|
Doc Hawkins posted:Uh, yeah, duh! It's the node way!
|
#
?
Mar 23, 2016 16:05
|
|
|
|
| # ? Jun 5, 2024 09:10 |
|
|
My interpretation is they felt that the html tags would handle the formatting and gluing strings together with '+' would be sufficient. I guess their conversations never made it to wondering what would happen if someone wanted to display a float or a formatted timestamp.
|
|
#
?
Mar 23, 2016 16:06
|
|
|
Internet Janitor posted:I wonder how many npm modules like that wouldn't exist if JS had been designed with any sort of string formatting facility built in. For a language specifically designed with UI glue logic in mind, and which includes special syntactic sugar for describing regex patterns, it's a bizarre omission. It's not without precedent, Java lacked String.join() for eighteen years.
|
|
#
?
Mar 23, 2016 16:07
|
|
|
Doc Hawkins posted:Uh, yeah, duh! It's the node way!
|
|
#
?
Mar 23, 2016 16:51
|
|
|
I can see the 270,000 line package.json now...
|
|
#
?
Mar 23, 2016 17:08
|
|
|
Honestly the thing that bugs me most about this is that apparently nobody keeps local copies of the libraries they depend on, so their build process depends on some remote package repository. Isn't that just screaming out for security leaks? Publish an innocuous library, get it incorporated into a few hundred thousand websites, make a seemingly-innocuous change with hidden ramifications, and bam, it goes live very nearly immediately.  (I mean, relying on a library for a simple string padding method is also kind of but it's understandable in the more general case to not want to reinvent the wheel)
|
|
#
?
Mar 23, 2016 17:11
|
|
|
TooMuchAbstraction posted:Honestly the thing that bugs me most about this is that apparently nobody keeps local copies of the libraries they depend on, so their build process depends on some remote package repository. Isn't that just screaming out for security leaks? Publish an innocuous library, get it incorporated into a few hundred thousand websites, make a seemingly-innocuous change with hidden ramifications, and bam, it goes live very nearly immediately. The great thing is the guy unpublished all his stuff. So anyone who noticed in time could have published something with the same names and new version numbers and easily have exploited to god knows how many projects. I have no idea why they don't have any sort of signatures or any basic form of security. IronDoge fucked around with this message at 17:21 on Mar 23, 2016 |
|
#
?
Mar 23, 2016 17:18
|
|
|
IronDoge posted:If you wanted to concatenate things to a string repeatedly would you: It gets even better. The guy unpuplished all his code because some lawyer sent NPM emails claiming one of his libraries had a similar / same name as some company, and NPM took down that lib. The guy then took down all of his other code.
|
|
#
?
Mar 23, 2016 17:20
|
|
|
TooMuchAbstraction posted:Honestly the thing that bugs me most about this is that apparently nobody keeps local copies of the libraries they depend on, so their build process depends on some remote package repository. Isn't that just screaming out for security leaks? Publish an innocuous library, get it incorporated into a few hundred thousand websites, make a seemingly-innocuous change with hidden ramifications, and bam, it goes live very nearly immediately. A lot of people do that, and there are a lot of things to help you do that (local npm registry, npm-shrinkwrap, etc.), you just don't see it because those people aren't complaining about how everything is suddenly broken.
|
|
#
?
Mar 23, 2016 17:23
|
|
|
TooMuchAbstraction: I feel the same way. I tend to want to peg the version of dependencies and explicitly choose to upgrade them when new versions become available rather than relying unnecessarily on repositories outside my control. For small projects and dependencies you can even check those deps into your version control so that simply cloning the repository gives everybody exactly the right version of everything. NPM seems almost intentionally designed to discourage this workflow by generating a bazillion tiny files for every package you install, so if you check the npm directory in it creates a huge mess. Automatically fetching dependencies at clone-time isn't nearly as bad security-wise as doing it on every build, though.
|
|
#
?
Mar 23, 2016 17:24
|
|
|
TooMuchAbstraction posted:Honestly the thing that bugs me most about this is that apparently nobody keeps local copies of the libraries they depend on, so their build process depends on some remote package repository. Isn't that just screaming out for security leaks? Publish an innocuous library, get it incorporated into a few hundred thousand websites, make a seemingly-innocuous change with hidden ramifications, and bam, it goes live very nearly immediately. You mean something like ajax.googleapis.com?  I have no idea about the implementation details of that site, but if you block it like 80% of all websites will stop functioning. I hope google treats it like fort knox.
|
|
#
?
