00:08:42<SootBector>a social network for bobbies
00:14:47<SootBector>I find infomaniak charge extra for domain privacy and are trying to sneak "DNS fast anycast" into my basket as well for an additional yearly fee - did not expect such dark patterns from them
00:16:20<SootBector>"Domain Plus" ticked by default, details of the two things it comprises are hidden behind a click
00:19:31<nukke>most registrars offer whois privacy for free
00:19:49<nukke>in fact I'm struggling to find one that doesn't
00:20:51<SootBector>yes, very surprising to find that was a few euro/yr
00:21:42<fireonlive>textfiles posted about it in #archiveteam-twitter too, apparently he had an account at one point (the wiki made it seem that way at least)?
00:21:52<fireonlive>indirectly that is, via digipress
00:22:22<fireonlive>hmm weird they charge for that
00:26:47<@JAA>Ello, new social network, who dis?
00:27:08<SootBector>would prefer not to support that dark pattern so the search for somewhere to do acme DNS continues
00:27:34<SootBector>it's user 23 JAA , hai
00:30:23<fireonlive>SootBector: you could do the CNAME thing i guess
00:30:39<SootBector>thanks for the reminder to look that up
00:31:01<fireonlive>also if porkbun has a plugin they seem good so far
00:31:50jasons quits [Ping timeout: 240 seconds]
00:32:51<SootBector>https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_porkbun.sh updated 3yrs ago, hope that's a good sign
00:34:04<fireonlive>https://github.com/joohoi/acme-dns
00:34:23<fireonlive>this seems to be one of them
00:36:20<fireonlive>or maybe the one
00:36:21<fireonlive>lol
00:37:25<fireonlive>v3 seems to be the latest via https://kb.porkbun.com/article/190-getting-started-with-the-porkbun-api
00:37:32<fireonlive>(re: dns_porkbun.sh)
00:40:14<SootBector>would you be able to check if there's an expiry date on the api keys there?
01:01:39<fireonlive>sure
01:02:07<fireonlive>does not seem to be
01:02:28<fireonlive>SootBector: ^
01:24:37<SootBector>great! appreciate you
01:25:30<SootBector>had a look at cloudflare too, it takes 12 clicks on a calendar picker to make a key that lasts a year. unsure how long they can be set for in total
01:25:55<SootBector>editing the page to 10yrs from now did not work
01:28:50khobragade quits [Ping timeout: 240 seconds]
01:35:21jasons (jasons) joins
01:46:37<fireonlive>oh boo
01:46:48<fireonlive>i should check my cloudflare key lol
01:48:22<fireonlive>i like how theirs let you scope to zone, though not to record :/
01:48:40<fireonlive>looks like none expire
01:48:49<fireonlive>SootBector: leave "TTL" blank for start and end and should not expire
01:52:50<SootBector>well now I feel embarrassed :)
01:53:09<fireonlive>i closed the tab but AIUI it didn't say optional or anything beside it
01:53:15<fireonlive>so easy mistake :3
01:53:29<SootBector>I blame gandi
01:53:33<fireonlive>AIUI->IIRC
01:53:39<SootBector>used up all my brain juice
01:53:48<fireonlive>haha
01:54:13<fireonlive>"i" have a few domains w/ cloudflare too and they also are good so far
01:55:09<fireonlive>only thing is you can't change your NS away from cloudflare i think?
01:55:24<TheTechRobo>fireonlive: I think you can
01:55:32<fireonlive>i believe it started as a way to have the best control over their own domains, then they opened it up to their customers slowly as a 'loss leader' sort of thing
01:55:38<fireonlive>well; 'break even leader'
01:55:48<SootBector>good to hear. I'll look at a couple more options but think porkbun is the one for me
01:55:50parfait quits [Ping timeout: 240 seconds]
01:56:01sec^nd quits [Remote host closed the connection]
01:56:09<TheTechRobo>ah
01:56:14<TheTechRobo>you can, but it requires a paid account
01:56:19sec^nd (second) joins
01:56:24<TheTechRobo>https://lounge.thetechrobo.ca/uploads/1dbec3007d2581b2/image.png
01:56:33<Terbium>boooo
01:56:42<Terbium>paid upgrade just to change nameserver
01:56:47<TheTechRobo>yeah
01:56:54<Terbium>Down with Buttflare!
