Jarred Sumner: Yeah. No, he’s great. Probably what he’s referring to, I’m guessing, is that we don’t have an implementation of something like npm audit in Bun, which sort of is the thing that’s like – there are 42 security vulnerabilities in your dependencies, or whatever. That’s what it logs. We don’t implement that right now. But on the other hand – so yes, that is a feature that is missing. But on the other hand, we also don’t run post install by default for dependencies, which is very good for security, because this is a very common attack vector that normally, if you want to get a Bitcoin miner on somebody that, then you compromise a package, and then you do a post-install… That’s usually the attack vector, is like post install scripts, or something.

Jack Dorsey: We learned a lot from the solar platform, such that Cash App is going to do something similar. And TBD is entirely a platform. That’s its only reason to be and to exist. So we’re definitely on the track, and we wanna make sure that we’re building more and more platform-type things forever more. Everything that we do in the future should have platform elements.

We’re building a Bitcoin wallet and a Bitcoin miner - we’re building it so that it’s open source; all the code will be available, and the hardware design will be available. Everything about it will be completely open for any developer to use. They don’t need to build on top of it, they can just steal all the code and the idea and just build whatever they want.

Gerhard Lazu: We could do. Or a Bitcoin miner. [laughter] We could. It’s there, we’re paying for it… But you know, to be honest, the reason why this is exciting is because we can spin up on-demand, and we can have maybe more than four CPUs. We only chose four CPUs because of the cost. It just hits the balance nice. But if we could use 16 CPUs on-demand, that would be a lot better. And with Fly machines we can, because they spin up so quickly… You don’t wait minutes for it to come up.

Jack Dorsey: We learned a lot from the solar platform, such that Cash App is going to do something similar. And TBD is entirely a platform. That's its only reason to be and to exist. So we're definitely on the track, and we wanna make sure that we're building more and more platform-type things forever more. Everything that we do in the future should have platform elements.

We're building a Bitcoin wallet and a Bitcoin miner - we're building it so that it's open source; all the code will be available, and the hardware design will be available. Everything about it will be completely open for any developer to use. They don't need to build on top of it, they can just steal all the code and the idea and just build whatever they want.

Shawn Wang: Well, first of all, I’m not the most informed person on security. Probably Feross would be a better person to talk to about this… I’m not optimistic or pessimistic. I’m just kind of neutral on it. I don’t think it’s like a focus of anyone, apart from Feross, who is the founder at socket.dev. [laughter] And his approach is “Let’s just audit everything and give you ten different reports telling you that–” And we have some of these automated audits as well. It’s not clear exactly how venture funding was gonna affect this either way. Obviously, you can have people who are paid better to maintain these repos, but supply chain attacks happen in perfectly well-funded companies as well. It’s not just like someone’s acting out in open source… Which has happened repeatedly, and just puts a Bitcoin miner in a repo, or something like that.

I think it really has to be fixed at the runtime level, or the toolchain level. Deno has an attempt at doing this by locking down the permissions. People are realizing, unfortunately, that it’s just not that useful. You’re just gonna enable all the flags anyway. So it has to be per-module, and as far as I know, nobody’s tackling that, except for a company that I’m hopefully invested in, that might be trying to solve that issue. But it’s kind of an open question right now. I’m not aware of anyone else really tackling sort of per-package permissioning and just reinventing the npm ecosystem. For better or worse, the npm ecosystem is what we have, and therefore the security defaults that they choose - which is none [laughs] - we inherit those decisions.

Jerod Santo: Bitcoin miner…

Nick Nisi: Some things that I’m pretty excited about are Eleventy – I am excited to check that out, and I just wanted to tell you that… And I really get excited every time I get a new LetsEncrypt email about my certificate expiring, and then we’re having to go figure out how to do that again… And I’m like “I should just rewrite everything and throw it on Netlify right, and be done with this whole charade”, because I don’t actually know how to manage a server, as is obvious by me having to shut down a Bitcoin miner that started up online at some point.

Tim Banks: What do you think powered the first Bitcoin miners for old servers? People’s old desktops that [unintelligible 00:43:01.17] stuff like that. The notion of buying it means that when I’m done with it, I can sell it and get some of that money back. Is there a secondary market for it? Absolutely. There’s already a burgeoning secondary market for buying older or used GPUs, and servers, and stuff like that. “Perfect. Let me make some money off of this.” That’s going to be far more economical than giving the money to AWS, because I’m never going to see that again. You know what I’m saying? This is the difference between investing – this is the difference between “I’m going to do this thing as an investment and I’m going to get some money back on it”, versus just giving it away to somebody else. But this is not a day one decision. Day one decision is growth, and it makes perfect sense to be in whatever cloud environments can allow you to grow, right?

