Threads for Helithumper
-
PyCon US :D
-
I think this is an example of a feature that wouldn’t be heavily disagreed upon if someone added it. It’s a benefit without much downside. that being said I don’t want to be the person who adds it.
So then the question becomes “Why are we having a discussion about the addition of a feature that hasn’t been written yet”. Let’s have that discussion in a PR when someone adds it :D
-
-
Somehow I missed the whole passkeys thing that’s been in dev preview for a year. Yeah, so it’s their soft WebAuthn token. The FIDO alliance now endorses those, calling them “multi-device FIDO credentials” But the interesting part is the whole usage on random PCs thing. According to FIDO FAQ,
An update to the Client to Authenticator Protocol (CTAP) called “caBLE” will leverage Bluetooth LE (BLE) to enable cross-device, cross-ecosystem credential usage.
Turns out work on this has been going for a couple years now. It’s still oddly difficult to find info about caBLE. What’s especially interesting is that they showed some QR code thing on stage. Apparently both QR codes and BLE are involved?? Somehow?
-
I don’t think it’s their soft WebAuthn token, but their hard WebAuthn token using the TPM on the mac. They’ve had it for a few years now I just don’t think many people used it.
-
Not few years, one year of developer preview.
Well.. it’s sort of “hard-ish” in that the Secure Enclave might be used for the operations. But the private keys are synced via iCloud (again, multi-device credential), so they’re not locked in the Enclave.
-
-
I’d say 2 years since it was released at least before July 1, 2020 and that definitely wasn’t a “developer preview”.
-
You are talking about different things. Support for device-specific WebAuthn tokens has been around for several years (I have used this functionality for a while now). Experimental support for ‘Passkey’ (WebAuthn tokens that sync through iCloud Keychain to multiple devices) has been added to macOS 12 and iOS 15. But you have to enable support through the
Developoption in Safari on macOS and something similar on iPhone. This functionality was announced last year in a WWDC session:
-
-
-
-
-
ianloic
11 months ago
|
link
| on:
C++20’s parenthesized aggregate initialization has some downsides
Can we avoid posting this author’s blog posts? Without going into details, his presence in C++ community spaces has caused problems.
-
-
I’m guessing this is in relation to his criminal history. I understand the reason of why not wanting to discuss details and in this case I do understand your concerns. Could we avoid posting this author’s comments?
-
-
-
Subdomains as identity leaks information about the requested path via DNS.
https://example.com/saysbadthingsaboutbadpeopleinpower - DNS request is for example.com, TLS connection prevents request information from leaking
https://saysbadthingsaboutbadpeopleinpower.example.com - DNS gets the requested user
I am fortunate to live in a country where the latter is extraordinarily unlikely to be immediately actionable by law enforcement and my action is protected by well-established law.
Moreover, a path-based identity is better for marketing. Put the company name first so people know “Oh, right, Example, that social media platform,” and not “SomethingIdontreallycarethatmuchabout on Example.”
-
-
-
I’m definitely not an expert, just a curious observer. But if everyone used DNS over HTTPS, would this no longer be an issue? DoH does have some problems though (centralization, can be blocked, SNI leaks, etc), and I’m not sure how widespread it is.
-
-
-
Or DoT or DNS over Tor or any other privacy solution.
Breaking websites is not the solution.
-
-
-
I’m always wary of these “always” and “never” essays.
Instead of going down that route, why not set up a code budget before you begin and stick to it? After all, it’s one thing to spend a couple of coins on some bubblegum on your way to work. It’s something else entirely to invest in condominiums. There are lots of examples in life where we have limited resources and expect a limited return. We use budgets to allocate limited resources to return limited value. Why don’t we treat code the same way?
For my personal work, I budget 50 lines or so of bash to any project. If it goes beyond that, I’m coding in a higher-level language (which I also budget to as a way of keeping track of whether I’m compartmentalizing enough) If I were coding commercially, I’d drop that budget by half or more.
You run into problems with any programming language when the amount of complexity you’ve grasped outreaches your ability to understand it. With signals, string mangling, and the rest, that happens pretty quickly in bash. That doesn’t mean it’s a bad language. These are just risks that need to be managed.
Instead of shunning or loving some language, find a way to guide you to know when enough is enough, ie, it’s time to refactor or move to a different platform. Then stick to it. It’s the people who can’t help themselves but keep taking on more and more complexity in their code over time that are the ones to worry about, no matter what tech they’re using.
