1. 2

    I’m always kind of wary of language VM that wasn’t designed for sandboxing being used as a sandbox, even after being restricted to a subset. I’ve seen a few attempts at this that at first looked like using safe restriction, but after a bit of fuzzing or vuln research in the VM, there end up being many edge cases of memory corruption that doesn’t matter when Python is used as an application, but that led to disastrous consequence when used as a sandbox VM.

    In the end, if you want to safely run untrusted code, it’s probably better to either use well tested and designed from the ground-up for sandbox (e.g. Lua) or use proper sandboxing patterns (e.g. secomp, pledge)?

    1. 2

      Yes, you should be wary, here be dragons

      1. 1

        I appreciate the quest to find a suitable safe subset of Python. For language design that works.

        However as you say, the implementation path for the interpreter is not a safe approach. If you rely on finding and patching holes you will never be done. A safe platform starts as something so simple that it is obviously safe. Then you extend it until it becomes useable.

      1. 21

        I definitely share the sentiment. On the other hand it feels bad to make an analogy to the Onion article which is about gun violence.

        1. 11

          Considering the real-world implications of this sort of technical irresponsibility (which include things like “airplanes crashing out of the sky and killing 600+ people”), I think this is entirely the analogy that needs to be made more often.

          It terrifies me that more people in the IT industry don’t realise the real-world implications for their decisions :/

          1. 16

            airplanes crashing out of the sky and killing 600+ people

            I’m not especially impressed with npm either, but I don’t think it’s causing airplanes to fall out of the sky?

            1. 2

              NPM isn’t directly responsible for causing airplanes to fall out of the sky because it’s not being used in obviously-critical / life-or-death systems. The most it can do is ruin lives and thus kill people indirectly (ex., by presenting an attack surface by which bank accounts can be drained, or by being so bloated that, when deployed at scale, it heats up the atmosphere enough to be responsible for the death of a few hundred people from flooding or migration-related-violence somewhere down the line).

              As a general policy, though, treating software problems as potentially fatal (the way we treat law problems as potentially fatal) is pretty reasonable. Anything deployed at scale has the potential to kill indirectly, and everything deployed at google- or facebook-scale probably has. Nothing is preventing individual software engineers from considering these cases, aside from taboos against reminding us of their possibility.

              1. 2

                The most it can do is ruin lives and thus kill people indirectly

                I know someone who works in health informatics, where they provide web-based applications for patient management to hospitals. At least once they had a bug that caused allergy warnings to show up on the wrong patient’s record (such that a nurse might not know that you’re allergic to latex or penicillin). That absolutely could kill someone.

            2. 7

              It terrifies me that more people in the IT industry don’t realise the real-world implications for their decisions :/

              Often, the response to pieces like this tends to be a sort of reckless naivete: “what’s this guy’s problem? They can just fix it!” I think there’s a subconscious belief that the community will self-correct after each breach. This belief ends up being something of a thought-killer because it cuts off thoughts of, “but why did it ever happen in the first place?” My guess is those thoughts are seen as a bit negative/taboo, because obviously the community would never all be wrong about something!

              I’m not sure what the cure for lackadaisical developers is, other than avoiding massively popular ecosystems just to have a better shot at being around people that care.

              1. 6

                The Canadian practice of the Iron Ring ceremony echos your very important point. https://en.m.wikipedia.org/wiki/Iron_Ring

                1. 2

                  While surely virtuous, I doubt this ceremony (And any feel-good manifesto that gets posted here every now and then) have noticeable impact on how engineers deal with the real-world implications of their decisions. Oaths are nothing but fluff when there are no actual controls and consequence.

                  1. 3

                    I think that, as you suggest, the ceremony definitely does not usually result in software engineers feeling the weight of their decisions. I would hope and expect that it does feel that way for, for example, civil engineers. I also think we need to all take responsibility for moving our profession in the direction of greater accountability. We should live in a world where software engineers take this stuff seriously, and taking it seriously as individuals is one important way we can work towards that.

              2. 5

                The implication here is that it’s the result of a systemic flaw that is ultimately preventable.

                1. 12

                  I think the point jjmalina is making is that it’s in poor taste to compare a JavaScript packaging problem to an act of wanton, unspeakable violence.

                  1. 19

                    wanton, unspeakable violence.

                    So, webpack?

                    1. 2

                      A satirical article by the onion (which is the comparison being made) is not an act of violence in any way, shape or form.

                      1. 3

                        The comparison is not between ‘a JavaScript packaging problem’ and ‘a satirical article by the onion’. The comparison is between ‘a JavaScript packaing problem’ and ‘gun violence’. (Both expressed in the form of satirical articles.)

                  2. 5

                    This was exactly my reaction and put me off from reading the article. For those who recognize the allusion, it’s very much a false equivalence to compare CI/CD failures to actual loss of human life. The Onion’s article is a biting satirical commentary on a tragic systemic failure of American culture and legislative bodies. This article is about NPM being insecure. Distasteful.

                    1. 2

                      I just see it as a pattern for a joke. A knock-knock joke can either be a completely harmless joke that a child would say, or an adult could come up with a terribly offensive one.

                    1. 2

                      Even Super Mario Brothers basically uses the same technique. It will never get past drawing the score at the top when Sprite-0-Hit isn’t implemented. Since this feature is mostly only useful for determining a whether the PPU passed a certain position, i highly suspect this is very much intended behaviour.

                      1. 4

                        Have you read the complete article? The undefined behaviour is about writing to the PPUADDR while the screen is rendering to smooth vertical scrolling with split screen. Actually pretty interesting dive into how the NES PPU internally work and shows visual glitch in Zelda that would be explained by the limitation of the undefined behaviour.

                      1. 18
                        1. Bellard is as impressive as always.

                        2. Someone found a use-after-free.

                        1. 8

                          A bit of context on the ‘someone’ for those interested: qwertyoruiop is the individual who created (half of) the Yalu jailbreak for iOS 10, and has contributed to many other big jailbreaking releases for both iOS and other platforms (e.g., PS4).

                          1. 2

                            I don’t understand that use after free. Isn´t that a legit use of js? That is: isn’t the interpreter doing what it is supposed to do? Or not?

                            1. 1

                              use after free is using the content of a pointer after the memory of it was released, allowing writing at any part of the process running the javascript interpreter. It means, that it allow going outside of the javascript sandbox and as such allow for a webpage taking full control of your computer. As any important security bug, it is a way for any virus or malware to install itself on a computer.So definitely it is not a legit use of js.

                              1. 1

                                i was asking if the use after free bug is JS or in the interpreter.

                                1. 2

                                  The bug is in the interpreter here. The JS in the link is a proof-of-concept exploit for the bug.

                          2. 1

                            This is a quick reminder that script VMs are hard to develop, especially for complexe PLT such as JavaScript. Never ever run arbitrary code in those kind of interpreter, even if you believed you hardened it by removing privileged functions or I/Os. FWIW, don’t even try to run to run arbitrary code in widely used engine such as spidermonkey or V8 if they are not sandboxed. RCE still get found every now and then.

                          1. 2

                            Note: WireGuard is a registered trademark of Jason A. Donenfeld.

                            Does that mean Jason Donenfeld can legally sue them for a noncompliant implementation?

                            1. 10

                              It just means they can’t call it “wireguard”, which I suspect is why the name is BoringTun and not something more wireguard-ey. Trademark prevents other people from using your name (or logo or whatever) to make it seem as if something they’re selling came from you. It prevents me from calling my webmail service “gmail”, but it doesn’t prevent me from saying “gmail-compatible” or whatever.

                              1. 3

                                No, that’s not how trademark works. You are thinking about patent and licensing of patented API.

                              1. 5

                                My last attempt at Matrix a year or two ago end up with me giving up try to host a simple homeserver with a few bridge to IRC and Slack. The conclusion was that a 5$ VPS wasn’t enough to share short text message with the internet. Was there good progress on this side? In any case the new client release look pretty good!