Mar 23, 2016 17:31
|
|
|
Like someone mentioned, the sane thing that sane developers have been doing forever it to distribute their libraries with a hash or a checksum or signed. I don't know anything about npm, but it's surprising to find out that they just said gently caress it, or I guess it didn't even come up? I get pissy when I try to build Rust program and there needs to be megabytes of bullshit downloaded. I suppose it isn't a big deal, but for some reason there are some Rust developers that apply the same line of thinking, that is to smush libraries together like two dolls kissing and then become self-righteous about it. Not only is it awkward, it's also just rude, like not putting a top-level folder in a tar/zip. That's not to say that they're all like that, I'm finding that people who enjoy writing rust code either used to be hardcore functional programmers (who are exempt from my disdain but still a little weird), or web developers who want to be "systems programmers" but not actually learn anything about how a computer works. Also I never looked before but it seems that Cargo has the same problem as NPM with regards to security? Also, is autoconf and make really that painful for new programmers to figure out? This is a good one ... https://github.com/kevva/is-positive quote:Note: This module doesn't consider 0 to be a positive number and doesn't distinguish between -0 and 0. If you want to detect 0, use the positive-zero module. vvv Yeah now that I think about it, I take that back. I can't really blame someone if they take a glance at using autoconf for the first time and say gently caress it. It works for me though  . Maybe I'm the weirdo that should start using cmake or something.
dougdrums fucked around with this message at 19:35 on Mar 23, 2016 |
|
#
?
Mar 23, 2016 19:17
|
|
|
autoconf is a horror.
|
|
#
?
Mar 23, 2016 19:28
|
|
|
dougdrums posted:vvv Yeah now that I think about it, I take that back. I can't really blame someone if they take a glance at using autoconf for the first time and say gently caress it. It works for me though Cmake was designed by people who apparently thought that autoconf was just too sane and understandable.
|
|
#
?
Mar 23, 2016 20:42
|
|
|
What are the cool kids using nowadays for their large builds then, that doesn't involve Java?
|
|
#
?
Mar 23, 2016 21:14
|
|
|
dougdrums posted:Not only is it awkward, it's also just rude, like not putting a top-level folder in a tar/zip. wait, what? You mean that thing some people do of putting a pointless extra level in a zip? That's really annoying, why would you expect people to do that of all things?
|
|
#
?
Mar 23, 2016 21:50
|
|
|
If you use a CLI unpacker, archives that don't contain a top level folder can very easily explode their files into the current directory and make a mess when you blindly say "extract all". If you use a GUI unpacker you're less likely to make this mistake. Whether you care or not probably predicts which type of tools you use.
|
|
#
?
Mar 23, 2016 21:54
|
|
|
Because I don't know if tar xf file.tar.gz is gonna gently caress up my home directory and I'm too lazy to list it before hand. I thought that was always the courtesy, in addition to doing it with torrents and whatnot. http://www.linfo.org/tarbomb.htmlInternet Janitor posted:Whether you care or not probably predicts which type of tools you use. dougdrums fucked around with this message at 22:02 on Mar 23, 2016 |
|
#
?
Mar 23, 2016 21:55
|
|
|
I've never heard of that before.Internet Janitor posted:If you use a CLI unpacker, archives that don't contain a top level folder can very easily explode their files into the current directory and make a mess when you blindly say "extract all". If you use a GUI unpacker you're less likely to make this mistake. Whether you care or not probably predicts which type of tools you use. My perception of people who prefer to use command-line tools over GUI ones is that they're the kind of people who feel that they know what they're doing and like to have full control over everything at the cost of some user-friendliness. If you deliberately put yourself in that position then tbh it seems to me you can't complain when you then have to take extra care around things like that. Less flippantly, it seems like the proper answer to this situation would be to have an option on the archive-unpacking tool that says "if the contents aren't in a top-level directory, then create one for me, named after the archive, and put the files in there instead" (or that could be the default behaviour and there could be an option to suppress it).
|
|
#
?
