1. 6

    Continuing to work on a reverse shell controller written in Go. I haven’t started working on the implant yet, but I’m thinking of writing it in Rust.

    1.  

      As a package maintainer, I’ll say it is annoying when a project uses both Go and Rust.

      1.  

        What package system do you find it to be annoying for? Is the reason it’s annoying because you’re working with multiple toolchains at the same time, or is there something specific to the packaging process that makes working with multiple languages difficult?

        1.  

          More toolchains just mean more problems, More libraries to find and install, more patches to apply specific to your distro.

    1. 11

      I don’t expect much from my text editors, and I don’t like mods/plugins that are too invasive. So, my vim config is pretty sparse:

      syntax on
      colorscheme koehler
      set number
      set mouse=a
      set autoread
      map <C-O> <ESC>:w<CR>
      map <C-X> :q!<CR>
      set colorcolumn=80
      autocmd VimLeave *.go :!go fmt
      

      Basically, show line numbers, show me the 80 character width boundary, enable some syntax highlighting, and let me save and close using CTRL-O and CTRL-X, respectively (yes, it’s a remnant of my younger days when I used nano). I program in Go a lot, so the last line is to run the code formatter whenever I exit a file with the “.go” suffix

      EDIT: The following is just a commentary on me. I’m not suggesting any of it is a relatable developer experience for others, and I don’t suggest it’s the “right” way or “wrong” way to do anything.

      It’s probably worth mentioning why I don’t expect much from my editor, mostly because I’d like to hear y’all’s thoughts on the matter as well. The reason I don’t expect much from my editors is because I don’t ever want my editor messing with the way content is presented. I don’t want it collapsing functions, I don’t want it making code completion suggestions, I don’t want it collapsing comments, I don’t want it replacing symbols (like lambda or square root), etc.

      Every time I open a file, I see every printable byte of it, and it’s a constant memory refresher of either where code is located and/or how it’s implemented. You’ll notice that my vim config only contains directives that affect things around the code (i.e. line numbers, 80 character boundary). I read the code raw, I write the code raw, I debug the code raw. I think that always seeing all the code ultimately helps me understand the codebase better and leads to me writing better code.

      1. 3

        map <C-O> <ESC>:w<CR>
        map <C-X> :q!<CR>

        Do you know about ZZ ?

        1. 1

          I don’t think so. What is that?

          1. 2

            Write and quit.

        2. 2

          I would add filetype plugin indent on, use non-recursive mappings for single mode only, and use proper 'equalprg' with formatting before save, not on closing Vim.

          1. 12

            I have literally no idea what any of that means or why I would do any of that

            1. 5

              map is recursive (which mean that 2 mappings map a b and map b c will cause a to work like c, which can be unexpected) and non-mode-specific (which mean that it works in normal, visual, select, and operator-pending modes). It is better to use non-recursive mode-specific mappings, which in this case is probably nnoremap which will cause for example that if one day you decide to swap : and ; then these mappings will still work.

              'equalprg' is program that will be used to filter provided input when = command is used, more info can be found in help :h = and :h 'equalprg'.

          2. 2

            autocmd VimLeave *.go :!go fmt

            That will clobber the buffer if the file isn’t valid Go, right? Doing that on VimLeave seems awkward since you can’t actually correct it (as Vim will exit)?

            1. 2

              No, it will not, as this only run command, not filter the content (to filter it would need to be :%!go fmt /dev/stdin).

              1. 1

                Ah yeah, so it’s just so that you can see an error on invalid syntax when you exit Vim?

          1. 3

            I am trying to figure out how to compile the Neo4j Seabolt driver on Arch Linux. I can get it compiled just fine on Debian, but cmake complains about a missing openssl-1.0.0 library on Arch.

            1. 1

              Maybe still lingering libressl/openssl discrepancies?

              1. 1

                Well after looking at it some more, I think it’s simply because Arch is on a newer openssl version (version 1.1.1.d-1 currently), and Debian is on 1.0.0. The Seabolt driver needs 1.0.0, and cmake is, naturally, not able to find that on my Arch system. Just need to figure out how to get 1.0.0 on my Arch system now…

                1. 1

                  Please don’t. Try relaxing the cmake requirement and see if the new openssl is just fine.

            1. 10

              I would prefer we maybe even remove plang specific tags. IMO zig is not ready for its own tag. Where is the cobol tag? Where is the forth tag? So on and so forth.

