:wtf: How can this be so wrong??? (AKA the Discopocalypse thread)



  • I'm not convinced they will given the state of everything else... Although if they do, it will be interesting to see if I fall off the list of people who have been awarded them in the past few days. I only got a couple of them today...



  • @izzion said:

    Discourse is the forum for the future, when 300ms of CPU time is as common as water.

    If Discourse was coded efficiently, the UI would be so fast that users would be unable to interact with it.


  • I survived the hour long Uno hand

    Well, they've already got the "users unable to interact with it" part down pat, amirite?



  • @mott555 said:

    They're getting too used to insta-banning people who disagree with them. This attitude is going to backfire and it will be glorious!

    Jeff is glorious leader of civility! Jeff attitude can never backfire! Jeff knows all! /*plonk*



  • @loopback0 said:

    Why is "Sign Up" and "Remind..." a link that looks like a button, but "no, thanks" a link that looks like a link?

    You know the fucking answer to that question. Stop being dense.

    @izzion said:

    Give me "Monday" as the date for the ban pool.

    Nope. Looks like you're out $0.

    @Nocha said:

    Looks like they didn't appreciate me posting a "dev" thread asking about their reasoning behind doing avatars in a fucked up way

    ~~They~~ We could totally tell because:

    • "wait a second, no regular user annoys me like this"
    • "I wondered if [Nocha was a TDWTF user] based on his tone but I didn't recognize him and the IP did not match any other suspended account"
    • "also something I object to, they make the most annoying bug reports. I will type a whole bunch of annoying irrelevant stuff, then maybe get to the point by the end, if ever"
    • "They brag to each other about bans, finding problems with software"

    Also you're seriously pissing me off.



  • 🍿


  • BINNED

    I love the reply. "You don't know the codebase, IT R HARD!"

    Really? It is now 21:28 local. I never worked with PHP GD. I just typed php GD tutorial in Google and I'm leaving this reply box open.


    It is now 21:49 local. Didn't even use the tutorial, just went to the docs. Had to use Google once, and that's only because I was apparently blind.

    I also created a new cloud9 workspace in the time allotted so I can link this: https://letteravatars-onyx47.c9.io/

    It will only generate a white T on a black background but really, does anyone doubt how easy it is to change colours?

    This is the entire code:

    <?php
        // 128x128 true-colour canvas; the whole thing is painted black, then one white glyph is drawn.
        $image = imagecreatetruecolor(128, 128);
        $white = imagecolorallocate($image, 255, 255, 255);
        $black = imagecolorallocate($image, 0, 0, 0);

        imagefilledrectangle($image, 0, 0, 128, 128, $black);

        // TrueType font shipped next to the script, and the letter to render.
        $font = './DejaVuSans-Bold.ttf';
        $text = 'T';

        // imagettfbbox() returns the glyph's bounding box; [4] is the upper-right x,
        // [1] the lower-left y. They are used to roughly centre the letter.
        $box = imagettfbbox(64, 0, $font, $text);
        imagettftext($image, 64, 0, (128 - $box[4]) / 2, 128 - ((128 - $box[1]) / 4), $white, $font, $text);

        // Emit the PNG straight to the client and free the canvas.
        header('Content-Type: image/png');

        imagepng($image);
        imagedestroy($image);

    ?>


    Modifications to make it save the image? Remove the header line and add the filename as the second parameter to the imagepng function.

    This is fucking PHP. Personal fucking Hell Pit! 20 lines! With spacing!

    I don't give a toss about your "complicated architecture". This is a standalone fucking file. Just call the fucking thing! No routing Ruby on Ember Rails with a Sidekiq of bullshit and garnished with Redis. IT'S A FUCKING SCRIPT, WE'VE BEEN DOING THIS SINCE THE DAYS OF CGI!



  • @riking said:

    "also something I object to, they make the most annoying bug reports. I will type a whole bunch of annoying irrelevant stuff, then maybe get to the point by the end, if ever"

    My original reason for going over there was to post a legitimate bug report (that was accepted) around inconsistent handling of quotes when generating replies. The avatar handling shocked me, as they seemed to be completely ignoring any suggestion that there might be a better way of doing things. I did look through their discussions that I could find where they discussed the options, at no point was generation at sign up time even considered, but creating a custom font was discussed, and fonts made :wtf:

    And the dev post was only in response to eviltrout stating that he would be happy to discuss design decisions in that area, rather than derailing a post about security.


  • ♿ (Parody)

    @Onyx said:

    does anyone doubt how easy it is to change colours?

    Don't you have to make sure the two colors come out with fairly low contrast? I mean, not too easy nor too hard to read for most people. Just...questionable, you know?



  • @Onyx said:

    @hungrier said:
    Can we think of any worse ways it could be done?

    • generate letter avatars as a pixel-by-pixel HTML table
    • serve letter avatars as Java applets

    • each pixel is an embedded Flash object

    Chrome on Android would like to have a word with you.



  • @Onyx said:

    I'm not sure doing stuff on registration using GDI would be that bad.

    Unless they never save the letter avatars and requests are just routed to a gener... no, nobody is that stupid!

    Right? Right?

    Discourse.

    @loopback0 said:

    Why is "Sign Up" and "Remind..." a link that looks like a button, but "no, thanks" a link that looks like a link?

    Discourse.

    @ChaosTheEternal said:

    Maybe I'm remembering wrong, but wasn't that why they changed their Gravatar support, because it could effectively do the same thing that their current Avatar CDN can do?

    Yes, but Discourse.

    @izzion said:

    ETA: Also, I love how one post is trolling topics (because I CBA to figure out how to bold just the s)

    Discourse. (BTW, how does an Estimated Time of Arrival fit in this case?)

    @Nocha said:

    There is no way they can have come up with something that horrific without actually trying to make it bad could they...? please tell me they didn't think this was good...

    DISCOURSE.


    Come on, guys. Don't you know this answer by now?


  • I survived the hour long Uno hand

    @abarker said:

    BTW, how does an Estimated Time of Arrival fit in this case?

    Discourse



  • @izzion said:

    pendant

    If you see it, flag it. ;)


  • I survived the hour long Uno hand

    After I got [0, 3) flags for my valiant effort earlier today, I don't feel charitable enough to flag yours :P


  • Trolleybus Mechanic

    And that takes 19ms to run on my poxy 1-vCPU VM. From the command line. Including starting PHP up, without a bytecode cache, compiling it, executing it, outputting it, and exiting.



  • Damnit we live in a ~~Mad Max future~~ DOS 4.0 past where 640kB is all anyone will need! 300ms of CPU time is foreeeeeeever!


  • BINNED

    300ms, for every user on every Discourse instance without a custom avatar, every time someone requests it.

    And even if my shitty PHP ran for a minute it would be a win overall because you're only supposed to run it once



  • 🚎

    @MathNerdCNU said:

    I wonder if there was some way to....I dunno...pre-generate avatars and then randomly select one that matches username's first letter at registration time.

    🚎


  • BINNED

    Fuck you, it's late 😛



  • @mott555 said:

    I can't wait until they start misidentifying users and banning non-TDWTFers

    I think we need a way to hack meta.d and auto-identify those banned people and bring them into our stable. They need some loving from people who understand what they're going through.


  • BINNED

    What is this, Discourse Users Anonymous?



  • Semi-anonymous?



  • Disco-nonamous?



  • @riking said:

    You know the fucking answer to that question. Stop being dense.

    Yeah, it's called "the asshole UI design". Like the toolbars that have to have an opt-out option, so they go out of the way to hide it from the user.

    @riking said:

    Nope. Looks like you're out $0.

    And you're so fucking proud of this, aren't you?

    @riking said:

    We could totally tell because:

    "wait a second, no regular user annoys me like this"

    Oh, right. On meta.d, the root of all evil is TDWTF. Every bad thing said about our software, every impolite remark is TDWTF. We were always at war with TDWTF.

    @riking said:

    "also something I object to, they make the most annoying bug reports. I will type a whole bunch of annoying irrelevant stuff, then maybe get to the point by the end, if ever"

    Which doesn't change the fact that you people got more out of this community than you ever deserved. It was all fine in beta, when you had some realization your software was buggy - but then 1.0 rolled, then a few "stable" versions that ended up still having showstopping bugs (how many ways to XSS your shit have we found in your purportedly stable software?), and you kept lapsing into fucking denial.

    @riking said:

    "They brag to each other about bans, finding problems with software"

    You'd prefer we kept that to ourselves and be content with running a buggy piece of shit? Of course you would, that's the Discourse way. Just smile and wave.

    We only brag and laugh about bans because your brand of crazy has desensitized us so much that we can't even get fucking pissed about it. You know they're unwarranted, you know if you did that to any other community you'd be fucking Reddit front page stars, you know that you're in fucking denial and no amount of people from here getting banned can fix issues with your software. If anything, you should be fucking thankful that it's us who find those problems and not one of your bigger clients. What would you rather have - a bunch of folks making things spin on your forum, or Cisco pulling their contract because they got hit by the same vulnerability, except this time it was used to steal cookies and run drive-by downloads?

    But no. You'd rather cover your eyes and hope the sky doesn't fall down just today. You'd rather engage in childish antics, self-banning from this forum and just purging every single TDWTFer from yours as if it was some kind of catharsis, as if we were the cause of all your problems.

    @riking said:

    Also you're seriously pissing me off.

    And you're pissing me off - both you personally and you as in Discourse team. So since you're on our turf now, I'll tell you one thing, and you can pass it to the rest of the team:

    ## Go. Fuck. Yourselves.


  • Considered Harmful

    Needs more enterprisey. Each avatar render is assigned a generation strategy which may output arbitrary html, which may provide any implementation whatsoever, with flash, applet, image, canvas, webgl, text available at release, and an interoperable API between them.



  • @Maciejasjmj said:

    1.0 rolled, then a few "stable" versions that ended up still having showstopping bugs (how many ways to XSS your shit have we found in your purportedly stable software?), and you kept lapsing into fucking denial.

    And don't forget the email leak! That should never have made it to beta let alone anything even considered release ready. It didn't even require any injections or special tools. Just browser dev tools and patience.



  • Is it a "leak" if you treat it as a feature? I'm sure @riking could add into the cluster-fuck that is disco-derp-ditude but that might mean...Jeff is a not-good devving-person.



  • That was post 1.0? Jesus, I don't even...



  • Talk about feature creep—I heard a vicious rumour that the next version of Discourse will probably contain a fully-fledged webserver...



  • @Maciejasjmj said:

    That was post 1.0? Jesus, I don't even...

    It was close. Discourse 1.0 was announced on 24 August 2014. Badges for the email leak were awarded on 30 August 2014.


  • BINNED

    What was the repro for that anyway? I think it was Matches seeing mine first but we couldn't figure it out, and then you found it during one of my hiatuses so I missed the resolution...



  • I think I worked with @tufty or @matches on that. Anyway, you went to someone's profile page, preferably their notifications, and sniffed the traffic for a new notification to stream in. When you inspected the contents of the data packet, their email address (or was it the email address of the person doing the action?) was right there in plain text.


  • BINNED

    Ah, that explains it. I think the original was me liking a post and, IIRC, Matches seeing my email. We thought it had something to do with having two tabs open IIRC. Guess that the factor we missed was that one of those tabs was a profile page, most likely.


    Filed under: Also, I think my sentence structure indicates I should go sleep now



  • Eek.

    And it seems like such an easy thing to test against - inspect every response in your test builds for the sensitive data before sending it to the client, and if you find, say, an email address of one of your test accounts in the response, ring the fucking bells.

    I've never seen such a system IRL though, so I don't know how WTFy it would be.
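
The check proposed in the post above (inspect every response in a test build for a test account's email address before it reaches the client, which is exactly how the notification leak described earlier in the thread would have been caught), written out as an added example. This is not Discourse's code: it assumes a Rack-style `call(env)` interface, and the paths, payloads and addresses are constructed for the example.

```ruby
require 'json'
# Test-build middleware: scan every outgoing response for sensitive values
# (known test-account emails plus anything shaped like an email address)
# and fail loudly instead of letting it reach the client.
class SensitiveDataGuard
  class LeakDetected < StandardError; end
  EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i

  # app:       any Rack-style object whose call(env) returns [status, headers, body]
  # sensitive: exact strings that must never appear (e.g. test-account emails)
  # allow:     paths where the caller's own address is legitimately returned
  def initialize(app, sensitive:, allow: [])
    @app, @sensitive, @allow = app, sensitive, allow
  end

  def call(env)
    status, headers, body = @app.call(env)
    path = env['PATH_INFO'].to_s
    text = read_body(body)
    hits = @allow.include?(path) ? [] : find_leaks(text)
    raise LeakDetected, "#{path} leaked: #{hits.join(', ')}" unless hits.empty?
    [status, headers, [text]]
  end

  def find_leaks(text)
    # exact matches first, then any email-looking token; the union drops duplicates
    @sensitive.select { |s| text.include?(s) } | text.scan(EMAIL_RE)
  end

  private

  def read_body(body)
    chunks = []
    body.each { |c| chunks << c }
    body.close if body.respond_to?(:close)
    chunks.join
  end
end

# Constructed sample payloads (hypothetical addresses): a notification that
# carries the acting user's email, as described in the thread, and a clean one.
LEAKY_NOTIFICATION = { 'notification_type' => 'liked',
                       'data' => { 'display_username' => 'matches', 'email' => 'matches@example.test' } }
CLEAN_NOTIFICATION = { 'notification_type' => 'liked', 'data' => { 'display_username' => 'matches' } }

# Minimal fake app that returns the payload as JSON, standing in for the real one.
def fake_app(payload)
  ->(_env) { [200, { 'Content-Type' => 'application/json' }, [JSON.generate(payload)]] }
end

# Runs one request through the guard; returns :ok or the leak message.
def check(payload, path: '/notifications', allow: [])
  guard = SensitiveDataGuard.new(fake_app(payload), sensitive: ['matches@example.test'], allow: allow)
  guard.call('PATH_INFO' => path)
  :ok
rescue SensitiveDataGuard::LeakDetected => e
  e.message
end
```

The allow list exists because an account's own settings page legitimately returns its own address; everything else that echoes an email in a test run is treated as a leak.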



  • I got it by watching my own profile and liking posts, and then when @tufty was testing with me, I was watching my profile while he did actions.

    I was the one who found out you could request people's info instead of making a post and hope people bit and gave you that info.



  • @blakeyrat said:

    Also I just read the thread, how the fuck inefficient is their code that it takes 300 ms to generate a letter on a solid-color background?
    WHY HELLO THERE CODE COMMENT!
    Oh and the reason it's slow is that it shells out to ImageMagick after creating and taking a synclock. Twice, after MD5ing the username twice. The second time is apparently the killer.

    @nocha said:

    [image]

    To answer the question, users will continue to get a usable forum, as all requests for letters are done client-side, but there is no fallback, so they'll just get broken images instead of letters.



  • I wasn't part of the email leak, I found other site breaking things.



  • @TwelveBaud said:

    To answer the question, users will continue to get a usable forum, as all requests for letters are done client-side, but there is no fallback, so they'll just get broken images instead of letters.

    So if the shitty 3rd party goes down, users get a worse experience. I wonder how much load their avatar generation can handle before it starts to crumple. I'm still baffled by their logic but fuck it. They are fucking themselves over in the long run. Morons.


  • Trolleybus Mechanic

    @izzion said:

    The next time one of the "long name hijacking" bugs regress

    Wait, I missed that bug. Sounds fun. What was it?

    @hungrier said:

    generate letter avatars as a pixel-by-pixel HTML table

    STORY TIME
    Last place I worked at, the boss wanted UI that would show a progress bar to indicate how far along one was in a multi-step form.

    Easy enough. I'll just use css and two divs...

    NOPE CSS IS BROKEN AND DIVS DONT WORK USE TABLES

    Okay-- tables. So I'll make a table with one TR and two TDs, and set width and background color according to percentage done.

    NOPE! The right way of doing it is to create a TR with 100 TDs of 1px each and loop through them and paint them accordingly

    So I points out-- hey, how do you propose we fulfill the client's requirement of having this progress bar do decimal-point precision.

    pause a beat EACH TD WILL HAVE A TABLE with one TR and 10 TDs and...

    I say nothing when he realized the client wanted it to 2 decimal places. Was waiting for each of those TDs to contain a Table... for a grand total of 10s of thousands of HTML elements (nested, of course), plus style="background-color:xxx" and width="1px" on each. That would mean, what, a good extra 100kb per page?

    So he says "Are you SURE the one table with two TDs with width will work?"

    My point being: DISCOURSE!

    (sidenote: remind me one day to tell you about the HTML calendar he wanted that would track by half-hours...)

    sidenote2****strong text

    BUG REPORT: Start a reply. Use the down chevron to hide the reply as draft. Keep reading. Highlight some words, and click on the "QUOTE" popup. Nothing happens.

    Should I file a bug with meta.derp?


    Filed under: How's the new forums coming?


  • I survived the hour long Uno hand

    @Lorne_Kates said:

    Wait, I missed that bug. Sounds fun. What was it?

    Uh, to the best of my recollection, @darkmatter among other people found a way to XSS their way into setting other people's long names for them. I can't really tell the story well, and disco-search + the wee hours of the morning mean I CBA to look it up...



  • @izzion said:

    XSS their way into setting other people's long names for them.

    That was just generic JS that could be used in combination with any XSS vector ...


  • Discourse touched me in a no-no place

    @loopback0 said:

    Why is "Sign Up" and "Remind..." a link that looks like a button, but "no, thanks" a link that looks like a link?

    So you'll be less likely to click "no thanks", duh.

    preemptive possible :hanzo:


  • Discourse touched me in a no-no place

    @blakeyrat said:

    Now I'll join the rest of you in banville.

    Snerk: "Trolling topics rather than adding constructive criticism."



  • Grabbed the colours from discourse's code, ran it for each of them in a super-old PHP VM I had lying around:
    http://i.imgur.com/bANY1Je.png
    I honestly don't know why they just don't bundle the damn things with each discourse install. It's smaller than the emoji folder.
    It'd probably be even smaller if they took some effort to removing the ones which look almost identical:
    A 168 142 79
    A 168 142 87


  • Discourse touched me in a no-no place

    😆

    Simple solution and Discourse don't go together.

    If Jeff had another brain cell it'd be lonely.



  • Alright, which of you guys are these two? And what are the chances of them being banned by Monday...


  • I survived the hour long Uno hand

    I'd say their ban chances are fairly low unless they come out. They're a little too civil for pocket TDWTF members (and I mean that in the nicest possible way :P)



  • I would agree, except that @faoileag and I also got banned from Meta.d, and @faoileag hasn't even been around in a year!



  • And holy jellypotato, I clicked on @faoileag's name in the above post to make sure it was right because Discourse's user auto-complete wouldn't pop up for me, and it shot me 20 posts upward and most of the user card was off-screen...


  • Winner of the 2016 Presidential Election

    That bug is known (in slight variations) at least by @riking. It was a secret bug report!

    Filed Under: gotta make those reports secret!

