, so you need checksums. And even just those two basic requirements, there’s not– I mean, there are other technologies that do that. They are much harder to use, typically. And so I think the choices are - if you’re deploying it yourself, ZFS is just so much easier. If you’re making a product, then your customers might not know or care, but building your product on something that’s as capable as ZFS is going to long-term rewards. And the fact that ZFS is under continuing development and improvement, it means that your product has a solid foundation that’s going to keep up with what the future holds for software and hardware storage. That’s just the very basics, right? I think a lot of people even forget about that, because there’s all these other cool, great features of the ZFS that are very exciting, like snapshots. Being able to protect your data with snapshots.

A lot of people nowadays are thinking about ransomware, and “What if somebody has some virus or whatever they call it that encrypts my data or alters my data or deletes it? How do I recover that?” Well, ZFS has built-in snapshots, it takes snapshots every day, every hour. The storage cost of them is very low. You’re only paying for the data that’s different, each snapshot, and the performance impact is basically nonexistent. So you get a lot of protection from accidental or malicious changes to your data very easily, and very low cost in terms of the hardware that you have to pay for it.

Things like compression built-in - I think a lot of people nowadays take this for granted. At least ZFS users probably take it for granted. But it’s not present in all the competing technologies, being able to just turn on compression. We’re using LZ4 compression by default, which is very, very fast. It doesn’t give you the highest compression of ratios, but it means that you can just turn it on and not worry about it. You turn it on and typically performance improves, because you don’t need to read and write as much data to your disk.

And then in more complicated deployments, people look for things like replication. I have data that’s on this machine, I want to get it to this other machine. I could use rsync, and that would probably work just fine if I just need to take one copy of the data one time. But if I need to continually move the changes over, rsync is very, very slow, because it needs to check every file and every block of every file to see if it needs to be sent. And then if you’re using ZFS to begin with, obviously you want to preserve things like the snapshots that you have on the source system, the compression that you have on the source system. So ZFS has these built-in send and receive commands that let you serialize the contents of a snapshot, send it over to another machine, and it preserves all the complicated stuff like ACLs, access control lists. That might be sound files and other esoteric things that might not be used that often, but when they are used, you don’t want to have to worry about “Is rsync preserving them correctly?” or whatever.

Daniel Stenberg: Okay. First, of course, I’m going to keep up with what I do; on a lot of forums I say that you should not use capital X and the keyword when you’re just doing regular Curl stuff, because Curl does the request verb by default. So if you just type Curl in the URL, it will make a get; you don’t have to actually tell it to do a get. If you do curl -d, some data and a URL, it will do a post. But that’s boring.

One of my favorite command line options, that so many people don’t know about - and it may be not always the most useful, but it’s –libcurl. So you make up your fancy Curl command line, do whatever you want, and then you add –libcurl filename.c, and do the same thing again. Then it will generate a template C code for doing the same thing as a program.

Kevin Ball: It depends a lot. I have possibly a slightly skewed version on this, because I have almost entirely worked at companies, or worked as a consultant where in both cases it was very early-stage companies where they did not have super well-defined career ladders… Or as a consultant, where you’re kind of owning yourself.

I think a bigger question is “Is the company organized in such a way and having ambition in such a way that there’s actually the scope for you to keep going up that?” The company I’m working at now had a very senior person decide to leave, and the reason was - this is a very ambitious, extremely talented, top of the field engineer, and the type of engineering scope that he was trying to achieve was no longer available, because we were in a stage where we’ve got a lot of the fundamental… Like, he’s a zero to one guy. He wants to own a thing that’s gonna go from zero to massive. And having done that here, he’s looking for his next version of that, which - that’s totally legit. And as you kind of look up, that’s the type of scope and scale. He’s able to do that because he succeeded, and we’ve got the thing, and it’s working, and we’re rolling.

And there are similar questions around teams. If you want to level up so that you’re leading a team, are there teams for you to lead? Or is that already filled?

