1.  

    I think the target audience is different. Interactive BOM is designed for people who build the boards, while this is designed for people using the boards.

    1.  

      IHBOM’s primary use is for people soldering their circuits. You get an order of 10s-100s of little bags from DigiKey or Mouser or whomever, each with some small qty of components, and then have the challenge of trying to remember where on this PCB a 5n6 0402 inductor was meant to go - IHBOM makes that an absolute breeze and I use it all the time.

      Pinion is more for documenting the physical/electrical interface of your PCB for others. API rather than build instructions, if you like.

      1.  

        The JavaScriptCore[1] interpreter is hand-written portable macro assembly that generates around 30 KiB of machine code that fits in L1 i-cache on most systems. Their tier-1 JIT is incredibly simple: it just copies and pastes the chunks for the small opcodes inline and inserts jumps to the large ones. The vast majority of JavaScript code runs on one of these two implementations, things only get promoted to the third and fourth tiers after being identified as very hot code paths. Unless you’re running canvas-based games, the odds are most JavaScript that you see executing in Safari is in the interpreter or baseline JIT.

        [1] The JS implementation in WebKit that Chrome replaced with v8.

        1.  

          S7 scheme, which is interpreted, claims similar performance to guile (which is jitted) and chicken scheme and sbcl (which are compiled).

          1.  

            I don’t very much care about what Microsoft’s browser does because I don’t use it, but I’m very much interested in spreading the idea that there’s good reasons to use simple, maintainable software even if it isn’t the fastest.

            1.  

              No and it’s never getting them, but oh well, eq is in lodash.

              1.  

                His “assume syscalls fail capriciously”, no they don’t, they fail for very sound and well-defined reasons.

                Defensive security means assuming that all components of a system will fail; that includes the ones you wrote, the ones you didn’t write, and even ‘untouchables’ like hardware memory protections and the OS kernel. Sure, there are reasonable limits; but looking at the return value of a syscall is a reasonable sanity check that guards against both kernel bugs and bugs (or misunderstandings!) in your own code; and the cost (when compared with the cost of the syscall itself) is negligible.
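As an added illustration of the point above about acting on syscall return values (this is example code, not part of the comment), here is a Python version built on os.write/os.read over a pipe. It handles the short-write and EOF cases and shows a failed call being reported instead of ignored; the payload and the deliberate misuse (writing to the read end of the pipe) are constructed for the example.

```python
import errno
import os


def write_all(fd: int, data: bytes) -> int:
    """Write all of `data` to fd, acting on the return value of every write(2).

    os.write() may legitimately write fewer bytes than asked (a short write);
    a caller that ignores the count silently loses the tail. A failure raises
    OSError, which is propagated rather than swallowed.
    """
    view = memoryview(data)
    written = 0
    while written < len(view):
        try:
            n = os.write(fd, view[written:])
        except InterruptedError:
            # EINTR: interrupted by a signal. Python 3.5+ retries this itself
            # (PEP 475); the branch documents the case for older interpreters.
            continue
        if n <= 0:
            # A zero-length write of a non-empty buffer is not a defined success
            # for a pipe or regular file; fail loudly instead of spinning.
            raise OSError(errno.EIO, "write(2) made no progress")
        written += n
    return written


def read_exact(fd: int, size: int) -> bytes:
    """Read exactly `size` bytes, checking every read(2) result (0 bytes = EOF)."""
    chunks = []
    remaining = size
    while remaining > 0:
        chunk = os.read(fd, remaining)
        if not chunk:
            raise EOFError(f"EOF after {size - remaining} of {size} bytes")
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)


def roundtrip_through_pipe(payload: bytes) -> bytes:
    """Push a payload through an OS pipe and return what the reader got back.

    The payload must fit in the pipe buffer (kept well under 64 KiB here),
    because a single thread writes everything before it reads.
    """
    r, w = os.pipe()
    try:
        sent = write_all(w, payload)
        return read_exact(r, sent)
    finally:
        os.close(r)
        os.close(w)


def write_failure_name(payload: bytes) -> str:
    """Constructed misuse: writing to the *read* end of a pipe is invalid.

    Returns the errno name the kernel reported (EBADF on Linux/macOS) to show
    that write_all surfaces the failure instead of pretending it succeeded.
    """
    r, w = os.pipe()
    try:
        write_all(r, payload)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        os.close(r)
        os.close(w)
    return "no error"


if __name__ == "__main__":
    print(roundtrip_through_pipe(b"hello" * 100)[:10])
    print(write_failure_name(b"x"))
```

The two helpers are the whole point: every call site that uses them gets the return-value check for free, which is cheaper than auditing each raw os.write() later.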

                1.  

                  http://copy.sh/v86/

                  I don’t know whether to be amazed and impressed or whether I should vomit on my keyboard.

                  1.  

                    They are a big company doing many different things. It saves a lot of heartache to ditch the goodie/baddie scale and consider each activity on its merits. And in this case I think they’re onto something good. I for one would sacrifice 10-50% JS speed to rule out an entire class of common security bugs.

                    1.  

                      They are:

                      • Giving schools free copies of their office package in order to maintain their OS and productivity software dominance on the desktop.
                      • Lobbying public sector heavily to get locked into Azure.
                      • Using their dominant position to get the whole public sector as well as kids and students onto Teams and O365 with a recurring subscription.
                      • Cross selling One Drive heavily on their non-enterprise Windows editions.
                      • Showing ads and installing bloatware in their non-enterprise Windows editions.

                      They want nothing else than total platform dominance and they don’t care about the little people, obviously. The question is, do you consider total dependence of our administrations and of the less-well-off on them a goodie?

                      1.  

                        The problem, as the article says, is that we have no copyleft license that applies to entire distributed systems, and it would be nice to. Not so much a problem with the AGPL as an explanation of why it is not the license the OP was wishing for.

                        1.  

                          My cognitive dissonance is off the charts these days with Microsoft. Are they the goodies?

                          1.  

                            That is neat!

                            This sounds like a more structured solution like the query comments mentioned above by @viraptor.

                            From what I know: MySQL is also working on query attributes. Similar to connection attributes, but for queries. This comes very close to the Query Bands feature (without the workload manager part).

                            1.  

                              I know it’s ok and usable in most cases. But there will be some number crunching micro-benchmark which is 50 times slower, even if not representative. And I expect that’s the one that will make the headlines. Rather than “slightly slower more secure alternative available”, I expect “Chrome and Firefox finally available on iOS, up to 50x slower”.

                              Maybe I’m totally wrong. But I honestly think that would stop Google from going with it.

                              1.  

                                I was aware of the trick with the SQL Query comment. At trivago, we also use this a lot. I was not aware of any library explicitly doing this. Thanks for the hint! For all others, here you can find the library basecamp/marginalia.

                                I can second the usefulness of this trick, especially during an audit, replication, and slow query logs. Similar to connection naming, it is close to zero engineering effort. Assuming here that you craft your SQL queries by hand rather than using a DBAL. In the case of a DBAL, it might be a bit trickier to sneak in SQL comments.
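As an added example of the query-comment trick discussed above (example code written for this page, not basecamp/marginalia’s own implementation), the Python below prepends a marginalia-style `/*key:value,…*/` comment to a statement, shows that SQLite executes the annotated statement unchanged, and parses the tags back out of a log line. Tag values are restricted to a conservative character set so a value can never contain `*/` and turn the comment into SQL. The table, the tags and the slow-query-log line are constructed sample data.

```python
import re
import sqlite3

# Tags are restricted to a conservative character set so that no value can
# contain "*/" and terminate the comment early, turning a tag into SQL.
_SAFE_TAG = re.compile(r"^[A-Za-z0-9_.:@/\-]+$")
_COMMENT = re.compile(r"^/\*([^*]*)\*/")


def tag_is_safe(value: str) -> bool:
    """True if `value` may be embedded in the query comment verbatim."""
    return bool(_SAFE_TAG.match(value))


def annotate(sql: str, **tags: str) -> str:
    """Prefix `sql` with a marginalia-style comment, e.g.
    /*application:currency-web,controller:RatesController*/ SELECT ...
    """
    for key, value in tags.items():
        if not (tag_is_safe(key) and tag_is_safe(value)):
            raise ValueError(f"refusing unsafe tag {key!r}={value!r}")
    body = ",".join(f"{k}:{v}" for k, v in tags.items())
    return f"/*{body}*/ {sql}"


def parse_tags(logged_sql: str) -> dict:
    """Recover the tags from a statement as it appears in a slow-query or audit log."""
    match = _COMMENT.match(logged_sql.strip())
    if not match:
        return {}
    return dict(item.split(":", 1) for item in match.group(1).split(",") if ":" in item)


def demo_query() -> float:
    """Run an annotated query against an in-memory SQLite table (constructed data)
    to show that the leading comment is harmless to the engine."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rates (cur TEXT, rate REAL)")
    conn.execute("INSERT INTO rates VALUES ('EUR', 0.92)")
    sql = annotate("SELECT rate FROM rates WHERE cur = ?",
                   application="currency-web", controller="RatesController")
    (rate,) = conn.execute(sql, ("EUR",)).fetchone()
    conn.close()
    return rate


# Constructed excerpt of a logged statement, as a slow-query log would record it.
SAMPLE_LOG_LINE = ("/*application:currency-web,controller:RatesController,"
                   "host:web-03*/ SELECT rate FROM rates WHERE cur = 'EUR';")


if __name__ == "__main__":
    print(demo_query())
    print(parse_tags(SAMPLE_LOG_LINE))
```

The parser is what makes the trick pay off on the ops side: once every logged statement carries `application:` and `controller:`, a slow-query log can be grouped by the code path that issued the query rather than by raw SQL text.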

                                1.  

                                  Author here.

                                  I share your happiness. The design of the database is on one side. The design of the application is another. I have seen many systems that have several different use cases for the database connection (like @zie describes with -web and -fetcher). However, I have not seen different database connections to the same database with different users. Often they share the same database connection pool.

                                  1.  

                                    Author from the article here.

                                    I agree with you; what you describe should be the standard, and it even has security benefits. Using your own username is also the workaround once a system doesn’t support connection naming at all. However, having worked in several companies and seen many more systems, I can tell you that this is even often considered “overhead”. Why? Because here often Dev and Ops don’t play together. Dev is adjusting their DB calls. Ops want to avoid adjusting the permissions of the user every release, … You know the game. Sad, but true.

                                    Admitting that connection naming is not implemented in these environments either.

                                    But I am with you. I would even go one step further and advocate for every application documenting its DB commands. Like currency-conversion-app-web is doing only SELECT and INSERT. This would enable (dev-)ops to limit the permissions of the single user to exactly these operations. I have rarely seen this, even in Open Source Software.
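As an added example of the idea above (written for this page, not the author’s code), the Python below turns a documented per-application command manifest into an enforced one, using SQLite’s authorizer hook as a stand-in for the database-level grants ops would configure in a real deployment. Each application name, its allowed verbs and the `rates` table are constructed for the example; the manifest names reuse the `currency-conversion-app-web` style from the comment. Anything not in the manifest, including DDL, is refused at statement-preparation time.

```python
import sqlite3

# Constructed example: each application documents the statement types it needs.
# In production this manifest would drive the GRANTs for that app's DB user.
APP_MANIFEST = {
    "currency-conversion-app-web": {"SELECT", "INSERT"},
    "currency-conversion-app-fetcher": {"SELECT", "INSERT", "UPDATE", "DELETE"},
}

# SQLite authorizer action codes mapped onto the documented verbs.
_ACTION_TO_VERB = {
    sqlite3.SQLITE_SELECT: "SELECT",
    sqlite3.SQLITE_READ: "SELECT",      # per-column reads issued while selecting
    sqlite3.SQLITE_INSERT: "INSERT",
    sqlite3.SQLITE_UPDATE: "UPDATE",
    sqlite3.SQLITE_DELETE: "DELETE",
}
# Housekeeping every statement needs. DDL, PRAGMA and ATTACH are deliberately absent.
_ALWAYS_OK = {sqlite3.SQLITE_TRANSACTION, sqlite3.SQLITE_FUNCTION}


def scope_connection(conn: sqlite3.Connection, app: str) -> sqlite3.Connection:
    """Restrict `conn` to the verbs the named application has documented."""
    allowed = APP_MANIFEST[app]

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in _ALWAYS_OK:
            return sqlite3.SQLITE_OK
        if _ACTION_TO_VERB.get(action) in allowed:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY   # undocumented verb, DDL, PRAGMA, ATTACH, ...

    conn.set_authorizer(authorizer)
    return conn


def try_statement(conn: sqlite3.Connection, sql: str, params=()) -> str:
    """Run a statement and report 'ok' or 'denied: <reason>' instead of raising,
    so the outcome of each manifest check is visible to the caller."""
    try:
        conn.execute(sql, params)
        return "ok"
    except sqlite3.DatabaseError as exc:   # SQLITE_AUTH surfaces as DatabaseError
        return f"denied: {exc}"


def manifest_demo(app: str) -> dict:
    """Create a constructed table with an unscoped connection, then scope the
    connection to `app` and attempt one statement of each kind."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rates (cur TEXT PRIMARY KEY, rate REAL)")
    conn.execute("INSERT INTO rates VALUES ('EUR', 0.92)")
    conn.commit()
    scope_connection(conn, app)
    results = {
        "select": try_statement(conn, "SELECT rate FROM rates WHERE cur = ?", ("EUR",)),
        "insert": try_statement(conn, "INSERT INTO rates VALUES (?, ?)", ("GBP", 0.79)),
        "delete": try_statement(conn, "DELETE FROM rates WHERE cur = ?", ("EUR",)),
        "drop": try_statement(conn, "DROP TABLE rates"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name in APP_MANIFEST:
        print(name, manifest_demo(name))
```

The manifest is the documentation the comment asks for, and the authorizer makes a drift between the documented verbs and the code fail at the first release that needs a new one, which is exactly the conversation between Dev and Ops that tends to get skipped.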

                                    1.  

                                      Yeah, that doesn’t sound great. I don’t use Django; I’m not sure why it uses cookies for this. I guess that an HttpOnly cookie is a bit better since you can’t read it if you have a script injection problem or something.

                                      I just use a hidden form element and to the best of my knowledge it’s never caused any issues (certainly not where they had to contact support and clear cookies). This seems “good enough” to me, especially if cookie-based CSRF solutions can break in non-obvious ways.
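As an added example of the hidden-form-element approach described above (example code written for this page, not the commenter’s code and not Django’s), the Python below keeps a per-session token in server-side session state, renders it into a hidden `<input>`, and verifies a submitted form with a constant-time comparison. The session and form dictionaries, and the four forged or broken submissions, are constructed for the example; a real application would back `session` with its own session store.

```python
import hmac
import html
import secrets

FIELD = "csrf_token"


def issue_csrf_token(session: dict) -> str:
    """Return the session's anti-CSRF token, minting one on first use.

    The token lives in server-side session state, bound to this session only,
    so a page on another origin cannot read it to fill in its own form.
    """
    token = session.get(FIELD)
    if not token:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        session[FIELD] = token
    return token


def hidden_field(session: dict) -> str:
    """Render the hidden <input> to embed in every state-changing form."""
    token = html.escape(issue_csrf_token(session))
    return f'<input type="hidden" name="{FIELD}" value="{token}">'


def verify_csrf(session: dict, form: dict) -> bool:
    """Accept the POST only if the submitted token equals the session's token.

    compare_digest avoids a timing side channel; a missing token on either
    side fails closed rather than matching two empty strings.
    """
    expected = session.get(FIELD)
    submitted = form.get(FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), str(submitted).encode())


def scenarios() -> dict:
    """Constructed requests: one genuine form post and four that must be rejected."""
    session = {}
    token = issue_csrf_token(session)
    other_session = {}
    other_token = issue_csrf_token(other_session)
    return {
        "genuine": verify_csrf(session, {FIELD: token, "amount": "10"}),
        "missing_token": verify_csrf(session, {"amount": "10"}),          # cross-site form
        "wrong_token": verify_csrf(session, {FIELD: "guess-" + token[:8]}),
        "token_from_other_session": verify_csrf(session, {FIELD: other_token}),
        "session_reset": verify_csrf({}, {FIELD: token}),   # the "clear cookies" case
    }


if __name__ == "__main__":
    demo_session = {}
    print(hidden_field(demo_session))
    print(scenarios())
```

The last scenario is the failure mode the comment alludes to: if the server-side session is gone (expired, or cookies cleared), the stale hidden field simply fails verification and the user resubmits, rather than the form silently passing.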

                                      1.  

                                        We do not need licenses that force you to open your tooling around open source components. Those scripts are often highly personalized to the environment and user; even setting that aside they regularly shift across a team, evolving as different people use it.

                                        1.  

                                          But it isn’t 50X worse, their own testing on a performance oriented benchmark shows about a 50% performance regression, and that seems perfectly acceptable for not having to worry about a whole type of memory bugs that could potentially expose private information to attackers. Most JavaScript is used for presentation improvement rather than heavy computation, so most users wouldn’t see a huge degradation in experience. Besides there’s a whole market out there who doesn’t care about performance that much, but cares a lot about security: corporations. It’s cheaper for a company to throw an extra grand to buy a faster laptop that makes up for the lost speed than dealing with a huge data leak.