tbroyer

@tbroyer@piaille.fr

Web development (frontend, Web APIs), Web app security, build tools, Java, Kotlin, Gradle, etc.

tbroyer, to webdev

Announcing Platformer: a set of libraries to help implement:

• attribute reflection in web components following the HTML specification
• WebIDL type coercions for your public JS APIs (including web component properties)

https://github.com/tbroyer/platformer

Comes with ECMAScript decorators (compatible with TypeScript 5.2+ and Babel) for vanilla custom elements and Lit elements.

Currently not published on NPM (as I'm still evaluating whether all of this is a good thing worth pursuing 😂 feedback welcome!)

#webdev #WebComponents #buildWithLit

melix, to random French
@melix@mastodon.xyz

A friend pointed out that my latest post was a bit long. Indeed, I just checked: 15 A4 pages, that's not really a blog post anymore but almost an essay at this point! Somewhere between the two, I'd say :)

tbroyer,

@melix "ChatGPT, give me a summary" 🫣

tbroyer,

@melix <insert meme Doctor in Philosophy: "we're all going to die (eventually)">

(argh, why is there no :troll: emoji when you need one)

develwithoutacause, to til

#TIL any errors thrown in attributeChangedCallback get swallowed. They're not propagated to whoever called el.setAttribute('observed', 'data').

tbroyer,

@zachleat @develwithoutacause Probably because no built-in element would ever throw when changing an attribute.
State is derived from attributes, but attributes don't directly "set" state, and it's not abnormal to sometimes be in some sort of "invalid state" and you have to cope with it.

Would you like it if you had to be careful updating min, max and value in proper order or it would throw?

See https://blog.ltgt.net/web-component-properties/ where I touch on the subject a bit (among other things)

andrewfeeney, to random
@andrewfeeney@phpc.social

Still crazy to me that a credit card is basically your money password written on a card in your wallet. Want to pay over the phone? Just tell us your money password!

tbroyer,

@andrewfeeney In the EU, you have to validate transactions in an app on your phone (works with a push notification; conversely also means you have to have a smartphone compatible with the bank's app and app store).
And for non-remote transactions, all cards (I believe, at least that's the case in France) have been chip-cards with a PIN (or biometric for some) for decades.

nixCraft, (edited ) to infosec
@nixCraft@mastodon.social

Poll: Are you encrypting DNS traffic using protocols such as DoT (DNS over TLS) or DoH (DNS over HTTPS)?

tbroyer,

@nixCraft @stephengentle That's exactly what I did (also installed pi-hole, so pi-hole is the DNS server pushed through DHCP, and it uses the dnscrypt-proxy as upstream, that then uses DNS-over-? I don't remember what kind of encrypted protocol is used 🫣)

b0rk, (edited ) to random
@b0rk@jvns.ca

poll: when you have a merge conflict, how do you prefer to handle it?

tbroyer,

Fwiw, I use (and recommend) Meld: https://meldmerge.org/
But VS Code or IntelliJ IDEA work great too
(and in any case, I invoke it with git mergetool)

davatron5000, to random
@davatron5000@mastodon.social

📝 New post! I spent a bunch of time on this one.

A tale of three architectures: How we built, rebuilt, and then rebuilt Luro + 3 things I've learned about software architecture.

https://daverupert.com/2024/02/three-architectures/

tbroyer,

@davatron5000 Didn't you mix up the numbers of duck-size horses and horse-size ducks? In the list of each architecture you wrote "100 horse-sized ducks" and "1 duck-sized horse", shouldn't that rather be "100 duck-sized horses" and "1 horse-sized duck"?

tbroyer,

@davatron5000 LGTM 👍

rauschma, to random
@rauschma@fosstodon.org

For a static checking tool: What are best practices w.r.t. writing to stdout and stderr? Information: progress, successes, failures.

Update—found material on the web:
– stdout: normal output of program. Everything you want to see if you save it to a file and read it later.
– Only print “live” UI elements such as progress bars if stdout is interactive (directly observed by a user, not piped somewhere etc.).
– stderr: diagnostic or unexpected data not useful to consumers of normal output

tbroyer,

@immibis @rauschma +1, which to me means that the result of the tool (validation failures and warnings) goes to stdout, and stderr is for failures of the tool itself.

nimphal, to random

It has been a while since I've encountered this, but just in case it's not clear - do not, and I mean, do not, validate people's names

tbroyer,
owa, to random
@owa@mastodon.social

Let’s make it very clear. Apple is under NO obligation to kill Web Apps in the EU. It’s a spiteful decision driven from pure greed.

