@boomzilla said in Programming Memes Thread:
He shouldn't have abandoned the “we might just rewrite it straight up in Rust” line of thought. He was onto something there
@boomzilla said in Programming Memes Thread:
He shouldn't have abandoned the “we might just rewrite it straight up in Rust” line of thought. He was onto something there
@Zecc said in Programming Memes Thread:
I like how I can't tell if many of the names he uses are real or not.
I recognized (from hearing) a lot of them, so most probably actually exist. Possibly without the two accompanied by the newspaper clippings, those seemed silly enough to be plausible Noe.
@Tsaukpaetra said in Linux on the Desktop? A long way off... :
@Thief said in Linux on the Desktop? A long way off... :
Microsoft have also recently released / said they'll release the specs for all the binary MS Office file formats, so openoffice.org should support them properly soon enough.
Would that it went anywhere...
It sort of did. They even standardized the newer formats as ISO standards (while the Star/Open/LibreOffice ones are only ECMA standards) … in a typical Microsoft way with slight differences from what Microsoft Office actually implements.
@Zerosquare That's not a physical impossibility. It is, of course, dumb, and was clearly shot with the soldering iron cold, but it was physically arranged and photographed. The AI one, on the other hand, features a levitating can which couldn't be arranged that way for a photo.
@Luhmann No, it doesn't. Stock photos don't contain unphysical elements.
@Tsaukpaetra Yes, it was basically a pen plotter, and was that kind of construction. Just instead of a pen it had a stylus and the debug library was driving it to tap on the system dialogs that couldn't be tapped through the debug bridge.
@pcooper said in Is there a guide to certificate algorithms?:
If you're looking for something a little more authoritative than what I as a random person on the Internet says, then I'd suggest looking at Mozilla's configuration recommendations:
Thanks, that's what I was looking for.
If you're a bit more paranoid, it's worth noting that the NSA's guidance as of a few years ago was to use P-384 or 3072-bit RSA for securing government systems, as they didn't seem to think P-256 or 2048-bit RSA was good enough, though I haven't seen any compelling reasons as to why.
Yeah, the Mozilla page says there ain't much of a difference and P-256 should be enough.
It's also worth knowing that ECDSA uses curves that have parameters hand-picked by NIST, and so doesn't qualify as a "Safe Curve". I figure if the US government recommends the military use it for important things then it can't be too bad, but just throwing that out there.
Perhaps they are confident they are the only ones who know the weakness .
That's the main argument I'm aware of for using Ed25519 instead, but it isn't generally supported by CAs/browsers/etc. for "normal" TLS yet (which I'm guessing isn't due to a vast conspiracy, but one never knows…).
My guess is that some of the implementors didn't want to bother with the separate imlementations that curve uses.
@BernieTheBernie said in From Pure Windows 7 to Linux Dual Boot:
@BernieTheBernie said in From Pure Windows 7 to Linux Dual Boot:
Oddly, RDP (xrdp on kde standard) feels a little sluggish. Much slower than the Windows 11 machine.
"A little sluggish". Uhm, actually terrible.
Why tf is it so sluggish?
When I move a window around on the screen, the Windows 11 machine shortly bursts data sending to about 1 Mbps. For a moment only.
But the Debian 12 machine... sends 6 Mbps for several seconds.
Why? But why?
My guess is because compositing is turned on.
Windows, with both window manager and the RDP included in the system install, is smart enough to turn off compositing when using remote desktop and/or sharing the desktop, but in Linux, rdp is a niche use-case—most people either use terminal only, X forwarding over ssh, or xpra—and the window manager (I'm guessing kwin-x11 in your case) is a separate package, so it is not smart enough to turn it off.
Well, it should turn it off in a VM because it does not have anything to support hardware acceleration in the first place, but it probably isn't smart enough for that either, because the authors never tested it on a box without at least somewhat modern graphics card.
@Tsaukpaetra said in From Pure Windows 7 to Linux Dual Boot:
Weird, I don't remember that, I might have to spin up a machine to see what happens on mine...
If you use an older or simpler window manager that doesn't do compositing, or doesn't do it by default, then you wouldn't have the problem.
Apropos xpra, I used it locally for apps in containers, which is obviously fine, but the one time I tried it for actual remote access to Azure VM, it was pretty slow too. But that setup had something like two nested SSH tunnels over two nested VPNs, so the problem was almost certainly that the connection was just overall horribly slow. Since it was forwarding just the specific application, compositing didn't come into play, but lack of hardware acceleration still might have been too, the app might have been trying to use it too—in X11, most of the OpenGL APIs will be there even if there is no acceleration, it'll just be very slow.
