Threads for birkelund
-
There’s really a problem with this blog post. I don’t know how it’s technically done but having to wait several seconds every time you display the tab is why almost nobody will read it.
-
It is actually super-high-level web development. Kudos to @tedu for pulling it off.
Pages are progressively enhanced using JavaScript if it is available. If it isn’t, users can still read the page. If JS is available, then UX is enhanced with a realtime loading indicator, much like the ten-pixel-bars top bars that are on many pages.
After all, in this Third Age of JavaScript, we cannot simply trust the browser to render the page. We need to tell the user the progress of that.
-
var delay = 100 switch (progress) { case 70: case 73: case 76: delay = 250 progress += 3 break case 79: delay = 500 progress += 2 break case 81: progress += 14 break default: progress += 5 break }I have to give props for verisimilitude. And for teaching me where to find uBlock Origin’s “disable javascript on this page” function.
-
-
-
I mean, just so we’re all clear, it’s something between a joke and a protest statement, and what you’re complaining about is entirely the deliberate point: it’s a perfectly fine, instantly rendering webpage that’s being “progressively dehanced” by the presence of annoying JS.
-
-
-
-
-
-
What’s really weird is all the markup appears to be there, and the loading is just for…giggles?
-
-
-
When you have a self-signed certificate, you are expected to trust it on first use, and then the web browser remember it.
If the web browser remember the certificate of a website, noone, including a MitM possessing the key of a certificate trusted by your web browser, noone can tamper the connection anymore.
So you suddenly jump from a situation that looks suspicious security-wise, to one that can face the NSA kind of attack vector.
Of course, in the case of a MitM situation, your “accepted security exception” situation (self signed but trusted manually) would turn into a “green padlock” (certificate signed by the MitM) situation, and I doubt many will choose the “padlock with yellow cross” over the “padlock with green check mark”, even if icons barely have any accurate meaning on their own…
Simply wandering on an off-topic… Not actually meaning that Cloudflare should switch to self-signed right now… Oh, wait, Cloudflare are self-signing, they are their own trusted certificate authority…
-
-
Just use links? ;)
-
-
Writing good shell scripts takes a lot of discipline and effort if you ask me. On the long run, after some practice it becomes easier though. I disagree with using
bashidioms everywhere though. POSIXshis sufficiently complex to do everything you need, whill keeping things simple enough so you don’t get surprised by bash’s « cool features ».An example would be rhe
[[ ]]constructs, which can be very misleading:chmod 0400 file.txt # format %a returns permission in octal mode mode=$(stat -c %a file.txt) if [[ "$mode" -eq 0400 ]]; then echo "File is read-only!" fiI think that all the bash features turn shell scripting into a full language, which it is not. Shell scripting should only be some glue between actual programs, where the actual logic is. Another advice I would give is to try to keep every shell script under 100 lines, so they remain manageable and auditable. More lines usually means that the programs you are wrapping are lacking some features, or are hardly composable.
-
Another advice I would give is to try to keep every shell script under 100 lines, so they remain manageable and auditable. More lines usually means that the programs you are wrapping are lacking some features, or are hardly composable.
Yes and no. My current project has several tens of thousands lines of bash, with some scripts in several thousand line long. And those are just calling external programs and piping them forward, doing simple if statements occasionally.
-
An example would be rhe [[ ]] constructs, which can be very misleading:
chmod 0400 file.txt # format %a returns permission in octal mode mode=$(stat -c %a file.txt) if [[ "$mode" -eq 0400 ]]; then echo "File is read-only!" fiNot sure what you mean by
[[and]]being misleading in this case? It’s not the fault of bash that you are comparing0400(an octal number) with400(a decimal number)?-
I mean this:
bash-5.0.3$ [[ '0400' -eq '400' ]] && echo decimal || echo octal octal bash-5.0.3$ [ '0400' -eq '400' ] && echo decimal || echo octal decimalNote: I know and understand what’s going on here. But this is definitely misleading as some people tend to use
[[ ]]without even thinking about it, or understanding how anifblock is supposed to work in shell. For example, I have seen this a huge number of times:grep -q 'foobar' file.txt if [[ $? -eq 0 ]]; then # do stuff fiThis could be (in fully POSIX shell):
if grep -q 'foobar' file.txt; then # do stuff fi-
I would argue that
[[and]]is doing the least surprising thing here because it is actually evaluating the arguments when in an arithmetic context. It’s the same with$((0400 + 1))evaluating to257and not401.Interesting, in zsh,
$((0400))evaluates to400, even though$((0x400))evaluates to1024. Now that’s surprising and kinda buggy! But that’s why I don’t write shell scripts in zsh ;)-
That’s indeed surprising of