                                1. 3

                                  I did the same thing, but with far more system resources and felt it was too much of a nightmare to keep running. A couple things that really made me sad was:

                                  • inclusion of they own init/process management which was deprecated early on but still sometimes used
                                  • publicRooms endpoint is rough because the primary client (riot) makes operators feel like they need to list rooms in the homserver directory for their users on that homeserver to discover…. well those rooms are discoverable via publicRooms enpoint… take a peek here for discussion
                                  • there was an issue that we patched related to enumerating devices where the query could run forever, this literally could kill the homeserver when someone tried to enumerate/verify someone elses devices.

                                  We ran a patched version of synapse for a while where we neutered the endpoints that scared us and limited some of the queries. Ultimately it just became a frustration to deal with so we’ve opted to move to XMPP. The clients are far worse on the XMPP side of things, but the governance has been around longer so the community is far more “healthy”.

                                  I’m now waiting for a few things before thinking of coming back:

                                  • specification to be workflowed past an initial release (the XMPP community certainly knows how to workflow their spec, but the matrix community has been almost entirely a mess on that front)
                                  • implementation of a homeserver by someone who is not a part of the primary matrix team
                                    • it would demonstrate that the specification is digestible
                                    • there are things like identity services and STUN that should be rolled into the homeserver (not be separate code-bases requiring separate sysadmin maintenance)
                                    • synapse was a nightmare mess, the project hailing “success” as a transition from python2 to python3 is laughable… you don’t get to claim you’re doing amazing things when you’ve deliberately taken on tech debt*

                                  *I think Gitlab is doing something similar lately: claiming they are brave to have started with ruby and survived (which I think that they have not survived, they are in the process of attempting to survive… which is ongoing)

                                  1. 1

                                    I just downgraded my homeserver from a 2GB VPS to a 1GB one and it still works fine :)

                                    The big issue with synapse was this, occasionally I had to ssh into the server and run a postgres query to clean up. Haven’t had to do that in a few months.

                                  1. 2

                                    if there is a C api i can bind to, i like ruby for scripting. i’ve even used it to good effect in more heterogeneous projects by exposing functions as command line utilities, and then using ruby to automate those. i like it because it’s an extremely productive language, and because it makes it relatively easy to pull out often-used functionality into higher-level abstractions and libraries.

                                    1. 3

                                      You might like mruby, a mostly-compatible version of Ruby designed for embedding. It’s written, ARAIK, by Matz himself.

                                      1. 2

                                        i’ve been keeping an interested eye on it! not had a chance to use it yet, but it’s definitely my top choice next time i need an embedded language.

                                        1. 2

                                          Works pretty well for what I’ve seen. Hovever, the possibility to exclude some API such as I/O led some software to use it as a sandboxed VM which ended up pretty badly for them. I like Lua for this exact reason, the VM being really simple and made with security in mind allows it to be a pretty good choice to run untrusted script.

                                    1. 16

                                      Having interviewed a lot of people, SQL is one of those things that everyone thinks they know well and very few actually do. In interviews now, if I see them claiming expertise, I ask if they can do something more than “SELECT * FROM foo” because so often that’s all it takes to “know SQL” on your resume.

                                      Good database knowledge can be extremely valuable. I can’t tell you how many times I’ve seen code that makes four or five round-trips to the DB, grabbing data, processing it client-side, and sending it back that could’ve been done in one round-trip with a well-crafted SQL query.

                                      There’s the other side too: I’ve seen some truly awful database designs that have required multiple round trips because the DB designer didn’t understand foreign keys or constraints or whatever.

                                      1. 3

                                        Imo one of the best arguments against relying on ORMs is performance: in some situations a CTE or window function can get you one or two orders of magnitude improvement over a naive orm solution.

                                        1. 2

                                          Nothing prevent you from implementing those edge case in your ORM though. I personally use SqlAlchemy, and I feel like it cover what I need as-is 90% of the time, and the 10% of the time left it gives me the tool to build more complexe queries and even allow me to keep using the “object mapping”. SqlAlchemy supports CTE and Window function!

                                          For even too complexe query, it might also be possible to wrap them into SQL Function and simply map your ORM to this function.

                                          1. 2

                                            Oh, to clarify, I think ORMs are great, I just don’t think it’s great to rely on them. They do 90% of the things for you, but you need to know SQL for the other 10% of cases. Some things aren’t like that, where there’s not such a wildly significant benefit as knowing SQL gives you in this case.

                                            1. 1

                                              This is very true. It’s also helpful to know (in rough terms) what the ORM is doing under the hood, something that’s only really possible if you understand the SQL behind the operations.

                                            2. 1

                                              Yep, Peewee orm also supports things like CTE, window functions, insert/on conflict, etc. The query builders for both libraries are very flexible, but you pretty much have to know SQL and then translate it into the APIs the query builder exposes. For experienced programmers this is no problem, but someone less fluent with SQL is going to have no idea how to use this advanced functionality, regardless of how it is exposed.

                                              1. 1

                                                Definitely! My point was mostly about ORM and “advanced”/performant SQL not being mutually exclusive.

                                                1. 1

                                                  I like ORM or query builders not because I don’t know SQL, but rather because I detest the SQL syntax. I wish there were a better relational language. Maybe Tutorial D in front on Postgres’ storage engine.

                                          2. 3

                                            Depends on how you interview me.

                                            If you sit me down with a pen and paper and tell me to write a complex query…. I might well fail.

                                            If you sit me down with say sqlitebrowser… and an editor side by side, I will rapidly iterate starting from very simple queries (yes, I will start with select * from foo) to as complex as need be.

                                            And yes, I might occasionally refer to the syntax for the gnarlier corners.

                                            But I will get it done pretty rapidly in a single very well crafted query.

                                            Conversely, I’m a true believer in what CJ Date has been saying for decades…. so if you allow me to redesign the table definitions…. you’d be shocked by how simple my queries will be.

                                            1. 2

                                              What would you consider beyond “SELECT * FROM foo"? I don’t touch SQL on a daily basis, but I could throw together a left, right, and full join if I needed to, and I’m aware of how to use subqueries. What SQL skills would someone have in order for you to consider them competent / good at SQL?

                                              1. 4

                                                JOINs, GROUP BY, that sort of thing. If they’re going to be building DBs, understanding indexes, unique constraints, and foreign keys.

                                                If you’re gonna be my lead database programmer/DB admin/DB architect, I’d want to see understanding of good database design (normal forms, good foreign key relationships, good key choices), CTEs, triggers (in your preferred database), being able to spot when a full table scan might happen, understanding when and how to use precomputed values for future queries, and so on.

                                                1. 4

                                                  The use of aggregate functions, defining new aggregate functions, the various joins, the 3VL truth table, grouping, subselects, CTEs, that kind of thing.

                                                  1. 3

                                                    I like asking candidates

                                                    • find me the employee with the highest salary (entire row, not just the salary) - will usually use sub select with max.
                                                    • find me the employee with the second highest salary - expected to use window function but can still get away with two subquries.
                                                    • find me the employee with the second highest salary in every department - expected to use window with partition.

                                                    If you found a guy that thought about equal values ( rank / dense rank / row number ) you know he did some work. Hire him.

                                                    Haven’t touched joins yet.

                                                    1. 2

                                                      I don’t know window function, but believe that I know join

                                                      1. 3

                                                        It’s well worth the time learning window functions.

                                                        As Maruc Winand (who created use-the-index-luke.com and the newer modern-sql.com) says in his talk on Modern SQL there’s life before windows functions and life after windows functions.

                                                      2. 1

                                                        I’d much prefer lateral joins be used in some of these cases.

                                                      3. 1

                                                        I’ve seen no mention yet of EXPLAIN queries (Or similar operation in other RDMS than Postgresql?). Never been doing a lot of SQL in the past, but lately I had to work with some complexe queries over large dataset and most of my learning involved playing with EXPLAIN [ANALYZE], understanding the result and tweak the base query to fix the performance issue. Once you understand that, you can work from there to find the best index, where to place subqueries, set large enough working memory, etc.