Brandon Keepers: The way I see this is that there’s the set of features that GitHub decides to build into the product on one side, and then you have on the other end of the spectrum (if you think about it that way) Marketplace apps, which are things that are profitable products that have enough value that you can go and resell them and build a business around them. And I think in the middle there’s this massive gap of features that are useful to developers, but that aren’t profitable for someone to start a business on, and aren’t interesting for GitHub to build. I think that’s the sweet spot for Probot.

If somebody wants to try and build a business on closing stale issues, best of luck… [laughter] But those are just the type of things – as developers, we shouldn’t have to deal with the overhead of this lack of automation in our lives every day.

[48:10] But some of these things just aren’t profitable, so the way I thought about it and have tried to explain it to other people is like my hope is that this fills in that gap in the middle. Developers get the best experience, you get first-class features from GitHub, great apps from Marketplace partners, and everything in the middle the community can build themselves and share.

Inevitably, I think it is going to force Marketplace people to keep going up the stack, and try and find things that are higher value. I think this is like the story of human progress, where we’re constantly solving one problem that used to be profitable and then now it becomes commoditized and you have to go on and solve the next problem. I think it will have that effect, but I think in the end developers get better tools… And even people building businesses - you’re going on and building more interesting businesses, that are harder to replicate, which I think puts you in a better position.

Jerod Santo: Some of their marketing teams are amazing, too. Red Bull’s marketing, for instance – and Red Bull’s been around for a long time, so they’re not one of these new ones… In fact, when I was younger, Red Bulls were all the rage, but there was no sort of illusion that it was good for you. It was just going to keep you up all – it’s going to give you wings, and you’re going to crash later, but you’re like “That’s alright, I’ve got to study. I’m going to hit the Red Bulls.” But man, some of the stuff Red Bull does… Just associate themselves with extreme sports, and sponsoring extreme athletes, and marketing in a way that’s really, really effective, and quality… So much so that sometimes I’m jealous of some of the stuff they come up with. Just ideas… It’s really cool.

So like that whole side of if your entire business is predicated on you being better at marketing and branding than everybody else, and that’s really where like the battleground is for consumer sales… You can produce some really good marketing campaigns, right? Like, that just brings out some amazing stuff.

Tim Banks: Now we’re just going to pay more for it, right. And what people say is like “Oh, when you look–” And I’ve done this before when I’ve done contract negotiation. I’ll look at your bill, I’m like, your bill is hundreds of thousands of dollars a month. And it’s going to keep being hundreds of thousands of dollars a bill a month, and it’s going to keep going up. And your idea to save money, it’s like “Oh, well, I’m going to commit to spending this many hundred thousand dollars a month to AWS, so I get a discount on my CPU, with reserve instances, or with a private pricing agreement.” And I’m like, you’ve taken your very large OpEx, and you’re going to try and reduce your OpEx by turning it into a pseudo CapEx. You have functionally bought hardware…

Jerod Santo: [laughs] Okay, so let’s get those numbers up, folks… We’ve gotta keep going up and to the right of the funny channel.

Luis Villa: So one, absolutely correct. We haven’t found an answer, or we’ve sort of found several answers and none of them are great, right? Because it’s gonna depend on things like – well, so one analogy… We sort of got off the analogies track, but one analogy here is Google Book Search, where they said up front, “We are copying all the world’s books.” But we did a lot on the backside, on the user interface, to make it really hard for people to get more than a fraction of the book out at any one time. And we created a whole lot of new value by making all these books searchable.

So a court looked at that and was “Well, yeah, all that copying - very bad.” But all the value that was created and the reasonable steps taken to protect it means that it’s what courts and lawyers literally call a balancing test. The court was sort of so like “Ehmm…”

So that’s one analogy, right? And in that case, as long as the Copilot folks are taking good faith steps, Copilot at least is going to be protected. Maybe if you’re copying a section of a book at a Google Book Search, or a copy of code out of Copilot, you might be in trouble. But Microsoft and open AI will probably be okay. Right? Because it might be like Google Book Search to a court. But there’s a case in front of the Supreme Court right now about Andy Warhol, and there’s some cases in California federal courts about the song Blurred Lines, where like only a handful of notes in the Blurred Lines case was enough to make that song a copyright infringement. Now, a lot of the IP attorneys are horrified by that outcome, because it’s like so small… And to a certain extent, the judge was like “You know what - it just has the same vibe”, and IP lawyers are like “But you can’t copyright vibe”, and the judge is like “Yeah, I can. Watch me do it.”

