Threads for nogweii

  1. 14

    For those who are not in the know and are otherwise likely to skip over due to a too-quick reading of the title, here’s some additional context (included in the link itself, but summarized here):

    • This is not about Wikipedia being funded
    • Abstract Wikipedia is a new project
    • It’s an ambitious one, with highly technical requirements
    • These technical requirements are risky, per a report

    I didn’t even know about Abstract Wikipedia, and appreciate its vision. Not sure if it’s really that useful, though. And the very real technical concerns suggest it’s, at best, ahead of its time. At worst, an unfortunate example of the complexity of representing the sum of human knowledge and experience in code.

    1. 1

      As somebody who created a bunch of interlingual pages for English WP, I would have loved to have some sort of abstraction for managing them. I seem to recall working on a bunch of pages for individual Japanese kana, for example, and you can see for yourself that those pages have many similar parts which could be factored out using some abstractive system.

    1. 3

      I wonder if the version numbers above 120+ will un-freeze that part of the User-Agent.

      1. 2

        This is an interesting resolution to an open source software case. No monetary compensation, even for legal fees. Instead, a disclaimer must be added everywhere mentioning that the products (Houdini 6 and Fat Fritz 2) are derived from open source software and that they are not allowed to distribute them or any other derivatives for a year. Furthermore, they must hire a “Free Software Compliance Officer”.

        Quite a different result than previous lawsuits I’ve heard about. It seems that the Stockfish authors care more about the recognition and continued sanctity of the license rather than punishing ChessBase.

        1. 2

          Indeed, that’s why I posted it here despite not being sure if it was relevant and confirmed by the initial downvote :)

          I used to hate the copyleft licenses because of their viral nature but having seen companies leeching the work of open-source developers, I’ve come around to using MPL 2 for libraries and GPL 2 for applications.

        1. 31

          Regardless of how someone feels about these changes, they seem to be well implemented and alternatives readily provided through the use of standard formats. It’s nice to see these sorts of changes being communicated clearly and with plenty of time.

          1. 30

            I especially like the “and if you don’t like it, here’s how you can take all your data with you when you go”

            1. 14

              This kind of grown-up attitude & approach is alone sufficient in significantly raising my interest in the platform.

              1. 4

                It’s a really nice platform. I use it exclusively for personal projects now, and I’m loving it. I haven’t done much collaboration on the platform, so I can’t say much about that, but otherwise it’s great.

                I know Drew kind of built a reputation for himself, and think what you want of him, but he’s doing right by FOSS with Sourcehut, I feel.

          1. 4

            This is spam, it’s just a corporate blog post bashing a self-hosted tool and promoting itself: a commercial alternative.

            1. 2

              The thing is that the author of this article is also the main contributor to Bors-NG.

              1. 1

                Also, notice how sloppy people are about quality dollars. There is no discussion of “how much does it cost when it happens”, “how often does it happen”, and “how much does it cost to prevent it”. I suspect that it is not worthwhile except for the largest of large projects.

              1. 21

                I disagree with the response, assuming that the original question was using the original icon font (Font Awesome) as a supplement for their buttons. That is, buttons and other UI elements were composed of a combination of both icon and text. I think that is a likely interpretation given that they have hidden the icons from screen readers.

                In that situation, I think that it’s perfectly acceptable. The ambiguity is mitigated (if not entirely removed) by the text next to the icon. Even with the “risk” that the emojis look out of place compared to the rest of the website, I think it’s still fine. (I’m also of the opinion that websites should conform more to the client’s OS rather than fight against it. That websites should blend in with the rest of the native applications rather than look distinct.)

                1. 14

                  I agree. The answer is responding to a strawman. The question wasn’t if replacing text with emojis was a bad idea, but rather if it was a good idea to replace icons with emojis.

                  Secondly, the response is commenting that older devices or OS might not have the required support, but the question does specify that this is an internal app, so presumably they have control of what devices and what versions of OS the app will run on and can make a decision based on that.

                  Thirdly, the answer is conflating bad design and emoji use. The question is asking if a button with an emoji, for example [✔ OK] would work well as an interface, yet the answer manages to present this as an example where that could be misinterpreted:

                  often 👥 will misinterpret emojis that their peers 📦️➡️ to ➡️👥. ➡️👤 do ❌ 🙏 to have a sudden misunderstanding between 🆗 ➕ apparently also 🆗 emoji like this: 🙆;

                  And finally, they seem to believe the emojis would be inserted in the middle of text strings instead of being consistently formatted as a pictogram for buttons or messages.

                  I give the answer a massive 👎

                1. 8

                  Yeah, SELinux documentation sucks a lot and the error messages leave a ton to be desired. Given the rise of containers and the power available with systemd’s options, I appreciate the post’s title. You can achieve most of the practical benefits alone with either of those solutions.

                  Personally, I still disagree with turning it off, but having a broken and nonfunctional system is worse than an insecure one. So turning it off, temporarily I hope, is usually the right call. (Defense in depth is a nice ideal.)

                  One of the things I’m happy with is that I’ve been able to automate (through ansible) using my own custom policies to apply to systems. Though that did take me weeks of reading documentation and even reading source code to piece together. Ugh. Not everyone is willing to put up with that, I know.

                  1. 24

                    This really feels like the author has a series of (not so good IMO) complaints about WebPKI and then decides to throw it all away since it isn’t perfect for their situation, rather than accepting even incremental improvements.

                    We do not need to have perfect security, just slightly better than yesterday’s.

                    Also, the reason why the earlier free certificate authorities were never trusted was that they were awful at security. StartSSL had major problems that were only revealed by forced audits to continue to be trusted. Before they were accepted though, it was completely trusted by a huge swath of software. The security requirements that browsers and other maintainers mandate to be part of their trusted root programs meant that these free programs didn’t measure up. (Good or bad thing? I think net good, but it does limit the CA industry to only those that can support the ongoing financial burden. That generally precludes those without money from participating.)

                    If you want a free certificate that is not issued by a US firm, check out ZeroSSL. They are an Austrian company, so now you have the EU’s rules to deal with instead.

                    (NB: I’m a former Let’s Encrypt employee. I do have a bias here.)

                    1. 12

                      A long-standing bug in Firefox suddenly got exposed because some service updated their HTTP3 implementation. Possibly on Google or Cloudflare’s side, both of which are used by Mozilla for their infrastructure. And Firefox will check in (unless told otherwise) early on, making it possible to hit the bug very early on. Resulting in Firefox being unable to load any other page with that thread. Ouch.

                      1. 3

                        I was wondering why Firefox was suddenly making my fans go and stop loading anything! Wow, that’s pretty messed up.

                      1. 5

                        This is good, but it, IMO, should be SHA256 or Blake2 instead, which are considered cryptographically strong unlike MD5.

                        1. 2

                          Since this is just a validation script you could theoretically make it generic enough to process a handful of different hash types so that it’s more compatible.

                          1. 2

                            I was just thinking about this, and had two thoughts:

                            • Generalize it by adding a CLI flag to indicate which hashing function is being used. (Something like, -n md5, -n sha256, etc)
                            • And/or also supporting the Multihash format

                            1. 2
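                            As an added example (not the script under discussion in this thread, and not anyone’s posted code), here is what both suggestions look like together: a small verifier that takes a -n flag naming the hash function, compares digests in constant time, and can also read or produce a Multihash (varint code, varint length, digest). The -n flag, the function names and the constructed inputs are assumptions; the Multihash codes for md5, sha1, sha2-256 and sha2-512 are taken from the multicodec table as I remember it and should be checked against it before relying on them.

```python
import argparse
import hashlib
import hmac
import sys

# Algorithms the hypothetical -n flag accepts. md5 stays only because many
# download pages still publish nothing else; prefer sha256 when available.
SUPPORTED = ("md5", "sha1", "sha256", "sha512")

# Multihash/multicodec codes for the same algorithms (assumption: verify
# against the published multicodec table). Wire format is
# <varint code><varint digest length><digest bytes>.
MULTIHASH_CODES = {"md5": 0xD5, "sha1": 0x11, "sha256": 0x12, "sha512": 0x13}
CODE_TO_ALGO = {code: algo for algo, code in MULTIHASH_CODES.items()}


def _varint_encode(n):
    """Unsigned LEB128 varint, as used by multihash."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _varint_decode(buf, pos):
    """Decode one varint starting at buf[pos]; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def digest_hex(data, algo):
    if algo not in SUPPORTED:
        raise ValueError("unsupported hash function: %s" % algo)
    return hashlib.new(algo, data).hexdigest()


def verify_hex(data, expected_hex, algo):
    """Compare against a published hex digest (as a checksum page would show it)."""
    # compare_digest: the expected value is attacker-reachable input, so avoid
    # leaking how many leading characters matched through timing.
    return hmac.compare_digest(digest_hex(data, algo), expected_hex.strip().lower())


def encode_multihash(data, algo):
    if algo not in MULTIHASH_CODES:
        raise ValueError("no multihash code for %s" % algo)
    digest = hashlib.new(algo, data).digest()
    return _varint_encode(MULTIHASH_CODES[algo]) + _varint_encode(len(digest)) + digest


def decode_multihash(mh):
    """Return (algorithm name, digest bytes), rejecting truncated or padded input."""
    code, pos = _varint_decode(mh, 0)
    length, pos = _varint_decode(mh, pos)
    digest = mh[pos:pos + length]
    if len(digest) != length or pos + length != len(mh):
        raise ValueError("multihash length does not match its payload")
    if code not in CODE_TO_ALGO:
        raise ValueError("unknown multihash code 0x%x" % code)
    return CODE_TO_ALGO[code], digest


def verify_multihash(data, mh):
    algo, expected = decode_multihash(mh)
    return hmac.compare_digest(hashlib.new(algo, data).digest(), expected)


def main(argv=None):
    parser = argparse.ArgumentParser(description="verify a file against a published digest")
    parser.add_argument("path")
    parser.add_argument("expected", help="hex digest, or hex-encoded multihash with --multihash")
    parser.add_argument("-n", "--hash", default="sha256", choices=SUPPORTED)
    parser.add_argument("--multihash", action="store_true")
    args = parser.parse_args(argv)
    with open(args.path, "rb") as fh:
        data = fh.read()
    if args.multihash:
        ok = verify_multihash(data, bytes.fromhex(args.expected))
    else:
        ok = verify_hex(data, args.expected, args.hash)
    print("OK" if ok else "MISMATCH")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Usage follows the thread’s suggestion: python verify.py script.sh 5eb6… -n md5 for a site that only publishes MD5, and python verify.py script.sh 1220b94d… --multihash when the publisher ships a self-describing digest; a non-zero exit lets a wrapper refuse to run the downloaded script.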

                              Thought about adding other formats, but considering I was nerd-sniped, I had other things I intended to do today 😅

                              Definitely gonna read up on Multihash, as this is the first time I’ve heard of it.

                            2. 1

                              Feature creep 😁

                              But adding that into the script wouldn’t be too much of an exercise.

                            3. 1

                              You’re absolutely right, but most sites that I’ve come across that use the pattern only provide MD5.

                              I thought about adding a flag to specify the type of sum, but feature creep 😁

                              1. 1

                                Yeah, but how would that help you run a script where the MD5 was provided :)

                              1. 1

                                Does anyone know of a similar tool for Python-based projects? It looks like it could be fairly handy, if not a tad overkill.

                                1. 2

                                  I’m not familiar with a library that provides the --changelog feature out of the box, but it seems like a pretty solid idea to do that.

                                  1. 1

                                    If you are talking about Python projects installable via pip, you can ship the CHANGELOG.md file with the build (read here). After that, you can just write a similar regex for fetching the version numbers as well.

                                    1. 11

                                      There’s also the sorta-equivalent for Linux, as itemized by systemd, which exists as a superset of BSD’s. I don’t think they are particularly well-adopted, but hopefully will be.

                                      1. 5

                                        I read the 200s there as a list of exit codes to avoid using lest my program crashing be mistaken for some specific behaviour which systemd subprocesses exhibit and the daemon has particular expectations about.

                                        1. 3

                                          Shells typically map signal death of a process into $? by taking the signal number and adding 128 to it. So where SIGINT is signal 2, $? will contain 130. Yes, this means that at the shell prompt, you can’t tell the difference, but the use of the higher exit status numbers is rare. On Linux, with a cap of 64 signals, that only blocks 128-192 from being usable by others, but still most Unix software has traditionally avoided the higher numbers.

                                          I see about 3 or 4 which software other than a daemon manager might want to use.
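                                          As an added example, not code from the thread or from any of its participants, the following shows the mapping described above from both sides: a child killed by a signal is reported by the shell as 128 plus the signal number, whereas Python’s subprocess reports it as a negative number, and a decoder that knows the convention can tell a real exit code from a signal death. The function names, the 64-signal cap used as the upper bound, and the sh -c commands are assumptions chosen for the demonstration.

```python
import subprocess

# Highest signal number considered (Linux has 64, so shells use 129..192 for
# signal deaths; this is the cap the comment above refers to).
SIGNAL_MAX = 64


def decode_shell_status(status):
    """Interpret a $? value: ('signal', N) for 128 + N, else ('exit', status)."""
    if 128 < status <= 128 + SIGNAL_MAX:
        return ("signal", status - 128)
    return ("exit", status)


def run_in_shell(cmd):
    """Run cmd under sh; convert Python's signed returncode to what $? would show."""
    rc = subprocess.run(["sh", "-c", cmd], capture_output=True).returncode
    # subprocess reports death-by-signal as -N; a POSIX shell reports 128 + N.
    shell_status = 128 - rc if rc < 0 else rc
    return decode_shell_status(shell_status)


def shell_reported_status(cmd):
    """Ask sh itself what $? it observed for cmd, to confirm the 128 + N rule."""
    wrapper = cmd + "; echo $?"
    out = subprocess.run(["sh", "-c", wrapper], capture_output=True, text=True).stdout
    return int(out.strip())


if __name__ == "__main__":
    # Constructed demonstrations: an ordinary exit code, and a child that
    # sends itself SIGKILL (9), which the shell surfaces as 137.
    print(run_in_shell("exit 3"))                       # ('exit', 3)
    print(run_in_shell("kill -s KILL $$"))              # ('signal', 9)
    print(shell_reported_status("sh -c 'kill -s KILL $$'"))  # 137
    print(decode_shell_status(130))                     # ('signal', 2), i.e. SIGINT
```

The ambiguity the comment mentions is visible here: decode_shell_status(130) cannot distinguish a real exit 130 from a SIGINT death, which is exactly why programs that pick their own exit codes stay below 128 and why a process manager that assigns meaning to the 200s needs callers to avoid them.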

                                        1. 2

                                          Wouldn’t this create a false sense of security? Surely my browser validates an input of type “email” and warns me when the value is malformed, however, nothing stops me from manually passing an invalid e-mail address directly via POST, most simply by replacing the input type with “text”, unless there is also server-side validation.

                                          1. 6

                                            I expect this to be used less on content sent from a client to a server, but rather in reverse, content sent from a server to a client. For example, a dynamically fetched comment on a blog post is injected into the DOM after passing through the Sanitizer API. That is, the string value in the database is untrusted.

                                            Of course, you could attempt to make it trusted by passing it through the Sanitizer API before even storing in the database through client side manipulation of the form, but that leads to your very concern as it could be bypassed. Run it through the Sanitizer both times? Submission and display?

                                            1. 2

                                              Sanitizing SVGs will be useful

                                          1. 10

                                            The Sanitizer API is a browser-provided implementation for the same problem DOMPurify tackles. Very nice to see this, for performance and maintenance benefits.

                                            MDN has documentation on what the API looks like currently, though it is in draft stages. Here is the specification itself.

                                            1. 9

                                              A String is returned with disallowed script and blink elements removed.

                                              No, why blink? I loved you blink, back in 1999. We’ll never forget you <3

                                              1. 3

                                                What I want is the <hype> tag again.

                                              2. 4

                                                The current MDN documentation is outdated. The latest API will not return strings.

                                                1. 1

                                                  The article implies that React does this, as well. Do you know whether that’s the case?

                                                1. 7

                                                  An alternative if you don’t like these patterns: I help maintain geo_pattern. It’s originally from GitHub, and generates a variety of different patterns from a seed value. Also written in Ruby!

                                                  1. 1

                                                    Heads up: This article is from 2018, when the latest version of hex was 0.17.3. The latest version is now 0.21.3, check the changelog for anything that might be different using Hex today. I think the commands covered in this are still mostly the same, though.

                                                    1. 3

                                                      Is there any public proof of this permission? I checked the linked LICENSE.txt but that hasn’t changed since 2010. I’m curious about the terms the Realtek firmware is distributed under.

                                                      1. 19

                                                        I like that there is now yet another ACME compliant endpoint. What we need next are clients that actually support arbitrary endpoints. There are a lot of management UIs that interface with generic clients but expose Let’s Encrypt as the only option. I want to be able to plug in my own private ACME CA but still get all of the automation benefits.

                                                        1. 2

                                                          99% of them do so that you can use a staging URL, don’t they?

                                                          1. 1

                                                            Not that many even expose the option of staging LE or not. Of those that do, it’s still hardcoded to Let’s Encrypt’s staging environment. Still not generic.

                                                            1. 3

                                                              All of these allow setting the API server:

                                                              The official client does it: https://certbot.eff.org/docs/using.html#changing-the-acme-server

                                                              Acme.sh does it in the article

                                                              Terraform: https://registry.terraform.io/providers/vancluever/acme/latest/docs

                                                              Traefik: https://doc.traefik.io/traefik/https/acme/#caserver

                                                              K8s cert manager: https://cert-manager.io/docs/configuration/acme/

                                                              Which ones have you used that don’t? I get that they probably mostly want sane defaults and don’t want people filling out random MitM API servers or something, but I’ve not found one that doesn’t allow me to change it.

                                                              1. 1

                                                                I’m thinking about those that sit on top of these. For example, setting up ACME in cPanel, OpenWRT, OPNsense. Or commercial software, like a website builder or managed service provider. (Installing WordPress, GitLab, or something else for you.) It has been a while since I’ve checked on these; I’d love it if they are more flexible now.

                                                                The underlying protocol implementations are flexible, indeed. There isn’t really a sysadmin/CLI focused tool that can’t accept an arbitrary endpoint. It’s the layer above that I’m frustrated with.

                                                                1. 1

                                                                  Oh! Yeah, if it’s not actually an ACME client, but a client to the client, yeah, I’ve never seen those expose arbitrary endpoints either. cPanel doesn’t even use Let’s Encrypt, it uses its own root CA. So you’re kinda stuck trusting cPanel and not even a public entity like Let’s Encrypt.