              I think there is enough posting about it to warrant a tag.

              All the links you posted are months apart from each other.

              1. 15

                Lobsters seems to get more Zig submissions than COBOL submissions. That is very unreflective of the real world, but Lobsters tags are for Lobsters submissions, not for the real world.

                1. 6

                  In regards to the COBOL and FORTH tags, I have not seen nearly as many active COBOL and FORTH posts as I have Zig posts. Also the creators/maintainers of those languages are not as active as the creator/maintainers of Zig are on this site.

                  I think that the discussion on whether any language should have a tag (which is a fine discussion to have) is separate from if Zig should have a tag. In my opinion the question is, given that we have language specific tags should Zig get its own?

                  1. 3

                    There are languages with a vastly larger audience that don’t have a tag, and imho shouldn’t have a tag, my favorite language included. Tags are not a magical boon to a language, in fact they are liable to have an opposite effect if the audience isn’t large enough. I am not a fan of Zig, but I do think it deserves a fair shot as much as any other. If given the chance, perhaps it will one day turn into a language I’m excited about. Without that fair shot, that day will never come.

                    1. 3

                      I don’t think that the main purpose of this site is to be an incubator for languages, but a place for people to discuss articles related to tech. So, to elaborate on my post above, in my opinion the question is*, “would a tag help users of this site find/avoid a topic?”, not “would the tag help the growth of said topic?”.

                      *given that we have language specific tags and given how tags are currently being used to filter for topics

                      1. 3

                        I don’t think there is enough audience or activity to make a zig tag useful or interesting, either to filter or search for. I would probably filter it out if it existed, but it would not be a very useful or good filter because it would filter out an article a month. If we are going to create a new tag I would actually prefer something that covers Rust, C, C++, Zig, D, Go and the various other low/no gc languages that primarily value performance.

                  2. 3

                    Agreed. As an alternative proposal, perhaps having tags for types of languages would be more useful. For example, a tag for languages are that typically compiled (e.g. C, Go, Rust) and a tag for languages that are typically interpreted (e.g. Python, Bash).

                    (Yes, yes, there are languages that may fall in one category or another based on the context, but in those cases, the appropriate tag can be used by the poster; I’m not suggesting that the tags draw hard lines based on the language being discussed)

                    1. 3

                      A little finer grained than that would be nice but yes. The ML tag gets used by OCaml, F#, Haskell etc.

                  1. 4

                    Ordinary work.

                    Studying for the “Google Cloud Certified Professional Cloud Security Engineer” (I copy pasted that, hopefully they don’t ask about on the exam.)

                    1. 4

                      “Cloud” really occurs twice in that certification title?

                      1. 3

                        Good catch : )

                        I’m actually not sure, copied it from the search results preview of an official Google page after the page timed out.

                        Tried again now and got “Professional Cloud Security Engineer” on one Google site, possibly the same.

                        I’m fairly certain that I got the copy paste right so based on this and other experiences I suspect they have some kind of funny summarizer sitting there messing up my search results.

                        Edit: after first deciding to not care I still went back and checked, here’s the page:

                        https://cloud.google.com/certification/cloud-security-engineer

                        There’s no mention of the word “certified” on that page so either Google is doing some black hat seo on itself, or the excerpt is stale or there’s a snag there.

                        1. 2

                          So parse it as ‘Professional Cloud Security Engineer’ certified on ‘Google Cloud’?

                          Either way - good luck with the exam!

                          1. 2

                            Thanks!

                        2. 2

                          I guess it makes sense? <Brand/Product Area>

                      1. 3

                        Since earlier this week, I’ve actually gotten this app up and running. It shows which other recipes share ingredients with the recipe you’re looking at, and it’ll order them by most shared ingredients to fewest shared ingredients. Hoping this weekend to 1) pick a license for when I open sauce it, 2) polish the backend code (making it more readable), and 3) do a security code review to make sure it’s safe to potentially run a public instance.

                        Oh, and, of course, do the most important thing before releasing: picking a name (feel free to recommend some)

                        1. 2
                          • Cookmate
                          • Countertop
                          • Opticook
                        1. 21

                          The most discussed articles have been always “non-tech”, because “tech” as you defined is not conductive to discussion. You can have Q&A, more links, but those produce less comments than discussion.

                          1. 6

                            That’s a good point, reminds me of survivorship bias. There very well may be lots of technical content we just don’t see because it’s not as conducive to discussion (and consequently not featured on the front page)

                            1. 9

                              You can be on the front page without discussion. For example, my post here got >20 upvotes without any comments.