So code, by the way - Copilot is the easy case. right? Because there’s not much vibe in code… But as soon as we start getting into like DALL-E, that Natalie already mentioned, Midjourney, all these things - okay, well then we get into… And this is where the Warhol case comes in - there’s that Warholy vibe. “Is that protectable…?” And I shouldn’t actually say – I should say, “The Warhol case is not about Warhol’s vibe.” Warhol, in this case, is the copier, not the person being copied. But the same kinds of questions are just going to keep popping up, and we don’t know, Kris, we don’t know yet where these lines are going to be. And, again, the outcomes are going to be different for the company that makes the model and the person who uses the model.

So the one thing that I’ve told people consistently is I think that GitHub is probably actually safe here. I don’t think running Copilot is itself an infringement. I think it’s a lot like Google Book Search. Using Copilot 99% of the time is gonna be fine. But if you’re doing something like clean-rooming somebody’s API, imagine – if you tell Copilot “Hey, I’ve got this API that happens to be somebody else’s API…” And by the way, that company might be using GitHub behind the scenes; we don’t even know… And it starts reimplementing their entire API for you - that’s where, again, the vibes, the balancing might be a lot different.

[54:17] It’s funny, I was having a conversation with a friend who I assumed his company was doing no cleanrooming… And I was like “Oh yeah, well the only thing is as long as you’re not cleanroaming”, and he like literally picks up his phone and texts his CTO, and he’s like “We need to talk tomorrow morning.” Because it turns out this friend’s company was doing some cleanrooming of something with a company that hates them on the other side of it. So that’s where you get into – that’s the other thing, right? A lot of these things are hypothetical, because nobody’s gonna know or care 95% of the time. But I would definitely not use Copilot to reimplement any Oracle APIs. That’s my one other piece of advice to you that you should remember from this podcast.

Brian Kernighan: At some point we need more memory, or more speed than we have. It’s hard to scale up, and so we still run out of resources, or need that exponential growth to keep going, to keep up with what people want.

The other thing that really is the same is that people are the same. We’re complete screw-ups in a variety of ways, we make mistakes, we’re slow, we’re unpredictable in lots of different ways… So programs that programmers - even very talented programmers, working hard - they make bugs in programs, and programs are often hard to change, they have clunky interfaces… And then, you know, most people are good, but there’s always a collection of bad guys, and they’re still very much with us at this point… But interestingly, something that’s different - the bad guys are far away, but can still reach out to touch us through things like the internet. So you know, a lot’s the same, as well as a lot of difference.

Dmitry Jemerov: Well, we actually have been in contact with the Android team for quite a while. Obviously, we worked together on Android Studio, which is based on the IntelliJ platform. So we have had contacts for a long time. We brought this topic every once in a while, like “What would it take to get the Kotlin plugin bundled into Android Studio and they basically answered like “No, not yet. Let’s talk about this later.” And at some point they said “Okay, we are ready to do it, and we are going to do it in a month”, so essentially we had a very short time to set up all the legal stuff that we needed to take care of before this could happen - all the technical stuff to get the plugin bundled. So this was very stressful, right before the I/O, but it was really inspiring for all of us, to see Stephanie presented from the stage and how happy she was presenting it and how happy all the community was to hear “Yeah, this is something that we have been waiting for.”

We did hear from a lot of people that they are not open to trying Kotlin because it’s not blessed; they were concerned that Google was going to do something that would break Kotlin, so essentially they would end up with a broken app with no way to fix that… Even though there was not actually much risk of this happening, because as long as Android was based on the JVM, which is not going to change anytime soon, we could adapt to whatever changes that Google had in mind. But still, people had their concerns and now their concerns are alleviated. They have a guarantee that there’s a partnership that’s going to keep Kotlin up and running.

