Threads for wizardishungry

    1. 6

      Yes! It’s funny, part of the impetus for writing my post was that there didn’t seem to be anything I could point people to that discussed these issues. I think Adam was in the same boat, and then we ended up posting on the same day. :-) I actually highly recommend his post as well, because despite the overlap his is more focused on rate-limiting, and mine is more focused on background on how to think about XFF and a variety of use-cases. I have it linked from the bottom of my post.

      He also has a good post about the special challenges of IPv6 in rate-limiting, which apparently (as with XFF itself) almost nobody is handling well: https://adam-p.ca/blog/2022/02/ipv6-rate-limiting/

    1. 2

      This is useful to me as well because my legacy YouTube account won’t connect with the Roku or mobile apps.

      1. 1

        Feel free to reach out if you need any help with these scripts :-) I’m really happy that they’re helpful to other people.

      1. 1

        Rust doesn’t seem to have first class support on Ubuntu… What is the recommended way of installing something like this on Ubuntu LTS?

        1. 3

          I’ve had good luck building with Rust via asdf

          1. 1

            recommended way

            https://rustup.rs/ ?

            1. 1

              Difftastic seems to use bleeding-edge rust features, so it was easier for me to package for Guix than Debian. If you can get guix on your system I could send you a recipe (or I’ve submitted it for inclusion in the guixrus channel also)

              1. 2

                I don’t have a good sense of what rust versions are available on different distros. I’m trying to be conservative, and only increase the rust version when there’s a benefit, but I’m not sure what threshold to use.

                How old are the default rust versions on your distro?

                1. 2

                  How old are the default rust versions on your distro?

                  I have rustc 1.48.0

            1. 3

              I have looked at some of their projects, and I think it is astonishing what they were able to achieve with plain terminals! However, I have the feeling that the “visuals” are perhaps “too glamorous”… This is in fact a trend I see appearing, in which many CLI applications use too much “eye candy”, especially emoticons where, for example, a simple [x] would be enough…

              On the other side, I love their SSH-based applications idea, i.e. wish, as an alternative to web-based applications… (In fact, at the startup I’m involved in Console9, I was thinking of using such a SSH-based UI as an alternative to the web-based UI.)

              1. 3

                CLI application use too much “eye candy”, especially emoticons

                Perhaps it’s time to add a version of NO_COLOR for emojis?

              1. 8

                A good side effect of using a password manager in the browser is that it won’t be fooled by this. The user may of course override it by pasting in their password regardless – it is therefore necessary to train users to always be extremely suspicious if the username and password aren’t autofilled/detected by the password manager.

                1. 2

                  I’ve noticed a number of legitimate (Shopify?) e-commerce websites that prompt the user to enter their PayPal credentials directly into elements on the merchant’s website. It’s crazy that they’re encouraging this kind of user behavior.

                  1. 3

                    Or there’s Plaid, which has you enter the credentials for your bank and then the 2FA code into whatever app or website you are connecting.

                    1. 1

                      I’ve noticed a number of legitimate (Shopify?) e-commerce websites that prompt the user to enter their PayPal credentials directly into elements on the merchant’s website. It’s crazy that they’re encouraging this kind of user behavior.

                      Crazy or not crazy, it depends on how willing you are to even entertain the idea of the current web as something sane.

                  1. 4

                    This is fine but setting the time to the zip epoch boundary would make the intention more immediately obvious to users.

                    1. 8

                      For nearly all users they will only notice timestamps in a zip archive if they break. Since the intent is for zip files to not break I think the intention is perfectly obvious to them. For those who do notice it’s a harmless easter egg.

                      1. 2

                        This is not just in a zip file; these times will be written to disk. Looking around a random node_modules on my disk reveals a ton of files with this modification date. 1980-1-1 or 1970-1-1 is a more obvious zero value.

                        1. 13

                          Sure but I think the whimsy is worth the cost here. Whimsy has value culturally and shouldn’t be discounted.

                          1. 4
                      1. 2

                        Well that’s quite exciting. Anyone used it with golang?

                        1. 3

                          Go uses its own memory allocator. In fact, Go doesn’t use any C library at all (except sometimes libc, but even then, it only uses libc to call system calls and things like getpwuid_r, not for malloc).

                          1. 3

                            I think they may have been thinking of something like this: Manual Memory Management in Go using jemalloc

                            1. 1

                              Thanks for that. Tbh I was hoping to get “free” performance improvements because I know the codebase I work on allocates quite freely.

                          1. 2

                            The source of the extension is on GitHub if someone wants to figure out how this actually is supposed to work - https://github.com/facebookincubator/meta-code-verify/

                            1. 4

                              They are currently not using Subresource Integrity but working around that with a combination of fetch(), TextEncoder() and crypto.subtle.digest(). That’s really surprising.

                              I would have assumed that they register a ServiceWorker to handle all fetch events and then replace the existing request with a fetch(sameURL, { integrity: expectedHash})… The variables have names like workaround, so maybe they are dealing with some browser inconsistencies here?

                              (Using TextEncoder is also a bit error-prone. I wrote it up for them in https://github.com/facebookincubator/meta-code-verify/issues/128).

                              1. 2

                                Does this offer anything over just using subresource integrity?

                                1. 2

                                  It adds a further (and “independent” from the web app provider) audit point. Suppose an attacker compromises the WhatsApp web server/CDN: she would also be able to change the subresource integrity hashes in the HTML source of the web page. With Code Verify she would also have to compromise the Cloudflare verification endpoint (with the compromised hashes).

                            1. 3

                              At least at my university they were; I recall people making day-by-day diary type entries as late as 2003. I managed to archive a script that checked for .plan updates - an early blog aggregator: https://github.com/wizardishungry/nupl

                                  1. 3

                                    The coordinator communicates with each worker using an improvised JSON-based RPC protocol over a pair of pipes.

                                    Any idea why they used this instead of encoding/gob - easier to printf debug? Why not net/rpc - lack of contexts and frozen state of package?

                                    1. 1

                                      Working on two code generation based Go projects:

                                      1. 3

                                        You’ll have to remember to bypass the test cache if you modify data in an external test file: go test -count 1

                                        1. 5

                                          Go’s test cache takes external files opened by your tests into account, via https://pkg.go.dev/internal/testlog

                                          1. 2

                                            I did not know that. That’s an impressive detail. Thanks!

                                        1. 3

                                          Does anyone have a bash one-liner to parse https://api.github.com/meta to known_hosts format?

                                          1. 1

                                            If you want to grab keys in an automated way, use ssh-keyscan.

                                            Of course a MITM attack on either that or grabbing a web URL can give you compromised keys, so you don’t want to be refreshing this regularly unless changes alert a human. Keys stored in your own git repo that are used as part of a deployment are a lot better than doing a fresh scan on each new deployment or leaving it to TOFU for each user.

                                            1. 1

                                              At least with curl, you presumably can trust the tls certificate.

                                          1. 9

                                            With the disclaimer that I am neither an experienced Go programmer, nor have I worked on large teams, I don’t understand what any of this has to do with being bad for smart programmers. In fact, I would say that many of the deficiencies that the article lists are in fact pitfalls for junior programmers. Much of it comes down to having a substandard type system, so the compiler and associated tooling can’t give you useful guarantees or feedback. An experienced programmer may be able to keep the code’s requirements in their heads, but most junior programmers should have the compiler check their work, and Go’s design makes it impossible to do this.

                                            1. 12

                                              I thought Go was well known for having extremely good static analysis tools. The type system isn’t that powerful, but static analysis isn’t just type systems.

                                              1. 1

                                                That’s possible. I’m not in tune with the Go ecosystem enough to know if that’s the case, but this is the first I’m hearing of it. I’d be curious to know what these analyses are and what guarantees they provide.

                                                1. 5

                                                  The golangci-lint list of linters is probably a good view of what people are using generally.

                                                2. 1

                                                  The analysis package makes it pretty easy to write them too, with the biggest downside being that for some reason I always struggle spelling analysis correctly 😅

                                                  A simple example to check for copyright comments, and a slightly more complicated example to check if you’re actually calling functions that return a function in defer (defer Fun()()).

                                                  Both go vet and staticcheck are implemented with this.

                                                  1. 1

                                                    I wrote one at a previous job to make sure that event constants were matched up with functions of the correct type. Most helpful because that was a common thing people fat-fingered.

                                              1. 36

                                                Without discussing any of the other points, this article (published in late 2020) misunderstands or misrepresents (point 5) the state of go dependency management, citing a 2015 thread about vendoring dependencies. The author may not be the most informed writer.

                                                1. 22

                                                  Most articles that use “Golang” in the title are not from the most informed writers.

                                                  I’m not overly pedantic about these sort of things, but I’ve noticed for a number of years it’s a fairly accurate heuristic (although hardly perfect, exceptions as well).

                                                  1. 5

                                                    I was told this by an Old Gopher with respect to a readme in a GitHub repo & my response was that I had reflexively done so to make finding it with search engines more obvious since Go has many meanings.

                                                    1. 3

                                                      I list “Golang” on my CV for more or less the same reason (as Go (“Golang”)), and there are plenty of exceptions as well of course: like all heuristics it’s far from perfect. But it holds up fairly well in general.

                                                      The SEO value is probably not all that much; right now my “Statically compiling Go programs” article is the first result on DDG for both “golang compile static” and “go compile static”, and for Google it’s the second result. It doesn’t use the word “Golang” in either the title or body.

                                                1. 1

                                                  The other feature you quickly find yourself needing is the ability to use arbitrary objects as keys in a hash map. In languages that don’t support that (Perl, Python, Go, JavaScript until recently) you can use strings as keys, generating a unique string for each key object.

                                                  Go does support arbitrary values as keys.

                                                  1. 2

                                                    With the caveat that the type must be comparable. For example, the type may not be a map, slice (array is ok) or a struct containing a map or a slice.

                                                    1. 2

                                                      This is cool, but it doesn’t seem like it can do most syscalls without stopping the world?