|
Suspicious Dish posted:what's preventing a post-install script from reading ~/.gnupg? how is that locked down? okay, so I've read the private key in ~/.gnupg, but I'll still need the password that the private key was encrypted with if I want to sign anything, and a post-install script has no way of getting at that. I think it's a reasonable assumption ityool 2017 that people are generating private keys with a password. also, another benefit of signed packages is that now you have an avenue to revoke a particular key if you know you've been owned and need to distance yourself from any haram versions. although, I wonder how much better this is than npm itself just going "hey, this package has been owned, do you really want to use it?" in large red ascii text or whatever whenever you go to install it
|
#
?
Aug 30, 2017 08:34
|
|
|
|
| # ? Jun 7, 2024 21:38 |
|
|
nielsm posted:Yes, the problem is that in Python, any assignment is an implicit declaration that the variable lives in the assignment scope, unless it has been declared nonlocal in the same scope... unless it's a global, I think? So then the issue isn't in declaring where a variable lives, since that's happening implicitly, it's just in being unable to effect the contents of an outer scope variable from within an inner scope without an obtusely-named keyword.
|
|
#
?
Aug 30, 2017 08:40
|
|
|
GenJoe posted:okay, so I've read the private key in ~/.gnupg, but I'll still need the password that the private key was encrypted with if I want to sign anything, and a post-install script has no way of getting at that. I think it's a reasonable assumption ityool 2017 that people are generating private keys with a password. Aren't npm accounts authenticated with a password? Why don't they prompt at install time there too? If it's because the system cached a token because entering a password every time is a pain, the same thing happens with the gnupg agent daemon. Revocation is an interesting case, since there I would assume that a hacked key would need to get rotated out and a new key put in is place. But any attacker could use this same mechanism to swap that key out, no? Any central authority could indeed simply pull a hacked package much easier than trying to update key revocation lists. Short key name collisions happened at my last job and trying to get apt to not trust a key was an exercise in futility.
|
|
#
?
Aug 30, 2017 08:55
|
|
|
Suspicious Dish posted:Aren't npm accounts authenticated with a password? Why don't they prompt at install time there too? If it's because the system cached a token because entering a password every time is a pain, the same thing happens with the gnupg agent daemon. How often do you sign things with the key that controls your package releases? How often are you going to do that shortly before installing a random node package?
|
|
#
?
Aug 30, 2017 09:02
|
|
|
GenJoe posted:this post is Nothing is ever 100% secure. Take Master locks for instance, They are the worst of the worst https://www.youtube.com/watch?v=NAcNsdWw_y0
|
|
#
?
Aug 30, 2017 10:22
|
|
|
How do other package registries prevent typo squatting?
|
|
#
?
Aug 30, 2017 11:37
|
|
|
Some fuckwit I work with sporadically puts 'css' in his css class names. I presume he only does it sporadically because that would violate his personal rule of never being consistent about anything.
|
|
#
?
Aug 30, 2017 12:06
|
|
|
chippy posted:Some fuckwit I work with sporadically puts 'css' in his css class names. I presume he only does it sporadically because that would violate his personal rule of never being consistent about anything. My #1 pet peeve: code:
|
|
#
?
Aug 30, 2017 16:14
|
|
|
I hate variable names with "meta" information like that. Same reason I dislike most spins on Hungarian notation. Also why I don't like prefixing interfaces with an I. It feels like crossing the streams.
|
|
#
?
Aug 30, 2017 16:37
|
|
|
He used to do full-blown Hungarian notation but its been beaten out of him.
|
|
#
?
Aug 30, 2017 16:48
|
|
|
I only use Hungarian notation for UI, eg. btnOk, txtCustomer, dlgConfirmOrder. Just writing "ok" and "cancel" feels wrong and is prone to name conflicts.
|
|
#
?
Aug 30, 2017 16:54
|
|
|
How do you guys feel about mThing in C++. I think it's the one place Hungarian style is actually helpful, especially for debugging.
|
|
#
?
