Threads for breck
-
I can’t flag this as spam due to some CSS problem, but this is spam. The pldb.com domain has already been banned and this is a brazen attempt to get around it.
-
Interesting! I didn’t know PLDB.com domain has been banned from Lobsters. Thank you for the information.
I’m not sure if it makes sense to ban a website that is public domain, open source, ad free, cookie free, tracker free, and that you and anyone can
git clone https://github.com/breck7/pldband even host on your own local server or your own mirrorhttps://pldb.com/pages/mirrors.html.Because it may be so hard to ban (it would be like stamping out an idea by burning books), given the above, perhaps the mods should consider building some sort of UP/DOWN voting system, to deal with this huge spam problem, which by my count has gotten as high as gulp, 2 submissions per day?!
-
-
Interesting that the growth data is pretty smooth over time.
I would expect it to be quite noisy due to hype cycles, development of new tooling, and the difficulty of deciding what counts as a notable programming language.
-
I agree. I expected more volatility. The dataset is still not even half complete, of course, so will be interesting to see how it develops. I’ll also make it so you can drill in more.
That’s a good thought on tooling’s impact. 1995 (when web started taking off) was clearly a big year for languages: https://pldb.com/lists/languages.html?filter=1995
It would be fun to look at hype cycles in the data!
-
-
Looks clean and loads quickly. Contrast is a little low due to the light-grey background, but maybe that’s because of my font settings. The selected languages (“Top Languages”) are packed with good highlights and represent a nice cross-section of popular languages that should serve as good entrypoints to the database.
-
-
Public domain products are strictly faster to use than non public domain products. Not just faster, orders of magnitude faster.
While I agree with the general gist of your argument, you’re building a tripod of support and this one seems unsupported. I think most people can figure out the trust and cost legs, but why is PD strictly faster?
-
Very helpful feedback, thanks!
I’ve updated the post;
https://github.com/breck7/breckyunits.com/commit/65bc0aa36eaaa9345350181c444ab0b41c54e434
-
I appreciate the changes, though I’m not sure the updates will carry the day.
When you sum the time savings across all possible use cases of all possible products, you’ll see the orders of magnitude speed up caused by public domain products.
This assumes the time cost of public domain software is effectively zero … that is nonsensical, if for no other reason than, in many jurisdictions, it’s not entirely clear if it is even possible to declare a work to be public domain. If we assume a similarly expansive stance for this thought experiment then you’d have to admit that at least one of the all possible use cases for any public domain product would be one in which the legal system of one (or more) jurisdictions would have to decide on a challenge to the factual basis of the public domain claim. Such a challenge (for instance for SQLite), raised by a sufficiently well-resourced legal team (possibly including the legal team of the jurisdiction itself) could drag on for decades, and might never be decided in the favor of the public domain at all. In that edge case PD software could take an infinite amount of time to use, relative to something less than PD but permissively (if conditionally) licensed.
-
A plan for that: https://breckyunits.com/the-intellectual-freedom-amendment.html
-
-
-
-
-
I’m sorry, but as much as I dislike copyright, I don’t get it.
Trust
You cannot trust non public domain information products. You can only make due. By definition, non public domain information products have a hidden agenda.
What hidden agenda would a software licensed under the BSD-2-Clause have “by definition”, that it wouldn’t have if it was in the public domain?
Speed
Public domain products are strictly faster to use than non public domain products. Not just faster, orders of magnitude faster.
Cost to build
Public domain products are far cheaper to build than non public domain products. Failure to embrace the public domain increases the cost to build any information product by at least an order of magnitude.
Again, I’m sorry but without any attempt at a proof, it is more wishful thinking than actionable information. What sources do you use, what makes you believe that?
-
I think the verbiage can be better around “hidden agenda”. Thanks for the question. Let me explain (and maybe I’ll come up with a tweak to improve the post).
What hidden agenda would a software licensed under the BSD-2-Clause have “by definition”, that it wouldn’t have if it was in the public domain?
Every human has hidden agendas. You can not see inside someone’s brain. I’m not saying most people walk around with evil hidden agendas—far from it. But most people don’t necessarily have your interests at the top of their mind either—why should they, everyone’s got their own problems.
