Postgres Manager @ Supabase, Complex systems science, Foresight practice, Research, Nix/Nixos, Elixir/BEAM, Julia, Clojure, Go, Postgresql, PostgREST, Scala

Joined February 2007
Pinned Tweet
7 Nov 2024
I'm now able To push those spirits outside My thought is free And forever lives in me Psychic transfer I've stolen their unique power Nothing can stop the evacuation Nothing can stop the psychic vacuum
Sam Rose retweeted
You can now send binary messages in @supabase This is a new feature in Realtime. JSON encoding adds significant overhead. Use binary whenever your data is numeric, high-frequency, or densely packed. eg: ◆ Sensor / telemetry streams ◆ Screenshot / presentation streaming
back into exploring @DeterminateSys nix for an interesting personal project
Started to explore using @DeterminateSys nix to build npm
Sam Rose retweeted
I bet @nu_shell would be phenomenal for agents
Looks amazing!
A new blog post before the weekend: testing pg_durable workflows (open-source extension by @Microsoft for #postgresql) dev.to/franckpachot/getting-…
Sam Rose retweeted
Replying to @supabase
Supabase Porsche
Sam Rose retweeted
Today we're also announcing @multigres v0.1 (alpha) Multigres is a scalable operating system for Postgres that provides high availability and operational simplicity. In a future release it will provide Vitess-grade horizontal scaling. supabase.com/blog/multigres-…
This has been a crazy and rewarding 2 years. Congrats to all @supabase employees, execs and thanks to our customers and users and community.
We've raised $500M at a $10B valuation supabase.com/blog/supabase-s…
Sam Rose retweeted
Elixir v1.20 released! Now officially a gradually typed language: Elixir type checks every single line of code, finding bugs and dead code, without developer overhead (no typing signatures) and extremely low false positives rate. Plus a faster compiler! Links and reports below.
Sam Rose retweeted
DuckDB Labs becomes DuckLabs. We ended up working on more than DuckDB, i.e., DuckLake and most recently, Quack. It was time to change the company name to reflect this. Nothing else changes – read our blog post for more details. ducklabs.com/news/2026/05/27…
Sam Rose retweeted
Instead of buying the source code of #babashka on the dark web later, you can sponsor the open source project today! #clojure
May 20
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
Sam Rose retweeted
"if you're using OSS code and you're not paying for a license with a contract that promises some kind of warranty, you have no supply chain." If you use Nix or NixOS, I can help you. (And we do a lot more than RedHat does)
Supply chain attacks and OSS sustainability go hand in hand. I've semi-seriously joked for years that OSS upstreams should periodically purposely inject full vulns into their code and let downstreams fuck around and find out. Downstreams can pay to get the non-FAFO version. The not joke part is simply that OSS maintainers aren't a supply chain. OSS maintainers are not responsible for monitoring CVEs (because, they are not a supply chain). OSS maintainers are not at fault when bad shit happens to downstreams, because basically every OSS license (MIT, Apache, GPL, etc.) literally says: the software is provided "as-is, without warranty." You get what you pay for (that is to say: absolutely nothing!) Now, the joke part is that I do believe there is an ethical obligation to try to prevent harm downstream. But "try" is the key word. So, this isn't a serious proposal. But, if you're using OSS code and you're not paying for a license with a contract that promises some kind of warranty, you have no supply chain. You (the downstream user of an OSS lib) ARE the supply chain. To use a metaphor: physical goods have a real supply chain. Car manufacturers, chips, clothes, toys, etc. You have a signed commercial agreement with all your suppliers that promises quantity AND quality and blowback if either are missed. That's a supply chain. If someone puts some chips on the side of the road with a "FREE" sign, then you integrate those into a product, then find out those chips are hacking customers, it's your fault, not the person who dropped them on the side of the road.
Sam Rose retweeted
Fork your dependencies, trim them to only your use case, never update unless it breaks for your users. I’ve been vocal about this for 10 years. I’ve always said that updating is way riskier than latent bugs (which can be tracked and CVEs monitored). If you are updating a dependency, it’s on you to analyze every single commit in the full transitive set of dependencies. If you don’t see anything compelling, don’t update! I remember at HashiCorp once in a while an engineer would try to update a dep or replace a DIY lib with an external one and I’d always ask “show me the commit we need.” Don’t update for the sake of it. Feeling pretty swell about this mentality with all the supply chain attacks happening.
i want people to listen very carefully: you are ALL already CEO of htmx The position is for life. It is also inherited by your offspring and/or pets. You may add this position and title to your LinkedIn Profile, because it is true.
Replying to @htmx_org @0xxxIaN0
can he give the job to someone else? I'd take over for a bit
Sam Rose retweeted
pgBackRest will continue! pgbackrest.org/news.html#wil…
Sam Rose retweeted
The whole Anthropic kerfuffle would have gone much smoother if they had been upfront about it. "Hey, we know this is unpopular, but we are moving programmatic access to API pricing. To ease the transition, we are giving API credits that match your subscription value. We also expect this change to increase capacity, so we are doubling the limits throughout Claude products for the next 2 months". The reason they made it sound like an upgrade was because the announcement was not for developers. It was for investors and enterprise customers. Impacting devrel is just collateral damage, which is on par for a company which believes coding is going away any time now. And this is extremely disappointing because they want to position themselves as a company that we should trust. But if they can't be honest about pricing changes, it is really hard to believe them on anything else.
Sam Rose retweeted
Excited to announce that we have aligned all stakeholders and hit 100k followers on LinkedIn.
We're about to hit 100k followers on LinkedIn Free pair of SupaSleeves from our CFO for whoever does it
Sam Rose retweeted
Have you seen all of the software supply chain security issues recently? I don’t think this is a spike that will die down. This is the new reality, and it points to a simple truth: teams need more control over what runs in production.