Justin Garrison: It comes down to that trust, right? If you trust your defensive end to always get the blitz… Like, I’m gonna roll to his side every time. It’s not even a question of like “Hey, this person is always going to make that block.” And Amazon is always going to keep that service up. That’s something that you build that trust over time. But if they get injured, or if they have an off week or something that - hey, guess what? My trust just dramatically goes down. This isn’t like a “Hey, I understood you were off for a little while. I don’t know how long until you get back to where you were.” That trust is really, really hard to regain once you lose it. Once you get blindsided from the back, that’s a problem. And those are the things that you really need to be careful of as someone who works in sort of these high-trust environments.

Same thing with security. Security is a super-high trust – if I have security scanning tool, and I get a breach at my company, I’m going to be looking somewhere else. This is just like “Hey, guess what - that trust is gone. I’m not even going to give you a second chance. I can’t have that news.” Those sorts of things.

There’s some things that – when you need uptime, you need uptime. And if you’re relying and you move everything into the cloud, and you say “Actually, I pick US East 1, and it’s not the best. Let me go over to US West 2. Maybe that one’s better. Maybe go somewhere else.” And at some point, you’re just going to keep moving things around to find where you have more trust.

Jerod Santo: I definitely wanted to ask you about this 99% developers concept, and it kind of plays into something, Adam, that Kurt from Fly talks about… I think he calls them blue collar developers, or the ones that get forgotten and left behind, and that aren’t targeted by a lot of the sexy startups. The big dev tools are going after this certain group of online developers, influencer developers… People probably, honestly, who listen to shows like the Changelog, they try to keep up with what’s going on, and adopt new tools and stuff… There’s a lot of us that don’t have – some of us assume that they have, right? And so there’s a whole set of people for who the future hasn’t arrived yet, so to speak, right? And a lot of them are being ignored my tool creators. Is that a decent gist of your synopsis there?

Solomon Hykes: Yeah. Well, there’s two things there. Me personally - there’s definitely a lot of things I would do differently. And I think Docker as a company - I’m so happy that it gets a second chance. And this is a real second chance. I’ve seen the numbers… Docker is a really successful business now. So now it’s up to them to keep going. But I’m really glad, because - boy, was that a missed opportunity. I think Docker at least was a new Red Hat or VMware, and that’s pretty big already. And I say “at least”, because I think it could have been more. But we made a bunch of very avoidable mistakes, and I’ll go into that.

So there’s a sense of failure, for sure, and trying to learn from them, and do better the next time. Me personally, separately, I do think in terms of the opportunity for Dagger - those two things are separate in my mind. I think Docker was wildly successful in adding a layer of standardizing something, and creating out of thin air a whole ecosystem that’s building tons of amazing things on top of that standard. And now, because Docker and the whole ecosystem around it, including of course the Kubernetes universe, but it goes way beyond Kubernetes in my mind… There’s just – it’s so massive. Now, all these opportunities appear to solve the next stage of the problem. That’s kind of how I think about it. And Dagger is entirely built on containers. So it’s 100% impossible that Dagger would exist if Docker didn’t pave the way first. So really, for me it’s like finishing what we started, you know?

Chris Benson: [34:06] For a moment, I want to ask you to stop being an attorney, and be a speculator here. I want you to kind of blue sky it; like, where can this possibly go, or what are the different paths? What’s your gut tell you in terms of how this plays out? Because you’ve described multiple ways in the last few minutes where the whole system can essentially collapse under its own weight. Not just one way; you’ve done it several different ways where that can happen… Which isn’t surprising, because over the episodes of the show we keep talking about the rapid change that all this is bringing in AI; it’s the most fascinating moment in human history, in my view, and you’re describing the weight of all the structure of the past in terms of the legal considerations unable to keep up with what’s going on now, and it’s only accelerating. Where do we go from here? What does that mean?

Bill Dally: That’s a really good question. The short answer with the future of AI is continued rapid innovation. I expect to continue to have to stay up late every night, reading papers on archive, and even then not be able to keep up with what’s going on. But if you look at how that rapid innovation is happening, I think it’s along several different axes.

