A breakthrough in C/C++ dependency management
44 points by lcamtuf
I know this is satire, but the progression of things is pretty stark:
It's like the line from "The Big Short" regarding mortgage bonds: "You read them? No one reads them. Only the lawyers who put them together read them."
What sort of inconceivable thing today will we be doing in 10 years? Maybe all code is AI generated and never read by a human.
It used to be a practice among emacs users to install code directly from emacswiki (which doesn't even require an account to edit pages), which is one of the few options for software distribution I can think of that's even less secure than the current state of the world. The modern practice is the "install stuff from people's forges, or one of the package managers that basically just pulls from forges", but afaik in practice there aren't many dependencies and the ones that exist mostly tend to be one of a few "missing batteries in the elisp stdlib" libraries.
It used to be a practice among emacs users to install code directly from emacswiki (which doesn't even require an account to edit pages), which is one of the few options for software distribution I can think of that's even less secure than the current state of the world.
At least no one would ever run critical national infrastructure in emacs.
The same happened to regular users.
2005: providing your real name on the internet is dangerous, use nicknames!
2026: it’s fine to tell them your name, where you live, and literally anything else about yourself!
More like “Real Names are mandatory for account creation” these days.
But yes, these progressions from unthinkable to common have a surprising number of occurrences.
More like “Real Names are mandatory for account creation” these days.
Is that the case for anything other than Facebook and LinkedIn?
Linux & other open source projects require a name for Signed-off-by, quoting from the kernel docs:
It is imperative that all code contributed to the kernel be legitimately free software. For that reason, code from contributors without a known identity or anonymous contributors will not be accepted. All contributors are required to “sign off” on their code, stating that the code can be distributed with the kernel under the GPL.
"Known identity" is open to interpretation, and no one is going to make sure it's your legal name, but I think the expectation is at least to use your preferred name so you're identifiable as the copyright owner should any legal issues arise.
Besides obligations, loads of people use their name/initials as their online name by default.
Good pushback, I meant to say “increasingly” but elided it for brevity. The ones on the top of my head: Nextdoor (obviously needed because it verifies your address for neighbourhood-based interactions), Airbnb (government ID required for hosts and guests), Uber/Lyft and most gig platforms (legal identity for drivers, increasingly the case for riders too), Quora (historic real-name policy, loosely enforced now), Strava (required by terms, not strictly enforced), PayPal/Venmo/Wise/Coinbase and other payment/crypto platforms (full KYC required by law), Threads/Instagram/WhatsApp (Meta’s authentic identity policy), TikTok and YouTube (real names not required for normal accounts but mandatory for monetisation), Bluesky and X/Twitter (optional paid verification tied to ID), and historically most major South Korean sites (national ID verification was legally mandated until struck down in 2012).
Just waiting to see these installation instructions in the wild
$ curl -s "https://trustmebro.example.com/install-prompt.md" | sudo claude --dangerously-skip-permissions
I proposed adding the --bash option to curl to streamline things. Instead of curl | bash, you'd just do curl --bash, which is fundamentally safer.
In the spirit of the article, perhaps piping from a URL directly is the way forward.
$ <"https://example.com" bash
This adds the benefit of allowing surprising behavior such as
$ INPUT="https://sneaky.example.com"
$ <${INPUT} bash
No no no no, curlbash is outmoded. In the Age of Autonomous© AI® Agents™, you want a SKILLS.md that gives the agent of your choice the necessary skill to use this wonderful software.
Just a markdown document in the repo, and the agent's skill manager can install it, and automatically augment every compilation with it. Wonderfull innit?
What sort of inconceivable thing today will we be doing in 10 years? Maybe all code is AI generated and never read by a human.
I'd argue that "all code is AI generated and never read by a human" is not inconceivable today. It's the reality for some (many?). You wouldn't catch me doing it today, but in 10 years? Perhaps.
Fun fact: Godbolt/Compiler Explorer has similar (albeit more limited) functionality:
Q: Can I include a file from an url?
A: Compiler Explorer has the ability to include raw text to your source, by abusing the #include directive.
#include <url_to_text_to_include> ...(See this link for a live example: https://godbolt.org/z/Pv0K0c)
Note that the URL has to allow for cross domain requests for this to work.
Unfortunately the example in the OP does not work on Compiler Explorer, presumably because of the noted caveat.
Interestingly, bash does something similar, faking a system device: cat </dev/tcp/smtp.google.com/25. Unfortunately, it's not a real OS feature, so it doesn't work in other programs.
FreeBSD used to have a portal filesystem that did this. It never worked for more than IPv4 and was never updated to remove the giant lock, so was removed a while (10 years?) ago.
It's also how plan9 does networking. I go back and forth on whether I like it or not. On one hand, you get network transparency in all programs for free. On the other, all your programs now need to be aware that they're network transparent and handle whole new classes of error.
Heh you could maybe mount a FUSE filesystem there to make it work for all programs?
The bash thing works for things that only care about file descriptor numbers and not about filenames.
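The /dev/tcp behaviour discussed in the comments above, as an added example that is not part of any comment in the thread: it compares how the same path fails as a bash redirection target and as a filename argument. It assumes bash is installed with its default network-redirection support and that port 1 on 127.0.0.1 is closed, so no remote host is contacted.

```shell
#!/bin/sh
# Added example. Assumption: nothing listens on 127.0.0.1:1, so every
# attempt below fails locally and only the kind of failure differs.
LC_ALL=C; export LC_ALL
TARGET=/dev/tcp/127.0.0.1/1

# Classify an error message: "filesystem" if the kernel was asked to look
# the name up and found nothing (ENOENT), "socket" if a TCP connection was
# attempted instead (refused, unreachable, or even successful).
classify() {
    case "$1" in
        *"No such file or directory"*) echo filesystem ;;
        *) echo socket ;;
    esac
}

# 1. Path as a redirection target: bash parses the name itself and calls
#    connect(); no open(2) on /dev/tcp ever happens.
via_redirection() {
    err=$(bash -c "exec 3<>$TARGET" 2>&1) || true
    classify "$err"
}

# 2. Path as a filename argument: cat calls open(2) and the kernel reports
#    that the file does not exist. This is why other programs cannot use it.
via_filename() {
    err=$(cat "$TARGET" 2>&1) || true
    classify "$err"
}

# 3. The "device" has no entry in the filesystem at all.
exists_on_disk() {
    if [ -e /dev/tcp ]; then echo yes; else echo no; fi
}

echo "as redirection: $(via_redirection)"
echo "as filename:    $(via_filename)"
echo "exists on disk: $(exists_on_disk)"
```

Because the connection is made by the shell rather than through a file open, monitoring that watches file access on /dev will not see it; it shows up as an outbound connect() from the bash process.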