                                                    1. 6

                                                      I guess the author has not used truly horrible UIs like Collabnet. I once sent a link to a file to someone on email. It had all sorts of junk in the URL and after a while clicking on the link did not produce the intended result.

                                                      90% of the time I’m on this page, I’m looking for the history button

                                                      Not me. When I am on a page looking at the code, I need to see the code

                                                      And 90% of the time, it takes me 30 seconds to find it. I would love to get a hold of the analytics for how many people star a repository after looking at a random file buried somewhere in the tree

                                                      30 seconds is possibly an exaggeration. But it is possible that the star button is not removed because of PJAX : https://github.com/defunkt/jquery-pjax. It is probably why Github UI seems ( to me at least ) very fast

                                                      Also missing: any way to even get back to the file

                                                      Try the back button on your browser

                                                      1. 8

                                                        Try the back button on your browser

                                                        Sad state of affairs when the back button has been practically killed off by web UIs.

                                                        My personal banks don’t deal with it at all, though the bank I use for my company fortunately does. Lots of governmental sites break or deny when going back.

                                                        Some sites explicitly tell you not to hit back, as if the developers never heard of idempotence.

                                                        Wonder if this started with having html elements with a javascript call to go back?

                                                        1. 0

                                                          90% of the time I’m on this page, I’m looking for the history button

                                                          Not me. When I am on a page looking at the code, I need to see the code

                                                          You are really just saying the same thing. Both the code and the history button are under several rows of UI stuff.

                                                          Try the back button on your browser

                                                          Good luck. It may work on shithub for now, but many sites break catastrophically when you hit the magic destroy^W back button.

                                                          1. 12

                                                            shithub

                                                            I don’t think you should use shithub. At best it is an annoying addition that doesn’t add anything to your statement and at worst it reduce it to a childish rant and shows you don’t want to engage in serious discussion.

                                                            1. 2

                                                              yeah let’s not do the Micro$haft stuff from the late 90s lol

                                                              1. 4

                                                                MICROS~1 is my favourite from that era. But yeah, it’s all dumb.

                                                                1. 3

                                                                  I hadn’t heard that one before, and found a great explanation from a relic of an internet past… https://everything2.com/title/MICROS~1

                                                                  1. -1

                                                                    MICROS~1

                                                                    Ha, this one should be allowed for historic purposes.

                                                          1. 9

                                                            This website it terribly to use on a mobile device. I wish more sites were plain text…

                                                            1. 18

                                                              To be fair, this website is also terrible on desktop.

                                                              Redacted since it’s unneedly harsh

                                                              1. 9

                                                                I’m a co-founder of SmoothTerminal. Sorry about the performance issues - we just launched a UX/UI refresh and none of us noticed the performance issues until yesterday. Are you on Safari? That’s the only place we’ve been able to reproduce the slow scrolling, and there’s some particularly weird behaviour sometimes (safari web inspector claims an element is where it should be, but it’s painted somewhere else entirely). We’re working on it, and I’m embarrassed that it’s bad. Mea culpa.

                                                                1. 24

                                                                  I shouldn’t have been this harsh. Sometime I forget about the human on the other side of the screen. I’m the one embarrassed, sorry about that.

                                                                  I have this issue at its worst on Chrome on OSX. Using it on Firefox/Linux on my desktop is less worse, but scrolling still feel a bit tampered with.

                                                                  1. 20

                                                                    This is one of the reasons that I like lobste.rs, we all occasionally make poorly thought out or harsh comments, but this is one of the places on the internet where people apologize because they think about the person on the other side. Thanks for making the world decent!

                                                                  2. 5

                                                                    Honestly it’s pretty rough to use on desktop as well. The floating ToC blocks the text in its default, expanded position, and on wide monitors the layout is much wider than seems reasonable. The “reader” view in firefox cleans it up nicely – it just gives raw text with a reasonable column width, which is all anyone wants anyway.

                                                                    1. 6

                                                                      Killing TOC, thanks

                                                                      1. 5

                                                                        Thanks for being responsive!

                                                                        1. 1

                                                                          No problem. We saw some performance gains from that and it was definitely broken in safari, but the real performance gains came from the deploy we just performed - we stopped using background-attachment: fix. That was causing extreme redraw churn. Both needed to be done though really.

                                                                    2. 4

                                                                      FWIW, it is pretty difficult to read with JavaScript disabled (using uMatrix). Perhaps you’re applying styles in JavaScript?

                                                                      1. 2

                                                                        This is what I was thinking too. I just gave up and opted for Reader View in Firefox.

                                                                        1. 1

                                                                          We are, and it’s in support of our themes. We should make sure to ship the default theme by default, but my guess is it’s flipped in js and has no good default fallback. Thanks.

                                                                          1. 1

                                                                            We were accidentally shipping all styles over js. We’re prepping a PR that properly sends the stylesheet now. That’s embarrassing.

                                                                            1. 1

                                                                              Stuff happens! Still displays poorly in Firefox with uMatrix, but maybe you’re still working on the PR.

                                                                              It probably looks fine in e.g. elinks or eww.

                                                                          2. 1

                                                                            Mobile Firefox here, I could see the first paragraph but only the background Blue after that, until I switched to Reader View

                                                                            1. 1

                                                                              What mobile OS? is that happening still? I just tried it on mobile firefox on android and it worked fine, but we also just deployed a bunch of tweaks based on the righteous, justified shellacking we got for performance yesterday.

                                                                              1. 1

                                                                                It works much better now, thanks!

                                                                      1. 2

                                                                        Why are bloom filters so often described as using O(1) space? Given a desired false positive rate, you have to use increasing amounts of space to store more keys. The only sense in which O(1) space makes sense to me is that you don’t dynamically resize the bloom filter. Am I missing something?

                                                                        1. 12

                                                                          They’re O(1) space because they do not increase in size relative to the amount of data you’re trying to store. Yes, you can change the filter size based on the accuracy you desire, but it has an O(1) relationship to the amount of data stored.

                                                                          1. 7

                                                                            This is only true if you’re willing to accept an arbitrarily high false positive rate, which is never true. For any given level of false positives, they require more space for a given number of elements.

                                                                            1. 5

                                                                              And yet Big-O notation don’t take in account how you pick the constant size of you structure. Size remains independant of the number of elements you insert.

                                                                              1. 2

                                                                                It is true because of the definition of Big-O. If you insert a new element into a bloom filter, it does not increase in size. The insert operation of a bloom filter has no impact on its size, therefore it is O(1). If you want to build an implementation of a bloom filter that dynamically resizes as part of insertion, then that would have a different complexity.

                                                                                1. 1

                                                                                  You would need to remember the keys (defeating the purpose of a bloom filter) if you were to dynamically resize, since you’d need to rehash the elements that had already been inserted.

                                                                                  1. 3

                                                                                    You can dynamically grow by creating a new one, inserting new records to it, and checking both.

                                                                                    1. 1

                                                                                      Which is kind of my point, it wouldn’t really be a bloom filter, so it would have different complexity.

                                                                              2. 3

                                                                                It’s really O(k), where k is constant, right? We just don’t always write the k, probably because it might be confusing since some algorithms have parameters other than n in play. So even if k is fifty bajillion million, it’s still constant and n (the number of pieces of data you want to process) never comes into it. For a Bloom filter, n is the number of items you add to the set. No matter how many you add, k never changes.

                                                                                1. 1

                                                                                  You can vary the number of hashes independently of the number of bits used. For a given size, raising the number of hashes will initially lower the false positive rate, then lower it (in the extreme case, with enough hashes, every element will have every bit set).

                                                                                  1. 3

                                                                                    I think the point is that you don’t vary the number of hashes or bits. You set them up-front. It’s OK that the probability of a false positive goes up as you add items, that’s the nature of the algorithm.

                                                                                    Wikipedia says basically what I said above, though note that in this case k is actually the number of hash functions. But, again, if you set it and forget it, k is constant.

