Enlightened
-
@boomzilla said in Enlightened:
And then there's a TDWTF soul if ever there was one, complaining about the forum in the zero day topic:
Invite him here. His email address is public.
-
@anonymous234 More names for the list:
Members of the Tizen Association represent major sectors of the mobility industry, from numerous areas of the world. Current members include telecommunications network operators and electronics manufacturers: Fujitsu, Huawei, Intel, KT, NEC Casio, NTT DoCoMo, Orange, Panasonic, Samsung, SK Telecom, Sprint and Vodafone.
-
-
@RaceProUK said in Enlightened:
Bechemel
Is delicious with macaroni, but I don't know what that has to do with
AssmungSamsung.
-
@hungrier said in Enlightened:
@RaceProUK said in Enlightened:
Bechemel
Is that when
womennon-Koreans only talk about Samsung in a movie?Close.
@anonymous234 said in Enlightened:
Is delicious with macaroni, but I don't know what that has to do with
AssmungSamsung.
-
-
Here's an interesting comment from Slashdot on this thread:
Actually, the Daily WTF article is not particularly educational when it comes to EFL. It covers the obvious surface detail of what the developers do dangerously wrong. There are far worse things under the surface.
I had a chat to some of the Enlightenment devs at FOSDEM a few years ago. They were very proud of their new object system and IDL, which they thought would make it easy to bridge higher-level languages with their libraries. Unfortunately, their IDL exposed C types and nothing but C types as arguments. Their example had a char* parameter and a char* return. I asked them a few questions:
How do I know if it's and input or output (or both) parameter?
Is its length another argument (and, if so, in what units) or is it NULL-terminated?
Is there ownership transfer involved (i.e. is the caller still responsible for freeing the argument or does the callee take that responsibility? Is the caller responsible for freeing the return value and if so must they call free() or some other cleanup function)?
Is this an array of bytes or a string (i.e. should I map it to a string or data object in another language), if it's a string, what encoding does it expect and is that a global property or specified explicitly?
Apparently none of these questions had occurred to them and they didn't even understand why you'd want to know the answers to about half of them. The worst thing for me is that not only are these all important for bridging with higher-level languages, you need to know most of this information to be able to correctly use a C API, and they weren't putting it in the documentation and didn't even have consistent conventions (and therefore only need to document the exceptions). That was when I learned to avoid EFL like the plague. It may have improved since then, but I doubt it - good developers only reinvent the wheel after they've looked at existing ones and understood their flaws. The EFL developers are vaguely aware of square wheels and decided to try triangular ones as a replacement.Hell, I myself only know the barebones of C and even I understand why those are perfectly cromulent questions... Geeze.
-
Similar experience, I thought maybe I'd look up at Tizen apps "for fun" and after about a day or so I was certain it was not going to be any sort of fun! Well, unless S&M is your thing... And here is [thedailywtf.com] an educational article about the EFL libraries you get to use when designing native Tizen apps.
It makes me proud to know my story has saved so many lives form the claws of EFL.
-
@Onyx said in Enlightened:
@Rhywden said in Enlightened:
Is anyone surprised?
Yeah.
ONLY 40?
Nobody said they were done looking.
-
I assume everyone knows that this forum got linked on Ars today?
-
@lucas1 IIRC, the OP now has more upvotes than it did a few weeks ago. OTOH, the forum didn't crash under the load, which is weird. Maybe NodeBB scales better than Discourse after all.
-
@asdf The forum did crash. Because I noticed the post and I heard "the dev is an arsehole" and thought they were talking about me :D. The forum didn't load.
-
@lucas1 said in Enlightened:
I assume everyone knows that this forum got linked on Ars today?
It wouldn't be the first time. Plus the many references to this forum scattered all over the ars forums over the years (I'm not even gonna bother linking those). Oh, and don't forget the time they referenced one of @end's blog posts about us, back in the Worse Than Failure days.
-
@Onyx said in Enlightened:
@Rhywden said in Enlightened:
Is anyone surprised?
Yeah.
ONLY 40?
Ain't no body got time to read that crap for more zero days! Tizen garbage can is too smelly even for the most disheveled of hackers to plunge in?
-
-
@NeighborhoodButcher isn't smack synonymous to spank?
-
@wharrgarbl At least in US English, unless otherwise specified, it is generally assumed that a smack is on the cheek, while a spank is (by definition) on the ass.
-
@tufty
New UI styles by Windows version:
Win3.1: WINDOWS!!
Win9x: 3D-BEZELS!!
WinXP: 3D-ROUND!!
Vista/Win7: TRANSPARENCY!!
Win8: FLAT!!
-
@abarker so we expect smack smack to be a more severe error than a spank spank? Make sense, since it's a security thing
-
@wharrgarbl said in Enlightened:
so we expect smack smack to be a more severe error than a spank spank?
Depends on how friendly the spanker and spankee are.
-
10: BETTER FLAT!
10 CU: MORE DEEPLY FROSTED TRANSPARENCY!
-
@wharrgarbl said in Enlightened:
@abarker so we expect smack smack to be a more severe error than a spank spank? Make sense, since it's a security thing
Depends. For me, getting spanked was a severe punishment as a child. My mom would use something like a plastic mixing spoon, and she knew how to swing it. I've never really been smacked, though.
