WTF Bites

topspin

@cvi said in WTF Bites:

@Gern_Blaanston said in WTF Bites:

So, their cost cutting plan is to lay off 90 people while at the same time hiring 100.

Fire the expensive high-salary senior people and hire a pile of interns?

The math doesn't lie!

Churn is a great tool for knowledge retention.

boomzilla

@topspin said in WTF Bites:

@Tsaukpaetra said in WTF Bites:

@cvi said in WTF Bites:

@Gern_Blaanston said in WTF Bites:

So, their cost cutting plan is to lay off 90 people while at the same time hiring 100.

Fire the expensive high-salary senior people and hire a pile of interns?

The math doesn't lie!

Churn is a great tool for knowledge retention.

Knowledge retention? Sir, this is ~~a Wendy's~~Reddit.

Arantor

I give you one of the third party apps for Reddit and their take on this “fair pricing” situation: https://www.reddit.com/r/apolloapp/comments/13ws4w3/had_a_call_with_reddit_to_discuss_pricing_bad/

error

This file is triggering my OCD.

We have:

mixed tabs and spaces indentation
indentation that doesn't align with tab stops (odd number of spaces indented)
random indentation that doesn't reflect actual structure
mixed double quotes and single quotes
Engrish! return "Author must be included set of " + firstSet + " images";
typos in the field names
var url4= $("input[name*='./ctaUrl']"); Why url4? It's not the fourth anything, There's no url1-3.
if(condition) { doSomething(true); doSomethingElse(true) } else { doSomething(false); doSomethingElse(false); }
plenty of copypasta

And of course, the bugs I was assigned to fix.

BernieTheBernie

@error Instead of complaining, you should feel lucky that url1-3 are no more used.

Watson

@BernieTheBernie said in WTF Bites:

@error Instead of complaining, you should feel lucky that url1-3 are no more used.

But must be included set of url1-4.

Applied Mediocrity

I've been mostly keeping blissfully ignorant of all the modern Store app crap. Is there any legitimate and sane reason whatsoever for this shit? Or is it their new, best idea of security by obscurity, because file system permissions are difficult, let's go shipping?

These kinds of ideas feel like from that program @Tsaukpaetra decompiled in the other thread

Bulb

@Applied-Mediocrity It is a unique identifier of the package. I think probably of the specific build so when it does an upgrade, it can unpack the new version and then remove the old one after you restart the app.

Every package manager needs some kind of unique identifiers for packages, and they chose to use some kind of hashes so they don't need to enforce unique names. I think the store actually supports alternate sources (for corporate use, mainly), so they don't have full control over them.

It has nothing to do with security. Store applications were designed as fully sandboxed, and while non-sandboxed applications are allowed these days, sandboxing is the default for applications written in the newer framework (universal windows platform).

Zerosquare

I think Raymond Chen had a blog article about this, but I'm feeling today.

Applied Mediocrity

@Bulb said in WTF Bites:

It is a unique identifier of the package.

Was it invented by those youngsters mentioned in the Diseducation thread that don't know anymore what a folder is and what such arcane contraption might be used for?

when it does an upgrade, it can unpack the new version and then remove the old one after you restart the app.

What an amazing innovation. I couldn't believe such a thing was possible otherwise.

It has nothing to do with security.

Unique identifiers have everything to do with security. They're presented in the launcher UI with only an icon and a name. Without unique name enforcement users cannot differentiate between legitimate and illegitimate/malicious app no matter what the package manager knows.
Also, removing the constraint only served to promote higher quantity of shovelware that literally every such store is chock-full with.

Store applications were designed as fully sandboxed

Store applications were designed by a bunch of monkeys flinging themselves down a mountain QWOP-style.

topspin

What the fuck is this shit. Show a full keyboard, would ya?

topspin

@topspin I’ve googled keyboard for ants and the results didn’t even mention @Tsaukpaetra. Disappointing.

BernieTheBernie

@topspin What about touching that ABC "button"?

loopback0

@topspin said in WTF Bites:

What the fuck is this shit. Show a full keyboard, would ya?

Pinch the keyboard to make it smaller, do the opposite to make it bigger.

topspin

@loopback0 intuitive. Not.
How about a button? There’s still room next to the drag area.

topspin

@BernieTheBernie switches between what you see and alphabet, but not related to the ant size.

In other news, now that I know how to embiggen it again, I’m now trying to type one-handed on the ant sized one.

BernieTheBernie

@topspin Uhm, reading WTD on a real computer with a 27" screen, distorted that bit...
So you'd better try

ant --build --target=keyboard --size=big

HTH.

Zecc

@Applied-Mediocrity said in WTF Bites:

let's go shipping?