zshbecause the arithmetic expansion$(( ))is the only place (according to POSIX) where octal numbers are to be interpreted by the shell.Interestingly,
mkshdoes the same aszshhere, and express it explicitely in the manpage:Arithmetic expressions
[…]
Prefixing numbers with a sole digit zero (“0”) does not cause interpretation as octal (except in POSIX mode, as required by the standard), as that’s unsafe to do.As for
[[ ]]vs.[ ], this makes sense because[[ ]]is a shell construct, while[ ]is a program (seetest(1)). If the shell where expanding numbers with a leading 0 as octal before passing them to programs, we would be fucked. -
-
-
Note: I know and understand what’s going on here. But this is definitely misleading as some people tend to use [[ ]] without even thinking about it, or understanding how an if block is supposed to work in shell. For example, I have seen this a huge number of times:
grep -q 'foobar' file.txt if [[ $? -eq 0 ]]; then # do stuff fiYes, this is absolutely horrible and stems from the fact that people do not know that all
ifis supposed to do is execute its argument and respond to the return value.Some trivia for geeks:
if [ 42 -eq 41 ]; then ...is actually just executing/bin/[with the four arguments"42","-eq","41"AND"]"./bin/[simply ignores]as syntactic sugar. Example:sh-5.0$ /bin/[ 0 -eq 1 ]; echo $? 1
-
-
-
-
I really dislike websites that don’t even pretend to work without javascript enabled. This site gives you a 100% blank page with JS disabled. They don’t even bother to tell you, hey, we hate your non-JS ways, so you can’t play here. Who cares about accessibility or sanity.
-
-
It’s just a discourse server, and a relatively vanilla one it seems at that. Whether nojs works is probably just however much discourse is designed to support it, and not a decision of npm.
EDIT: Discourse supports nojs fine, zie’s browser is just misconfigured
-
Just to wrap this up, I agree, my browser is sort of misconfigured, I used uBlock Origin with the global setting, and it does not work, nor does imgur, and a bunch of other websites.
I went digging around the various extensions/addons for other options, and I settled on LibreJS[0].
similar to noscript, it allows some JS to run, but unlike noscript it doesn’t automatically trust random corporate websites just to make users lives easier. Plus the UI is a lot easier than noscript, and allows one to easily see the source of the JS(both the URL and the actual JS source code) before whitelisting it..
So I think this is maybe the best of both worlds. imgur and other sites basically work, you can easily whitelist specific things as needed, and by and large most every JS 0day exploit will be a non problem.
Thanks everyone for helping me better understand the crazy insanity that is browsers and JS these days.
-
-
-
-
-
It’s almost like the content of the email is what I’m there for :)
-
-
-
That’s strange, it worked fine for me https://i.imgur.com/lmC3FID.png
-
-
I linked you directly to the image, there is no html let alone javascript on that URL. You can curl it if your browser is misconfigured to just block all imgur domains.
Relevant headers:
HTTP/2.0 200 OK last-modified: Fri, 28 Jun 2019 15:07:43 GMT content-type: image/png date: Fri, 28 Jun 2019 16:08:22 GMT server: cat factory 1.0Cat Factory 1.0, great name for a web server.
-
Imgur has been redirecting direct image links to the main site for a while now (see https://minimaxir.com/2014/02/moved-temporarily/.
I couldn’t reproduce the redirect using curl, but clicking that link on the browser will go with the redirected version.
-
-
From FF, it redirects to the full page, and the image doesn’t display(assuming you have JS totally disabled). Which makes imgur totally broken, the entire point of using a site like imgur is the showing an image.
AKA imgur is totally unusable without JS for anyone in a browser.
The noscript FF extension and others actually do allow some JS to run, by default, to fix broken sites like imgur.
But uBlock Origin, which totally disables JS(if you set it as a global default) imgur doesn’t serve it’s primary purpose of showing an image.
Unless you re-think their primary purpose is to make money, not show images, and then maybe they are doing just fine.
-
-
-
-
-
-
-
disabling JS and just blocking scripts
OK I think what you are saying here is 1st party JS vs 3rd party JS? Or are you trying to say something else?
I’m not really up to speed on JS and browsers, as I basically just leave it disabled all the time unless I really need to see some site that requires it.
I use Ublock Origin, and it’s settings near as I can tell is just all on or all off.
-
-
Not that it’s blocking it specifically, more that js is “enabled”, but just prevented from loading, so the browser hides the
<noscript>blocks as it it normally would.Weirdly though it sounds like uBO should make the browser show noscript tags: https://github.com/gorhill/uBlock/issues/308#issuecomment-417812479 Maybe “that new per-site switch” isn’t what you’re using, zie?
-
Right, I disable JS globally, not using a per-site switch. the per-site switch requires you to at least load the JS once, to even get access to the switch. That is a terrible security position. This story[0] is a good reason why.