-
I believe that this isn’t an “always” and “never” essay, but rather a list of bad and good practices. In the last section the author covers the scenario you describe (50 line bash budget).
I don’t think any reasonable author would say “never” use bash, however the article points out how it may not be the best choice to use bash in many scenarios, thus “Please stop writing shell scripts” instead of “Do not write shell scripts”. It’s a persuasive essay, not an authoritative, commanding essay.
-
-
https://gchq.github.io/CyberChef/ Run mutations on inputs in your browser. Lots of useful little operations.
-
I find that even when I’m not thoroughly developing tests for my code, I’ll usually have at least a handful of general tests running fairly often just for a sanity check. Having a one-click “Does this run in a semi-reasonable manner” is really useful.
-
Not sure if this is newsworthy. Looks like a fairly standard medium/low security patch. Am I missing something?
-
I’m trying an implementation of this out and I don’t know how performant this was for the author. Nowhere in the article details execution time, but adding (most of) the english language as ORs to a Z3 solver is not very performant. I would be interested in a follow up to the article detailing performance issues / improvements.
-
Screenshots would be pretty boring, it’s just stock Windows 10 with auto-hiding taskbar and no desktop icons on the desktop, XMonad with a very basic config on one laptop and stock Gnome on the other (we don’t talk about the third laptop), so here’s my battlestation. We have:
- Two LG monitors, the big one’s new and it’s 1440p and 144hz. Behind them there’s a two-arm monitor stand. The LG monitor on the side is not VESA compatible so I had to get a bit creative to mount it like that.
- Three mice: the big trackball is a Kensington Expert and it’s for normal use on the desktop, the most normal one is a Razer Deathadder is for videogames and the small trackball is a Logitech Ergo M575, which I normally use at work with the laptop.
- A 90x40cm mousepad, very nice and comfy.
- On the ground, a cheap foot pedal with three buttons that I mostly use for push-to-talk and to take screenshots. I’ve tried using it more actively but it’s a bit awkward.
- A mic arm with a very hacky hook for hanging the headphones (just out of the picture).
- A Raspberry Pi with a passive cooling case under the desktop tower.
I’m planning on moving and getting a new desk, so hopefully there will be some big changes next year. Bonus points for recognizing all the characters :)
-
-
I used to use the Kensington and switched to the logitech ergo, tempted to switch back b/c the ergo causes my thumb to ache whereas the kensington did not.
I wish they would make the new kensingtons with the bearings / wheels from the older models (Kensington Turbo Mouse Pro) where you could spin the ball like you were playing goldentee on your desk.
-
-
Have to second you on that one. I have the Kensington and the M570 and would take the M570 if I had to choose. However, I also purchased a Ploopy Classic last year and it is wonderful. It really knocks both of the others out of the fight for stationary use. It’s the rollers (vs. the bearings on the other two) that really make a huge difference for me.
-
-
-
Throwing mine on the pile: https://imgur.com/a/as7fPJe
Built a desk into my shop when we all started WFH. No screen shot because there’s not much to see: swaywm on Fedora with Alacritty+tmux+NeoVim fullscreen on workspace 1 and Vivaldi fullscreen on workspace 2. Workspace 3 is for Zoom. All of it’s been themed with Dracula.
Hardware is a maxed out System76 Meerkat, Dygma Raise keyboard, old (2010) Logitec MX mouse, and LG 27UD68-P monitor. Hanging on the all behind the monitor is an Intel NUC w/ RTX 2060 for gaming. The display stuck on the ceiling is for the WS-2902C weather station mounted outside the shop.
-
Coworkers: “Where are you located”
sprsquish: Pulls out Banjo -
It’s impressive how much those air filters pull out of the air when they’re strapped onto a box fan like that. I tried it a few years ago out of curiosity and was appalled by how quickly the filter had to be changed. Been using them pretty much continuously ever since.
-
-
-
2022?
-
-
-
I don’t know what you’re talking about. It’s still April 2020. I’ll be back in the office in no time!
-
-
IMHO, this is one of the critical parts of an install script that I see missing constantly. Homebrew doesn’t by default do any signature checks on what it’s downloading. Docker’s install used to be a curl | sh as well.