@LaoC said in Hacking News:
I see no reason to switch. Supposedly the algorithm is faster (which doesn't matter at all in SSH), but DJB & Tanja Lange say it's crap and quite a few things coming out of NIST turned out to be smelly so I would prefer not to.
The https://safecurves.cr.yp.to/ (by DJB & Lange) lists the NIST P-256 and P-384 as manipulatable, because they include an unexplained pseudo-random constant, but it does not list the P-521. It does list “E-521”, which someone said is the same curve here, but https://neuromancer.sk/ doesn't seem to agree (P-521, E-521).
@Zecc said in In other news today...:
Just when I thought I couldn't hate advertisers more than I do.
Advertising is both the driving force of modern society and its future downfall.
Without advertising, people wouldn't be buying a lot of the shit they do, because it wouldn't even cross their minds they could want something like that, which would mean economy wouldn't grow as fast and the progress would be slower, though we'd probably have more time on our hands. But with advertising getting ever more aggressive as it is wont to get, we'll sooner or later drown in useless junk and visual and audible smog.
… it crossed my mind to check what CFSSL supports[1]¹, and it looks like they offer:
rsa
) size ∈ 〈2048, 8192〉 bitsecdsa
) size ∈ {256, 384, 521} (the P-256, P-384 and P-521 curves)ed25519
) (size ignored, it's just one curve)so that's probably the set that's actually usable. If Microsoft support EC at all, that is.
And their default is actually ecdsa
size 256.
¹ Use the source, Luke. I didn't even bother trying the documentation, I already know it sucks.
@dkf It is completely irrelevant that it can also be using a non-ssh transport, the point is it is using a different implementation of ssh transport than the one affected by the security advisory.
@Carnage said in The Official Funny Stuff Thread™:
English is NOT THIS crazy.
The pronunciation changes over time a lot faster than the spelling, which is held fixed by by long history of written texts, especially literature. But the pronunciation doesn't change randomly, there are patterns to it, and therefore the correspondence from letters to sounds does follow those patterns. Not very regularly, and there are several ways some phonemes could evolve, but it still isn't just random.
@DogsB And that's supposed to be news to whom, exactly? I thought everybody (who cared at least somewhat anyway) already knows that.
Everybody I know has always been generating X.509 (TLS) certificates using algorithm¹ RSA
, because it's traditional and because it only takes one parameter, the size.
But recently I've seen some proposal that stipulated algorithm¹ EC
with curve secp384r1
² for a project CA, also stating other algorithm like Ed25519
might be considered for the subordinate keys, and we just discussed vulnerability concerning P-521, which openssl would know as EC
secp521r1
, in putty.
The matter is further complicated by the fact that
keyUsage
.Does anybody know of a guide on what to use for which purpose, usable by average developer or devops engineer? My google/duck/etc.-fu is failing me.
¹ As in openssl genpkey -algorithm
option.
² The -pkeyopt ec_paramgen_curve:
option.
@Arantor said in Hacking News:
@Bulb Git on Windows is a generally unmitigated shitshow.
Which has exactly nothing to do with the issue at hand, because the standard install of git uses openssh, not putty, for transport, and does not even offer an option to sign anything with ssh (only with gpg).
@HardwareGeek linked an article in Hacking News that said:
There are instances where this vulnerability can be exploited without the need to compromise a server in advance.
One such case is the use of SSH keys for signing Git commits. A common setup involves using Pageant, the ssh-agent of PuTTY, locally and forwarding the agent to a development host.
Here, you configure Git to use OpenSSH to sign Git commits with the SSH key provided by Pageant. The signature is then generated by Pageant, making it susceptible to private key recovery.
Who in their right mind does that‽
Git commits should be signed by keys that are part of some public key infrastructure, but SSH doesn't have any method of signing certificates or even certificates at all. And while it uses the same algorithms as PGP/GPG or X.509, there is no sane reason to actually use the same key with it.
On the other hand
Collecting signatures from an SSH server is not as critical as it would mean the server itself is already compromised, and thus, the threat actor has broad access to the operating system.
Yes, it is, because the normal use-case is that the user has one key and uses it to access all systems they administer, so if one server is compromised, stealing the keys allows getting to those other systems.
Either way, the attack affects
NIST P-521 curve
Has anybody already started using that? I've been using the smaller ed25519 curve for over a decade, but still have to have an RSA key for quite a few systems that don't support it.