01:56:56<TheTechRobo>Still not moving away from Cloudflare, though, because it's really convenient
01:56:57<fireonlive>just found that yeah
01:57:02<Terbium>*riot*
01:57:41<fireonlive>"The custom nameservers can only be created as subdomains of frothy.example"
01:58:04<SootBector>I saw some things that were free but required a card number registered, is that not one of them?
01:58:13<fireonlive>"Cloudflare enables you to use nameservers which reflect your own domain (eg. ns.frothy.example). You can use them in place of your Cloudflare assigned nameservers."
01:58:18BlueMaxima joins
01:58:23<TheTechRobo>I've never seen anything free on Cloudflare that requires you to provide a credit card
01:58:27<TheTechRobo>It's either free or paid
01:58:36<SootBector>there is now, I can find it
01:58:53<fireonlive>i think this is just to allow you to use vanity names with cloudflare
01:59:04<fireonlive>but not use your registered domain at cloudflare with a different NS
01:59:44<fireonlive>so it'll show big.frothy.example and milky.frothy.example instead of cloudflare's default ones
02:00:00<nicolas17>:|
02:00:13<TheTechRobo>oh, that's what you meant
02:00:15<TheTechRobo>yeah
02:00:28<fireonlive>but cloudflare won't let you take frothy.example and use, say, dns.he.net
02:01:24<TheTechRobo>This reminds me, I was going to set up a honeypot
02:01:41<fireonlive>those are fun
02:01:44<TheTechRobo>(Not for regular scrapers, to be clear)
02:02:08<TheTechRobo>(I don't care if you're scraping my website but when you start brute-forcing logins I start to object)
02:03:17<fireonlive>are you going to do the gzip bomb thing
02:03:56<SootBector>send a stern email to their parents
02:04:05<TheTechRobo>fireonlive: That is a wonderful idea
02:05:01<fireonlive>for legal purposes that wasn't my idea
02:06:32<@JAA>gzip is kind of not very ideal for this, sadly.
02:08:05<fireonlive>saw it on this site: https://blog.haschek.at/2017/how-to-defend-your-website-with-zip-bombs.html
02:08:47<@JAA>Yeah, that just compresses a large number of NULs, but it'll never get as efficient as 42.zip.
02:09:17<SootBector>TheTechRobo: it's called Zero Trust, free plan requires a payment method. nothing to do with DNS though
02:09:20<@JAA>You don't get the nice layering from ZIP.
02:09:36<SootBector>(apart from "DNS filtering for up to 3 locations")
02:09:44<fireonlive>wonder if bots supporting brotli could do better
02:09:45<TheTechRobo>let's bug google and mozilla to add zip support to their browsers
02:09:45<fireonlive>lol
02:09:58<SootBector>I'd like to ftp a zipbomb please
02:10:19<fireonlive>https://42.zip used to work
02:10:37<fireonlive>it's now a redirect, because.. people i guess
02:10:41<@JAA>IIRC, 42.zip isn't directly problematic either. It's only when you try to unpack it recursively that it gets, well, a bit large.
02:12:23<fireonlive>"ThioJoe" got his panties in a twist about "how dangerous" the domain was; then google domains suspended it for "Phishing"
02:12:31<fireonlive>(link goes to the thread)
02:12:45<Terbium>the whole ".zip" fiasco was kinda stupid
02:13:13<Terbium>there was such a huge internet uproar over the addition of this tld
02:13:29<@JAA>The basic issue with gzip/deflate is that the window size is only 32 KiB. So you can never get a larger compression ratio than 32768. In practice, the limit is a bit lower of course.
02:13:49<TheTechRobo>Don't some browsers support zstd, or am I dreaming?
02:13:51<@JAA>Simple gzip -9 gets approximately a factor 1000.
02:14:20<@JAA>Chromium has a flag for it IIRC. But not on by default.
02:14:58<fireonlive>ugh yeah the infosec community's reaction to .zip being a thing was
02:15:03<fireonlive>"big cringe"
02:15:28<TheTechRobo>JAA: You tested how well zstd did on a bunch of nulls, right?