0: https://lobste.rs/s/vi8ybf/i_was_7_words_away_from_being_spear_phished
-
-
-
-
-
-
-
-
-
It would also be a way better email if you dropped all the HTML shenanigans.
Composing better emails? Plain text should be number 1 on the list.
-
Personally disagree on this. A proper HTML link is almost always cleaner than “(see link below)”. You can’t underline stuff (you can “put asterisks around stuff” but…). Sometimes you want to just reference an image inline!
There’s a reason that word processors are a big business. Laying out a message nicely aesthetically is valuable for human consumption! The answer to “people always misuse HTML layout” isn’t to get rid of HTML layouts, it’s to teach people how to use it nicely!
-
-
I will admit to preferring plain text, but if HTML is used sparingly, it’s fine. That said…
A proper HTML link is almost always cleaner than “(see link below)”.
This is true, but practically no one does this. Certainly in the 10+ years I’ve been working in corporate environments, no one makes the effort to do a proper link.
The answer to “people always misuse HTML layout” isn’t to get rid of HTML layouts, it’s to teach people how to use it nicely!
That time has come and gone. The only way this is likely feasible is if you change the tools in some way. Teaching people to use something “correctly” when there are a myriad of (easy) ways to use it incorrectly is a losing battle.
-
-
Sorry to be blunt, but I don’t think it’s good that plain text email is such a shibboleth that you can say the equivalent of “I prefer plain text email” without giving any justification or discussion, and it will be the top comment on an article.
There are good arguments against HTML email, there are good arguments that we should support some form of formatting, whether or not it’s HTML (see the sibling post by rtpg). Whichever view is right, I don’t think it should just be assumed without any attempt to argue for your opinion.
-
I’m all for formatting. I regularly use markdown-style formatting in my plain text mails, and I’m an avid user of references[1] for links.
HTML formatting in emails is an abomination. Period. It’s a hack. It causes all kinds of issues; it enables phishing, automatic “read notifications” that you did not approve of and difficulties for people with a need for screen readers, just to name a few. Not to mention the security vulnerabilities in clients that have resulted from trying to support this crap.
[1] Like this.
-
-
I agree but this is not realistic in a world where everyone usees Outlook. I swam against the tides and ran mutt at work for years, until one day I missed a critical update from my manager that used rich text to denote something in red.
IMO This is a lost cause, but feel free to rage against the dying of the light :)
-
-
Alternatively, you can go work somewhere where the managers use mutt. :) https://boards.greenhouse.io/wikimedia/jobs/1623040
-
-
IMO This is a lost cause, but feel free to rage against the dying of the light :)
Don’t worry; I will! https://p.hagelb.org/line.jpg
-
-
It is of course unfortunate that you missed such an important update. This is where it would make sense to use the Subject header to emphasize the importance of the message, such as the use of [URGENT] or [CRITICAL].
I totally agree that this is a lost cause, but yeah, I will continue to fight for the cause :)
-
It is of course unfortunate that you missed such an important update. This is where it would make sense to use the Subject header to emphasize the importance of the message, such as the use of [URGENT] or [CRITICAL].
It had that, but as I said in the post, it was like:
Blahblahblah
<SUPER CRITICAL STUFF IN RICH TEXT COLORED RED THAT MUTT CAN’T SEE>
blahBLAHblahblah.So yeah, no hope at all other than “Don’t use rich text.”
In my work environment, I know of literally maybe 2 people in a team of 150 who use mutt. I don’t know what the stats are for the wider company, but I know it’s a TINY fraction.
Expecting my manager to cater to my needs and preferences to this extent is unreasonable in my book.
-
maybe 2 people in a team of 150 who use mutt
OK, but how many are colorblind?
-
You’re preaching to the choir.
I personally think leaving critical information to the vagaries of color is a mistake, but it wasn’t my call. I just need to roll with the punches and deal with the technology environment I’m given.
Yes, I know, I could go work over at $PERFECT_COMPANY and all manner of things would be well, but having to run Outlook and deal with rich text in my E-mail isn’t enough to blunt what is otherwise a really compelling value prop for me in this job.
-
-
-
-
-
-
A long, long time ago, I had a boss who would say “This Linux thing will never catch on because no one knows how to pronounce it. LIE-nux, LEE-nooks… DEEB-ian, deb-EE-an… it’s doomed.”
He may have been right for the desktop… (-:
-
-
-
-
If you walk around Apple HQ saying “oss ecks” (with the “oss” being the same sound as in “hoss” or “cross”), people get really mad at you. I’ve also been saying “eye oss” for so long I’ve forgotten it was initially a joke, and have probably weirded out a few coworkers after I switched jobs.
-
-
-
Not just consensus, that’s how Apple employees pronounced it in keynotes.
