Hacker News: Gipetto's comments

Seconded.

Between Pixelmator and Affinity Designer I've officially kicked Adobe to the curb.


This reminds me of my pre-press days where we had a binder full of font sample printouts. Customers would pore over that for hours...


Nothing you do, aside maybe from putting it behind a login, will prevent your content from being ripped off. It's just a sad part of what we have to live with.


> Victims of human trafficking for sexual and labour purposes also find themselves at additional risk.

No, it's there...


Git aliases to the rescue:

    [alias]
    # Opens the "new pull request" page for the current branch (macOS `open`); the sed
    # rewrites the scp-style origin push URL git@host:owner/repo.git into https://host/owner/repo
    pr = !open "$(git remote -v | grep origin | grep push | cut -f 2 | cut -d " " -f 1 | sed -e "s|git@\(.*\):\(.*\).git|https://\1/\2|")/pull/new/$(git rev-parse --abbrev-ref HEAD)"
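The same remote-to-browser-URL rewrite as a POSIX shell function, as an added example and not the commenter's alias: it handles the scp-style remote from the alias plus https:// and ssh:// forms, and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example (not the commenter's alias). Converts a git remote URL into the
# web URL the alias builds. Function names are hypothetical.
remote_to_web_url() {
  url=$1
  case "$url" in
    git@*:*)                 # scp-style: git@host:owner/repo.git
      host=${url#git@}; host=${host%%:*}
      path=${url#*:} ;;
    ssh://*)                 # ssh://git@host/owner/repo.git
      rest=${url#ssh://}; rest=${rest#*@}
      host=${rest%%/*}; path=${rest#*/} ;;
    https://*)               # https://host/owner/repo.git
      rest=${url#https://}
      host=${rest%%/*}; path=${rest#*/} ;;
    *) return 1 ;;           # unrecognised remote form
  esac
  path=${path%.git}          # drop the trailing .git, if present
  printf 'https://%s/%s\n' "$host" "$path"
}

# Build the "new pull request" URL for a branch (GitHub layout, as in the alias).
new_pr_url() {
  base=$(remote_to_web_url "$1") || return 1
  printf '%s/pull/new/%s\n' "$base" "$2"
}

# Inside a repository the call would be:
#   new_pr_url "$(git remote get-url --push origin)" "$(git rev-parse --abbrev-ref HEAD)"
```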


So, does this mean that users hand over permissions to a 3rd party to index internal company systems? So you could read a Confluence instance, or some other kind of wiki, and be a vector for data/security leaks?

Seems like there should be a "talk to your security team" disclaimer... people get fired for granting access like that.


We don't take security lightly, but we don't do a good job articulating how we safeguard things in the product. We'll fix this - thanks for pushing on it.

There are details throughout this post, but I will summarize our high-level approach.

* When we request permissions, we request a minimal set. For example, you can connect Drive with just meta-data access and our access will be scoped accordingly.

* Everything is encrypted. Importantly, it's also encrypted in the data store itself. If our DB were compromised, the entries would not be readable (ECIES, Secp256k1, AES256+CTR). The only exception is the reverse index.

* The operations that involve encryption / decryption of encrypted content live in an isolated layer.

* Token storage follows a similar methodology

* We get a pentest and security reviews quarterly

* We also have strict company policies around IT and infrastructure access

That said, we aren't ever at a terminal point in our security story.

Our experience has been that security-conscious companies simply turn off the ability to connect third-party applications.


How do you guys afford quarterly pen-tests as a start-up?


We are lucky to be a funded company with 5 people and a couple of years of runway.

A pen test costs half the monthly salary of an engineer, so it’s an easy investment to rationalize on a quarterly basis.


Not always. The probability of me getting photo verification is inversely proportional to the value of the package.

My $2 item that shipped by itself? Photo. $1300 worth of PC build? No photo, no doorbell, nothing...


Thank you. This industry has a huge failure mode in touting tech used in projects/frameworks without linking out to at least the source so that someone can learn about them. Can't tell you how many things I've bailed on because it was a pile of obscure library references that weren't (to me) worth looking up.


Indeed, there is a skill when doing technical writing of putting yourself in the position of a reader, particularly one who is competent but who doesn't already know the thing that you are trying to explain, or the context. It's not as common as it should be.


To be fair, in this case the linked page is a subdirectory of the main Puppeteer project.


This is also an experimental project. Who here thoroughly documents their experiments? Although, to be fair, we did announce it at I/O, so that calls for more documentation.

Disclosure: Chrome DevTools docs guy


Maybe you are confusing this with RSS?


The solution here is clearly to write a new language named "do".