Also it is funny that the exploit affects the longer key while the shorter ones remain safe.
@topspin I've contemplated trying out the Linux version, but some @#$%^(#% came up with a bunch of wrong arguments why /usr/local
(they use on x86 Mac) and /opt/homebrew
(they use on aarch64 Mac) are not appropriate for Linux—when in fact they are—and chose to use prefix /home/linuxbrew
. Sorry, no, that location is totally inappropriate. Not installing this .
autoconf
For the horrible kludge autoconf is, it was pretty much designed to avoid this exact problem. During development it uses perl and m4 and whatnot, but it generates shell scripts compatible with even pretty ancient versions of shell so the application can be installed without a bunch of other development dependencies.
Also, I thought homebrew switched almost completely to precompiled bundles so it shouldn't need heaps of tools like this.
@topspin said in I, ChatGPT:
just having someone else speak the text again worked well enough for ages
…and text-to-speech has existed, and been good enough for the purpose, for quite a while, too.
@Atazhaia Not really. The background is a random short video clip. Not as random as it would change on every load. It changes every day or twice a day or something like that and seems to be the same for everybody or maybe everybody in a region, and there's also annotation what the background is, so someone is clearly picking them by hand. Often it is a couple of seconds long loop of drone footage, so it jumps back at the end, and is in general quite distracting. Fortunately you can tell it you don't want it to move by default.
@Atazhaia Glad to hear there are still people who don't fix what ain't broken out there.
@Zecc I did a couple of times. It ain't hard.
@Zecc I've usually seen it included in the accessories for a sewing machine. So you can fix your mistakes.
@topspin Microsoft is fond of random pretty pictures as a background. When it's still picture, it's OK. They also sometimes use random pretty videos and that can … be somewhat nauseating and distracting if you get a loop of drone video that kinda zooms in and jumps back every couple of seconds on the background, plus it slows down the browser a bit or two.
@Benjamin-Hall said in WTF Bites:
On linux, the default DNS resolution in NodeJS is to do the lookup each and every time a connection attempt is made. Which makes some sense--that's why load balancers exist. But for UDP and sockets, this makes for bad things--it will always get a different IP for each part of the connection.
I doubt the system isn't caching it. Instead what it is doing is that it rotates the IP addresses on its side too. Because the name server doesn't send one of them randomly, it sends all of them in random order.
@Benjamin-Hall said in WTF Bites:
And no, there's no toggle. You have to manually do the lookup and force the connection to use the same IP (basically override the DNS name and do the connection to a specific IP, resolved once manually before you start the socket.
That's how you are supposed to do it. And how the low level (system call) interface always works. A socket is bound to an address, not a name, connected to an address, not a name, and if you use sendto/recvfrom instead of connecting, they take address, not a name. Resolving the name is a separate step. Doing it more than once makes no sense.
@Benjamin-Hall said in WTF Bites:
I'll admit, the whole library we're using for this is a totally janky mess we inherited from our "R&D" partner.
It's probably composing the operations the wrong way then.
@DogsB I didn't see that list yet, but I did see a list of search engines offered on phone initialization. Besides the usual suspects (ddg is a usual suspect by now) it had two potentially interesting entries,
and something like three “ecological” search engines that I didn't care to remember—or bookmark.
@LaoC said in I, ChatGPT:
Butt why?
The questions, the questions, they keep coming, they are coming, coming …
is the purpose of that site in the first place in the first place. It's a single template with a random “name” and a bunch of random links. It does not contain anything that would pop up in searches or anything. Is it some kind of test? A honeypot for broken bots?
does the robots.txt
say:
# silly bing
#User-agent: Amazonbot
#Disallow: /
# buzz off
#User-agent: GPTBot
#Disallow: /
# Don't Allow everyone
User-agent: *
Disallow: /archive
# slow down, dudes
#Crawl-delay: 60
Note that most of it is commented out, and the one thing that isn't, /archive
, does not even exist and does not appear to be linked anywhere.
@Arantor said in Fun with maps:
I don't see no weapon in Bolivia's … … apparently Bolivia has a civil flag, that is just red, yellow and green stripe, and a state flag, which additionally has the coat of arms on it. TIL.
@BernieTheBernie Have you ever seen the Debian Policy Manual? Nobody with attention deficit can ever manage to learn that thing, and I believe passing an exam on that is still a requirement for getting upload permissions to Debian repositories.
@Applied-Mediocrity said in In other news today...:
@Bulb Not arbitrar[il]y.
