
Not necessarily; I would very much like to use those features on a Linux server. Currently the Anthropic implementation forces a desktop (or worse, a laptop) to be turned on instead of working headless as far as I understand it.

I’ll give clappie a go, love the theme for the landing page!


I disagree. I think a sharp drop in memory requirements of at least an order of magnitude will cause demand to adjust accordingly.

Department of Transportation always thinks adding more lanes will reduce traffic.

It doesn't, it induces demand. Why? Because there's always too many people with cars who will fill those lanes.


Citation needed. I've heard this quite often, but so far, I haven't seen proof of the stated causality.

PS: This doesn't mean that better public transportation could deliver more bang for the buck than the n-th additional car lane. But never ever have I heard from anybody that they chose to buy a car or use an existing car more often because an additional lane has been built.


Have you tried the "Reference" section on the Wikipedia article?

https://en.wikipedia.org/wiki/Induced_demand#cite_note-vande...


You've never heard anyone choose to take side streets instead of the highway because of traffic jams? No one ever goes out of their way to avoid heavily trafficked areas?

I don't understand what the point is you're trying to make. When people at t0 take detours because of traffic jams on the direct route, and then at t1 there are fewer traffic jams on the direct route due to additional lanes, so they decide to take the direct route, then total traffic is down, because they no longer take a detour. Even if they are still part of a newly induced traffic jam.

> Rent a VPS in another country and set up your own personal VPN server on it, and no one will be able to block you.

(machine translation)

How would this ever work with a whitelist? Did you even read the post?


How did PYPI_PUBLISH lead to a full GH account takeover?

I'd imagine the attacker published a new compromised version of their package, which the author eventually downloaded, which pwned everything else.

Their Personal Access Token must’ve been pwned too, not sure through what mechanism though

They have written about it on GitHub in reply to my question:

Trivy hacked (https://www.aquasec.com/blog/trivy-supply-chain-attack-what-...) -> all CircleCI credentials leaked -> included PyPI publish token + GitHub PAT -> | WE DISCOVER ISSUE | -> PyPI token deleted, GitHub PAT deleted + account removed from org access, Trivy pinned to last known safe version (v0.69.3)

What we're doing now:

    Block all releases, until we have completed our scans
    Working with Google's mandiant.security team to understand scope of impact
    Reviewing / rotating any leaked credentials
https://github.com/BerriAI/litellm/issues/24518#issuecomment...

69.3 isn't safe. The safe thing to do is remove all Trivy access, or, failing that, version 0.35 is the last and AFAIK only safe version.

https://socket.dev/blog/trivy-under-attack-again-github-acti...


I have sent your message to the developer on GitHub and they have changed the version to 0.35.0, so thanks.

https://github.com/BerriAI/litellm/issues/24518#issuecomment...


Does that explain how circleci was publishing commits and closing issues?

Don't hold your breath for an answer.

>I am unable to understand how it compromised your account itself from the exploit at Trivy being used in CI/CD as well.

Token in CI could've been way too broad.


>1. Looks like this originated from the Trivy used in our CI/CD

Were you not aware of this in the short time frame in which it happened? How come credentials were not rotated to mitigate the Trivy compromise?


The latest Trivy attack was announced just yesterday. If you go out to dinner or take a night off, it's totally plausible to have not seen it.

AFAIK the Trivy attack was first in the news on March 19th for the GitHub Actions, and for the Docker images it was on March 23rd.



Probably more "serious human" than "serious over-capitalist" or "seriously overworked". Good for them.

Bifrost is the only real alternative I'm aware of https://github.com/maximhq/bifrost

Virtual Keys is an Enterprise feature. I am not going to pay for something like this in order to provide my family access to all my models. I can do without cost control (although it would be nice), but I need users to be able to generate a key and use this key to access all the models I provide.

I just deployed it to test it out and this is FALSE. I was able to create Virtual Keys on the free version with no issues.

Please do a double take on the facts, you might falsely deter people.


I don’t believe it is an enterprise feature. I did some testing on Bifrost just last month on a free open source instance and was able to set up virtual keys.

We have tried reaching out to their sales multiple times but never get a response.

First line of defense is the git host and artifact host scraping the malware clean (in this case GitHub and PyPI).

Domains might get added to a list for things like 1.1.1.2, but as you can imagine that has much smaller coverage; not everyone uses something like this in their DNS infra.


This threat actor is also using Internet Computer Protocol (ICP) "Canisters" to deliver payloads. I'm not too familiar with the project, but I'm not sure blocking domains in DNS would help there.

There’s a NixOS MCP, it’s pretty good

Same. I have a full homelab and multiple Macs; can't say I've written a line of real Nix code by hand.

If you’re itching to try Nix, now is the time.


Same.

Can't imagine going back to the status quo where my system is the accumulation of terminal commands over time instead of a config file.


Not to mention the non-idempotent python + bash + ssh hell of Ansible, or awful DSLs such as Salt, Puppet, Chef, etc.
