> We don't need to submit a history of our social media accounts before crossing a border
Americans don't have to do that when crossing between states either. Are you saying that Americans' social media histories aren't considered when they wish to travel to Europe?
Curl had a prominent bug bounty programme, has 180k lines of prod code, and is mainly a client app/lib. I would look at other projects before making judgements about mythos on this one.
Don't you want to test mythos against state of the art projects? They are the best chance of making visible what mythos uniquely brings to the table.
We already know that mythos will be branded catnip for sub-SOTA projects. They could have build SOTA secure software development practices last week, last month or last year. But didn't care. What will their experience with mythos tell us other than AI hype can create corporate will to take security seriously?
> Although the council had planned to implement Oracle "out-of-the-box," it created several customizations including a banking reconciliation system that failed to function properly. The council struggled to understand its cash position and was unable to produce auditable accounts. It has spent more than £5 million on manual workaround labor.
Not a great example of a single centralised system. The errors came from trying to write custom reconciliation code between two systems, the ERP and the bank - perfect example of the problems OP raises.
Fair point but AWS is also highly extensible, and i'm not sure about Palantir but i guess it must be too to a point? Maybe it's a classic case of good abstractions vs bad ones
No I mean like, centralization is unfortunately the thing that just works.
I work at a company that thinks extremely deeply about interoperability issues and everybody is on the opposite side: it can be said that we were made as a response to xkcd 927, to try and solve the issue.
I think the company is right in that semantic decentralization with interoperability would be a good end goal, but I think just plain darwinism explains the necessity of the opposite.
I'll add this: Containers aren't as strong of a security boundary as VMs however this means that a successful attack now requires infection of the container AND a concurrent container-escape vulnerability. That's a really high bar, someone would need to burn a 0-day on that.
The bar right now is really, really low - blocking post-install scripts seems to be treated as "good enough" by most. Using a container-based sandbox is going to be infinitely better than not using one at all, and container-based solutions have a much easier time integrating with other tools and IDEs which is important for adoption. The usability and resource consumption trade-off that comes with VMs is pretty bad.
Just don't commit any mortal sins of container misconfigurations - don't mount the Docker socket inside the container (tempting when you're trying to build container images inside a container!), don't use --privileged, don't mount any host paths other than the project folder.
I don't think it's crazy to imagine a misconfigured production environment. I always see these same examples of how "containers aren't really secure" and they're very amateur sins to commit though, as you mention.
AFAIK a comprehensive SELinux policy (like Red Hat ships) set to enforce will also prevent quite a few file accesses or modifications from escapes.
Confusingly, Docker now has a product called "Docker Sandboxes" [1] which claims to use "microVMs" for sandboxing (separate VM per "agent"), so it's unclear to me if those rely on the same trust boundaries that traditional docker containers do (namespaces, seccomp, capabilities, etc), or if they expect the VM to be the trust boundary.
"Yes, Kimi K2.5 is an open source AI model. Developers and researchers can explore its architecture, build new solutions, and experiment openly. Model weights and code are publicly available on Hugging Face and the official GitHub repository."
Our only modification part is that, if the Software (or any derivative works
thereof) is used for any of your commercial products or services that have
more than 100 million monthly active users, or more than 20 million US dollars
(or equivalent in other currencies) in monthly revenue, you shall prominently
display "Kimi K2.5" on the user interface of such product or service.
Correct. (and I know you already know this but just for the record: (Nearly?) Everybody abuses the term "open source" when it comes to models. OSI have a post about it: https://opensource.org/ai/open-weights
Although it is not OSI approved, the license theoretically didn't add any more restrictions beyond attribution, which stays in line with The Open Source Definition.
Correct again -- CC- applies to data, not code -- weights are data, open weights suggests a creative commons approach …
“
CC-BY 4.0
Creative Commons Attribution 4.0 International
This license requires that reusers give credit to the creator. It allows reusers to distribute, remix, adapt, and build upon the material in any medium or format, even for commercial purposes.
BY
Credit must be given to you, the creator.
”
it's annoying the open source term is being cargo-culted around and I hate to say it but that ship looks like it has sailed.
funny that free software people were infuriated by the open source term and now the open source term is being completely misused in another context
Their definition matters more than most, I mean, anyone can define anything however they like. Hell, Windows is open-source, because I said so.
Also, even if it were not for the OSI, this still wouldn't be open source. Because there's no source code available. It's open-weight, which is a different thing. The models weights are, essentially, the "compiled" output. The input and algorithms, we don't know.
Cursor have said they are using Composer through their inference provider (Fireworks). Presumably the MIT is not viral like the GPL, so Cursor, and companies that use Cursor do not need to display Kimi attribution on their products.
It's definitely not what Kimi wanted, but it sounds like this is what is written.
Many EU countries' current obsession with E2EE and age verification is fucked, but we are still (thankfully) a way from the state of the States.
- We don't need to submit a history of our social media accounts before crossing a border
- (Most) of our libraries aren't having to make joint statements about free speech (https://www.orbiscascade.org/free-speech-statement/)
- And regarding free press - https://www.wfae.org/2026-01-20/stars-and-stripes-top-editor...