                                                                                    Bloom filters also have the unusual property that the time needed either to add items or to check whether an item is in the set is a fixed constant, O(k), completely independent of the number of items already in the set.

                                                                                2. 2

                                                                                  You are correct, but people also oddly enough describe a hash table O(1) when it suffers from the same problems.

                                                                                  It’s ironic that most data structure shibboleth statements are at best oversimplifications and at worst lies.

                                                                                  1. 2

                                                                                    Sorry, isn’t a resizable hash-table really amortized O(1) for insert and average O(1) for lookup (assuming the hashing operation is itself constant-time—and if it’s not then it’s still O(m), where m is something like the size of the keys, not the number of keys used)?

                                                                                    1. 2

                                                                                      Absolutely! I don’t know about you but I find that the effects of resizing and the differences between worst case complexity and amortized complexity are rarely, if ever, discussed in the standard algo interview.

                                                                                      1. 3

                                                                                        It does happen in practice too… A long time ago, I remember that a coworker submitted patches to GNU Make for “badly sized hash tables” that led to O(n^2) performance on huge Makefiles. And I was like “huh that happens for real” :)

                                                                                        I think “old-style C” is usually lazy about their hash tables, because it’s hard to write a reusable one, and writing one with the “proper” big-O takes significant effort. Every program has its own.

                                                                                        For example, I think I heard that the initial version of the C linker only considered the first 6 characters. The only reason I can think of this is implementation simplicity, i.e. laziness :)

                                                                                        https://stackoverflow.com/questions/38035628/c-why-did-ansi-only-specify-six-characters-for-the-minimum-number-of-significa

                                                                                        And PHP’s hash function for identifiers was the strlen!!! Which obviously causes a lot of collisions. And it apparently influenced the language design:

                                                                                        https://news.ycombinator.com/item?id=6919216

                                                                                        I’ve been reading a lot of old C code lately, and the difference between theory and practice leaves me amused and occasionally horrified :-/

                                                                                      2. 1

                                                                                        This is super pedantic,and I’m not super sure about this:

                                                                                        Since you can have arbitrary memory, and arbitrary amount of elements in your hash table, to store n elements you need to be able uniquely identify each element, which means an identifier of length O(log n). Reading this identifier takes O(log n), so insertion and deletion are O(log n).

                                                                                  1. 9

                                                                                    This has a problem that may not be immediately obvious: As soon as one of your passwords gets breached you have a public hash of your master password in public that can be attacked via brute force. So one brute forced password leads to access to all of your accounts.

                                                                                    Thus unless your master password is extremely secure (impractical to be bruteforced) this whole concept is very risky.

                                                                                    I wouldn’t recommend such a scheme.

                                                                                    1. 4

                                                                                      I think more problematically even, this scheme also prevents users from effectively changing their passwords on websites where databases get breached & passwords exfiltrated.

                                                                                      To change that password, you have to change the “master” password (or, more realistically, have 2 master passwords) and remember that again.

                                                                                      It doesn’t seem very effective for keeping people safe in the real world.

                                                                                      1. 2

                                                                                        Not true, each password has a “version” which I believe does something like tack on a version number to the scrypt input. A more robust way to do it would be to iterate a random salt input, or to use a one-way hash function on a KDF chain (similar to key ratcheting).

                                                                                        1. 3

                                                                                          The user would now have to remember a version for each website then instead, doesn’t sound very practical. Unless you store it but then the premise of this kinda flies out the window.

                                                                                          1. 1

                                                                                            No, the app remembers it. JS localStorage or similar. Not sure how the other version (ios, etc) handle it.

                                                                                            1. 4

                                                                                              Yes, but as mentioned; this throws out the part that the app doesn’t store anything.

                                                                                              1. 2

                                                                                                Compute secure passwords without storing them [passwords] anywhere

                                                                                                You still have to store the web sites configuration somewhere (Password length, required character, version, etc).

                                                                                                1. 3

                                                                                                  I don’t think in that case you win anything significant over storing the password itself. Using a password database, you can also use custom passwords (ie when you import old passwords or are given passwords) and with a strong vault password it should have equivalent security.

                                                                                          2. 1

                                                                                            So I guess you end up tacking a number to the end of your password and get to remember that, per site. I guess that’s not too bad, but I still wouldn’t call it great.

                                                                                        2. 1

                                                                                          One would have to know that such a scheme is being used to begin to attempt attacking it though which is likely never the case for general website passwords.

                                                                                          1. 3

                                                                                            Unless you see every “required” character in the first characters of a password, until they fix that bug (unless I’m wrong that it works like that, I only read it quickly).

                                                                                            Any password solution which get less robust the more popular it is, is a bad one.

                                                                                        1. 10

                                                                                          Ok because it isn’t documented anywhere (which is crazy) the process is:

                                                                                          raw = scrypt(master pw + domain + username)

                                                                                          index alphabet with bytes of raw to get random chars

                                                                                          also if you use “required” characters, it looks like they’ll all be at the front of the password, which if true is a bug.

                                                                                          Where is the security design doc?!

                                                                                          Also it encrypts with CBC+HMAC with scrypt(master) for the keys for AEAD. “Without storing them anywhere” == in JS localStorage?

                                                                                          1. 4

                                                                                            also if you use “required” characters, it looks like they’ll all be at the front of the password, which if true is a bug.

                                                                                            Doesn’t sounds like a bug to me. If H(x) is secure, so is y + H(x).

                                                                                            1. 1

                                                                                              The password space is much smaller if the required characters can only be permuted at the beginning of the password. If they’re allowed to be permuted anywhere in the generated string, there are many more possible passwords. It’s not necessarily problematically small, but it’s weird to reduce the pw space so much unnecessarily.

                                                                                              Is H(x) a hash? That sentence doesn’t represent what the code is doing.

                                                                                              1. 1

                                                                                                If H(x) has a more than big enough password space, trying to permute the required characters anywhere in H(x) is unneeded complexity for a few extra bits of security.

                                                                                                For what it’s worth, many time simplicity means better security, and in this case if you really want extra password space, just make H(x) better with proven cryptographic functions, don’t waste complexity on homemade algorithm that permute a bunch of characters in the password.

                                                                                                1. 1

                                                                                                  I guess it’s an implementation question. In my mind, my suggested version is simpler/less complex - but that’s me.

                                                                                                2. 1

                                                                                                  I don’t see the issue unless your password length is very limited.

                                                                                              2. 1

                                                                                                “raw = scrypt(master pw + domain + username)”

                                                                                                Although not a cryptographer, I always liked indirection between secrets and public stuff. I’d rather them do something to the password before it’s combined with domain and username. Maybe something with them, too.

                                                                                                1. 2

                                                                                                  That’s what scrypt does. Take the secrets and public stuff, salt them, and hash it into something that’s difficult to find the preïmage for.

                                                                                                  1. 1

                                                                                                    I know what it does. What Im talking about is an operation on the secret first. Then, that is combined with public data in another operation.

                                                                                                  2. 1

                                                                                                    Same (regarding qualifications) but it’s historically not a terrible idea. e.g. If you’re in a context where secrets are compressed next to public values, the compression ratio can leak secrets. But it’s also important to keep things simple, so I guess it depends on context.

                                                                                                1. 5

                                                                                                  Not to be overly criticial, but I’m not entirely sure what problems are solved by this - or, more accurately, why.

                                                                                                  From the bullet points on the website I gather

                                                                                                  GPU rendering for scrolling

                                                                                                  This is not a problem I ever had with any terminal emulator. Anywhere (well, except maybe Windows). I’ve had scrollback buffers be too small, but never had problems actually scrolling. And I have a lot of long-running terminal sessions.

                                                                                                  Threaded rendering to minimize input latency

                                                                                                  In my experience, threads don’t really do anything for non-multiplexed sources such as keyboards. And even for multiplexed sources, they mostly do more harm than good.