02:16:03<@JAA>I did, and enabling the crazy options made the output larger. lol
02:16:08<fireonlive>speaking of big cringe: [Reuters RSS] [🔴 Down] Request failed with status code 403
02:16:18<fireonlive>it was up for ~4 days though
02:16:22<fireonlive>lol
02:16:31<fireonlive>(cloudflare protection)
02:16:41<@JAA>hackint/#archiveteam-ot 2023-12-28 11:48:12 UTC <@JAA> `time dd if=/dev/zero bs=4M count=1024 | zstd --long=31 | wc -c`: 12.3 seconds, compressed it to 391183 bytes
02:16:44<@JAA>hackint/#archiveteam-ot 2023-12-28 11:48:27 UTC <@JAA> `time dd if=/dev/zero bs=4M count=1024 | zstd --long=31 --ultra -22 | wc -c`: 1274m46.844s, compressed it to 430070 bytes
02:17:33<TheTechRobo>lol
02:18:01<fireonlive>provider: ok, appointment cancelled because <reasons on their end>, please call us at your convenience to schedule a new one
02:18:10<@JAA>On the same machine: `time dd if=/dev/zero bs=4M count=1024 | gzip -9 | wc -c`: 22.2 seconds, 4168175 bytes
02:18:11<fireonlive>me: you'll literally never hear from me again
02:18:27<Terbium>who's your provider?
02:18:31<SootBector>more on cname method https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode
02:18:49<@JAA>`zstd -3` also produces larger output than `zstd -1`.
02:19:35<Terbium>SootBector: interesting, I'll give that a try
02:19:44<Terbium>I usually do DNS-01
02:21:04<fireonlive>Terbium: medical one
02:32:20<fireonlive>5d 2h 49m 52s, 128 MiB transferred via ZNC lol
02:35:07jasons quits [Ping timeout: 272 seconds]
03:32:05AlsoHP_Archivist joins
03:34:39HP_Archivist quits [Ping timeout: 272 seconds]
03:38:21jasons (jasons) joins
03:59:57Shjosan quits [Quit: Am sleepy (-, – )…zzzZZZ]
04:00:34Shjosan (Shjosan) joins
04:06:01<fireonlive>youtube breaks cmd+click/control+click and probably middlebutton clicking on links in comments because... it has to show this modal with javascript on a normal click. https://dl.fireon.live/irc/5846d7f3dbcfefb5/image.png
04:06:05<fireonlive>🙃🔫
04:06:43<fireonlive>(right clicking the link is also broken)
04:32:50<TheTechRobo>Yep
04:33:06<TheTechRobo>Just like how Ctrl-backspace used to be broken in the comment field
04:48:07tzt quits [Ping timeout: 272 seconds]
04:49:43HP_Archivist (HP_Archivist) joins
04:51:17AlsoHP_Archivist quits [Ping timeout: 272 seconds]
05:05:26<fireonlive>https://dl.fireon.live/irc/faae33bf6d9cebdc/image.png
05:05:34<fireonlive>neat warnings from porkbun
05:05:51HP_Archivist quits [Ping timeout: 272 seconds]
05:09:48<@JAA>Deleting before expiration? Wut?
05:09:53<@JAA>Which TLD is this?
05:12:41<fireonlive>JAA: cx
05:14:31<@JAA>Interesting
05:14:44<fireonlive>wish me luck with my domain there
05:14:45<fireonlive>:P
05:14:54<@JAA>Looks like there are TLDs with even longer time frames.
05:15:08<@JAA>.com.cy gets deleted 40 days before expiration if you didn't renew it.
05:17:35<fireonlive>o_o
05:17:41<fireonlive>sheesh!
05:17:49<fireonlive>what does 'expiration' even mean then lol
05:20:13<@JAA>At least that's what Gandi's big list claims, don't see it in the actual TLD policy.
05:20:22<fireonlive>hm
05:20:26<fireonlive>how odd
05:21:27<Terbium>porkbun is pretty crappy
05:22:08<@JAA>Gandi also claims that .kw needs to be renewed between 180 and 90 days before expiration. Which also isn't anywhere in the policy.
05:22:14<@JAA>I guess Gandi has its own special terms.
05:24:30<fireonlive>Terbium: why's the porkbun crappy?
05:24:43<fireonlive>(and where to go? lol)
05:25:15<Terbium>sending only one notice prior to domain suspension. No alerting system even when you log in to the account for any issues.
