makes sense, thanks for helping to clarify my thinking on this!

If I'm understanding correctly, you're saying "pick the right tool for the job" - baseline analysis starts with premise that thing (pandemic/earthquake) was an isolated, one-off event that *should* be ignored. If you believe otherwise (my question), you should pick a different tool for the analysis?

What's currently thought to be "abnormal" might just be the start of a more variable period, etc?

not a stats expert, but genuinely interested:

Future pandemics may have similar impacts, so wouldn't the right approach be simply including the "abnormal" years?

The result being more variable is a true reflection of the world! If you massage the inputs, how do you defend the conclusions?

between this and nanochat, I'm very tempted to just bunk off work for the rest of the year and dive in....

stupid responsibilities!

I look forward to the post I assume this is leading to for further enlightenment - I've been long puzzled by how seemingly simple/small the code around the giant pile of weights seems to be in practice, these sorts of insights are awesome.

huh, this (cache value, being a pure functional mapping from the input prompt) is a TIL moment for me...

I naively assumed that the point of prompt caching was about restoring internal state of the model...!

In hindsight that assumption seems obviously dumb, given the sizes involved!

Thanks :)

But IMO just as easy to put the server in a secured room with badge access logs, etc, and/or a locked rack in the corner of the office vs under a desk.

I don't think a compromised dev machine is comparable - they should *never* have secrets directly exposed them (vs CI/CD which requires them)...

Yes, SOC2 in my experience is mostly validating that you have a set of policies and controls in place, that you assert are suitable for your business (vs a very low-bar baseline) and that you actually follow them.

So if you want to declare this not a risk, your auditor will probably accept it.

I'd be more worried about the security/supply chain risks:

Assumption: You sell a product to/maintain OSS used by someone important that attacker X wants to compromise.

Threat model: X breaks into your office, compromises your under-desk CI server with subtle malware that backdoors your builds.

Under-desk (vs on-prem server room) also raises physical security questions (e.g. evil maid/cleaner attack) that I would find harder to justify SOC2/ISO controls against.

A CI server is riskier than a dev desktop - it deploys directly to prod, while desktop actions are gated through a review step.

I'd look at it less from a reliability perspective and more from maintenance and security.

Under-desk might be fine if it's well-managed (updated, monitored, etc) but "spare box" has connotations that point away from that...

Is the under-desk runner in your MDM/inventory and regularly updated?

watching with interesting, and intruiged by the idea, but timezones are challenging...

If/when you have an iteration of this that works for UTC+12/UTC+13 (NZ) I would be interested.

added to my queue, but do you know why the transistor share page doesn't link to Spotify?

I had to spend an extra minute manually searching for it in Spotify...

I'm guessing #835 having just done all 3...

I got it 3rd, but purely by guessing/segmenting the 8 remaining words into which 4 seemed most likely to match some weird american grouping - a tactic I have to use frequently!

is "today" for you #834, #835 or #836 ?

Timezones make this hard :)

Yes!

I think this is the next natural opportunity for oncall-optimizer.com to expand into....

noun verb

how/where do you review Claude Code's output without an editor?