This is apparently not a joke: http://www.nomorejavascript.com/
-
Clearly the solution is to build a time machine and kill the guy who made JavaScript before he makes it.
While I might be very happy if you did that, you might not like what happens if you try. (I know what was the second choice language for scripting browsers at that critical time…)
If there's one thing playing Red Alert has taught me, it's to be careful with changing the space-time continuum!
-
Why aren't you disclosing this information? Trying to play the interesting card?
-
One day and less than 500 people have expressed interest. On the internet, this is "ebola in the USA" levels of virulent.
-
Filed under: Discoursistency, we need a new tag cloud to attack
-
Which is still more easily fixed by extending the debugging tools to be able to present the original source/variables/types etc. using some kind of annotations the compiler would place in the generated JavaScript
We have those. They are called source maps.
-
Can source maps show the Haskell types when I compile with Fay? Java types when I compile with JWT? Ruby types when I compile with Opal? Of course being able to see where the execution is in the original source is important, but these languages also need to adjust the types and the debugger should also understand that. And a suitable expression parser so it can evaluate expressions in that language.
-
Is there any problem with JS that hasn't already been addressed with a language/tool/library?
And, if there aren't, doesn't that really just mean that someone needs to integrate some of the features of these into the standard?
-
Is there any problem with JS that hasn't already been addressed with a language/tool/library?
Yes, the fact that there are too many competing JS libraries/frameworks/tools.
-
Touché. I have to admit, I have sometimes started a project by searching through libraries to figure out which one works best or is more appropriate to my project.
I think building the features that are most useful into the language standard, though, would help. Of course, then the simplicity of the language suffers, and what once was a complaint about Library X is now a complaint about the language proper, so maybe I'm being simple.
-
Yes, the fact that there are too many competing JS libraries/frameworks/tools.
Filed under: too lazy to photochop it to match this scenario
-
and what once was a complaint about Library X is now a complaint about the language proper
and the language suffers from using it in ways that library X was not designed to handle....
-
build a time machine and kill the guy who made JavaScript before he makes it.
http://tvtropes.org/pmwiki/pmwiki.php/Main/HitlersTimeTravelExemptionAct
Secondly, even if you do manage to kill him, something even worse will appear in his place;
Filed under: TV Tropes should be on the onebox whitelist.
-
TBH there are a handful that you will encounter in most circumstances.
-
nah. i'll wait a few days so it has an "almost newish kinda look to it.
Or you could photoshop his avatar onto the cover for the lulz.
-
I actually forgot about that. Yeah, that's just fucking stupid.
I remember reading that on meta.d or here or somewhere. Why is that, I wonder?
-
But the O'Reilly book about Python is the one with the rat:
http://akamaicovers.oreilly.com/images/9780596513986/lrg.jpg
-
Yeah, but that's a rat, not a blakeyrat.
-
Note the "POOP" at the top of the cover.
Filed under: Never used Python enough to have a real opinion about it, though
-
What were they thinking, not making it a python?
-
What were they thinking, not making it a python?
They changed it for second edition:
http://www.rmi.net/~lutz/img00001.gif
The one about performance is an angry snake:
http://akamaicovers.oreilly.com/images/0636920028963/cat.gif
It gets longer for sysadmins:
http://img.docstoccdn.com/thumb/orig/81759051.png
and by the time you get to network programming, it's downright obscene:
http://akamaicovers.oreilly.com/images/0636920025016/lrg.jpg
-
Rats get eaten by big snakes ...
-
and by the time you get to network programming, it's downright obscene:
Maybe they are trying to imply that network programming with Python is a clusterfuck?
-
Why aren't you disclosing this information? Trying to play the interesting card?
Because I don't think it's very important and it would probably start an argument. If you know me (and I really don't hide who I am, even if I don't flat out give all the links) then you'll be able to hazard a good guess. Being mysterious occasionally amuses me too…
[spoiler]My contacts who were inside the relevant parts of Netscape and Sun at that critical time in the mid-'90s inform me that it was pretty much a toss-up between Crockford's rebadged Lisp derivative and Tcl. No other languages were even close to in play at that point.[/spoiler]
-
Filed under: TV Tropes should be on the onebox whitelist.
Tested, does not successfully embed. Needs custom code.
-
Guys, VBScript has been hiding in IE for all this time, maybe it's his time to shine! I read at some forum that it's widely used so it must be good :)
[spoiler]My contacts who were inside the relevant parts of Netscape and Sun...[/spoiler]
You mean they were a PITA?
-
Guys, VBScript has been hiding in IE for all this time, maybe it's his time to shine! I read at some forum that it's widely used so it must be good
Wasabi to the rescue!
-
What the balls is wrong with this quote? The text shown if the quote is collapsed [1] does not appear in the quote when it is expanded [2]. Also, if I click on the spoiler text in the collapsed post, it doesn't appear.
[1]
[2]
-
Wow, also, I edited that post (to (1) summon @DiscourseBot instead and (2) say that if I click the spoiler text in the collapsed quote it doesn't show up), and it showed me the edited version, then reverted to the non-edited one even after a hard refresh of the page. But if I click the edit button, it shows me the edited version in the text box.
-
Ruby copied PHP.
<?php
function my($arg1)
{
    return "arg1:{$arg1}";
}

a = 'Python'
b = 'can be'
c = 'persuaded too'
print('{a} {b} {c}'.format(**locals()))
-
Python: one clear way to get the job done, and about a dozen bonus ways thrown in for fun!
-
@sam said:
Some networks (and mobile networks) decide to disable web sockets altogether, like Telstra in Australia
Just to muddy the waters a bit...my result, on Telstra in Australia no less. The only failure was 443 with SSL.
-
Have you looked at https://websocketstest.com? It doesn't seem to be related in any way.
-
WTF? The http version is what you would expect, but https is Russian?
-
Wild guess, the https site is how they test 443 with SSL, also a wild guess...it is not failing because the 443 site has an invalid SSL certificate.
The websockets test page is a WTF in and of itself.
-
Speaking of certificates, anyone know of a way to make secure WebSockets work with self-signed certificates? We'll have to switch to secure soon-ish when we start allowing access to our application from outside the local network and currently the only way I found of doing that is tricking browsers to ask me about it by typing the wss:// URL directly into the addressomniawesomeshitgoeshere bar. I can't really expect users to do that every time, and given our system it doesn't make much sense to buy certificates for every install. We might if there's not a better way, but...
-
Surely to be able to accept a self-signed certificate you need to supply a custom CA or at least the public key of your certificate, which raises the question of how do you securely transfer that information to the browser in the first place?
Filed under: not a security expert
-
Speaking of certificates, anyone know of a way to make secure WebSockets work with self-signed certificates?
Get the browser to accept that particular self-signed certificate and it should work. But frankly it's a deployment bear. Get a real CA to sign it instead; for basic work, you're talking about only a few bucks for something that will save you hundreds of hours of pain trying to get all browsers to shut up and accept the self-signed cert. Indeed, the difference in awfulness compared to how much it costs to get a single host certificate is so high I'd suggest paying for it out of your own pocket if you can't be bothered to get your work to pay.
You could also try the private CA route (the CA's root certificate needs to be a suitable self-signed certificate with the right properties set: I always have to look them up) but that's not worth it unless you're working in a totally paranoid environment. The only time I got involved with that side of things, it was because I was working with some people who were technically German military (a bunch of very nice weather forecasters who really knew their stuff).
The security of the connection once the server identity has been established has got pretty much nothing to do with how fancy a CA you used, and everything to do with not using a broken SSL implementation or a weak cypher suite. Stay patched.
-
Surely to be able to accept a self-signed certificate you need to supply a custom CA or at least the public key of your certificate, which raises the question of how do you securely transfer that information to the browser in the first place?
If it is self-signed, there's no CA. Roots of a tree of trust have to be self-signed; if they're signed by anything else they're not a root. (Nobody trusts an unsigned root at all. That'd be like trusting a whiteboard to always have correct info on it while supplying a full set of markers in a box at the side.)
Trusting a self-signed is technically pretty simple actually: put the public part of the key-pair (i.e., the true self-signed certificate) in the collection of trusted certificates that the browser (or OS, depending on browser/platform) maintains. The problem is that you have to do this manually for each client; if you have an automation mechanism, you've either got a gaping security hole or you've got a better solution than a self-signed certificate in the first place (i.e., you might as well use the certificate securing the management channel, or something else signed by the same authority). Users really hate having to do security management; they totally do not understand it, and you should do your best to avoid having them involved in the loop. Alternatives are things like you going to each client machine with a read-only USB stick and copying the certificate off that before installing it, but that's a lot of leg-work. And you'll have to repeat all of it if you ever need to reissue the server credentials (production certificates should have relatively short lifespans so that if you get a break-in you're only compromised for a limited time).
By contrast, (most?) root CAs keep their private credentials offline in a locked safe. They then delegate the day-to-day operational CA work to a subordinate CA; if that gets compromised, they can rebuild (with much cost and annoyance, to be fair).
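Added example, not part of any post in this thread: the private CA route from the two posts above, showing the root-certificate properties and a short-lived server certificate with the OpenSSL command line. The host name app.customer.example, the subject names and the lifetimes are assumptions.

```shell
#!/bin/sh
# Private root CA plus a short-lived server certificate (constructed values).

make_private_ca() {   # $1 = output directory, $2 = server host name
    dir=$1; host=$2
    cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # Root: self-signed, marked as a CA, may only sign leaf certificates.
    openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -extensions v3_root -subj "/CN=Example Private Root" -days 3650 \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null &&
    # Server key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj "/CN=$host" -keyout "$dir/server.key" \
        -out "$dir/server.csr" 2>/dev/null &&
    # Leaf: 90 days, server authentication only, host in subjectAltName.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -days 90 \
        -extfile "$dir/pki.cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null
}

# True only if the cert chains to the anchor, is a TLS server cert, and names the host.
verify_server() {     # $1 = trust anchor, $2 = certificate, $3 = host
    openssl verify -CAfile "$1" -purpose sslserver \
        -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# True if the certificate expires within the given number of days.
expires_within_days() {   # $1 = certificate, $2 = days
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

d=$(mktemp -d) && make_private_ca "$d" app.customer.example &&
    verify_server "$d/root.crt" "$d/server.crt" app.customer.example &&
    echo "server certificate verifies against the private root"; rm -rf "$d"
```

Only root.crt is distributed to client trust stores; root.key stays offline, and reissuing server.crt does not require touching the clients again.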
-
If it is self-signed, there's no CA.
Right. I have a brain-worm which makes me automatically read "self-signed" as "not signed by a publicly known CA".
@dkf said: if you have an automation mechanism, you've either got a gaping security hole or you've got a better solution than a self-signed certificate in the first place
That's what I was trying (and failing) to say.
-
Get the browser to accept that particular self-signed certificate and it should work.
Nope. HTTPS works, WSS refuses to cooperate, had to accept it separately.
But frankly it's a deployment bear. Get a real CA to sign it instead; for basic work, you're talking about only a few bucks for something that will save you hundreds of hours of pain trying to get all browsers to shut up and accept the self-signed cert.
Yeah, I'm pushing for it, but I can't do it myself unfortunately, so I depend on others to get that part done.
-
Nope. HTTPS works, WSS refuses to cooperate, had to accept it separately.
Must be using its own separate trust store. That's a WTF for normal use unless there's an excellent reason to do otherwise…
-
Speaking of certificates, anyone know of a way to make secure WebSockets work with self-signed certificates?
There is no way cheaper or easier than buying a new certificate. I speak from experience.
I can't really expect users to do that every time, and given our system it doesn't make much sense to buy certificates for every install.
If you're set up using subdomains, buying a single wildcard cert pays for itself in like... 3 subdomains. Maybe 2.
If you set up a new domain for every install, then you're kind of stuck in a world of hurt.
-
There is no way cheaper or easier than buying a new certificate. I speak from experience.
Do you have any recommended vendors?
-
Not really. I haven't needed one in a lot of years.
The last company I worked for where it was my job to obtain them used Network Solutions, because they had a guy who knew a guy who knew a guy and long story short, we got them cheap and with free support.
But I wouldn't recommend them unless you already have an account with them.
-
If you're set up using subdomains, buying a single wildcard cert pays for itself in like... 3 subdomains. Maybe 2.
If you set up a new domain for every install, then you're kind of stuck in a world of hurt.
It's mostly going to be one certificate per customer until we start offering a shared "cloud" (eyugh! kill me now!) solution as well. So yeah, a pain. And knowing the type of customers we currently deal with, I think the easiest way will be just to buy it and swallow the cost, since no matter how much cheaper we are than the competition atm they still split hairs to no end.
-
They're all funding each other, sometimes with trust fund money. We can only hope that eventually the successive failures mean they all run out of money and it finally ends.
Except, there is no real failure when it comes to startups. You just "pivot" into some other profitable industry, while still keeping your company name the same to ensure everyone is thoroughly confused.
-
-
It's mostly going to be one certificate per customer until we start offering a shared "cloud" (eyugh! kill me now!) solution as well. So yeah, a pain. And knowing the type of customers we currently deal with, I think the easiest way will be just to buy it and swallow the cost, since no matter how much cheaper we are than the competition atm they still split hairs to no end.
Well, using a real CA in there will save you so much time and effort that you ought to regard the fee as just something recovered from the savings you make. Self-signed certificates are that big a pain in practice, and running your own CA is not for the faint-hearted. Been there. Done that. NEVERMORE!
-
Thanks @dkf and @blakeyrat for all the advice. I'll bring up the certification issue again this week and fight tooth and nail to get that shit done at last. I was all for it since the start, but I got sick of reminding the ones responsible to get it done, opting for just making shit work with self-signed if possible, but from what you guys are saying it's gonna be even more of a pain that way.
Guess I underestimated all the ways it's a PITA from a technical standpoint.
-
I would say that in practical terms it's impossible.
It's close enough to "impossible" you can call it impossible and you'll be safe.