Aug 30, 2017 16:55
|
|
|
You mean as a hack to compensate for lovely tooling that can't syntax-highlight those things in a different colour or w/e? Eh, I guess it's fine. As long as you realize that that's what you're doing and don't think it's actually good.
|
|
#
?
Aug 30, 2017 16:59
|
|
|
SupSuper posted:I only use Hungarian notation for UI, eg. btnOk, txtCustomer, dlgConfirmOrder. Just writing "ok" and "cancel" feels wrong and is prone to name conflicts. I've just realised I used to do this when doing Winforms development without it occuring to me that I was basically using my hated hungarian. Although I would use names like okButton, nameTextbox, etc.
|
|
#
?
Aug 30, 2017 17:05
|
|
|
Volguus posted:Ughh ... I'm not sure this is fine, but anyway. Not about github going down (duh, github will be with us forever), but how about taking over repositories, typosquatting or other forms of injecting unknown/unwanted code. I mean, how can one trust what npm has to offer when npm has no way of checking its offerings? In what universe does that make any sense? And that documentation sample that I just posted is a perfect example of "no brain cells were used in the making of this thing". How can it be possible to get things from a 3rd party location without me telling you specifically to do so and say that "it's fine" with a straight face? I don't have any package maintenance expertise but "GitHub will always be up and accessible" along with "any code up on GH is a huge security threat" seems to be an amazingly fine grained position.
|
|
#
?
Aug 30, 2017 17:25
|
|
|
return0 posted:The why is you, as React is actually pretty good. Should have put more accent on JSX part; I'm not denying that react.js is nice - I just hate: code:code:edit: imho, there should be clear separation of presentation layer (JSX) from code (rest of react), preferably in their own files. This way you could use different templating engines as well and get rid of babel that does the assembly of the template canis minor fucked around with this message at 18:42 on Aug 30, 2017 |
|
#
?
Aug 30, 2017 17:43
|
|
|
Thankfully as JavaScript people have learned over the past year and a half, programming languages can be compiled or interpreted, which has lead to an explosion of React-alikes placed all along the runtime/compile-time gradient. Some compile to nothing but template strings + innerHTML ( https://svelte.technology/ ) Some compile to JavaScript methods ( React ) And some compile to a custom bytecode language ( https://github.com/glimmerjs/glimmer-vm ) So now you get all the fun of "code is data is code" discovery confused by the fact that it's all being written on top of a platform which has a GC, runtime program evaluation with a good JIT, and a fast native parser for the language you're trying to compile.
|
|
#
?
Aug 30, 2017 17:57
|
|
|
chippy posted:I've just realised I used to do this when doing Winforms development without it occuring to me that I was basically using my hated hungarian. Although I would use names like okButton, nameTextbox, etc. Visual Studio 6.0 Constant and Variable Naming Conventions" https://msdn.microsoft.com/en-us/library/aa240858(v=vs.60).aspx
|
|
#
?
Aug 30, 2017 18:26
|
|
|
return0 posted:The why is you, as React is actually pretty good. Ruby does not let published packages depend on git repos, only other published gemspecs (including to private gem servers). Bundler is for development and allows git references. necrotic fucked around with this message at 18:32 on Aug 30, 2017 |
|
#
?
Aug 30, 2017 18:29
|
|
|
SupSuper posted:I only use Hungarian notation for UI, eg. btnOk, txtCustomer, dlgConfirmOrder. Just writing "ok" and "cancel" feels wrong and is prone to name conflicts. Well you see this is best practices because how else are you going to keep all the variables you use for your business logic separate from your controls (I do the same thing)
|
|
#
?
Aug 30, 2017 18:32
|
|
|
Zemyla posted:No, but you can transpile it from Haskell! You absolutely can. http://pyjs.org/
|
|
#
?
Aug 30, 2017 19:06
|
|
|
canis minor posted:Should have put more accent on JSX part; I'm not denying that react.js is nice - I just hate: Yeah fair enough. For balance, another thing that sucks a bit about React is it's halfway-house CSS for inline styling, which is awkward for expressing hover states etc. necrotic posted:Ruby does not let published packages depend on git repos, only other published gemspecs (including to private gem servers). Bundler is for development and allows git references. My bad, I misremembered.
|
|
#
?