                            2. 2

                              Maybe it would be better to give a small negative weight to number of comments, rather than positive weight. It could be weighted in a way that it wouldn’t affect high-vote posts with a moderate number of comments. Instead it would elevate good technical posts that get lots of upvotes but don’t have many points of discussion, and diminish the staying power of argumentative topics.

                              The negative weight to number of comments could be disabled for certain tags like ask and meta, since the value of those comes from the comment section.

                            1. 7

                              I’ve been getting into the habit of cooking good fresh food every day, but sometimes I have leftover ingredients and I don’t have the experience to immediately know what else I can use them for. Some recipes have “exotic” ingredients (by which, I mean simply ingredients you don’t commonly have and use in many recipes). For example, traditional gumbo has a vegetable called Okra. Okra is great in gumbo, but the quantity that I get from store is sometimes more than I need for the number of servings I’m making. Problem: identified, Solution: underway

                              I’ve been using Go and Neo4j to build an application that takes a set of recipes as input, graphs the relationships between recipes and ingredients, and uses that information to tell you how picking one recipe to make will allow you to make other dishes with the fewest additional ingredients. Basically, it’s an inventory management system to help you maximize utility of your larder. I’ve already gotten the backend mostly done, so I’m just making a UI now. I don’t personally need a UI to get value out of this, as I can just use the Neo4j Browser, but I’d like a UI so that others can use this without having to learn Cypher.

                              1. 3

                                cough Frittatas cough

                                It’s nice to have a few “garbage” recipes that can easily take on a random assortment of leftover ingredients. Things like soups, fried rice, frittatas, etc. Most vegetables can be grilled or roasted on their own and used as their own dish. You can also boil vegetables and puree them and use that in other dishes, in a lot of different ways. Pork braised in pureed roasted corn is incredible.

                                I was working for a bit on data modelling substitutions in recipes and it got way out of hand. Currently it’s now a 3,000 word first draft called “Falsehoods programmers believe about substituting ingredients in recipes.”

                                1. 3

                                  Okra can be roasted or fried for a pretty good side dish. I sympathize on needing to use up ingredients.

                                  Edit: I’ve seriously considered doing an inventory management system like you describe too, but the data entry side of it just was too daunting. It turned into an ML project to scan receipts from grocery shopping and try to infer the contents of your pantry from them rather than actually producing recipes.

                                  1. 1

                                    Though I’ve been doing the data entry by hand (and I don’t mind doing that work, given the value I get out of it after), I understand others may not want to do it. I’ll probably implement a recipe reader for specific websites like AllRecipes, but I have no interest in ML or OCR.

                                  2. 1

                                    In 2003, there was an online database of cocktail recipes that allowed visitors to provide a list of every ingredient they had on hand and it would return a list of possible drinks that they could make.

                                    As I recall, there was a checkbox for “assume I have kitchen basics (salt, water, butter, milk)”. There was also some kind of control that would make the system ALSO show you recipes that would necessitate a trip to the store, but only for X more items.

                                    All these years, I’ve assumed it was accomplished with SQL. The site was FAST. (Definitely a bunch of plain HTML forms, maybe some hand-written javascript. No ads.)

                                    Side question.. anybody know what the site was called? Maybe that plus a trip to web.archive.org would enable me to find the dev on twitter or github today… …The predominant color on the site was green. I think.

                                  1. 4

                                    In a potentially far-reaching move […]

                                    There’s nothing “potentially” about it. I don’t know why it would be a good thing for the government to 1) decide what constitutes software accessibility, and 2) force people by threat of legal action to change the way their websites work when there’s no negative externality to not being able to use a website

                                    1. 13

                                      How is this any different than the government mandating certain architectural/design rules for commercial buildings and public spaces (ADA)?

                                      1. 3

                                        That’s the whole point if I understand the case correctly (and I may not! I’m not a lawyer!).

                                        See here:

                                        First, the Ninth Circuit reaffirmed its position that, to be covered by the ADA, a website or mobile app must have a nexus to a physical place of public accommodation. The court stated that this nexus was “critical” to its analysis in the Domino’s case where the “alleged inaccessibility of Domino’s website and app impedes access to the goods and services of its physical pizza franchises – which are places of public accommodation.” The Ninth Circuit said in a footnote that it was not deciding whether “the ADA covers the websites or apps of a physical place of public accommodation where the inaccessibility does not impede access to the goods and services of a physical location.”