Now, I know that’s basically the “GIF argument”, but “OS Ten comes after OS Nine” actually makes sense, unlike “Jraphics Interchange Format” :)
(and now it’s pronounced mac-O-S anyway)
-
-
-
I’ve found that the Canonicalize-family of options are my best friends.
CanonicalizeHostname yes CanonicalizeFallbackLocal no CanonicalizeMaxDots 0This allows me to do stuff like
Host *.domain.tld User ansible IdentityFile ~/.ssh/ansible Host host1 host2 host3 HostName %h.domain.tldSuch a setup allows me to not rely on the system resolver for hostname lookups. It works by canonicalizing hostnames and then re-reading the configuration file. You can see how this is done with
-vand how options are applied. But most importantly, it allows me to easily overwrite the default options for some hosts. Something that does not “just works” without theCanonicalizeHostnameoption.Host gerrit.domain.tld User birkelund Port 29418 KexAlgorithms +diffie-hellman-group1-sha1 IdentityFile ~/.ssh/id_rsa
-
WTF? You have to sign in to read medium articles now? Do they think this will make me read more articles? Sigh, another domain for the shit list.
(Nobody else complaining out of politeness? Or you all signed up already? Or did I just win the A/B lottery?)
(So it seems to come and go. When I’m “lucky”, it says “you’ve already read one article this month. Sign in to read more. Sign in with Google. Sign in with Facebook. Sign in…” but there’s no way to avoid signing in. Switch browsers, no popup.)
-
-
-
It doesn’t ask me to sign in (Safari on iPhone), FWIW.
-
-
-
-
I suggested a title change for the link to add (2014) to it…
-
-
They have a StartCom SSL cert on ipfs.io.
-
-
Now to wait for the sidebar patch to be finished for 1.6…
-
-
karelzak’s patched version of mutt adds notmuch integration making it stupidly fast, even with huge mailboxes. It’s based on the development version, so I think everything in upstream v1.6 is included.
-
Copenhagen, Denmark.
-
alynpost
edited
7 years ago
|
link
| on:
Fix your OpenSSH client for upcoming client advisory: CVE-2016-0777
-
-
This is extremely interesting! I’d like to take a look at the diff–anyone have a link? Given the succinctness of the plege interface, I assume its minimal, but strategic.
-
-
Wow! Thanks for the direct pointers!
-
-
-
Someone please explain this one. I’m going crazy.
edit: BTW - same behaviour on python3 (3.4.4).
-
This is a great showcase for httpd(8) actually. I don’t think I’m the only one who has fought a fight with nginx or apache to get cgit running nicely.
-
Very nice. The lobste.rs interface isn’t too bad on mobile already, but I’d love a native implementation. Great work and I look forward to testing out the beta.
-
-
-
-
-
I actually pushed an update for it recently enough (June 2nd), after someone emailed me with a request. I guess I forgot to push the source to github though.
I swapped to iOS recently, so haven’t been actively developing, because I don’t use it. But I’m happy to update it if people have suggestions
Edit: pushed latest to dev branch ….
-
-
-
Thanks! The invites are on their way!
-
-
Learn You Some Erlang for Great Good is also worth mentioning here then :)
This seems bad? C should copy D’s scope, not Go’s defer.
Why? Because you like it better?
edit: I happen to like Go’s defer, but I have no technical arguments to why it would be or would not be superior to D’s scope feature, so I’d be interested in any such arguments.
Go’s defer is function-scoped. You can’t use it for block-scoped cleanup.
True. However, the proposal here does not rule out block-scoped defers (see 5.1), but leaves it implementation defined whether to allow it.
This code would compile and run successfully with or without block-scoped defers, but it’s good and safe code in one case, and an enormous bug in the other. Is it a good idea to leave that (quite important!) semantic distinction up to the implementation’s discretion?
edit: This isn’t aimed at you, birkelund, but rather a more general observation.
My reading of the spec (see 3.1.4) is that the code would either compile and do the right thing (i.e. cleanup on each loop iteration), or not compile (with an error along the lines of “defer only allowed in top-level function bodies”).
Oh! Interesting, thanks for the clarification.
If I’m reading this proposal correctly, there’s no way to do defer without dynamically allocating memory.
Zig’s defer is better - no dynamic allocations necessary.
Honestly - and I say this as a heavy Go user - Go’s defer mechanism for ‘catching panics’ sucks. D’s scope mechanism provides a much cleaner way to specify in which situation (success/failure) the deferred function should run, as well as providing more granular scopes as someone else pointed out.
With all that said, I think I like Python’s context managers the best, as they provide simple rules to define the scope and allow hiding of state management inside of a library.
On top of that, I never understood why defer needed a function – just give it an expression.