spiritual bypass
Feb 19, 2008

Grimey Drawer
Have you tried Racket?

Adhemar
Jan 21, 2004

Waiter, there's a horrible beast in my soup.

xtal posted:

Actually it's a PO box

I don’t think that’s the same thing unless there’s been some major PO Box innovation I’m not aware of.

Adhemar fucked around with this message at 10:33 on Feb 1, 2020

netcat
Apr 29, 2008

rt4 posted:

Have you tried Racket?

Not yet, I'm mostly playing around and thought it was funny two major implementations behave so differently on a simple example

QuarkJets
Sep 8, 2008

rt4 posted:

Have you tried Racket?

It's impolite to ask for fetishes in public like this

repiv
Aug 13, 2009

Why is this such a common bug across different hardware and kernels? How hard is it to count upwards? :stonk:

https://twitter.com/mgattozzi/status/1222598434655330304

Dr. Stab
Sep 12, 2010
👨🏻‍⚕️🩺🔪🙀😱🙀

Thermopyle posted:

"What's your address?"
"-21.692941728543° N -43.472103813716° W"
"Alright see you there!"

Typically, you don't need to know someone's address to the micrometer.

Four decimal places is ~10 meter resolution, which is what the word system seems to be.

Here's my new word system: take 10,000 words, sort them alphabetically, and .0001=word 1, and then you live at 21pizza43bicycle, which is near 21pineapple43binoculars

SAVE-LISP-AND-DIE
Nov 4, 2010
What 3 words splits the surface of the earth into 3m squares, so it's trying to compete with other coordinate reference systems and inherently sucks at human postal addresses. It's just not even worth trying to make it work that way - it's like programmers loving time zones, except worse because it's VC backed rent seeking.

In the UK we have a system called OSGB, it's been printed on pretty much every map for the last 80 years. It's better than what3words because


1) it's scalar, you can estimate where somewhere is in relation to somewhere else,

2) it's not proprietary. What 3 words keep their word database secret and charge for it.

3) OSGB works offline, without data, or electricity. If you have these, what's the point of optimising for spoken information exchange as what3words does? Just use the GPS

4) I can tell a French person a sequence of letters and numbers and they can understand where I mean, what3words "localisation" is literally untranslatable because they don't release their system.

gently caress what3words, they're literally the worst type of VC startup - using it isn't even a tradeoff of ethics for convenience, their solution is downright worse in every way.

As a piece of work for a regional emergency service I integrated what3words into their system and regret it.

Plorkyeran
Mar 22, 2007

To Escape The Shackles Of The Old Forums, We Must Reject The Tribal Negativity He Endorsed

Adhemar posted:

I don’t think that’s the same thing unless there’s been some major PO Box innovation I’m not aware of.

USPS will forward mail from your PO box to your actual address. Only helps you if you're staying in the same relatively small area though, and a bunch of services will reject PO boxes.

Doc Hawkins
Jun 15, 2010

Dashing? But I'm not even moving!


til about osgb, and the worldwide version: universal transverse mercator

it's cool.

e: i wish there were short names for the parts of zones, though. some middle ground of resolution between "this 60th of earth" and "this exact number of meters east and north"

e2: aha, there's also a USNG which has that subdivision :coal:

e3: alright, i am a big nerd, and i have decided i like MGRS the most, since it is global, but has subdivisions, and easy sub-sub-divisions using more significant digits in the meter measurements

Doc Hawkins fucked around with this message at 19:08 on Feb 1, 2020

Arsenic Lupin
Apr 12, 2012

This particularly rapid💨 unintelligible 😖patter💁 isn't generally heard🧏‍♂️, and if it is🤔, it doesn't matter💁.


OddObserver posted:

And of course, in the places where anonymization was sort of done, printing the last four digits was often the choice.
Heck, at least one institution of higher learning used to have the last four digits of the SSN in e-mail addresses, IIRC.

And nowadays credit card companies and other institutions routinely validate that you are who you say you are by asking for "the last four digits of your social".

Xerophyte
Mar 17, 2008

This space intentionally left blank
what3words seems utterly useless, but at least it spawned angry copy-cats like what3fucks (bad words, apparently down) and what3ducks (species of ducks). Greetings from American Black-Torrent-Freckled!

If you want something slightly less proprietary and made by people who think cities and nations are a useful addressing concept, Open Location Code is google's attempt. If I say I'm at PX25+94, Gothenburg you can google it and immediately know I'm a fish-worshiping pervert.

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

Xerophyte posted:

what3words seems utterly useless, but at least it spawned angry copy-cats like what3fucks (bad words, apparently down) and what3ducks (species of ducks). Greetings from American Black-Torrent-Freckled!

If you want something slightly less proprietary and made by people who think cities and nations are a useful addressing concept, Open Location Code is google's attempt. If I say I'm at PX25+94, Gothenburg you can google it and immediately know I'm a fish-worshiping pervert.

Yeah, this is what I already posted. Google calls their OLC addresses "plus codes". This scheme supposedly takes care of the "what is this address close to?" problem of what3words.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Thermopyle posted:

Yeah, this is what I already posted. Google calls their OLC addresses "plus codes". This scheme supposedly takes care of the "what is this address close to?" problem of what3words.

Honestly it's a pretty neat idea with real world application which is why I expect it to get turned down and deleted in a year or two.

putin is a cunt
Apr 5, 2007

BOY DO I SURE ENJOY TRASH. THERE'S NOTHING MORE I LOVE THAN TO SIT DOWN IN FRONT OF THE BIG SCREEN AND EAT A BIIIIG STEAMY BOWL OF SHIT. WARNER BROS CAN COME OVER TO MY HOUSE AND ASSFUCK MY MOM WHILE I WATCH AND I WOULD CERTIFY IT FRESH, NO QUESTION
Came across this in the Twitter thread someone just posted. I call it npm.txt. Be sure to read the response from the project owner.

https://github.com/lodash/lodash/pull/4518

tldr; security vulnerability in highly used npm package, severity is high, starts breaking builds due to security issues. Someone makes the extremely tiny change to fix the issue and submits a PR. After 4 months PR is still not merged because the project owner doesn't consider it worth his time to hit merge.

putin is a cunt fucked around with this message at 05:35 on Feb 2, 2020

Xik
Mar 10, 2011

Dinosaur Gum

quote:

This package gets more downloads than react, jquery, angular, and vue combined. It is relied upon by your financial institutions, your healthcare providers, your critical infrastructure, and many of your other national security interests.

Hold up I'm just grabbing this tiny violin for all these massive for-profit organizations relying on this dude's hobby project and his volunteer time.

After he said it wasn't worth his time no one from these big companies complaining about their static analysis tools replied saying "we will make it worth your time" $$$.

Have a look at the dude's activity, he has been working solid on open source stuff for like 10 years, but in the last 9 months has tapered off. Probably got a life or had a family or whatever.

QuarkJets
Sep 8, 2008

SAVE-LISP-AND-DIE posted:

What 3 words splits the surface of the earth into 3m squares, so it's trying to compete with other coordinate reference systems and inherently sucks at human postal addresses. It's just not even worth trying to make it work that way - it's like programmers loving time zones, except worse because it's VC backed rent seeking.

In the UK we have a system called OSGB, it's been printed on pretty much every map for the last 80 years. It's better than what3words because


1) it's scalar, you can estimate where somewhere is in relation to somewhere else,

2) it's not proprietary. What 3 words keep their word database secret and charge for it.

3) OSGB works offline, without data, or electricity. If you have these, what's the point of optimising for spoken information exchange as what3words does? Just use the GPS

4) I can tell a French person a sequence of letters and numbers and they can understand where I mean, what3words "localisation" is literally untranslatable because they don't release their system.

gently caress what3words, they're literally the worst type of VC startup - using it isn't even a tradeoff of ethics for convenience, their solution is downright worse in every way.

As a piece of work for a regional emergency service I integrated what3words into their system and regret it.

what3words is the bitcoin of geolocation implementations, so expect morons to flock to it en masse

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Xik posted:

Hold up I'm just grabbing this tiny violin for all these massive for-profit organizations relying on this dude's hobby project and his volunteer time.

After he said it wasn't worth his time no one from these big companies complaining about their static analysis tools replied saying "we will make it worth your time" $$$.

Have a look at the dude's activity, he has been working solid on open source stuff for like 10 years, but in the last 9 months has tapered off. Probably got a life or had a family or whatever.

The objection is literally that the npm ecosystem relies on random projects controlled by one dude that hasn't updated in 9 months, and when there's an issue in one of those packages the only way to get it fixed is to convince the owner of that project to care.

People care enough to have already written the patch! The only thing stopping it is that the only person with the authority to actually update the version everyone uses doesn't give a poo poo!

e: are you suggesting "extort people for money if they want to fix your security vulnerabilities" should be the business model for npm projects as a matter of course?

pokeyman
Nov 26, 2006

That elephant ate my entire platoon.
"My jenkins build is broken because unpaid dude hasn't merged a patch" is an indictment of everyone involved other than unpaid dude. Cache your dependencies, figure out how to override a dependency, and stop pretending it's production code when it's written on the back of a used napkin.

(I would not be remotely surprised to learn that you cannot override dependencies using npm, in which case lol but also find working tools.)

Xik
Mar 10, 2011

Dinosaur Gum
I will never defend the hilarious dumpster fire that is npm

Jabor posted:

e: are you suggesting "extort people for money if they want to fix your security vulnerabilities" should be the business model for npm projects as a matter of course?

But yeah for sure do this, people want this dude's time because he spent X years creating value for all these companies and now he is saying he has other priorities that no longer match theirs. If you want to convince him to do what you want then offer a bunch of $$$$. The code is right there in the repo released under an open license, these companies can patch locally or maintain a fork if it's so critical to their infrastructure.

Also companies usually call it service agreements not extortion, but I mean, I think you're on to something here.

Xarn
Jun 26, 2015
What if both things can be true? NPM ecosystem is a hilarious trashfire and big corps are only allowed to complain when they aren't trying to profit off free stuff?

Hammerite
Mar 9, 2007

And you don't remember what I said here, either, but it was pompous and stupid.
Jade Ear Joe

Xarn posted:

What if both things can be true? NPM ecosystem is a hilarious trashfire and big corps are only allowed to complain when they aren't trying to profit off free stuff?

This seems like a good takeaway to me.

Rather than us having a multi-page digression on the ethics and politics of open source and of companies seeking to exploit it as a resource. It's a topic that's worthy of/worth containing in (depending on how you see it) its own thread really (and there is an active one in YOSPOS right now).

The linked Github thread makes a lot of references to something called "prototype poisoning". I had never heard of this before. A search turned up this explanation: https://medium.com/intrinsic/javascript-prototype-poisoning-vulnerabilities-in-the-wild-7bc15347c96

People use this language? like, to do more than just write web pages?

Volte
Oct 4, 2004

woosh woosh
Don't worry everyone, maybe the lodash guy will transfer the repository to someone else to maintain, which will solve this whole thing.

Qwertycoatl
Dec 31, 2008

Why is some untrusted string getting eval()ed anyway, half-assed sanitisation regex or not?

Ghost of Reagan Past
Oct 7, 2003

rock and roll fun

Hammerite posted:

I named my street Church Lane and the next street Church Lanе and all these loving incompetent postal workers are constantly complaining that they can't tell the difference as if that's my loving problem!!!

pokeyman
Nov 26, 2006

That elephant ate my entire platoon.
I didn't think "stupidity of street names" was on my list of considerations for where I'd want to live, but I guess I'm learning new things about myself.

ynohtna
Feb 16, 2007

backwoods compatible
Illegal Hen
Notice to all citizens:
Due to a regretful data migration error, all postal items will now and henceforth be delivered to 0 null void.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...
Do this for anything marked *auto* and you've just made a whole lot of people happy

ultrafilter
Aug 23, 2007

It's okay if you have any questions.



Queens is just so goddamned special.

xtal
Jan 9, 2011

by Fluffdaddy
How is it that javascript development just keeps getting worse and worse? Y'already had left-pad

Presto
Nov 22, 2002

Keep calm and Harry on.

ynohtna posted:

Notice to all citizens:
Due to a regretful data migration error, all postal items will now and henceforth be delivered to 0 null void.

I got a letter from a lawncare company once that opened with "Hello, NULL!"

redleader
Aug 18, 2005

Engage according to operational parameters

Presto posted:

I got a letter from a lawncare company once that opened with "Hello, NULL!"

i don't think there's a person alive who hasn't received at least one email with broken templating

Carbon dioxide
Oct 9, 2012

Actually, the most common "broken mail" thing I get in my mailbox are mails sent by some sort of newsletter mass-mail tooling where the from address is not set correctly to an address belonging to the newsletter's domain. If they have links in them or something that don't match the from address domain, gmail's spam filter, at least, dumps them directly into spam.

JawnV6
Jul 4, 2004

So hot ...

repiv posted:

Why is this such a common bug across different hardware and kernels? How hard is it to count upwards? :stonk:

https://twitter.com/mgattozzi/status/1222598434655330304

Having worked on the silicon side, rust whining about ‘silicon bugs’ strikes me as incredibly immature. Calling their own misunderstanding of speculative execution someone else’s bug.

repiv
Aug 13, 2009

JawnV6 posted:

Having worked on the silicon side, rust whining about ‘silicon bugs’ strikes me as incredibly immature. Calling their own misunderstanding of speculative execution someone else’s bug.

The platform APIs they are calling are explicitly supposed to be monotonic, how is that not someone else's bug?

e.g. on Windows they are calling QueryPerformanceCounter and MSDN is pretty unambiguous on the matter



I know there are footguns related to using RDTSC directly but that's not what Rust is doing

repiv fucked around with this message at 20:16 on Feb 3, 2020

raminasi
Jan 25, 2005

a last drink with no ice

redleader posted:

i don't think there's a person alive who hasn't received at least one email with broken templating

My girlfriend received a recruiting email to [DIVERSITY CANDIDATE] once.

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

Qwertycoatl posted:

Why is some untrusted string getting eval()ed anyway, half-assed sanitisation regex or not?

So what's going on is that _.template(), which has been removed in the latest version of lodash, generates JS code at runtime and runs new Function() to compile the template.

As a convenience for debugging, it allows you to put in a special //# sourceURL=./foo/myTemplate.js which debuggers can pick up and map back to the original. In theory, if someone passes in { sourceURL: "foo\nalert('haxx0r lol')" }, then it will run that code. But there is a check in lodash for this to sanitize such newlines, but it doesn't quite check correctly. It checks for \r and \n, but forgot about the Unicode newlines.

Now, no sane person would ever explicitly pass in an untrusted sourceURL to begin with. That's where prototype poisoning comes in. Inheritance in JavaScript works differently than in some other languages. Objects chain their properties from a parent, and every normal {} object shares a global parent, called "Object.prototype". If someone is able to somehow modify Object.prototype to add a sourceURL property with an attacker-controlled value, then this turns it into an RCE. Note that prototypal inheritance isn't specific to JavaScript, lots of languages work this way.

Much like return-oriented programming, the exploit isn't necessarily in lodash, it's just a gadget here. lodash just has a conveniently obvious eval in the form of _.template. The real exploit is what let someone modify Object.prototype, since that can do damage literally anywhere.

That said, _.template is an awful idea to begin with. That's why it was removed in future versions of lodash. Sanitizing the sourceURL for unicode is also a bit of a weak fix. But hopefully that explains what's going on.
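The two weaknesses Suspicious Dish describes, the newline check that only knows \r and \n and the sourceURL that arrives through the prototype chain, shown in isolation beside hardened versions. This is an added example, not lodash's code; the function names and the sample option objects are mine.

```javascript
// Added example, not lodash's code: the two weaknesses from the post in
// isolation, each beside a hardened version. All names are hypothetical.

// The value lands inside a `//# sourceURL=...` line comment. A line comment
// ends at any JavaScript LineTerminator, and the spec lists four: U+000A,
// U+000D, U+2028 and U+2029. Checking only the first two is the gap.
const WEAK_LINE_TERMINATORS = /[\r\n]/;
const ALL_LINE_TERMINATORS = /[\r\n\u2028\u2029]/;

function weakIsSafeSourceURL(value) {
  return typeof value === "string" && !WEAK_LINE_TERMINATORS.test(value);
}

function isSafeSourceURL(value) {
  return typeof value === "string" && !ALL_LINE_TERMINATORS.test(value);
}

// How many lines a JS lexer sees in the generated comment; more than one
// means the remainder of the value would be compiled as code.
function lexerLineCount(sourceURL) {
  return ("//# sourceURL=" + sourceURL).split(ALL_LINE_TERMINATORS).length;
}

// Vulnerable shape: `options.sourceURL` walks the prototype chain, so a value
// planted on the prototype is picked up although the caller never set it,
// and the weak check lets U+2028 through.
function weakReadSourceURL(options) {
  const value = options.sourceURL;
  if (value === undefined) return undefined;
  if (!weakIsSafeSourceURL(value)) throw new Error("bad sourceURL");
  return value;
}

// Hardened shape: only an own property counts and every line terminator is
// rejected. Callers building options with Object.create(null) remove the
// shared prototype entirely, which is a good companion measure.
function readSourceURL(options) {
  if (!Object.prototype.hasOwnProperty.call(options, "sourceURL")) {
    return undefined;
  }
  const value = options.sourceURL;
  if (!isSafeSourceURL(value)) {
    throw new Error("sourceURL contains a line terminator");
  }
  return value;
}

// Constructed inputs. The poisoned object uses a throwaway prototype rather
// than Object.prototype so running this file does not pollute the runtime; in
// the real bug the planted property lives on Object.prototype itself.
const POISONED_OPTIONS = Object.create({ sourceURL: "x\u2028/* injected */" });
const CLEAN_OPTIONS = { sourceURL: "./foo/myTemplate.js" };

function demo() {
  return {
    weakAcceptsInherited:
      weakReadSourceURL(POISONED_OPTIONS) === POISONED_OPTIONS.sourceURL,
    linesSeenByLexer: lexerLineCount(POISONED_OPTIONS.sourceURL),
    hardenedIgnoresInherited: readSourceURL(POISONED_OPTIONS) === undefined,
    hardenedKeepsOwnValue: readSourceURL(CLEAN_OPTIONS) === CLEAN_OPTIONS.sourceURL,
  };
}

console.log(demo());
```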

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe
Also npm isn't any worse than Perl's CPAN, Ruby Gems and Python's PyPI. Similar security disasters are starting to happen there.

Qwertycoatl
Dec 31, 2008

Thanks for the explanation. I'm glad my job just uses noted non-security-nightmare language C.

pokeyman
Nov 26, 2006

That elephant ate my entire platoon.

Suspicious Dish posted:

Also npm isn't any worse than Perl's CPAN, Ruby Gems and Python's PyPI. Similar security disasters are starting to happen there.

It's strictly worse in that JavaScript has (had?) a woeful stdlib and for some reason JS people drag in a dependency for every single line of code. Though I guess you could argue that's not inherent to npm.

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe
Yeah, the culture of node/npm is somewhat different than the traditional culture of those other languages. I think a lot of that came down to how relatively easy it was to run npm install, compared to virtualenv/setuptools/pip or whatever, and again, the pretty miserable stdlib experience in node.

But now that those tools are starting to get easy to use and commonplace, and Python is starting to see even bigger adoption because of TensorFlow + PyTorch, we're seeing more and more security issues, e.g. https://twitter.com/x0rz/status/994116668086542336

I remember reading long, long ago that someone went to a big Ruby conference and handed out cards that said "sudo gem install farts" or something and all that package did was ping home how many times it was run and how often it was run with sudo, and the answer was a depressingly large amount.

And this was years before node.js even existed.