-
@abarker These days spanking your kids would get you into trouble
-
@abarker
My buns become well conditioned enough that I broke my mom's wooden mixing spoon.So then we got a leftover cutdown piece of a 1x2... >_>
-
-
@izzion said in Enlightened:
that I broke my mom's wooden mixing spoon.
My mom did that too. That's when she stopped.
-
Had a chat with a friend who still works at Samsung and he's optimistic about Koreans allowing creating tests for his project. He just needs to battle two arguments: test are a waste of time, and there's no place for tests in business software. You can expect Samsung new 0-day count to start dropping any time now.
-
@NeighborhoodButcher
Are you trying to kill us all by getting us to hold our breaths for Samsung to fix their code? :o
-
Anyone interested in some more 0-days, like:
snprintf(query, MAX_QUERY_LEN, "select exists(select * from package_info where package='%s')", pkg_name);
-
@NeighborhoodButcher where did you find this? :)
-
@Amihai I'll let you guess :)
EDIT: Ah they seem to have fixed this particular line in master, but I bet it's still on production TVs.
-
@NeighborhoodButcher I actually had a slide in my talk saying that in the few places I looked it seems samsung checked for Sqli :-)
-
This post is deleted!
-
@djls45 said in Enlightened:
@tufty
New UI styles by Windows version:
Win3.1: WINDOWS!!
Win9x: 3D-BEZELS!!
WinXP:3D-ROUND!!Fisher Price
Vista/Win7: TRANSPARENCY!!
Win8: FLAT!!FTFY.
-
Ah looks like TV Tizen is still closed-source (which probably violates a few licenses), so I cannot show you some nice code examples. But I'll dig into the mainline to see what's changed (or not).
-
@NeighborhoodButcher yeah, I couldn't get the firmware open for the TVs so most of my work was done on their Tizen smartphones and the open source parts that were available.
But I talked with some of the people from the TV department there. They seem more competent than the mobile people, even security wise
-
@Amihai yeah, they seem to have fixed some of those. Fun fact: in every place I checked they forget to free memory allocated for the query string. Ask the pkgmgr for package info enough times and you'll crash it. Crashing the pkgmgr = pretty much headshoting the system.
-
@NeighborhoodButcher sounds just like the code I saw
https://pbs.twimg.com/media/C8ulfbvVoAAJQVM?format=jpg&name=large
I compiled this list of rules that I'm pretty sure they followed during the development process
-
@Amihai if you manage, try to get the code for a thing called WAS (Widget Application Service, if I remember correctly). That was the worst code I've ever seen in Samsung, and I had already seen much. It should be under some kind of GPL, so they are forced to hand it over.
Other than that you can dig into anything EFL-related. Those things are so absurdly bad, it's unimaginable. Quick example: how to send a C struct between threads? While of course open a socket-based pipe between them and push a pointer to the struct to the other side. That's how you sync things in Tizen.
Also, 3 words which should spike curiosity: YouTube, hack, kernel.
-
@NeighborhoodButcher Youtube on TVs or phones? :)
-
While we're on a topic of synchronization in Tizen, I just remembered the Indian Webkit Optimization Event. Some time ago, a bunch of brilliant Indian programmers were tasked in optimizing page rendering in EWebkit. And optimize they did - every page loaded much faster. Unfortunately, it didn't took much time to notice some minor bugs like half of the page not rendering randomly. By inspecting the optimizations it turns out they were quite genius in their simplicity - if you remove all thread synchronization, everything will work faster.
A few programmers wept that day.
-
Another thing I just remember. There was (is?) a daemon process responsible for launching apps. It has to be run with a very long string as a parameter. People were curious why that was and one they they checked. And it was not a pretty sight. You see, this app forked itself and launched the app it was supposed to launch. But it needed to pass some arguments to the new process. Now the Korean programmers faced a problem - where to put those arguments? Make a string buffer? Nah, that would be too obvious. So why not use the first argument passed from the shell to the daemon itself and use it as the buffer? Now, that's a solution! So a new rule was forged - never run the daemon without at least 200 spaces as the first argument.
EDIT: It's still here :) https://review.tizen.org/git/?p=platform/framework/web/wrt.git;a=blob;f=src/wrt-launchpad-daemon/launchpad_src/launchpad.c;h=4171cf10ae5ba9ec04619e42c356771e81b9e7e0;hb=HEAD#l494
You might also notice how an app is launched. I'm leaving figuring out what's wrong with it as an exercise to the reader (hint: _start, _init...).
-
@NeighborhoodButcher The fucking hell?
Also:
_E("dlsym not founded. bad preloaded app - check fpie pie");
-
-
@NeighborhoodButcher said in Enlightened:
You might also notice how an app is launched.
Why on earth do they go to so much effort to avoid the
execve()
system call?
-
@dkf execva() would work without problems. That's enough not to use it.
-
@dkf said in Enlightened:
@NeighborhoodButcher said in Enlightened:
You might also notice how an app is launched.
Why on earth do they go to so much effort to avoid the
execve()
system call?Because it's insecure
-
@NeighborhoodButcher said in Enlightened:
I'm leaving figuring out what's wrong with it as an exercise to the reader
447 sleep(1);
Yeah, that's enough, no need to look at the rest of the code.
-
@asdf That's the standard synchronization method in Tizen. I got so used to it, I don't even notice it anymore.
-
@NeighborhoodButcher said in Enlightened:
I got so used to it, I don't even notice it anymore.
I guess it's time for you to share the remaining WTFs and update your resume, then. Unless you want to slowly forget how to program properly.