1. 3

    https://github.com/lobsters/lobsters/wiki#sister-sites also lists other sites using the Lobste.rs codebase

    1.  

      Thank you

    1. 5

      Maybe we could just ask @caius to slow it down to a weekly thread and drop the weekend-specific part? That’d cut the issue in half.

      1. 4

        (Amusingly I hadn’t seen this thread until you posted this comment 🙈🙉)

        More than happy to adjust postings based on what people think/want. The weekend posts are a more recent change, maybe 18 months old? It originally was just the week threads every Monday.

        1. 11

          Personally, I like having the separate during-week and week-end threads. Would much rather just offer a tag that folks can filter on if they don’t care for such posts

      1. 5

        Those threads have been around a long time and I’m kind of used to them, but on the other hand I think they should just be tagged “ask”.

        I’ve felt for the last little while that those threads deserve some sort of special status because they are more like chat than stories. Maybe a “community” or “chat” tag is more appropriate.

        Perhaps instead of a new tag you can just hide the stories?

        1. 5

          ask

          I’d rather that’d be used for interesting questions, which is a subset of questions that happens to exclude “what are you doing this weekend?” threads.

          1. 4

            Those threads have been around a long time and I’m kind of used to them, but on the other hand I think they should just be tagged “ask”.

            They’ve been through a couple of iterations in terms of tagging. They were originally tagged with just “ask”, until validation around that tag changed and submissions are now required to add a second tag alongside “ask”. Initially we were tagging them with “ask” and “culture”, around two years ago we changed to using “ask” and “programming”.

            (I’m saying we, because although I try and submit them regularly, I didn’t start submissions way back when and others often submit where I’m unable to so it’s very much a community thread!)

          1. 2

            Mixture of chores/jobs and relaxing with family, absolutely nothing in the calendar.

            • Mow the lawn (this seems to come top of my weekend list frequently 🤔)
            • Test out the Deltenna WiBe HS21 that’s just arrived in the post - 3G failover with fancy antenna inside it for the home network
            • Change the fuel filter on my car, weather depending
            • Play some games with the kids, possibly get out with them
            1. 1

              $work:

              • Continue to pitch in alongside teams with rolled up sleeves delivering features and unblocking each other.

              !$work:

              • Mow the lawn 🙄
              • Make a concerted effort to get back on the bike. It’s the summer after all and I need the exercise.
              • Figure out what I’m doing with my external screens (I appear to have … a lot) and sell the ones I’m not using.
              1. 2

                May I recommend magic mirrors for your screens? I’m preparing to use one of my many surplus screens in a test build.

                1. 1

                  Ooh, there’s an idea. I always think of tablets only for those, but I guess an RPi 0 attached would do the same but bigger. 🤔

                  1. 2

                    Anything that can drive a screen, and any screen you can put right up against the back of the glass (otherwise the screen draws somewhere behind the mirror and the illusion can be broken or headaches can result).

                    I personally have a number of failed laptops that might be able to serve as controlling hardware, or I can use my small collection of single board computers. Have not chosen yet for myself.

                    Also worth knowing: there is a magic mirror squared software project which is heavily webstack but has many modules, and does the software heavy lifting already.

              1. 2

                Honestly, pulling my hair out over a mailing list management supplier. Basically they held onto a whole load of subscriber data after I closed my account. I went to open a new account for a completely different org and they dropped me back into the old one with all the old subscribers names and email addresses (which they’re billing me for).

                Despite my best efforts over the past couple of weeks they’re doing their best to ignore any attempts for me to try and resolve the situation with them. I’m finding it shocking and infuriating just how little they seem to care about it.

                They’re probably holding 100s of thousands of pieces of PII where people have closed their accounts but not cleared out subscriber lists beforehand (probably because nobody ever told them to).

                1. 1

                  😱

                1. 1

                  $work - Usual dance of unblocking others and writing up things before they need it.

                  !$work - Going to visit a friend now lockdown in the UK has lifted somewhat, not that either of us are particularly expanding our respective social bubbles much. Also need to write up how we’re going to sunset one website and redirect to another site for the Sailing Club.

                  Maybe model some 3d bits, having pulled my third car (2003 Mini One) out of “storage” I’ve remembered the phone holder in it fell apart and could do with a shim printed to stop the phone spinning round every time you corner.

                  1. 2
                    • Mowing the lawn if it ever stops drizzling
                    • Writing up incident report for $work based on yesterday’s internet kerfuffle
                    • Bike ride [if it ever stops drizzling, or maybe even if it doesn’t]
                    • Some more exploration of k8s after picking it up last week, and possibly looking at Hashicorp’s offerings again to see if there’s useful bits we can lean on without going full containers/k8s. (We likely don’t have time to fix this before Q4 anyway, so slow exploration and thinking is fine.)
                    • I was going to debug my HomeNAS being offline still, but it appears to have rejoined the network again and looks fine from logs. Upgrade SmartOS on there probably and possibly swap the USB boot stick out pre-emptively.
                    1. 3
                      • Partner’s birthday, so celebrating that.
                      • Lockdown is easing slightly more in the UK, although as a family we’re still being stricter than we have to be by the letter of the law. The in-laws are planning to visit but stay socially distant to us in our garden, which will be nice. Haven’t seen them in a couple of months.
                      • Finish printing the initial batch of modifications for my Ender 3 printer which arrived this week. So far I’ve printed a fan cover, want to add things like filament guides to it.
                      • Model some other things I want to print that aren’t just for the printer. It’s a tool, not a self-contained project. Honest.
                      • Finish putting the main car’s dashboard back together after starting to fit an aftermarket head unit a couple of weeks ago. Was supposed to be done for other half’s birthday as a present, but ran out of time to meet that, oops.
                      • Bike ride, dodging the showers which are predicted
                      • Mow the grass, as I’ve been putting it off for a month at this point and now it’s practically a meadow. This is going to be fun (not.)
                      1. 2

                        Happy Birthday to your partner!

                      1. 2

                        Halfway through three day project to sort my drive out. First time I’ve properly cleaned it in 2.5 years of living here, it was … dirty. (Block paving. Ugh.) Need to re-sand it tomorrow to finish it off. All the bricks have an actual colour to them now, not just grey!

                        Have also planned a 50 mile ride to-and-round-the-base-of a local large hill with a friend, which we’re going to attempt tomorrow.

                        1. 3

                          This is really cool, I had to run brew install netcat6 and then use nc6 on a mac to get it working. Normal nc doesn’t support a -6 flag it seems.

                          I might have also broken it sorry. Typed support then ^D, then hit enter a couple of times, then ^C to break out of it. I can ping your host now, but not reconnect with nc. 😰😬

                          1. 2

                            You did, thanks! That’s exactly what I was hoping for as I was building it. I’m using the same tech stack to build another service and wondered if I really understand how it works and turned out I didn’t! I tried to build some mitigations for misbehaving or even malicious clients and still ended up vulnerable to DoS by accident 😎.

                            The problem was with reading from a socket where the incoming stream is closed. I expected the read to return an error when trying to read from a closed stream, but that wasn’t obviously the case.

                            Fixed it in this commit https://github.com/vvilhonen/ipv6shell/commit/417517e54d211fcf320966d3ccfbc163ffddae64

                            Thanks again!
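The failure mode described above (a read on a socket whose peer has hung up returning end-of-stream rather than an error) as an added Python example; this is not code from ipv6shell or from either commenter. It uses a local `socketpair`, a constructed client message, and an assumed `MAX_MESSAGE` cap; the point is that a zero-length `recv()` must be handled as "peer closed" alongside the timeout and size checks, or a client that sends a partial message and disconnects leaves the reader spinning.

```python
import socket

MAX_MESSAGE = 1024  # assumed cap so a client cannot make the server buffer without bound


def read_message(sock, timeout=2.0):
    """Read one newline-terminated message from `sock`.

    Returns (data, reason) where reason is one of "newline", "closed",
    "too_large" or "timeout". A zero-length recv() means the peer closed its
    sending side; it is not raised as an exception, so the loop must check
    for it explicitly or it will spin forever on an empty read.
    """
    sock.settimeout(timeout)
    buf = bytearray()
    while True:
        try:
            chunk = sock.recv(256)
        except socket.timeout:
            # Client went quiet without finishing the message.
            return bytes(buf), "timeout"
        if not chunk:
            # End of stream: the peer closed. This is the case the original code missed.
            return bytes(buf), "closed"
        buf.extend(chunk)
        if b"\n" in buf:
            return bytes(buf), "newline"
        if len(buf) > MAX_MESSAGE:
            # Refuse to keep buffering for a client that never sends a terminator.
            return bytes(buf), "too_large"


def demo_peer_closes():
    """Constructed scenario: client types 'support', sends no newline, then hangs up."""
    server_side, client_side = socket.socketpair()
    try:
        client_side.sendall(b"support")
        client_side.close()
        return read_message(server_side, timeout=1.0)
    finally:
        server_side.close()


def demo_complete_message():
    """Constructed scenario: client sends a properly terminated message."""
    server_side, client_side = socket.socketpair()
    try:
        client_side.sendall(b"help\n")
        return read_message(server_side, timeout=1.0)
    finally:
        client_side.close()
        server_side.close()


if __name__ == "__main__":
    print(demo_peer_closes())       # (b'support', 'closed')
    print(demo_complete_message())  # (b'help\n', 'newline')
```

The same three-way distinction (terminator seen, peer closed, budget exhausted) applies to any line-oriented protocol reader; the `reason` value lets the caller log disconnects separately from slow or oversized clients when tuning limits.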

                          1. 2

                            I’m mostly surprised at these results, but having had things like go fmt available when I’ve hacked on golang stuff I’ve entirely[^1] given up being irritated by someone else’s coding style as long as there is consistency enforced throughout the project. And I mean enforced, go fmt or terraform fmt style. 🤣

                            For Ruby I’ve been trying out StandardRB recently, integrated it into a couple of side repos at work to test it out and whilst I don’t agree with all the choices, I don’t disagree with the choices enough to override anything. The consistency wins out over my personal choice.

                            (Interestingly the ones I disagree with the most are things that “spoil” git diffs the most, like trailing commas on all arrays split over multiple lines.)

                            [^1] And by entirely, I mean mostly.

                            1. 0

                              Always upvote Tom Scott 🤘🏻

                              1. 1

                                Are you sure you want to be handling passwords yourself? Shouldn’t you be using a third-party authentication provider? That way, you run no risk of getting compromised and leaking (reused) passwords.

                                1. 11

                                  Handling passwords is really not that complicated. There are libraries around to do it, and quite frankly, it’s not magic. Just use bcrypt or something similar.

                                  1. 2

                                    I would note that it’s not so much just the handling of passwords, but getting all of the workflows for authentication and session management right too. That’s why I like libraries like Devise for Rails that add the full set of workflows and DB columns already using all best-practices to your application, with appropriate hooks for customization as needed.

                                    1. 2

                                      It’s not only the password in the database, but also the password in transit. For example, Twitter managed to log passwords:

                                      Due to a bug, passwords were written to an internal log before completing the hashing process.

                                      The risk remains, it’s just more subtle and in places you might not immediately think of instead.

                                      1. 3

                                        If anything that’s an argument against “just let someone else do it”.

                                        You can review your own systems, you can organise an audit for them.

                                        How do you plan to review Twitter’s processes to ensure they do it securely, given that they already have precedent for screwing the pooch in this domain?

                                        1. 1

                                          It’s easier in smaller systems.

                                          1. 1

                                            Well, there’s a risk with anything you do when dealing with secrets; you can leak tokens or whatnot when using external services too.

                                            As I mentioned in another comment, the self-host use case makes “just use an external service” a lot harder. It’s not impossible, but I went out of my way to make self-hosting as easy as possible; this is why it can use both SQLite and PostgreSQL for example, so you don’t need to set up a PostgreSQL server.

                                        2. 2

                                          you run no risk of getting compromised and leaking (reused) passwords

                                          You still have to handle authentication correctly, and sometimes having an external system to reason about can expose other bugs in your system.

                                          I recall wiring up Google SSO on an app a few years ago and thinking configuring google to only allow people through who were on our domain was sufficient to stop anyone being able to sign in with a google account. Turns out in certain situations you could authenticate to that part of the app using a google account that wasn’t in our domain (we also had Google SSO for anyone in the same application, albeit at a different path.) Ended up having to check the domain of the user before we accepted their authentication from google, even though google was telling us they’d authenticated successfully as part of our domain.
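The domain check that the comment above ends up needing, as an added Python example that is not the commenter's code. It assumes the identity provider's library has already verified the ID token's signature, issuer, audience and expiry and handed back the claims as a dict; `example.com` and the sample claim sets are constructed. Google ID tokens carry the hosted-domain claim `hd` only for Workspace accounts, so the check treats a missing `hd` as a rejection rather than a pass, and it cross-checks the verified e-mail's domain so a provider saying "authenticated" is never taken as "authenticated for our organisation".

```python
ALLOWED_DOMAIN = "example.com"  # constructed placeholder for the organisation's own domain


def is_allowed_login(claims: dict, allowed_domain: str = ALLOWED_DOMAIN) -> bool:
    """Return True only for a verified account in `allowed_domain`.

    `claims` is assumed to be the already signature-verified payload of an
    OpenID Connect ID token. Successful authentication at the provider is not
    the same as membership of our domain; both must hold.
    """
    wanted = allowed_domain.lower()

    # Hosted domain: consumer accounts have no `hd` at all, so absence fails closed.
    hosted = claims.get("hd")
    if not isinstance(hosted, str) or hosted.lower() != wanted:
        return False

    # Only trust an address the provider has actually verified.
    if claims.get("email_verified") is not True:
        return False

    # Belt and braces: the e-mail's domain must agree with `hd`.
    email = claims.get("email", "")
    _, at, email_domain = email.rpartition("@")
    return at == "@" and email_domain.lower() == wanted


# Constructed sample claim sets (not real tokens).
SAMPLE_CLAIMS = {
    "staff": {"sub": "1", "email": "alice@example.com", "email_verified": True, "hd": "example.com"},
    "consumer": {"sub": "2", "email": "bob@gmail.example", "email_verified": True},
    "other_org": {"sub": "3", "email": "carol@other.example", "email_verified": True, "hd": "other.example"},
    "unverified": {"sub": "4", "email": "dave@example.com", "email_verified": False, "hd": "example.com"},
    "mismatch": {"sub": "5", "email": "eve@other.example", "email_verified": True, "hd": "example.com"},
}


def evaluate_samples():
    """Map each constructed sample to the decision the check makes for it."""
    return {name: is_allowed_login(claims) for name, claims in SAMPLE_CLAIMS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:>10}: {'allow' if allowed else 'deny'}")
```

Wire this in after the library's token verification and before creating the session; the provider can be asked to restrict the login dialog to a domain, but that is a UI hint, and the server-side claim check is what actually enforces it.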

                                          1. 1

                                            If password hashing is a hard task for your project, I’d argue that’s because your language of choice is severely lacking. In most languages or libraries (where it isn’t part of the stdlib) it should be one function call to hash a new password, or a different single function call to compare an existing hash to a provided password.

                                            This idea that password hashing is hard and thus “we should use X service for auth” has never made any sense to me, and I don’t quite understand why it persists.

                                            I have never written a line of Go in my life, but it took me longer to find out that the author’s project is written in Go, than it did for me to find a standard Go module providing bcrypt password hashing and comparison.

                                            1. 1

                                              And salting! So many of these libraries store the salt as part of the hash, making comparison easy but breaking hard.

                                              1. 1

                                                I would consider it a bug for a library/function to (a) require the developer to provide the salt, or (b) not include the salt in the resulting string.
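The pattern the last three comments describe (one call to hash, one to verify, the library choosing the salt and storing it inside the returned string) as an added Python example, not code from any commenter. It uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt so it runs with no third-party package; the `algorithm$iterations$salt$digest` storage format and the iteration count are this example's own choices, not anything the thread prescribes.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; raising it later is handled by needs_rehash().
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing string: algorithm$iterations$salt$digest.

    The caller never supplies a salt: a fresh random one is generated here and
    stored inside the returned string, so verification needs nothing else and
    two users with the same password get different stored values.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS), _b64(salt), _b64(digest)])


def _parse(stored: str):
    """Split a stored value into (algorithm, iterations, salt, digest) or return None."""
    parts = stored.split("$")
    if len(parts) != 4:
        return None
    algorithm, iterations, salt_b64, digest_b64 = parts
    try:
        return algorithm, int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the salt and work factor parsed from `stored`."""
    parsed = _parse(stored)
    if parsed is None or parsed[0] != ALGORITHM:
        return False
    _, iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not reveal how much of the digest matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when a stored value predates the current algorithm or work factor."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] != ALGORITHM or parsed[1] < ITERATIONS


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong", stored))                         # False
```

On a successful login, call `needs_rehash` and re-store the result of `hash_password` when it returns True; that is how the work factor gets raised over time without ever touching the plaintext outside the login request.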

                                            2. 1

                                              Problem is what provider do you choose to use? Do you just go and “support everyone”, or do you choose one that you hope all your users use, and that you are in support of (I don’t support nor have accounts at Facebook, Twitter, and Google), which narrows it down quite a bit. And what about those potential users that aren’t using your chosen platform(s)? Are you gonna provide password-based login as an alternative?

                                            1. 2

                                              I’ve been through a bunch of certificate hell recently, this is absolutely hilarious to me. Much needed amusement. Thanks (:

                                              1. 3
                                                • Mow the lawn, all of it this time, not the (literal) half a job I did a fortnight ago
                                                • Start removing most of the groupset off my old bike, so when the missing pieces arrive I can “upgrade” the groupset on the new bike entirely. (New bike has 2013 SRAM Rival on, I’m upgrading to mixture of Rival 22 & Force 22 components. Old bike has Rival 22 HRD.) Doubt anything will arrive in post till next week.
                                                • Investigate annoying creak from bottom bracket on new bike, suspect it needs a regrease
                                                • Ride a bike, whichever is left in working condition at this rate
                                                1. 2

                                                  Mow the lawn, all of it this time, not the (literal) half a job I did a fortnight ago

                                                  I’m in this comment and I don’t like it.

                                                  1. 3

                                                    I mowed ours for the first time this year! “Yay”….

                                                1. 7

                                                  @caius Thanks for posting these threads, I think having a periodic community light “what’s up” thread lends a comfy feeling to the community.

                                                  This weekend I tricked bash and feel like I got away with murder (read: dumb clever hack), so I’m writing a post about it.

                                                  I’m still working on my typing and poking at clojure with babashka – I’ve recently found out about the pods protocol and am looking at that.

                                                  1. 1

                                                    No problem, someone else (who I’ve forgotten - sorry!) started it a while back and I just filled in when it got to the afternoon of UTC and no-one else had posted it. There’s a few of us that’ll make sure it goes up, lovely and organically un-organised.

                                                    I like them for similar reasons too :-)

                                                  1. 5

                                                    which lead you to having to parse the code mentally to work out what it’s testing

                                                    I truly do not understand this viewpoint. Someone help me to understand this. Why is that in a test-suite, English is more readable than code?

                                                    Why don’t we write the entire application this way?

                                                    I see the “refactored” code as harder to work out what it’s testing. What are the steps required to publish a new post? To me, the English methods just add indirection that makes it harder to understand the behavior under test.

                                                    1. 1

                                                      Admittedly for such a small example it does abstract too much away from understanding what you need to do to publish a post. When you get into filling out a form being 35+ lines of code to fill in various fields however, it’s a lot of noise in the test, especially if it’s the same for 3-4 scenarios. Even if it’s limited to one scenario though, using the domain language in a readable method can be simpler to reason about. i.e., “I fill in the form for a valid US company” or “I fill out the form as a valid UK company” when that means 2-3 fields differ means reading the longer form fills_in :x, with: :y and diffing them mentally makes it harder to spot either flow issues, or behaviour bugs I find.

                                                      The main suite I’m thinking about for this is one where request specs were retrofitted entirely to a 6-9 month old application and written entirely as scenarios without anything but just capybara or rspec methods called. Coming back to them a month or two later they’re basically indecipherable and we ended up rewriting them anytime the frontend or code behind the forms or our understanding of the business logic changed. And occasionally in rewriting the tests we’d miss something that was understood when the original test was written but because it was hidden in the middle of other “filling in form” or “checking results” code, we didn’t understand the intent of why it was checking that and missed it in the new tests.

                                                      Like everything in programming, I don’t think there is a golden answer to this, and there are definitely places where this is entirely an abstraction too far. I think there is a place for it (maybe not with that specific implementation 😜) and perhaps reaching for something like Cucumber with the explicit step definition split away from the BDD specifications is the answer because you know you’re reaching for that level of abstraction at that point.

                                                    1. 2

                                                      https://caiustheory.com/ and a timely thread too - I just published my first post of 2020 😁

                                                      Now to write four more before 2021 and beat the last couple of years worth of posts in count.

                                                      1. 2

                                                        $work: First day working from home, tbh I never quite liked that. I feel so much better working in an office, my head seems to need a clear separation between work and home.

                                                        $home: I feel I should really take more notes, and document better. I compared a couple of apps and set up jrnl.sh some time ago, but never made it a habit. I was researching what screen I was going to order for my new pc, but since the whole corona thing I’m wondering if I should order or wait for a bit and see how the economy will react in the longer run.

                                                        1. 1

                                                          I used to struggle massively with the transition from work -> home when I was in the same house. Finding something I could bind my “work” time to was useful. Currently I’m lucky enough to have an office that I can mostly ignore if I’m not doing $work and that’s enough separation for me. Previously I’ve done things like get changed or swap jumper/hoody at the end of the work day as a way to tell my brain, “we’re done with work now buddy”. Still a struggle though.