The “BSD-2-Clause” comes with conditions. If you don’t want to follow those conditions, the only way to legally do so would be to seek the permission of the author, who, as a human, of course has a hidden agenda.
Therefore, by definition even a BSD-2-Clause licensed software has a hidden agenda. As I’m assuming that was your best counter, you can follow that the situation is worse as they license gets worse, and most things have worse licenses than BSD-2.
[Not sure if I’ve made a good enough argument, will have to reread this tomorrow]
Again, I’m sorry but without any attempt at a proof, it is more wishful thinking than actionable information. What sources do you use, what makes you believe that?
It’s a fair point. It would be good to build up a big public dataset on this. I think that would make the argument stronger. I have an internal mental dataset from decades of experience but a good ole CSV would be 100x better. I’ve added a commit to that post with a todo and will start that soon.
-
Why must their agenda be hidden, though? Isn’t it possible that people who choose, say, a “copyleft” license like AGPL have a fairly obvious agenda of not wanting modified versions of their software to be run by giant cloud companies without releasing the modified source? That is what such licenses are designed to prevent, so doesn’t it follow that someone using such a license likely just wants to prevent that? Nothing is hidden here, it’s just the right tool for the job.
But if you’re still worried about agendas being hidden in cases like that, would it suffice for the author to have a statement of intent for the software including reasoning around their choice of license?
-
the author, who, as a human, of course has a hidden agenda
Of course, in that sense every human has a hidden agenda. It follows that the author of a public domain work also has one. My point is that, while I cannot see inside someone’s brain, I would guess that those hidden agendas are generally similar whether the software is in the public domain, or licensed under a permissive license.
Edit: by the way, are you familiar with this recent article?
-
It follows that the author of a public domain work also has one.
For sure, but the key difference is that when the product is public domain the author’s hidden agenda is not transferred to the product. The product is free, with zero strings attached back to the author. Even if someone uses a very liberal “license”, say a string 1 micron wide, there is a big difference between 1 and 0.
-
Even if someone uses a very liberal “license”, say a string 1 micron wide, there is a big difference between 1 and 0.
The trouble with that reasoning is that for some of us[1], the 0 is not an option. For example in France, dedicating my work to the public domain is not a thing and using a very permissive license is the best alternative we’ve got.
[1] Perhaps for most of us since, as argued in the article I linked to in a late edit, the situation might not be much better in the US.
-
In the USA, federal agencies cannot hold copyright. For example, when NASA shares photography with us, the data is in the public domain. This might be a good example of a situation where the public domain is superior – NASA is generally considered one of the leaders in space exploration.
-
-
This article is mostly about books but there are lots of exceptions
I believe the real issue is that there’s no “positive” way to declare a work in the public domain in Europe, like in the US for works funded by the federal government. So everything is under copyright until 70 years after the author dies.
-
-
-
-
-
-
Thank you @jmiven for the very helpful feedback.
I just updated the paragraphs about Speed and Cost: https://github.com/breck7/breckyunits.com/commit/65bc0aa36eaaa9345350181c444ab0b41c54e434
-
-
axelsvensson
9 months ago
|
link
| on:
The Power of Indented Heredocs: Markdown, Textile, and BBCode in one file with no escaping
Indentation is one way to avoid escaping. Dynamic quote sequences is another way. Compared to indentation, the advantage of dynamic quote sequences is that you don’t even need indentation, and can therefore cut-and-paste freely with no special editor support for indentation-aware pasting. The disadvantage is that you need to come up with a quote sequence, which can feel less clean than indentation. I tried explaining it here: https://axelsvensson.com/escaping-escaping/
-
Interesting. I think I use a version of “dynamic quote escaping”. For example, I often will save delimited data as “table |” or “table ,” to indicate that the following data is pipe or comma delimited.
Would you say it is equivalent to:
encode(string) => fn(encodedString, escapeRules)Where encode scans the string to be encoded, chooses a safe delimiter(s), and then returns the untouched string along with the delimiting rules?
