leftpaddotpy

@leftpaddotpy@hachyderm.io

purely dysfunctional programmer, soft and snuggly version; they/she.

b0rk, to random
@b0rk@jvns.ca avatar

what's your favourite third-party command line git tool? Mostly interested in tools that just do 1 thing (like git-absorb or delta or git-vee), not so much full git UIs like lazygit or magit. Also not looking for prompt tools like starship right now.

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@glyph fyi that one has been effectively replaced with the cli called "gh". but for some reason they didn't deprecate hub? wat.

dfeldman, to random
@dfeldman@hachyderm.io avatar

If there were another binary backdoor similar to the xz attack that was found today... how would you find it?

(The xz attack was found by chance and some trivial issues that caused performance degradation)

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@raito @alanc @dalias i would absolutely believe autoconf files to be a vector for malicious code, they're incomprehensible macro noise by nature, and this is just speaking as a nixos maintainer for whom these files are simply constantly broken and should not be used regardless of malice

tbh my view is that release tarballs that aren't simply the git state are a practice that should be abolished. or at least we should diff the heck out of them and figure out how to catch malicious autoconf.

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@raito @alanc @dalias wonder if the solution here is to construct things to evaluate whether an autoconf script is one that could have been generated by any released version of autoconf and check the maintainers' work, so we could find out if there's malicious stuff going on (even if distros just ignore the release tarball anyway)

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@alanc @rst @raito @dalias yeah. which means really we have a responsibility to either make it possible to get those exact versions via docker or nix or so, or we need to abolish putting autoconf files in tarballs
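
Added example, not part of any post in this thread: one way to "diff the heck out of" a release tarball is to hash every file in it and compare against the git tree at the release tag, so that tarball-only files (typically generated autoconf output) and files that differ from git are listed for review. The file names, contents and the `build_sample_tarball` helper are constructed for illustration.

```python
import hashlib
import io
import tarfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tarball_digests(tar_bytes: bytes, strip_components: int = 1) -> dict:
    """Map path -> sha256 for each regular file (links and dirs are skipped)."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            path = "/".join(member.name.split("/")[strip_components:])
            digests[path] = sha256(tar.extractfile(member).read())
    return digests

def compare_to_git(tar_digests: dict, git_digests: dict) -> dict:
    """Classify tarball files against the git tree at the release tag."""
    shared = tar_digests.keys() & git_digests.keys()
    return {
        "only_in_tarball": sorted(tar_digests.keys() - git_digests.keys()),
        "only_in_git": sorted(git_digests.keys() - tar_digests.keys()),
        "modified": sorted(p for p in shared if tar_digests[p] != git_digests[p]),
    }

def build_sample_tarball(files: dict, top: str = "demo-1.0") -> bytes:
    """Constructed sample input: an in-memory .tar.gz holding `files`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{top}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed data: the tagged git tree, and a tarball that adds a generated
# configure script and ships an m4 macro that no longer matches git.
GIT_TREE = {"configure.ac": b"AC_INIT([demo],[1.0])\n",
            "m4/check.m4": b"AC_DEFUN([DEMO_CHECK],[:])\n",
            "src/main.c": b"int main(void){return 0;}\n"}
TARBALL = build_sample_tarball({**GIT_TREE,
                                "configure": b"#!/bin/sh\n# generated\n",
                                "m4/check.m4": b"AC_DEFUN([DEMO_CHECK],[: changed])\n"})

if __name__ == "__main__":
    git = {path: sha256(data) for path, data in GIT_TREE.items()}
    for kind, paths in compare_to_git(tarball_digests(TARBALL), git).items():
        print(kind, paths)
```

On a real project the git side can come from `git archive --format=tar <tag>` fed through the same `tarball_digests` with `strip_components=0`; anything under "modified" is a file whose shipped bytes never appeared in the reviewed history.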

joeyh, to random
@joeyh@hachyderm.io avatar

I rag on github a whole lot, but this is one feature it has that I really like.

Since JiaT75 backdoored xz-utils, I have blocked him and now get to see a warning in every project he touched.

I hope wasmtime et al. are doing some careful review..

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@joeyh i blocked all the pro stallman open letter signers with a script years ago, and i can find which projects are most likely to be toxic by the number of blocked contributors on them. for some reason i have never found the blocked contributors to have done anything substantive though. it's funny how right wingers claim they do everything and actually ... do not.

leftpaddotpy, to random
@leftpaddotpy@hachyderm.io avatar

pushes ur compiler off a shelf like a cat breaking a vase
CLANG!!!

leftpaddotpy, to random
@leftpaddotpy@hachyderm.io avatar

software engineering strategy: make the program crash and dump core cleanly and early.

fun fact: signed overflow can be made to crash 100% of the time in a substantive code base with nearly zero (gcc) to immeasurably low overhead (clang). and then you don't have to think about it doing unpredictable UB ever again.

simply pass: -fsanitize=signed-integer-overflow -fsanitize-undefined-trap-on-error to the compiler

in rust
[profile.release]
overflow-checks = true

leftpaddotpy, to random
@leftpaddotpy@hachyderm.io avatar

girl are you the ipv4 address space because you seem completely exhausted

leftpaddotpy, to postgres
@leftpaddotpy@hachyderm.io avatar

good evening! do you use #gnu software of any description? #postgres? #zsh?

have you found the manuals annoying and hard to find things in, or telling you to go f-- err i mean read the info page?

consider using the single page builds of such reference manuals on https://docs.jade.fyi

they have nice CSS and no page splitting so you can simply hit ctrl f

leftpaddotpy, to random
@leftpaddotpy@hachyderm.io avatar

OH: "that's the thing, at least it's pure. if it's garbage at least it is purely functional garbage"

terrorjack, to haskell
@terrorjack@functional.cafe avatar

one aspect #haskell still sucks is build parallelism:

  1. vanilla cabal builds are coarse grained and have component level build dependency

  2. cabal/ghc has multiple home units now but that's only for repl for the time being

  3. cabal/ghc has semaphores now so multiple ghc --make -jsem processes can share cpu cores without oversubscribing. which is nicer, but not nice enough

  4. semaphore format is home brew and not something more standard like make jobserver. hard to fit in external build systems

  5. external build systems resort to using oneshot mode instead of make mode, so one ghc invocation produces one .hi .o pair, and a fair amount of cpu cycles is wasted compared to make mode due to repeatedly building context that could have been shared

  6. more importantly, once .hi of upstream module is emitted, before ghc -c exits, downstream module should queue for compilation immediately. but this is tricky to implement and often omitted

  7. ironically the wasted cpu cycles in ghc oneshot mode is often compensated by increased parallelism. because external build systems parse cabal metadata but breaks cabal component level dependency wall

  8. but now there's a thing called cabal custom setup and now you need to resort to actually respecting Setup.hs for those packages and they can easily become bottlenecks of a build

  9. the people equipped with knowledge to fix the situation thoroughly have tons of more important issues on their plate

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@terrorjack and as you undoubtedly know there's the workspace abuses that can be done to hand the entire thing to ghc: https://jade.fyi/blog/cabal-test-dev-trick/

another annoying thing about the one shot mode is that it's necessary to be able to distrust the incremental compilation of ghc and have a build system without a concept of previous build. so you have this very frustrating tension between good parallelism and incremental builds in such systems and i have no idea of a proper solution: https://jade.fyi/blog/the-postmodern-build-system/

beka_valentine, to random

i've discussed this before in the context of decentralization and why so much of the web has become a giant pile of shit tools but it's worth repeating bits of it, so here goes

https://sfba.social/@marcidy/111964900301293558

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@beka_valentine use NixOS lmao

we have "put the horrible garbage in an aggressive sandbox during builds" so it becomes reproducible horrible garbage that does actually have strong constraints on what it fucks with on the system. (also everyone's docker images are horrible and probably outdated base images and whatever; i just cannot trust them given how absolutely scuffed container build processes are)

terrorjack, to haskell
@terrorjack@functional.cafe avatar

ok. sparks is indeed a nice way to get work stealing nested parallelism for free in #haskell, as long as you work with spark# directly and don't use par, pseq or anything built upon these combinators

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@terrorjack oh no lol, why is the lib so unfit for purpose?

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@terrorjack though, don't you need something seq like anyway to let it figure out the evaluation order itself?

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@terrorjack i see, but you need to be able to force a spark from another spark no?

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@terrorjack How would this work with dynamic parallelism structures where you actually do want to spawn sparks from your sparks? I do agree it's probably more sensible that this is a monad tho, it's very monad shaped overall.

fasterthanlime, (edited ) to random
@fasterthanlime@hachyderm.io avatar

I'm fairly sure I'm good but just checking: is there any reason to censor a Wireshark stream of what happens when plugging in my home computer?

My reasoning is that anything that matters should be encrypted with TLS or other, that the LAN addresses are useless, and I'm even okay with my public IPv4/IPv6 addresses leaking.

With that in mind.. can you think of anything else that shouldn't end up on the YouTubes?

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@fasterthanlime i wrote a bad pcap anonymizer inside https://github.com/lf-/clipper which eats hardware addresses and ips and assigns deterministic replacements (depending on order in the capture iirc). it is not at all comprehensive (e.g. i think my usage doesn't have a real layer 2) but it was what i used to put captures in my test suite without disclosing ip addresses or macs or other fingerprintable info
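
Added example, not code from the post above or from the clipper repository: a sketch of the approach the post describes, replacing hardware and IPv4 addresses with deterministic stand-ins assigned in order of first appearance, then repairing the IPv4 header checksum. The frame layout (untagged Ethernet II carrying IPv4), the replacement ranges and the sample frames are assumptions constructed for illustration.

```python
import ipaddress
import struct

class AddressMapper:
    """Assigns replacement addresses in order of first appearance."""
    def __init__(self):
        self.macs, self.ips = {}, {}

    def mac(self, real: bytes) -> bytes:
        # 02:00:00:xx:xx:xx is locally administered, unicast.
        n = len(self.macs) + 1
        return self.macs.setdefault(real, b"\x02\x00\x00" + n.to_bytes(3, "big"))

    def ip(self, real: bytes) -> bytes:
        # Replacements come from 10.0.0.0/8 (private space).
        n = len(self.ips) + 1
        return self.ips.setdefault(real, (ipaddress.IPv4Address("10.0.0.0") + n).packed)

def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def anonymize_frame(frame: bytes, m: AddressMapper) -> bytes:
    out = bytearray(frame)
    out[0:6] = m.mac(frame[0:6])      # destination MAC
    out[6:12] = m.mac(frame[6:12])    # source MAC
    if frame[12:14] == b"\x08\x00" and len(frame) >= 34:  # IPv4
        ihl = (frame[14] & 0x0F) * 4
        out[26:30] = m.ip(frame[26:30])   # source IP
        out[30:34] = m.ip(frame[30:34])   # destination IP
        out[24:26] = b"\x00\x00"          # zero, then recompute header checksum
        out[24:26] = struct.pack("!H", ipv4_checksum(bytes(out[14:14 + ihl])))
    # Not handled: TCP/UDP checksums, ARP/DHCP payloads, hostnames, IPv6.
    return bytes(out)

def anonymize_capture(frames):
    mapper = AddressMapper()
    return [anonymize_frame(f, mapper) for f in frames]

def sample_frame(dst_mac, src_mac, src_ip, dst_ip) -> bytes:
    """Constructed input: Ethernet header plus a bare 20-byte IPv4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 253, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + b"\x08\x00" + ip

MAC_A, MAC_B = bytes.fromhex("3c5282aabbcc"), bytes.fromhex("f4f26d112233")
FRAMES = [sample_frame(MAC_B, MAC_A, "192.168.1.23", "192.168.1.1"),
          sample_frame(MAC_A, MAC_B, "192.168.1.1", "192.168.1.23")]
```

Because the mapping is keyed on the real address, both directions of a conversation stay paired in the output, which keeps the capture useful for a test suite or a recording while removing the original identifiers from the headers.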

leftpaddotpy, to random
@leftpaddotpy@hachyderm.io avatar

wow the signal usernames design is good actually:

  • username is exclusively an "adding you" thing
  • this is because they are one way of getting an invitation to chat with you
  • there's also randomized and resettable links that can be shared for this
  • usernames must always have discriminator numbers, which can be freely selected
  • usernames aren't shown to anyone you are in chats with
  • by default phone numbers are no longer shared with chats

this seems to have basically Fixed it

riley, (edited ) to random
@riley@social.audiovalentine.com avatar

It seems like my five year old Thinkpad X1C7's keyboard is starting to fail. Repairing it would probably be at least $400. Should I:

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@riley wow why is it $400 to fix it? the replacement keyboard couldn't possibly be more than like 200 right?!

hazelweakly, to random
@hazelweakly@hachyderm.io avatar

One thing that's wild to me is that we've gotten fairly solid at building distributed systems that are resilient, workable, and fairly decently designed... As soon as they hit a certain amount of scale, and only then.

So much shit out there just gets slapped together with every single cloud scale mega-cluster service and tool like it's a limited edition box of candies that's going out of stock

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@hazelweakly also implicit in this is that you never have to build another stateful cluster. which is obviously a completely bullshit assumption! at some point you start having your cluster be too big that the software inside is beyond reasonable limits and you need to split it.

hrefna, to random
@hrefna@hachyderm.io avatar

Flatly, no nonsense: Y'all need help.

https://github.com/snarfed/bridgy-fed/issues

There are better ways to do this than harassment and brigading.

This is the sort of thing that makes me want to run screaming away from the fediverse for any sort of personal project.

I don't care where you land on the ethics of such, this nonsense is wrong.

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@hrefna i think they need a big press on the ban interactions temporarily button tbh. it's a good button. but people should stop doing this stuff!! gosh

leftpaddotpy, to random
@leftpaddotpy@hachyderm.io avatar

@beka_valentine is the "one big polycule uwu" iww sticker openly licensed somewhere?

leftpaddotpy, to random
@leftpaddotpy@hachyderm.io avatar

OH: "help my (45M) trans open source contributors (23F, 24F, 22F, 25F, ...) have unionized"

b0rk, (edited ) to random
@b0rk@jvns.ca avatar

has anyone used a tool that gives you an equivalent of git reflog for the staging area, so that you can undo any changes you make to it, even if you ‘git reset --hard’?

feels a bit weird that git obsessively tracks every change you ever make, except to the staging area, where it doesn't track anything at all

(I know jj does this and I know how to hack it together with git hooks, but I'm curious about if anyone actually uses a tool that does this)

leftpaddotpy,
@leftpaddotpy@hachyderm.io avatar

@b0rk wish git stash actually worked the way I expect, also. I had a minor near-data-loss restore -SW incident yesterday and it makes me think: we could just stash that stuff, if the stash cli didn't seemingly always do something orthogonal to what a commit operation would do

leftpaddotpy, to random
@leftpaddotpy@hachyderm.io avatar

The CTF team I play on at UBC in Vancouver, @maplebaconctf, has just released a post about how to take action as a Canadian about the Public Safety Canada attempt to ban hardware development tools like the Flipper Zero.

Tools like the Flipper help us repair old tech, find and report security issues, and more.

You can read about who's responsible and a guide of how to take action here: https://maplebacon.org/2024/02/flipper-zero/

(repost for those who've defenestrated .social)
#FlipperZero #cdnpoli #righttorepair