I first thought about this when seeing people’s (especially Golang) NixOS files which included a statement like the following:
src = fetchgit { url = "git://github.com/NixOS/nix.git"; rev = "1f795f9f44607cc5bec70d1300150bfefcef2aae"; sha256 = "1cw5fszffl5pkpa6s6wjnkiv6lm5k618s32sp60kvmvpy7a2v9kg"; }I may be wrong here and there may be signature checks under the hood, but I feel like building this mechanism into the curl | bash would be a huge bonus. I wish more programs (and especially homebrew) did this, but would like to hear if there’s a solid reason why not (there probably is).
IMHO:
curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh?version=X.X.X | inline-md5sum MD5SUM | sh -"would be a much more robust curl to bash as it would include the current version (fully reproducible curl | bash-es) as well as a quick signature check. Heck, you could even have the signatures posted elsewhere or tied to PGP/AGE.-
-
Yes, that’s correct, however unlike NixOS, Homebrew does not provide a signature for itself in an easy manner to perform a signature check. With NixOS it’s either a.) provided right next to the download button or b.) you can perform your own because you are building the ISO yourself.
If you cannot verify the Homebrew installation itself, then it doesn’t really matter if the posted dependencies have signatures because an invalid homebrew installation could do whatever it wants re: Reflections on Trusting Trust.
-
-
IMHO, this is one of the critical parts of an install script that I see missing constantly.
md5 is not, and should not be used as, a meaningful “signature” for authenticity. it might be useful for verifying if the download was not corrupted, but it won’t give any indication of whether the file was tampered with in transit, etc.
-
-
This is good, but it, IMO, should be SHA256 or Blake2 instead, which are considered cryptographically strong unlike MD5.
-
Since this is just a validation script you could theoretically make it generic enough to process a handful of different hash types so that it’s more compatible.
-
-
-
Yeah, but how would that help you run a script where the MD5 was provided :)
-
-
This is always very delightful to read. I really enjoyed the “proof” in 20:09 on page 68 why RSA is the devil’s work. :)
-
I’m not sure what the origin of this is, but I originally saw this almost word for word in 2019: https://www.youtube.com/watch?v=lElHzac8DDI.
Edit: Just realized the author is the same, it’s basically a text form of the linked youtube presentation.
-
-
Could probably be a response in https://lobste.rs/s/ngrid5/rce_0_day_exploit_found_log4j_popular_java?
-
While the triggering event is the same (log4j CVE), I think that the content differs enough to be an independent post.
-
-
This post confused me initially b/c I could swear Filippo worked at Google now. Turns out the article is from 2016. Could the title be edited to match that to clear up any confusion?
-
-
Scrolling with the mouse wheel in KDE’s volume mixer applet scrolls through both devices and levels of devices.
I wonder what’s the good way to solve that one on the UI level. I really like that KDE allows you to scroll both on the volume bars and on the volume icon itself. (Which other systems don’t do)
I guess at least “don’t change volume until position scrolling has finished” check could work… But that may feel as clunky as the typing-timeout-based touchpad disabling.
I like the list and the challenge. I’m sure it will cause more pressure on some long-standing papercut issues. Apart from some really frustrating parts where Linus knows just enough to overcomplicate things and self-sabotage (like the GitHub part), it’s a fun UX study. I’ve had to start using Windows recently for the first time since w2k and I’m making my own list of WTF issues.
-
I need to go back and double check what his issue was, but maybe a modifier key (ctrl perhaps) or a middle mouse click to switch between the two options?
-
It’s basically: if you scroll the list of volume and your mouse goes over a volume slider, you’ll start scroll-adjusting that volume slider instead. You learn to scroll with the mouse on the side of the window quickly.
-
-
-
Nice setup, releasing 1.0.0 on may 15th 2015, and then making new releases every 6 weeks just to release 1.69.0 on 4/20.
It’s not planned - Rust introduced a 6 week cycle on Friday, Jan 9, 2015, and released every 6 weeks after until one version was considered safe to call it 1.0. https://blog.rust-lang.org/2014/12/12/1.0-Timeline.html
I don’t think I’m ever going to be adult enough to not chuckle at this kind of thing.
Oh my god I didn’t notice the date
I hadn’t spotted that either - brilliant!
What’s the symbolism behind 2015-05-15? I know about 69, 4/20, and May the 4th but that one escapes me.
Nothing that I’m aware of, I just meant that it’s 6 × 61 weeks from 1.0.0, making it seem calculated from the start of the 6 week schedule (I don’t know if it actually was).
It’s just fun to have the pattern of 5-15-15 I think.