1. 2

    The use case seems to be: you want to back up some small file on a machine you don’t trust much, or send it to a friend who uses this software also. (Since it requires a readable password-less private key, there’s no point applying this to any local files.) Since this adds no local-file security, I won’t mention the usual issue with unencrypted contents lying around in swap.

    It looks like it uses “AES-128 in CTR mode with HMAC-SHA-256” with a random IV. The file length is exposed, but the contents are confidential and tamper-proof.

    Looks like a fun “let’s use Go” hobby project. I imagine PGP has this use case pretty well covered (and doesn’t give up your secrets when someone takes your powered-off computer and pokes around).

    1. 3

      Here’s the use case:

      I want to give someone credentials for a machine (i.e. a shell server), including a password. By default, they send me their ssh public key. I can encrypt to their public key (and with the signing branch, which includes RSASSA-PSS), I can sign the file with my private key. These people generally refuse or can’t be arsed to use PGP, making my life more difficult.

      As for no local-file security, there are few good solutions for preventing unencrypted swap issues if you don’t control the machine. I assume this is being sent to someone who is going to read it on their personal machine. Encrypted or not, we automatically lose if they don’t apply proper security to their local machine. If you’re not encrypting your hard drive, for example, most of your secrets are already available “when someone takes your powered-off computer and pokes around”. This program provides security for message traffic, but doesn’t attempt to solve the data-at-rest problem; there are far better use cases for that.

      Obscuring message length is difficult without jumping through some hoops for files that aren’t of a given length; generally, it’s not going to be an issue.

      Up next, I need to figure out how SSH password-protects files and add support for that in. I have the pieces for ECDSA support (using ECIES for encryption), I just need to actually add them to this code.
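
An added example, not part of either comment above and not the project's own code: the construction named in this thread (AES-128 in CTR mode, a random IV, HMAC-SHA-256) written as encrypt-then-MAC in Go. The function names, the `IV || ciphertext || tag` layout and the use of a separate MAC key are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// tag computes HMAC-SHA-256 over data with a MAC key separate from the AES key (assumed).
func tag(macKey, data []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(data)
	return m.Sum(nil)
}

// Seal returns IV || ciphertext || HMAC-SHA-256(IV || ciphertext) (assumed layout).
func Seal(encKey, macKey, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	body := make([]byte, aes.BlockSize+len(pt))
	if _, err := rand.Read(body[:aes.BlockSize]); err != nil { // fresh random IV
		return nil, err
	}
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(body[aes.BlockSize:], pt)
	return append(body, tag(macKey, body)...), nil
}

// Open checks the tag in constant time and decrypts only if it matches.
func Open(encKey, macKey, sealed []byte) ([]byte, error) {
	n := len(sealed) - sha256.Size
	if n < aes.BlockSize || !hmac.Equal(sealed[n:], tag(macKey, sealed[:n])) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCTR(block, sealed[:aes.BlockSize]).XORKeyStream(pt, sealed[aes.BlockSize:n])
	return pt, nil
}

func main() {
	sealed, err := Seal(make([]byte, 16), make([]byte, 32), []byte("hunter2")) // constructed all-zero demo keys
	fmt.Println(len(sealed), err) // 16-byte IV + 7-byte message + 32-byte tag
}
```

The sealed output is always 48 bytes longer than the input, which is the length exposure discussed above; changing any byte of it makes `Open` return an error before any decryption happens.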

    1. 1

      the names are just (flat) types that are implicitly (globally) defined (i love that part).

      if the types had behavior or constrained implementation (rather than being statically checked synonyms for Any), you’d need to be able to locate names in your package/namespace system (if you wanted more safety for large systems, maybe you’d do that anyway).

      1. 1

        I agree with the author’s assessment of Go, but the writing was bad. I wish people would think about whether their usage really makes sense – if you’re not sure, look it up or stay basic.

        1. 2

          The Nielsen article is good: http://www.nngroup.com/articles/how-users-read-on-the-web/ and clearer than the talk summary.

          Not sure about claim that call to action w/ graphic text would be skipped by scanners. If it’s big text, the eye doesn’t need to linger, so it won’t show in eye tracking. I’d want to see user tests showing that the conversion rate is worse for some styles of “huge call to action”. Agree with intuition that if the style is out of place – screaming ‘banner ad’ it will get less attention.

          Nice examples. Good hint to put likely error message text in your docs so googling errors finds your official word on how to do things right.

          Automatically fixing bad inputs or giving how-to type suggestions inline with an error message is great for users, but you can’t do that for every problem (it’s difficult sometimes) – eventually the user needs to make an informed decision. And for that, while a google-able error message serves as a de facto link if your online docs rank high enough, a real link in the error message is even more reliable (I’d want a tool to validate/maintain such links, though)

          1. 1

            thanks for the feedback!

          1. 3

            His central, dumb claim: Netflix won’t explore distributing any DRM-free HTML5 video unless they already built an HTML5 DRM system. Leading to the questionable conclusion: therefore everyone should make it appealing for Netflix to build a HTML5 DRM system.

            But obviously Netflix can publish DRM-free using flash, html5, or both, as they see fit (which is probably not at all), regardless of whether HTML5 DRM is supported in Firefox.

            1. 1

              C/C++ would be even faster than indicated because there’s some overhead in Go calls out to C – at the very least the data would need to be locked from GC (or copied). That’s probably less than 10% difference, though.

              1. 1

                If you have to spend a lot of time breaking lines, either your column limit is too small, or you’re using your language wrong. In other words, the optimal line length depends on the language (I appreciate the desire to standardize across languages, but I cheerfully allow ~100 char lines in C++98).

                Your editor should at least display soft-wrapped lines broken on a token boundary and wrapped in a way that respects indentation.

                  1. 1

                    ‘maps to a hash’ (‘hash’ meaning ‘map’ or ‘hash table’)

                    ‘No, you can’t mix data types, that’s stupid.’

                    [ [ 1, 2 ], ["a", "b", "c"] ] # this is ok

                    honestly it’s not that bad. moving a subtree to a different parent in an editor would require slightly more tool support (modify the [tree.paths]) than yaml (move text changing indent appropriately) or json (just move the text)

                    1. 6

                      I’ve written and deleted so many comments about this. Against my better judgement:

                      I think that much of the interest in this story is due to hunger for drama, rather than empathy for Heather or a real interest in encouraging other OSS developers. Compare the reactions to this incident with the virtual high-fives that Linus Torvalds gets when he says something deliberately mean.

                      1. 1

                        all obviously true. it’s not only that the average comment’s value is going down. there’s a pronounced selection effect. people with something worth saying know to stay away from the discussion. what’s left isn’t pretty – outrage is very accessible. everyone can contribute.

                        her sex likely adds more fuel (though i’ve seen little overt focus on it). there’s a lot of teachable-moment potential (as the punishers see an opportunity for heroism).

                      1. 2

                        That does sound annoying. I guess you’re effectively forced to locally wrap fmt.Print(m) with Debug(m) that calls fmt.Print(m) if you want to avoid the hassle.

                        1. 1

                          I’ve run into it in C before with certain compiler flags that complain about unused variables. I’d just wrap the code in an if (0) {} rather than commenting it out so it’s still there according to the compiler, but it just never runs. Then once you’re done debugging, rip out the whole block.

                          1. 1

                            I’ve seen people use preprocessor conditionals in the same way, which I guess has the added advantage of not getting compiled at all.

                            Example:

                            #if 0
                            ...code...
                            #endif
                            
                            1. 1

                              Yeah but then you still have variable declarations and (in Go’s case, includes) that will still be there when the preprocessor rips out all of the code between #if/#endif.

                              1. 1

                                Ah, I see. I misunderstood your original comment. Neat trick.

                        1. 1

                          He describes a way of getting information when you can repeatedly run arbitrary SQL, but can only get a single bit (error or no) in response. Solution: don’t let users run arbitrary SQL.