The first axis I think is breadth of applications. I think we’ve only began to scratch the surface of how AI is affecting our daily lives, how we do business, how we entertain ourselves, how we practice our professions… I expect more applications of AI to be occurring every day, and those applications to present unique demands - the type of models we need, how we curate training data, how we train the networks with that data and so on.

The next axis I would say is one of scale. Scale of both model size and datasets. We’ve seen this in areas like computer vision, in speech recognition, in machine translation, where over time people collect larger data sets, to have the capacity to learn those datasets they build larger models. That really raises the bar for the performance you need to train those models on those large datasets in a reasonable amount of time.

And then finally, the axis that’s probably most exciting to me is coming up with new models and new methods that basically increase the capability of deep learning, to be more than just perception, to basically give it more cognitive ability, to have it be able to reason about things, to have longer-term memories, to operate and interact with environments… A lot of the work in reinforcement learning we find very exciting along that axis.

[27:52] Seeing this constant innovation on all three of these axes - our goal with our platform is to evolve to meet these needs; to meet the needs of newer applications, to meet the needs of larger scale and more capable models and methods… And there’s a couple ways we need to do that. One is to continue to raise the bar on performance. To train larger models and larger datasets requires more performance, and Moore’s Law is dead; we’re not getting any more performance out of process technology, so it requires us to innovate with our architecture, with our circuit designs to do that… And we’ve done that generation to generation. If you look at the performance from Kepler, where we started working on deep learning, to Maxwell, and Pascal, Volta and now Turing - we’ve been able to really increase by large multiples deep learning performance on each subsequent generation, in the absence of really any help from process technology. We expect to continue doing that.

The next thing we need to do is we need to make it easier to program, so that people who are not experts in AI, but are rather experts in their domain, can easily cultivate a dataset, acquire the right models and train them. We do that through our tools; we support every framework. We have TensorRT to make it easy to map your applications onto inference platforms…

And then we also have training programs. We have a Deep Learning Institute, where we basically take people who are application experts and train them so that they can apply deep learning to their application.

Then the final way we want our platforms to evolve is to remain flexible. The deep learning world is changing every day, and so we don’t wanna hardwire too much in and not be able to support the latest idea. In fact, we think it would inhibit people coming up with the latest idea if the platform that everybody is using was too rigid. We wanna make it a very flexible platform, so that people can continue to experiment and develop new methods.

Aimee Knight: I’m always very careful… People who wanna get into it – I’m very cautious of making sure you get into it for the right reasons. It’s very much a career - especially in web - where you always have to keep up on what’s going on… Somebody gave me the advice, and take it for what it’s worth, but I think there’s a lot of truth to it - be very careful about moving into the industry if it’s not something that you would find yourself doing as a hobby, too. Like, you need to take a break and you don’t want it to consume you… But it moves so fast that – I’m very careful how I say that, but…

Jerod Santo: Yeah. Well, that would be cool. Let’s see - well, all the links to all the things… I’ve got Galaxies, Evan Bacon, Tamagui… I’ve found it, Tamagui. React Strict on Expo, of course… And we’ll link up Simon’s YouTube channel as well. Is that the best way probably just to keep up generally with what’s going on in the React Native world? Because I assume you’re posting videos a lot of when the new architecture gets adopted, or when this brand new native [unintelligible 00:56:17.00] thing that’s going to change the world goes official… Like, you’re dropping videos a lot, right?

Nick Nisi: [laughs] It’s when to keep going and when to give up, I think.

Shawn Wang: This is the speculative part, in the sense of like - I don’t know what I’m talking about, because I haven’t built a WASM project yet… I just try to keep up to date on what’s going on.