                                                                                                  Supports […] features: “Graphics (images)”

                                                                                                  why?

                                                                                                  unicode, true-color, OpenType ligatures, mouse protocol, […]

                                                                                                  so does urxvt

                                                                                                  […] and several new terminal protocol extensions.

                                                                                                  Not sure this is a good thing. (Insert XKCD about (n+1) Standards here)

                                                                                                  tiling multiple terminal windows side by side […] without […] tmux

                                                                                                  Which would probably (haven’t checked) require me to learn new keybindings.

                                                                                                  Can be controlled from scripts or the shell prompt […]

                                                                                                  Uh, it’s a terminal emulator. I would expect it can be.

                                                                                                  […] even over SSH

                                                                                                  OK, why though?

                                                                                                  […] Kittens, [….] for example, […] Unicode input, Hints and Side-by-side diff.

                                                                                                  I have a strong dislike of introducing unnecessary home-grown terminology and being all cutesy about it, but even so, if Unicode input is a plugin, I’m not sure about this.

                                                                                                  startup sessions, […] working directories and programs to run on startup.

                                                                                                  So, a shell. I don’t know, I thought this was a terminal emulator

                                                                                                  Allows you to open the scrollback buffer […] for browsing the history comfortably in a pager or editor.

                                                                                                  I’m pretty sure my needs are met with history, C-R and .zsh_history

                                                                                                  1. 21

                                                                                                    […] and several new terminal protocol extensions.

                                                                                                    Not sure this is a good thing.

                                                                                                    It is most certainly a good thing, terminal protocol has been stagnant and–until recently–few terminals got off the couch to implement even basic, ancient features like cursor shaping.

                                                                                                    Teaching users to have higher standards, makes life easier for application developers who must target the lowest common denominator. Kitty, iTerm2, mintty, libvte (gnome-terminal, termite, etc.), and libvterm (nvim, vim, pangoterm) have been raising the bar, so the lowest common denominator is now… higher.

                                                                                                    Just like Internet Explorer 6 held back the web, stagnant terminals hold back terminal applications. urxvt is the IE6 of terminals. Isn’t it a bit ironic that iTerm2/Terminal.app (macOS) and mintty (Windows) have more features than any of the terminals you find on desktop unix?

                                                                                                    (Insert XKCD about (n+1) Standards here)

                                                                                                    Doesn’t apply here. Thomas Dickey (xterm/ncurses) sets the standard, except there’s a loophole: the most popular behavior wins (and applications must swallow it, standard be damned).

                                                                                                    The kitty/libvte/iTerm2/libvterm authors have been cooperating, which means “popular”. And I’ve seen successful efforts to “upstream” choices to Dickey.

                                                                                                    libvterm author has compiled a spreadsheet of known terminal behaviors (contributions welcomed/encouraged).

                                                                                                    1. 6

                                                                                                      I love these new behaviours! until fairly recently, I figured I just can’t do some things in a terminal emulator, and then someone went ahead and implemented proper right-to-left support in one of the mentioned terminals. It’s frustrating to think of how long that’s been broken for me.

                                                                                                      I was sharing this with a group so excited to finally have this feature and someone mentioned like, “I learned to read backwards”. Why should we put up with these barriers in technology? I certainly used computers before I knew English.

                                                                                                      1. 2

                                                                                                        It is most certainly a good thing, terminal protocol has been stagnant and–until recently–few terminals got off the couch to implement even basic, ancient features like cursor shaping.

                                                                                                        I’d rather have those programs just start doing proper graphics, and stop trying to use the terminal as a bad graphics protocol.

                                                                                                        1. 2

                                                                                                          Kitty has implemented several extensions, such as colored undercurl (which is now also implemented in libvte).

                                                                                                          Not to mention “just start doing proper graphics” is meaningless and would discard the actually useful properties of a terminal.

                                                                                                          1. 1

                                                                                                            I’ve always felt that the one advantage of the terminal was the ability to easily pipe data from a program to another (which I would consider a property of the shell rather than a property of the terminal) and that terminal UIs were the worst of both worlds: bad at piping and bad at rendering things. I’m sure you have way more experience with terminals than me though, so I’m wondering if you could expand on what you think the useful properties of a terminal are.

                                                                                                      2. 20

                                                                                                        I agree that reading the feature list seems like a confusing mix of shell feature plugged into a tty. However,

                                                                                                        Supports […] features: “Graphics (images)”

                                                                                                        why?

                                                                                                        Why not? Why isn’t there a “standard” yet to output graphics in my tty? Wouldn’t it be nice to ls --thumbnails and have a list of thumbnails for images? icat images? Preview graphviz result? Have a dropdown with a preview when I hover a path in Vim and hit a shortcut? I don’t see why we still can’t do any of this nowadays. I for one would welcome graphics in my terminal.

                                                                                                        1. 4

                                                                                                          As a security minded user I would argue with separation of concerns. Image formats have long been a prime attack vector due to their internal complexities. I would not like a terminal emulator to be concerned with parsing image files, a task which specialized tools still get wrong sometimes. Sandboxing/Jailing the image rendering process would also mean confining the terminal emulator. I also would like a very good terminal emulator, not a pretty meh image viewer with terminal capabilities.

                                                                                                          Continuing down this road, where do you stop? SVGs support animation and scripting, should my terminal emulator pull in V8 or an entire chromium instance to run it? What are the implications of that? (And I’m aware that sadly that is exactly what many developers already do).

                                                                                                          1. 4

                                                                                                            It’s possible to implement graphic support in other ways. Looking at Kitty, the protocol make it so the terminal emulator only require bitmap capabilities. All image parsing is done by the process writing to the tty. SVG support can be done simply by rendering it as bitmap. Animation can be done the same way they are done with text. No need for complexity or trade security for something else when you properly design something.

                                                                                                            1. 1

                                                                                                              That would be a good idea, yes.

                                                                                                              Sadly, good (software) design has become something of an exception these days :)

                                                                                                          2. 3

                                                                                                            I have a strong dislike of introducing unnecessary home-grown terminology and being all cutesy about it, but even so, if Unicode input is a plugin, I’m not sure about this.

                                                                                                            I have found the kittens interface to be the best plugin/scripting interface of any terminal I’ve ever used.

                                                                                                            The unicode input kitty allows you to insert by code point, and search/browse by character name. Think of it as vim’s digraph selector on steroids. It’s pretty cool.

                                                                                                            The kitten system is also simple enough for me to write a quick password manager (using the OS keychain) in 150 lines of python (including a bunch of unnecessary stuff like “press any key to continue” and tab completion). I tried writing an iTerm plugin once, and I gave up quickly.

                                                                                                            Kitty strikes a remarkably good balance between minimal (and low overhead) and fully-featured. I’m not sure it solves any unsolved problem per se, but it strikes a perfect balance for me. I think that’s because I’m not as interested in configuring my terminal as I’d need to be for urxvt to suit me perfectly, but I am interested in playing with very particular things.

                                                                                                            1. 1

                                                                                                              I run Terminology for irssi, despite using XFCE4, because it can display images from URLs overlaid onto the terminal.

                                                                                                              I don’t really love Terminology that much, or maybe it’s gotten otherwise better with eg. tabs since the ancient version I’m stuck with, so it is strange no one else is doing these cool things. Not even as an opt-in thing.

                                                                                                            2. 7

                                                                                                              If you don’t understand, you don’t have to use it!

                                                                                                              Uh, it’s a terminal emulator. I would expect it can be.

                                                                                                              You should read more about what that means:

                                                                                                              https://sw.kovidgoyal.net/kitty/remote-control.html

                                                                                                              1. 6
                                                                                                                […] and several new terminal protocol extensions.
                                                                                                                

                                                                                                                Not sure this is a good thing. (Insert XKCD about (n+1) Standards here)

                                                                                                                Considering that the currently used standard for terminal input still relies on timing for the alt modifier and that it cannot do lossless input (see <tab> and <ctr+i> being the same for example), I’d argue that a new standard is very much needed.

