|
Munkeymon posted:Makes me want to make an NPM clone that filters out anything tainted by his work. You could be like that one guy who posts to C++ repos about using leading underscores, except you're submitting PRs against anything that has one of his packages as a dependency.
|
#
?
Jun 20, 2019 17:19
|
|
|
|
| # ? Jun 7, 2024 15:33 |
|
|
Nolgthorn posted:His 'ansi-cyan' library is used in 223,321 other repositories. It's enough to make me quit programming. I guess this read: https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5 was inspired by that repo (?)
|
|
#
?
Jun 20, 2019 17:41
|
|
|
Just gonna chime in in the waning moments of this monadchat to once again recommend Eric Lippert's series of monad tutorials: https://ericlippert.com/category/monads/page/1/ Or just start with this one: https://ericlippert.com/2013/02/21/monads-part-one/ There are countless monad tutorials out there, and I've read way too many of them. Eric's series is probably the one that gave me the best practical understanding of the pattern. After reading through those posts I was able to later go back to some of the more technical descriptions and actually get most of it. It felt a lot like being 5 years old and learning how to add numbers together for the first time.
|
|
#
?
Jun 20, 2019 17:56
|
|
|
ryde posted:I honestly wonder if we need something akin to a cyclomatic complexity check for dependencies in package managers. These guys did that, and used it to mark anything with complexity <= 10 (and at or below 35 lines long) as a "trivial dependency" http://das.encs.concordia.ca/uploads/2017/07/Abdalkareem_FSE2017.pdf
|
|
#
?
Jun 20, 2019 18:05
|
|
|
Dumb Lowtax posted:These guys did that, and used it to mark anything with complexity <= 10 (and at or below 35 lines long) as a "trivial dependency" They did complexity checks on the packages themselves, not the dependency tree (which I think is what ryde was talking about).
|
|
#
?
Jun 20, 2019 18:24
|
|
|
necrotic posted:They did complexity checks on the packages themselves, not the dependency tree (which I think is what ryde was talking about). Yes, basically something that says "Your dependency tree is bad and you should feel bad, clean it up!" built into the package manager to push back against the situation going on in NPM (and Maven to a lesser degree)
|
|
#
?
Jun 20, 2019 18:46
|
|
|
ryde posted:I honestly wonder if we need something akin to a cyclomatic complexity check for dependencies in package managers. Finally JavaScript's native support for Infinity has a real-world use case.
|
|
#
?
Jun 20, 2019 18:51
|
|
|
ryde posted:Yes, basically something that says "Your dependency tree is bad and you should feel bad, clean it up!" built into the package manager to push back against the situation going on in NPM (and Maven to a lesser degree) Is this happening in maven? My experience of java has been more the opposite, everything ends up depending on a handful of huge libraries like guava and the popular bits of apache commons
|
|
#
?
Jun 20, 2019 19:47
|
|
|
code:
|
|
#
?
Jun 20, 2019 20:10
|
|
|
Also: The Monad Tutorial Fallacy tldr: an explanation for something abstract like monads suddenly "clicking" for you (after a bunch of others don't) doesn't necessarily mean that explanation was a particularly good one, it's just that you've hit the critical mass of examples and ways of looking it at that you can understand it
|
|
#
?
Jun 20, 2019 20:20
|
|
|
poemdexter posted:
surprised by how few, maybe. i just tried this (well, the maven equivalent) on our main java project and nearly all the dependencies are things we depend on directly. the only place the dependency tree even starts to get deep is where we use batik to rasterise svg and that's split into a bunch of jars that depend on each other for some reason.
|
|
#
?
Jun 20, 2019 20:25
|
|
|
Soricidus posted:surprised by how few, maybe. i just tried this (well, the maven equivalent) on our main java project and nearly all the dependencies are things we depend on directly. the only place the dependency tree even starts to get deep is where we use batik to rasterise svg and that's split into a bunch of jars that depend on each other for some reason. I'm on Spring Boot so there's a lot of dependencies but it's mostly apache stuff and other easily recognizable libs.
|
|
#
?
Jun 20, 2019 20:29
|
|
|
Suspicious Dish posted:monads and strife, 
|
|
#
?
Jun 20, 2019 21:00
|
|
|
Frankly, I think a lot of enthusiasm for monads comes from that a lot of people were just never really taught abstract mathematics, and then suddenly they "need" to learn this one abstraction that a bunch of people are talking about, and it's their first real introduction to that kind of formalism and it's a bit mindblowing. There's a cute little functional-programming-for-professionals mini-conference I've gone to a few times where these dudes get up and gush about the amazing things you can do with semigroups and monoids, and it's the same thing. Anybody who actually took algebraic structures in college is going to be massively non-plussed, but that doesn't mean it's not legitimately interesting to people who haven't.
|
|
#
?