-
Not sure I understand the question well enough to answer; what is
fn?.You could certainly create a string quoting function that takes an arbitrary string, scans it to choose a safe delimiter, and uses that to return a quoted form of the string without any escaping. Such a quoting function implemented in plpgSQL could for example function as follows:
quote("abc") => "$$abc$$" quote("ab$$cd") => "$a$ab$$cd$a$"
-
-
-
The diagramming support is one of the things I miss most after moving from gitlab to github.
-
Interesting! Didn’t know GitLab flavored Markdown supported that (and more).
https://docs.gitlab.com/ee/user/markdown.html#diagrams-and-flowcharts
-
Gitea also supports mermaid diagrams.
-
-
-
-
-
I pretend that I don’t care about the social features. I really like that you can follow releases and the reaction option is kinda nice (so people can voice their support on new releases, without any comment noise).
I don’t follow anyone, because that’s just adding a ton of stuff into my feed. But honestly it makes me happy when somebody does give me a “star” and I think it’s ok to have this vague indicator of credibility for projects.
But I do actually search on github first when I’m looking for some kind of software I don’t find directly by using DDG. So the network effect is definitely there. Same goes for inter-project linking of issues or commits. And I won’t be surprised if moving my crates.io source to gitlab would decrease the amount of interaction as much as moving it to my private gogs/gitea instance.
-
-
I’m curious what the social features are? I’ve used GitHub since it came out, but have never specifically noticed this
-
follows. watches. stars. networks. there might be more. Github has been on my radar since it came up and these have long annoyed me. I think one of their early slogans was “social coding” and it was irritating then. Some people really like it though.
-
-
-
For me it was largely about switching of culture of my work, shortly followed by me switching companies.
Personally if I were to start again I think I would utilize gitlab again. While occasionally their solutions lack the polish and simplicity of github, The “whole package” of their offerings is really nice. The only consistent downside is performance of certain UI elements.
-
-
-
A nice thing about HTML (and the reason it was picked up by JSX) is that it has both attributes and children. You can think about
<tag attr=value>children</tag>as equivalent totag(*children, attr=value)in Python-like languages. The aftertext format doesn’t seem to have a good way to represent K-V pairs. It only has tags and children and the children are mixed up because they also describe the text they are modifying. There are a lot of ways to add KV pairs to aftertext, but I would think about how shell does it:tag --attr value $children. Using--attrto mark keys is pretty easy to type (that’s why shell uses it), and simple enough to understand.-
I posted something about this in more detail already, but out-of-line representations are generally not appropriate for streaming parsing, they are much better for building a data structure that is then cheap to modify and serialising that data structure. This is what you want to do for a word processor, it’s not what you want to do for a (read-only) document renderer.
-
I don’t think aftertext is ever going to be used for serious document creation, so probably anything will work. If someone writes a novel in aftertext, the chapters can just be individual files, and it would be fine.
In terms of the selection, right now it’s VERB QUOTE, where the QUOTE is an unmarked selector, but since the selector is mandatory for every verb, I think it would make more sense to do SELECTOR VERB MODIFIERS. So for
Hello 'ello 'ello italic elloYou would instead do
Hello 'ello 'ello "ello" italicNote the quotation marks, which can signal the beginning and end of a selector. Once selectors are a mini-language, you can have other kinds of selectors, like
"ello"[3]or whatever.And going back my point from before you can have attributes, like
Hello 'ello 'ello "ello" italic "ello"[2] bold --class my-class "ello"[3] link href=http://example.com -
-
-
-
I was just thinking it reminded me of Tree Language when I noticed it was rooted in scroll.
The most likely reason why this is a bad idea is that it simply doesn’t matter whether it’s a good idea or not. You could argue that improvements to markup syntax are inconsequential.
It’s good to explore. I feel like the people who argue this will unironically post xkcd 927 in the process.
I’m pulling on a related thread (but with inline markup). I’m curious how you think about semantic v. presentational markup, in this context?
-
I’m curious how you think about semantic v. presentational markup, in this context?