                                        Like, that’s the key thing–the website augments a physical location.

                                      2. 10

                                        there’s no negative externality to not being able to use a website

                                        If an insufficient number of websites include accurate accessibility metadata, browser developers won’t write code to consume it. If nobody uses it, then the effort will never get off the ground, and accessibility tool (and, almost identically, search engines) rely on heuristics instead. The benefit is reaped by the web authors, who don’t have to write the metadata, but is born by browser and search engine developers, who are not direct parties. Thus, it’s an externality.

                                        1. 2

                                          Allow me to clarify, I’m looking at this in the frame of actions that are legally recognized as externalities; I think the example you point out is a cultural/social consequence of adhering to accessibility standards. Legally, negative externalities are generally effects that directly cause harm to a party not involved (I’m sure there are exceptions, but we’re talking about the rule here). If a website doesn’t work, that is neither endangering the person unable to access the website, nor is directly inflicting harm to them. That’s why I’m saying the government shouldn’t really be involved in something like this.

                                          1. 3

                                            In the case of Dominos there was an online-only promotion that was inaccessible, so they literally lost money if they had to phone in an order.

                                            1. 2

                                              I think calling it losing money is overzealous. It would be losing money if they had no choice but to order from Dominos. They weren’t forced to order from Dominos. If there’s a coupon for groceries that gets mailed out by a grocery store, we don’t legally pursue the grocery store for being exclusionary if someone that doesn’t have a mailbox didn’t get the coupon (e.g. homeless folks). They didn’t lose money, they just didn’t save some money; those aren’t the same thing

                                              1. 1

                                                Well of course folks who aren’t customers aren’t going to care/lose money, but there was literally an unfair financial advantage in favor of those who could use the website to order pizza vs those who could not use the website to order pizza. Folks who had to use a phone to order pizza literally paid more than those who could use the website. They lost money.

                                        2. 7

                                          In addition to what other posters have raised - IMO ‘no negative externality’ is a defensible claim, but far from a sure one.

                                          The negative externality of impeded access is paid by the carers (usually family), who end up spending their time managing the affairs of someone who would otherwise be able to do so themselves.

                                          1. 5

                                            I think you’ve misunderstood the ADA. The whole point of creating a private right of action is that the government does not set specific standards. Instead those affected by inaccessible accommodations sue, and a court decides if the place is in fact inaccessible. Accessibility is the standard. Places of business are free to meet that standard in any way that actually meets it.

                                            1. 2

                                              You’re right, I did misunderstand it.

                                            2. 6

                                              I’ve also tried to make this point but nobody wants to hear it… I don’t think we want the government to get involved in UI/UX design.

                                            1. 2

                                              Local drives (spinning and solid state), geographically stored in various locations.

                                              If you’re looking for an online solution, Spider Oak might be an option?

                                              I’ve also heard good things about NextCloud

                                              1. 4

                                                This seems to be purely a personal preference, entirely orthogonal to comment quality.

                                                // add 1 to i
                                                i += 1;
                                                
                                                // Dear reader, as you may see, the following line will 
                                                // add the number one to the variable called "i".
                                                i += 1;
                                                

                                                They’re both equally awful.

                                                The IMHO useful rules are:

                                                • Comments should state why, not how
                                                • Comments in the form “and now do that thing” mean you want a function, not a comment
                                                1. 3
                                                  // sometimes the below would
                                                  // segfault. This seems to fix it:
                                                  len--;
                                                  

                                                  I think explaining why is useful in the way a smoke alarm is useful, but I’d much rather not have a fire in the first place.

                                                  1. 2

                                                    At least it explains why that line of code exists, and is a start to tracking down the root cause.

                                                    1. 1

                                                      Better to not put the bug in the first place, though, agreed?

                                                      1. 6

                                                        That is usually easier said than done.

                                                        1. 3

                                                          It now occurred to me, that writing such a comment is in a way an act of bravery and humility: of accepting one’s own imperfection; that we know we may not always be able to do something perfectly. And then, not hiding it under the carpet, but explicitly communicating our vulnerability to the reader: “here’s where I reached some boundary I could not cross; not able to, or having to trade my attention off for something else, in the limited span of life we have available; I respect and embrace the thought, that you, my dear reader, may be able to improve this; more than that — I want to help you, by giving you any important hints I think may let you make the best use of your time and intelligence.”

