You keep repeating that he makes his project worse – an active action – while in fact he did not do anything at all, he just refused to change something.
I think the distinction here is they want an app that never NEEDS to be updated, not one that never DOES get updates (which is fair – I'm happy if things just work and are not changed every 2 weeks).
For a security app, it's pretty rational to need to be updated. One of the most common patterns in basically every technological attack is to take a freshly discovered vulnerability and target devices that haven't been updated yet.
It sounds good in theory but Signal updates are beyond excessive, sometimes multiple times a day but almost certainly every few days.
Most of the time there is zero explanation for the update. They are just training their users to auto-accept updates with no thought about why, which in itself is a security risk.
If Signal really is pushing these updates for "security" then it must be one of the most insecure apps ever built. I legitimately can't think of another app or program that updates more frequently... Maybe youtube-dl?
> It sounds good in theory but Signal updates are beyond excessive
Those are two different arguments.
Updating too frequently is not equivalent to "doesn't need to be updated." I can agree that they update a bit too frequently but that's nowhere near the argument about never updating.
A program cannot be secure if it does not update. Full stop.
> Most of the time there is zero explanation for the update
There's always a changelog.
If you, unlike most people, are interested, it is all open source.
That requires the programmer to be omniscient and clairvoyant.
You can get pretty close if you're in a static environment like a machine that never connects to the internet and the hardware never changes and no other software on the machine changes, but neither a phone nor a communication platform allows for that.
I searched so long for a single screenshot, looking at the app stores (in my browser) and GitHub with no success.
It really is weird not to show a single screenshot when the 4th listed feature is design ("Material You | Extra theme that follows your device palette").
My job requires the whole modern pipeline with Vue front ends, Quarkus services and k8s deployments and it's suitable for what we do in our teams.
But I have dozens of websites I built and am still building today in the way described and it works just as well for me. As a single developer with "simple" websites it's just great to have so little mental load when fixing some small things.
Admittedly I have a small script to upload stuff via ftp (if ssh/rsync is not available), so no FileZilla anymore :)
I, too, settled on a minimalist process for deploying my blog: just build it with Hugo, copy the files over to a cheap server, and there you go, deployed. It's the right tool for the job (for me).
I thought about that process, too, but it’s more convenient to skip the whole “lots of commits” and GHA loop.
At the moment I’m still mainly fixing and customizing the theme, but I expect that once I actually start blogging instead of fixing the theme and learning Hugo, GitHub actions would make sense again.
> I, too, settled on a minimalist process for deploying my blog, just build it with Hugo, copy the files over to a cheap server, and there you go, deployed.
Meh. That's over-engineered[1] /s :-)
--------------------
[1] I have a bash script that produces the site from markdown snippets, commits it to a repo and the VPS pulls master periodically.
It seems plausible that an agentic AI will notice that it's running in a Docker container while debugging some unexpected issues in its task and then try to break out (only with good "intentions" of course, but screwing things up in the process).
Claude or Gemini CLI absolutely will try crazy things after enough cycles of failed attempts at fixing some issues.
They absolutely will, but a non-root user inside docker so far, even when asked, did not result in any damage outside the docker container. With root it managed to break things, but as user it did not find a way. When I asked it to try more 'fishy' things, codes + claude code both refused; after prompting some more ('but we are testing a security tool', etc.), it just tried very meek things that did not manage to do anything.
It's a fair concern, and I understand where you are coming from. What I can say is that it's not our first rodeo incorporating another OSS product in our family. I tried to summarize it in the post:
> "This proven playbook is the same one that we applied when joining forces with PeerDB to provide our ClickPipes CDC capabilities, and HyperDX, which became the UX of our observability product, ClickStack."
If you research both instances above, the result is that these projects got more traction and adoption overall.
I hope this helps! And thank you for using LibreChat.