In this context, I’m happy to have a simple new way to add presentational markup without worrying about cluttering the text, but I’m more excited about an easier way to experiment with new semantic markups, like footnotes or asides.
In terms of semantics though I’m much more excited about a thing upstream of Aftertext working on next.
I’m pulling on a related thread (but with inline markup).
Always excited to see new langs, if you wanted to share.
EDIT: Sorry I think I misread your question, after seeing justinpombrio’s question about semantically meaningful markup (vs presentational). Will address that below.
-
I haven’t “published”, yet. It’ll go up at https://github.com/abathur/wordswurst when I do, but I am shaving other yaks for the past ~month.
I’m not quite sure what it is. For now it is a few DSLs piggybacking on d★mark and CSS. The thread I’m pulling on is about being able to granularly single-source different kinds of documentation (to whatever extent is reasonable). I say it’s a related thread because it’s also focused on getting presentation out of the text (but the semantic markup stays).
(I do have a very small PoC in a test repo with outputs in a CI artifact if you’re really curious. It’s mixed in with samples of 2 other approaches for comparison and the files aren’t really organized, but if you start from wordswurst.nix you should be able to pick out the relevant files. The other 2 approaches have a similar .nix files.)
-
-
-
-
I will stay out of the mater in discussion. Inline formating vs optional appended formating. What I really enjoyed and will point out, is how properly you layed out you idea. What motivate you to write this, and all the clear reasoning for why you built this the way you did. All pros and cons clearly analysied.
I wish software development would have more of this culture. So many useless projects, so much unnecessary overhead that could be avoided if people had a better culture of thinking before opening their IDE. Keep up.
-
-
-
This is why I’m grateful for a lot of academic work (especially in the field I’m interested in: type systems and programming languages). While there are many issues with the academic publishing system, I never cease to be grateful for the level of quality of work you can find there. It’s always extremely helpful to see a comparison to prior work, and a specification sketched out, along with motivating examples etc. I remember reading this post thinking ‘this reminds me of standoff markup’ and then being pleasantly surprised to see that mentioned under a “Related work” section. Props to the OP for doing this!
-
-
This seems to assume there’s a clear separation between the content and the markup, but I don’t think that’s always the case. For example, everyone recognizes that if you remove the quotes from a sentence, you are liable to change its meaning. But the same could be said about a quote block or code block. And to a lesser extent: italics, which change the emphasis of a sentence, but in extreme cases that emphasis can probably dramatically change the meaning of the sentence.
EDIT: Also, hmm, how do bulleted/numered lists work in this system?
-
that emphasis can probably dramatically change the meaning of the sentence.
Great point! Thanks.
I updated the text with `Another problem of Aftertext is when markup is semantic and not just an augmentation. “I did not say that is different from “I did not say that”. Without embedded markup in these situations meaning could be lost.”
Also, hmm, how do bulleted/numered lists work in this system?
Aftertext and lists are currently orthogonal node types in Scroll. That is a footgun. I haven’t given much love to lists yet. There is only basic support, demo’d here
-
-
-
In general, there are two ways of storing formatted text:
- A data structure that contains a sequence of formatting directives and strings.
- A string and a map from ranges to formatting directives.
These are largely interchangeable in terms of expressiveness, some operations are more efficient on one or the other. The second is common in word processors because you can store the strings as twines, ropes, or similar for easy insert and you can make the range elements relative to the start or end of a fragment so you don’t need to update ranges when you update the text.
Most markup languages are a serialisation of the former. This has a bunch of advantages for a medium that is intended for streaming I/O (you can display text as soon as you’ve read it and you can serialise it out by just walking whatever data structure you have). RTF and Word’s OOXML are (more or less) serialisations of the latter kind of data structure.
The down side of the second kind as a serialisation format is that it’s very easy for the formatting and the text to get out of sync. If you insert a character somewhere in the middle of a document all of the formatting directives that apply to ranges after that must be updated. This makes it terrible for human editing, but not too bad if your model is to read an entire document into an in-memory data structure, modify it, and then write it out to disk.
Aftertext tries to avoid this problem in two ways:
- It puts the markup after each paragraph, so you only ever have to update local things.