Mar 23, 2016 22:06
|
|
|
IronDoge posted:The great thing is the guy unpublished all his stuff. So anyone who noticed in time could have published something with the same names and new version numbers and easily have exploited to god knows how many projects. I have no idea why they don't have any sort of signatures or any basic form of security. This actually happened already because of this fiasco. Though this looks like someone simply botched the publishing mechanism instead of pushing something nefarious. http://www.drinchev.com/blog/alert-npm-modules-hijacked/ The idea that released packages aren't immutable and irrevocable ("delisting" is fine) is absolutely insane for a package management provider.
|
|
#
?
Mar 23, 2016 22:07
|
|
|
Hammerite posted:Less flippantly, it seems like the proper answer to this situation would be to have an option on the archive-unpacking tool that says "if the contents aren't in a top-level directory, then create one for me, named after the archive, and put the files in there instead" (or that could be the default behaviour and there could be an option to suppress it). In some formats, like tar, you need to process the whole archive to determine if there is or isn't a common directory prefix. (You'd also have to do some file path interpretation, but only for edge cases.)
|
|
#
?
Mar 23, 2016 22:16
|
|
|
TARs have top-level directories, ZIPs don't.
|
|
#
?
Mar 23, 2016 23:02
|
|
|
ExcessBLarg! posted:TARs have top-level directories, ZIPs don't. That's the common pattern, but sadly it's not enforced. (For good reason, really, but most often a lack of top-level directory in a tar file is just badness.)
|
|
#
?
Mar 23, 2016 23:06
|
|
|
Yeah, if you feed tar a list of files it'll happily omit a top level directory. Basically any time I get any archive I move it into a temp directory until I figure out what it has inside.
|
|
#
?
Mar 23, 2016 23:24
|
|
|
Ika posted:It gets even better. The guy unpuplished all his code because some lawyer sent NPM emails claiming one of his libraries had a similar / same name as some company, and NPM took down that lib. The guy then took down all of his other code. So, the Kik guy posts about how they only made a "polite request", along with an email exchange that reveals he's a giant rear end in a top hat: Kik rear end in a top hat posted:We don’t mean to be a dick about it, but it’s a registered Trademark in most countries around the world and if you actually release an open source project called kik, our trademark lawyers are going to be banging on your door and taking down your accounts and stuff like that — and we’d have no choice but to do all that because you have to enforce trademarks or you lose them. Azer posted:There's a lot of horrors here, but the big technical one is that any of these people think you can actually change a package in a package manager to be something completely different. Sure you can do a major version increment, but still people are going to wonder why the hell a library they were using is completely different now. ExcessBLarg! fucked around with this message at 00:02 on Mar 24, 2016 |
|
#
?
Mar 23, 2016 23:58
|
|
|
There's nothing giant rear end in a top hat in that email exchange except from azer.
|
|
#
?
Mar 24, 2016 00:00
|
|
|
I don't know, saying "We don’t mean to be a dick about it" in a professional context generally means you're being a dick about it.
|
|
#
?
Mar 24, 2016 00:01
|
|
|
I must be missing the part of this trademark that covers a dozen lines of JavaScript to poorly pad strings:quote:IC 009. US 021 023 026 036 038. G & S: Computer software for use with mobile phones and portable computing devices to exchange, share and create text with other users; computer software for electronic messaging services; computer software for use with mobile phones and portable computing devices to exchange and share digital photos; computer software for use with mobile phones and portable computing devices to download audio, video, digital photos and programs; electronic payment systems, namely, a computer application software used for processing electronic payments to and from others; computer software for use with mobile phones and portable computing devices to create video and digital photos to share with other users; computer software for use with mobile phones to launch other applications and connect to other software services. FIRST USE: 20150900. FIRST USE IN COMMERCE: 20150900
|
|
#
?
Mar 24, 2016 00:10
|
|
|
To be fair if a patent agent started a sentence with, "We don't mean to be a dick about it-" I don't think I'd be too worried. But besides that, if those emails are accurate yeah their patent agent was pretty civil otherwise, instead of being a big man baby, even if he was wrong. I mean with what Azer said, it probably actually now seemed like a liability to the folks at npm. dougdrums fucked around with this message at 00:16 on Mar 24, 2016 |
|
#
?
Mar 24, 2016 00:12
|
|
|
Didn't npm used to treat package versions in lexicographic order, as - 1.9.1 took precedence over 1.10.1. I vaguely remember something like this happening, but can't find anything about it atm.Hammerite posted:
There's always the best of two worlds - Total Commander, or alternatives (although I hated muCommander on Mac).
|
|
#
?