05:25:36<Terbium>so if you miss the email saying your domain has issues or will be suspended, nothing will show up if you log in to your porkbun account
05:25:42HP_Archivist (HP_Archivist) joins
05:25:52<Terbium>no warnings, nada, then your domain is suspended
05:27:00<fireonlive>:o interesting
05:33:52AlsoHP_Archivist joins
05:36:15HP_Archivist quits [Ping timeout: 272 seconds]
05:36:34DogsRNice quits [Read error: Connection reset by peer]
05:45:17<fireonlive>favourite 'kvm' anyone? like an external one such as tinypilot or pikvm
05:53:23<that_lurker>If I had server I would most likely go with tinypilot, but I have not looked into open source KVMs since Craft Computing's video
05:53:34<that_lurker>s/server/servers
05:58:24HP_Archivist (HP_Archivist) joins
06:00:19AlsoHP_Archivist quits [Ping timeout: 272 seconds]
06:04:39AlsoHP_Archivist joins
06:05:23HP_Archivist quits [Ping timeout: 272 seconds]
06:10:21pabs quits [Client Quit]
06:11:05AlsoHP_Archivist quits [Ping timeout: 272 seconds]
06:14:00<fireonlive>thanks :)
06:15:44pabs (pabs) joins
06:17:03HackMii_ quits [Ping timeout: 255 seconds]
06:19:10HackMii_ (hacktheplanet) joins
06:24:06HackMii_ quits [Remote host closed the connection]
06:24:31HackMii_ (hacktheplanet) joins
06:29:13HP_Archivist (HP_Archivist) joins
06:29:24khobragade (khobragade) joins
06:30:43jasons quits [Ping timeout: 272 seconds]
06:32:31Doranwen quits [Remote host closed the connection]
06:32:57Doranwen (Doranwen) joins
06:36:43HackMii_ quits [Remote host closed the connection]
06:37:16HackMii_ (hacktheplanet) joins
06:43:20khobragade quits [Ping timeout: 240 seconds]
06:47:10khobragade (khobragade) joins
07:27:05khobragade quits [Ping timeout: 272 seconds]
07:33:48jasons (jasons) joins
07:35:55BlueMaxima quits [Read error: Connection reset by peer]
08:41:30<pabs>https://berthub.eu/articles/posts/a-2024-plea-for-lean-software/ https://news.ycombinator.com/item?id=39049956
09:16:22<joepie91|m>"[...] and simple products importing 1600 dependencies of unknown provenance"
09:16:43<joepie91|m>using dependency count as a metric for risk is, uh, not a great starter if you're trying to convince people that you have the answers to software security
09:17:46<joepie91|m>the assumptions that one needs to make to consider that a representative metric (without any further context) are enough to make me question their entire view on the matter
09:18:16<@arkiver>related to security or not, i do try to limit dependencies for my stuff
09:18:23<joepie91|m>because that is, to put it politely, not how dependency security works
09:18:56<flashfire42>You wanna hear bad security?
09:18:57<flashfire42>https://www.theguardian.com/australia-news/2024/jan/18/victoria-court-cyber-attack-files-2016
09:19:11<joepie91|m>the thing with "limiting dependencies" is that depending on what ecosystem you're working in, it can significantly worsen both the complexity and security issues in your codebase
09:19:20<@arkiver>some code using tons of little-known dependencies feels too much like many attached little black boxes i have no idea of how they work exactly
09:19:43<joepie91|m>arkiver: that is a deceptive experience
09:19:52<flashfire42>https://www.skynews.com.au/australia-news/crime/court-services-victoria-reveals-hundreds-more-hearings-compromised-in-hack-as-body-scrambles-to-notify-those-affected/news-story/94fed655a1f0887cfdb1308d8c33e563
09:20:17<joepie91|m>as in, I understand why it feels weird to people, but it's not an accurate assessment of the situation, and the risk is generally much higher with a few monolithic/kitchen-sink dependencies
09:20:17<@arkiver>i do think there can be a correlation between security on dependencies - but an indirect one. if people use (relatively heavy) dependencies for 'simple' tasks that didn't require that dependency, it shows they may not have enough experience and are more likely to introduce security problems in their code
09:20:33<@arkiver>security and*
09:20:54<@arkiver>but *number of dependencies* itself is not a good metric
09:20:57<joepie91|m>but that's the thing, though, that's where "lots of dependencies" comes from - the reason there are lots of dependencies is because they aren't heavy dependencies, they're single-purpose tools
09:20:57icedice (icedice) joins
09:21:14<joepie91|m>I am far more suspicious of things with few dependencies than things with many dependencies for this reason
09:21:33<joepie91|m>because the former tend to have much more 'unused complexity' in their dependency stack than the latter, by virtue of the dependencies being designed and packaged much less granularly