                                                                                                                I’m pretty sure my needs are met with history, C-R and .zsh_history

                                                                                                                That has little to do with history which is only about the commands you’ve entered and not their output. With kitty I can open the entire contents of the scrollback in my favourite text editor (kakoune if you’re asking), to do powerful text manipulation, instead of being constrained by whatever primitives the terminal implemented (for example, termite’s limited vim mode). After all the scrollback is just a big buffer of text so opening it in a text editor is particularly suitable.

                                                                                                                1. 1

                                                                                                                  if Unicode input is a plugin

                                                                                                                  That probably refers to something fancy like an emoji picker or something. Definitely not to just typing non-ASCII characters from the keyboard.

                                                                                                                1. 18

                                                                                                                  this is what happens when I click the link https://imgur.com/a/dBxmMmV

                                                                                                                  can we have a discussion about potentially not allowing links to sites that do this?

                                                                                                                  There are all sorts of places you can host your content that don’t do this.

                                                                                                                  1. 11

                                                                                                                    I would fully support banning or warn-tagging crappy sites like medium. In the meantime I highly suggest: https://github.com/yourduskquibbles/webannoyances

                                                                                                                    1. 4

                                                                                                                      You just changed my life

                                                                                                                      1. 2

                                                                                                                        :D

                                                                                                                        I know what you mean, I just discovered it myself a couple of weeks ago.

                                                                                                                      2. 2

                                                                                                                        Disabling JavaScript on medium.com and other blog/news sites also works very well. Though there are some hilarious cases where you get a completely white/empty screen because a website ‘requires’ JavaScript to display any text at all.

                                                                                                                        1. 2

                                                                                                                          I’ve found the blank page issue to happen more often than not. You usually also end up not getting any images (except maybe an unrelated hero image at the top) without JS.

                                                                                                                          Although one example for your argument: disabling all JS on techcrunch makes for the best reading experience on any modern news website. I almost think it has to be intentional.

                                                                                                                          1. 1

                                                                                                                            I’ve found the blank page issue to happen more often than not

                                                                                                                            Really? I get it maybe once out of every 2-3 dozen articles I try to open. Then again, maybe I’ve conditioned myself to recognize and ignore sites that tend to do this.. In any case, it’s their loss since they are likely overpaying some web developer to write and maintain piles of java script just to display text.

                                                                                                                        2. 2

                                                                                                                          There is a medium specific one called Make Medium Readable Again, which I have also found super useful.
                                                                                                                          In addition, it removes the dickbar nonsense.

                                                                                                                        3. 4

                                                                                                                          💯, one question about the flagging guidelines. Is it valid to flag medium links as spam or am I stretching the definition?

                                                                                                                          1. 6

                                                                                                                            Seems to me like a stretch. Like it or not, many people still find interesting content on medium and many times it ends up with good discussion. The platform might be annoying but you can always use plugins or skip it.

                                                                                                                          2. 3

                                                                                                                            Reminds me of Websites in 2018.

                                                                                                                          1. 2

                                                                                                                            On the HN version, syrusakbary chimed in to add they were working on something similar with a focus on maintainability. They also got Ngnix running. Reposting here in case any wasm fans find it interesting.

                                                                                                                            1. 3

                                                                                                                              Their claims seem to be exaggerated. They don’t have fork() or sigaction() working, it’s not a very useful server without them. Wasmjit is also focused on maintainability, I’m not sure what they mean by that.

                                                                                                                              1. 1

                                                                                                                                Wasmjit: it promised something similar to our goals, but after digging and trying to contribute to it we realized that all the architecture-specific instructions were hardcoded into the runtime itself. This meant a very steep process to implement WebAssembly instructions, and a considerable effort when reaching other architectures (basically the same effort as creating an IR engine like LLVM by hand). And sadly, the library didn’t have either a single test.

                                                                                                                                Seems pretty clear-cut to me, though I can’t comment on its veracity.

                                                                                                                                1. 2

                                                                                                                                  I was referring to their claims on “creating the first WebAssembly runtime able to run Nginx” which is exaggerated since they haven’t implemented a whole slew of critical functionality.

                                                                                                                              2. 3

                                                                                                                                They also posted something today about it and a quick comparaison to the other project including wasmjit: https://medium.com/@syrusakbary/running-nginx-with-webassembly-6353c02c08ac

                                                                                                                              1. 5

                                                                                                                                I would argue the point that since Blink Edge was a closed-source blob supported on a small subset of users’ platform, the negative impact of losing it is much much less than say Servo. Could it be possible moving over to Chromium’s engine will make it easier for Microsoft to influence the web since it can push its changes upstream to the most widely used engine and being open-source, they are much easier to be picked up and reproduced by other engine as well?

                                                                                                                                1. 1

                                                                                                                                  I think you mean Edge, not Blink :-)

                                                                                                                                  1. 1

                                                                                                                                    That’s right! Need more coffee.

                                                                                                                                1. 27

                                                                                                                                  I think people talking about inspecting the source before installing dependencies are being unreasonable to some degree.

                                                                                                                                  1. The malicious code was present only in the minified version of the code. I suppose the red flag that tipped the reporter was the lack of history/popularity of the repository in question, but it doesn’t have to be like that
                                                                                                                                  2. It can be released to npm in a way that’s not evident to casually browsing the github repo
                                                                                                                                  3. There isn’t even any guarantee that the code on npm matches what’s on github at all

                                                                                                                                  Meaning the ways to be safe are:

                                                                                                                                  1. Hand-inspect the code in your node_modules directory (including — or especially— those that may be minified); or
                                                                                                                                  2. Don’t use npm at all.

                                                                                                                                  I don’t see these people (nor myself) doing either. From which it follows:

                                                                                                                                  Any company desiring to buy into the so-called “modern” front end development (be it for productivity, performance or hiring purposes) does so by making itself vulnerable to attacks such as this.

                                                                                                                                  I don’t know if that’s a reasonable price to pay to use, say, React, but it sure isn’t reasonable to me to pay that to use Node (versus, say, Golang, which can reasonably be used to build the same kinds of apps using little more than the standard library).

                                                                                                                                  1. 21

                                                                                                                                    The malicious code was present only in the minified version of the code. I suppose the red flag that tipped the reporter was the lack of history/popularity of the repository in question, but it doesn’t have to be like that

                                                                                                                                    One more reason for reproducible builds… minified JS should be treated like compiled code and automated mechanisms should check if it matches the unminified version…

                                                                                                                                    1. 6

                                                                                                                                      This, a thousand times this. I can’t comprehend the reasoning that goes into committing derived code into source control. It’s a pain to remember to update it every time you commit, it’s hard to verify the code matches the original source and just pollutes the history. Diffing is mostly undoable too.

                                                                                                                                      1. 3

                                                                                                                                        I think the reasoning is to avoid build dependency. For some time, it was a usual practice to include Autoconf-derived configure script in release artifacts, so that users can avoid installing Autoconf.

                                                                                                                                        1. 1

                                                                                                                                          Yeah, that’s annoying too (and a lot of projects still do it even though it’s not really good practice), but at least configure scripts don’t tend to/need to change with every single code change like these minified files do.

                                                                                                                                          1. 1

                                                                                                                                            generated autoconf configure scripts are pretty easy to read, I can say there were times I preferred them over the m4 source.

                                                                                                                                      2. 11

                                                                                                                                        It would be really nice if the package repositories (npm/pypi/rubygems/etc) did something:

                                                                                                                                        • try to automatically detect obfuscated code
                                                                                                                                        • stop letting maintainers upload packages from their dev machines, make sure any compilation happens on a public CI environment from a known git tag (this would also encourage non-compiled packages, i.e. just direct snapshots of git tags)
                                                                                                                                        • have some popularity threshold for packages beyond which manual review from a trusted group of reviewers is required for each new release
                                                                                                                                        • (also why not require the git tags to be gpg signed for these popular packages)
                                                                                                                                        • maybe rethink the whole package handover thing, maybe only allowing “deprecation in favor of [a fork]” (i.e. requiring every update to be manual) is good
                                                                                                                                        1. 3

                                                                                                                                          I wouldn’t even check the node_modules output either as package installation can execute arbitrary code (node-gyp, other node bindings producing code)

                                                                                                                                          1. 4

                                                                                                                                            I agree with you!

