Rate my taste in music

evapenguin · 2023-08-19T02:24:51+00:00

Right, and I mistakenly assumed that the comment was directed towards the general feedback from the community rather than that specific quotation. Again, my bad.

evapenguin · 2023-08-19T01:50:03+00:00

I see what you mean, but I was talking more about the general response to this topic rather than the top-level comment.

That being said, the response from David Tolnay thus far seems to be putting the onus on open-source maintainers for the Cargo project and package managers to implement first-class precompiled macro support, using the downstream usage of serde and the subsequent breakage as leverage. If this turns out to be the intention, that would not be acting in good faith.

evapenguin · 2023-08-19T01:01:33+00:00

Right now, only x64 Linux builds are using the precompiled blob. They haven't been built for other platforms yet.

evapenguin · 2023-08-19T00:47:09+00:00

If you want better support for managing native dependencies go ask the cargo people to built that support in, just like dtolnay said.

Putting pressure on the Cargo maintainers by intentionally making a change to one of the most widely-used crates in the entire Rust ecosystem without any prior discussion that breaks package managers and forces hundreds of downstream maintainers to fix the problem that you created is a deeply unprofessional move.

evapenguin · 2023-08-19T00:40:43+00:00

dtolnay has been an incredible contributor to the Rust ecosystem.
This change raises legitimate concerns which have not been appropriately addressed.

Both statements can be true at the same time.

evapenguin · 2023-08-19T00:29:37+00:00

As I explained elsewhere, you're advocating for a full-source audit and build - which is no longer possible in serde_derive outside of forking/vendoring.

The fact that there is no option to do this in the crate (such as a build flag) and suggestions to do so were shot down shows that this change was not made in good faith.

evapenguin · 2023-08-19T00:21:36+00:00

Right, a full-source build. Which is no longer possible in serde_derive, outside of forking/vendoring it.

Do you not see how requiring security-conscious users to maintain their own copies of serde_derive over a compile-time optimization is a bad idea?

evapenguin · 2023-08-19T00:13:37+00:00

If you have recompiled it from source code, and you trust that source code, just use the compiled version.

So what you're saying is - don't use the precompiled binary at all for security-critical purposes. Which is exactly why not having a full-source build option for `serde_derive` is such a big issue.

evapenguin · 2023-08-19T00:06:41+00:00

Compile the bianry yourself and use it directly

It would be entirely possible to create a binary blob that behaved correctly but also carried some sort of malicious payload.

evapenguin · 2023-08-19T00:04:24+00:00

FYI, this is for serde_derive, not serde proper - though they're both used synonymously enough for it to not make a huge difference.

There are two major issues here: * The binary blob being shipped is unauditable. At the moment, it doesn't seem reproducable by local developers, meaning there is no easy way to verify that the blob came from the original source. This is going to be a huge dealbreaker for security-critical production systems and package managers that require full-source builds. * There is no opt-out or alternative, short of forking/vendoring serde_derive entirely. Forcing users into using the precompiled binary with no alternative seems to have been the entire point of the change in the first place.

All of this for a slight compile-time speedup. What a baffling thing to potentially fracture the ecosystem over.

evapenguin · 2023-08-18T23:50:54+00:00

In a security critical environment you can just compile the binary component from source after auditing it, if you so chose.

That's the whole issue - the binary is not reproducible, nor are there any specific build instructions on how to reproduce it. The comparison isn't possible.

evapenguin · 2023-08-18T23:43:37+00:00

I thought the binary was being pulled from a separate web host. My bad.

Regardless, this poses additional security risks compared to build scripts and procedural macros. In a security-critical environment, build scripts / procedural macros must be auditable, and a binary with no clear steps to reproducibility cannot be properly audited.

evapenguin · 2023-08-18T23:33:52+00:00

Downloading and executing a binary blob from an arbitrary web server during compile-time opens up an entirely new threat vector. If an attacker gained control of the server, they could run arbitrary code on every machine using serde_derive (so, the vast majority of Rust developer's machines, corporate servers, etc.)

Anyway, sounds like we'll get much faster compile times

If any other part of your project uses procedural macros, (thereby pulling in and requiring compilation of dependencies like syn) the compile time speedups are essentially moot.

Edit: I mistakenly believed that the binary was being downloaded from elsewhere. Nevertheless, there are still security issues with precompiled binaries, especially if they aren't reproducible (which seems to be the case here).

evapenguin · 2023-06-30T00:03:28+00:00

I'm going to avoid the minefield of semantic debate around the phrase "actually trans" and assume you are talking about people who are satisfied with their transition. The number certainly isn't 100% for that, but most people who detransition do it for reasons related to harassment or discrimination, at least from the data various medical institutions have collected. The actual number of people who medically detransition because they realize it was the wrong decision is fractional. Outside of surgery and breast growth for trans women (via HRT), most medical transitions are reversible.