Samuel Goff: So a couple of things. First of all, when it comes to blockchain, specifically Bitcoin and others that are based on proof of work, not proof of stake, I have a real issue with… Because the energy intensity of the computation is so high that you could power multiple countries now. Right? And so what’s happening is a lot of dirty energy sources such as natural gas, coal, oil, things that, where increasingly, it is economically unsustainable, because grid-powered solar and wind have completely leapfrogged them in terms of cost efficiency. If you’re building brand new energy sources right now, by far, you can build anywhere from six to nine times more grid-scale, solar or wind, compared to nuclear, which is the second cheapest, or third cheapest, I should say… But everything else is more expensive by comparison. But the problem is, you go to an oilfield where they have these toxic gases, and they set fire to those toxic gases as a way of making it safe. Well, that’s wasted energy.

So what’s happening here in Texas is a bunch of Bitcoin miners set up in the oil fields, and they’ve harvested that heat energy, what would normally be just waste heat. And that becomes an additional revenue stream for those oil extractors, those oil companies. And so it basically takes what was a dying revenue model, a dying, industry, and it breathes new life into it, and it slows down our adoption of renewables. And it takes – basically, it vastly increases our risk of transforming our environment to a place where it’s going to kill people to go outside, whether it’s due to the extreme heat and humidity, or the extreme cold, because the natural conveyor belt that used to exist has kind of collapsed, or it’s sometimes collapsing.

Nikita Shamgunov: When you give people arbitrary compute, you will be abused, because you can turn free compute to value. You can mine Bitcoin, you can do whatever, you can do DDOS attacks… Like, there’s all sorts of malicious behavior that you can expect on a popular platform. When your platform is not popular, you’re dying for that traffic. And so that is the push and pull.

So on the first subject, it’s harder – so databases are arbitrary compute, but it’s not as obvious as like just having an access to a VM. It’s less arbitrary than a VM access. So I think the level of abuse will be there, but naturally it will be less.

Gary Bernhardt: So Execute Program - very quick summary of what it is, just because some of this is going to be relevant… So it’s an interactive platform for learning programming languages and other tools. The lessons mix text with lots of interactive code examples, which is going to be important, because that code has to run somewhere. So it’s a very unusual sort of infrastructure requirement. It’s been a commercial product for three years, the code has started maybe five years ago in early forums. A maximum of four people have ever worked on it, so this is a small product, although most products in the world are small, even though mostly we hear about the big ones, which is sort of a distortion in the way that we talk about things. And it’s a bootstrapped company. So it makes real money, but it’s small. It’s not a giant unicorn or whatever. So that’s the product we’re talking about.

Here’s the architecture. The primary database is Postgres. I love Postgres. I think it’s great. It can do almost anything you need any database to do, ever, unless you’re at truly huge scale. The backend servers are at Heroku. It’s a monolithic backend. One repo, one server process, that’s it. It has some workers, with a queue, and the workers auto-scale as needed to accommodate load, just like the web processes do. And the workers in the queue are used for things like transactional emails, reminder emails, interacting with third-party API’s where we just want to sort of shield ourselves from those API’s if they’re flaky, or slow, or whatever. We receive one type of incoming WebHook, and that’s from Stripe. And the reason that exists is if we create a subscription and the underlying credit card is later expired or something, then we need to know that, so we can remove that person’s access, because they’re no longer paying. So Stripe hits us with a WebHook for that.

And then we get to the weird part, which is how do we execute the code that the user is putting into these exercises? So we have a fleet of executor VMs that exist only for this purpose. They scale up and down as needed, to handle whatever user load we have, because you know, if there’s a peak, it could be a lot of these VMs, and they’re expensive. And it’s a very difficult process, because they have to be security-hardened, because they’re running completely arbitrary user code, ultimately. And if we don’t harden them, and you know, firewalls and all that stuff, and sandboxes, then people are going to send spam, or mine Bitcoin, or do all kinds of nefarious things.

They also have the wrinkle that as the code is executing, they’re putting tracing information into the queue, which ultimately gets aggregated into the database, so that we can debug things when things go wrong… Because it’s ultimately a distributed system executing arbitrary code; it’s quite a complex problem. And this, of course, is the most difficult part of the architecture.