                                                          1. 1

                                                            This week I removed a warning log line from code so I’d get meaningful prints only. The comment above it explains the line right before the log line is critical due to a bug in the code.

                                                            The comment below that one reads “2015-03-20: is this still the case? When can we delete this code?”

                                                            I then carry on with my job, knowing that people far more familiar with the codebase than I have tried and failed to remove that bug.

                                                    2. 3

                                                      Comments are for explaining why something is the way it is, not what some piece of code is doing. Rule of thumb is assume the reader knows how to read code.

                                                      So, in your example where you explain what the code is doing (namely, incrementing by 1), that comment is bad because it’s explaining what’s going on and not why you’re incrementing by 1 (if such an operation requires an explanation in the first place), not because the comment isn’t a complete sentence. When explaining why something is happening in code, complete sentences are not only good for comprehension, it’s the professional thing to do

                                                      1. 2

                                                        “Increment i by 1”-style is really, really important when you have constraints that limit how “clean” your code can be. A couple of major cases are performance stuff and formal verification (functional decomposition “cuts” your information space in a way that’s murderous for specification). Also with very dense notations: a J expert knows exactly what count =: ({. ,. #)/.~ does but a beginner might not, so I could comment with an explanation.

                                                        1. 1

                                                          That is true in example code used in a language tutorial. But for production code, it seems like overkill. It should be possible to at least assume the reader knows the language in question!

                                                          1. 2

                                                            The thing is, every mainstream language is large enough that you have a situation roughly like the following, where the letters may correspond to language features, standard lib packages, conventions around naming and package organization, or higher level idioms:

                                                            • A, B: Everyone knows them, even newbies
                                                            • C, D: Most junior devs would know them
                                                            • E, F: Professionals in the languages usually know them, but probably not junior devs
                                                            • G, H: Even many professionals are not familiar with them

                                                            Thus “knows the language in question” is not a binary flag, but a many-dimensional object with spectrums of “know” along each dimension.

                                                            The appropriate amount to comment, then, depends on what level of expertise you assume, the number and type of devs you foresee working in the codebase, the amount of dev churn on your team, and so on. Erring on the safe side of explaining too much is often the right move. But overdoing it can be a problem too. Judgement dictates.

                                                            Personally I see the problem of too little explanation more often than too much, but I’ve seen both.

                                                        2. 2

                                                          entirely orthogonal to comment quality.

                                                          I basically agree with your post, but I’d amend the above to “theoretically orthogonal but in practice correlated.”

                                                          That is, I think the author has a point with his broken windows observation. All else being equal, a team following this rule would be more likely, I’d guess, to have good comments than one that didn’t. It’s just one of those things that makes you stop for a few seconds and put more thought into what you’re typing. It won’t always work, and in the hands of blind rule followers it might encourage needless verbosity, but still, I’d guess for most teams this is a net positive rule.

                                                        1. 4

                                                          Maybe I’m not imaginative enough, but I can’t think of a scenario where I’d implement an Error type that way. That said, this is interesting, thanks for sharing. I’m glad to hear that go vet catches this.


                                                          Edit:

                                                          I think the code shown is a good example of the point being made, which is that programmers should understand how casting and implicit translation works in Go. Looking at it again, the recursion is way more obvious:

                                                          Typically, type A would be a struct of some kind, and not simply a string. Then, the Error() function would print some field of A, and not A in its entirety. In the case provided, however, the program attempts to Sprintf() the variable a; because a is not a primitive data type, there is an implicit translation to a.Error(), introducing the recursion

                                                          1. 2

                                                            The typical scenario where you would implement MyError that way is more or less: type MyError uint32, where uint32 is an error code from some third-party API. You would expect the error message might want to include the uint32 value.

                                                            1. 1

                                                              Sorry didn’t see this earlier. It looks like any issue counts, and I maintain the “good first issue” and “help wanted” labels regularly:

                                                              https://github.com/oilshell/oil/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22

                                                              https://github.com/oilshell/oil/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22

                                                              If anything piques your interest, feel free to DM me here or chat with me on https://oilshell.zulipchat.com/ .

                                                              Some of the “good first issue” require some expertise, but not all. Oil is a plain Python program, with a small number of plain C extensions, so it shouldn’t be too hard to get started. On Linux machines you should be able to make a dev build in 1 to 3 minutes (e.g. after installing Python headers, etc.)