Jun 20, 2019 21:01
|
|
|
Suspicious Dish posted:monads and strife, Mods?
|
|
#
?
Jun 20, 2019 21:01
|
|
|
(crossposted from infosec thread) Ladies, gentlemen, and friends, Eric S. Raymond. https://twitter.com/mjg59/status/1141786872387010561 For people with screenreaders: Bug report ESR posted:Hi, Project news quote:2.5.14: 2019-06-20:: 
|
|
#
?
Jun 20, 2019 21:04
|
|
|
Soricidus posted:Is this happening in maven? My experience of java has been more the opposite, everything ends up depending on a handful of huge libraries like guava and the popular bits of apache commons Less trivial libraries, more a bunch of libraries with the same functionality. My projects usually end up with Jackson and GSON, plus some sort of layer over Jackson, and three different logging libraries just by default. My current project also has a few serialization formats, a "retrier", joda time (despite the library being Java 8), has two embedded HTTP servers, and something like three HTTP clients.
|
|
#
?
Jun 20, 2019 21:05
|
|
|
Arsenic Lupin posted:(crossposted from infosec thread) My "favourite" ESR advice is that if you have a heisenbug it's probably because your compiler's optimiser is buggy so dial back the optimiser settings until it goes away
|
|
#
?
Jun 20, 2019 21:23
|
|
|
rjmccall posted:Frankly, I think a lot of enthusiasm for monads comes from that a lot of people were just never really taught abstract mathematics, and then suddenly they "need" to learn this one abstraction that a bunch of people are talking about, and it's their first real introduction to that kind of formalism and it's a bit mindblowing. There's a cute little functional-programming-for-professionals mini-conference I've gone to a few times where these dudes get up and gush about the amazing things you can do with semigroups and monoids, and it's the same thing. Anybody who actually took algebraic structures in college is going to be massively non-plussed, but that doesn't mean it's not legitimately interesting to people who haven't. I think you may be onto something. Grade school courses are practically designed to make a person despise math. I'm all for people realizing that math can actually be pretty interesting and engaging.
|
|
#
?
Jun 20, 2019 21:24
|
|
|
ryde posted:Less trivial libraries, more a bunch of libraries with the same functionality. My projects usually end up with Jackson and GSON, plus some sort of layer over Jackson, and three different logging libraries just by default. My current project also has a few serialization formats, a "retrier", joda time (despite the library being Java 8), has two embedded HTTP servers, and something like three HTTP clients. oh, yeah, that kind of thing is totally real and an issue. just not very similar to the npm thing with single-line libraries there's an npm package called "zero" and i was legit surprised that it isn't a single line that exports the constant 0
|
|
#
?
Jun 20, 2019 21:30
|
|
|
Soricidus posted:oh, yeah, that kind of thing is totally real and an issue. just not very similar to the npm thing with single-line libraries How many packages does it import?
|
|
#
?
Jun 20, 2019 21:33
|
|
|
Dumb Lowtax posted:I never understand when someone hates on another poster just for posting a lot of text. editing is a virtue
|
|
#
?
Jun 20, 2019 21:36
|
|
|
Qwertycoatl posted:How many packages does it import? Well, there's Not1, Not2 and Not3... *scroll scroll* Not23, Not24...
|
|
#
?
Jun 20, 2019 21:37
|
|
|
Arsenic Lupin posted:(crossposted from infosec thread) for those of us who don't know much about C programming, what are the implications of this? does it demonstrate an exploitable defect in the software (e.g. I could run code on your computer with a carefully crafted GIF file), or does it just show cavalier and sloppy practice?
|
|
#
?
Jun 20, 2019 21:42
|
|
|
Yes. It means that for some input, instead of saying "hey thats bad input" it just crashes. That implies there could be a security issue, but there is a bug at least. ESR's response is like that sega game that you could punch to get to the secret level select menu, when an error happens just pretend like it didn't and do something else. e: https://www.youtube.com/watch?v=i9bkKw32dGw taqueso fucked around with this message at 21:48 on Jun 20, 2019 |
|
#
?
Jun 20, 2019 21:45
|
|
|
It's possible that you could provide some input that doesn't produce a segfault, but still fucks poo poo up. The whole purpose of a parser is to reject arbitrarily broken input.
|
|
#
?
Jun 20, 2019 21:46
|
|
|
Unrelated I've gotten a BIOS to segfault once. That was fun.
|
|
#
?
