ubernostrum

@ubernostrum@infosec.exchange

The man with the plan and the pocket comb.

Django security team. Ex-Mozillian.

I have enough opinions of my own to tell you about, without wasting time trying to give you my employer's.

Don't forget to tip your servers and normalize your Unicode.


hynek, to random
@hynek@mastodon.social

Shots fired by the flake8 maintainer.

We can have a nuanced discussion about the failures of flake8 etc, but you’ll still have to acknowledge that a VC-backed, non-Python project profited from decades of community work, & has sucked all air out of the space.

It’s not like I’m not using Ruff—but I do it begrudgingly & find the cheerleading around it baffling. It has practically destroyed a part of the ecosystem & it looks like nobody has seen the VC playbook play out.

https://youtu.be/XzW4-KEB664

ubernostrum,

@hynek I’ve been resisting and arguing against Ruff for this reason for a long time, and I’m glad to see the argument gaining traction. There’s no amount of trusting Charlie that can solve this when Charlie is ultimately answerable to his investors.

(I am coming around to a similar opinion on Pydantic)

ubernostrum,

@hynek I don’t think Pydantic is all the way there yet, but I’m worried about it. Not as much as I’m worried about Ruff, though.

ubernostrum,

@agateau @hynek “Kill off all other tools in this space, leaving only a VC-backed one which must now make a 10x return on investment” is not a great thing to encourage, I think.

Also, it’s open-source today, but what happens in a year or two after the VCs clamp down and we see the “exciting new open source journey” post where it switches to a not-actually-open-source license, as so many other things have done?

ubernostrum,

@flameeyes @hynek @ogi You realize Ruff is trying to eat/replace many more tools than just flake8, yes? Your particular burning supernova hatred of a maintainer of one of the tools Ruff is trying to replace is absolutely irrelevant given all the other tools, not maintained by the person you hate, which are also at risk of being subsumed by Ruff.

ubernostrum,

@flameeyes So, you know what the business plan was with Uber? They were going to use billions of dollars of VC investment to do super-cheap rides until all the taxi companies they competed with went bankrupt, and then they'd be able to ratchet their prices up and make back the money in a market where they had a monopoly.

Ruff has VC money subsidizing its development in a way that other code-quality tools don't, which means Ruff can conceivably "do an Uber" to that particular space -- use the money to out-compete everybody else and then, once all the other tools have withered away from lack of users/contributors, how will Ruff's investors get their money back?

That is a thing to be concerned about, and the time to be concerned about it is now. How you personally feel about one of the maintainers of one of those tools is irrelevant.

ubernostrum,

@flameeyes I think that if you are advocating that everyone be punished collectively for what you see as the sins of one maintainer, then we are unlikely to be able to have a constructive discussion. And that certainly seems to be what you're advocating here.

hynek, to random
@hynek@mastodon.social

Copilot just confidently suggested a sweet SQL injection to me.

We’ve got some wild times ahead of us, folks. 🫠

ubernostrum,

@hynek @glyph @danilo Ah yes, little Bobby Copilot, we call him.

zzzeek, to random
@zzzeek@hachyderm.io

There are so many websites that track CVEs and "bug bounties", tracking packages that make use of standard library functions which if they were given untrusted input, could perform harmful acts.

Why are there no websites tracking the individual CVE trolls who are constantly opening frivolous CVEs and wasting everyone's time?

ubernostrum,

@glyph @zzzeek @jay I want a place to report the people who just run an auto tool and “report” that it doesn’t like our DMARC or SPF or whatever and that this is a critical urgent vulnerability we should pay them for the privilege of finding out about.

glyph, to random
@glyph@mastodon.social

idle technology thought:

The "@" symbol as used in email has a sort of poetry to it. It describes a person at a place. It symbolically embeds an understanding of the structure of the network.

Twitter's abuse of the @ symbol to address a person is the protocol design equivalent of a linguistic drift that results in semantic inversion, like the unfortunately popular "I could care less".

In a better world the fediverse would've retreated to custom-scheme URIs rather than double-@ addressing.

ubernostrum,

@glyph My memory is fuzzy but I thought it was a user-originated convention that they later officially adopted (like the hashtag).

tqbf, to random

I wrote a thing and now I can close a bunch of tabs woooo. https://fly.io/blog/macaroons-escalated-quickly/

ubernostrum,

@tqbf Just an FYI, Django also has had simple HMAC-signing functionality for years :)

https://docs.djangoproject.com/en/5.0/topics/signing/
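The post above points at Django's signing module. As an added illustration of the same sign/unsign pattern (this is not Django's code and not ubernostrum's; it only mirrors the design), the stdlib-only block below derives a per-purpose key from a salt, appends a timestamp, verifies with a constant-time comparison, and rejects expired tokens. The `SEP`, salt scheme and error class names are my own choices, not Django's.

```python
"""Minimal HMAC sign/unsign of a string value (added illustration, not Django's implementation)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import time

SEP = ":"  # assumption: field separator; value is leftmost so it may itself contain SEP


class BadSignature(Exception):
    """Signature missing, malformed, or does not match."""


class SignatureExpired(BadSignature):
    """Signature is valid but older than max_age."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _mac(secret: bytes, salt: str, payload: str) -> str:
    # Derive a per-purpose key so a token signed for one salt cannot be replayed under another.
    derived_key = hashlib.sha256(salt.encode("utf-8") + secret).digest()
    return _b64(hmac.new(derived_key, payload.encode("utf-8"), hashlib.sha256).digest())


def sign(value: str, secret: bytes, salt: str = "default", now: float | None = None) -> str:
    """Return value:timestamp:signature."""
    ts = str(int(time.time() if now is None else now))
    payload = f"{value}{SEP}{ts}"
    return f"{payload}{SEP}{_mac(secret, salt, payload)}"


def unsign(signed: str, secret: bytes, salt: str = "default",
           max_age: float | None = None, now: float | None = None) -> str:
    """Verify the signature (constant-time) and optional age, then return the original value."""
    payload, _, sig = signed.rpartition(SEP)
    if not payload or not sig:
        raise BadSignature("no signature found")
    # Always compare with compare_digest so a wrong byte does not short-circuit early.
    if not hmac.compare_digest(sig, _mac(secret, salt, payload)):
        raise BadSignature("signature does not match")
    value, _, ts = payload.rpartition(SEP)
    if max_age is not None:
        age = (time.time() if now is None else now) - int(ts)
        if age > max_age:
            raise SignatureExpired(f"token is {age:.0f}s old, max_age is {max_age}")
    return value
```

The value travels in the clear; signing only guarantees it was not modified, it is not encryption. Passing a fixed `now` makes the behaviour reproducible in tests.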

ubernostrum,

@tqbf I have a philosophy degree. Do you really want to ask me about how long a sentence can be? Because I can give you opinions. With examples.

ubernostrum,

@tqbf slaps roof of sentence

This bad boy can fit so many fucking semicolons in it

ubernostrum, (edited) to random

You are going to see some claims today on social media that Nancy Pelosi inappropriately suggested a relationship between a group of protestors and China (exactly what she said is still being debated). You should know that the protestors in question were affiliated with an organization which receives huge chunks of its funding through (and whose co-founder is married to) this guy:

https://web.archive.org/web/20231006002142/https://www.nytimes.com/2023/08/05/world/europe/neville-roy-singham-china-propaganda.html

As several people have been patiently explaining all day: you likely would have no problem believing it if you were told disruptive protests or anti-government movements in another country were funded/supported by US interests. It is naïve and in fact falls for the myth of American exceptionalism to believe no other country does or can do the same thing to us (and well-documented that several countries very much do).

hynek, to random
@hynek@mastodon.social

Someone who didn’t suffer an outage due to mock-caused falsely passing tests hasn’t used mock long enough. https://fosstodon.org/@jankatins/111827209894488125

ubernostrum,

@hynek @glyph @geofft @tintvrtkovic My stance on those sorts of libraries is that I want them to internally use a requests.Session or an httpx.Client/httpx.AsyncClient and let me pass my own instance in as a constructor/initializer argument.

Which is why all my own libraries that are clients to other services are now doing exactly that.
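The design ubernostrum describes above, as an added example that is not code from the original post or from any of his libraries: a hypothetical `WidgetClient` (placeholder name, placeholder API) only ever talks through a session object and accepts one from the caller. The default is a `requests.Session`, imported lazily so the test double path needs no third-party package; the `FakeSession` stands in for what you would otherwise do with `mock.patch`, but it fails loudly on any request it was not told about, which is exactly the falsely-passing-test failure mode the thread is about. With httpx the same injection point would take `httpx.Client(transport=httpx.MockTransport(handler))`.

```python
"""Service client with an injectable HTTP session (added example; names are placeholders)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Protocol


class HTTPSession(Protocol):
    """The slice of requests.Session / httpx.Client that WidgetClient relies on."""

    def get(self, url: str, *, timeout: float, headers: dict[str, str]) -> Any: ...


class WidgetClient:
    """Hypothetical client for a hypothetical 'widgets' HTTP API."""

    def __init__(self, base_url: str, token: str, session: HTTPSession | None = None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        if session is None:
            import requests  # only imported when the caller did not inject a session
            session = requests.Session()
        self.session = session  # every request goes through this object, never a global

    def get_widget(self, widget_id: int) -> dict:
        resp = self.session.get(
            f"{self.base_url}/widgets/{widget_id}",
            timeout=5.0,
            headers={"Authorization": f"Bearer {self.token}"},
        )
        resp.raise_for_status()
        return resp.json()


@dataclass
class FakeResponse:
    """Constructed stand-in for a requests/httpx response."""
    status_code: int
    payload: Any = None

    def raise_for_status(self) -> None:
        if self.status_code >= 400:
            raise RuntimeError(f"HTTP {self.status_code}")

    def json(self) -> Any:
        return self.payload


@dataclass
class FakeSession:
    """Test double passed to WidgetClient: replays canned responses, records every call,
    and raises on any URL it was not prepared for instead of returning a silent MagicMock."""
    responses: dict[str, FakeResponse]
    calls: list[dict] = field(default_factory=list)

    def get(self, url: str, *, timeout: float, headers: dict[str, str]) -> FakeResponse:
        self.calls.append({"url": url, "timeout": timeout, "headers": dict(headers)})
        if url not in self.responses:
            raise RuntimeError(f"unexpected request to {url}")
        return self.responses[url]


BASE = "https://widgets.example/api/"  # constructed base URL


def demo_success() -> tuple[dict, list[dict]]:
    """Happy path: the client hits the expected URL with the bearer token and parses JSON."""
    session = FakeSession({
        BASE.rstrip("/") + "/widgets/42": FakeResponse(200, {"id": 42, "name": "gizmo"}),
    })
    client = WidgetClient(BASE, "constructed-token", session=session)
    return client.get_widget(42), session.calls


def demo_not_found() -> bool:
    """Error path: a 404 from the session surfaces as an exception, not a fake success."""
    session = FakeSession({BASE.rstrip("/") + "/widgets/7": FakeResponse(404)})
    client = WidgetClient(BASE, "constructed-token", session=session)
    try:
        client.get_widget(7)
    except RuntimeError:
        return True
    return False


def demo_unexpected_url() -> bool:
    """The double refuses a request it was never told about, so a wrong URL cannot pass silently."""
    client = WidgetClient(BASE, "constructed-token", session=FakeSession({}))
    try:
        client.get_widget(1)
    except RuntimeError:
        return True
    return False
```

Because the real `requests` import only happens in the default branch, the fakes run with the stdlib alone; in production the caller can also pass a pre-configured `Session` (proxies, retries, custom CA bundle) without the library needing any knobs for those.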

Quinnypig, to random
@Quinnypig@awscommunity.social

“For some reason our AWS bill spikes 4% in February once every four years. I don’t understand why.”

ubernostrum,

@Quinnypig @glyph Several years ago a large well-known company charged me a late fee on my monthly bill, saying I hadn’t paid the previous month. But I had their autopay feature enabled.

The culprit? They changed their autopay process date to be the 29th of each month…

The late fee ended up being refunded, but not without some work and some explaining.

ianbicking, to random
@ianbicking@hachyderm.io

Here's a challenge for my fellow Americans: if you are against Trump, then you should be pro-Biden. Not with handwringing and pearl clutching as though it's some terrible chore. Just be pro-Biden, like "yay, go Biden!"

This reluctance, this desperate Leftist need to hold onto contrarianism and cynicism is fucking childish. If you say the election is important then do the fucking deed and CHANGE YOUR OWN MIND.

It's also super fucking easy! I'm pro-Biden! Genuinely!

ubernostrum,

@ianbicking I have been watching this stuff for years and I am so, so terrified that the "sow enough astroturfed dissent to just barely swing it" strategy is about to work for the third time in my adult life (the prior two being the elections of 2000 and 2016).

ubernostrum,

@ianbicking And that's without getting into the way the "progressive" "left" in the US has just completely lost the plot over the past decade-ish, assuming they ever had it to begin with.

ubernostrum,

@dneary @ianbicking I don't understand this. There's a pretty clear norm in both major parties that an incumbent President doesn't need to re-litigate their nomination from first principles. Why do you feel this norm needs to be broken in this specific case, and what good (as opposed to giving media a "Democrats in disarray, can't even unite behind their incumbent" horse-race narrative) do you feel it would actually do?

Especially in light of the very convincing evidence we got this week for how Democratic voters feel about Biden (won NH in a massive blowout despite not even being on the ballot so people had to go to the trouble of turning out to write him in).

ubernostrum,

@zzzeek @glyph @ianbicking I have a very long unpublished rant about this, but it's a combination of: evangelical-style belief in the Rapture/Revolution and corresponding belief that nothing less can ever redeem the broken fallen world; long-term infiltration of the "left" by right-wing and right-wing-adjacent figures; desire for cachet from being seen to say and agree with what everyone else in their circle does; rampant deliberate misinformation; ignorance; arrogance; knee-jerk opposition in place of coherent politics; and for some of the "superspreaders" a fear of losing their influence/income if their claims/predictions are ever allowed to be refuted.

ubernostrum,

@ianbicking @dneary Yeah, citing the election that gave us Nixon and the election that gave us Reagan as examples to emulate does not make much sense to me.

The Republicans are obviously running Trump again. We have the guy who beat Trump and then had an incredibly productive term as President. This should be an easy call!

And the fact that the only "challengers" are all right-wing-funded weirdos should tell you that people who understand politics also think it's an easy call, because if some of the popular Dem governors thought there was a real need for a contested primary they'd be contesting it.

ubernostrum,

@ianbicking @dneary Also, it's worth noting that those examples (68, 80) aren't of an older norm of contested primaries -- using primary elections to decide a major party's presidential nominee is actually the thing that's (relatively) new.

1968 is thus a doubly terrible example, because it was the last hurrah of the older party-picks-the-delegates system and did such a horrid job that it was immediately replaced by the first modern presidential primary nominating system.

ubernostrum,

@dneary @ianbicking I think Newsom is obviously positioning himself to be a future presidential contender, and not a 2024 one.

But you still haven't explained why you think a contentious hard-fought primary this year would be a good thing or what you think we would gain from it, which is increasingly suspicious.

ubernostrum,

@dneary @ianbicking The only “strategists” I’ve seen saying this were pushing for someone just as old in previous elections and mostly seem to be angry they couldn’t beat Biden with votes so now are trying to beat him with social media discontent. That’s one reason why it’s suspicious.

ubernostrum,

@dneary @ianbicking This is not a list of names of people I would personally take strategic political advice from, and in several cases would not consider “Democrats” at all. And even supposing that Biden’s age were an issue, he has a VP. A VP who is constantly on tour to cheering crowds and who looks a lot more like the actual voting base of the party than Gavin Newsom does, but who, one feels, is the real reason why many of these guys are nervous about Biden’s age, if you get my drift.

ubernostrum,

@dneary @ianbicking I guess I'm still confused because the only reason for giving Biden the boot still seems to be "he's old". And the people you cite are generally not saying the Democrats need a competitive primary, they're saying the Democrats have to force Biden off the ticket somehow.

And yet... he beat the crowded field in 2020, beat Trump, and had an extraordinarily productive first term, delivering a ton and clearly sending the message "give me a bigger Congressional majority and I'll deliver even more". In what world do we say "nah, that's bad, don't want that"?
