Software developer at a big library, cyclist, photographer, hiker, reader. Email: chris@improbable.org
25610 stories
·
228 followers

Behind the Scenes at a Secretive Gathering of Rising MAGA Donors - The New York Times

1 Share

What to Do Before the Trump Administration Takes Office in January | Teen Vogue

2 Shares

Nearly four years after he left office amid a violent burst, Donald Trump has been reelected and will become the next president of the United States. For many marginalized people, a second Trump administration, which begins in January, is a looming threat. During Trump's first stint in office, we watched as he rolled back LGBTQ+ protections, put Supreme Court justices in place who removed the federal right to abortion (which has resulted in deaths), enacted a “Muslim ban” that resulted in Islamophobic violence, and much more.

During Trump's campaign for a second term, he promised similarly draconian measures. He plans to deport millions of people starting on his first day in office, end gender-affirming care for trans youth, deeply change federal oversight agencies like the FDA, and much more.

With the past and his promises for the future in mind, people are preparing for Trump's second term, attempting to guard themselves against a potential erosion of rights. Here's what people are doing, and steps you might consider taking if it feels helpful:

Get a passport

If you don't have a passport, get one; if yours is expiring, renew it now. This step is less about the ability to travel (though that's also handy) than it is about having accurate identification and avoiding hassles that may arise come January. For trans or nonbinary people, getting a passport that reflects your gender is particularly crucial. Trump has signaled that his administration will not be particularly friendly to trans people, so many are updating their identity documents now, in case the new Trump administration eliminates that option.

Update all of your identifying documents

Don't stop at your passport. Journalist Erin Reed advises trans people to update all documents with their accurate gender marker now, including state IDs and your social security gender marker. Having these documents can reduce the risk of violence for trans people and allows them access to public spaces that require identification. How and to what extent you can change your gender marker on documents varies by state; see a map of state laws here.

Beyond making sure your documents accurately reflect your identity, it's a good idea to make sure your documents are also up to date and in good standing. For non-citizen immigrants, that might mean renewing your DACA status, particularly if it expires in the next year.

Get birth control

Trump has denied that he would sign a national abortion ban, but many experts fear his administration may effectively ban abortion in other ways. And Trump has flip-flopped on his stance toward birth control access, saying he's open to restricting it before walking his statements back. With all that in mind, people are searching for information on emergency contraceptives, getting an IUD, and taking other measures to ensure they have access to birth control for the next four years.

Depending on what kind of IUD you get, they can last as many as eight years, making them a safe and effective long-term birth control option. People have indicated on social media that they're also stockpiling the morning after pill, but it's worth noting that this option is not foolproof and can carry some risks. According to Planned Parenthood, levonorgestrel pills like Plan B that are available over the counter reduce the chance of pregnancy by 75 to 89% if taken within three days after unprotected sex. Also, these kinds of pills may not work if you weigh more than 165 pounds. The morning after pill Ella can work for people who weigh up to 195 pounds, but you need a prescription to access it. Click here for a Planned Parenthood guide to help you figure out what kind of morning after pill is best for you.

Talk to your doctor

Before anti-vaxxer Robert F. Kennedy Jr. is allowed to “go wild on health,” it's a good time to go see your care providers for checkups or outstanding medical needs. According to the Washington Post, Kennedy is “poised to have significant control over health and food safety” in the Trump administration, and is being considered to lead the Department of Health and Human Services, according to CBS News (though he may face challenges in Congressional approval).

It's not clear what influence Kennedy will have and how he will use it, but Kennedy has a long history of spreading anti-vaccine misinformation, and he and Trump have made conflicting statements about their stance on vaccine availability and approval. He's also indicated that he would clear out “entire departments” at agencies like the FDA, according to NBC News. While Kennedy has said he won't take vaccines away, Project 2025 calls for the end of vaccine recommendations from the CDC, and the Washington Post reported that Kennedy could influence how vaccines are approved and who is recommended to receive them.

But if you're one of the millions of Americans who are insured under the Affordable Care Act via American Rescue Act subsidies, none of that matters. According to NBC News, an estimated four million people will lose access to health insurance if Trump doesn't renew the act, which he's reportedly signaled he won't. Whether you stand to lose your insurance or not, it may be a good idea to talk to your doctor about your health care needs before another Trump presidency takes effect. While you're at it, consider brushing up on how to protect your privacy when seeking health care, particularly abortion.

Build community

In the face of any challenge, community is crucial. This will be particularly true in the coming years when resources like health care access may change or we experience an erosion of rights. If you don't have a robust community right now, don't worry — it's totally possible to build one. You can seek friends in third spaces, where you can foster social connections just for support and good vibes; you can find like-minded online communities; you can tap into mutual aid efforts; join volunteer efforts in your town or city, where you can meet others and help your community members. Building community doesn't mean you need to have a million friends you talk to every day, it simply means you know where to turn when you need to — whether that's a crisis hotline or the Ravelry message boards.

Brush up on your media literacy

Trump's first presidency delivered us a fractured relationship with the truth, offering space for conspiracy theories and mis- and disinformation to take hold. Ahead of his second stint in office, some have said misinformation handed Trump the presidency, and predicted that our access to reliable, evidence-based information will erode further over the next four years — particularly on social media platforms like X. That means it's more important than ever to be a savvy, discerning media consumer. Organizations like the News Literacy Project and Media Literacy Now offer resources that you can use to arm yourself against misinformation.

Do not panic

Given Trump's promises to make his next term more extreme than his last, it's easy to freak out and feel powerless. We have two months before Trump takes office, though, so rather than panic, now is the time to prepare. Take a deep breath, allow yourself to process your feelings, then get to work.


Being blind in a war zone - by Mariana Lastovyria

1 Share

Editor’s Note: The U.S. embassy in Kyiv suddenly closed today due to what it said was "specific information" of a significant Russian air attack. 

This is unprecedented in the full-scale invasion, so has raised significant alarm bells for us. We are sheltering in our office as we publish today’s issue. 

Help us confront the risks: Support our reporting by upgrading your subscription or hitting the tip jar. 

The darkness frightened me at first. 

I even thought I could see something in it, as my brain struggled to accept that there was a complete void. My imagination began to create outlines of objects: the walls, and the size of the room itself. 

This went on until the first touch made me realize that my brain had been deceiving me — I truly couldn’t see anything.

Walking around in total darkness in a museum designed to help you experience the lives of blind people, I confronted this blankness for only an hour and a half. But thousands of people in Ukraine live by touch for many years.

According to various estimates, there are currently between 70,000 and 300,000 people with serious visual impairments in Ukraine. With the outbreak of war, this number will only increase as Ukrainians face the constant threat of death or disability from landmines and missile strikes. But nobody has compiled these statistics yet.

Struggling to find shelter or respond to air raid alerts, people with blindness are at greater risk of falling victim to Russian attacks. But those with visual impairments are only a minority of the people with disabilities whose day-to-day struggles have been heightened by Russia’s ongoing invasion. By learning about their challenges, we also learn about the kind of society Ukraine is – and what sort of society its most vulnerable want it to become.

Despite the increasing number of people with blindness in Ukraine, the country has yet to fully adapt to this growing need. 

There is currently no systematic governmental support for people with visual impairments in Ukraine. In particular, there are no state-run rehabilitation centers that provide services specifically for individuals who have lost their sight.

The situation used to be better, as the state used to support a voluntary organization, the All-Ukrainian Society of People with Blindness. The organization provides social support and has established libraries, sports clubs, and cultural centers for those with blindness. It also assists people with visual impairments in finding employment. However, after the outbreak of full-scale aggression by Russia, state aid to the organization ceased completely.

Paid subscribers get to finish the story, past the paywall. Consistent, high-quality journalism takes resources! If you’re not already a paid subscriber, upgrade now to read on!


Security means securing people where they are

1 Share

Standard disclaimer: These are my personal opinions, not the opinions of my employer, PyPI, or any open source projects I participate in (either for funsies or because I’m paid to). In particular, nothing I write below can be interpreted to imply (or imply the negation of) similar opinions by any of the above, except where explicitly stated.

TL;DR: If you don’t bother to read the rest of the post, here is the gloss: being serious about security at scale means meeting users where they are. In practice, this means deciding how to divide a limited pool of engineering resources such that the largest demographic of users benefits from a security initiative. This results in a fundamental bias towards institutional and pre-existing services, since the average user belongs to these institutional services and does not personally particularly care about security. Participants in open source can and should work to counteract this institutional bias, but doing so as a matter of ideological purity undermines our shared security interests.

I was sniped into writing (read: encouraged to write) this by Seth Larson, following voluminous public discourse about PEP 740 and its recently announced implementation on PyPI.

Many people were concerned about decisions that went into the implementation of PEP 740 on PyPI, and expressed these concerns in a wide variety of ways. A sampling of shpilkes, from “eminently reasonable” to “unhinged”:

  • PyPI’s sourcing of attestations from large IdPs like GitHub will result in unfair social pressure on projects that do everything right but on their own infrastructure, which includes major OSS projects that run their own Jenkins, private CI/CD, &c.
  • PyPI’s decision to enable GitHub-based attestations before others is effectively a form of vendor bias, and encourages the OSS community to deepen its dependency on GitHub.
    • A sub-variant of this criticism is “intentional,” i.e. “attestations are intended to cause lock-in” versus “double-effect,” i.e. “there’s a risk of vendor dependence, but the goal itself is building out a new security feature for the ecosystem.”

      The former is in effect a way of accusing the people who did this work of having evil motives, while the latter is a reasonable expression that the feature didn’t sufficiently consider vendor dependency.

  • Attestations are just plain bad™ and PyPI should go back to (weakly) tolerating long-lived PGP signing keys since, despite all evidence to the contrary, people swear that these signatures are being verified and form a security boundary somewhere.
  • PyPI has been captured by the Micro$oft/NSA/Unit 8200 and has developed attestations to complete this year’s $SINISTER_PLOT_TO_BACKDOOR_AND_OR_DESTROY_OPEN_SOURCE.

These concerns range from containing reasonable (and concerning!) inferences to being nakedly factually incorrect. In the interest of establishing a factual baseline, here’s my list of priors:

  1. Trusted Publishing is not limited to GitHub. A persistent form of misinformation around PyPI’s support for attestations stems from misinformation about Trusted Publishing, as the layer beneath it.

    When Trusted Publishing was first released on PyPI, it only supported GitHub. Other providers (GitLab, Google Cloud, ActiveState) came a few months later, and are now fully supported as Trusted Publishing providers.

    The reason for this approach (GitHub first, then others) had nothing to do with a sinister Microsoft plot (as was insinuated then), but instead came from the exact same reasoning that will be elaborated in this post: the largest demographic that stood to immediately benefit from Trusted Publishing’s usability and security benefits was on GitHub, so they were targeted first.

  2. Trusted Publishing and PEP 740 are built on open standards. More precisely, both are built on top of OpenID Connect, which allows independent services to federate with each other via claims that are signed with public-key cryptography.

    This underlying technical choice is what made onboarding GitLab, &c., relatively easy: there was no vendor or otherwise closed dependency that needed to be removed or replaced. This remains true to this day.

  3. Adding a new Trusted Publisher and/or attestation source is not hard, but also not trivial. Adding a new Trusted Publishing provider is not as trivial as adding a well-known OIDC discovery URL to PyPI’s codebase: each new provider needs to be reviewed for claim contents, to ensure that the provider’s principals can be distinguished from each other in a way that PyPI can model.

    In other words: it would be catastrophic for PyPI to support an OIDC IdP that can’t distinguish between its users, or permitted claim malleability such that users could impersonate each other.

    Ensuring that each accepted IdP meets these conditions requires a nontrivial time commitment that gets balanced against the expected real-world usage of a given IdP: an IdP with one-to-few users is not worth the tradeoff in review time.

  4. Not everything makes sense as a Trusted Publisher/attestation provider. As a corollary to the point above: it doesn’t make sense (for either PyPI, or individual project maintainers) to attempt to do all package uploading via Trusted Publishing. OIDC fundamentally benefits from scale, and it doesn’t make sense (in terms of operational complexity and diminished rewards) for every individual maintainer to run their own OIDC IdP.

  5. Neither Trusted Publishing nor PEP 740 increases trust in an already-used CI/CD provider. This one can be a little unintuitive, but it follows from existing workflows: if you were already using GitHub/GitLab/&c. to publish with a plain old API token, then you were already trusting your CI/CD provider to securely store that credential (and only use it when you want it used).

    In a broader sense, Trusted Publishing and PEP 740 reduce unnecessary trust in the CI/CD provider, since they force the provider to make a publicly auditable and verifiable claim in order to receive a temporary API token.
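Points 3 and 5 above describe the per-provider claim review an index has to do: the provider's claims must identify exactly one principal, and the publisher only receives a short-lived token after presenting a verifiable claim. The following is an added example, not Warehouse/PyPI code, of what that matching step looks like for a GitHub-style token. The claim names are the ones GitHub Actions emits in its OIDC tokens; which of them PyPI actually compares, the issuer and audience strings, and the shape of the registered publisher record are assumptions here, and signature verification of the token is assumed to have already happened before this step.

```python
"""Matching an OIDC identity token's claims to a registered Trusted Publisher.

Added illustration, not Warehouse/PyPI code. The claim names follow the ones
GitHub Actions places in its OIDC tokens (iss, aud, repository,
repository_owner_id, job_workflow_ref); which of them PyPI compares, and the
issuer/audience values, are assumptions. The token signature is assumed to be
verified already: this is the claim-review step, where the question is whether
the claims pin down one principal unambiguously.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed issuer and audience for the GitHub provider.
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "pypi"

# Claims the provider must always emit. A missing claim is a rejection, never a
# wildcard: a provider whose tokens can omit a distinguishing claim is malleable.
REQUIRED_CLAIMS = ("iss", "aud", "repository", "repository_owner_id", "job_workflow_ref")


@dataclass(frozen=True)
class TrustedPublisher:
    """What a maintainer registered on the index side (constructed shape)."""
    repository_owner_id: str   # stable numeric id: survives renames and account deletion
    repository: str            # "owner/name": human-readable, but reusable after deletion
    workflow_filename: str     # e.g. "release.yml"


def match_publisher(claims: dict, publisher: TrustedPublisher) -> tuple[bool, str]:
    """Return (accepted, reason); each failing check names the claim at fault."""
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        return False, f"missing required claims: {missing}"
    if claims["iss"] != EXPECTED_ISSUER:
        return False, "issuer mismatch"
    if claims["aud"] != EXPECTED_AUDIENCE:
        return False, "audience mismatch"
    # The stable identifier is checked before the name: an account re-registered
    # under the same name but with a new id must not inherit the old publisher's rights.
    if str(claims["repository_owner_id"]) != publisher.repository_owner_id:
        return False, "repository_owner_id mismatch"
    if claims["repository"].lower() != publisher.repository.lower():
        return False, "repository mismatch"
    # job_workflow_ref looks like "owner/name/.github/workflows/<file>@refs/heads/main";
    # pinning the path before '@' rejects a different workflow in the same repository.
    expected_prefix = f"{publisher.repository}/.github/workflows/{publisher.workflow_filename}@"
    if not claims["job_workflow_ref"].lower().startswith(expected_prefix.lower()):
        return False, "job_workflow_ref mismatch"
    return True, "ok"


# Constructed sample data: one registered publisher and three candidate claim sets.
PUBLISHER = TrustedPublisher(
    repository_owner_id="12345",
    repository="example-org/example-pkg",
    workflow_filename="release.yml",
)
GOOD_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": EXPECTED_AUDIENCE,
    "repository": "example-org/example-pkg",
    "repository_owner_id": "12345",
    "job_workflow_ref": "example-org/example-pkg/.github/workflows/release.yml@refs/tags/v1.0",
}
# Same names, different owner id: the original account was deleted and re-registered.
SQUATTED_CLAIMS = dict(GOOD_CLAIMS, repository_owner_id="99999")
# A provider that does not emit the distinguishing claim cannot be modelled at all.
MALLEABLE_CLAIMS = {k: v for k, v in GOOD_CLAIMS.items() if k != "job_workflow_ref"}

if __name__ == "__main__":
    for name, claims in [("good", GOOD_CLAIMS), ("squatted", SQUATTED_CLAIMS), ("malleable", MALLEABLE_CLAIMS)]:
        print(name, match_publisher(claims, PUBLISHER))
```

The ordering matters: the stable id is compared before the human-readable name, because names are the part an attacker can re-acquire. This is also why onboarding a new provider takes review time rather than just a discovery URL: someone has to establish which of its claims play the `repository_owner_id` role and whether they can ever be absent.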

This is the baseline, as I see it. Now let’s talk a bit about why PyPI’s initial attestations rollout focused on GitHub (like what happened with Trusted Publishing), and why it was (1) not a conspiracy, and (2) the strategic thing to do. I’ll then end with some thoughts on how we can better address the unfair social pressure case.

You can’t force people to care about security

And they shouldn’t have to care. This is the hard truth beneath everything else: most open source maintainers are not security experts (they’re experts in other things, like the projects they maintain), and they don’t want to become security experts. Security is a hump that people get over while attempting to achieve their actual goals.

At the same time, expectations change over time: MFA was a relative rarity a decade ago, and is now mandatory across a wide swath of popular OSS-adjacent services (or mandatory for demographic subsets, such as “critical” package maintainers on NPM and RubyGems).

This sets up a fundamental tension: most maintainers want to just keep doing whatever has always worked, while security is a moving target that sometimes requires universal change.

There aren’t many ways to eliminate this tension, but there are (at least) two ways to ameliorate it:

  1. Make security features into usability features. This was one of the core objectives behind Trusted Publishing’s design: users found the experience of context-switching between PyPI and their CI/CD frustrating, so we found a way to eliminate those context switches while improving the security of the credentials involved.
  2. Delegate some (if not all) responsibility for security to services. The reasoning behind this is intuitive: big services have both the staff and the financial incentive to maintain a strong default security posture, as well as keep up with the latest changes in baseline security expectations. This, too, has a usability angle: it’s just plain easier to maintain a project when an external service hums along and provides source control, CI/CD, release management, &c. for you.

For the Python ecosystem, in 2024, that service is overwhelmingly GitHub.

GitHub is the current watering hole

The history of open source on the public internet has long favored a small and stable (but not static), group of watering holes at which the overwhelming majority of projects concentrate.

Past watering holes include SourceForge and Google Code, along with specialized project hosts like Savannah.

Today, that watering hole is GitHub. Using last week’s pypi-data dump:

sqlite> SELECT COUNT(DISTINCT package_name) FROM package_urls WHERE public_suffix = 'github.com';
378613
sqlite> SELECT COUNT(DISTINCT package_name) FROM package_urls;
447148
sqlite> SELECT COUNT(*) FROM packages;
566404

Of the 447,148 packages that have URLs, a full 378,613 list github.com in their metadata. That’s 84.7% of all projects that list URLs in their metadata.

By contrast, here are the next 10 most popular hosts:

sqlite> SELECT public_suffix, COUNT(DISTINCT package_name) AS cnt FROM package_urls GROUP BY public_suffix ORDER BY cnt DESC LIMIT 11;
github.com|378613
gitlab.com|8923
python.org|6012
bitbucket.org|5177
pythonhosted.org|3588
pypi.org|3325
saythanks.io|3247
gitee.com|1375
ya.ru|1274
google.com|1208
headfirstlabs.com|1047

The drop-off is stark: GitLab is #2, but with only 1.99% of all projects.
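The percentages quoted here come from dividing each host's distinct-package count by the number of distinct packages that list any URL. As an added example, not part of the post or of the pypi-data tooling, here is that computation run with Python's sqlite3 module over a small constructed package_urls table with the same two columns the post queries; the rows are invented. It also shows the DISTINCT subtlety in the post's queries: a package listing two URLs on one host counts once for that host, while a package listing two hosts counts under both, so shares need not sum to 100%.

```python
"""Host concentration of project URLs, computed the way the post's sqlite session does.

Added example; the column names package_name and public_suffix come from the
post, the rows are constructed and the helper functions are not pypi-data's.
"""
import sqlite3

# Constructed rows: (package_name, public_suffix). pkg-a lists two github URLs
# (counted once via DISTINCT); pkg-c lists both github and gitlab (counted under both).
SAMPLE_URLS = [
    ("pkg-a", "github.com"), ("pkg-a", "github.com"),
    ("pkg-b", "github.com"),
    ("pkg-c", "github.com"), ("pkg-c", "gitlab.com"),
    ("pkg-d", "gitlab.com"),
    ("pkg-e", "bitbucket.org"),
]


def load(rows):
    """Build an in-memory package_urls table from (package_name, public_suffix) rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE package_urls (package_name TEXT, public_suffix TEXT)")
    conn.executemany("INSERT INTO package_urls VALUES (?, ?)", rows)
    return conn


def host_shares(conn, limit=11):
    """Return [(host, distinct_packages, percent_of_url_bearing_packages)], most popular first.

    The two queries are the ones from the post; the denominator is the number of
    distinct packages with at least one URL, not the total package count.
    """
    total = conn.execute("SELECT COUNT(DISTINCT package_name) FROM package_urls").fetchone()[0]
    rows = conn.execute(
        "SELECT public_suffix, COUNT(DISTINCT package_name) AS cnt "
        "FROM package_urls GROUP BY public_suffix ORDER BY cnt DESC LIMIT ?",
        (limit,),
    ).fetchall()
    return [(host, cnt, round(100.0 * cnt / total, 2)) for host, cnt in rows]


if __name__ == "__main__":
    for host, cnt, pct in host_shares(load(SAMPLE_URLS)):
        print(f"{host}|{cnt}|{pct}%")
```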

This tells an important baseline story: if PyPI builds a security feature that needs to interoperate with source forges or CI/CD providers, then the overwhelming majority of its packages can be best served by starting with GitHub.

That doesn’t mean that PyPI should stop with just GitHub, or GitHub plus GitLab, or anything else of the sort. It just tells us where the starting point should be.

This finally gets us to the point of this post:

  1. Most maintainers (reasonably!) don’t especially care about security and, as a corollary, have selected infrastructure and services that compartmentalize most of the boring, operational aspects of open source security (like maintaining a set of trusted committers and a secure CI/CD);
  2. GitHub is overwhelmingly the target of that selection process.

The conclusion: if a new feature needs to interact with services outside of PyPI itself, then the purely practical course to take is to start with the services that will yield the most immediate benefit to the Python community.

Does PyPI have a responsibility to (try and) move the watering hole?

A recurring strain of thought in conversations around PEP 740 (and centralized infrastructure more generally) is whether the ethics of open source impute a similar ethic of independence and decentralization.

Or in other words: does PyPI (or OSS more generally) have a responsibility to try and avoid corporate-associated integrations?

I would argue no: PyPI’s primary responsibility is to the community that uses it, both upstream and downstream, and that community is best served by using open standards to interoperate with the services the community overwhelmingly uses.

This does not however imply that PyPI should ignore smaller opportunities for integration, such as adding Trusted Publishing providers for independent GitLab hosts with large user bases, or Codeberg instances, or anything else.

On the contrary: I would like to see PyPI integrate more of these as Trusted Publishing providers, provided that the usage statistics and operational complexity for each actually benefit the community as a whole. Enrolling a few thousand projects on a single self-hosted forge would be great; having to review dozens of forges with under a dozen users would not be. I would like to see a similar thing occur for attestations.

In sum: PyPI shouldn’t (and doesn’t) pick winners, but it should (and does) pick battles to fight and the order in which it fights them.

Social pressure

There’s a flip side to all of this: despite effusive attempts to emphasize that attestations are not a “trusted bit” and that consumers shouldn’t treat them as a signal of package quality or security, we are almost certainly going to see people (and companies) do exactly that.

In practice, that means that maintainers who do everything right but not in a way that’s currently legible to the attestations feature are going to receive annoying emails, issues, &c. asking them why they’re “less secure” than other packages.

In the medium term, I think the way to address this is to:

  1. Support email identities for attestations, since PyPI already has a notion of “verified” email to cross-check attestations against.
  2. Continue to widen the number of Trusted Publishing providers and enable attestation support for each, within reason.

Those two, combined, should address the overwhelming majority of the remainder: people who can’t (or simply don’t want to) use Trusted Publishing, and those who do but can’t yet. I’ll be working on those.

Discussions: Mastodon Reddit Bluesky


Saturday Morning Breakfast Cereal - Climate

2 Shares



Hovertext:
We had a thing with A City on Mars where a lot of people couldn't disagree without assuming Secret Motives.



What if My Tribe Is Wrong?

1 Share

I wrote in the past about how I'm a pessimist that strives for positive outcomes. One of the things that I gradually learned is wishing others to succeed. That is something that took me a long time to learn. I did not see the value in being positive towards other people's success, but there is. It is one thing to be sceptical of a project or initiative, but you can still encourage the other person and wish them well.

I think not wishing others well is a coping mechanism of sorts. For sure it was for me. As you become more successful in life, it becomes easier to be supportive, because you have established yourself in one way or another and you feel more secure about yourself.

That said, there is something I continue to struggle with, and that are morals. What if the thing the other person is doing seems morally wrong to me? I believe that much of this struggle stems from the fear of feeling complicit in another's choices. Supporting someone — even passively — can feel like tacit approval, and that can be unsettling. Perhaps encouragement doesn't need to imply agreement. Another angle to consider is that my discomfort may actually stem from my own insecurities and doubts. When someone's path contradicts my values, it can make me question my own choices. This reaction often makes it hard to wish them well, even when deep down I want to.

What if my tribe is just wrong on something? I grew up with the idea of “never again”. Anything that remotely looks like fascism really triggers me. There is a well known propaganda film from the US Army called “Don't Be a Sucker” which warns Americans about the dangers of prejudice, discrimination, and fascist rhetoric. I watched this a few times over the years and it still makes me wonder how people can fall for that kind of rhetoric.

But is it really all that hard? Isn't that happening today again? I have a very hard time supporting what Trump or Musk are standing for or people that align with them. Trump's rhetoric and plans are counter to everything I stand for and they remind me a lot of that film. It's even harder for me with Musk. His morals are completely off, he seems to be a person I would not want to be friends with, yet he's successful and he's pushing humanity forward.

It's challenging to reconcile my strong opposition to their (and others') rhetoric and policies with the need to maintain a nuanced view of them. Neither are “literal Hitler”. Equating them with the most extreme historical figures oversimplifies the situation and shuts down productive conversation.

Particularly watching comedy shows reducing Trump to a caricature feels wrong to me. Plenty of his supporters have genuine concerns. I find it very hard to engage with these complexities and it's deeply uncomfortable and quite frankly exhausting.

Life becomes simpler when you just pick a side, but it will strip away the deeper understanding and nuance I want to hold onto. I don’t want to fall into the trap of justifying or defending behaviors I fundamentally disagree with, nor do I want to completely shut out the perspectives of those who support him. This means accepting that people I engage with might see things very differently, and that maintaining those relationships and wishing them well requires a level of tolerance I'm not sure I possess yet.

The reason it's particularly hard for me is that even if I accept that my tribe may be wrong in parts, I can see the effects that Trump and others already had on individuals. Think of the Muslim travel ban which kept families apart for years, his border family separation policy, the attempted repeal of Section 230. Some of it was not him, but people he aligned with. Things like the overturning of Roe v. Wade and the effects it had on women, the book bans in Florida, etc. Yes, not quite Hitler, but still deeply problematic for personal freedoms. So I can't ignore the harm that some of these policies have caused in the past and even if I take the most favorable view of him, I have that track record to hold against him.

In the end where does that leave me? Listening, understanding, and standing firm in my values. But not kissing the ring. And probably coping by writing more.