Don’t put up with it, join us in fighting back

https://open-web-advocacy.org/apple-attempts-killing-webapps/

tbroyer,

@owa Do you think Google could argue they're compliant already? given that:
• A2HS is about generating an application and installing it
• they already support third-party application stores that could install such apps
• this is exactly what Samsung does already iiuc (on its devices, as the Samsung Store is only available there), so Mozilla or Microsoft (or others) could possibly do it too, and Samsung could possibly open it up to non-Samsung devices? (given Samsung Internet is available more widely)

(I don't know all the technical details, so I might be entirely wrong)

b0rk, to random
@b0rk@jvns.ca
tbroyer,

@b0rk

> and now git’s default behaviour when your branch has diverged from the upstream is to just throw an error and ask you what to do (very similar to what git pull --ff-only does).

You sure? 'cause unless I missed it, the doc says it will merge (I've had pull.ff=only for years so can't tell from experience).

tbroyer,

@b0rk Oh, also, the core.excludesfile now has a "default value" so you can put your exclusion patterns to ~/.config/git/ignore without anything specific in your gitconfig.

tbroyer,

@b0rk Ah true; the rest of the page is all centered around the fact that "git pull" is sort-of a shorthand for "git fetch && git merge" though.

(reading through this page, and the git-config page for pull.rebase, branch.<name>.rebase and autoSetupRebase, I can't understand what the default behavior is supposed to be 🤷 I'll happily defer to your experience as you seem to be using the default configuration whereas I configured a specific behavior on my end)

tbroyer,

@b0rk This is a great move!
(thanks for the screenshot)

(did I thank you for these posts and conversations about Git? thank you ❤️; just shared this post on work chatroom, like many things you did, and we did buy your zines too)

tbroyer, to react

I think I totally forgot what React Compiler and Offscreen API are. Majority of the rest has already been seen in Next.js, but I have to admit I never really understood what "transitions" are and how to use them (that said, I haven't coded with React for months). Appreciate the small note on web components support, at last!

It's really clear though that what once was a rather "simple" library (functions returning virtual dom; even the magic of hooks wasn't too hard to grok) has become something really really complex over time.

https://react.dev/blog/2024/02/15/react-labs-what-we-have-been-working-on-february-2024

#react #WebComponents

tbroyer, to random

Ha ha, this is a fun (sic) phishing attempt:

  • mail posing as a UAE bank
  • but sent from an Indian investment firm (with valid SPF, DKIM and DMARC, so probably a vulnerable/misconfigured SMTP server on their end);
  • call-to-action links to the Canadian "bikers against pedophiles" (‽) staging website (a page under wp-includes, so probably leveraging a WordPress vulnerability)
  • that redirects to a page on the Czech Pandora website
  • that mimics the UAE bank, asking for credit card details (phishing page has already been removed and I forgot to take a screenshot a few hours ago)

#phishing #spam

panos, to bluesky
@panos@catodon.social

OK this will probably be an unpopular opinion, but regarding the and whether it's ok to be opt-out... For me the discussion doesn't make much sense because this is how fedi works. When you enable federation, your posts are federated to any activitypub-supporting server, unless you opt-out by fediblocking. Do you approve all of these servers? Do you agree with their ToS? Have you read the ToS of all of them, or know where they belong to? No. I know this might make you insecure about your data, but it's better to be honest than create a false impression of control, which then feels attacked when Threads or Bluesky appear. I understand that somebody may not want their content appearing in Zuckerberg's or Dorsey's platform. But they could already be running an AP server that's federated to your server, and you will never know. This is what we signed up for, adopting an open protocol and using software that federates with everyone as the default. And tbh I like it this way - an opt-in federation would be a disaster for smaller servers, it would practically be impossible to federate. By using an AP-enabled server, I'm telling everyone that it's ok to interact with my content - unless I actively block them. It doesn't include an agreement for how or from whom this content will be used. The fact that both servers run AP-compatible software is only a technicality. So if Bluesky implemented AP support it would suddenly be ok that interacting with their users would be opt-out, like with every AP server?

