The Official Status Thread
-
i'm sure it can be done. something about submodules.
Git submodules suck for the same reason thatsvn:externals
suck. Theoretically it's an abstraction that is supposed to paper over the fact that you have different parts stored in different physical repositories, but in practice the abstraction is leakier than the Titanic's hull after hitting the iceberg. You lose atomic commits (maybe? probably?), you lose consistent revision numbers. Half the time you can't even put a URL into the.gitmodules
file (orsvn:externals
property) because some of your users will want a different upstream repo than your other users.Maybe I just haven't found the right workflow (I haven't used them all that much), but that whole approach seems more or less completely broken to me.
-
yes to me it's broken too. (possible != good)
i wonder if there is a right workflow. all of them seem to be broken in one way or another.
-
On a different topic...
Has anyone read an article or something that had an even slightly trustworthy estimate of what percentage of application crashes are due to or indicative of a bug that is actually part of an exploitable security vulnerability?
("Exploitable security vulnerability" is deliberately a bit vague, but think something like a control-flow hijack and/or reading sensitive information (a la Heartbleed). It's reasonable to assume (i) C/C++ and (ii) reasonably mature programs/libraries for purposes of this question.)
-
My understanding is that 100% of buffer overflows are indicative of a exploitable security vulnerability.
-
Send your shoulder aliens back to reading comprehension school; he wants something that a) isn't specific to type of vulnerability and b) is derived from a statistically-signfiicant subset of application crashes (such as the pile of crash dumps Microsoft's analyzed over the years).
Also, there is such a thing as a non-exploitable buffer overrun: off-by-one overruns can combine with stack padding to yield this result, and you can also find cases where the attacker simply does not have enough control over the injected value to perform an exploit.
-
Send your shoulder aliens back to reading comprehension school; he wants something that a) isn't specific to type of vulnerability and b) is derived from a statistically-signfiicant subset of application crashes (such as the pile of crash dumps Microsoft's analyzed over the years).
Someone is feeling spunky today.
-
Right but the only Git client worth shit on Windows is Visual Studio, which for some reason doesn't support stash.
Holy Belgium, I hope they get that in sooner than later.So far I was aware the VS client didn't support SSH connections (which I don't care too much about as long as HTTPS works), but stashing is sorely needed when working with multiple branches in a single git repo.
If Visual Studio supports powertools like
reset --hard
orrebase
you could have a way to work without stash, but then again you need to know git's internals before using them. I really wouldn't hand those willingly to coworkers who are new to git...
-
Has anyone read an article or something that had an even slightly trustworthy estimate of what percentage of application crashes are due to or indicative of a bug that is actually part of an exploitable security vulnerability?
No idea, so I'm going to answer a different question: I estimate that for the vast majority of such bugs, isolating and fixing the bug is less effort than isolating it and proving it's never harmful.
That does assume bugs that actually happen: my experience with code analysis software goes in the other direction where I usually end up double-checking the buffer bounds and setting 'not an issue'.
-
I'm gonna re-download the Github for Windows client and see if it handles conflicts yet. I actually liked it quite a bit.
-
Send your shoulder aliens back to reading comprehension school; he wants something that a) isn't specific to type of vulnerability...
I'll defend @blakeyrat here; if you don't know a full answer to a question but know something that could still be helpful, it's reasonable to put that forth even though it's not a direct answer.Also, there is such a thing as a non-exploitable buffer overrun: off-by-one overruns can combine with stack padding to yield this result, and you can also find cases where the attacker simply does not have enough control over the injected value to perform an exploit.
There are other cases as well; for a simple one, just take a program that overruns a buffer then immediately callsexit(0)
(and assume there are noatexit
handlers waiting around to do something). Or say that-fstack-protector
or/GS
is on, there's no information disclosure bug that lets the attacker read the canary, and the function returns immediately after the overrun... that's almost unexploitable. Depending on the overrun's nature and canary type (I don't know for sure what GCC and CL use though I think this doesn't apply to them), it may be absolutely unexploitable.
-
I'm gonna re-download the Github for Windows client and see if it handles conflicts yet. I actually liked it quite a bit.
I haven't used it but don't get your hopes up. It appears there's lots to get wrong with git's "simple model".So far I use several tools (CLI and third party GUI) because no tool suite covers every corner case I'd want it to.
-
SourceTree seems to do about everything, but its usability is so terrible you're almost better off using the CLI.
-
(Hey @discoursebot, why is the distance between baselines unchanged by <small>?)
Because the Discourse stylesheets specify line-height. That means silly things like changes in font size don't influence the line spacing.
Do you see what I mean? It's totally ridiculous, and if they had any half competent UI people, they wouldn't have any CSS settings for line-height. But we've seen plenty of evidence the discourse was designed by people who only care if it looks flashy.
Edit: huh, looks like they fixed it for
<big>
. Zey are learning!
-
There are two major classes of buffer overrun, and they can be classified according to where the buffer is located: either the stack is smashed or the heap is smashed. A canary can probably detect a stack smash (unless the overrun writes exactly the right value over the canary) but has no effect on a heap smash. Heap smashes can be limited by making the heap non-contiguous (with unreadable pages interspersed) but that's quite wasteful of virtual memory and doesn't protect allocated buffers on the same page.
It's a good idea to not write code that's vulnerable to buffer overruns.
-
Status:
toothree many meetings, not enough programming.
-
Status: swallowed some air! Help!
-
//TODO: make an acronym expander bot....
Make a bot that edits posts to have an abbr tag in them when it detects an acronym.
-
You can clone a local repository and push to it, too. You don't need to clone the remote repository every time.
-
There are two major classes of buffer overrun, and they can be classified according to where the buffer is located: either the stack is smashed or the heap is smashed.