[52:03] The thesis is - and I actually highly encourage everyone to check out Gary Bernhardt ‘s talk on The Birth and Death of JavaScript, because he actually predicted WASM before WASM. He called it a different thing. I think he called it Metal. But essentially, most people may not have heard that WebAssembly is not just a buzzword or a trend; it’s actually a formalized fourth language of the web. As the W3 committee has put in this press release, the first three languages are HTML, CSS and JavaScript, and the fourth will be WebAssembly. In other words, it’s gonna be supported for an extremely long time; essentially, as long as the Worldwide Web exists, WebAssembly will be supported. But it is only five years old. In other words, while we’re in the third age of JavaScript, WebAssembly is in its first age, which means it’s still forming its speck, people can still figure out what they can do with it… There’s no ecosystem built up around it. There’s just a lot to get to where JavaScript is today. But I think people are already exploring what is possible.

Everyone talks about Figma, but there’s a really good InfoWorld article on the rise of WebAssembly that is actually talking about the non-famous examples. Disney streaming uses WebAssembly as a sort of cross-platform solution… There’s a lot more in there… I just picked Disney because everyone has a Disney subscription, especially if you have kids…

Safia Abdalla: I think a big part of bringing in third-party dependencies is about risk management and how much risk you’re willing to have in your application… Because I’m not going to say that we’re going to live in a world where you get access to free open source packages that are always secure and mostly bug-free, with reliable and well-versioned APIs… Well, we might be able to, if people fund that, but we’ll be discussing that later, so stay tuned… But yeah, I think a big part of it is just like what are your organization’s and your own risk management techniques for a codebase?

One of the interesting things that kind of like struck me about the event-stream issue - and I think a couple of other things - is there’s usually such a huge time span between when people realize that something fishy is going on, and then when it actually becomes mainstream news… In the case of event-stream, for example, there was a five-day gap between when somebody was like “It seems like there’s some malicious code in here” and when it was actually discovered what the malicious code was and how it was impacting users, and how it worked, and all that. In those five days there was not a ton of engagement, at least not as much as there was after those five days.

I found it interesting that very few people who had installed event-stream or had it as a dependency were watching the repository on GitHub. Admittedly, it can get a little noisy, but it’s one of those things where I feel like for me as an open source maintainer, people’s engagement with third-party dependencies ends at install time, and they’re not willing to participate in technical discussions about the future of the project, or just keep up to date on what’s going on and what’s being merged, who’s doing the merging, and develop a personal understanding of the project… And I feel like that’s the distinction between you installing a dependency and you installing an open source package, as I do think you have to engage with the open source part of it to be able to effectively use it in your own code.

Kris Brandow: Yeah. I mean, all three of the big cloud providers have Kubernetes systems, product offerings, so… That right there is great. Yeah, I mean, it’s exciting to see other companies doing investment. Also, I think that helps kind of with what we were talking about before, where there’s just less of a risk of like one company being able to do something that might deal a critical blow to Go… Because now if Microsoft over the course of the next few years really establish themselves as a big contributor to Go, then if there ever is a risk of Google saying “We don’t want to do this anymore”, there’s an obvious successor, there’s an obvious company to pick the language up and keep going with it.

Louis Pilfold: I don’t know, a few people have tried to do stuff with LLMs, and no one’s got any particularly amazing results yet. It’s not my area of expertise, so I can’t speak with authority here, but I think it’s just that we don’t have quite enough content to be able to reliably put out good answers yet. But from my point of view, I’m not very invested in improving that yet… And the reason for that is – there’s a lot more activity now since v1, but there’s so much activity that we can’t keep to keep up. And if someone is going to ask a question, like “How do I do X Y, Z?”, I don’t want them to go to an LLM. I want them to ask us, because they’ll get a good answer straight away, I’m confident. And then we know who they are… And they started to feel like they’re part of this community, rather than being like “Gleam is this tool, and I learn about it through talking to this AI model, and I’m not actually in any way invested in the community.” I want people to go “Oh, wow, I asked, and not only did I get an answer, these people were really nice. Okay, well, I’ll hang out here more”, and then they get more engaged, and more involved… And I think they’ll stick around for longer.

Tuhin Srivastava: It feels like the job before the last job… [laughter] If that makes sense. No, it’s been crazy. I think the last two years for everyone here have probably been a bit of a whirlwind… And you guys are pretty on top of current things, and machine learning and AI, and I imagine, just like for you guys, it’s hard to keep up at times with what’s going on.