
IMO bad take.

You can theoretically do most things AWS does most of the time, yet people pay premium for it and keep paying for it, even though alternatives are cheaper, simpler and more performant.

I'd bet you that after 20 years OpenAI and Anthropic would still be around and kicking.

You might have a subpar product (for the price) but the reputation and history is what makes people open their wallets.


> I'd bet you that after 20 years OpenAI and Anthropic would still be around and kicking.

Depends. The bigger the bubble, the bigger the pop.

Only a few unicorns from the dot-com bust came out the other side (Amazon, Google, ... anyone else?), and that was a piddling affair compared to this one.


Yahoo is still around and kicking. Even Lycos' corpse is still warm.

> You can theoretically do most things AWS does most of the time, yet people pay premium for it and keep paying for it, even though alternatives are cheaper, simpler and more performant

It's going to be debated forever whether wiring your own open source tech has a lower development cost than the equivalent AWS bill. For me, that's too broad a statement, as I have seen it go both ways. What is true: There is only some knowledge overlap between maintaining an AWS stack and having your own Prometheus logged, ceph backed set of boxes.

That is not the case with LLMs. At least, not right now. They roughly work the same and are easy to pick up. They are about as straightforward of an interface as it gets, and using them in "advanced" ways could be summarized on an index card. They are relatively fungible.

I don't see a world where OpenAI runs on brand recognition alone. It needs to be more convenient to run than local LLMs. They've done that by buying so much of the world's hardware that it becomes more expensive to run these things locally.


Do you hold any amount of power in the world? A project that people care about, or a deliverable that someone depends on?

Just curious how you can afford to care about the guy 7 levels above the men that built and support the API that you buy.


Some people care about things beyond their own immediate self interest.

Some don't, and find it hard to believe others really do.


It’s also a weird argument. You can only spend your money once, and the affected employees also chose to work for a bell-end like Altman (or Zuck, or Musk)

What is this, Sam's alt account?

People can spend money how they wish. SamA is a prick, so I don’t buy from his company. I don’t buy from Microsoft or Oracle either. Giving a company your money is explicitly supporting them and everything they do. Are you going to force me to buy products from people I don’t agree with?


Being a "prick" is completely inconsequential compared to the massive harm that Anthropic's views could create.

Such as them genuinely believing they are the only ones who should control AI. What could possibly go wrong?


I think it's about whether you trust someone or not. I don't really find Altman trustable. No one should have sole control over AI, but we need to have some trust in the people that are operating it.

If enough 'small' senior developers, project managers, product owners, and internal IT people take a small stand against OpenAI products, that can still sum up to a notable impact.

why would you spend even a fraction of a second defending him

GPT 5.5 feels worse than 5.4 for the last few weeks. Again N=1, but would be interested to see how opus 4.8 and gpt 5.4 match

You know what that means... 5.6 is dropping soon

And I think that's amazing. I'd like to keep using the subsidized coding tools, especially Codex, since I've given up on Claude. Hopefully the PMF allows the subsidy to continue. Would hate to have to move to the next coding harness again.

I wonder if the Xenonite is a high-entropy alloy :-)

In the book Grace says that it's a mess of proteins and molecules that he gives up on trying to understand

People refer to stuff like proteins as “biologics” and to things we synthesize traditionally as “small molecules” so it does make sense

>mess of proteins and molecules

Because proteins famously aren't molecules.


This is a legitimate, understandable way to discuss a mixture of abstract and specific things. This is a novel we are referring to, here. The intended audience is very, very broad.

> Because proteins famously aren't molecules.

Tertiary and quaternary protein structures are much more complex than molecules and have emergent properties.


be nice

Simplest explanation I could come up with: Just for hype and fun.

Rewriting things in rust is "cool". Bun did it, other projects did it. Therefore, writing a coding agent in one should be cool too.

And apparently enough HN crowd agrees with it to take the #1 spot on the board.


For the most part, doing things right in the given language matters more than change of language. A lot of refactors in Rust (in the coding agent space) I see jump straight to Rust without considering what inefficiencies can be addressed before changing the language.

Having said that, I considered a Go/Rust rewrite of Dirac (https://github.com/dirac-run/dirac) for some modules to support cases when someone wants to run like 30 agents, but it quickly became obvious that, a) while the node event loop is a bottleneck, it is not the sole bottleneck and b) if you have a VSCode extension, you can't totally get rid of TypeScript, so it just becomes the case of bi-lingual project and the maintenance burden that comes with it


Rust is just another language. Sure it's cooler than some langs, to some ppl. Sure.

The author made the choice. Open sourced it (thanks!). So now we all enjoy more options. Saying the author did so because "cool" does not sit well with me. It feels like you get a no-strings-attached gift of significant value and then go around saying the giver gave it to be seen as cool.


Just as it has always been.

EVERYTHING you use is complicated. The goddamn ATOMS and electronic shells around them are so absurdly complicated that they require quantum computers to even simulate them without approximations.

Everything is complicated, and all humanity has ever done is to try to rein in that complexity (you think about the MacBook GUI, NOT the transistors beneath it).

So, yeah, I fully disagree with what this blog is trying to say. World is infinitely complex - and we are trying our best to make it make sense.


> all humanity has ever done is to try to rein in that complexity

To what end?

“Rachel Carson's Silent Spring, with a single powerful blow, shattered for all time a complex article of fundamental articles of our cultural faith; that the world was capable of repairing any damage we might do to it; that the world was designed to do this, that the world was on our side; that God himself had fashioned the world specifically to support our efforts to conquer and rule it.” ― Daniel Quinn, The Story of B


There is no end.

The world is the way it is because of the desires that the powerful have chosen to pursue because they felt those were worthy of pursuit.

Everything is about entropy. There are those who obey it and those who fight it and yet all will fall because of it.

There is no written way the world should be / is best.

Life is change.

Just choose for yourself what is a good life but accept that there will always be trade offs


That's true. This brings to mind an idea by Dr. Tom Murphy about sustainability. Human civilization lived sustainably, or in the same state with little change, in the natural world for tens of thousands of years, with much lower entropy than now.

By definition, any behavior that cannot go on forever, or deep into the future, is unsustainable. Of course all life on Earth will end, and humanity far before it. Maybe our current level of sustainability is causing entropy to accelerate.

I'm not saying either way is better, of course better or worse isn't really even a thing. I just wanted to share my thoughts that may inform what I choose for myself to discuss it with others.


Human civilization is often used to describe the last ~ 12k years of us becoming farmers making cities etc.

But way before that, approximately around the time we had both mastered fire and good enough communication skills, Neanderthals and other Homo became the very top of the food chain and started massively altering this planet.

I think scientists in the relevant field call the current extinction period the 4th? One caused by humans.

Sustainable is a "loaded word/concept" of the imprecise language we call English... For who? How long? For self / others? Externalities?

If Mark Zuckerberg creates a robot army and closed loop food producing system and clone installation that keeps him / his descendants alive till the heat death of the universe on an island in Hawaii while 99.999999999999999999% of humans and animals die (some other billionaires on New Zealand etc etc) one could argue it's sustainable for said people but not very sustainable for "humanity"

There is no better way. Better way requires a big man / woman / it in the sky / your shoulder who supposedly knows.

You, me and most people on this forum are just the lucky ones (at least top 40% and most likely average top 3% financially ) who can imagine more than we can achieve in life and hence get philosophical from time to time...

Anyway I see you read / quote a lot of books so yeah, I recommend you the Derek Sivers book "How to Live"; he's much better than almost everyone at distillation and has the bonus of not having to sell.

Anyway as a tip: You can use sources / references, but proof of authority / reference to authority (doctor this, ...) doesn't really add unless it's about a highly practical field. Can just add a source link at the bottom if you wanna reference his words, but ideally the idea can stand by itself.


I think so too. The rich will be richer, but also more people will have more at the same time. As Civilization put it: 'Just as it has always been'


I wonder if Hetzner had better uptime in the EU than AWS this year.


Why no love for OVH?

I find Hetzner's UI to be super-confusing, making it hard to manage things.


At the rate that people claim AWS us-east to go down, folks will argue that OVH has a tendency to go up in flames!


Who said anything about ui? I just grab my project write key and Codex handles it all, no UI from idea to production at all.


How do you know it isn't spending $99999 a month?


OVH datacenters occasionally burn down.


OVH rocks, they are also far more customer support friendly than Hetzner. Half the time Hetzner feels like they are doing you a favor by letting you rent servers from them.

OVH is way simpler, and the OpenStack integration from them works well enough for most of my needs.

Kinda insane how atrocious docs are tho. No .md markdown format to let agents read stuff yet -_-


They once had offerings for dedicated servers without hard drives. They did network boot from NFS. So the costs were between a full dedicated server and a virtual one. Sadly it was very badly engineered. Small disk IO was so bad that you basically couldn't run MySQL. I did run an MX. For every mail Postfix would complain that the filesystem did run a few seconds in the future. At some point they gave up and stuck a USB stick into every server.

It was death by a thousand cuts and put a bad taste in my mouth. But I have to admit that was a long time ago and I should probably give them another chance.


Can someone more intelligent than me tell me why I should offload my postgres users table to some 3rd party provider? Like what is so hard about keeping that table in my VM on Hetzner that I have to give it off to someone else? It's not payments, it's just a few fields of data


It’s just a few fields until it’s not.

SSO, SAML, SCIM, OIDC, OAuth, 2FA, passwordless auth, verification tokens, etc etc, And, variations of each for wildly popular systems you’ll be expected to integrate with but don’t support the exact spec.

For a while at my company, half our support engineers' time went to handling random SSO issues that came up in our home built auth system.


I don’t know when we became this lazy. Auth is hard, sure, but putting your users table and sessions behind a vendor API is not something cool. Tell me one feature that is not supported by libraries like OpenIddict (You can build around) or Keycloak?


I think the main argument usually is time savings. Personally I just always do e-mail and password auth; yeah, it's old and not the shiny new thing, but it doesn't require me to integrate 200 different ways of doing auth.

We should be able to demand users remember their passwords. I don't like to cater towards users who simply don't want to put in the work to use my product.

Will I lose potential users over this? Yes. Does it feel bad knowing I am in control and won't have to offload to 3rd party vendors? Hell no.


That's great for B2C, but B2B demands SSO.


Not really, we do B2B. E-mail & password is good enough for our customers. They really really don't care about what kind of auth we use.


Great for you but that's not the case for a lot of B2B contracts we have. A lot of them require integrating with their SSO, not just for login but for permissions too


Do permissions follow the same model everywhere with SSO or do you now have to set up permission logic everywhere for new customers? Like company A uses "admin" as role while company B uses "management" for essentially the same role?


Depends on your industry I guess. My personal experience is that small-to-medium companies ask for SSO, large and enterprise _require_ it.


Same here, just email + password, no Google dependency initially. If more users ask we will think of it. But again, you don't need a cloud vendor for all this.


You do you but most businesses if given the option between supporting OAuth to reduce friction on signups, or only supporting password auth, will choose the option that makes them more money.

You don't have to use a 3rd party service for OAuth. You can do it in house.


Yea I know, I just don't want my app to have a google logo on it, or whatever other companies people use to login with. E-mail and password will forever be my go to solution.

I want intentional users not the ones that click "sign up with google", try out the app once and never come back. Also I don't have the time to learn how to properly integrate more auth methods into my app. I want my own user table, I want predictability on how a user model looks and I want to be in control of everything.


Well the disadvantage is that you're responsible for your company's Keycloak.


Exactly. Do you want to become ops? Because that's how you become an ops team.


If you're a SaaS vendor, you want to make onboarding and logging in as easy as possible and being able to do things like add a "login with google/apple" button or other third party SAML/SSO tooling is one way to do that. Supporting that workflow sucks as it can involve very finicky integrations involving certificate trusts, etc.


Those authentication providers require you to do the same Google/Apple OAuth certificate configuration yourself, and you even have to pay the 99 euros for Apple.

SAML/SSO is indeed finicky, but the problematic part (mapping attributes) is often done by IT teams, ESPECIALLY if you use a third-party provider.


WorkOS has a built-in workflow for all the complex SAML/SCIM attribute mapping.

https://workos.com/docs/directory-sync/attributes

Also certificate renewal flows:

https://workos.com/changelog/certificate-renewal-flow

(I'm the founder.)


Not sure what laziness has to do with this. It’s all about tradeoffs.

Auth isn’t something I want to think about. There are a lot of hidden traps.


"home built auth system" is bound to have "random SSO issues". You fix them, that's how things mature.


Yep, it’s just a drag. It’s not our core product value so any effort we put into it is a drag.


Rather than just use an email solution, Google built Gmail into a massive email solution despite it not being a core product.

Sometimes that's just an opportunity


> ... not being a core product

Technically true, because Google's core product is ads. Also fundamentally wrong, because Gmail serves as a massive source of ad targeting information, in addition to being a high-engagement canvas to display those ads.


Google has not been scanning gmail mails for ad targeting since 2017. I think after 9 years we can finally let that one go.

Ad display I'll still grant you of course.


I don't think we can let that one go so easily, since they might not be scanning for ad targeting (pinky promise?) - but they most certainly will slurp everything up for their AI stuff: https://blog.google/products-and-platforms/products/gmail/gm...


Sure, now it is.

It was an unproven long shot when they built it.


Supabase's auth is MIT licensed and OSS, is it not?

https://github.com/supabase/auth/blob/master/LICENSE


Supabase is OSS but it's a real pain to actually self host it


Couldn’t you get Claude to go into Supabase’s auth code and make your custom one like theirs but adapted to your stack?


"Claude, make my custom one like theirs but adapted to my stack. Make no mistakes"


This is not funny because people are doing that for real.


Exhibit A, mi.


You’ll have to drive the agent to do it, not a one-shot task. It’ll also require you to understand your codebase.


And don’t hallucinate.


I'm guessing they simply didnt want to spend the time and money doing that


Possibly didn’t want to accept the additional risk that comes with rolling your own auth as well.


Is this perhaps a reason to have a Users table that is separate from the table of data on how you authenticate that user?


> For a while at my company, half our support engineers time went to handling random SSO issues that came up in our home built auth system.

fwiw, we also have entire staff dealing with SSO issues among our employees and users, despite relying on external services to handle auth.

A problem domain as complex as authentication is bound to have issues of some sort. But I am not sure if I would be so fond of „outsourcing“ something as integral to my services as the access to these services


There is a trust component for sure, but a business requires assessing the value of time against revenue. I can say for our org that using an off the shelf solution like Clerk saves us time and money and we believe the risk is very small relative to the savings. Maybe the cost for you is not large right now, but when you've got 20 enterprise customers all asking for specific OIDC integrations configured with Private Link, custom domains, and private clusters, an auth solution starts looking mighty fine.


Just use Ory Kratos and self host it.


That’s when you install Keycloak.


is it just me? who just uses magic links delivered via email or telegram as backup?


Personally I hate magic links via email with a passion and will actively avoid products that have this as the only authentication method


Majority of apps are B2C apps, they don't need any of this.

All you need is Apple and Google Oauth.


If you are just starting out it's probably a good idea. Think about the use case when Google bans either your app or bans your app's user?


Then your business is entirely screwed anyway because you've just lost half the market

At least to me it sounded very much like they were talking about mobile.


It depends on your use case.

If you are a B2C app, you are probably more concerned about:

- social providers (Apple and Google being the big ones, but others could play a role--FB or Tiktok for example)

- easy registration (but not too easy, you want to avoid bot spam)

- self-service account management (updating profile fields, consents [CCPA, GDPR, others], resetting passwords)

- single sign-on between your apps (if you have multiple)

- language support (for your backend, and mobile/web front end)

- cost

- possibly MFA, possibly passkeys


Why pay someone to build a house? I’m sure you could do it yourself…but that doesn’t mean that is the best use of your time in all cases. The analogy is basic but apt; not everyone needs or wants to run (or create) every mechanism. I don’t do all of my own hosting either and it’s not because I couldn’t, it’s that it isn’t worthwhile in my cases.

To expand a bit more: if a business is faced with a choice to save some money by increasing risk, having people whose job it isn't managing and supposedly securing that information, or to have a third party whose job is literally to handle and worry about those things, who carries independent insurance, and who is on the hook if they lose customer data, and in exchange the business is simply taking the risk of associating with a business that could do a poor job — which of those options sounds more appealing from a business sense? It’s a lot easier to blame someone else than earn back trust for your own major mistakes because you tried to write your own software to save a little money.

That’s the SaaS value proposition.


I see Postgres etc as the builder. Supabase is more like the realtor; a middle man extracting profits and complicating the situation.


Does Postgres talk OpenID connect directly? Does it integrate SAML easily?

Oh you still have to build the auth system yourself? Well maybe a realtor does sound good now.


No, but most serious major stacks have officially supported or popular maintained libraries which handle all of this out of the box already.


This comment is more ridiculous than ever in 2026.


If you’re implying that people should __always__ roll their own services and never vendor out non-core parts, the security industry would love to learn where you work.


Yes the analogy doesn't work here because that is much more cost prohibitive and labor intensive.


Because of AI or because hackers are hyper targeting infra clusters?


Emperor, meet clothes.


>that doesn’t mean it’s the best use of your time in all cases

Okay, so… what are those cases? I’m also curious.


> Okay, so… what are those cases? I’m also curious.

If you're willing to make a third party SaaS's uptime the ceiling for your own org, you can delegate auth. Github might not be a good choice for SSO.

If you're not threatened by per-user-per-month fees, you can delegate auth.

If your threat model is compatible with a third party having visibility into your user's network location and the frequency and duration of their activities across your org, you can delegate auth. (Okta will probably not inform your competitor that your main sales guy is in North Carolina this week and has logged in from the conference room wifi of your competitor's main client.)

If you can trust the third party to not allow an interloper to bypass your requirements, you can delegate auth.


This is such an absurd take.

For starters, if I'm a "house builder" by trade, then yeah, I am going to build the house myself. Otherwise, why should the client pay me, and not the guy I'm subcontracting?

Secondly, there is no such thing as a "house builder" profession. It consists of a lot of different trades people, some of them having legal power to sign off your house build (for example an electrician). Now, we could try to push for something similar in software engineering, and say require you to have an "authentication engineering certificate" in order to handle code related to auth, and only a person holding the certificate can allow such code for production use. But I'm pretty sure all the vibe coders and tech bros will cry how unfair and bureaucratic the system is.

But of course the entire SWE profession is based on grifting, and extracting as much money as possible from the customers while cutting the costs. If you are so afraid to save passwords to a database, then at least don't call yourself a software engineer.


> For starters, if I'm a "house builder" by trade

You're not a house builder, you're a widget maker who needs a house to live in. Auth is almost never your startup's core competency or offering. Spending one of your very valuable five engineers on the auth tarpit while you lose deals because SSO is hard could be life and death for you.


Clearly!

It’s humorous that these conclusions are that the only option is SaaS or write it yourself, while my comments were about not doing things yourself, not that a SaaS is the only answer. Interesting that is how you felt the need to take it.

People are rarely as clever as they think they are at preventing others from doing something, while others only need to find one thing wrong. “Write it myself” is about the dumbest answer to that problem if you do not have the same level of resources to commit to that specific problem as can be solved by someone else.

Not really a hot take to state something so…basic..but you’re welcome to conclude what you like.


Don't you wanna level up your career to become an architect? You can draw a box, call it "User Management" and slap "Clerk" or some other SaaS on it, and assume it's managed for you. This allows you to shove whatever requirements you want in that magic blackbox as you feel "it doesn't bring value" for you to implement.


Because auth is a productivity tarpit. Anything you plan on doing with auth looks simple but almost never is. Homegrown auth can easily sink half of your dev and support teams.

Of course, we're not talking about email/password with "remember me" checkbox kind of auth.


I wonder if it is not people being notoriously lazy or clueless to an astonishing degree. How often do you hear that passwords were saved in plaintext? Surprisingly often in this day and age.

People not knowing what salt and pepper is... Vulnerabilities almost as if on purpose...

Perhaps it is actually not THAT hard but just like error handling, people don't want to do the unsexy parts and want to delegate those tasks to someone else perhaps. There must be a behavioral pattern there...
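The "salt and pepper" the comment above refers to, as an added example (not code from the thread or any project it names). It assumes Python's standard library only: a per-user random salt stored in the record, a server-side pepper applied via HMAC before scrypt (the `PEPPER` value is a constructed placeholder; in practice it is loaded from a secret store and never written to the database), constant-time comparison, and transparent re-hashing when the cost parameters are raised. The `users` dict stands in for the users table.

```python
import hashlib
import hmac
import secrets

# Server-side pepper. It lives outside the database (environment variable, KMS,
# HSM) so a dumped users table alone is not enough for an offline attack.
# Constructed value for this example; load it from a secret store in practice.
PEPPER = b"constructed-pepper-load-from-a-secret-store"

# Current scrypt cost parameters (n, r, p). They are recorded in every stored
# record so they can be raised later without invalidating existing accounts.
PARAMS = (2 ** 14, 8, 1)  # about 16 MiB of memory per hash


def prehash(password):
    # Apply the pepper with HMAC rather than string concatenation, so the pepper
    # never touches the database and its length does not leak into the input.
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password, params=PARAMS):
    """Return a self-describing record: scrypt$n$r$p$salt_hex$hash_hex."""
    n, r, p = params
    salt = secrets.token_bytes(16)  # unique per user, stored beside the hash
    digest = hashlib.scrypt(prehash(password), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Return (matches, needs_rehash). Never raises on a malformed record."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        n, r, p = int(n), int(r), int(p)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False, False
    if scheme != "scrypt":
        return False, False
    digest = hashlib.scrypt(prehash(password), salt=salt, n=n, r=r, p=p, dklen=32)
    matches = hmac.compare_digest(digest, expected)  # constant-time comparison
    return matches, matches and (n, r, p) != PARAMS


# A dummy record verified for unknown usernames, so a login attempt costs the
# same time whether or not the account exists (limits user enumeration).
DUMMY_RECORD = hash_password(secrets.token_hex(16))


def register(users, username, password):
    """Store only the hash record; the plaintext password is never persisted."""
    users[username] = {"password": hash_password(password)}


def login(users, username, password):
    """Check the password and transparently upgrade old cost parameters."""
    user = users.get(username)
    record = user["password"] if user else DUMMY_RECORD
    matches, needs_rehash = verify_password(password, record)
    if not (user and matches):
        return False
    if needs_rehash:
        user["password"] = hash_password(password)
    return True
```

Raising `PARAMS` later is the whole point of the self-describing record: old rows keep verifying, and each successful login silently rewrites them with the stronger parameters.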


Your comment has a bit of an inexperienced smell. Business auth is infinitely more complex than saving a user and salting/hashing his password.

> There must be a behavioral pattern there...

The pattern is that your comment is very far from reality.


My point is that people mess up things as basic as salt and pepper, or encryption at rest. People are not even trying...

If we deal with the intricacies of RBAC, ABAC, ACL mixed with scopes, SSO, SAML, OIDC, MFA, etc... I don't find these too conceptually complex.

I mean, it should be avoidable complexity. Most of the complexity is technical debt, bad implementations etc. But by itself it is not THAT complex.


No. OIDC and in general identity management + entitlements in a large business organization is complex because we need that complexity.


We are speaking about incidental complexity vs. essential/inherent complexity. Incidental complexity is dealing with an XML format that is prone to vulnerabilities because people don't know how to parse properly, or because the protocol was badly spec'd back in the day, in the case of SAML for instance. Or ill-defined scopes, etc...

Having had the chance to try and implement libraries to interface with those systems a couple times, most people agree that implementations are far from perfect or streamlined. We call this incidental/accidental complexity.


> want to delegate those tasks to someone else perhaps

And this someone's name begins with "Cla" and ends with "ude".

So we're going to have a lot more vulnerabilities in the auth code going forward.


Apparently a mythos loop will mitigate that. /jk

We will see I guess... It could also be an opportunity to audit systems in automated ways.


I must be as intelligent as you because I also never understood why things like Supabase even exist. I believe this shows how much the front-end dev world is detached from how things can be simple and secure by default.


Do you say the same about AWS RDS? Are you saying VMs are all you need and it is a doddle for anyone with FE-only experience to set up, maintain and scale?


Yes many people do say the same about AWS RDS.


Yeah you’re a bit confused. Supabase has nothing to do with frontend other than providing SDKs and some frontend components to integrate with their backend.


BetterAuth is users in your own database. So you don’t have to!


Why Better Auth and not Postgres in Docker? What is better about Better Auth compared to the ol' reliable Postgres?


I think you are misunderstanding. Better Auth just uses your existing database… It’s just a library.


Start any greenfield project, hand-coded auth takes up 50% of the development time of the entire MVP


I would disagree here. You probably need OAuth with popular social services and implement username, password or OTP-based auth overall. For an MVP, you don't need to care about more details beyond this; it is hardly 10% of the entire effort, if not 5%.


It takes like an hour. So that's a quick mvp then


Social logins, email logins, password resets, multi-tenant, organizations, many to many users to organizations, etc etc. Not necessary for MVP, but can definitely be painful hacking in later if the MVP hits.


What you are talking about is in a large part authentication. You can do authentication using an external service and still have your user table locally. You can also do authorization locally with a local session table while leaving authentication to a SaaS.
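The split the comment above describes (authentication by an external provider, users and sessions in your own table), together with the earlier question about one tenant calling a role "admin" and another calling it "management", as an added example in Python that is not code from the thread or from any product it names. Everything is constructed: the issuer URL, client id and secret are placeholders, the IdP's token is minted in-process with HS256 using the client secret (which OIDC permits, though real providers normally use RS256 keys published at a JWKS endpoint), and plain dicts stand in for the users, sessions and per-tenant role tables.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed relying-party configuration (placeholders, not a real deployment).
ISSUER = "https://idp.example.com"            # assumed issuer of the external IdP
CLIENT_ID = "widget-app"                      # assumed client_id registered there
CLIENT_SECRET = b"constructed-client-secret"  # assumed HS256 key (see lead-in)

# Per-tenant translation of the IdP's role names into this application's roles.
# Tenant A calls its administrators "admin"; tenant B calls them "management".
TENANT_ROLE_MAP = {
    "tenant-a": {"admin": "admin", "user": "member"},
    "tenant-b": {"management": "admin", "staff": "member"},
}

# Local tables. Authentication is external; identity and sessions stay here.
USERS = {}      # (tenant, iss, sub) -> user row
SESSIONS = {}   # opaque session token -> {"user": key, "expires": timestamp}
SESSION_TTL = 3600


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_id_token(claims, secret=CLIENT_SECRET):
    """IdP side: mint an HS256 ID token. Present only so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_id_token(token, now=None, secret=CLIENT_SECRET):
    """Relying-party side: check signature, issuer, audience, expiry and subject."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm; the header must never choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ValueError("missing subject")
    return claims


def login(token, tenant, now=None):
    """Verify the external identity, upsert the local user, mint a local session."""
    now = time.time() if now is None else now
    claims = verify_id_token(token, now=now)
    mapping = TENANT_ROLE_MAP.get(tenant, {})
    # First IdP role this tenant's mapping knows; unknown role names grant nothing.
    role = next((mapping[r] for r in claims.get("roles", []) if r in mapping), None)
    if role is None:
        raise PermissionError("no role mapped for this user in tenant " + tenant)
    key = (tenant, claims["iss"], claims["sub"])
    user = USERS.setdefault(key, {"id": len(USERS) + 1, "tenant": tenant})
    user["email"] = claims.get("email")
    user["role"] = role  # refreshed on every login so changes at the IdP apply
    session = secrets.token_urlsafe(32)
    SESSIONS[session] = {"user": key, "expires": now + SESSION_TTL}
    return session, user


def current_user(session, now=None):
    """Resolve a session token to the local user row, or None if invalid or expired."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(session)
    if entry is None or now >= entry["expires"]:
        SESSIONS.pop(session, None)
        return None
    return USERS.get(entry["user"])
```

The session token the application hands out is its own opaque value, so the IdP's token is never stored or replayed, and revoking access is a local delete in `SESSIONS` rather than a round trip to the provider.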


By the time you're so big you need all of that, there will be other people at the table to "hack that in".


I strongly disagree. If you’re selling to other businesses, much of that is an expectation.


Social logins, multi-tenant and organizations are very far from table-stakes for an MVP.

Whether it's painful to put in later or not is sadly nothing that the managers and executives concern themselves with.


Depends on the company and product. The SSO/Social login, multi tenant and multi platform are indeed needed for my MVP.


Indeed it depends of course. Though I don't find it fair for those requirements to be presented as table-stakes and required, as my original parent comment seems to have done.


All I am seeing here is Django modules


Django, Rails etc handles this.


So... you just have to not build your web app in the most popular web app language? Somehow i think there will be big time debt from that decision


Not as big as the debt you will get from having to implement it all yourself. And it's not like he's suggesting you use cobol - there is not an issue of finding people who can work with both rails and django, so the popularity isn't really relevant.


Those are both very popular languages for web backends, and both of those platforms are mature and robust.


I feel seen. It's compounded if you also need to add HIPAA row-level security compliance that spans to every form of resource.


…use Django, install auth modules


Mature frameworks generally handle auth out of the box.


I am just as confused as you. My 2c: For a broad range of requirements, running your DB directly and managing auth with Django or similar is easier. Perhaps at enterprise scale, this changes.


That's what they did. They migrated to Better Auth, which stores everything in your DB. It's the equivalent of Django auth for the Typescript ecosystem.


People are very scared of messing up authentication and getting hacked. They would rather offload that responsibility to a third party and not think about it.


Unfortunately this is a common premise, and on the surface it's a good idea too to let an expert in a particular domain handle it. Where it gets muddy is when this third party are themselves learners and just see this as a good business opportunity


People are afraid to touch dangerous things, like passwords and payment systems. Depending on their skill level, they should indeed be afraid.


I roll both of these at work, from auth to cashless payments to regular online payments. It's not as hard as people make it out to be. Probably a lot harder at big companies with huge attack surfaces and attention though.


The only project where this was the case that I didn't hate it was at a former employer, and it gave the responsibility of securing users to Auth0 and minimized our PII and attack surface, since even the login page was not hosted or controlled by us. Worst case you somehow hacked our users and got some free entree reward they had, otherwise good luck trying to get very little data.

It allowed us to do SSO for small one-off marketing / campaign focused sites. I could give a specific login URL and it would always log you in if you were already logged on.


It feels like a good idea when you are early on in building your product and what matters is quickly iterating on the core features that define your product.

It’s not just the table, it’s also the auth and many other things that you know you will need but you would prefer to focus on other stuff.

Almost always you start by saying that you will replace that when the time comes and you have proved you have a product and now it’s time to actually build the real thing.

Some teams do that and some other, never migrate away and that’s how the GTM of companies like Clerk works.


I'm working at a tiny non-IT company. Outsourcing this work and the security of not having my non-IT-trained coworkers being able to touch the server is great (but a VM would do the same of course, while costing money). Most of all, we currently don't even need paid tiers of Supabase since our software is so small.

Given, I feel if you run supabase at a big company you are either lazy and probably have too much budget to spend on useless costs.


Some people enjoy vendor locked managed services for their core infrastructure. Typically this decision is made when building from zero to one in resource constrained environments, and the long term play is to move to your own table/db when it becomes sustainable to do so. The only reason to move to a managed service after having done the work to setup self owned systems is when you need to either a) CYA or b) reduce headcount


AuthN is hard and generic, authZ is easy and specific. Offload authN, and keep your users table in your Hetzner.


You are not supposed to offload your users table, you are supposed to offload your password field.


Better Auth is basically just a library / scripts that you run in your application.


I wrote an article about this: https://ciamweekly.substack.com/p/ciam-for-the-single-applic...

The tl;dr of the article is that there are auth specific features that are not differentiated but that users expect. Just like you might outsource pieces of functionality like data storage and message sending to specialized servers/libraries/applications, you can do the same with authentication.

The article could use some improvements, tbh, it is 2.5 years old.