Bulb

@Applied-Mediocrity said in WTF Bites:

@Bulb said in WTF Bites:

It is a unique identifier of the package.

Was it invented by those youngsters mentioned in the Diseducation thread that don't know anymore what a folder is and what such arcane contraption might be used for?

It is a folder as far as I can tell. It still needs a unique name.

when it does an upgrade, it can unpack the new version and then remove the old one after you restart the app.

What an amazing innovation. I couldn't believe such a thing was possible otherwise.

It … always either

used just one package source,
used similar identifiers already (the idea is not new), or
caused problems when you got different installers or sources mixed up.

It has nothing to do with security.

Unique identifiers have everything to do with security. They're presented in the launcher UI with only an icon and a name. Without unique name enforcement users cannot differentiate between legitimate and illegitimate/malicious app no matter what the package manager knows.

That needs to be true mainly when installing the app. At that time, the user knows which source they are using and how much they trust it.

Also, removing the constraint only served to promote higher quantity of shovelware that literally every such store is chock-full with.

Well, yes. It is also, specifically in the Microsoft case, undermined by how hard porting applications for it has been for quite a while.

Store applications were designed as fully sandboxed

Store applications were designed by a bunch of monkeys flinging themselves down a mountain QWOP-style.

Yes.

Zerosquare

This post is deleted!

TwelveBaud

@Applied-Mediocrity It's a link to a specific activity within the WhatsApp Metro app.

Okay, let's break it down...
5319275A - Meaningless garbage that WhatsApp decided to include. Should be WhatsApp.
WhatsAppDesktop - Name of the app.
cv1g1gvanyjgm - Base36-encoded thumbprint of the certificate used to sign the app. Used so that apps with the same name from different developers are treated as different.
App... - Name of the specific activity (== window or page) within the app to launch.

This allows the shortcut to point to that activity regardless of whether WhatsApp is installed as part of Windows, as part of your device vendor's crapware, as part of your user profile, or on some other device, and know which page in Microsoft Store to pop up if you don't have it anywhere. Windows Installer did the same thing with its shortcuts (using GUIDs), and for the same reasons.

Store applications were designed by a bunch of monkeys flinging themselves down a mountain QWOP-style.

Well, you're not wrong...

Applied Mediocrity

@TwelveBaud said in WTF Bites:

Okay, let's break it down...

Good idea. I'll lend you a hammer.

Meaningless garbage that WhatsApp decided to include

Not the only one like that, I'm afraid.

Name of the app

But the real name that it shows to the user is shoved in some manifest or something.

Used so that apps with the same name from different developers are treated as different.

As I've said already, I take an issue with this fake-ass uniqueness. Would that mean I can sideload Microsoft.NET.Core.tra-la-la as long as the cert used for signing is trusted, and have it look perfectly legitimate? Right now I have two WhatsApp in my start menu and under Apps & features. One of them has slightly larger icon. At a glance that's all that differentiates them.

And, I mean, if your crap would be named Calculator, that should be a dead giveaway that the world doesn't need another one. If it's called Word or if it's a game containing the word Scrolls, certain creatures worse than slime mold will write you a cease and desist letter. Want a unique name? Register a trademark. Don't want to bother with that? Then the name is not significant enough to have any meaning to begin with.

Name of the specific activity (== window or page) within the app to launch.

Magical delimiters! Does that mean I can't use ! in the name?

Gustav

@Applied-Mediocrity said in WTF Bites:

Does that mean I can't use ! in the name?

Of course you can't, it's not in ID_Continue class.