So it’s Postgres, a single backend, workers with a queue, Stripe WebHooks coming in, and executor VMs. That’s basically the architecture… Which I think is like – this is pretty normal, I would say. Well, the executor VMs are weird, because it’s a specific property of our problem space. But I think this design is pretty normal and not particularly complex.

Mat Ryer: I wonder if we’re gonna end up in a situation like with Bitcoin miners, where we’ve got all these machines that are just spending all the time crunching through, fuzzing stuff… [laughter] When we’ve got Fuzzcoin.

Todd Gamblin: We’re not allowed to mine Bitcoin on these machines; it’s not legal to use government machines to mine for Bitcoins, but even if you did, it wouldn’t be worth it. If you look at what people are using for Bitcoin mining, a lot of that is custom chips; they’re very low power and only do hashing… So you’ll do way better investing in that than you will in one of our machines. I think at some other compute centers people have been fired for trying to mine Bitcoin on the machines.

Nick Nisi: Mine’s gonna be in Bitcoin.

Mikeal Rogers: It’s a whole ecosystem. There’s a bunch of other blockchains as well, there’s chains that are very compatible, versus ones that have some difficulty with compatibility… It’s important here to separate what is a technical limitation because we just haven’t figured out what to do yet, but there’s an incentive to fix it, versus issues that are actual incentive problems. The players in this industry don’t want to do this, so it’s not going to happen. There have been things floated to do in Bitcoin that would be good for the people that use Bitcoin, but maybe not good for the miners… So that stuff in Bitcoin is probably not gonna happen, and may happen in some of these other chains that are being created.

Transaction fees - there’s nobody who wants all the transaction fees to be super-high, actually. The business model here is to mine new tokens, and the utility of those tokens is somewhat affected by how difficult they are to transact… So there’s a real incentive to try and get that down over time, rather than up, because that’s just not where you’re making money; nobody is making money on that. They wanna get it down.

The same thing with the power consumption. Nobody wants to pay extra power bills. Everybody’s trying to get the power consumption down. It’s just literally a technical problem that we’re iterating towards.

And Flow, for instance, like we just talked about, and NEAR Protocol for that matter - they already use proof of stake, and use way less power, and they have much lower transaction fees. Not because of that… Because of other reasons, mostly.

Anyway, if you look at the ecosystem as a whole, you don’t really have a transaction fee problem because you have all these other chains that you can use that have very low transaction fees… And if an asset gets to a certain price, you can actually move it to Ethereum. And not every protocol has worked out exactly what this is, but one of the really popular things right now is called Polygon; it’s the sidechains that are Ethereum-compatible, which means that they look more or less like Ethereum. And so if you ever want to transfer an asset from there to Ethereum, you can.

So there you can create assets for sub-penny, do all these transactions, and if some of them get to be like a million dollars and you really wanna put them in the more secure, stable, broadcasted network, you can then move them to Ethereum and pay that transaction fee. And I think the way to look at this evolving is that the way that you have to scale it is through more decentralization, not more centralization. So the solution is not to get everything into Ethereum and make Ethereum so good that it has sub-penny transaction fees, and is doing a billion ops a second, or something; that’s not realistic. It’s fine to just have these sidechains and to have the assets move around.

Protocol Labs, Juan Benet who started the company - he’s always had a lot of vision about how this stuff works in the future and about this protocol interop, and we’ve been working on standards and protocols that are just open source, open protocols that we implement. A lot of people, I think, for a long time, thought that we were over-engineering. They tended to be like “Oh, why don’t you just do your own custom thing, like we’re doing over in this chain?” And we were like, “Because it’s not about your chain, it’s about the compatibility between the things”, right?

Adam Stacoviak: I thought it was like in Silicon Valley, Jerod, there’s a two and a half second song that Guilfoyle plays every time Bitcoin is not profitable enough to continue to mine.

[01:00:55.06]

“That’s the song “You Suffer” by Napalm Death.”

“Oh, yeah? That’s a whole song. It’s like a second.”

“It’s an alert, whenever the price of Bitcoin dips below a certain value; it’s no longer efficient to mine. When it comes back up, it is. So I need to know when it breaks that threshold, so that I can remotely toggle my rig at home.”

“Okay… Any idea how often that might happen?”

”Bitcoin is very volatile, so…”

“This is so loud…”

“A lot?”

“Good. Alright. Well, maybe turn it down, or something.”