Mar 24, 2016 00:14
|
|
|
pokeyman posted:I must be missing the part of this trademark that covers a dozen lines of JavaScript to poorly pad strings: The take-down of pad-left wasn't from Kik requesting it be taken down. Kik requested a package called 'kik' to be taken down, the author threw a tantrum and removed 'pad-left' only after 'kik' was removed for trademark or copyright or whatever reasons.
|
|
#
?
Mar 24, 2016 00:14
|
|
|
http://www.haneycodes.net/npm-left-pad-have-we-forgotten-how-to-program/quote:There’s a package called isArray that has 880,000 downloads a day, and 18 million downloads in February of 2016. It has 72 dependent NPM packages. Here’s it’s entire 1 line of code: return toString.call(arr) == '[object Array]';
|
|
#
?
Mar 24, 2016 00:30
|
|
|
piratepilates posted:The take-down of pad-left wasn't from Kik requesting it be taken down. Kik requested a package called 'kik' to be taken down, the author threw a tantrum and removed 'pad-left' only after 'kik' was removed for trademark or copyright or whatever reasons. Touché. I'm therefore surely missing the part of that trademark that covers "a command-line tool and a library for creating projects by using starters".
|
|
#
?
Mar 24, 2016 00:33
|
|
|
pokeyman posted:Touché. I'm therefore surely missing the part of that trademark that covers "a command-line tool and a library for creating projects by using starters". I'm not a lawyer, and neither was the guy sending the emails to people.
|
|
#
?
Mar 24, 2016 00:36
|
|
|
Hammerite posted:Less flippantly, it seems like the proper answer to this situation would be to have an option on the archive-unpacking tool that says "if the contents aren't in a top-level directory, then create one for me, named after the archive, and put the files in there instead" (or that could be the default behaviour and there could be an option to suppress it). I use dtrx to extract everything. It does exactly that, and also saves me from having to remember how the command line options for tar work.
|
|
#
?
Mar 24, 2016 00:38
|
|
|
It turns out that the whiny petulant child, in the process of throwing his tantrum and taking his ball and going home, also unpublished every module that he had contributor access to, not just his own modules. But, you know, this wasn't a kneejerk reaction on his part. n.e: 
|
|
#
?
Mar 24, 2016 01:36
|
|
|
In summary, everyone involved was a dipshit, ignore NPM forever. End of lesson.
|
|
#
?
Mar 24, 2016 01:47
|
|
|
nevermind me, im just sticking it to the man yo *break the ecosystem of an entire language* I'm not really sure who will come out worse, Azer or NPM. I'm betting NPM.
|
|
#
?
Mar 24, 2016 02:01
|
|
|
pokeyman posted:I must be missing the part of this trademark that covers a dozen lines of JavaScript to poorly pad strings: Without getting into excruciatingly boring detail: 1) Trademark infringement is based on comparing a number of factors to determine if consumers will confuse two marks. Having the same name for two software products from different sources could very likely be confusing. 2) Case law says that a trademark owner does not actually have to defend their trademark against all potential infringers, although there is a risk that a) their trademark may become a generic term and then be unprotectable (most famously aspirin, although there are other examples) or b) the owner may after enough time be unable to eventually enforce their rights against a particular person. Disclaimer: the above is generic information from a US perspective.
|
|
#
?
Mar 24, 2016 02:03
|
|
|
|
| # ? Jun 5, 2024 09:10 |
|
|
I remember, a few years ago, having a conversation with a developer who was working on a framework/ecosystem that was going to have its own package manager. One point he thought was important: make everything namespaced by user. So who cares about azer/kik if you have kik/framework or whatever. Speaking as someone who works at a company who publishes packages with the name of our service on it, that medium post makes them look like tone-deaf idiot fuckers, and I would be absolutely disgusted if we did something similar, not from any moral argument, but because we want developers to like us and use our poo poo. Jesus christ, if the existing package actually has any usage, much less that and the maintainer seems cagey, then why not just call yours kik-js? The dev comes out looking dumb, but kik comes out losing money. Their trademark legal team just damaged the value of their trademark, and should all be fired. E: oh, also the marketing horror who thought that medium post counted as damage control Doc Hawkins fucked around with this message at 02:34 on Mar 24, 2016 |
|
#
?
Mar 24, 2016 02:26
|
|