                                                              edit: I labeled the 2 smallest but still impactful issues with hacktoberfest

                                                              https://github.com/oilshell/oil/issues?q=is%3Aissue+is%3Aopen+label%3Ahacktoberfest

                                                            1. 4

                                                              I’m re-reading The Stormlight Archive by Brandon Sanderson, and I’m on Oathbringer at the moment

                                                              1. 2

                                                                I recently started his book Mistborn. The first of his books I’ve read, and I’m quite liking it so far.

                                                                1. 2

                                                                  Mistborn is great, and I’m going to revisit that subseries because I didn’t know about this (spoilers) novella: The Secret History

                                                              1. 4

                                                                Love these kinds of articles about really niche topics/problems

                                                                1. 2

                                                                  I’m trying to figure out the go present tool. I like the format, I like the features, and I want to use it. However, the documentation seems to be pretty lax compared to other Golang documentation that’s chock full of examples.

                                                                  I would be very interested in any documentation, tutorials, guides, etc. that y’all may know of.

                                                                  1. 3

                                                                    Having made several go present presentations, let me make it easier for you: there is actually no documentation to speak of. The best way to learn is to look at the source of an existing presentation. Luckily, there are several here: https://github.com/golang/talks/tree/master/content.

                                                                    1. 1

                                                                      there is actually no documentation to speak of

                                                                      I was afraid to go as far as to say there was no documentation, in case I’d missed something; that said, I agree and there’s virtually nothing except other people’s presentations to reference. Thank you very much for the link

                                                                  1. 1

                                                                    Hm, I never thought about the fact that Go has no package manager. How do Go people discover and integrate Open Source libraries?

                                                                    1. 3

                                                                      Go has several competing package managers. It’s got no central server for package management, though - in practice, everything is fetched directly from the git repo where it’s developed.

                                                                      How do Go people discover and integrate Open Source libraries?

                                                                      Thankfully the languages parent company built a search tool which makes discovering things relatively straightforward.

                                                                      1. 1

                                                                        Go modules is built in to the go command, and pretty much the “de-facto package manager” now. It took a while, but we got there.

                                                                        A more central server is something that’s being worked on: https://proxy.golang.org, although it’s not quite the same as npm/gems/pypi, etc. (which is probably a good thing? YMMV)

                                                                        1. 1

                                                                          Ah, I’m a little out of date then.

                                                                          For go code, I’m strongly in the “commit your dependencies” camp, so imo there’s less need for a central package repo with high availability.

                                                                          1. 1

                                                                            One of the neat things about modules is GOPROXY: instead of making requests directly to example.com/proj, they’re made against $GOPROXY/example.com/proj, which can then either proxy to example.com/proj, or serve a cached version.

                                                                            The proxy.golang.org is just a “default” GOPROXY, but it’s easy to run your own, which allows you to mirror external code to guarantee availability while also not adding a a lot of code to every project’s vendor directory. While there are still use cases for comitting the vendor directory (go mod vendor puts all dependencies in vendor/), I think this is a good middle ground for many projects.

                                                                            1. 1

                                                                              Yeah, for projects where people don’t want vendoring for whatever reason, that sounds handy.

                                                                              Personally, I vendor because

                                                                              A) ‘dependency code is my responsibility’, so it should go through the same review process as everything else, which is easier if it’s in-tree, and B) Build-time network dependencies (even if only to a proxy I control) are a source of flakiness. I have enough trouble getting builds to pass when the computers are all working properly.

                                                                      2. 2

                                                                        go get

                                                                        1. 0

                                                                          There’s a lot more that goes into a package manager than go get (e.g. dependency tracking, duplication detection, integrity checks). If go get constitutes a package manager, then so does curl | bash, and I’d say that definition falls short quite a bit

                                                                          1. 2

                                                                            I wasn’t claiming that go get is a pkg mgr; merely that it is how Go users integrate open src libs.

                                                                            There’s a new solution to the problems you mention, which does actually involve a pkg mgr: https://search.gocenter.io/stats

                                                                            1. 1

                                                                              Ah, gotcha. I can understand that package managers might be used to merge/integrate software, and that go get is used for that.

                                                                              Is there an expectation that package managers are used to discover software? I don’t think I’ve ever used my package manager for that except to check if a package exists before I install it.

                                                                            2. 2

                                                                              go get used to be similarish to curl | bash, but it now integrates with go mod, which is Go’s package manager.