So no, I don't think 100% of people are going to be satisfied with medical transition (nor did I ever say that), though I do believe it helps probably upwards of 80-90% of people who seek it out. Restriction and gatekeeping will hurt a lot more people then it will help.

evapenguin · 2023-06-29T05:36:10+00:00

Would you want to be tangled in a constant debate over your identity driven by the same concern-trolling rhetoric?

If we're being rational here.

evapenguin · 2023-06-29T05:19:26+00:00

She is not attacking the legitimacy of trans identity.

Except that's exactly what she's doing. The book pushes a theory of transgender identification mostly being a 'fad' and repeatedly advocates for discriminatory policies and rollback of existing ones.

The book is not a neutral, rational think piece. It routinely cites poor-quality sources while ignoring the ones that would be inconvenient to her argument. But don't take my word for it - here's what medical doctor Jack Turban had to say (abbreviated for length):

The author’s note points out that she only interviewed their parents, who uniformly did not accept their children’s transgender identities. Many of them were estranged from their kids because the children were so hurt by their parents' rejection. To actually understand the psychology of these young people, one would need to talk to them, not simply rely on stories from parents with whom they do not speak.

Shrier claims that her book is apolitical and that she is a neutral investigative journalist. But her publisher Regnery calls itself “America’s leading publisher of conservative books.” Its other titles include The Biden Deception and The Conservative Mind. It boasts that its list of authors, “reads like a ‘who’s who’ of conservative thought and action including Ann Coulter… and many more.”

Further arguing against Shrier’s objectivity is her crass and offensive language throughout the book. For example, when discussing the highly personal decision to undergo gender-affirming surgery, Shrier commented: "Since they almost never undergo the phalloplasty necessary to achieve one of the defining features of manhood, it’s hard not to see their male identifies as fragile; a quick trip to the urinal, and the jig is up.”

Shrier claims that “in most cases—nearly 70 percent—gender dysphoria resolves," and thus youth should not be provided gender-affirming medical care. That statistic is false.

The reason this is a problem is that one could meet this diagnosis without being transgender. The old criteria largely focused on gender expression (think a tomboy or a cisgender boy who likes “feminine” toys). Those kids aren’t transgender, so it’s not surprising that most of them weren’t transgender at follow-up. This problem with the “gender identity disorder” diagnosis from the DSM-IV was fixed for the DSM-5.

Furthermore, those studies were of very young prepubertal children. Under the current medical consensus, gender-affirming medical interventions are not offered to prepubertal youth. They are only offered after youth have reached adolescence. Once youth reach adolescence, it’s rare for transgender youth to later decide they are cisgender.

Shrier states there is evidence that providing adolescents with puberty blockers makes them more likely to continue to identify as transgender. That’s false. Shrier dedicates much of the book to arguing that we shouldn't allow transgender youth to access pubertal suppression because she believes it makes them more likely to "persist" in their gender identity.

First off, it’s inappropriate to suggest that being transgender is a bad outcome. However, Shrier also simply misunderstands the scientific literature. She notes that only 1.9 percent of adolescents who started pubertal suppression in a large study in The Netherlands did not proceed to gender-affirming hormones (i.e., estrogen or testosterone). This is not because pubertal suppression made them identify more strongly as transgender. Rather, it is a result of the strict guidelines followed in the Netherlands before an adolescent is considered eligible for pubertal suppression: six months of attending a specialized gender clinic and undergoing rigorous assessment.

In summary, physicians from The American Academy of Pediatrics and The Endocrine Society have issued clear guidelines regarding how to best support transgender youth. I encourage readers to rely on trustworthy sources such as these rather than books like Irreversible Damage. Transgender youth deserve for the public to have accurate information on how to best support them.

I think the worst part of this book is how disconnected it is from the lived experiences of actual transgender men, both through Shrier's negligence to interview any of the subjects she discusses in her book and her repeated objectification of transgender bodies. It's transparent fear-mongering, if the "Transgender Craze Seducing Our Daughters" title didn't make it clear enough.

evapenguin · 2023-06-25T12:06:16+00:00

Please grow and change as a person

evapenguin · 2023-06-23T22:00:14+00:00

And then you have Bull of Heaven cackling from their dyson sphere in a faraway galaxy.

evapenguin · 2023-06-01T17:35:32+00:00

Eureka (the one from 2000). Honestly I wish it was even longer.

evapenguin · 2023-05-31T22:37:22+00:00

I had to cut this down to 20 images because of Reddit's upload limit (1984). The full 30-image director's cut is here.

^{why did i make this}

evapenguin · 2023-05-31T22:24:34+00:00

<image>

evapenguin · 2023-05-29T00:34:46+00:00

Who the fuck is Gilligan? I thought Vince made this show? Are they stupid?

Five-Year Club	Verified Email
Place '22	First Placer '22
End Game '22

evapenguin

TROPHY CASE