Threads for phillmv

  1. 1

    Such a nightmare of a spec.

    I read OAuth1 about a year ago, and skimmed most of OAuth 2 and it’s shocking to me how such a simple (both conceptually and in practice) protocol has been ruined by dense yet vague prose. Don’t even get me started on the state of the various libraries…

    1. 2

      Note that Rails 4 already has better error pages, though there’s no embedded REPL.

      1. 2

        That's true but it's still not as useful as this error page.

        1. 2

          Right! Not saying it’s not a good gem, just mentioning it’s one of the new things.

          1. 3

            Heh. And here I am, converting an app to rails 3. The future never stops.

      1. 2

        Most of my time is taken up with my consultancy, state.io. Client work done properly involves a lot of effort and some foresight. It’s exciting and stressful to be responsible all the time. We’re planning on having a security pub nite up in Toronto next year.

        I’ve just felt the first stirrings of a new talk in me, which I want to develop. I have an ongoing family photography archival project that I want to execute on (I’m really fascinated with being able to serialize data to archive-quality paper). I want to engage a friend of mine for some illustration work and ideas for t-shirts. I have this half bred idea involving music videos that I’ve been waiting on time to poke at.

        There’s a list somewhere, on top of half a dozen books sitting in different parts of my apartment. Life is all in all pretty good.

        1. 2

          Cute, but at least that page in particular is more of an intro to Ruby.

          Are there any more higher level resources for implementing security in Ruby/Rails/et al? I’m training my security consultant business partner in the ways of Rails, and resources on what people-consider-to-be-best-practices seem thin on the ground.

          1. 2

            Well, the hard part about security in Ruby is that the language is so flexible, if you’re not familiar with it, you can miss entire classes of vulnerabilities. Like “oh, I just monkeypatched #authorized? to always return true.” So it’s kinda necessary.

            We have a Rails Guide on security: http://guides.rubyonrails.org/security.html

            1. 2

              Well… that’s kind of irrelevant, no?

              It gets trickier if you want to load in plugins that other people wrote, sure, but… for the most part as a web developer I’m not thinking about that attack vector – I’m more concerned about people trying to break my app. If they’re eval'ing code the game is already over.

              I’m not a terribly big fan of that guide. That said, when I do have any idea on how to improve it, I will duly share it.

              1. 1

                Part of the guide is how you may not realize people may eval your code.

                For example, there’ve been a few DoS attacks against Rails where some_input.to_sym was getting called… not strictly an eval, but somewhere where you may not think of input being a problem.

                I know of Rails apps that actually have Ruby code in a field in the db that gets eval’d. ಠ_ಠ
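A Ruby illustration of the `to_sym` point above, added here as an example and not part of the thread: the interning version beside an allowlist version that never turns client input into a Symbol. The `sort_key` helpers, `SORT_COLUMNS` and the sample inputs are constructed for this example.

```ruby
# Why `params[:sort].to_sym` was a denial-of-service vector on Ruby < 2.2:
# symbols created with String#to_sym were never garbage collected, so every
# distinct attacker-supplied string became a permanent entry in the symbol
# table and memory grew until the process died. Ruby 2.2+ collects dynamic
# symbols, which closes the leak, but the allowlist below is still the right
# design because it never lets input decide what gets interned.

# Pattern the comment warns about: interns whatever the client sent.
# (Constructed for illustration, not code from any real app.)
def sort_key_unsafe(param)
  param.to_sym
end

# Hardened version: only a fixed set of column names can ever be produced.
# Unknown input maps to a default instead of creating a new Symbol.
SORT_COLUMNS = {
  "name"       => :name,
  "created_at" => :created_at,
  "updated_at" => :updated_at,
}.freeze

def sort_key(param, default: :created_at)
  SORT_COLUMNS.fetch(param.to_s, default)
end

# Constructed sample input standing in for request parameters: two legitimate
# values followed by the kind of ever-changing junk a flooding client sends.
# Returns the distinct keys produced and how many symbols the run added to
# the interpreter's symbol table (the hardened path adds none).
def demo
  inputs = ["name", "created_at"] + (1..1000).map { |i| "junk#{i}" }
  before = Symbol.all_symbols.size
  keys = inputs.map { |p| sort_key(p) }
  after = Symbol.all_symbols.size
  { distinct_keys: keys.uniq, symbols_added: after - before }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```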

          1. 4

            Wow, I learned a lot of things from this thread on HN. I’m now suspecting I’ve been “slowbanned” for the last few months which is why each page load takes 5-6 seconds. I always thought the servers were just slow.

            Really a bummer, I thought I’ve only ever been helpful on HN. Oh well, nice that there’s an alternative that’s a little more transparent.

            1. 2

              The thing that really bothers me about HN is that any story that is remotely critical (or, isn’t a wholesale cheerleader for:) YC, the Valley, VCs, pg, YC companies, etc gets immediately removed from the front page.

              I get it, it’s a YC promotional tool and pg’s baby – so that kind of editorial discretion is their prerogative – but it’s more than a little weird to see any bearish sentiment on the industry get edited away. It’s not in any of our interest for the bubble to pop, but the day will come…

              1. 2

                I don’t believe that this is true. I remember that when the AirBnB fiasco with the woman’s apartment getting trashed was happening, there were three or four separate threads which basically all linked back to the same article, but PG couldn’t take any of them down because people would be upset with him for suppressing dissent. They were cluttering the front page, but his hands were tied. Furthermore, I remember several articles about “Winter is Coming” being on HN, and also that I found out about Sequoia telling everyone to tighten their belts and to raise immediately from HN. More recently, there was also a front page post about how it doesn’t make sense to join a startup job if you’re trying to get rich.

                On the other hand, PG does post the YC jobs pages that you can’t comment on, which I find odd. By and large though, I think that PG is doing a fine job and is relatively fair and balanced. I would say that the problem is more with the commenters.

              2. 1

                To be fair, HN is slow :) But the public index only needs to be updated every minute or so, so it’s no wonder it loads quickly. It’s basically a static asset.