Don't get me wrong, I understand that everyone wants to be in control of their social circle, and I support you if you want to block Threads or Bluesky bridges. But I don't really see how it's unethical to have a bridge that is opt-out, just like any other AP-server. Our only "agreement" is using an open protocol, not any common ToS. ActivityPub is not ethically superior by definition, anyone can adopt it, and we have the right to block them, and this is all by design, it's not a different corner of the internet, everyone in the internet can use the protocol and see/display your public content. The drama every time some server does basically what we allowed them to do and we don't like it, is getting really old quickly. It doesn't "protect" fedi, it only makes it hostile and boring. If you're concerned about who sees your content, please run a followers-only account and control your followers. Running a public account in an openly federated platform and then getting angry when you don't agree with every single server you're federating with is a recipe to make sure you'll be angry for years to come.

tbroyer,

@panos @hsivonen This is not much different from free/libre open source software in a sense: you may not like that some people use the software you create, but if it's FLOSS then that's what you signed for, and adding terms to the license to prevent such use would make it no longer FLOSS.

That's how GAB can use Mastodon, 4chan can be built with PHP and YUI, etc. whether you like them or not.

melix, to random French
@melix@mastodon.xyz

"Let's try, and if it doesn't work, we'll have learned something." This maxim, often praised, is nevertheless misleading. Under the guise of common sense, it is widely used in management to justify decisions based solely on intuition or, worse, belief. Yet that ignores the fact that some failures are predictable.

tbroyer,

@melix For ability grouping, it may not be so clear-cut: https://x.com/JulienPain/status/1755703776747417793?s=20

> A PISA study, however, reaches a different conclusion. It explains that these ability groups can be useful. But under two conditions. First, that these groups be limited to certain subjects, not all teaching. That is the case with G. Attal's reform
> But also that these groups be limited in time, which would not a priori be the case here.

According to the replies on X, this is in place in Switzerland with good results 🤷

scrwd, to random
@scrwd@mastodon.social

Just a thought - not necessarily a good one - if I created a custom element <site-layout> and use it to insert blocks of content into specific <slot> elements it could create for quite lean pages - but I guess it would mean using shadow dom too…

I wonder if this is something @enhance_dev makes better - I need to take a look again.

<site-layout>
 <h1 slot="header">Title</h1>
 <nav slot="sidebar">…</nav>
 <main slot="content">…</main>
</site-layout>

tbroyer,

@scrwd That's definitely where Enhance or WebC would shine (IIRC, Marko too, probably Astro as well).
You'd "just" be using the custom element syntax for server-side templating though, not a "true" web component, so you could just as well use other server-side templating languages.

tbroyer,
aeris, to random French
@aeris@firefish.imirhil.fr

With Rust, I feel like I'm back in a certain era of NodeJS or Go and Debian…
"Requires rust 1.68 minimum". Debian:

# apt-cache policy rustc            
rustc:
  Installé : 1.63.0+dfsg1-2
  Candidat : 1.63.0+dfsg1-2
 Table de version :
 *** 1.63.0+dfsg1-2 500
        500 http://ftp.fr.debian.org/debian bookworm/main amd64 Packages

Oh right, you need Debian testing… 😑

tbroyer,

@aeris …or go get packages provided by the projects themselves (or by trusted third parties), e.g. https://nodejs.org/en/download/package-manager#debian-and-ubuntu-based-linux-distributions for Node, https://adoptium.net/installation/linux/ for Java

…and https://docs.docker.com/engine/install/debian/#install-using-the-repository for Docker :troll:

(for Rust and others though, no idea)

nixCraft, (edited ) to random
@nixCraft@mastodon.social

Poll: Have you ever been up all night coding a project?

tbroyer,

@hvangalen @nixCraft Same here, personal projects only.

b0rk, to random
@b0rk@jvns.ca

what are your favourite git config options to set? Right now I only really have git config push.autosetupremote true and git config init.defaultBranch main set in my ~/.gitconfig, curious about what other people set

(diff algorithm patience? a custom diff/merge tool? enable rerere?)

tbroyer,

@b0rk I set pull.ff=only, and wonder why I don't put rebase.autoStash=true and rebase.autoSquash=true as I almost always pass them on the command line.