You can certainly smash globals too, though admittedly you don't hear about those as much.Heap smashes can be limited by making the heap non-contiguous (with unreadable pages interspersed) but that's quite wasteful of virtual memory and doesn't protect allocated buffers on the same page.
Heap smashes are actually pretty difficult to exploit nowadays too; long gone are the days of just overflowing into the next block's header and waiting forunlink
to do its thing; consistency checks at unlink time at least try to make sure that hasn't happened. I don't think the protection is quite at the level of stack canaries, but things are quite a bit harder than they used to be. (Sort of like how ASLR and DEP have also made exploiting stack overflows harder but not even close to impossible.)It's a good idea to not write code that's vulnerable to buffer overruns.
Well, of course. But as long as people are writing in C and C++, you might as well say "I want a pet unicorn."
-
Status: If I am talking about a new venture, and you ask to see my business plan, I will immediately think you are an idiot.
That is all.
-
TRWTF is still being on Windows XP.
Right. So this customer has two problems. Besides using our ANAL package, he's also running XP. Very well spotted.
-
-
greek
If I was Greek I would find it normal to swindle other Europeans for this OANAL turd.
-
A part of the domain computers report, OS column:
It's fun!
Actually, I'm now glad I ran this. Which idiot left those Server 2003 entries alive? There's only one running, the rest are, I buttume, the leftovers from some migration or whatever... Every day I find something new in this mess.
-
-
You have my sympathy ...
But then again ... looking at our own install base I found several XPs, a truck load of 2003 (just short of 20%) and lo and behold 2 NT4 boxes and 1 2000 Pro. I'll write those last 3 down as a clerical error though. The customer is scrapped so these boxes should have been marked as inactive.
-
Status: royally pissed.
Rant incoming later when I find some time. Will probably be relatively light on WTF but I need to vent.
-
Status: Finding out why a program takes 17 seconds to save its parameters to a leveldb database.
So I finally got the opportunity to rewrite this part of the program from scratch, and reduced the ”save” operation time from 17 seconds to 0.0028 seconds. And the parameters are stored in an XML file now, so they are
readablea bit more readable than before.Progress!
-
Status: least enjoyable bike commute in a long time
For a few days it's been refusing to pull away because it thinks the side stand is still down, probably gunk in the switch due to riding it through winter. This morning it did it again, so I had to put it on the centre stand and pull the switch out manually.
Except when engaging the stand the bike fell over. Much swearing ensued. It's a heavy bastard and I had to get help putting it upright again.
I finally got going, and within 5 minutes some belgian pulled out in front of me when I was maybe 50m from the junction they were at. Just enough time to swerve around them and pound on the horn to express my dissatisfaction with their observation skills. Much swearing ensued
I then got to the nice fast part of the road into work. Except there was a car in front of me never going above 30MPH, on a road too twisty and narrow to safely overtake. Much swearing ensued.
so, yeah. I'm a bit worked up this morning
-
so, yeah. I'm a bit worked up this morning
Hi, welcome to the club. I'd give you a card but I tore them all because they were the cheapest thing around I could destroy .
-
Just enough time to swerve around them and pound on the horn
You have an electric bycicle with a horn?
Or did you actually mean "motorbike"?
-
put it on the centre stand
's a heavy bastard and I had to get help putting it upright again
above 30MPH
What kind of bicycles are you thinking of?
It may be a UK thing that "bike" can be taken to mean motorbike as well as bicycle. Or a biker thing (by biker I mean motorcyclist, not you pussies who use your own muscles)
-
@Jaloopa said:
above 30MPH
Ah, missed that bit at the start of that line.Reading fail is a barrier to comprehension.
-
I could probably easily reach 30mph on my bicycle when going downhill that one long steep incline near where I live.
I wouldn't try it though. It ends in a sharp turn.
-
If you're using Git, the answer is: "FUCK YOU!"
TDEMSYR. In fact, it's usually simpler to have different branches in different directories with DVCS.
EDIT: Oh, should have known.
-
You have an electric bycicle with a horn?Or did you actually mean "motorbike"?
I thought he was talking about a tuktuk...
-
Status: I just typed *1= into my calculator. Off to get more coffee...
-
Make a bot that edits posts to have an abbr tag in them when it detects an acronym.
tempting but i doubt @PJH would aprove.....
-
tempting but i doubt @PJH would aprove.....
I'd have thought the authors of the posts would be even less approving.
I upgraded P/OS on this PoS POS system...
-
I'd have thought the authors of the posts would be even less approving.
Are you trying to entrap someone here?
-
Hmmm?
-
-
-
I tried to resist...
Well that was my point - that's exactly the sort of thing I'd expect from some sort of automated system.
-
I'd have thought the authors of the posts would be even less approving.
well yes, but at the very least you would have to approve to grant to bot TL4 powers for global edit.
so regardless of the post owners objections (which i'm sure would be there) yours is the one that counts. :-P
filed under, thanks for the edit @aliceif, i do seem to typo that one rather easily., TL4 POWERS FTW!
-
Status: Just ordered the pre-prerelease of Medieval Engineers.
-
Status: Not lurking (Anymore). Also trying to overcome my ADA allergy so I can keep coding
-
It's a good idea to not write code
that's vulnerable to buffer overrunsin C/C++.
FTFYWell, of course. But as long as people are writing in C and C++, you might as well say "I want a pet unicorn."
And the pet unicorn will happen before they switch to a safe alternative like Ada.
This is a thing now? Did you really make a special emoji just for blakeyrat?
-
For a second I thought you were talking about the Americans with Disabilities Act O_______O
Am I actually retarded?
-