                                                                                                                                            People seems to like to hit on npm, but I don’t see how the core issue is different than say Pypi, Cargo or Go (Other than the issues you raised). I personnaly take easy and simple dependancies management over C/C++ fragmented package management because most of my project are not security critical anyway or my threat model doesn’t include targeted code injection in my stack.

                                                                                                                                            I find it annoying when people look at those issues and some fault is put on the maintainers. Maybe the issue is not that one of your application’s thousands of dependancies compromition, but the fact that your risk management for your wallet application relies on thousands of unvetted dependancies…

                                                                                                                                            Meaning the ways to be safe are:

                                                                                                                                            I guess a first start would be to gather a bunch of useful and common repositories and ensure they and all their dependancies are well vetted and signed by the maintainers for each release and prevent any new dependancies from being pulled in without proper review and ensuring those dependancies use the same process. Documenting and enforcing such process for a subset of widely used dependancies would allow to trust a few organization and avoid to code review any dependancies I pull in in my own project. I guess most distribution core repositories has similar process like Arch maintained packages vs AUR.

                                                                                                                                            1. 8

                                                                                                                                              Pypi absolutely has the the same potential issues, though in practice I think the dependency trees for popular projects are way smaller than what you get in the node ecosystem. So you’re much less likely to be hit by a transitive vulnerability. To me this is one of the advantages of a fairly comprehensive standard library, and a relatively small number (compared to node, at least) of popular, high quality third-party libraries that get a lot of eyeballs.

                                                                                                                                              1. 11

                                                                                                                                                On top of that, a lot of Python code is deployed to production by system engineers. Often it’s vetted, built, tested and baked in by distributions - and the same is true for other non-web languages.

                                                                                                                                                javascript, on the other hand, is more often deployed by the upstream developer and thrown at web browsers straight away without any 3rd party review.

                                                                                                                                                1. 3

                                                                                                                                                  Definitely! But that somehow happened to be this way. It would be nice to look at the social side as to why Python ended up this way while nothing prevented it from ending up like NPM. Maybe some key aspect of the tooling drive the trend one way or the other or it might be just the community (Python being much older and the tooling has seen a lot of changes over the years).

                                                                                                                                                  I would be looking forward to a someone doing a graph analysis of a few package repositories across languages and find some way to rate them and put some risk on packages. How many and how deep does their dependancies go? How many of them are maintained by external maintainer? Sounds like I found myself a new week-end project…

                                                                                                                                                  1. 12

                                                                                                                                                    Python has a decent class library. Good libraries that have general use migrate back into that class library, in some fashion or another. Thus, third party libraries don’t have to have long dependency chains to do anything.

                                                                                                                                                    What NPM forgot was that this was the fundamental idea that made package management useful. This stretches back to the early days of Java, at least, and I’m sure you can find other similar examples. By having a rich class library which already provides most of what you need, you’re simply going to layer on dependencies to adapt that framework to your specific business needs. Java, .NET, Ruby, Python- they all have that going for them. JavaScript simply does not. So half the Internet unwittingly depends on leftpad because a dependency of a dependency of a dependency needed it, and there wasn’t anything in the core library which could do it.

                                                                                                                                                    1. 1

                                                                                                                                                      Maybe some key aspect of the tooling drive the trend one way or the other or it might be just the community (Python being much older and the tooling has seen a lot of changes over the years).

                                                                                                                                                      I think this is a big part of it — Python’s tooling is generally less capable than the Node ecosystem’s.

                                                                                                                                                      To this day Pip doesn’t have a dependency resolver, so the result of installing a dependency tree with conflicts at the transitive dependency level isn’t an error, but an arbitrary version getting installed. You can only have a single version of a Python module installed, too, because they are global state. Contrast with how npm has historically (still does?) install multiple versions of a package, effectively vendoring each dependency’s dependency tree, transitively.

                                                                                                                                                      Additionally, publishing Python packages has long been messy and fraught. Today there is decent documentation but before that you were forced to rely on rumors, hearsay, and Stack Overflow. Putting anything nontrivial on PyPI (e.g., a C extension module) is asking for a long tail of support requests as it fails to install in odd environments.

                                                                                                                                                      I think the end result was a culture that values larger distributions to amortize packaging overhead. For example, the popular Django web framework long had a no-dependencies policy (if dependencies were required, they were vendored — e.g. simplejson before it entered the standard library).

                                                                                                                                                      Regardless of the reasons for it, I think that this is healthier than the Node culture of tiny dependencies with single contributors. More goes into distributing software than just coding and testing — documentation, support, evangelism, and legal legwork are all important — but tiny libraries have such limited scope that they’ll never grow a social ecosystem which can persist in the long term (of course, even Django has trouble with that).

                                                                                                                                                      1. 1

                                                                                                                                                        You can only have a single version of a Python module installed, too, because they are global state.

                                                                                                                                                        That’s actually a pretty good point I think. I have fought myself a few time against Pip due to conflicting versions. It does benefits library with fewer dependancies.

                                                                                                                                                  2. 1

                                                                                                                                                    While I’m not generally a fan of it, I think minimal version selection that’s planned for the future go package manager would make this attack spread much more slowly.

                                                                                                                                                1. 41

                                                                                                                                                  Wow, that’s pretty terrible.

                                                                                                                                                  On the other hand, I can’t help but to feel sorry about Dominic, we all make mistakes, this public shaming is pretty violent.

                                                                                                                                                  I guess we should sometimes take some time off to read the license before using a library:

                                                                                                                                                  THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

                                                                                                                                                  (F)OSS is not a consumer good.

                                                                                                                                                  1. 11

                                                                                                                                                    I agree that shaming people is toxic and unproductive. No one wants to be shamed and no one is perfect.

                                                                                                                                                    But I see another dimension to the negative responses Dominic has received. Non-hierarchical, self-governing communities like open source software are organized by social norms. Social norms work through peer pressure - community members conform to the norms of the community not because they are compelled to by law but because it would cost them standing in the community not to. This isn’t inherently good. Some norms are toxic and self-policing via peer pressure can lead to shaming. What I see in some of the critical comments addressed to Dominic is an attempt to establish a clear social norm about what to do when you are ready to abandon a package. The norm is desirable because it increases the general level of trust. Even if the landscape is generally untrustworthy, you can have some confidence that people aren’t handing their packages off to strangers because it’s the norm not to do that. The desire for some norm here, whatever it is in the end, is reasonable.

                                                                                                                                                    Ending the discussion with “don’t worry about it Dominic, everyone makes mistakes, and anyways you’re not liable for it” signals to everyone that they’re not responsible for the consequences of what they do. In a strictly legal sense, that might be true. Even then, I’m skeptical that the warranty clause would cover negligence in the distribution of the software rather than the software itself. But in either case, don’t we want a community where people do feel responsible for the actions they take and are open to receiving feedback when an action they’ve taken has a bad result? This dialogue can occur without shaming, without targeting anyone personally, and can be part of the same give-and-take process that produces the software itself.

                                                                                                                                                    1. 7

                                                                                                                                                      Blaming people in any security issue is toxic, no matter what happens. In any organization with paid people where you should expect better, the most important rule of a post-mortem is to remain blameless. It doesn’t get anyone anywhere and doesn’t get remotely close to actual root cause. Instead of asking about why Dominic gave away a critical package, people should be asking why some random maintainer were able to give away a critical package.

                                                                                                                                                      Ending the discussion with “don’t worry about it Dominic, everyone makes mistakes, and anyways you’re not liable for it” signals to everyone that they’re not responsible for the consequences of what they do.