                                                                              1. 1

                                                                                I also am a big fan of putting third party code in my repository and selectively merging changes from upstream. Usually it means that I understand the third party code more completely and I’m better able to modify it to fit my needs. And I don’t run into the issue where my app from three months ago no longer builds, because no code has changed unless I allowed it to.

                                                                                This only works in situations with limited amounts of third party code and sufficient developer resources.

                                                                            3. 1

                                                                              I never realy use the package manager in other languages to “discover” packages, either. And I rather like that I don’t have to deal with the hassle of “publishing” stuff to some package repository, but can just push to git and be done with it.

                                                                            1. 10

                                                                              I can’t bring myself to executing things that I don’t see the full expansion of before execution. These would all be great if I could customize bash to prompt me with the expansion and y/n. Otherwise, I don’t think I’d risk trying. It’s the same reason I don’t even use !!.

                                                                              1. 6

                                                                                zsh will expand these on <Tab>. So try typing !!<Tab>.

                                                                                1. 4

                                                                                  I use !!, but only to sudo a command. Otherwise I agree - it’s a touch too easy to mess things up.

                                                                                  1. 2

                                                                                    For history commands, you can always append a “:p” to the end to only print the command and not execute it. It inserts it into your history too, so you can !! and execute it after viewing it.

                                                                                    $bash> echo a
                                                                                    a
                                                                                    $bash> ls
                                                                                    file1 file2
                                                                                    $bash> !e:p
                                                                                    echo a
                                                                                    $bash> !!
                                                                                    a
                                                                                    

                                                                                    The “!e:p” command will only print the last command that started with an ‘e’; it won’t execute it. Because it’s now in the history, !! actually executes it.

                                                                                  1. 5

                                                                                    Ooh, interesting. I program in C fairly regularly, and I didn’t know about macro calls in #include statements

                                                                                    This is valid preprocessor:

                                                                                    #define ARCH x86
                                                                                    #define ARCH_SPECIFIC(file) <ARCH/file>
                                                                                    #include ARCH_SPECIFIC(test.h)
                                                                                    

                                                                                    I like it

                                                                                    1. 4

                                                                                      Whenever I’ve done any hobbyist kernel devel, I’ve preferred to have something like an include/x86_64/arch folder and and include/arm/arch folder. Then I’d have, in the Makefile, cc -I include/${ARCH}, and in *.c:

                                                                                      #include <arch/whatever.h>
                                                                                      

                                                                                      IMO it’s cleaner than symlinks (which I’ve seen in certain projects), and less likely to confuse than

                                                                                      #include ARCH_SPECIFIC(whatever.h)
                                                                                      
                                                                                    1. 4

                                                                                      I don’t really understand why there’s a Gitbook for this. It doesn’t seem to contain anything that couldn’t simply be in the README on GitHub, and even the documentation isn’t in there…

                                                                                      Code is written according to the rules of the CERT C Coding Standard

                                                                                      That said, it’s great to see a project that strictly adheres to these kinds of secure coding standards. We need more of this in the software development community, in general.

                                                                                      1. 4

                                                                                        I don’t really understand why there’s a Gitbook for this. It doesn’t seem to contain anything that couldn’t simply be in the README on GitHub, and even the documentation isn’t in there…

                                                                                        One important advantage over a github README is that this way it’s entirely independent from GitHub.

                                                                                        Regarding the CERT C Coding Standard, I’d be curious to hear from the author what it means concretely. The last time it was discussed here, my impression was that guidelines were rather along the lines of “be careful about overflows and with null-terminated strings”.

                                                                                        1. 5

                                                                                          One important advantage over a github README is that this way it’s entirely independent from GitHub.

                                                                                          I don’t see the connection.

                                                                                          There is no ‘GitHub README’. There is a readme file, which is included with libspng and hosted wherever it is hosted; if it happens to be on github, then it will be there, but the readme is no more dependant on github than the rest of the library.

                                                                                          1. 2

                                                                                            Agreed, I should revise my statement from

                                                                                            it’s great to see a project that strictly adheres to these kinds of secure coding standards

                                                                                            to

                                                                                            it’s great to see a project with the goal of strictly adhering to these kinds of secure coding standards

                                                                                            since I suppose we don’t know how closely the author follows the CERT, especially if the warnings are sometimes as vague as “don’t have a bug”.

                                                                                            I still think it’s good that they’re trying to adhere to some standard. At least that gives the community surface area to critique. A project without guidelines is much harder to fix