Applied Mediocrity

@Gustav But W̸̧̧̧̧̠̻̤̻̳͚͙̩̜͖̞̦̞͍̺̪͎̪̺̰̹͙͖͇̮̝̬̗̳̦͙̘̻͇͖͑͋͒͐̇͗̋̔̈́̒̆̇̂̋̈́̉̒͆̏̍͑̈́͛̔͒̒͑͐̀̊̍͑̎̓̀̉͊͐̍̈̄̚͠͝͝͝͠͝͝ͅḫ̴̨̛̛̼̗̠͓͚̥͈͖͖̼̱̭͇͇̩̭̑́̆̀́͋̑̿̓̀́̾̏̃̈̔̑̀̐͛̍̾͂̒͋̒̈̓̊̋͑̍̾̚̕͘̚͝͝͝͝ͅͅͅá̵̢͇̗̻̭̮̖͔̗̇̐͌̅̃̂̃͊͗͂͐̽̉̀͋̒̚͜ţ̴̛̛̮̝̙̼̱̠̥͕̠̤̣͇̰̹̖̼̯̯̪͎͙̮̜̥͉̝͓͙̯̖̯̻̑̀͒͌̃̇̃̑̚͜͜͜͠ͅș̴̨̨̛̜̙̘̹̣̹͌̅͂͛̃̽͗́͐̔̐̃̄͗̒̋̇͑̈́̓̈́̐͐̈́̏̂̓́̋̕̚͝A̶̡̨̧̡̧̛͓̦̠̪͇͔̙̬͙̖̲̲̙͉͙̥̮̞̥̼͚͙̣̤͇̯̙̫͎͚͇̬̥͍̭̠̭͕̜̰͈͆͆̀̒̽͊̃͛͌͛͂̾̆̈́̿̊̅̋̔̅͂̓̂̈́͛̈̂͗͊̄̿̑̕̕̚̕̕̚͘͝͠͠͝ͅp̷̢̢̧̧̨̹̰̦͍̮̩̫̮̞̝͚͚̪͈͚̭͉̠̥͉̟̘̱̖͓̗̠̗̲͇̈́̅̋͋́̈̊̾͐̅̔͋̆͆̽̍͂̓̏̈́͊͑͝p̵̨̛̛̝̣͈̝̗̲̭̹̤̼͇̙̖̞̲͈͍̻͕̠͉̞͓͉̻̖̟̻͎͙̭̉͌̄̀̈́͐̊̑̾̈́̋̀̀̈́̓̈́̌̐̇̓͋̓̇̀͂̆̈́̿̄́͋̋͂̈́̕̚͜͜͝͝͝͝D̵̨̲̫̲̪̪̞̖͍̖̻̦̲̼̻̩̪̞̘̳͚͇͎̼̻̜̊̏͌̍͌̄̓̿͌͋͌͌͜͠e̵̛͍͑̓̈́͋̄͊̒̾͒͑́̉̈́̒́͑͂̅̓̈́̀͐̑̓͛̈́̓̽́͂́̑̂̍̓͊̕ͅs̶̛̬͙͖̦̝̺͙̜̥̜̟̩͕̗͎͓̤̱͍̮̳̪̫̤̼̼̳̜̽͗̎͗̀̄̀̔̊̉͌͑͌̅͛͆̂̑̏̍̈́͘̚͠͠ͅk̷̢̢̧̤̰̖͇̬̻͔͈̰͉̯͍͎̟͇̩̞͓̗̤̪̱͉̗͒̂̔̊͆̎̆̽̌̈́̄́̉͑̎̋̃͐̎̎͂̄͠t̸̢̯͔͇̘̞̋̈̾̊͛̀̈́̀͆͜͠ő̷̢̫̺̥͉̱̰̣̹͖̬̯̱̗̤͖̫̺̝͉̼͚̝̥̱̥̭͚͕̼̹̭̖͈̺̗̣̳̬͎̙͇̉͗̌̅͌ͅp̶̧̛̛̛͎̋̆̀̅̀̂̅͗̈́͌͆̀̌̄́̒̾̏̀̈́͑̆͒̚̕͝͝ is perfectly fine then?

Gustav

@Applied-Mediocrity sure, why wouldn't it be? On the other hand, a name containing ! would be extremely annoying to use in code (where you define and use activity names).

Applied Mediocrity

@Gustav I don't give a roadkill rat's ass about any stupid fucking code. File names and magical tokens are data strings.

cvi

How about "forever"?

Google/Youtube.

Applied Mediocrity

@cvi You will like and cherish what the great sun gods of technology have deigned to make available to you, untouchable user, in their infinite wisdom, may their names be praised evermore. Lie down and open wide.

TwelveBaud

@Applied-Mediocrity said in WTF Bites:

Would that mean I can sideload Microsoft.NET.Core.tra-la-la as long as the cert used for signing is trusted, and have it look perfectly legitimate?

Yep. Nothing legitimate would ever make use of it because it wasn't signed by 8weky... (and the signing cert is part of the reference) but unless the victim has 8weky... memorized they won't know it's not Microsoft's.

PotatoEngineer

This post is deleted!

Gustav

@Applied-Mediocrity said in WTF Bites:

@Gustav I don't give a roadkill rat's ass about any stupid fucking code. File names and magical tokens are data strings.

But activity names aren't.

dkf

@Gustav said in WTF Bites:

@Applied-Mediocrity said in WTF Bites:

@Gustav I don't give a roadkill rat's ass about any stupid fucking code. File names and magical tokens are data strings.

But activity names aren't.

I've put spaces in ELF symbol names in the past. What is possible and what tooling makes easy are two different things.

Applied Mediocrity

@Gustav said in WTF Bites:

But activity names aren't.

Hence they have no business being in file names.

Gustav

@Applied-Mediocrity so what should be in the filename? How do you correlate files with activities from specific app packages?

dkf

@Gustav said in WTF Bites:

so what should be in the filename?