                                                                                                                                                      By putting blame on Dominic, people are not taking responsibilities. The main issue is that many core libraries in the JavaScript ecosystems still depends on external, single-file, non-core, likely unmaintained library. People who should take responsabilities are the ones who chose to add a weak single point of failure by depending on event-stream.

                                                                                                                                                      1. 2

                                                                                                                                                        It depends what you mean by blame. If you mean assigning moral responsibility, especially as a pretext for shaming them, then I agree it’s toxic. I think I was clear that I agree this shouldn’t happen. But if blame means asserting a causal relationship between Dominic’s actions and this result, it’s hard to argue that there isn’t such a relationship. The attack was only possible because Dominic transferred the package. This doesn’t mean he’s a bad person or that he should be “in trouble” or that anything negative should happen to him as a consequence. A healthy social norm would be to avoid transferring packages to un-credentialed strangers when you’re ready to abandon the package because we’ve seen this opens an attack vector. Then what’s happened here is instructive and everyone benefits from the experience. And yes, ideally these dilemmas are prohibited by the system. Until that is the case, it helps to have norms around the best way to act.

                                                                                                                                                        1. 1

                                                                                                                                                          I understand you don’t condone the attacks and shaming going around. However I would argue that even if you agree that the blaming is toxic, that building some social norm around it is better than nothing, I believe that even hinting that it was somehow Dominic’s fault is a net negative.

                                                                                                                                                          The attack was only possible because Dominic transferred the package.

                                                                                                                                                          This is exactly what I’m condoning. By looking at individual and their action you scope the issue at that level. The attack was taking over a dependancy. It is possible to do so in so many way, especially for packages such as Dominic’s. This time it was a case of social engineering, next time it might as well be a case of credential hijacking, phishing or maintainer going rogue.

                                                                                                                                                          A healthy social norm would be to avoid transferring packages to un-credentialed strangers when you’re ready to abandon the package because we’ve seen this opens an attack vector.

                                                                                                                                                          I would say pushing this rethoric is actually unhealty and only lead people to rely on those social norm and use it as an excuse to disown their accountability. It would be much healthier to set expectation right and learn proper risk assessment about dependancies management.

                                                                                                                                                          Then what’s happened here is instructive and everyone benefits from the experience. And yes, ideally these dilemmas are prohibited by the system. Until that is the case, it helps to have norms around the best way to act.

                                                                                                                                                          The same issue have come up so many time in the past few years, especially in the NPM ecosystem, it should be well past the “learn from the experience” and I believe it’s time the relevant actors actually move toward a solution.

                                                                                                                                                    2. 17

                                                                                                                                                      I’ve done a similar thing before. After leaving the Elm community, I offered to transfer most of my repos over to the elm-community organisation. They accepted the most popular ones, but not elm-ast (and maybe one or two others). A few months later I received an e-mail from @wende asking if he could take over so I took a look at his profile and stuff he’s done in the past and happily gave him commit access thinking users would continue getting updates and improvements without any hassle. Now, @wende turns out to be a great guy and I’m pretty sure he hasn’t backdoored anyone using elm-ast, but I find it hilarious that people somehow think that maintainers should be responsible for vetting who they hand over control of their projects to or that they could even do a good job of it OR that it would even make any sort of a difference. Instead of trusting one random dude on the internet (me) you’re now trusting another.

                                                                                                                                                      Don’t implicitly trust random people on the internet and run their code. Vet the code you run and keep your dependency tree small.

                                                                                                                                                      1. 25

                                                                                                                                                        Vet the code you run

                                                                                                                                                        Or trust well-known, security-oriented distributions.

                                                                                                                                                        keep your dependency tree small

                                                                                                                                                        Yes, and stay away from environment, frameworks, languages that force dependency fragmentation on you.

                                                                                                                                                        1. 4

                                                                                                                                                          Or trust well-known, security-oriented distributions.

                                                                                                                                                          That too! :D

                                                                                                                                                          1. 3

                                                                                                                                                            and stay away from […] frameworks

                                                                                                                                                            I wouldn’t say that as absolutely for the web. I suspect that things would likely go a lot more haywire if people started handling raw HTTP in Python or Ruby or what have you. There’s a lot of stuff going on under the hood such as content security policies, CSRF protection and the like. If you’re not actively, consciously aware of all of that, a web framework will probably still end up providing a net security benefit.

                                                                                                                                                            1. 5

                                                                                                                                                              Please don’t quote words without context:

                                                                                                                                                              […] that force dependency fragmentation on you

                                                                                                                                                              Frameworks and libraries with few dependencies and a good security track record are not the problem. (If anything, they are beneficial)

                                                                                                                                                              1. 2

                                                                                                                                                                I interpreted “Yes, and stay away from environment, frameworks, languages that force dependency fragmentation on you.” as (my misunderstandings in brackets) “Yes, and stay away from [(a) integrated development] environments, [(b)] frameworks, [(c)] languages that force dependency fragmentation on you.” with a and b being separate from the “that” in c.

                                                                                                                                                                I apologize for the misunderstanding caused.

                                                                                                                                                            2. 2

                                                                                                                                                              Isn’t it the case that reputable, security-focused distributions acquire such status and the continuity thereof by performing extensive vetting of maintainers?

                                                                                                                                                              The responsible alternative being abandoning the project and letting the community fork it if they want to.

                                                                                                                                                              1. 1

                                                                                                                                                                Or trust well-known, security-oriented distributions.

                                                                                                                                                                Then how do You deal with things like that: “The reason the login form is delivered as web content is to increase development speed and agility” ?

                                                                                                                                                                1. 2

                                                                                                                                                                  As a distribution? Open a bug upstream, offer a patch, and sometimes patch the packaged version.

                                                                                                                                                                  1. 1

                                                                                                                                                                    That’s a good idea in general but sometimes the bug is introduced downstream.

                                                                                                                                                            3. 9

                                                                                                                                                              Most proprietary software also comes with pretty much the same warranty disclaimer. For example, see section 7c of the macOS EULA:

                                                                                                                                                              https://images.apple.com/legal/sla/docs/macosx107.pdf

                                                                                                                                                              I mean, have we held accountable Apple or Google or Microsoft or Facebook in any substantial ways for their security flaws?

                                                                                                                                                              1. 4

                                                                                                                                                                In many other products accountability is enforced by law and it overrides any EULA. And that is tied to profit in the broad sense: sales or having access to valuable customer data & so on.

                                                                                                                                                                Software companies got away with zero responsibility and this only encourages bad software.

                                                                                                                                                                1. 1

                                                                                                                                                                  And how have we enforced that by law for those companies, regardless of what those EULAs have said? When macOS allowed anyone to log in as root, what were the legal consequences it faced?

                                                                                                                                                                  1. 3

                                                                                                                                                                    other products

                                                                                                                                                                    e.g. selling cars without safety belts, electrical appliances without grounding…

                                                                                                                                                              2. 2

                                                                                                                                                                It is a security disaster given how easy it is for js stuff to hijack cookies and sessions.

                                                                                                                                                                1. 1

                                                                                                                                                                  It really isn’t if a well thought out CORS policy is defined.

                                                                                                                                                              1. 12

                                                                                                                                                                I find Safari’s “Reader View” to be acceptable most of the time, although it’s nice to see someone taking Medium back to what it was regardless.

                                                                                                                                                                1. 17

                                                                                                                                                                  Firefox has the same feature which I use extensively without any issues.

                                                                                                                                                                  1. 5

                                                                                                                                                                    I find myself usually just sending long Medium pieces directly to Pocket, and then I’ll read them later on my phone during a spare moment.

                                                                                                                                                                    The Pocket reformatter gives up too easily in my experience but does an adequate job at Medium (only really breaks pull quotes).

                                                                                                                                                                    1. 5

                                                                                                                                                                      On mobile the reader mode is a blessing. Instead of accepting the cookie policy, closing the app bar at the top, closing the other modal windows and then reading, one click and it’s all gone, clear text, large font an no distractions.