1. 4

  2. 4

    I’ve had the thirsty-CTO-filing-issues-breathlessly thing happen once. It’s never enough to simply file issues, there’s always this faint entitlement: “can you add $MAJOR_FEATURE? I’m CTO of the best Yelp for dogs app and we need this by next Friday.” The presumption is the maintainer is somehow honored by such a big shot client.

    Nope, nope, and nope.

    1. 3

      I choose to blame github because that’s what I like to do, but really. You stuck stars and issues and pull requests on your project. People are going to use them. There are of course merits to making it easy to contribute, but the flip side is everybody feels entitled to contribute. It may only be a hobby project, but it’s parked right next to serious business moby, too. HN campaigns are how you get changes into docker, so why not this project?

      1. [Comment removed by author]

        1. 3

          I’ve seen this before. Junior programmer who doesn’t know where they stand – after all, they have “users”, or worse, they’ve been programming professionally for a few years. They want users, and validation, because they feel like an imposter, but everyone else programming “just as long as they have” is doing amazing things.

          Then it happens: Something resembling hostility. Someone bites back! This is my safe place, but then… there are others! Quick! Try to turn to public opinion, which of course, is populated by a bunch of other junior programmers who will see themselves in the post, and immediately sympathise (ish) with me. After all, I must be right. I have users.

          Programmer autism at its best.

          So how do we fix it? Can we fix it? There are lots of symptoms:

          And these things are wrong. How can you treat a bug in your code as some kind of personal jab or insult, but can’t also treat a bug you create as a mistake or a failing on your part?

          But I think there’s a bigger issue, and it appears here:

          just because the quirkiness of the API is documented doesn’t mean there isn’t room for improvement. and i’ve seen no documentation/description on why you like this this design decision over other alternatives.

          was not an insult. This person wants your software to be better in ways you’re not thinking about, but because you choose to interpret this as a slight, the cycle continues.

          I don’t have an answer yet, but it’s something I’m definitely thinking about.

          1. 1

            geocar, I’d humbly suggest you don’t know what you’re talking about. Name-calling is not appropriate either (autism).

            • pwiz generated invalid code, but I fixed the bug: see commit
            • peewee is not susceptible to SQLi, all queries are properly parameterized.
            • Peewee supports SQLCipher – which is SQLite with crypto built-in.
            • The crypto issue was just raised with me a couple days ago. The code I used was based on the example from pycrypto’s readme.
            • In the face of ambiguity, Peewee typically will avoid the temptation to make a guess. It’s a matter of taste what you prefer.
            1. 4

              You choose to call what I call bugs, something other than bugs just to make you feel better.

              But they’re still what I call bugs; they are mistakes that you are making.

              You have made a choice to examine my point of view using your definitions to avoid that conclusion.

              peewee is not susceptible to SQLi, all queries are properly parameterized.

              Will you quit programming, if I show you an example?

              1. 1

                Hahaha ok, you win, this is a damn good comment…

                I’d love to see an example of SQLi, so I can fix it.

                Feel free to be more specific about the bugs, too – I have written probably thousands of them over the last 7 years while working on this project…

                Edit: I meant to add, all the stuff that happened in my blog post was a year ago. I’m not trying to sway “public opinion”. In my post I was honest about my motivations for doing open-source. But things change over time. When I created Peewee (back in 2010) I was a Jr developer with 2 years of experience. I had a massive chip on my shoulder. I mean, you’re exactly right about that… Over time, though, people grow, people change. That’s what this post was supposed to be about. That I could see my own motivations more clearly, and that had I understood them better at the time, I would have handled the situation better.

                1. 2

                  So my response to rain1 was not directed at you, even if it was about you (or more specifically: someone like you were seven years ago). More to the point, I don’t mean to cut you down or hurt your (or anyone else’s) feelings even if that’s what ends up happening. It is an explanation, not an excuse. I’m not going to ask you to develop thicker skin, but I hope you’ll consider that.

                  There’s code that’s worth talking about (hint: consider table names that contain a " character),

                  But then there’s also the process of producing code that is business-correct (i.e. “technically” correct; documented to a standard, etc).

                  But: then there’s also the process of producing code that people want to use, that helps those other people make fewer mistakes and get more done. DJB’s interfaces and Arthur’s “very dense” programming offer clues to solutions here because they’re obtaining incredible success in the first two levels as a result of their work here, but discussing this process is proving very difficult because they fly in the face of “conventional” wisdom. Getting past that is difficult, and for myself as well: I remember a time when I was amused by being technically correct.

                  Yet this is the kind of discussion I’m most interested in having.

                  1. 1

                    I’m not going to ask you to develop thicker skin, but I hope you’ll consider that.

                    Why are you so interested in psychoanalyzing me?

                    Re: double quotes in the table name, I didn’t even know that was a thing but I just tried it out in postgres shell and sure enough, it can be done. I don’t know that I see a vulnerability in peewee related to quotes in table-names, however.

                    producing code that people want to use, that helps those other people make fewer mistakes and get more done

                    Yes, which is why peewee has a nice user-base.
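The hint about table names containing a `"` character is about SQL identifier quoting. The following is an added example, not peewee's code and not from any commenter: it shows why wrap-only quoting lets a table name become SQL structure, while the standard form (wrap in double quotes, double any embedded double quote) keeps the whole string as one identifier. The tables, rows and the hostile name are constructed for the demo, and sqlite3 from the Python standard library stands in for the database.

```python
import sqlite3


def quote_identifier(name: str) -> str:
    """Standard SQL identifier quoting: wrap in double quotes and double any
    embedded double quote. SQLite and PostgreSQL both accept this form."""
    if "\x00" in name:
        raise ValueError("identifier contains a NUL byte")
    return '"' + name.replace('"', '""') + '"'


def naive_quote(name: str) -> str:
    """Wrap-only quoting (the bug being illustrated): an embedded '"' closes
    the identifier early and the rest of the name is parsed as SQL."""
    return '"' + name + '"'


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one table the query is meant to read and one
    # it must not reach.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (v TEXT)")
    conn.execute("INSERT INTO t VALUES ('public')")
    conn.execute("CREATE TABLE users (secret TEXT)")
    conn.execute("INSERT INTO users VALUES ('hunter2')")
    return conn


def select_v(conn: sqlite3.Connection, table_name: str, quote) -> set:
    """SELECT v FROM <table_name>, with the identifier quoted by `quote`.
    Identifiers cannot be bound as parameters, so quoting is the only defence."""
    return {row[0] for row in conn.execute(f"SELECT v FROM {quote(table_name)}")}


# Assumed attacker-controlled table name (constructed for the demo).
HOSTILE_NAME = 't" UNION SELECT secret FROM users --'


def naive_leaks(table_name: str = HOSTILE_NAME) -> set:
    """With wrap-only quoting the SQL becomes: SELECT v FROM "t" UNION SELECT
    secret FROM users --"  and the second table's rows come back."""
    return select_v(make_db(), table_name, naive_quote)


def safe_rejects(table_name: str = HOSTILE_NAME) -> bool:
    """With proper quoting the whole string is one (non-existent) table name."""
    try:
        select_v(make_db(), table_name, quote_identifier)
    except sqlite3.OperationalError as exc:
        return "no such table" in str(exc)
    return False


if __name__ == "__main__":
    print(naive_quote(HOSTILE_NAME))
    print(quote_identifier(HOSTILE_NAME))
    print(sorted(naive_leaks()))
    print(safe_rejects())
```

Whether this is reachable in a given ORM depends on whether any identifier (table, column, alias) can ever come from outside the program; the point of the check is that quoting, unlike parameter binding, has to be done correctly by the library for every identifier it emits.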

            2. -1

              This person wants your software to be better in ways you’re not thinking about, but because you choose to interpret this as a slight, the cycle continues.

              I’d like to answer this in two parts.

              This person wants your software to be better in ways you’re not thinking about

              I’m not thinking about them because they are not worth thinking about. A patch to remove quotes around table aliases, which requires the maintenance of a comprehensive list of SQL keywords for all supported relational databases? Shit idea. Using a fancier table-aliasing scheme? The whole point of the library is to avoid worrying about SQL. The library is tiny (hence the name, peewee) and the extra LOC for this kind of thing are also in conflict with the project’s stated goal of simplicity. Calls to get() should throw an error if more than one row matches the given condition? I’m very familiar with that from having used Django, and I’ve already thought about it and implemented it how I saw fit.

              you choose to interpret this as a slight, the cycle continues

              You are correct – and if you read my blog post you hopefully realized that this was the entire point of the post. So yeah…I fucking know.

            3. 2

              crypto problems

              Could you elaborate? As it stands this is FUD and there’s no way for the author to defend against it.

              1. 2

                I’m genuinely confused why this is attracting ‘troll’ downvotes - the claim is not falsifiable, and as such adds noise without signal to the discussion.

                I’m asking for ‘be able to support the claims you make’ to be the standard which discussion here is held.

                1. [Comment removed by author]

                  1. 1

                    That’s linked from geocar’s response to the same comment - the comment I replied to is only 30 words, none of which are links or evidence.

              2. 2

                Hi rain1 – I don’t blame you for not digging into the issues and full context, but would like to explain both your points.

                1. The crypto code I was using is not broken, it is just not as secure as it could be. I was not aware of that until a couple days ago when that particular issue was created. The code the AESEncryptedField is based on is taken almost verbatim from pycrypto’s example code… Will be fixing it in an upcoming release, however. For those looking for better crypto, and who are OK using SQLite, peewee supports SQLCipher.

                2. Peewee is not vulnerable to SQLi because all queries are parameterized. There’s no string interpolation or any other mischief like that.

                3. Re: invalid SQL. Peewee can generate invalid SQL in the sense that you can tell Peewee to join on the same table twice and Peewee won’t “magically” know that the second time you join on the table you want the table to be aliased to another name. So you need to tell Peewee that the 2nd time you’re joining you want to alias the table as something else. It’s not a bug, per se – it’s just that in the face of ambiguity, Peewee does not attempt to guess in this case.
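A claim like “all queries are parameterized, there’s no string interpolation” is one a reviewer can check mechanically across a code base. The following is an added example, not a tool peewee ships or any commenter’s code: a lint built on Python’s `ast` module that flags SQL-looking string literals combined with %-formatting, `str.format()` or an f-string, since each of those puts a runtime value into the SQL text instead of binding it as a parameter. `SAMPLE` is a constructed module with one correct and three flagged queries; the keyword prefix list is an assumption, and concatenation with `+` or SQL assembled from fragments is deliberately out of scope.

```python
import ast

# Heuristic: a string literal that starts with one of these is treated as SQL.
# This list is an assumption for the demo, not a complete grammar.
SQL_PREFIXES = ("SELECT ", "INSERT ", "UPDATE ", "DELETE ", "CREATE ", "DROP ", "ALTER ")


def looks_like_sql(text: str) -> bool:
    return text.lstrip().upper().startswith(SQL_PREFIXES)


def _str_const(node):
    """Return the value if `node` is a string literal, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def find_interpolated_sql(source: str) -> list:
    """Return sorted (lineno, kind) pairs for SQL-looking literals that are
    built with %-formatting, str.format() or an f-string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # "SELECT ... '%s'" % value
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
            lit = _str_const(node.left)
            if lit is not None and looks_like_sql(lit):
                findings.append((node.lineno, "percent"))
        # "DELETE FROM {}".format(value)
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "format"):
            lit = _str_const(node.func.value)
            if lit is not None and looks_like_sql(lit):
                findings.append((node.lineno, "format"))
        # f"SELECT * FROM {table}": only the literal pieces are inspected
        elif isinstance(node, ast.JoinedStr):
            literal = "".join(s for s in (_str_const(v) for v in node.values) if s)
            if looks_like_sql(literal):
                findings.append((node.lineno, "fstring"))
    return sorted(findings)


# Constructed module: one parameterized query and three interpolated ones.
SAMPLE = '''
import sqlite3
conn = sqlite3.connect(":memory:")

def ok(name):
    return conn.execute("SELECT secret FROM users WHERE name = ?", (name,))

def bad_percent(name):
    return conn.execute("SELECT secret FROM users WHERE name = '%s'" % name)

def bad_format(table):
    return conn.execute("DELETE FROM {} WHERE id = 1".format(table))

def bad_fstring(table):
    return conn.execute(f"SELECT * FROM {table}")
'''


def lint_sample() -> list:
    return find_interpolated_sql(SAMPLE)


if __name__ == "__main__":
    for lineno, kind in lint_sample():
        print(f"line {lineno}: SQL built with {kind}")
```

Run over a real tree it will report the `%`/`.format`/f-string sites for a human to read; it says nothing about identifiers spliced into a query by other means, which is why the identifier-quoting check is a separate review item.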

                1. [Comment removed by author]

                  1. 0

                    so this is all very superficial

                    Why do you wish to contradict me, then, if you barely understand the content or the context of the issues mentioned? Did you stop to think that maybe you would have been better off just keeping your mouth shut? While I appreciate the disclaimer and your being up-front about it, you seem to think that even though you can only speak superficially you will still have something valuable to say. Do you tend to think pretty highly of yourself? Are you a card-carrying member of Mensa?

                    But I’d always be very careful with security stuff. One byte overflows and other stuff you might not think is exploitable, can be exploitable, there’s a history of CVEs to prove this.

                    Oh, you’re a security expert, thank goodness you’re here! I can’t wait for you to tell me how wrong I’ve been doing everything security-wise.

                    I’m not a cryptography expert

                    Oh, OK. Security expert, yes. Crypto expert, no. Got it.

                    I ended up removing the AESEncryptedField in a commit earlier today. Given the fact that it’s got security issues, better to not include it at all than try to half-ass fix it and lull people into a false sense of security. Crypto’s admittedly not my main thing, and it’s not the job of my library to implement it, either.

                    I believe at least on mysql I could easily write an injection that doesn’t use whitespaces (I’m a bit rusty on this stuff). So if a user could supply a table name, that’d be very likely exploitable (again, not sure how your ORM handles table names exactly, so this might not be an issue [and you shouldn’t let users control it in the first place {but…}]).

                    The user never supplies the table names. The pwiz tool is used by the person who is implementing a tool with the help of peewee. It’s used to get a jump-start if you have a pre-existing database and want to just spit out some bare-bones peewee model definitions to get working faster.

                    I’ll trust your judgment that the invalid table names could not have been exploitable for SQL injection

                    That particular issue was for “pwiz”, a little code-generation tool bundled with peewee. It takes a pre-existing database and does its best to spit out the corresponding Peewee model definitions. The issue was that if a table name had spaces, it would produce invalid Python code because Peewee names the Model objects after their tables. So the fix was to ensure that when we see a table name with a space, we don’t auto-generate an invalid Python class name.
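The pwiz bug described above (a table name with a space producing an invalid class name) comes down to turning an arbitrary table name into a valid Python identifier and then checking the generated output. The following is an added example, not pwiz’s actual implementation and not from any commenter: it derives a class name, handles leading digits, keywords and collisions, and compile-checks the generated module. The table names are constructed, and the generated class body is illustrative rather than any ORM’s model syntax.

```python
import keyword
import re


def class_name_for_table(table: str, taken: set) -> str:
    """Derive a valid, unique Python class name from an arbitrary table name.
    `taken` collects names already issued so that 'user data' and 'user-data'
    do not both become UserData."""
    # CamelCase on every run of characters that cannot appear in an identifier
    # (space, dash, dot, quotes ...). Non-ASCII is dropped to keep it simple.
    parts = [p for p in re.split(r"[^0-9A-Za-z_]+", table) if p]
    name = "".join(p[:1].upper() + p[1:] for p in parts)
    if not name or name[0].isdigit():
        name = "T" + name            # empty after stripping, or leading digit
    if keyword.iskeyword(name) or not name.isidentifier():
        name = name + "_"            # e.g. a table literally called "None"
    base, n = name, 2
    while name in taken:
        name = f"{base}{n}"
        n += 1
    taken.add(name)
    return name


def render_module(tables: list) -> str:
    """Emit one class per table. The class body is illustrative only and is
    not the model syntax of any particular ORM."""
    taken = set()
    lines = ["# generated from table names (illustrative)"]
    for table in tables:
        lines.append(f"class {class_name_for_table(table, taken)}:")
        lines.append(f"    source_table = {table!r}")
        lines.append("")
    return "\n".join(lines)


def compiles(source: str) -> bool:
    """The check a generator should run on its own output before writing it."""
    try:
        compile(source, "<generated>", "exec")
        return True
    except SyntaxError:
        return False


# Constructed table names: the space case from the thread plus a few other
# ways a raw name fails to be an identifier.
TABLES = ["user data", "user-data", "2fa tokens", "None", "class"]

if __name__ == "__main__":
    print(compiles("class user data:\n    pass"))   # the original failure
    print(render_module(TABLES))
    print(compiles(render_module(TABLES)))
```

Keeping the original table name alongside the derived class name matters: the class name is only a Python-side label, and the generator must never feed the sanitized form back into SQL as if it were the table’s real name.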

                  2. [Comment removed by author]

                    1. 2

                      Peewee supports crypto in three places. The first, and best, is via SQLCipher, which is just a modified SQLite library that supports encryption – peewee doesn’t handle any of the crypto, it’s all in the database. The next best is the PasswordField object, which uses the bcrypt library for secure password hashing. The last and, as was brought to my attention, least secure seems to be AESEncryptedField. I was following the docs from pycrypto but it seems there are some best practices I was not aware of in terms of padding etc. It may be best to just remove AESEncryptedField and force the user to do it themselves, outside the purview of Peewee…

                    2. 2

                      Ended up deciding to remove the problematic field subclass, AESEncryptedField. When it comes to crypto I’d rather have it right or not at all, and I’m sure users would as well.