That's what GUIDs are for. They're popular in Windows I hear, and you could always stuff the manifest in the registry for easy lookup.

Gustav

@dkf let me get this straight. To solve @Applied-Mediocrity's "problem" of filenames being only partially human readable and even that part having restricted character set, you propose to remove the human-readable part altogether? I don't think you two are working toward the same goal.

dkf

@Gustav said in WTF Bites:

I don't think you two are working toward the same goal.

Working?

Parody

@Gustav What if (stay with me here) we replace the file with a URL with the GUID attached that links to a web service that tracks what they're doing and returns the app and activity they need to do it? If the app isn't installed the OS could go get it and call back afterwards. This would even work on the web, letting sites across the world continually prompt you to install their app and continue in it instead of using their perfectly usable website!

Arantor

@Parody That sounds like you're bringing Web3 technology to the desktop.

:citizen-kane-clapping.mp4:

loopback0

A website I just went to defaulted the language to de-GB. Currency in GBP and most, but not all, of the text in German. There isn't an option to select the language.

LaoC

@loopback0 said in WTF Bites:

A website I just went to defaulted the language to de-GB. Currency in GBP and most, but not all, of the text in German. There isn't an option to select the language.

Zet zaunds reeli weri skeri!

Gustav

@Parody said in WTF Bites:

@Gustav What if (stay with me here) we replace the file with a URL with the GUID attached that links to a web service that tracks what they're doing and returns the app and activity they need to do it?

You mean exactly how it is now, except RFC 3986-compliant?

Bulb

On friday, I got a request to enable CORS on some storage, with the racionale that “the backend service stores some files there that the front-end (an SPA in Angular) needs to read”.

Well, ? Anything the app is supposed to display can come directly over the API and if it is a document the user is supposed to download and save, they don't need CORS for that.

So I asked the front-end dev and yeah, it is a document they should save, but it has the wrong name on the server and the front, so the front-end fetches it into a Blob and creates URL from that.

Ok, but can't it just get the right name? The name browser sets as default for download is just the last component of the path, and the ‘directory’ can be used for any disambiguation needed.

So I ask the back-end dev. Yeah, we tried, but the browser was offering the name with full path for download, not just the last component we wanted, so we came up with this workaround.

, right?

So we debugged the thing together. It turned out that given container endpoint, say https://example.blob.core.windows.net/kontainer/ and filename disambig-uati-ngpr-efix-000000000000/name.xslx, the BlobClient.getBlobUrl method produces https://example.blob.core.windows.net/kontainer/disambig-uati-ngpr-efix-000000000000%2Fname.xslx. The storage treats / and %2F the same—it urlunquotes the path first—but for the browser the encoded form is not treated as a separator.

… one .replaceAll("%2F", "/") everything works fine as intended and the kludge with fetching to blob can be abandoned.

Of course the method does have to urlencode the path, because it might contain other characters not valid in a URL. It just shouldn't be encoding the /s. Shows even such ‘simple’ operation as urlencoding something isn't necessarily simple.

ixvedeusi

@dkf said in WTF Bites:

I've put spaces in ELF symbol names in the past. What is possible and what doesn't fuck up your tooling ~~makes easy~~ are two different things.

dkf

@ixvedeusi LLVM and lldb are happy with it. I never got gdb working right on that machine (because macOS is very odd about signing of debugging tools).

Arantor

@dkf said in WTF Bites:

@ixvedeusi LLVM and lldb are happy with it. I never got gdb working right on that machine (because macOS is very odd ~~about signing of debugging tools~~).

dkf

@Arantor

DogsB

Parody

@Bulb said in WTF Bites:

Of course the method does have to urlencode the path, because it might contain other characters not valid in a URL. It just shouldn't be encoding the /s. Shows even such ‘simple’ operation as urlencoding something isn't necessarily simple.

The sad thing is, if it specifies it wants just a file name, not a path to a file, it's doing what it should even though that's generally not what you want.

I ran into something similar recently with a "website in a box" program with Windows and Android versions (among others). It attempts to write to a file in a folder in a folder relative to a base folder (so "foo/bar/baz.txt"), creating the folders and file if needed.

On Windows you get what was intended: a folder named "foo" containing a folder named "bar" containing a file named "baz.txt".

On Android you get a folder named "foo/", a folder named "foo/bar/", and then either an error if the intended folder structure didn't already exist or a new "baz.txt" if it did.

Silly slashes.

BernieTheBernie

@DogsB What are you complaining about?
That the mug is not dishwater proof? Nothing unusual.
That the mug is not microwave proof? Don't know how common that is; anyways, I do not have a microwave oven.
That no barcode was stuck on the "Barcode Placement" area? So what?
That the thing is Made in China? Why would you expect something different?