- It uses a copy of the text itself as a range marker.
The first of these is quite a nice property, though it has the side effect that markup can’t span a paragraph boundary (and so it can’t express things like a global style for paragraph indent). The second is that it’s ambiguous consider the following toy example:
aftertext Hello 'ello 'ello italics ello italics elloThis renders as “Hello ’ello ‘ello”. There’s no way currently that I could see of saying ‘the second match of this expression’. One could easily be added (e.g.
italic@2 ello) but than falls back to the original problem: if you add any text to this paragraph that contains a marked-up substring then you need to update all of the formatting for this block.All of that said, the author says that this is an experiment to demonstrate the power of the tool. There is a huge value in the second form of markup language for things that are intended to be edited by tooling and it’s great to see that the back end can support things like this. I wouldn’t recommend this specific representation but it’s a great (simple) tech demo for the back end.
-
Well framed context and restatement of Aftertext.
I’d expect if this proves useful something like a
globalAftertextnode type would be added.Your
'elloexample is a great example and a footgun I just hit. Since each directive has its own scope, I imagine I might add some properties to directives, such as:aftertext Hello 'ello 'ello italics ello index -1 italics ello
-
The logical extreme of this is proletext: https://www.templetons.com/tech/proletext.html
(tldr: HTML encoded in whitespace at the end of the line. Not practical except as an intermediate format where you can’t guarantee that the audience has a parser.)
-
So clever^! I had not seen that before. It reminds me of the Whitespace esolang except with a sensible use case.
He also links to “Out of band encoding for HTML” — https://www.templetons.com/tech/oob.html — which is a different way to address the same problem Aftertext tackles except using a “cursor” approach instead of text selectors.
Will update. Thanks for helping flesh out my references in new directions.
^ For the time. Nowadays not practical, as you say.
-
-
Visually it reminds me of
troff(1)directives. -
-
pushcx
Sysop
1 year ago
|
link
| on:
Hypothetical Timing Attack on MariaDB Through Lobste.rs Password Reset
I’m prepping for a work meeting in an hour I can’t miss, but I’ve taken the afternoon off to rush finishing the fix for this. @355e3b has free time before then and has jumped into to help. Sorry to be vague about the in-progress security issue, but I trust y’all understand how that goes. I’ll leave a response to this comment in a few hours with full info.
In the meantime I’ve made the rate limiting much stricter. I’m sorry for the inconvenience and will revert as part of the fix.
-
So, the thing I was talking around is that the potential vulnerability was potentially much worse and we were trying to be thorough about it. Hunter (@355e3b) and I dropped as much as we could to finish that work today.
To start, there was some kibitzing in chat, so to be explicit: we do think this was a potentially a viable attack. An attacker could register a VPS at Digital Ocean to minimize network jitter, the dominant factor in this attack. (Other things that might introduce jitter can multiply the cost of the attack but don’t fix it.) We already see regular probing from other DO VPSs.
A few weeks before soatok’s report, some of that probing prompted me to implement some rate limiting to deal with unrelated abuse that prevented effective abuse of this potential vulnerability. This was easy to extend to password resets. An attacker who can only test four tokens per minute isn’t going to get very far.
Since this was reported, I was concerned that this kind of network timing attack could be used against other tokens. The most important of these is called
session_tokenand is used to authenticate logged-in users on every request. Because this is every possible endpoint and not just the password reset flow, this would not be subject to the rate limit of 4 req/min and could lead to account takeover. We assumed this was a viable attack and Hunter wrote an in-depth mitigation for it.This afternoon I worked on finishing the mitigation and testing the attack, which required a bigger block of time than I previously could to devote to it. I was unable to get the timing attack to work against
session_token(usually pretty straightforward on localhost!) and pulled my hair out for a bit. Eventually I recognized that the attacker can’t execute the attack againstsession_tokenbecause Rails stores the session as an encrypted, serialized value in the cookie. The session cookie isn’t the value of thesession_token, it’s an encrypted blob that can’t be edited by an attacker without being invalidated. It’s a little embarrassing that I conflated the two, but I don’t much mind making an error in the direction of being over-cautious.In short, I was uncommunicative because I’d been proceeding the last couple weeks on a much more paranoid footing than was needed. My thanks and apologies to Hunter for his wasted effort; I’m sorry I didn’t have the time to write a proof-of-concept to test this first.