Jun 20, 2019 21:48
|
|
|
Segfaults are the best case scenario -- the computer detected something went wrong and exited. The implication is that someone determined can make the program do something far worse than segfaulting by setting things up in stupid ways. Basically, it's an invitation to dig deeper. Perhaps some rogue GIF file can steal you bank account information. Gracefully exiting after a segfault misses the point; the segfault isn't the problem here.
|
|
#
?
Jun 20, 2019 21:49
|
|
|
Hammerite posted:for those of us who don't know much about C programming, what are the implications of this? does it demonstrate an exploitable defect in the software (e.g. I could run code on your computer with a carefully crafted GIF file), or does it just show cavalier and sloppy practice? not all memory corruption bugs can be turned into code execution. but some can, and it isn't always easy to tell which, hence why they're generally considered something you should drat well take seriously and fix whenever you find them. unless you're esr apparently
|
|
#
?
Jun 20, 2019 21:49
|
|
|
Hammerite posted:for those of us who don't know much about C programming, what are the implications of this? does it demonstrate an exploitable defect in the software (e.g. I could run code on your computer with a carefully crafted GIF file), or does it just show cavalier and sloppy practice? In this case, a lot of C bugs trace back to improperly managing memory one way or another. This triggers a SEGFAULT. The consequences of messed-up memory are serious enough that (A) they can gently caress up the way the program runs and (B) they can be used to overwrite working code with new code. This is why SEGFAULT normally crashes a program, to prevent its continuing after the memory has been tampered with. A good detailed explanation; if you want less detail, skip to "Since strcpy does not check " ESR has decided that it's really annoying to sanitize input when a fuzzer detects a problem, so he's just redirected the feature that crashes on a memory leak .... to continue in working code. Which it's at least possible that the segfault has successfully overwritten.
|
|
#
?
Jun 20, 2019 21:54
|
|
|
Here's a dumb piece of garbage: gcc 9.0 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90947
|
|
#
?
Jun 20, 2019 23:03
|
|
|
in other esr news, he's made a "loadsharer" page for people that hold up the internet with things like the timezone database, dnsmasq etc. of course where would the internet be without raymond? nowhere, that's where! quote:Me. Also now on SubscribeStar for those of you unhappy with Patreon. GIFLIB, GPSD, NTPsec, irkerd, repository conversions for major projects, my 17-year effort to clean up the manual-page corpus - all that and now organizing a network to fund other LBIPs. Need: High. Criticality: High: Past service: High. yes, ers's hostile fork of ntpd is just as critical to the internet as the tz database.
|
|
#
?
Jun 21, 2019 00:35
|
|
|
Bruce Byfield posted:In addition, Sons claims that some of the developers working on key projects like NTP are "are older than my father" -- presumably, in their fifties or sixties -- and so out of date that they should retire. Aging developers will shortly become a growing concern throughout free software, and Sons is right that younger recruits should be encouraged. Barf. Experience is bad, and people should stop working when they're old enough to be grandfathers. There are rigid and out-of-date developers in their middle age, true, but this does not magically start at age 50.
|
|
#
?
Jun 21, 2019 00:45
|
|
|
Old people made computers, computer science, basically all the software we use today. Young people just write the same JavaScript app in a new framework every 6 months.
|
|
#
?
Jun 21, 2019 00:51
|
|
|
xtal posted:Old people made computers, computer science, basically all the software we use today. Young people just write the same JavaScript app in a new framework every 6 months. Lots of young people are doing really interesting stuff in graphics if nowhere else. 
|
|
#
?
Jun 21, 2019 01:11
|
|
|
xtal posted:Old people made computers, computer science, basically all the software we use today. Young people just write the same JavaScript app in a new framework every 6 months.
|
|
#
?
Jun 21, 2019 01:12
|
|
|
zergstain posted:I was only familiar with functor being used to mean "function object," i.e. a type that defines operator()(). I think it’s like having a template trait over containers like C++ code:
|
|
#
?
Jun 21, 2019 01:20
|
|
|
https://twitter.com/gravislizard/status/1141871110192914432
|
|
#
?
Jun 21, 2019 02:30
|
|
|
programmers of every age from 10 to 100 are making worthwhile and significant contributions to all kinds of software projects esr is not one of them
|
|
#
?
Jun 21, 2019 02:51
|
|
|
|
| # ? Jun 7, 2024 15:33 |
|
|
I tried writing a SIGSEGV handler once. That was a long time ago when I was much newer to programming, and I was just playing with stuff, so it's not in the wild anywhere. If I remember, I thought I could "uncrash" the program. Never got anywhere beyond an infinite SIGSEGV loop, and gave up on the idea shortly.
|
|
#
?
Jun 21, 2019 03:13
|
|
