Hacker News: AgentK20's comments

“concerns about confidentiality or respect for the persons family” Sooo clearly you didn’t even click the link, given this is a post BY the family to raise awareness of scummy corporate behavior. While discussing mental health and self harm can be distressing, this post seems totally in-line with other HN discussions calling out malicious corporate behavior?


Uh.....what planes are you on where you, the passenger, can simply "pull down the oxygen mask"? Also, wouldn't the P95 only help with particulates (e.g. soot), but not with the actual toxic fumes?


OP has no idea what he's talking about. Passenger masks are for depressurisation events and oxygen supplies last 15 minutes - enough time for the pilots to descend. Pilots have a separate longer-lasting oxygen supply. In many (most older?) planes, a single passenger activating their mask will activate the chemical-based oxygen supply that feeds all passenger masks.


> but not with the actual toxic fumes?

3M 8577 has a bonus carbon layer for this purpose. Its protection is not complete, but can limit the damage. You should also carry spares in case the carbon layer is exhausted.


How will you know that you should change mask?


The mask itself starts to smell. You will start sneezing and also dripping from the nose, but this will stop if you remove or replace the mask.

Also, you start to smell the diesel fumes. The more you wear a clean mask, the more sensitive your nose becomes to mild fumes.


Oh, very cool. TIL. Thanks!


Really that's the problem - Anticheat. Sure, at this point most games work on Linux. The problem is, most people don't play most games. Most people play a handful of games, and where the players go, the cheaters follow. In response, the game studios deploy more and more aggressive anticheat measures, ultimately breaking the tiny minority of people who would've otherwise been able to play the game on Linux/Proton.

Take a look at https://areweanticheatyet.com at some of the biggest games on the planet, and how most of them don't support Linux or Proton.


CVE 10.0 is bonkers for a project this widely used


The packages affected, like [1], literally say:

> Experimental React Flight bindings for DOM using Webpack.

> Use it at your own risk.

311,955 weekly downloads though :-|

[1]: https://www.npmjs.com/package/react-server-dom-webpack


That number is misleadingly low, because it doesn't include Next.js which bundles the dependency. Almost all usage in the wild will be Next.js, plus a few using the experimental React Router support.


As far as I'm aware, transitive dependencies are counted in this number. So when you npm install next.js, the download count for everything in its dependency tree gets incremented.

Beyond that, I think there is good reason to believe that the number is inflated due to automated downloads from things like CI pipelines, where hundreds or thousands of downloads might only represent a single instance in the wild.


It's not a transitive dependency, it's just literally bundled into nextjs, I'm guessing to avoid issues with fragile builds.


Why is it not normal for CI pipelines to cache these things? It's a huge waste of compute and network.


It's certainly not uncommon to cache deps in CI. But at least at some point CircleCI was so slow at saving+restoring cache that it was actually faster to just download all the deps. Generally speaking for small/medium projects installing all deps is very fast and bandwidth is basically free, so it's natural many projects don't cache any of it.


These often do get cached at CDNs inside of the consuming data centers. Even the ISP will cache these kinds of things too.


The subjects of these types of posts should report the CVSS severity as 10.0 so the PR speak can't simply deflect to what needs to be done.


Unfortunately, CVSS scores are gamified hard. Companies pay more money in bug bounty programs, so there's an incentive for bug bounty hunters to talk up the impact of their discovery. Especially the CVSS v3 calculation can produce some unexpected super high or super low scores.

While scores are a good way to bring this stuff to people's attention, I wouldn't use them to enforce business processes. There's a good chance your code isn't even affected by this CVE even if your security scanners all go full red alert on this bug.


It’s possible to create a scoring system based on actual root cause analysis and impact scores.

Surprised there isn’t more talk about a solution like this or something and more downplaying CVSS.

Downplaying CVSS alone can smell a little like PR talk even however unintentional.


A CVSS score of 10.0 may be warranted in this case, but so many other CVSS scores are wildly inflated, that the scores don't mean a lot.


Regardless it can still provide some context and adjustment vs none.

The above could be seen as spin too, how could CVSS be more accurate so you’d feel better?


React is widely used, react server components not so much.


Next.js is still pretty damn widely used.


And here we see a system that was already stretched to the breaking point BEFORE the shutdown, put under an incredible strain and failing. A more robust system can handle sudden shocks, but when you’ve spent years whittling away at it there’s no slack.


Still seeing issues on the OAuth flow despite "a fix [having] been implemented". Looks like whatever happened probably trashed the session database since it's forcing Claude Code to re-auth.


The market can stay irrational longer than you can stay solvent.


I don’t think most people are arguing against the concept, or even implementation, of the system as developed. Obviously it’s both a publicity stunt and beta test as they learn how to build and operate a tunnel system like this. The concern is that much of the environmental harm that’s being done (according to the EPA) is repetitive, and that The Boring Company (TBC) actively pledged to hire an environmental inspector three years ago and is now being fined for having not done so. Given that, who knows how many violations that don’t leave a permanent mark are going unnoticed.

Do you think that they are going to ignore environmental laws for JUST this project, or do you think that is their modus operandi? I’d be happy to have a tunnel system installed near my home, even if there’s temporary disruption during the construction process. What I wouldn’t tolerate is active, and unmonitored (by TBC’s insistence on “self-monitoring”), pollution occurring near my home. Fines only cover so much, and un-polluting something after the fact costs far more than the fines that are being levied and, when it comes to pollutants that harm humans (like improper disposal of chemicals from digging, as they have been fined for), you can’t just “undo” the human harm with a fine.


What I think is that environmental review rules are so convoluted that almost any project you would investigate breaks plenty of them. I also don't trust the definition of "environmental" when it comes to environmental regulations. When you hear "environmental" you think dumping toxic chemicals, but in reality environmental reviews have components like a building casting a shadow on a playground for 1 hour a day. And on top of that I don't trust journalists for counts of number of violations. In this case they get to 800 by counting one real violation 700 times:

> The letter also accuses the company of failing to hire an independent environmental manager to regularly inspect its construction sites. State regulators counted 689 missed inspections.


> as they learn how to build and operate a tunnel system like this.

Yes, why do they even do that? Not that there are never any improvements, but this is pretty much a solved problem. They have a stupid amount of NIH syndrome, but apply that to the physical world and that always results in fatalities.


There were tens of thousands of riders _when you were there?_ Or there were tens of thousands of riders over the lifetime of the system?

Most videos I've seen recently show a system that, while functional, typically only has a handful of vehicles running simultaneously, each with carrying capacity for one party of up to 3 people.


When I was there. During SEMA, the world's biggest automotive show.


It’s not that it lowers the maximum voltage that the charge controller/inverter can handle. It’s actually that the panels become MORE efficient in the cold temperatures, resulting in a (potentially unconsidered by end-user) increase in voltage, overwhelming the downstream BoS components.

