Hacker News: throwaway2016a's comments

> If the programmer's goal is to produce valuable software that works and is secure and easy to maintain then they will gravitate to LLM assisted programming.

Just this week alone I had the LLMs:

- Introduce a serious security flaw.

- Decide it was better to duplicate the same 5 lines of code 20 times instead of making a function and calling that.

And that is actually just this week. And to be clear, I am not making that up to prove a point, I use AI day in and day out and it happens consistently. Which is fine, humans can do that too, the issue is when there is a whole new generation of "programmers" that have absolutely zero clue how to spot those issues when (not if) they come up.

And as AI gets better (which it will) it actually makes it more dangerous because people start blindly trusting the code it produces.


If that's happening then you're most likely not using the best tools (best model and IDE) for agentic coding and/or not using them right.

How an experienced developer uses LLMs to program is different than how a new developer should use LLMs to learn programming principles.

I don't have a CS degree. I never programmed in assembly. Before LLMs I could pump out functional secure LAMP stack and JS web apps productively after years of practice. Some curmudgeon CS expert might scrutinize my code for being not optimally efficient or engineered. Maybe I reinvented some algorithm instead of using a standard function or library. Yet my code worked and the users got what they wanted.

If you're not using the best tools and you're not using them properly and then they produce a result you don't like, while thousands of developers are using the tools productively, does that say something about you or the tools?

Also, if you use an LLM haphazardly and it introduces a security flaw, you as the user are responsible. The LLM is a power tool, not a person.

Whether the inexperienced dev uses an LLM or not doesn't change the fact that they might produce bad code with security flaws.

I'm not arguing that people that don't know how to program can use LLMs to replace competent programmers. I'm arguing that competent programmers can be 3-4x more productive with the current best agentic coding tools.

I have extremely compelling valid evidence of this, and if you're going to try to debate me with examples of how you're unable to get these results then all it proves is you're ideologically opposed to it or not capable.


First, I'm using frontier models with Cursor agentic mode.

> Also, if you use an LLM haphazardly and it introduces a security flaw, you as the user are responsible. The LLM is a power tool, not a person.

I 100% agree. That was my point. A lot of people (not saying you, I don't know you) are not qualified to take on that level of responsibility yet they do it anyway and ship it to the user.

And on the human side, that is precisely why procedures like code review have been standard for a while.

But my main objection to the parent post was not that LLMs can't be powerful tools but that specifically the examples used of maintainability and security are (IMO) possibly the worst examples you can use. Since 70k line un-reviewable pull requests are not maintainable and probably also not secure (how would you know?).


Okay, I'm pretty sure we would heavily agree on a lot of this if we pulled it all apart.

It really boils down to who is using the LLM tool and how they are using it and what they want.

When I prompt the LLM to do something I scout out what I want it to do, potential security and maintenance considerations, etc. I then prompt it precisely, sometimes with the equivalent of a multi-page essay, sometimes with a list of instructions, etc. The point is I'm not vague. I then review what it did and look for potential issues. I also ask it to review what it did and if it sees potential issues (sometimes with more specific questioning).

So we are mashing together a few dimensions, my GPC was pointing out:

- A: competent developer wants software functionality produced that is secure and maintainable

- B: competent developer wants to produce software functionality that is secure and maintainable

The distinction between these is subtle but has a huge impact on senior developer attitudes to LLMs from what I've seen. Dev A is more likely to figure out how to get the most out of LLMs, Dev B will resist and use flaws as an excuse to do it themselves. Reminds me a bit of early AWS days and engineers hung up on self hosting. Or devs wanting to build everything from scratch instead of using a framework.

What you're pointing out is that if careless or inexperienced developers use LLMs they will produce unmaintainable and insecure code. Yeah I agree. They would probably produce insecure and unmaintainable code without LLMs too. Experienced devs using LLMs well can produce secure and maintainable code. So the distinction isn't LLMs, it's who is using them and how.

What just occurred to me though, and I suspect you will appreciate, is the fact that I'm only working with other very experienced devs. Experienced devs working with JR or careless devs who can now produce unmaintainable and insecure code much faster is a novel problem and would probably be really frustrating to deal with. Reviewing a 70k line PR produced by an LLM without thoughtful prompting and oversight sounds awful. I'm not advocating this is a good thing. Though surely there is some way to manage that, and figuring out how to manage it probably has some huge benefits. I've only been thinking about it for 5 min so I definitely don't have an answer.

One last thought that just occurred to me: the whole narrative of AI replacing junior devs seemed bonkers to me because there's still so much demand for new software and LLMs don't remotely compare to developers. That said, as an industry I guess we haven't figured out how to mix LLMs and Jr developers in a way that's net constructive? If JR+LLM = 10x more garbage for SR to review, maybe that's the real reason why JR roles are harder to find?


> thousands of developers are using the tools productively,

There's at least one study that suggests that they actually are not in fact working more productively, they just feel that way.

Unfortunately for me personally, Claude Code on the latest models does not generally make me more productive, but it has absolutely led to several of my coworkers submitting absolutely trash-tier untested LLM code for review.

So until I personally see it give me output that meets my standards, or I see my coworkers do so, I'm not going to be convinced. Legions of anonymous HN commenters insisting they're 50 year veterans that have talked Claude into spitting out perfect code will never convince me.

(I spent over an hour working with Claude Code to write unit tests. I did eventually get code that met my standards, after dozens of rounds of feedback and many manual edits, and cleaning up quite a lot of hallucinatory code. Like most times I decide to "put in the effort" to get worthwhile results from Claude, I'm entirely certain I could have done it faster myself. I just didn't really feel like it at 4 on a Friday)


The seed of this thread was the premise that using these power tools requires skill. Skill that takes time and practice to become proficient at.

And my point was whether or not people take the time to develop the skill depends on their motivations, values and beliefs.

In this thread I have weighed both sides: cases when LLMs are productive and when they are not.

Your comment comes off as biased and evidence of my point.


If you consider "skimpy outfits" pornographic then both Facebook and X are worse than TikTok for me. I've seen a few pieces of content I had to report before but not many.

X, on the other hand, has literal advertisements for adult products on my feed and I get followed by "adult" bot accounts several times a week that, when I click through to block them, often show me literal porn. Same with spam Facebook friend requests.

I think it boils down to a simple fact that trying to police user-generated content is always going to be an up-hill battle and it doesn't necessarily reflect on the company itself.

> Global Witness claimed TikTok was in breach of the OSA, which requires tech companies to prevent children from encountering harmful content...

Ok, that is a noble goal but I feel that the gap between "reasonable measures" and "prevent" is vast.


> I think it boils down to a simple fact that trying to police user-generated content is always going to be an up-hill battle and it doesn't necessarily reflect on the company itself.

I think it boils down to the simple fact that policing user-generated content is completely possible, it just requires identity verification, which is a very unpopular but completely effective idea. Almost like we rediscovered, for the internet, the same problems that need identity in other areas of life.

I think you will also see a push for it in the years ahead. Not necessarily because of some crazy new secret scheme, but because robots will be smart enough to beat most CAPTCHAs or other techniques, and AI will be too convincing, causing websites to be overrun. Reddit is already estimated to be somewhere between 20% and 40% robots. Reddit was also caught with their pants down by a study recently, with an AI robot on r/changemymind racking up ridiculous amounts of karma undetected.


I'm not convinced that will fix the problem. Even in situations where identity is well known such as work or school, we commonly have bad actors.

It's also pretty unpopular for a good reason.

There is a chilling effect that would go along with it. Like it or not, a lot of people use these social platforms to be their true selves when they can't in their real life for safety reasons. Unfortunately for some people their "true self" is pretty trashy. But it's a slippery slope to put restrictions (like ID verification) on everyone just because of a few bad actors.

Granted I'm sure there's some way we could do that while maintaining moderate privacy but it's technologically challenging and I'm not alone in wanting tech companies to have less of my personal information not more.


I didn't get a sense the article singled out charter schools specifically; rather it just lists them as an alternative place that funds get funneled to instead of to neighborhood public schools.

Which brings me to:

> The main reason "private" (in their sense of the word) schools are gaining in popularity is precisely because they are seen as delivering a better education by an ever wider chunk of society.

If you accept that the article is talking about charter schools, then yes, perhaps the narrow focus of the charter could allow for a stronger education in a specialized area.

But, if you accept it as private schools as a whole, then I don't buy that argument fully. The administration has been very clear that the motivation is "anti-woke" and "traditional family values" and nothing to do with education quality. In fact, as someone who went to a religious school in a small town (granted 30+ years ago) I can vouch that my education (especially in science and math) was FAR worse than the public schools at the time and homeschooling quality varies wildly.

Edit: As far as

> More specifically the US currently spends more than the vast majority of the world per pupil

I also find this focus on spending per pupil very odd because it doesn't account for cost of living.

And if you dive into the fine print it says:

> Includes both government and private expenditures.

So what if (and this is a completely untested hypothesis) the reason we spend so much per pupil in that chart is being exacerbated by the private school system.

Edit 2: after diving into it, that source provided is greatly inflated by private school spending including private colleges (which are insanely expensive). So that same data can also be used to argue the US is really spending too much on private schools not public ones.


Here [1] are the data on spending per student PPP adjusted. It doesn't really change it much at all. US is 6th in the world in spending per secondary pupil. They seem to lack data for primary, but it's not going to be some radically different story one way or the other. The initial link I gave (where US is 5th in the world) offers a breakdown of various spending - I was referencing the first table - which is elementary/secondary only. Also, religious schools in the US (Catholic at least) also substantially outperform public schools by a range that widens over time. [2]

In any case private schools will always perform better than public schools because they can be selective with who they admit. A handful of very bad students can easily derail the education of an entire class, and in public schools it can be somewhat difficult to get rid of these kids. And so I do think things like education vouchers, tax rebates, and other incentives to allow more middle and lower class families access to private education is a very good thing.

Lastly, on the woke stuff. Would you be happy if your child was taught creationism and intelligent design? Probably not. Why? Because it'd be ideologically motivated, rather than educationally motivated. If people want to teach their children that in their own time - more power to them, but it has no place in the classroom. And I'd feel exactly the same if my children were taught that e.g. math is racist, or the contemporary 'reimaginings' of history that mix critical theory and contemporary values, and retrofit them into the past in an antagonistic fashion. We went from a real problem of white washing history, to just inventing these sordid tales that are even further off base.

[1] - https://databank.worldbank.org/indicator/UIS.XGDP.1.FSGOV?id...

[2] - https://ncea.org/NCEA/NCEA/How_We_Serve/News/Press_Releases/...


Thank you for presenting the research. I appreciate that.

To address your points though:

> A handful of very bad students can easily derail the education of an entire class

Private school had plenty of bad apples too. In fact, some kids I went to school with were explicitly there because they were trouble makers and their parents thought the nuns would break them (they didn't). In contrast, I've found my daughter's public school to be pretty zero tolerance when it comes to disruptors.

But even if you are right, that is also the strength of public schools. The same thing that makes them unable to turn down the bad apple is also what makes sure kids with special needs or low family means don't get left behind.

> math is racist, or the contemporary 'reimaginings' of history that mix critical theory and contemporary values, and retrofit them into the past in an antagonistic fashion.

Except every time one of those stories comes out and you dig deeper it is almost never actually what the media says. It's usually either extremely isolated or taken entirely out of context for sensationalism.

For example, there have been several documented cases of public school teachers teaching creationism, and also that the Civil War wasn't about slavery (despite slavery being specifically mentioned by multiple states when they joined the Confederacy), but I would never represent that as widespread and try to tear down the whole system over it.


Private schools are, of course, not homogeneous. Some schools will accept bad apples, most won't. Public schools have no choice and you generally cannot expel a child except for extremely serious issues. If you've found a public school without major disruptive issues then you probably live in a high income and/or less urban area which immediately works as an invisible filter on the student body. I went to public school system in an urban low income area - I will never put my own children in such a system, under any circumstance.

As for 'no child left behind' and the woke stuff. I can actually tie both of these together in California. [1] In an effort to increase equity they've essentially hamstrung their own education. They're making Algebra 1 a grade later (meaning less normal path access to calculus), offering "alternatives" to Algebra 2, swapping from a focus on mastery to one on "big picture" understanding, keeping classes integrated regardless of student performance, and generally dumbing down the mathematical education across the board. They want to achieve equity in outcomes, and so they're taking the easy route - lower the ceiling, rather than raise the floor. It's near to certain that outcomes in California will decline significantly over the next decade, but I expect there will also be better grades on average - laying a nice layer of paint on a building that's collapsing.

---

As for the Civil War, imagine the EU had a military and simply refused to accept Brexit, triggering a war. Would the cause of that war have been e.g. immigration (which was arguably the main factor leading to Brexit, and mentioned in numerous official documents relating to Brexit), or would it have been over the rights of EU member countries? Obviously without immigration you don't have Brexit and so you don't have a war. Yet similarly without our hypothetical effort of the EU to impose its will on member countries, you also don't have war. A key point to me is that one issue is variable, while one is fixed.

[1] - https://www.latimes.com/california/story/2023-07-12/californ...


This whole thread is giving blockchain in 2015 vibes. People were using all sorts of quotes and anecdotes to tell skeptics why they were wrong and in 10 years the entire financial system will be running on blockchain. A certain amount of skepticism and cautious optimism is healthy.

Also, people seem to be missing that "AI Assisted" coding and "Vibe Coding" are not the same thing.

Personally I think the issue with vibe coding is two fold:

1. It is not good at solving problems that are uncommon.

2. It is not deterministic.

Yes, AI can do quality control and testing now. But anyone who has done TDD can tell you that just the mere presence of tests does not itself mean the code is effective or solving the right problem.

Is it getting better? Yes. Do I trust any vibe coded apps built by people who don't know actual code and are treating it like a black box? Absolutely not.

And I say that as someone who has tried pretty much every IDE out there and uses AI assisted coding (on "agent" mode) heavily every single day.


Not OP, but there are many things that I know don't work without trying them. That's not a contradiction. It may or may not be true but it's not a contradiction by itself. You can know reasonably well that something doesn't work by looking at other people who have tried it (sometimes even better if those people are experts and you are not).


When was the last time you actually priced them out?

When they first came up they were pricy but unless you're talking about fancy smart-bulbs with Wifi and color changing, they are not 10x the price. And they empirically last 5-20+ times longer.

So even before you consider that a huge portion of the energy put into incandescence is lost to heat (thereby making it cost MUCH more in electricity), they are still roughly the same price after accounting for lifespan.


Stripe supports Apple Pay, though. You can easily enable both Apple Pay and Google Wallet.

But since it is just the regular version of Apple Pay and not an in-app purchase it has different (lower) fees.


Very nice solution!

Definitely very low resolution, but compared to sites that use a solid color this seems much better. And only requiring one variable is really nice.

The article seems very well thought through. Though for both the algorithm and the benchmark algorithm the half blue / half green image with the lake shows the limitations of this technique. Still pretty good considering how light weight it is.


The half blue / half green image still looks better with LQIP than BlurHash. I was getting ready to use BlurHash in my app, might try this instead!

In fact, LQIP looks better than most of the BlurHash examples in the gallery (https://leanrada.com/notes/css-only-lqip/gallery/); not sure if these were cherry picked or what.


Author here: Definitely cherry picked ;)

I did deliberately pick some "bad" examples like the blue+green image, and other multicolor images.

I wanted to add an upload function so people could test any image, then I realised I'd have to implement the compression/hashing in the client. Maybe I should!


I tried getting that working earlier using Claude to convert your script - you can see the result here: https://claude.site/artifacts/b747d94a-2923-4904-8ed1-7330bf...

Here's the transcript and code: https://claude.ai/share/4a562082-b681-4f0c-909c-3c32c34fd050


I could tell and I really appreciate it. It's really helpful to see both the good and the bad.

Great work!


When I saw that link I thought maybe it was one of those: "add X to the recommended libraries list" PRs or something like that. But this is wild... it's literally an advertisement.


This is a certificate used to sign and verify add-ons and (I think based on the reading) some DRM features. They did, in fact, release a new one. This is a warning to the people who haven't run their browser updates and don't have the new one.

There is no point in pulling down the certificate, it's only used by Firefox and there shouldn't be any valid use case to patch an old version to use the new certificate, you would just update your whole browser (it would be easier and safer).

Edit: to whoever downvoted me. I was trying to be helpful with an actual interpretation of the article that this story linked to. I was also answering what was a question in good faith, respectfully. So if my reply is factually inaccurate I would love to know how I misinterpreted it as a matter of curiosity.


> it's only used by Firefox and there shouldn't be any valid use case to patch an old version to use the new certificate.

While I'm not the person you commented on I can somewhat provide insight into why it may have happened. In short, the sentiment and statement you made is misplaced and false, and neglects two critical things that are common knowledge at a professional level, which you may not be aware of. I'll elaborate below:

First, customized versions of Firefox that have been non-insignificantly patched or may have been rebased into a custom tree or fork. Having a certificate hard-coded creates, by design, additional work for anyone not following anything except the mainline tree. From a design perspective it's known-brittle and lacking any common resiliency feature normally included in such systems. There's a good chance this was intended, sufficient to treat this as malicious compliance. By those who may maintain repositories, this can be perceived as a resource drain attack on said projects that value privacy but who have limited resources to fix the inevitable failures caused by these design decisions.

Mullvad Browser, or Tor Browsers as examples, albeit they have more resources than some of the other browser projects.

Second, many recent updates have been user hostile by Mozilla. A slew of features supporting bulk data aggregation, while also removing toggles that would frequently disable such features has been growing.

Forcing an update removes user choice and agency which they previously had in older versions, with coercive influence. Most importantly at the professional level, a lot of code changes translates into a lot of bugs, failures, and crashes.

When you have many upstream changes, to control costs you generally keep a local or semi-local repository to manage time cost in support and keeping a foundation you can build upon while staying sane. The software having a kill-switch like this that's part of your local repository guarantees breakages, and it may not be immediately clear what the problem is (since it's hard-coded). Backported security fixes are not uncommon, but the maintainability and time-cost are nullified by a kill-switch. Many view this as a kill switch because it's hard-coded. Certificates for security would as a baseline require features for revocation. To my knowledge this isn't possible with these particular certificates.

There's a general rule, the more LOCs you touch, the more likely something is to break, and they've touched quite a lot recently.

Generally speaking, there appears to be quite a lot of effort (which translates into money spent) to embed points of failure within the client, similar to what Google has done in the past with Chrome.


While I appreciate your detailed answer it reads more like an indictment of Mozilla and doesn't actually address why my answer is wrong. I never said pinning coding the certificate is a good idea, you are attacking a straw man. I was simply answering the original commenter's question which was:

> Why can't they release a new certificate?

And nothing in your reply indicates why my answer to the question that is actually asked is incorrect.

Also, Certificate Pinning, which is the technique used here is not exclusive to Mozilla. I agree it's brittle but it's not an unusual practice. They also appear to be using certificate chaining (which is often considered best practice for pinning) since they say it is the Root certificate that expired so it doesn't appear to be a naive implementation. And again, even if it was: that's a straw man, I was not arguing for the technical merits of what they did, only answering the question asked.

Do you not remember when Let's Encrypt had a similar issue when a CA Root certificate expired and the certificates stopped working on old devices?

> the sentiment and statement you made is misplaced and false

What "sentiment"? I was not making a political statement, I was answering a question. And your entire post is attacking the use of certificate pinning and an open source project, which is something I was not arguing for (hence, a straw man) and does not actually refute my answer to the question asked. Furthermore:

> common knowledge at a professional level, which you may not be aware of

ROTFL, this is an anonymous account but I've been in this industry for over 25 years. You are almost definitely running code on your computer that I wrote. Never make assumptions on who you're talking to and use it for a personal attack. It's not a good idea. Also, never make assumptions that something is "common knowledge" -- you must have never managed anyone and if you have, I feel sorry for your reports. But regardless, not a single thing you said in your post was new information to me, except maybe that downstream projects may be using Mozilla code for certificate pinning to run Mozilla add-ons and DRM... and if they are, that's on them because a browser is an app not a library.


You asked why you may have been downvoted and I responded in good faith with my opinion based on what you communicated, that opinion is based on principle.

The statements I made are mostly an indictment of Mozilla, but it does include why your statement was wrong if you look carefully at what you wrote; it's not about what you were responding to.

Here is the statement you made:

> There is no point in pulling down the certificate, it's only used by Firefox and there shouldn't be any valid use case to patch an old version to use the new certificate, you would just update your whole browser (it would be easier and safer).

Break this down. # AND #. One of the legs doesn't hold. Making this false.

There is no difference in meaning between "should not be" and "no" here aside from marking it as an opinion (should/ought) which can be contradicted by real use-cases.

A strawman argument is where you attack a lesser flawed argument than what was said with the implication or claim that it is the same as the first. This wasn't a strawman argument, it was about exactly what was said despite the gymnastics needed to parse your statements.

The quoted statement was your opinion, and opinion is "sentiment" you relayed. I don't see why you think opinion/sentiment here is associated with politics. It can be misplaced and false at the same time and unrelated to politics.

The information in the post was attacking the fact that Mozilla is attacking and removing resilient design, which is the first thing any operations person will look for. Single points of failure.

Nothing said aside from the fact that you were mistaken in that one small statement you made, can possibly be construed as attacking you.

Even then it is pretty wild to consider observations/statements that serve as basis for a proof by contradiction as a personal attack.

> ROTFL

You asked why, because you missed something. I answered and I really didn't have to.

There are SOPs in professions that are common knowledge. There is no assumption in these cases, and it's standard practice to tag or preface statements that are common knowledge for those that may not have it.

On the developer side of the house, it is not unheard of to be siloed and not have common operational knowledge, what was said was reasonable.

Hopefully this sufficiently clarified for you why you may have been downvoted.

> if they are, that's on them because a browser is an app not a library.

The GPL has the intent and obligations spelled out. When you make and demonstrate a pattern of abuse through destructive or diminishing changes contrary to the GPL over time, you may risk violating it.

Taking actions that create the imposition of cost on legally protected rights within the GPL or inducing tortious interference through vexatious behavior is highly problematic and a question for the lawyers (IANAL).

Sentiment that it's on the downstream maintainers to fix issues created upstream is highly problematic.


The fact you not once in your reply acknowledge that certificate pinning and bundling trusted root CA public keys is actually common knowledge in the desktop and mobile app community makes me think you didn't even consider my reply.

I was simply explaining why for a desktop app pulling down the new certificate doesn't make sense because updating an app to update the pinned certificates is SOP for apps that use pinning.

> A strawman argument is where you attack a lesser flawed argument than what was said with the implication or claim that it is the same as the first. This wasn't a strawman argument, it was about exactly what was said despite the gymnastics needed to parse your statements.

No it literally was not. It was so much not what I said I wonder if you are replying to a completely different post. And rather than acknowledge you may have misinterpreted me, you are doubling down.

Also, that definition of straw man is wrong. It can also be -- as it is in this case -- attacking an argument the person never even made in the hopes it will bring the debate onto your terms.

But, I'm not attacking the straw man back, once again, at no point did I advocate for certificate pinning in open source apps nor make any comment on GPL or Mozilla.

My post was simply a statement on how to update apps that use certificate pinning. Reading any more into it than that is you injecting context that is not there.

Have a good day. My post is net positive votes now. I will not be replying to this conversation further.


Cite your sources, please. So far you're incorrect.


*rolls eyes* sure bud

Tell me, how exactly else are you supposed to update an app with a pinned certificate without defeating the whole purpose of pinning?

How about Google?

https://chromium.googlesource.com/chromium/src/+/main/net/da...

> The Chrome Root Store contains the set of certificates Chrome trusts by default.

Google also bundles some certificate fingerprints with their browser.

You can see right here where they are in their source code:

https://chromium.googlesource.com/chromium/src/+/main/net/da...

But according to trod1234 it is "common knowledge" you shouldn't do that... so Google and Mozilla must both be idiots.

In fact, Google's Android network article has a section specifically on how to add it to their mobile apps[1].

Any app that follows that article and has a root key expire will need to push an update if they don't have backup pins. And the only way to do that is... as I said in my original reply up top... update the entire app the cert is pinned to.

There are literally hundreds of sources I can find. Including the other reply to the post I replied to... which says the same thing as me but for some reason isn't being trolled.

[1] https://developer.android.com/privacy-and-security/security-...


The links you provide do not properly support what you say, imply, or claim.

The three links I provide below contradict the claims that are objectively discernible. The rest is ignored.

What I actually said is common knowledge in the field and best practice; more importantly it's not just me saying it, it is well known in industry, see [1][2][3].

There is no need for any further correspondence here.

[1] https://www.ssl.com/blogs/what-is-certificate-pinning/

[2] https://blog.cloudflare.com/why-certificate-pinning-is-outda...

[3] https://developer.android.com/privacy-and-security/security-... (Restricting your App to Specific Certificates... Caution...)


Your links apply to public pki certificates.

Now, I didn't read the source code, but Mozilla's wording implies they use a custom PKI to sign extensions.

Given that most (all?) root programs only certify host names or email addresses (S/MIME), it is reasonable for Mozilla to run a custom PKI for this. And that necessarily requires shipping/pinning the root certificates.

Actually this whole discussion is moot, because Firefox uses (and ships with) the Mozilla Root Program. So it can not not pin certificates, because that is the whole point of a root program.

Looks like we all learned something today.


You contradict your part here. I'm not sure if you meant to because the rest of your post sounds like it is saying Mozilla needs to pin if it's using a custom signing mechanism.

> Firefox uses (and ships with) the Mozilla Root Program

> can not not pin certificates

Shipping with a certificate store is by definition, pinning. So not only can it but your own post states it is when it says "and ships with".


1. Most of those articles refer to Public Key Pinning (HPKP), which is not the type Mozilla used. There is more than one type of pinning.

2. Once again... and I'm tired of repeating this... that's a straw man because never once in my original comment did I say pinning was a good idea or advocate for it.

3. With #2 in mind, seeing as my position was not for or against pinning, sending me articles about how bad it is just proves it is common enough use to warrant mainstream articles. Though again, moot, because I wasn't arguing it is common so another straw man.

From your source:

> Certificate pinning, the practice of restricting the certificates that are considered valid for your app to those you have previously authorized, is not recommended for Android apps.

At no point did I say this is not the case. I am aware of the limitations of pinning. Doesn't change the fact of my original post -- which is correct and has not been refuted in a single one of these replies -- Mozilla distributes the root public keys with their app (as does Google as proven by my citation) and the way to upgrade it is to install the newest version.

That last sentence is ALL my original post said, and not one of your replies or the other person's once addressed that statement; you're all addressing these ridiculous straw men that I never actually said.


You show a troubling self-referential incoherence in the things you claim and communicate in your responses that belies your credibility entirely.

This has not gone unnoticed, I gave you quite a bit of rope and you did not disappoint.

You have at some point willfully blinded yourself, and you missed and by extension failed to comprehend the conversation subject matter, or you are doing this intentionally with malice to extract cost on volunteers.

Your choice to ignore salient points, dissemble, improper use or comprehension of working practice and vernacular, and the fact that you communicate incoherently communicates to those watching that you are doing so with intention, the longer and more frequently you do it.

We communicate all the time whether we know it or not. Communicating incoherently and ambiguously communicates another message altogether since human beings are consistent psychologically; unless they are extremely unwell in which case they shouldn't be talking about extraneous things at all.

Negligence is inconsistent. Malice and malevolence are not. Loss with Negligence is intent, and given sufficient activity shows malevolence.

There are consequences for doing such things, none immediate. The main consequence is when you do this sufficiently broadly open societies become closed societies as they become destabilized. They become destabilized because you attack the underpinning of open society creating dynamics extracting cost; it's an overt act.

Toleration disappears, and this is how Hitler came to power.

The Bolsheviks tried to capitalize on a distressed Germany following many of the same tactics you demonstrated to impose cost and move the masses, which gave Hitler all he needed to come to power and do horrifying things. There are a growing number of parallels between Hitler's and Trump's actions.

The rule of law broke down to rule by law overnight. Society ceased protecting anyone. What did Hitler do? The first thing he did was kill the Socialists and Communists by political leftist affiliation. The instigators. Millions of them and their families, and children. Then he went on as history shows, dwarfing this to a mere footnote.

They had no warning, the lists were made in advance based on actions and participation following Machiavelli. Hitler rose to power because the Bolsheviks tried to impose cost to try and takeover, in the process paving the way to their own destruction (and many others). They were not alone in that but they gave him everything he wanted.

We live in a surveillance society. Acting like an enemy of society by committing subversive overt acts whether you recognize it or not is going to endanger you later.

This is an earnest warning. It should be clear that tolerance has just about completely dried up for this behavior, as evidenced by DOGE, and the fact that approval ratings for democrats are at an all time low, while the exact opposite is at an all time high. DEI is a form of Maoism, and they are stripping it out of government. These type of things change overnight, and the perceptual blindness that made you unable to follow the conversations here will disadvantage you whether you know it or not.

It won't be up to you to decide when it gets to that point. It's decided for you based on your past actions, and fueled by surveillance that is beyond the pale of the STASI's wettest dreams, targeting guilt by association.

This is why you should strive to be clear and concise in what you mean without engaging in many of the fallacy based methodology linked most recently to communism like you did.

You might think it's inconsequential, but you won't know that's not the case until it's too late, and this is a public forum that is archived. AI could be trained to look for this. Think about it.

There are several ways to upgrade Root CA signed PKI issued certs on all endpoint devices that become expired seamlessly, no-touch, without reinstallation of a bundle in design. Mozilla and Google don't do this not because they are idiots but because it benefits them at the loss of the user.

The best practice is to have a pool of several PKIs that are each signed at the top by a different root CA and using CT Logs, Domain Check Validation, etc to migrate them as needed without reinstall or outage. This was included in material I linked that you say you read but didn't comprehend or address.

You aren't a professional. The support that you link does not support what you say which itself is impossibly ambiguous; intentionally so.
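The mechanics the two sides keep talking past each other on, as an added illustration (this is not code from Mozilla, Google, or any commenter in the thread): a pin set shipped inside an app, with a primary pin, a backup pin, and an expiry date, checked against the server's certificate chain. It covers both the "push an update if they don't have backup pins" point made earlier and the later point about migrating keys without a reinstall. Pins follow the HPKP / Android network-security-config convention of base64(SHA-256(DER SubjectPublicKeyInfo)); the SPKI byte strings below are constructed stand-ins, not real keys, and the `check_connection` function and its date inputs are this example's own.

```python
"""Pin-set check in the style of HPKP / Android network security config.

Added illustration, not code from Mozilla, Google or any commenter.
Pins are base64(SHA-256(DER SubjectPublicKeyInfo)); the SPKI bytes
below are constructed stand-ins, not real keys.
"""
import base64
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


def spki_pin(spki_der: bytes) -> str:
    """Compute a pin: base64 of the SHA-256 digest of the DER-encoded SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class PinSet:
    """Pins shipped inside the app, plus an optional expiry date.

    Android's <pin-set expiration="..."> and HPKP's max-age both let a
    pin set lapse, so a forgotten update degrades to normal PKI validation
    instead of locking every installed copy out of the server.
    """
    pins: FrozenSet[str]
    expiration: Optional[date] = None


def check_connection(chain_spkis: Iterable[bytes], pinset: PinSet, today: date,
                     chain_valid: bool = True) -> Tuple[bool, str]:
    """Decide whether a TLS chain is acceptable under the shipped pin set.

    Pinning only narrows trust, so the chain must still pass standard
    validation first. Any certificate in the chain may satisfy a pin
    (leaf, intermediate, or a bundled root).
    """
    if not chain_valid:
        return False, "rejected: chain failed standard validation"
    if pinset.expiration is not None and today > pinset.expiration:
        return True, "accepted: pin set expired, standard validation only"
    for spki in chain_spkis:
        if spki_pin(spki) in pinset.pins:
            return True, "accepted: pin matched"
    return False, "rejected: no certificate in chain matched a pin"


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
CURRENT_KEY = b"constructed-spki:current-signing-key"
BACKUP_KEY = b"constructed-spki:offline-backup-key"
NEW_UNPINNED_KEY = b"constructed-spki:key-generated-after-shipping"

# What the app shipped with: the live key plus one backup pin, expiring a
# year later. The backup pin is what lets a rotation succeed without a
# new app release.
SHIPPED_PINS = PinSet(
    pins=frozenset({spki_pin(CURRENT_KEY), spki_pin(BACKUP_KEY)}),
    expiration=date(2025, 12, 31),
)


def rotation_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Run the rotation cases the thread debates and return each verdict."""
    before_expiry = date(2025, 6, 1)
    after_expiry = date(2026, 2, 1)
    return {
        # Steady state: server presents the key that was pinned at ship time.
        "current key": check_connection([CURRENT_KEY], SHIPPED_PINS, before_expiry),
        # Planned rotation to the pre-published backup key: no app update needed.
        "rotated to backup key": check_connection([BACKUP_KEY], SHIPPED_PINS, before_expiry),
        # Rotation to a key nobody pinned: every installed copy rejects the
        # server until a release carrying new pins ships.
        "rotated to unpinned key": check_connection([NEW_UNPINNED_KEY], SHIPPED_PINS, before_expiry),
        # Same unpinned key after the pin set lapsed: falls back to normal PKI.
        "unpinned key after pin expiry": check_connection([NEW_UNPINNED_KEY], SHIPPED_PINS, after_expiry),
        # A chain that fails ordinary validation is never rescued by a pin match.
        "pinned key, invalid chain": check_connection([CURRENT_KEY], SHIPPED_PINS, before_expiry, chain_valid=False),
    }


if __name__ == "__main__":
    for name, (ok, why) in rotation_scenarios().items():
        print(f"{name:32s} -> {why}")
```

The third scenario is the situation described upthread: if the only pins shipped are for keys that have since rotated or expired, no server-side change can satisfy the check, and the fix is a new build of the app with new pins. The second and fourth scenarios show the two standard ways to avoid that outcome: publish a backup pin for a key held offline, and give the pin set an expiry so a stale build degrades to ordinary chain validation rather than failing closed forever.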


It is a conversation that started with a simple post that was just pointing out that you had to download a new version the way Mozilla implemented the pinning.

I never said it was a good idea, I never made a political statement, I never said there wasn't a better way to do it with current PKI technology. I simply explained the way it had to be done the way Mozilla implemented it and I have to deal with rants talking about Hitler. And you call me unprofessional?

This conversation is over.