Dave Rupert: Yeah, fully tricked out PCs, that mine Bitcoins, and…

Safia Abdalla: [23:55] Yeah, transient dependencies. Thank you, Mark. I think that’s always going to be a little unsolvable, just because at that point you’re – like, if someone truly wants to figure out an export, they will, and it’s very hard to be proactive about those, to a certain extent. There’s a lot of safety checks you can do, and tasks and validations and stuff like that, but I think if somebody really wanted to do something malicious using some transient dependency, they could… But I think it’s unfair to ask people to check those deep down dependencies, but it is fair to have them be aware of how Create React App works, what’s being loaded, and the general architecture of the project. That’s a reasonable ask… And what it’s using just as top-level dependencies. Anything deeper than that I think that’s where you need to have automated tools doing the checking, and just pray that people in the world are good and won’t try to mine Bitcoins all the time.

Adam Stacoviak: I would probably say I don’t have a clue… I don’t have a clue what the next big thing might be. There’s indicators of what’s big, of what’s shaking out there… I know there’s a lot of attention around cryptocurrency, there’s a lot of attention around Web 3, and decentralized web, but they’re waiting for the killer app/apps to really break it open… I think it’s very focused on – the same with Bitcoin or cryptocurrencies, it’s very focused on the tech… And you can’t reach mainstream really if you’re just so focused on the tech. I think that’s the hard thing happening there. I think that’s the bigger things really taking place currently. Well, those are unproven grounds. That’s where the pioneers are kind of hanging out; that’s where the proverbial gold is being mined, because that’s where the rush might take place, is in this new thing.

Oddly enough, Silicon Valley - again, they were building the web we deserved, right? They were building a decentralized web, built upon an algorithm that was all about compression… And that’s what it was about. And I think in many ways decentralized is becoming a more prominent thing, and I think that’s where you’ll see a lot of new and exciting things happen.

Spencer Kimball said it really good on the last episode, “There’s nothing new under the sun in terms of tech. It’s just reuse and redo’s.” That’s kind of where we’re at.

Tim Coulter: Yeah, sure. The short version of it is when the Bitcoin boom hit in 2013 when it went from $5,000 to $1,000, I got into cryptocurrency after that, and got really excited about what it is and what it could do. In early 2014 I started mining, I mined on a bunch of different altcoins at the time now worth nothing… It was a fun experience for me, and I did it mostly on the side. I was working for startups and have worked for startups my whole career coming out of college, and the startup I was working at I eventually got laid off, and by that time I had been doing other work in cryptocurrency, I had built an application on my own time to track all of the price data for a bunch of different trading pairs; basically, every trading pair on ever exchange available at the time. I was trying to aggregate all those and eventually sell that data…

In any case, that whole thing got me in interested in the blockchain world itself, so when I got laid off from this company, I told myself “You know what, I’m gonna go work in blockchain.” So I searched around, I eventually found a post on angel.co, and that led me to consensus. That was around April of 2015. The post was actually for a web designer job. Excuse me, not web design, a graphic designer job… And I can’t actually do graphic design, but I sent them a message anyway and said “Hey look, I could try this. I’m really excited to work in the blockchain world, I’d love to work with you”, and they responded the next day.

[04:13] The rest from there is kind of history, but as far as Truffle is concerned, my past history in software development is actually in the software testing world. In college – I have a software engineering degree, but I worked a lot with a professor in software testing, and that was big in the software testing community… So when I came out of college, I used that network to find jobs in the software testing world.

What that means is that for most of my career, effectively 8 years leading up to coming into the Ethereum world, I was doing developer support. This is everything from performing manual testing, to writing software testing frameworks around new technologies. When I came to Ethereum, it was very clear that there were no tools at all; you had a compiler and a JavaScript library for interacting with the Ethereum blockchain, and that was about it. From there, it seemed very easy to fall back into this developer support role, and I ended up building tools through the Ethereum ecosystem.

Brian Behlendorf: Oh, it’s very generalized. You could use it for all sorts of digital assets. You could use it as a cryptocurrency system if your currency are things like, you know, frequent flier miles, or loyalty points, or carbon emission credits, or other types of currency.

What’s distinctive about Ethereum and Bitcoin is that they are currencies whose total volume is limited by the hash rate; it grows a little bit, and eventually all of them will be mined.

Preethi Kasireddy: Yeah, sure. That’s a great question. I’ll be honest, one of the things that I’m always excited by are problems that are not figured out, and blockchain is definitely one of them in the sense that there is this amazing technology that got created, but the actual applications and use cases have yet to be created, and there’s so much room for creativity and innovation. I’d say that’s one of the main reasons why I’m so attracted to this industry… Because I naturally have the entrepreneurial spirit, I wanna solve unsolved problems, and that’s one of the reasons why I’m gravitating to it. But at a more fundamental level, I think the technology itself is super interesting.