Arbitrarily. If the argument is a text, it might legitimately contain "
s, &
s and %
s. You shouldn't be disallowing them because cmd.exe is shit¹
The library takes a list of arguments, and promises to pass each as a separate argument. If it does not work, it is a bug in the library. The user is allowed to assume it will actually do that, and if it does not, it is a vulnerability in the library.
¹ Well, maybe you actually should, because cmd.exe being shit means it's almost impossible to correctly work with such argument inside the batch file too, so the script probably isn't going to work correctly anyway. The library should still pass the argument as a single argument as it declares.
@topspin said in In other news today...:
Probably due to a fundamental misunderstanding of what Rust claims to solve.
Not really. More because the Rust maintainers and community are generally more sensitive to reliability and security issues.
@Arantor said in In other news today...:
note that as per TFA, Go, Erlang, Ruby, Python, PHP and Node.js all have this issue …
So I clicked through to the technical description, and holy fuck quoting argument so that cmd.exe doesn't do any additional expansions is INSANE:
Since spaces can’t be escaped properly outside of the double-quoted string, you have to use double quotes to wrap the command arguments.
However, inside the double-quoted string,%
can’t be escaped properly.To solve this situation, the following tricky escaping is required:
- Disable the automatic escaping that uses the backslash (
\
) provided by the runtime.- Apply the following steps to each argument:
- Replace percent sign (
%
) with%%cd:~,%
.- Replace the backslash (
\
) in front of the double quote ("
) with two backslashes (\\
).- Replace the double quote (
"
) with two double quotes (""
).- Remove newline characters (
\n
).- Enclose the argument with double quotes (
"
).By replacing
%
with%%cd:~,%
,%cd:~,%
will be expanded to an empty string, and the command prompt fails to expand the actual variable, so the % will be treated as a normal character.Please note that if delayed expansion is enabled via the registry value
DelayedExpansion
, it must be disabled by explicitly callingcmd.exe
with the/V:OFF
option.
Also, note that the escaping for%
requires the command extension to be enabled. If it’s disabled via the registry valueEnableExtensions
, it must be enabled with the/E:ON
option.
… the insane %%cd:~,%
sequence is because apparently ^%
ends up taken as ^%
rather than %
as expected from ^
being the escape character.
@Applied-Mediocrity So you want the application to arbitrary restrict input that would be perfectly valid if it was correctly quoted as the function promises to do‽
@Applied-Mediocrity Yes, it does, because of the impedance mismatch between platforms.
When launching a Windows-specific application, the launcher's developer has to understand the peculiarities of how the launchee interprets its command-line, but when a portable application launches another portable application, the standard library must ensure that the way it passes the arguments on Windows matches the way the standard library on Windows will parse them in the launchee. Because author of a portable application must not be expected to know the quirks of all the platforms.
And before you say bat and cmd are Windows-specific, there is a lot of tools that are portable, but have a platform-dependent wrapper script to launch them that another portable application might be expected to launch without needing to know the details of the platform.
@Applied-Mediocrity said in In other news today...:
@Arantor I'm going to make a
myrust_real_escape_string()
joke, of course, but... how is that a problem of Rust? Or even Windows, for that matter? The latter design is wonky, yes, as OSS fanbois like to remind everyone as if splitting arguments was some Nobel Peace Prize shit. But whose job is it really not to allow arbitrary user input there, anyway?
The application should have its own constraints for the user input, but it has to rely on the Rust standard library to pass the arguments to the launched process in a way they will be understood as intended. If it didn't do that, it is the standard library's fault. Which exists only because the Windows API is poorly designed, but the Rust standard library authors knew that.
Unicode QID Emoji Tag Sequences: method of defining arbitrary Emoji without any sort of Unicode consortium approval process by referencing arbitrary Wikidata QID.
Mozilla clearly thinks it's a bad idea¹.
¹ I found out about it while looking up why Firefox doesn't implement some other thing and landing on that page.
@sockpuppet7 said in responsivenes with vh and vw:
is there any reason why it's not the normal way of doing this?
Typography rules that have been experimentally established over last couple hundred years.
@TwelveBaud said in responsivenes with vh and vw:
For something like Wibble, consider adding a second column of text once over a certain width. That keeps each line narrow enough to read easily. There may be some pain if an article is over a screen in height (since viewers would have to scroll to the bottom to finish the first column and then scroll back to the top to read the second) but I don't think Wibble articles are long enough that that'd be an issue.
In that case it would be better if the columns were limited to screen height and the page switched to scrolling horizontally by adding more columns. Like the reading view in Word.
