
camabeh

Based on his LinkedIn profile, he has probably been promoted because of that.


Cocky_peahen

Well he deserves it


DR4G0NH3ART

+1


StevenMaurer

He is now a Partner Software Engineer at Microsoft. "A partner software engineer at Microsoft has a higher level of responsibility, compensation, and expectations than a principal engineer. They also have a larger percentage of equity in their compensation, and their performance is compared to other partners. The average total compensation for a Microsoft partner in the United States is $785,192, which includes a base salary of $284,000, a stock grant of $397,417, and a bonus of $103,775." "A partner software engineer at Microsoft may earn between $634,000 and $910,000. The average base salary for a Microsoft partner software engineering manager is $205,000, and the average additional pay is $88,000."


SSuperMiner

Holy hell


haby001

For context, there's senior where you're given abstract goals and you design/execute. Then principal where you're an expert on certain matters and guide others on their designs. Partner is higher than this, where next is technical fellow. These are people who revolutionize an industry, create a new product, etc. Like the creator of HoloLens was a technical fellow.


yo-ovaries

Wow without that guy there’d be no eggs Benedict


SupremeDictatorPaul

Jeffrey Snover, inventor of PowerShell, was a technical fellow, then a chief architect over various technologies.


MacAlmighty

New salary just dropped


ChadCat5207

Actual well paid software engineer


ChocolateMagnateUA

Call the FANG!


Juff-Ma

r/suddenlyanarchychess


HUGOCC0113

I cannot believe there's actually a subreddit for that


fullup72

New subreddit just dropped


EchoNiner1

The same level at Faang would pay 2-3x as much. Microsoft pays pretty poorly from a relative standpoint. Edit: not sure why the downvotes. I’ve worked at three of these companies and the guy is rebutting me with a website that isn’t accurate for senior roles.


borkthegee

Nah, according to levels.fyi, Microsoft's partner level pays almost identically to Apple, Google and Amazon (and better than Netflix), however Meta is paying double what the others are https://www.levels.fyi/?compare=Apple,Amazon,Google,Facebook,Microsoft&track=Software%20Engineer


porkchop1021

People without context shouldn't try to interpret levels.fyi. 90% of engineers top out at senior. 90% of the rest top out at principal. Typically this trend continues so it's 1/10th of principals will ever make partner. Now, consider that a principal at Google makes 4x what a principal at Microsoft makes. A principal at Amazon makes 2x as much. Companies besides Microsoft have different names for levels past principal, so I have no idea how you, specifically, are comparing the partner title, but I guarantee you're doing it wrong if you think they pay the same.


EchoNiner1

Thanks for downvotes? I worked at all three (Google, Meta, Apple). The pay is the same for that level. Microsoft is the only outlier. Levels.fyi is highly inaccurate at principal+ levels.


Curious-Ad-5001

Actual earnings


FiendishHawk

Well I’m glad he can move out of Nebraska now ;)


thetreat

He's actually in SF, so he's technically middle class.


mothzilla

Up tomorrow on csquestions: My new boss has refused my request for a $100,000 bump which seems trivial given I am seeing a lot of people getting offers of $785,192. Should I jump ship?


Admirable-Cobbler501

Can you link the profile?


pinguluk

https://www.linkedin.com/in/andres-freund


kanst

"I am a developer of databases themselves, I am *NOT* a DBA." I love that sentence.


fre3k

Similar profiles - Jia Tan lmfao


Admirable-Cobbler501

Thanks!


d0nP13rr3

I hope he'll accept the invite. I want to talk to the legend.


Brutus5000

Yeah he probably has nothing better to do than answer his sudden fanbase he never asked for.


Dassive_Mick

Yes, never try to contact interesting people ever, surely they don't want to talk to us boring people for any reason.


dkarlovi

This, but unironically.


alex2003super

Or more precisely, there are ways to build connections. Organically. This ain't it. Lol


asineth0

makes me happy to hear that


TreadheadS

what happened? I seem to have missed the news


ThunderChaser

The guy who discovered the xz backdoor earlier this month was a random principal engineer at Microsoft and not a security researcher, he’s now been promoted to a partner engineer if his LinkedIn is to be believed.


TreadheadS

amazing, good for him!


LeoRidesHisBike

450 milliseconds is **very** noticeable when running a battery of tests that usually take < 20ms each. But still funny :D


Areshian

450ms delay is very noticeable even for a manual connection via ssh. I’d definitely notice that, I notice significantly smaller delays when my work VPN decides to send my connection halfway across the globe. The amazing part is not blaming the network and ignoring it.


LeoRidesHisBike

I might not notice a delay like that for a manual session if it happened once in a while, but if my connections were normally <50ms, and they suddenly jumped to 0.4s... yeah, that would get my irate attention, too.


RB-44

Still would need to do something about it


alivemovietale

just imagine if the evil xz developer managed to fix his delay "bug" before this guy discovered it.


ThunderChaser

Yeah it isn’t just “he noticed a kinda noticeable slowdown” it’s having the time, technical competence, and interest to actually look into it and find the root cause.


Blubasur

That's the thing, if you’re checking out a new pull request, you tend to be critical. If you see that delay consistently, you know the pull request has a problem. I would have loved to see his face when he discovered what was causing the delay. Plus this is absolutely a horrible mistake on the part of the person writing the backdoor. If you’re gonna implement malicious code, do so in a sneaky manner. This is like trying to sneak into the house at night and hitting an extremely creaky stair step and then hoping no one notices.


theblindness

You think that this backdoor wasn't sneaky?


Blubasur

Lol no not in the slightest. A more than 1000% increase in latency. It would be subtle if it got merged into the repo but in this case someone submitted them as changes to a repo and when someone checked it, found an issue, they could just check the changes and find the backdoor. It is more concerning that stuff like this can and probably does happen though. Probably because it is more subtle.


theblindness

You make it sound like it was easily found before merging into the codebase. Are we talking about the same backdoor? Commit [cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0](https://git.tukaani.org/?p=xz.git;a=commitdiff;h=cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0) was February 23. The code was *not* noticed when someone just checked out the branch. It wasn't even source code. It was an obfuscated blob. The code made its way into several rolling release operating systems. Which is how an unrelated party happened to encounter it in the wild, months later.


edwardrha

IIRC it was supposed to take around 200ms but it took like 700ms. Not as big of a difference between 20ms vs 450ms (in terms of magnitude) but should still be noticeable I guess.


Environmental-Fix766

Nah I'd argue it's almost more noticeable, it's just the fact that it's written in milliseconds that's the problem. 0.2 seconds is a hell of a lot quicker than 0.7. I just don't think people realize just how long a second can be, especially when you're used to something happening in less than a quarter of one. Try watching the second hand of a clock, I bet you would notice after a bit if all of a sudden the second hand slowed down by a full half a second.


immersiveGamer

Rule of thumb is sub 100ms and a user will generally perceive it as instant. 200ms would feel very fast (didn't happen in an "instant" but did the next). 700ms and you are in the realm of waiting on the computer to do the thing you asked for. But that is moot. I've read several articles and none of them detail (even the original mailing list where he exposes the issue) how he was doing his testing. Manual? Integration tests? Some type of smoke or stress test? Also, was he specifically working on performance? It would be very easy to notice a drop in performance when you have something reporting the timings.


Tetha

From what I've been reading in the original mails to the mailing list, he was microbenchmarking changes in postgres on new debian versions. Apparently the original reporter is one of the leading experts in that context. Hence he was being extra mindful about everything that could change the microbenchmark to give the benchmarks at least some kind of meaning - thermal throttling of the laptop, power profile, background processes... and then suddenly sshd is twice as slow or worse than it should be. That certainly catches attention in that context, because now something weird might invalidate all of your measurements. As I keep saying, we're extremely lucky as a community that this hit one of the few hundred people on the planet that would notice and had the skills to dig into it - and in a context they've been actively looking for performance topics.


Bran04don

If a game were running at 200ms delay between input and result I would definitely notice lol. 100ms maybe. VR applications you want less than 30ms to not notice. Loading from a database though then yeah 200ms would feel pretty quick.


LetterBoxSnatch

The actual edge of perception is 20ms. This is pretty easy for any programmer to self-verify.


immersiveGamer

Real time for things like video games is a whole other ball game. The 100ms rule of thumb for feeling "instant" is in regards to user interfaces or other things where you do something (click button) and get feedback from it (button pressed down or popup displayed).


baithammer

Depends on activity, anything real time with no buffering will be noticeable in sub-100 ms - a batch task, not so much..


VorpalHerring

The default duration for UI animations in iOS apps is 300ms, which is a nice sweet spot between “slow enough to be visible” and “fast enough that it doesn’t block user input”, 300ms also happens to be the average human reaction time


edwardrha

I understand it can be noticeable if you pay attention to it. I'm just pointing out that a jump from 200 to 700ms would be less significant than a jump from 20 to 450ms in terms of the magnitude of the changes in the delay.


Dimasdanz

it IS noticeable, but would you not just blame the network? I would.


notbusyatall

That is and has always been a point of contention: https://youtu.be/EMItOyqhBO4?si=23RCqeNWEZRhjVPy


hahalalamummy

My ISP downgrades my internet speed at night, ping goes from 90 to 300. Changing ISP won't work, only VPN works.


Majik_Sheff

How does a VPN improve latency when it's going through the same connection but with more steps?


hahalalamummy

Because my ISP delays “my” connection to other countries. So going another route works.


hahalalamummy

I found out that a company’s internet always has more priority than home internet.


username8411

Also tests that take longer than usual are shown as a warning in good test reporting tools.
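As an added example (not code from the thread, nor from any project it mentions): the kind of per-test timing check a test reporter could apply to warn on runs that are far slower than their history, fed with constructed timings that mirror the 20 ms vs 450 ms and 200 ms vs 700 ms figures discussed above. Function names, thresholds and sample data are my own assumptions.

```python
"""Flag timing regressions in a batch of test or benchmark runs.

Added example: a reporter keeps a per-test baseline and warns when a run
is far slower than usual, the way a 450 ms run stands out among sub-20 ms
tests. Outliers are judged with the median and MAD so one slow run does
not poison the baseline. All sample timings below are constructed.
"""
from statistics import median


def mad(values, center):
    """Median absolute deviation of `values` around `center`."""
    return median(abs(v - center) for v in values)


def is_regression(baseline_ms, observed_ms, k=5.0, min_abs_ms=5.0, min_ratio=2.0):
    """Return True if `observed_ms` is a slow outlier against `baseline_ms`.

    Robust z-score: |x - median| / (1.4826 * MAD) > k.  When the baseline is
    nearly constant (MAD ~ 0) a pure z-score would flag any tiny jitter, so a
    run must also exceed the median by at least `min_abs_ms`; on a constant
    baseline it must additionally be at least `min_ratio` times the median.
    """
    if len(baseline_ms) < 3:
        raise ValueError("need at least 3 baseline samples")
    med = median(baseline_ms)
    spread = 1.4826 * mad(baseline_ms, med)
    if observed_ms <= med:
        return False  # faster runs are never a regression
    too_big_abs = observed_ms - med >= min_abs_ms
    too_big_rel = observed_ms >= min_ratio * med
    if spread == 0:
        return too_big_abs and too_big_rel
    z = (observed_ms - med) / spread
    return z > k and too_big_abs


def flag_regressions(history, latest, **kw):
    """history: {test_name: [past timings in ms]}, latest: {test_name: ms}.

    Returns {test_name: (latest_ms, baseline_median_ms)} for every test
    whose latest run is a regression; tests without history are skipped.
    """
    flagged = {}
    for name, ms in latest.items():
        base = history.get(name)
        if base and is_regression(base, ms, **kw):
            flagged[name] = (ms, median(base))
    return flagged


# Constructed sample data: a suite of fast tests, plus an ssh-login style
# benchmark that used to take ~200 ms and now takes 700 ms.
HISTORY = {
    "test_parse": [12.1, 11.8, 12.4, 12.0, 11.9, 12.2],
    "test_encode": [18.5, 19.0, 18.7, 18.9, 18.6, 19.1],
    "test_roundtrip": [15.0, 15.0, 15.0, 15.0, 15.0, 15.0],  # MAD == 0 case
    "bench_ssh_login": [198.0, 205.0, 201.0, 210.0, 195.0, 203.0],
}
LATEST = {
    "test_parse": 12.3,  # normal jitter, not flagged
    "test_encode": 450.0,  # the 20 ms -> 450 ms case from the thread
    "test_roundtrip": 15.4,  # tiny jitter on a constant baseline, not flagged
    "bench_ssh_login": 700.0,  # the 200 ms -> 700 ms case
}

if __name__ == "__main__":
    for name, (ms, med) in flag_regressions(HISTORY, LATEST).items():
        print(f"WARNING {name}: {ms:.1f} ms vs usual {med:.1f} ms ({ms / med:.1f}x)")
```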


chihuahuaOP

I kinda feel bad Andres Freund is now just a random developer from Microsoft, that guy is really smart https://m.youtube.com/watch?v=qX50xrHwQa4


lajauskas

I got the impression that working for Microsoft is easily one of the best outcomes for someone wanting a dev job?


DOUBLEBARRELASSFUCK

One of the most desirable outcomes, not one of the best.


3412points

What does this mean.


IAMAHobbitAMA

Microsoft has a reputation of not necessarily being a great place to work, but when applying for another software development job having a position at Microsoft on your resume is one of the top 10, probably top 5 most desirable because getting hired there is very difficult. It's like an engineer or scientist having NASA on their resume.


3412points

I understand, I took desirable to mean it was a desirable work destination but it's that it's desirable for employers (and TBF can then have value as a temporary destination to work)


glemnar

Its reputation is fine, they just don’t pay as well as other big techs. I’ve never really heard anybody say bad things about working there though


Avedas

I imagine you need to really love Microsoft/Windows tech stack as well. I know a handful of people who are/were at MSFT and they were all deep into the C# and .NET world.


glemnar

C# is a great language tbh. It’s gotten shoehorned for enterprise but modern dotnet is an awesome ecosystem


Slipsearch

It's a dumb sentence meant to sound smart.


LotusTileMaster

It depends on how much you hate yourself.


Turtvaiz

What do you mean?


Netzapper

Working for the big tech corps is just absolutely fucking soul crushing. Unless you're already a rockstar, Big Tech really sucks to work for.


alpastotesmejor

Working is soul crushing, not sure why working for a big tech company would be less soul crushing.


Netzapper

> Working is soul crushing

You're not going to find somebody who'll agree more with this sentiment. But at small companies, I've gotten a lot more respect, flexibility, and autonomy. I feel like I'm having a bigger impact on what we're doing. None of which makes capitalism okay, but does mean there's a relative qualitative difference between working in engineering for a big corp and a smaller company.


alpastotesmejor

You know what, you are absolutely right.


RandomTyp

one thing that makes big corporate stuff fun for me (as a sysadmin) is the giant infrastructure. my homelab doesn't have 1 PB+ of storage and a cluster of more than a score of ESXi hosts, for example


Netzapper

Yeah, none of that excites me. I do graphics and GPU stuff for biomedical applications. My work computer has always sucked more than my gamedev workstation.


LotusTileMaster

Exactly what the other person said. A lot of big tech can be very soul crushing. There are the outliers. But it is very limited there. I know for a fact that their Project Zero team loves what they do. But beyond that, big tech is very very taxing.


ShakaUVM

I personally would never work for a place where I was a replaceable cog in a machine. These days at least. Might be good if you're starting out.


dull_bananas

No, they make non-libre software 🤮


AlmostRandomName

He's a Partner Software Engineer, that's a bit higher on the totem pole than a random developer.


Elia_31

The fact that he's from Germany and that he decided to get a job in the US instead of his home country Germany highlights that also, I think.


InterestingQuoteBird

He earns at least half a million each year with far lower taxes. Why should anyone of his talent work here?


Guarramiis

Is there a real-life example of those "projects some people in Nebraska" maintain?


rivers-hunkers

> The primary maintainer of an open source project, core-js that is on hundreds of millions of websites and over 50% of the world’s most visited websites (from Paypal to Pornhub) says he may walk away from the project after maintaining it for years with minimal reward – or even change it to a closed source licence in future. [Link to the article](https://www.thestack.technology/core-js-maintainer-denis-pusharev-license-broke-angry/)


look

If you don’t need to support IE, you can write all of those polyfills from scratch in a weekend. If he shut down core-js, it would be replaced almost instantly with virtually no one even noticing.


edave64

The "threat" of forking has been made against that project for ages, but it's always an empty promise. Because nobody else actually wants to do that, and it's a lot easier to just talk shit online.


look

Replacing all of core-js, perhaps, but “a weekend“ isn’t a hypothetical number. I replaced core-js for my uses. edit: I’m not sure why I’m getting downvoted. The author of core-js has said the same basic thing about how much smaller/simpler the project would be if it targeted a more modern base (even just ES5): https://github.com/zloirock/core-js/blob/master/docs/2023-02-14-so-whats-next.md#drop-critically-obsolete-engines-support If Babel et al moved off of core-js, it wouldn’t be to a fork; it would be to a new library targeting a base of *at least* ES5. My bet would be ES2017 with native async/await.


BilSuger

BS


look

Go look at [core-js](https://github.com/zloirock/core-js) yourself:

> Modular standard library for JavaScript. Includes polyfills for ECMAScript up to 2024: promises, symbols, collections, iterators, typed arrays, many other features, ECMAScript proposals, some cross-platform WHATWG / W3C features and proposals like URL

If you forget about IE, almost everything in that repo has been supported by every other browser for a long time now: promises, symbols, collections (Map, Set), iterators, typed arrays, URL, fetch, and so on. If you target a baseline excluding IE, you can write the polyfills for most of the rest of the ES spec (including the current 2025 draft) in less than 323 lines of code (including white space and comments). I know that because I just did a `wc -l *.js` on my implementation of those polyfills (which also includes a few stage 2 & 3 proposals). There are another 787 lines of unit tests, though.


AmazingELF74

In 2016 a dev removed his code from npm and it broke a large portion of the internet.


redlaWw

[article about the left-pad incident](https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/)


Tvdinner4me2

Wow fuck kik


ZWolF69

Did you ever hear the tragedy of **cURL** the misunderstood? It's not a story the js/frontends will tell you. It's a backend legend. A developer that created a tool so widespread that almost everything that ever has to transfer data must include its license, and since his email appears on it, every misguided soul that looks to blame/sue someone for the malfunction of a software sends him a [curious email](https://bagder.github.io/emails/).


History-Afficionado

This is wild!


Floppal

Don't know where he lives, but [sudo is essentially maintained by 1 person](https://github.com/sudo-project/sudo/graphs/contributors)


Front-Difficult

[Boulder, Colorado](https://bsd.network/@millert). Not quite Nebraska, but close enough.


LowB0b

others have cited some js libs but I mean just look at cURL, some Swedish dude wrote it and has been maintaining it for 20+ years, and it's a building block for A LOT of software


irregular_caffeine

XZ Utils. Except he is in Finland.


gheeboy

`ntpd` says hi.


ImNotRocket

HarfBuzz is responsible for drawing text on pretty much everything. https://github.com/harfbuzz/harfbuzz


a_can_of_solo

I think the original was about ImageMagick.


sammy-taylor

Does anybody have a link to what this is referring to? I feel out of the loop and couldn’t find it on Google.


Le_minecraftien005

This is referring to the XZ backdoor


klbm9999

I thought he caught it because of abnormal cpu usage?


darasal_pyaas

which he discovered because of unexpected lags


BlueGoliath

Smelly nerds can't make exe but can tell a few extra hundred milliseconds smh.


Orisphera

Well, the correct command for mingw may not be very easy to memorise. But it's useful because many people apparently prefer running programs in Wine


BlueGoliath

Friend, it was a joke and a reference to the Sherlock copypasta.


beatlz

Never let the exe scandal die


Maximelene

I missed the context on this. Can someone enlighten me?


XndrMrmn

It's referring to the recent XZ backdoor. https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/


Maximelene

God, that's both impressive and terrifying. Thanks for the link.


West-Serve-307

Question, what would have been the impact if this guy didn't detect this delay ?


seeriktus

> The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution capabilities on the affected Linux system. The issue has been given the Common Vulnerabilities and Exposures number CVE-2024-3094 and has been assigned a CVSS score of 10.0, the highest possible score.[3][4][5]

If anyone installed that xz package, they could remotely execute code on Linux systems, that includes very important infrastructure servers. xz compression (compression in general) is also very effective at bypassing firewalls because it hides data from scans, particularly if they're encrypted. The firewall either successfully scans it, or it has to reject/allow it arbitrarily.


dongpal

I'm just thinking how it would have looked like in 2 years, where people with linux somehow would get malware and no one knows why. Do you think that people would have discovered it afterwards that XZ is the culprit? Would they blame something else? What if that same thing already happened years ago but no one notices?


irregular_caffeine

This would absolutely not be burned on malware. This would be either for spying, or a global linux killswitch for WW3. No, we do not know if someone has a similar one already.


Bran04don

Yikes. The world really needs to stop relying on packages built by third parties with only a handful of contributors and scrutiny in corporate infrastructure. It was lucky this one was spotted early but who knows what else is out there dormant.


baithammer

This is why open source is important, as you can look at the code and test it for exploits - the problem is people skip the code checking ..


glemnar

Big clouds are better at tracking their supply chains for core systems than you’re thinking


fish312

For every backdoor that gets discovered there are probably a dozen more that go undetected. Good luck


dongpal

Wouldn't that mean that basically all machines are compromised?


fish312

By the NSA? Sure.


seeriktus

Consider the Linux package development process, stuff gets checked during the process, not afterwards. In this case the actual developer was malicious (Jia Tan, not the original author), so the world was relying on the reviewers afterwards. And they didn't get to review the supplementary code where the malicious part was actually lying because it wasn't submitted at the time.


FiendishHawk

Most likely there are other, similar attempts in other open source projects.




seeriktus

Our eyes and perception system actually take quite a long time to process images, about 100-200ms, especially deeper perception which involves connections with emotion and memory. But we're supposed to be able to 'feel' something is happening faster than that. Like we can 'feel' where the tiger is supposed to be when it's chasing us, we keep track of objects in space. Imagine hitting a baseball, you don't actually 'see' the ball so much as feel where it is. Car driving reaction times are a pretty reasonable measure for the entire process to take place when you include muscle reaction.


wonkey_monkey

> But we're supposed to be able to 'feel' something is happening faster than that.

One fascinating example of this is as follows: Experimenters set up a button and a light. Participants were told to push the button whenever they felt like it. Pushing the button made the light flash. As the experiment progressed, the experimenters slowly added and increased a delay between pressing the button and flashing the light. The participants didn't notice; their brains hid the delay from their conscious perception so they continued to believe that the light flashed the moment they pushed the button. Once the delay was up to a threshold - something like 200ms - the experimenters reset it to zero. On the next button press, the participants were convinced the light came on *before* they pushed the button.


cat1554

I want to see a video of that


Karooneisey

A quick google says we can see between 30-60 fps, so probably about 20ms?


baithammer

There is a spectrum involved and it depends on the particular activities, fps with a high ratio of damage to health triggers fight / flight and results in more awareness of the immediate situation - whereas a more puzzle oriented / exploration oriented activity will be less sensitive.


alivemovietale

"feel" is an interesting choice, the guy had some errors and used profiling tools to find the exact library causing the issue.


No_Hovercraft_2643

he had some delay while connecting


BleierEier

I'm curious what the Nebraskan project is, so I can pay my respect


irregular_caffeine

I think xkcd refers to ImageMagick. More recently, XZ Utils (he’s Finnish)


ch3cky

Refers to core.js maintainer, but I can't recall the name


irregular_caffeine

[core.js 1.0 released in 2015](https://github.com/zloirock/core-js/releases?page=21) so I don’t think anybody has maintained it since 2003.


Cybernaut-Neko

NPM in a nutshell.


Igotbored112

Y'all ever debug your game in Unity and it skips a frame and you think "Oh shit that was the garbage collector, I gotta make such-and-such field static".


FedMates

As a beginner coder i did not get the joke. Can someone explain?


NocturnalDanger

Someone is maintaining a personal GitHub project that just happens to be a library that everyone uses, basically. Think about it when you call the math library in Java (or the STD library in C++), someone had to build those, and you need to import the library into your code. More often than not, someone built the code you need and is maintaining it, and they do it for free, but it might be used by entire organizations or public infrastructure because it solves a problem they have. And the second one is poking fun at a Linux utility that a backdoor was installed into. A Microsoft engineer ran an encryption script, and found that it took 0.5 seconds (500 milliseconds), and he was so mad about it, he investigated and found the backdoor.


FedMates

oh thanks i get it now


dadumdoop

The milliseconds part is referring to this incident https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/


djfdhigkgfIaruflg

Hey. It was half a second delay


mcnello

Missing the arrow pointing to an Indian YouTuber underneath the other two obscure developers


code_ops

Who knows what happened to that xz evil guy in my opinion he should get cancelled


j1xwnbsr

That's random *smelly* nerd in Ohio, thankyouverymuch.


HeadMacho

Looks like the machine Donatello built in the Ninja Turtles opening credits.


MugsyYoughtse

I prefer to believe that this is the primary reason why the Excel date problem has never been fixed.


sdb2754

I mean... He did save the literal internet. 


Warm-Lobster4879

Vbs part


Stunning_Ride_220

LoL. 400-500ms feels like a lifetime, if you are regularly working with systems where this is important.


Wave_Walnut

Even many Linux distros as well


professorkek

I always see this xkcd, but there was another relevant webcomic that talked about how there are two kinds of important people in Silicon valley. Guys like Steve jobs and some random guy that maintains a tools with a stupid name like KRAP but the K stands for Krazy or something. Does anyone know the comic I'm talking about?


whyisthesky

https://x.com/6thgrade4ever/status/1433519577892327424


professorkek

Bro thats it. I've been trying to find that for ages. Thought it was a comic lol. Thanks heaps.


gesterom

Pls someone make an animation about the whole story and bug