I think earlier you were saying how blockchain is interesting as a digital currency… I’d go a little bit further than that and say I actually don’t get excited by digital currency per se, because digital currency is just one application of the blockchain. There’s so many other applications that I think have potential that haven’t been created yet, and I’m more excited about those applications. In my opinion, it’s really hard for the current currency system in any nation – for example, take the U.S. For cryptocurrency or digital currency to replace fiat currency, that would take a lot. The government has a really tight control over the monetary policy and I just don’t see what benefits digital currencies provide today that would make people switch over, that would make the government friendly to this, and so forth… Because in the end, what digital currency is - it’s completely decentralized, completely open, completely censorship-resistant, which is not something any government really wants.

So for me, I’m more excited by what else blockchain enables. At a fundamental level, blockchain is a decentralized technology where it’s maintaining a ledger of transactions or basically state changes, and the state changes are cryptographically secure because they are maintained by something called the consensus process. This consensus process in Bitcoin or Ethereum is called proof of work, where a bunch of miners are there and they run a bunch of complex computations to validate these transactions, and they get paid for validating this blockchain. So the entire chain is decentralized, it’s trustless, because there’s no need to trust any central party to maintain this database or this ledger, and then it’s completely censorship-resistant because you can’t have really any central authority trying to censor it… And it’s completely secure, because it’s cryptographically secure. So with those primitives you can do just so much on top, and that’s kind of what I’m excited by.

Adam Stacoviak: That makes sense. That’s a good way to put it, because they’re still coins, when you think about the name, the term - they’re meant to signify currency of some sort; some sort of worth, some sort of value… But they’re obviously not physical; you can’t touch your Bitcoin. Maybe you could, if you’re really lucky, but I don’t know…

But they’re just simply things you happen to take ownership in - Mikeal, you own yours, I own mine, Rachel you own yours - and once you exchange that value for something else, it translates. So it’s like stock in a way too, because you buy it at a certain price, and it may be worth something worth, or potentially less.

Eric Berry: But I wasn’t. I wasn’t because it didn’t make sense to completely shut it off. I did shut down the platform, I stopped tracking… But I still had developers who trusted me and relied on me to help them get funding. And I had a good friend, Mike Smith, who I believe you know, over at Rollbar, who’s now at GitPrime. I asked him, I said “Are you willing to stick with me? What I can do is you keep providing funding for all of these top-performing sites” – and he looks at them as top-performing, I look at them as needing the most funding. I said “Will you continue to provide funding for them, and I will just take a 15% cut, and that will essentially make it so that we can still do the tracking”, as we were still running it through a tracker… But I didn’t need any of the money. The money was literally just to help the server run. He said, “Absolutely.” He had no issue with that.

So in December I paid out all the remaining money to all of the people that I owed money to, which came to almost $5,000, and then I had an extra thousand dollars of nickles and dimes for all of the other developers that didn’t make enough money to receive that payout, so I made a lump sum donation of $1,000 to the A21 organization for fighting human trafficking. There’s a blog post listing every single developer that participated as a donor in that donation… Because it wasn’t my money; I didn’t consider it my money and I didn’t want it. So in December I talked to a buddy of mine named Freddie Shelton, and I asked him, I said “Hey, are you interested in Code Sponsor? I’ve got all these contracts set up, I’ve got Mike here… Would you like to take it over?” “Sure, absolutely.” So he did, and he kept it going for a month, all the way through early January.

In that time, I was kind of going through this point in my life where I hate my job, I need to find purpose… I found true purpose in funding open source, but I need to be able to go somewhere that I can do that and get paid for it… And that’s what I did.

[36:15] Over the course of about three months, I’ve been talking to Kevin Owocki, who is the CEO and founder of Gitcoin. Gitcoin is a product that helps developers get paid to contribute to open source funding through bounties. We became friends over the months and he offered me a job to come work at Gitcoin, which I accepted.

Once I got to Gitcoin, I thought “I wonder if I can just pick up where I left off and bring Code Sponsor back in.” So I reached out to Freddie, I said “How’s it going?”, I said “Would you be willing to sell me back the company?” and he did. I gave him some money for the company, and then I brought it in as just my contribution to Gitcoin… Just “Here’s me, here’s what I can bring to the table. I don’t want any money for it.” They paid a few of the expenses that I had for the product, but all in all it was like “Code Sponsor joins Gitcoin as sister companies, but they’re basically one company now”, because we’re all getting our paychecks from the same company, and all that stuff. But my role at that point became “Make this work. Help people through ethical advertising.”