I didn't think CSS supports flowing over multiple columns, but it seems CSS3 does (https://caniuse.com/multicolumn), you'd just need to adjust the number of columns suitably with some media rules and perhaps a bit of javascript to measure the content length.
@Benjamin-Hall said in WTF Bites:
@Bulb For reference, here's what I have to do to script the installation of mysql on debian bullseye (running as root):
So I guess it wouldn't work with the mariadb fork?
apt-get install -y debconf-utils DEFAULTPASS="<some stuff here>" # this sets configuration so the package installer doesn't prompt us (despite being non-interactive...) sudo debconf-set-selections <<EOF mysql-apt-config mysql-apt-config/select-server select mysql-8.0 mysql-community-server mysql-community-server/root-pass password $DEFAULTPASS mysql-community-server mysql-community-server/re-root-pass password $DEFAULTPASS EOF #get the mysql repository via wget wget --user-agent="Mozilla" -O /tmp/mysql-apt-config_0.8.29-1_all.deb https://dev.mysql.com/get/mysql-apt-config_0.8.10-1_all.deb; #set debian frontend to not prompt export DEBIAN_FRONTEND="noninteractive"; #config the package dpkg -i /tmp/mysql-apt-config_0.8.29-1_all.deb; #update apt to get mysql repository apt-get update #install mysql according to previous config apt-get install mysql-server mysql-client --assume-yes --force-yes apt-get update -y -qq > /dev/null
because otherwise the deb packages will prompt for installation guidance. If I wanted a graphical installer, I'd not be using linux on the command line.
Well, that's the root password. I don't think mysql can do the process credentials login like postgresql does, so it has to get some. And it does use the standard tools for it.
@Benjamin-Hall said in WTF Bites:
Everyone praises linux package management. "just use the package manager!" they say.
Except when the major packages I need are not in the main repo but in their own separate repos, each of which uses their own methods for getting the keys, plus a bunch of manual crap. And the documentation is out of date. So they just fail to actually work.
There was a period of time when most of the interesting software was in Debian and few people ever bothered to publish separate Debian repositories (in part because the Debian packaging tools are a bit … well, you need to read the manual to use them). That time is, unfortunately, gone.
And then there are a bunch that are completely not set up for scripted installation, but require manual intervention of the "log into this webserver and use the setup wizard, also grab this temporary password from the (unstructured) error logs and stick it here using these console commands..." variety.
I can feel my sanity slipping away piece by piece, second by second. /rant
Chocolatey does somehow manage to script vast majority of Windows installers though.
@dkf That would mean we gave up on ever having what was supposed to be the Web 3.0. Which … yeah, we might not, blockchain's being used for many a wrong thing but I don't think I've seen a use-case to make it really compelling for the mainstream.
But in case we do get it, we can always fix it up by making it Web 1:3.0.
@Arantor said in I Hate Jira Because ...:
Meanwhile Joel has part moved on and is now a co-founder at hash.ai
Make of that what you will.
From the name it sounds like something related to the two biggest buzzwords of the day, blockchain and AI, but it does not seem to actually be either.
I wasn't really able to quickly understand what it really is or how it really works, but it sounds like some kind of integration framework for building tool combining data and application fragments from various places. I didn't see any mention of blockchain and AI is mentioned simply as one of the fragments you can integrate with.
@hungrier Well, .min.
means it's all squashed to one line, not how much is squashed there.
@PleegWat The “ingress protection” is a bit better specified than the old water resistance, so the IPx7 (IIRC the phone in question declares IP67) or 8 should actually mean it will survive a dunk in the toilet.
@Arantor Yes, I noticed (Glitch is also their last product, they seem to have sold off everything else). But I would expect the fogbugz.com domain would stay with fogbugz, but it has this nonsensical redirect.
@Arantor Hm, either way FogBugz does not appear to work any more ☹. The fogbugz.com redirects to www.fogcreek.com/fogbugz and that doesn't respond.
Or they moved it somewhere else altogether. Either way ignitetech's web is horribly slow.
@Arantor linked a site in I Hate Jira Because ... that said:
Anyone that thinks otherwise needs to spend more time with FogBugz or Trello…
@Arantor said in I Hate Jira Because ...:
breezing through the board to view those tickets fired far more network requests and traffic than it really should.
That's what I suspected.
Apropos. In the last project here they used GraphQL. The point of GraphQL is supposed to be that the client can say what information it wants to get, including from related entities and stuff, and get it in one round-trip, or at least much fewer round-trips. I was quite disappointed though: