1. 6

    There have been trojans found in ./configure scripts (look it up), which is why I regularly advocate for abandoning autotools. And the response I usually get is “Let’s not talk about that, please.” A plaintext blob is still a blob.

    1. 4

      Shouldn’t the solution be sandboxing the build? Instead of … what are you proposing instead of autotools that could eliminate the possibilities of trojans in the build process exactly?

      1. 4

        I absolutely love BSD Makefile syntax. A project I maintain is a good example of a simple BSD Makefile. For reference, I’ve posted it below.

        ```make
        SHLIB=	pushover
        SHLIB_MAJOR=	0
        SRCS=	libpushover.c sanity.c
        INCS=	libpushover.h

        CFLAGS+=	-I${.CURDIR} -I/usr/local/include
        LDFLAGS+=	-L/usr/local/lib

        LDADD=		-lcurl -lsbuf

        .if defined(PREFIX)
        LIBDIR=		${PREFIX}/lib
        INCLUDEDIR=	${PREFIX}/include
        .endif

        .include <bsd.lib.mk>
        ```

        1. 1

          I usually try to make my makefiles OS-agnostic by trying to adhere to the POSIX makefile spec (w/o the GNU or BSD extensions).
          But the neatness and brevity of BSD makefiles astounds me.

          1. 1

            Yeah. I generally don’t need to worry about supporting non-BSD systems.

          2. 1

            I meant to reply to the comment above yours. Sorry!

            1. 1

              Which is fine if you are happy to depend on bsd.lib.mk existing, but if you’ve ever looked inside that file then you’ll be absolutely horrified if anyone claims it is simple or readable.

              1. 1

                I’ve hacked on bsd.lib.mk; it wasn’t difficult for me.

            2. 1

              Sandboxing could prevent a trojaned shellblob from harming the build host, but it wouldn’t prevent it from tampering with the build product.

              One point worth making is that a configure.ac or configure.in is amenable to auditing, so projects that use autotools without distributing a prerolled ./configure shellblob don’t have this problem. It’s bad practice to check ./configure into git, so a lot of people don’t do that. Nowadays, a source tarball that is essentially output from git archive is really common. So it’s a point less worth arguing as time goes by.

              1. 1

                You “regularly advocate for abandoning autotools”, and I was trying to ask what you propose for people to use instead that would be safe from trojans.

                1. 1

                  Nothing is truly safe, but the generated configure script is usually well over 10,000 lines of hard-to-read shell script, and few people will look at that, if any. It’s incredibly easy to hide something in there, even for larger projects with quite a few contributors. You can try to hide something in the main code or somewhere else too, but it’s much more likely to be noticed.

                  1. 1

                    I don’t have a one size fits all solution to advocate. CMake is okay; I’ve had some experience with it. Meson looks like it might be interesting.

                    In a lot of cases a makefile and a judicious use of pkg-config is good enough.

                  2. 1

                    Sandboxing could prevent a trojaned shellblob from harming the build host, but it wouldn’t prevent it from tampering with the build product.

                    That’s not a particularly interesting threat model. Anyone with the ability to trojan a configure script that you run also has the ability to trojan any of the source files in the build that the configure script is generating.

              1. 2

                Wow. I knew we could fairly easily backdoor new elliptic curves, but a block cipher? I had no idea.

                1. 1

                  There are quite a few places a backdoor can hide in a block cipher; there are constants littered around some algorithms to help with diffusion (e.g. key-schedule constants). I suppose an algorithm’s S-box construction is another place a backdoor could be snuck into.

                  A lot of algorithms try to prove they have nothing up their sleeve by selecting constants so that they’re above suspicion. For example Pyjamask uses the decimals of Pi for its key-schedule constants.
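                  The “nothing up my sleeve” claim in the comment above is only worth something if someone actually recomputes the constants. As an added example (not code from the thread or from any cipher project), this Go program does that for one well-documented case: Blowfish’s initial P-array is specified as the hexadecimal digits of pi. It derives the digits exactly with the Bailey-Borwein-Plouffe series and compares them word by word, so an altered constant is pinpointed rather than taken on trust.

                  ```go
                  package main

                  import (
                  	"fmt"
                  	"math/big"
                  	"strconv"
                  	"strings"
                  )

                  // piHexDigits returns the first n hexadecimal digits of pi after the
                  // radix point, computed from the Bailey-Borwein-Plouffe series
                  //   pi = sum_{k>=0} 16^-k * (4/(8k+1) - 2/(8k+4) - 1/(8k+5) - 1/(8k+6))
                  // in exact rational arithmetic, so no floating-point rounding is involved.
                  func piHexDigits(n int) string {
                  	sum := new(big.Rat)
                  	sixteen := big.NewInt(16)
                  	// Every term contributes about four bits; the extra terms keep the
                  	// truncated tail far below the last digit requested.
                  	for k := int64(0); k <= int64(n)+8; k++ {
                  		term := new(big.Rat).Add(big.NewRat(4, 8*k+1), big.NewRat(-2, 8*k+4))
                  		term.Add(term, big.NewRat(-1, 8*k+5))
                  		term.Add(term, big.NewRat(-1, 8*k+6))
                  		scale := new(big.Int).Exp(sixteen, big.NewInt(k), nil)
                  		term.Quo(term, new(big.Rat).SetInt(scale))
                  		sum.Add(sum, term)
                  	}
                  	// Remove the integer part (3) and shift n hex digits to the left;
                  	// the integer quotient is then exactly the digit string we want.
                  	frac := new(big.Rat).Sub(sum, big.NewRat(3, 1))
                  	frac.Mul(frac, new(big.Rat).SetInt(new(big.Int).Exp(sixteen, big.NewInt(int64(n)), nil)))
                  	digits := new(big.Int).Quo(frac.Num(), frac.Denom()).Text(16)
                  	return strings.Repeat("0", n-len(digits)) + digits
                  }

                  // blowfishP is the documented initial P-array of Blowfish (18 words),
                  // which its specification describes as the leading hex digits of pi.
                  // It is the "nothing up my sleeve" claim being checked here.
                  var blowfishP = []uint32{
                  	0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, 0xa4093822, 0x299f31d0,
                  	0x082efa98, 0xec4e6c89, 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
                  	0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, 0x9216d5d9, 0x8979fb1b,
                  }

                  // wordsFromHex slices a hex digit string into big-endian 32-bit words.
                  func wordsFromHex(h string) ([]uint32, error) {
                  	if len(h)%8 != 0 {
                  		return nil, fmt.Errorf("hex string length %d is not a multiple of 8", len(h))
                  	}
                  	words := make([]uint32, 0, len(h)/8)
                  	for i := 0; i < len(h); i += 8 {
                  		v, err := strconv.ParseUint(h[i:i+8], 16, 32)
                  		if err != nil {
                  			return nil, err
                  		}
                  		words = append(words, uint32(v))
                  	}
                  	return words, nil
                  }

                  // firstMismatch checks the claim that consts are the consecutive 32-bit
                  // words of pi's hex expansion. It returns -1 when every word matches,
                  // otherwise the index of the first constant that does not.
                  func firstMismatch(consts []uint32) int {
                  	words, err := wordsFromHex(piHexDigits(8 * len(consts)))
                  	if err != nil {
                  		panic(err) // cannot happen: piHexDigits output is always well formed
                  	}
                  	for i, c := range consts {
                  		if words[i] != c {
                  			return i
                  		}
                  	}
                  	return -1
                  }

                  func main() {
                  	if i := firstMismatch(blowfishP); i == -1 {
                  		fmt.Println("Blowfish P-array matches the hex digits of pi")
                  	} else {
                  		fmt.Printf("P[%d] = %#08x does not match pi\n", i, blowfishP[i])
                  	}
                  	// A tampered copy (constructed here) is caught at the altered word.
                  	tampered := append([]uint32(nil), blowfishP...)
                  	tampered[5] ^= 1
                  	fmt.Println("tampered copy: first mismatch at index", firstMismatch(tampered))
                  }
                  ```

                  The same check applies to any constant whose origin is stated as a digit string; only the generator (pi, e, sqrt of a prime) changes.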

                1. 5

                  Good read.

                  Using Cobra isn’t particularly necessary - the standard library’s flag package is full featured enough (although annoyingly opinionated in not supporting GetOpt style long and short options)

                  You could do what I noticed age does and hack around this limitation by adding another flag and prefixing the long option name with a - (dash).

                  ```go
                  var str string
                  flag.StringVar(&str, "l", "default value", "str help message")
                  flag.StringVar(&str, "-long", "default value", "str help message")
                  ```


                  Passing --long=value or -l value to the program will do the same, imitating getopt long style.

                  1. 1

                    Later on I’ve found out age doesn’t actually add a - and that Go’s flag does just support long-style opts all on its own.

                    I don’t recall if long opts weren’t supported for a time.
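                    As an added example (not code from the thread or from age), here is what the exchange above ends up describing: each option is registered under a short and a long name bound to the same variable, and Go’s flag package accepts both the -name and --name spellings on its own, so no dash needs to be baked into the flag name. The flag names and the program name are made up for the demo.

                    ```go
                    package main

                    import (
                    	"flag"
                    	"fmt"
                    	"os"
                    )

                    // options holds the values parsed from the command line.
                    type options struct {
                    	output string
                    	armor  bool
                    }

                    // stringAlias registers one string variable under a short and a long
                    // name. Whichever spelling the user types last wins.
                    func stringAlias(fs *flag.FlagSet, p *string, short, long, def, usage string) {
                    	fs.StringVar(p, short, def, usage)
                    	fs.StringVar(p, long, def, usage)
                    }

                    // boolAlias does the same for a boolean option.
                    func boolAlias(fs *flag.FlagSet, p *bool, short, long string, def bool, usage string) {
                    	fs.BoolVar(p, short, def, usage)
                    	fs.BoolVar(p, long, def, usage)
                    }

                    // newFlagSet builds the demo's flag set. The names are plain words:
                    // the flag package strips one or two leading dashes itself, so
                    // "-o", "--output" and "--output=FILE" all reach the same variable.
                    func newFlagSet(opts *options) *flag.FlagSet {
                    	fs := flag.NewFlagSet("demo", flag.ContinueOnError)
                    	fs.SetOutput(os.Stderr)
                    	stringAlias(fs, &opts.output, "o", "output", "", "write output to this file")
                    	boolAlias(fs, &opts.armor, "a", "armor", false, "emit ASCII-armored output")
                    	return fs
                    }

                    // parseArgs parses args (without the program name) and returns the
                    // options plus the positional arguments left after flag parsing.
                    // A bare "--" ends flag parsing, as with getopt_long.
                    func parseArgs(args []string) (options, []string, error) {
                    	var opts options
                    	fs := newFlagSet(&opts)
                    	if err := fs.Parse(args); err != nil {
                    		return opts, nil, err
                    	}
                    	return opts, fs.Args(), nil
                    }

                    func main() {
                    	opts, rest, err := parseArgs(os.Args[1:])
                    	if err != nil {
                    		os.Exit(2) // usage has already been printed by the flag set
                    	}
                    	fmt.Printf("output=%q armor=%v positional=%v\n", opts.output, opts.armor, rest)
                    }
                    ```

                    One side effect of the aliasing is that both names appear separately in the generated usage text; collapsing them needs a custom fs.Usage.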

                  1. 3

                    Why the censoring of “BrainFuck”? To me, as it’s the name of the language, it seems like a nice excuse to use the word “fuck” without censoring it.

                    Maybe I’m just a potty mouth :P

                    1. 2

                      I agree–just quoting the repo. :)

                    1. 1

                      What “common scripts” does SmartBlock “stand in” for? I was hoping for a more technically informative article about how the feature works.

                      1. 11

                        I can relate to this to some degree. But this is a very good lesson to learn: you don’t owe anything to any of those people. You shouldn’t really feel guilty. If they don’t put in the effort to create a proper bug report, why should you put in the effort to fix it? More mitigations include: issue templates, labels “can’t reproduce”, “question” or “help wanted”, a more strict policy clearly laid down in the README, or even just… disable the issues section. Just make it clear that it is your project and you won’t generally work on other people’s issues, but may accept pull requests.

                        I still think it’s worth it to publish the code, even if it only “works for you”. Others, who care, may find it valuable. I don’t know which project the author talks about, how popular they are, or what community uses them (e.g. the entry barrier for Python is a lot lower than it is for other languages, so expect more poorly written complaints here), but I haven’t encountered this situation to the same degree. The compliments are really nice, even if rare (they wouldn’t feel special otherwise).

                        1. 3

                          shouldn’t really feel guilty

                          I still just do though. This is a personal issue, but I can’t help feeling that way.
                          I’ll probably just start disabling issues on my GH projects.

                        1. 1
                          1. 3

                            I don’t know if it’s supposed to be, but I find this story charming and hilarious!

                            1. 6

                              Ooh, you get to find out about Aphyr’s series, which this sorta works with! It’s mentioned in another comment here, and at the bottom of the article.

                              1. 1

                                Thanks! These are great.

                            1. 4

                              If you go this route, also consider using a language linter such as languagetool, proselint or writegood, all of which have plugins for various editors.

                              1. 2

                                All of them (except LanguageTool, to some degree) are focused on English writers only.

                                Here I should probably write a looooong comment and dive into the elaboration that we still can’t get most things done with computers automagically, which many can prove by writing any sort of linter/analyzer (except the regular spelling dict) to check documents written in, for example, the Polish language (you can insert here any verbose language with flexible grammar rules).

                                But in the end I’ll leave that to you, since I know there are some people related to linguistics here.

                                1. 1

                                  I know that most writing tools are heavily English biased, but the README on writegood linked to an example German extension (the appropriately named schreib-gut).

                                  I know that some languages are less tractable when it comes to computational language analysis (e.g. Finnish is apparently impossible to have an autocomplete for), and it seems like the classes of problems might not match English’s (e.g. some idioms can’t be confusing due to declination), but I suspect it’s a matter of people sitting down and making such tools.

                                2. 1

                                  write-good is quite an ironic name since it should be write-well for it to be grammatically correct.

                                  1. 5

                                    I think that’s the joke. ♥

                                    1. 2

                                      That would... make a lot of sense. ♥

                                    2. 2

                                      Maybe it’s influenced by Ingsoc’s Newspeak.

                                    3. 1

                                      Thanks. It’s been suggested to me that I use Grammarly, but I prefer a s/w that can be used offline. I’ll check these out.

                                    1. 4

                                      I think elementaryOS’ overall UI style is a welcome contrast to the “flat” UI style that’s been big for so long now. Maybe it’s more accurate to say that it’s a good mix of the two (flat vs skeuomorphism).

                                      1. 19

                                        Oh... So, like, literally “listen” to network traffic. That’s pretty cool!

                                        1. 5

                                          It reminds me of listening to Wikipedia: http://listen.hatnote.com/

                                        1. 2

                                          Nowadays I mostly use WSL+Windows Terminal if I’m ever doing something with go, c, python, bash, on Windows (provided whatever I’m doing with those doesn’t actually depend on running on actual Windows).

                                          I find for stuff like Android/Java/Kotlin/C# development and writing software for Windows, an IDE like IntelliJ or VisualStudio is almost a must.

                                          1. 2

                                            All of these also seem to work in POSIX sh, just FYI.

                                            1. 8

                                              My own philosophy is that blogs don’t need comments. If you want to respond you can contact me or write your own blog post or tweet or tiktok about it - whatever it may be. I don’t want to assume responsibility for moderating and/or curating somebody else’s words that will show up alongside my own.

                                              1. 2

                                                Personally, I’m often disappointed to find that a blog post doesn’t have a comments section. Writing an e-mail just to express your gratitude feels weirder than leaving a comment.

                                                1. 3

                                                  I appreciate gratitude expressed by email way more than that expressed by comment.

                                                  I also feel a comment section is meant to serve other readers of the article at least as much as its author, so in fact I feel expressions of gratitude about the article are misplaced in the comments.

                                                  1. 1

                                                    I also feel a comment section is meant to serve other readers of the article at least as much as its author

                                                    That’s a good point, and I agree!

                                                    What I dislike about writing e-mails is the ceremony involved. I need to explain what article I’m referring to, why I’m writing, say hello and goodbye and so forth. In a comments section, all of those things are implied. (That’s not to say I dislike writing e-mails in general, just as a replacement for comments.)

                                                    1. 1

                                                      Indeed. That is why I appreciate emailed expressions of gratitude so much more – here I have someone so compelled to say thanks that all the trouble they had to go through didn’t deter them. It just hits differently.

                                                      (Doesn’t mean a graceful and sincere response necessarily comes naturally, so sometimes I have taken a long time to reply and in a handful of cases I never did – but don’t let fear of shouting into a void discourage you. I promise, if the author does see your message (which spam filters unfortunately do make uncertain), it will almost certainly be gladly received, even if you never hear back.)

                                                  2. 1

                                                    I make a point of writing emails to express gratitude. Maybe it’s a little weird, but it’s almost always appreciated.

                                                  3. 1

                                                    I wonder how many (if any) tiktoks exist that are replies to blog posts.

                                                  1. 1

                                                    I fail to see the use for Go for non-enterprise projects. It doesn’t seem to offer anything interesting compared to languages I already know (like C) apart from goroutines. I would love to be proved otherwise, though.

                                                    1. 11

                                                      I like using go for (personal) server applications, because it has a comprehensive and well-designed standard library and generates static binaries that can be easily copied around. With the new embed directive, this should make it even easier. I think Go doesn’t want to be interesting, it wants to be convenient, and that is certainly something it manages.

                                                      1. 4

                                                        I love to use Go for personal projects because it costs nothing to host it. I am talking about resource consumption. It fits on many “free plan” VMs, where Java would not.

                                                      2. 2

                                                        Personally, I just find it easy to write and understand and plus I enjoy the syntax.
                                                        When most people have a rough idea of something they want to make they do up a prototype in Python, but I usually do the same in Go just because I enjoy writing it.

                                                        1. 1

                                                          Compared to C, for private and non-enterprise projects Go offers:

                                                          • No requirement for header files
                                                          • Sometimes less verbosity
                                                          • Nicer Errors
                                                          • Faster build times

                                                          While Go has good tooling C might still have more.

                                                        1. 1

                                                          I tried this with my old fav slrn, but I do need something that handles HTML format.

                                                          https://imgur.com/a/OQXE42V

                                                          1. 2

                                                            You can configure slrn to run articles through html2text and a little s-lang, description at the bottom of the page here: https://feedbase.org/documentation/#slrn

                                                            It isn’t super fast, but it looks pretty good: https://koldfront.dk/misc/lobstersslrn.png

                                                            1. 1

                                                              From the README, there are two groups:

                                                              • lobsters - “Multipart HTML/Plain UTF-8 QP”, and
                                                              • lobsters.plain - that is “Plain UTF-8 QP”

                                                              Try out lobsters.plain I guess?

                                                              1. 2

                                                                I had recently added that. I’m tempted to turn .plain into ISO-8859-1 for the nasty legacy clients.

                                                            1. 11

                                                              That pretty well sums up why I just block it entirely. A favorite local web site moved from a normal wordpress comment system to disqus a few years back, and that bothered me enough to stop participating even though I’d enjoyed it for 6 or 7 years up to that point. Even in the beginning, disqus felt slimy. Since the acquisition by the surveillance tech firm: it’s a hard “No.”

                                                              1. 1

                                                                How do you go about blocking it?

                                                                1. 4

                                                                  I use the EFF’s privacy badger add-on.

                                                                  1. 4

                                                                    uMatrix is the way to get back control on the Web.

                                                                    1. 3

                                                                      uMatrix was one of my favourite extensions.
                                                                      Too bad its repo has been “archived” now. Development has ceased.

                                                                      1. 1

                                                                        Still works pretty darn well for me, so it’s still my favourite 😊

                                                                    2. 3

                                                                      I blacklist it in my pihole install.

                                                                  1. 2

                                                                    Why not use Tor for this, which is a general and well-known solution?

                                                                    1. 3

                                                                      Lack of mobile clients, probably.

                                                                      1. 3

                                                                        In theory they could bundle a Tor client in Signal and send traffic through its SOCKS/HTTP proxy (definitely doable on Android).

                                                                        But in practice it’d probably be hell.

                                                                    1. 4

                                                                      Typewriters are incredibly complex and precise piece of machinery. At their peak in the decades around World War II, we built them so well that, today, we don’t need to build any typewriters anymore.

                                                                      Cool, now it’s time to find all the many typewriters to help me type in my native script. Oh wait a minute, they don’t really exist. This is also a great solution for CJK languages which have multiple scripts and large ideographic orthographies.

                                                                      A heavier and well-designed object feels different. You don’t have it always with you just in case. You don’t throw it in your bag without thinking about it. It is not there to relieve you from your boredom. Instead, moving the object is a commitment. A conscious act that you need it. You feel it in your hands, you feel the weight. You are telling the object: « I need you. You have a purpose. »

                                                                      Right, so I should tell my partner, who has a lot less upper body strength than I do, that she needs to carry a metal weight in her bag to help her feel connection with her writing device, and also give her back pain? Come on. Portability is a huge leveller. It helps folks ride around on bicycles or walk instead of driving with their goods. It helps women, who have less upper body strength, carry things around. It lets kids, the elderly, and anyone who has issues hauling things be enabled to use the device. This feels like an anti-accessibility measure to me.

                                                                      Instead of being mass-produced in China, ForeverComputers could be built locally, from open source blueprints.

                                                                      Nice, we got some xenophobia here as well.

                                                                      Geeks and programmers know the benefit of keyboard oriented workflows. They are efficient but hard to learn.

                                                                      With the way my RSI is going, I’m really hoping we as a society can move away from keyboard oriented workflows, but okay. I’m glad our vision of the future only has people with full range of motion with their 10 digits as writers.

                                                                      While I like some of the ideas here, I really want to question these choices that the author has made. Who actually wants to use these devices? Certainly not my parents, my partner, nor I. These are things that a certain subset of the software community values, but far from universal. There’s also a lot of implicit eurocentrism in the typewriter. Modern computers have dramatically increased the accessibility of reading and writing to folks with poor vision or dexterity, and we don’t remember the typewriters that did break or jam frequently. Let’s not throw away accessibility due to some nostalgia that a programmer has.

                                                                      1. 5

                                                                        Instead of being mass-produced in China, ForeverComputers could be built locally, from open source blueprints.

                                                                        Nice, we got some xenophobia here as well.

                                                                        What’s wrong with localized production instead of long-distance mass-production in typical mass-producing-nations like China? His remark neither meant China specifically (but rather used it as a device), nor did it address the Chinese people but the nature of China’s economy. Or are you going to argue that China does not primarily focus on mass-production?

                                                                        Apart from that, I agree with your statements.

                                                                        1. 2

                                                                          Because it’s naive if the point is about mass production and shipping. If you’re trying to argue that your device is made externally, then I’m pretty sure the entire thing is not assembled in China. The chip may have been fabricated in Taiwan (through TSMC), other electronic parts in China, with small parts from, say, Indonesia. Modern supply chains are complex, and assuming something comes solely from China feels disingenuous.

                                                                          It would have been simpler to say “Instead of being assembled and shipped over large distances, ForeverComputers could be built locally.”

                                                                          1. 3

                                                                            It may very well be naive, yes. But I still don’t see how it’s “Xenophobic” to say what they’ve said.

                                                                            1. 1

                                                                              Sure, I can go either way on it. I wasn’t inclined to give the piece the benefit of the doubt when the rest of it seemed so out of touch, but I can see it being either naïveté/figure of speech or mild xenophobia.

                                                                      1. 1

                                                                        Personally I don’t care for RSS, because I like the diversity in presentation and styling that different sites use. I like seeing a grid of thumbnails on Youtube, or a list of threads with vote/comment counts on Reddit. I’m sure it’s possible to get similar presentation if you hack on your own RSS reader, but at that point I’d basically be rewriting those sites and I don’t see any benefit in it.

                                                                        That said, some sites can get really annoying to browse, especially on mobile. I like RSS for those sites.

                                                                        1. 4

                                                                          I get this. And I agree when we’re talking about smaller sites+blogs.
                                                                          I just use RSS to keep up-to-date with said sites/blogs, and I usually view the actual articles in a browser.

                                                                          1. 2

                                                                            A lot of formerly popular feed readers only showed title+link and you read on-site anyway, if that’s your thing.

                                                                            1. 1

                                                                              A good example of this is news sites, or ad-heavy sites. LitHub is one where I like to read the articles, but the actual site is littered with ads and related-content blocks. Getting the articles from the RSS feed strips all that out and makes it much easier to read.