The other thing I’ve been doing the last few weeks has to do with the “sister sites” that have adopted the Lobsters codebase. Lobsters is a site that’s open source for transparency, not to help start and run other sites. It’s really rewarding to see the code used this way, but nobody has the spare attention to run that potential project. Mostly this means we don’t take feature requests, but in this case it also means we don’t have a way to contact the site admins. There is no mailing list or forum, even for security issues. I’ve been in the process of finding admin emails and collecting translators (many sister sites aren’t in English) so we could notify them before the vulnerability was published. If you recently got a DM from me asking you to play translator, you can ignore it, I’m proceeding from here in English for urgency’s sake.
Now that I’m confident there isn’t a worse vulnerability I’ve reverted the temporary stricter rate limiting. I’m sorry to anyone I inconvenienced, I know if you read the site by opening several stories as tabs you probably hit this.
I think all the exciting bits are over, but am happy to be corrected if any volunteer spots something I missed, or any other issue. My email is on my profile.
My thanks to soatok for alerting about the potential vulnerability.
-
-
-
As someone who runs an (intentionally-single-threaded, but multithreaded in prefetching upstream stories) fetch loop before skimming all the stuff in a text editor, a separate thanks for the transparent and friendly throttling implementation. To say the least, not all emergency-throttling implementations are so clear with the exact changes in the fetcher one needs to do. Thanks.
-
I know if you read the site by opening several stories as tabs you probably hit this.
I did indeed hit this! I thought it was strange, and just figured it must have been my fault and I must have had a VPN going that was using a popular IP. Didn’t think about it much but glad you explained it.
-
-
-
-
-
It can be helpful to build the UserMethod first, expose it in a Command Palette or via Keyboard Shortcut Interface, and only if it then proves to be useful, design it into the GUI.
This is not far from standard macOS practice: Everything the user can do belongs in the menu bar, each menu item is handled somewhere by a method, and those methods follow a conventional pattern. Only the most important commands also appear in always-visible UI, like a toolbar button, and some others may be progressively disclosed. But the menu bar is the index.
-
-
I think you’d call them action methods. The target-action pattern is one way they’re called. The token “IBAction” identifies action methods for you to wire up in Interface Builder. Targets can be particular objects or the first responder, and the responder chain is implicit beyond that target.
For example and IIRC, the Copy menu item will be bound with the target-action pattern to the -copy: action on the first responder target. When you select Copy from the menu or type ⌘C, the event dispatch will first call the view with typing focus, then if it doesn’t respond (doesn’t implement that method) it recurses to its next responder (superview, usually). A variant of this check is also done when you open the menu. The Copy action will be enabled only if some object on the responder chain responds to -copy:.
-
-
-
I actually quite like this. I’ll repeat my own understanding if it, because I think the underlying insight is a little under-expressed and thus I had to read the second half twice before I realized what was actually being suggested:
-
When considering your application API, be thoughtful about maintaining, ideally, a three way distinction between private functions, public functions, and user-facing functions (this is the yeah, duh section)
-
Ensure that the set of user-facing functions is available at runtime via reflection.
This is the part that I didn’t get at first- the language about ‘distinguishing’ them is a bit ambiguous and might suggest simply a restatement of (1). But the examples make it clear that the article is about the advantages of being able to enumerate and inspect the set of those distinguished functions, which is a more specific and clarifying notion.
-
So much pldb content, so little engagement from or with the community. Consider giving this a rest?
Yes! I agree. I was just so eager to get feedback on this latest change, as if you think about it, it could develop into something interesting down the line.
Never doubt the power one small Internet stranger can have on changing the world. I can’t tell you how many times I’ve almost given up, but then I get some random commit or an email from a lobsters or reddit or hn user and it gives me the motivation to keep going just a little longer.