Aug 30, 2017 19:45
|
|
|
Xarn posted:Issue just got opened up, apparently our preview release breaks :nsfw:
|
|
#
?
Aug 31, 2017 01:54
|
|
|
Typical programmers, forcing all the data into binary.
|
|
#
?
Aug 31, 2017 02:19
|
|
|
Doom Mathematic posted:How do other package registries prevent typo squatting? Maven has namespaced packages and uses a verification step (e.g. prove that you own the domain) before assigning those namespaces.
|
|
#
?
Aug 31, 2017 03:19
|
|
|
XML solves typo squatting since everyone will copy and paste it
|
|
#
?
Aug 31, 2017 03:24
|
|
|
MisterZimbu posted:Well you see this is best practices because how else are you going to keep all the variables you use for your business logic separate from your controls It's very needful in Windows Forms as each form subclass winds up containing a shitload of UI elements as instance variables.
|
|
#
?
Aug 31, 2017 04:27
|
|
|
Thermopyle posted:I hate variable names with "meta" information like that. Same reason I dislike most spins on Hungarian notation. Didn't crossing the streams wind up being really good and important though?
|
|
#
?
Aug 31, 2017 07:17
|
|
|
You're thinking about it too much. But if you want to do that, it was OK in very limited and specific circumstances, no?
|
|
#
?
Aug 31, 2017 14:03
|
|
|
Sedro posted:Maven has namespaced packages and uses a verification step (e.g. prove that you own the domain) before assigning those namespaces. What about typosquatting the namespaces, though?
|
|
#
?
Aug 31, 2017 16:49
|
|
|
http://redux.js.org/docs/recipes/WritingTests.html#middlewarequote:Middleware functions wrap behavior of dispatch calls in Redux, so to test this modified behavior we need to mock the behavior of the dispatch call. Groaaan
|
|
#
?
Aug 31, 2017 18:50
|
|
|
code:
|
|
#
?
Aug 31, 2017 19:14
|
|
|
Parse it like this:JavaScript code:
|
|
#
?
Aug 31, 2017 19:39
|
|
|
Destructuring is cool and good, just like arrow functions.
|
|
#
?
Aug 31, 2017 20:09
|
|
|
ok the company i work for is rewriting the system in a modernisation program, They were testing it the other day and for 5 users continually asking for pages they were taking 15-35 seconds per page.... This is using Node, and other modern stuff.
|
|
#
?
Aug 31, 2017 21:12
|
|
|
Look, you're not supposed to prematurely optimize. That means you don't have to care about runtime whatsoever until it becomes a problem, right?
|
|
#
?
Aug 31, 2017 21:20
|
|
|
Suspicious Dish posted:Parse it like this: Thank you, it makes sense rewritten like that. I just don't understand the necessity of clever terseness, especially combined with the FP circlejerk that's everywhere now. I'm getting old.
|
|
#
?
Aug 31, 2017 21:34
|
|
|
I still think arrow notation in ECMA Script was a mistake (as I can't get used to it as well) Just gotten a new phone - went from iPhone to Android; moved most of my apps just fine appart for Goodreads, which is found as similar app as "Grommr: Gay Gainers & Bellies"
|
|
#
?
Aug 31, 2017 22:22
|
|
|
Just spend some time getting used to them. Write a bunch of random stuff with them until you got it. That's what I did and I definitely wouldn't want to go back to not having them. They're great once you're used to them, and they're particularly great for nested functions as the arrows concisely and accurately explain whats happening.
|
|
#
?
Aug 31, 2017 23:46
|
|
|
|
| # ? Jun 7, 2024 21:38 |
|
|
Arrow functions also capture `this` so you don't have to do `let self = this` or `func.bind(this)`.
|
|
#
?
Aug 31, 2017 23:51
|
|
