
"Just the requested fields" as requested by the client?

Because if so that is no security benefit at all, because I can just... request the fat fields.


I wanted to refute you but you're right. It's not a security benefit. With GQL the server is supposed to null out the fields that the user doesn't have access to, but that's not automagic or an inherent benefit to GQL. You have the same problem with normal REST. Or maybe less so because you just wouldn't design the response with those extra fields; you'd probably build a separate 'admin' or 'privileged' endpoint which is easier to lock down as a whole rather than individual fields.


I'll explain again, because this is not what I'm saying.

In many REST frameworks, while you define the return object type that is sent back over the wire, by default, if the actual object you return has additional fields on it (even if they are found nowhere in the return type spec), those fields will still get serialized back to the client. A common attack vector is to try to get an API endpoint to return an object with, for example, extra error data, which can be very helpful to the attacker (e.g. things like stack traces). I'd have to search for them, but some major breaches occurred this way. Yes, many REST frameworks allow you to specify things like validators (the original comment mentioned zod), but these validators are usually optional and not always directly tied to the tools used to define the return type schema in the first place.

So with GraphQL, I'm not talking about access controls on GraphQL-defined fields - that's another topic. But I'm saying that if your resolver method (accidentally or not) returns an object that either doesn't conform to the return type schema, or it has extra fields not defined in the schema (which is not uncommon), GraphQL guarantees those values won't be returned to the client.
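The contrast described above, as an added illustration that is not part of the thread (all names and the internal object are constructed): a REST-style handler that serializes whatever object the code returns, beside a GraphQL-style projection that emits only the fields declared in the output type.

```javascript
// Constructed internal result. The declared return type is {id, name, profile},
// but the object also carries a privilege flag and a (fabricated) stack trace.
const internalUser = {
  id: 42,
  name: "alice",
  isAdmin: true,
  debug: { stack: "Error: boom\n    at loadUser (users.js:17)" },
};

// REST default in many frameworks: serialize the object as-is, so every
// extra property reaches the client.
function restSerialize(obj) {
  return JSON.parse(JSON.stringify(obj));
}

// GraphQL-style output type: each field is either a scalar (true) or a nested
// type. A GraphQL executor walks the schema, not the object, so undeclared
// properties are dropped and declared-but-missing ones come back as null.
const userType = { id: true, name: true, profile: { bio: true } };

function projectToSchema(type, value) {
  if (value === null || value === undefined) return null;
  const out = {};
  for (const [field, sub] of Object.entries(type)) {
    const v = value[field];
    out[field] = sub === true ? (v === undefined ? null : v) : projectToSchema(sub, v);
  }
  return out;
}

// Helper for a test or CI check: list properties a handler returned that its
// declared type never mentions, so the leak is caught before it ships.
function undeclaredFields(type, value) {
  return Object.keys(value).filter((k) => !(k in type));
}

const restBody = restSerialize(internalUser);            // leaks isAdmin and debug.stack
const gqlBody = projectToSchema(userType, internalUser); // {id, name, profile: null}
```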


/model


If you pay for a Claude Max subscription it is the same price as previous models.


Same happened to me. You can clear it via the CLI, hilariously.

```
gh api notifications\?all=true | jq -r 'map(select(.unread) | .id)[]' | xargs -L1 sh -c 'gh api -X PATCH notifications/threads/$0'
```


HN doesn't support markdown, but you can "code" format it with 2+ spaces.

https://news.ycombinator.com/formatdoc


*according to your definition of open-source


No, according to the commonly accepted definition of open-source.

Whenever anybody tries to claim that a non-commercial license is open-source, it always gets complaints that it is not open-source. This particular word hasn’t been watered down by misuse like so many others.

There is no commonly-accepted definition of open-source that allows commercial restrictions. You do not get to make up your own meaning for words that differs from how other people use it. Open-source does not have commercial restrictions by definition.


Where are you getting this compendium of commonly-accepted definitions?

Looking up open-source in the dictionary does include definitions that would allow for commercial restrictions, depending on how you define "free" (a matter that is most certainly up for debate).


"Open-source" isn't a term that emerged organically from conversations between people. It is a term that was very deliberately coined for a specific purpose, defined into existence by an authority. It's a term of art, and its exact definition is available here: https://opensource.org/osd

The term "open-source" exists for the purposes of a particular movement. If you are "for" the misuse and abuse of the term, you not only aren't part of that movement, but you are ignorant about it and fail to understand it— which means you frankly have no place speaking about the meanings of its terminology.


yeahhhhhhh, that's not how this works.

Unless this authority has some ownership over the term and can prevent its misuse (e.g. with lawsuits or similar), it is not actually the authority of the term, and people will continue to use it how they see fit.

Indeed, I am not part of a movement (nor would I want to be) which focuses more on what words are used rather than what actions are taken.


> people will continue to use it how they see fit.

People can also say 2+2=5, and they're wrong. And people will continue to call them out on it. And we will keep doing so, because stopping lets people move the Overton window and try to get away with even more.


2+2 is a mathematical concept. Definitions do not need to be agreed upon beyond fundamental axioms.

The same is not true for "open source", which is a purely linguistic construct.


What the symbol "2" refers to is a matter of convention, just like with any ordinary word.


There's no authority that will punish you for misusing legal terms of art, or engineering terms of art— in everyday speech like this discussion— either. The vibe this gives is frankly "I just learned trademark exists and I think I'm very smart now".


> people will continue to use it how they see fit.

And whenever they do so, this pointless argument will happen. Again, and again, and again. Because that’s not what the word means and your desired redefinition has been consistently and continuously rejected over and over again for decades.

What do you gain from misusing this term? The only thing it does is make you look dishonest and start arguments.


Prescriptivists about language always lose in the end. That is the only point I am making. Words mean what people use them for, not what you want them to mean.

I am not misusing the term, but people are, according to your standards. And it is easy for them to do so, because "open source" was poorly named to begin with.


*according to the industry standard definition of Open Source

This kind of thing is how people try to shift the Overton window. No.




Is there some Open Source™ council I am unaware of that bequeaths the open source moniker on certain licenses?



So if I invent a new license and call it "open source", they will sue me, or...?


imo this is a hill people need to stop dying on. Open source means "I can see the source" to most of the world. Wishing it meant "very permissively licensed" to everyone is a lost cause.

And honestly it wasn't a good hill to begin with: if what you are talking about is the license, call it "open license". The source code is out in the open, so it is "open source". This is why the purists have lost ground to practical usage.


> imo this is a hill people need to stop dying on.

As someone who was born and raised on FOSS, and still mostly employed to work on FOSS, I disagree.

Open source is what it is today because it's built by people with a spine who stand tall for their ideals even if it means less money, less industry recognition, lots of unglorious work and lots of other negatives.

It's not purist to believe that what built open source so far should remain open source, and not wanting to dilute that ecosystem with things that aren't open source, yet call themselves open source.


> Open source is what it is today because it's built by people with a spine who stand tall for their ideals even if it means less money, less industry recognition, lots of unglorious work and lots of other negatives.

With all due respect, don't you see the irony in saying "people with a spine who stand tall for their ideals", and then arguing that attaching "restrictions" which only affect the richest megacorporations in the world somehow makes the license not permissive anymore?

What ideals are those exactly? So that megacorporations have the right to use the software without restrictions? And why should we care about that?


> What ideals are those exactly?

Anyone can use the code for whatever purpose they want, in any way they want. I've never been a "rich megacorporation", but I have gone from having zero money to having enough money, and I still think the very same thing about the code I myself release as I did from the beginning, it should be free to be used by anyone, for any purpose.


You should stand up for your ideals, but dying on the hill of what you call your ideals is actually getting in the way of that.

Because instead of making the point "this license isn't as permissive as it could/should be" (easy to understand), instead the point being made is "this isn't real open source", which comes across to most people as just some weird gate-keeping / No True Scotsman kinda thing.


"No True Scotsman" is specifically about changing the rules to exclude a new example you don't want to permit. The rules haven't changed, and the attempts to violate the requirements aren't new. Proprietary licenses continue to be proprietary. Open Source continues to not allow restrictions on commercial use.


no, “No True Scotsman” is just about people, not categories like open source


Good job missing the point.

Though given the stance you are taking in this conversation, I'm not surprised you want to quibble over that.

¯\_(ツ)_/¯


Ultimately you have to imbue words with meaning, otherwise it is impossible to have a discussion. What I said about No True Scotsman was false, I was just trying to prove a point.


What point were you proving?


And back in the day, people incorrectly called it "public domain". That was wrong too.

> if what you are talking about is the license, call it "open license".

If you want to build something proprietary, call it something else. "Open Source" is taken.


> Open source means "I can see the source" to most of the world

well we don't really want to open that can of worms though, do we?

I don't agree with ceding technical terms to the rest of the world. I'm increasingly told we need to stop calling cancer detection AI "AI" or "ML" because it is not the 'bad AI' and confuses people.

I guess I'm okay with being intransigent.


If you are happy that time is being spent quibbling over definitions instead of actually focusing on the ideal, I'm not sure you care about the ideals as much as you say you do.

Who gives a shit what we call "cancer AI", what matters is the result.


I don't think you get access to source in this case. The release is a binary blob.


Is it? The actual SOTA are not amazing at coding, so at least for me there is absolutely no reason to optimize on price at the moment. If I am going to use an LLM for coding it makes little sense to settle for a worse coder.


I dunno. Even pretty weak models can be decently performant, and 9/10 the performance for 1/10 the price means 10x the output, and for a lot of stuff that quality difference doesn't really matter. Considering even SOTA models are trash, slightly worse doesn't really make that much difference.


> SOTA models are "trash"

> this model is worse (but cheaper)

> use it to output 10x the amount of trashier trash

You've lost me.


Fair. Mostly the argument is, if all you need is to iterate on output to refine it, you get 10x the iterations, while lesser quality, it's still an aspect to consider. But yes, why bother eine coding when they do make so many mistakes.


What's wrong with Chase?


Bonkers fraud checks that flagged my ISP charges every month for several months in a row. And some other stuff I don't remember, but I'll continue to hold the grudge anyway because there's 9 other top 10 national banks. Or at least 8, cause I'm not using Wells Fargo either (they dinged me a phone teller fee when I called in to let them know I was fixing an overdraft) ... Wells Fargo doesn't do a lot of attractive credit card offers though, so that's less of a hardship than ignoring Chase.


They're not free because they consume your time, which is valuable.


Yes, but only if you would spend that time on something that is more valuable (according to your happiness+ heuristic).


Right, but I think that was the author's point: many of these activities are seen by their participants as "productive", rather than just "this makes me happy". That was a specific point of the post.


The article explained it fairly well. Re-iterating the credit card churning example: people will spend a lot of time optimizing their credit card spend, to end up with maybe a few hundred dollars in savings per year. Working 10 hours of overtime a year nets more and takes less time/mental capacity, for example. But it is fine to do this anyway if you let go of the "I'm saving money" schtick and just embrace that you like maximizing points on spend.

