@carol@crabby.fyi

carol

Cis. Author of The Rust Programming Language book. Crates.io team. Integer 32 co-founder. Pittsburgher. Elated and gassy.

I'm probably not going to approve your follow request unless we've interacted IRL.


carol, to random
@carol@crabby.fyi avatar

Open source is not anything DHH says it is

carol, to rust
@carol@crabby.fyi avatar

I love what @leahawasser is doing with the pyOpenSci open peer review of packages https://www.pyopensci.org/about-peer-review/ that results in a list of recommended packages https://www.pyopensci.org/python-packages.html

This seems like a way more effective and accessible solution to the "what libraries are appropriate to use" problem than, say, cargo-crev.

carol, to random
@carol@crabby.fyi avatar

I AM HERE! 🐍🦀 a crab amongst the snakes

carol, to rust
@carol@crabby.fyi avatar

I wrote a guest post on the Rust Foundation blog on my experience attending the Open Source Software Security Summit:

https://foundation.rust-lang.org/news/attending-cisas-open-source-software-security-summit/

Di4na, to random
@Di4na@hachyderm.io avatar

What about "yet giving the ability to give advice require deeper proof of expertise and understanding of the life of maintainers?"

Said otherwise. Fuck off.

>>> yet granting someone administrative access to the source code as a maintainer requires a higher level of earned trust, and it is not given away as a “quick fix” to any problem.

https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/

carol,
@carol@crabby.fyi avatar

@Di4na lmao. "Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, of not doing enough for the project, etc. might be part of a social engineering attack."

This just in: OpenSSF declares OpenSSF scorecard to possibly be a social engineering attack

carol, to random
@carol@crabby.fyi avatar

what would it look like if forking an oss project wasn't seen as hostile, but was an acceptable way of making a family of projects that choose different tradeoffs?

carol, to random
@carol@crabby.fyi avatar

the lesson I'm choosing to take from xz, as an oss maintainer, is that anyone trying to pressure or guilt me into doing something should immediately be told no, for security reasons

timClicks, to random
@timClicks@mastodon.nz avatar

The coolest thing about Rust Nation UK 2024 confirmed all my worst fears about software supply chain security (and then xz made things worse) https://tim.mcnamara.nz/post/746402277639782400/supply-chain

carol,
@carol@crabby.fyi avatar

@timClicks what sort of checks would you like to have seen?

luis_in_brief, to random
@luis_in_brief@social.coop avatar

🔥 it’s a core mistake of the movement that OSI (and maybe Creative Commons, though it is differently situated) emphasized licensing so disproportionately over community in the early 2000s.
https://hachyderm.io/@mattdm/112134152636307431

carol,
@carol@crabby.fyi avatar

@luis_in_brief does this point to a need for an organization to be created that does have a human+community-centric vision?

carol, to rust
@carol@crabby.fyi avatar

I'm on the program committee for this year, and the CFP is open now until April 25! https://sessionize.com/rustconf-2024

You should submit a talk! Yes, you!!

carol,
@carol@crabby.fyi avatar

Here's my Top Secret™️ tip for writing a great talk proposal:

Be as specific as possible about what an attendee of the talk will get out of it.

That's it. Lots of proposals don't do this, and because the proposals are reviewed without identifying information about the submitter, it's sometimes hard to tell if a talk is going to provide useful info, be a vendor pitch, or not have anything substantial to say.

carol, to random
@carol@crabby.fyi avatar

the RMS trash picker, for all your RMS trash picking needs. or as i've recently taken to calling it, RMS plus trash.

carol, to rust
@carol@crabby.fyi avatar

I'm pleased to announce that @chriskrycho has agreed to join me as a co-author of The Rust Programming Language book! 🎉

I'm incredibly excited to work with Chris-- we're going to be adding a chapter on async, at long last 😁

#RustLang

epage, to rust
@epage@hachyderm.io avatar

Hot take: The #rustlang community is wrong in their MSRV (minimum supported Rust version) policies, making things harder on maintainers without helping their users.

Generally, maintainers follow an "N-M" policy, meaning they support a fixed number of versions back from stable (e.g. with stable at 1.76, an N-2 policy would support 1.74).

What we should instead be doing is specifying fixed versions (N%M==0), maybe with a grace period (e.g. "N%5 for MSRV with upgrades deferred by a release").

carol,
@carol@crabby.fyi avatar

@epage i'm feeling spicy, might delete later, but:

  • crate MSRVs don't mean much without a rustc LTS
  • anyone asking an OSS crate for something other than what the maintainer feels like doing (either upgrading faster or supporting further back) should be paying the maintainer for it
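
As an added illustration of the two MSRV schemes epage contrasts above (this is not code from either poster): the rolling "N-M" policy moves the MSRV on every stable release, whereas a fixed "N%M==0" policy with a one-release grace period moves it only once every M releases. The policy parameters (M = 2 for rolling, M = 5 with grace 1 for fixed) and the release range 1.60 to 1.76 are assumptions chosen to match the numbers in the thread; versions are represented by the minor component of Rust 1.x.

```rust
// Added illustration (not code from epage's or carol's posts): compare how
// often a crate's MSRV changes under a rolling "N-M" policy versus a fixed
// "N%M==0" policy as stable Rust advances. Versions are the minor component
// of Rust 1.x (1.76 -> 76); the policy parameters and release range are
// assumptions chosen to match the numbers in the thread.

/// Rolling policy: MSRV is always `m` releases behind stable (N-M).
/// With stable at 1.76 and m = 2 this yields 1.74.
pub fn msrv_rolling(stable: u32, m: u32) -> u32 {
    stable.saturating_sub(m)
}

/// Fixed-version policy: MSRV is the newest release whose number is a
/// multiple of `m` (N%M==0), adopted only once `grace` further releases
/// have shipped. With m = 5 and grace = 1, stable 1.76 gives 1.75, while
/// stable 1.75 still gives 1.70 because adopting 1.75 is deferred by one release.
pub fn msrv_fixed(stable: u32, m: u32, grace: u32) -> u32 {
    let candidate = stable.saturating_sub(grace);
    candidate - candidate % m
}

/// Number of times the MSRV produced by `policy` changes while stable
/// advances one release at a time from `from` to `to` inclusive.
pub fn bump_count(from: u32, to: u32, policy: impl Fn(u32) -> u32) -> u32 {
    let mut bumps = 0;
    let mut prev = policy(from);
    for stable in (from + 1)..=to {
        let cur = policy(stable);
        if cur != prev {
            bumps += 1;
            prev = cur;
        }
    }
    bumps
}

fn main() {
    // Assumed range: stable 1.60 through 1.76.
    let (from, to) = (60, 76);
    let rolling = bump_count(from, to, |n| msrv_rolling(n, 2));
    let fixed = bump_count(from, to, |n| msrv_fixed(n, 5, 1));
    println!("N-2 policy:      {rolling} MSRV bumps over 1.{from}..1.{to}");
    println!("N%5, 1 grace:    {fixed} MSRV bumps over 1.{from}..1.{to}");
}
```

Over those 17 releases the rolling policy bumps the MSRV 16 times and the fixed policy 4 times; each bump is a release a maintainer must cut and a version a downstream user must chase, which is the cost the post is arguing about.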

carol, to rust
@carol@crabby.fyi avatar

The #RustLang Foundation is hiring another infrastructure engineer! https://foundation.rust-lang.org/careers/

timClicks, to random
@timClicks@mastodon.nz avatar

Them: The endpoint returns a 200 OK response with no body
Me: ಠ_ಠ
Them: ...?
Me: HTTP 204 was right there

carol,
@carol@crabby.fyi avatar

@timClicks which would you rather have: 200 with no body, or 204 WITH a body (which I encountered recently)?

kurtseifried, to random

Do you know who is to blame for bad passwords in the 23andme hack? Find out with @joshbressers and me on the #osspodcast https://opensourcesecurity.io/2024/01/21/episode-412-blame-the-users-for-bad-passwords/ TL;DR: It's complicated.

carol,
@carol@crabby.fyi avatar
luis_in_brief, to random
@luis_in_brief@social.coop avatar

Put out a post trying to explain the case to normies. Lots of nuance lost in a post of this length, of course, but the tldr is that @conservancy had a very significant win. Some more details, a lot of which wouldn't fit in the post, in 🧵.

https://blog.tidelift.com/will-the-new-judicial-ruling-in-the-vizio-lawsuit-strengthen-the-gpl

carol,
@carol@crabby.fyi avatar

@luis_in_brief courts will look favorably on us software folks filing a bunch of lawsuits, with the only change being the license involved, in order to fuzz the laws, right? right??? 😉

fasterthanlime, to random
@fasterthanlime@hachyderm.io avatar

Starting to think that CEOs using sport metaphors is a red flag

Thinking back on personal experience it certainly seems to be a signal 😬

carol,
@carol@crabby.fyi avatar

@fasterthanlime military metaphors too imo

carol,
@carol@crabby.fyi avatar

@fasterthanlime currently on my list for "most cringe" is "left of boom"

kurtseifried, to random

To put it bluntly: barcodes are a miracle and underappreciated.

Software package identifiers are much harder, which is probably why everyone complains about every existing solution to some degree because they are all. in fact. not great. Because it's a really hard problem. Find out with @kurtseifried and @joshbressers on the #osspodcast https://opensourcesecurity.io/2024/01/07/episode-410-package-identifiers-are-really-hard/

TL;DR: CISA did a REALLY Interesting thought experiment about 4 possible outcomes and you should probably read the paper they produced talking about them.

P.S. I wish I could @cisa

carol,
@carol@crabby.fyi avatar

@kurtseifried @joshbressers just finished listening to this episode, but I haven't read the PURL spec or the CISA paper about how package ID interacts with DNS buuuut... I would LOVE to see people host their Rust crates on their own domain (Cargo supports installing from wherever; hosting a crate index could be easier)! If you meant crates.io should add DNS verification though, yeah no, I'd rather not 😅

kurtseifried, to random

Good news: radios are getting really cheap and low power, heck we stuck one on the cats collar. Bad news: we're sticking radios in everything new, and relying on them, maybe too much? Also, it's amazing that things like GPS even work at all considering how weak the signals are. Find out more with @joshbressers on the #osspodcast https://opensourcesecurity.io/2023/12/10/episode-406-the-security-of-radio/ Also Kurt totally doesn't do illegal things with stuff that isn't legal to turn on, but he does know what happens when you turn on a GPS signal jammer.

carol,
@carol@crabby.fyi avatar

@kurtseifried @joshbressers "I'm going to admit to a felony:" aaaaand any lawyer listening to this has segfaulted.

carol, to random
@carol@crabby.fyi avatar

You put your Altman in,
You take your Altman out,
You put your Altman in,
And you shake him all about,
You do the hokey-pokey and you move VC around,
That's what tech's all about

luis_in_brief, to random
@luis_in_brief@social.coop avatar

A legal brief on the definition of “double spacing”, with not-so-gratuitous swipes at Microsoft Word, is total catnip to me. https://matthewbutterick.com/pdf/jones-line-spacing-motion.pdf

carol,
@carol@crabby.fyi avatar

@luis_in_brief "Defendants conveniently omit from their paper that Defendants themselves have filed documents with the Court in 24-point spacing." OOOOOOH BURN 🔥!

notgull, to random
@notgull@hachyderm.io avatar

Answering a frequently asked question: how do you do concurrent combinators in smol?

https://notgull.net/futures-concurrency-in-smol/

carol,
@carol@crabby.fyi avatar

@janriemer @matze @chriskrycho @notgull Clarification: We are adding an async chapter to the regular The Rust Programming Language book, we are not working on the Async Rust book at https://rust-lang.github.io/async-book/ at this time 😅