09:21:34<@arkiver>i can see a reason for that too
09:21:58<@arkiver>it's really about why a certain dependency was used, what it is supposed to do according to the one using it
09:22:33<joepie91|m>like, dependency count is basically a completely useless metric, it doesn't tell you anything except for the amount of (metaphorical or literal) folders, it's entirely a function of the distribution method, and has nothing to do whatsoever with the complexity that it represents, even if it feels like it does
09:22:53<joepie91|m>you need to assess the actual complexity, api surface, etc. of the total set of dependencies
09:23:01<joepie91|m>to get a useful metric out of it
09:23:02<@arkiver>yes
09:23:49<joepie91|m>all this is why I'm highly suspicious of someone's views regarding dependency security if they hold up package count as a relevant metric :p because this is something that people should know about if they have expertise in the field
09:24:19<joepie91|m>to me it signals that they're going off gut feelings rather than analysis
09:25:05<@arkiver>it's in the same bucket as judging a "programmer" by lines of code :P
09:25:11<joepie91|m>yeah
09:26:02<joepie91|m>anyhow, all of this is not to say that needlessly complex software is not a problem, but "too many dependencies" is certainly not the cause
09:27:39<joepie91|m>(the actual reason is, as usual, capitalism - though in indirect ways, like employers not wanting to invest in training, hype cycles, etc.)
09:28:12<ehmry>are we trying to convince ourselves that more dependencies does not mean more lines of code?
09:28:39<joepie91|m>most software is built to make money, not to be good or useful, and that is logically going to result in people being driven in their technology choices by things that promise the most result for the least effort, regardless of whether those promises hold true in practice
09:28:57<joepie91|m>no amount of technical arguments will fix the incentives there
09:29:05<joepie91|m>ehmry: it does not
09:29:31<ehmry>joepie91|m: generally speaking or is this rust specific?
09:30:36<joepie91|m>ehmry: re: "it does not"? it's a general principle, but whether "many small dependencies" (which is where this applies) is even an option is dependent on the language's dependency mechanism (it's possible in JS and Rust for example, not so much in Python)
09:31:31<joepie91|m>the language needs to have some degree of support for incompatible versions of a package to exist within a single codebase, for this to work
09:31:44<joepie91|m>so anything with a flat named dependency tree is out
09:32:05<ehmry>whatever, I just find the spin amusing
09:32:33<@arkiver>joepie91|m: not sure i agree with the very quick step towards capitalism - over the long term "promises" that don't hold true will be filtered out using capitalism as it wastes resources.
09:33:18<joepie91|m>nope, they do not
09:33:22<@arkiver>it is just a local minimum in optimization of part of the business that i believe successful companies grow out of
09:33:28<joepie91|m>capitalism is not an efficient system, despite claims to the contrary
09:34:13<joepie91|m>in fact, the amount of waste in capitalist structures is completely absurd
09:34:24<@arkiver>maybe we should blame that people don't live forever? due to people dying and new people taking over we lose some information in this optimization of the business, which leads to the failures you describe
09:34:32<joepie91|m>nope
09:34:51<joepie91|m>sorry, I don't have a lot of patience for the "doing weird dances to try and not have to admit that capitalism might have issues" thing
09:35:06<@arkiver>there are of course different views of what is waste
09:35:13<joepie91|m>I analyze this sort of thing full-time in more than one way
09:35:18<ehmry>this came out of the weird dance to justify dependency explosion
09:35:25<@arkiver>ehmry: :)
09:36:21<joepie91|m>I literally get paid to deal with dependency security and failed business processes, for example, and on the activist side I have every reason to understand the exact reasons why companies fail
09:36:43<joepie91|m>and no, the problem is not "people dying and losing optimization information"
09:37:10<joepie91|m>the problem is that capitalism is a system of power, not a system of resource allocation, and people with power do what people with power always do
09:37:33<joepie91|m>while they are still people like everyone else and susceptible to the exact same biases that everyone else is
09:37:54<joepie91|m>just their choices have far-reaching effects because they control so many things, directly or indirectly - that's the difference
09:37:57<@arkiver>if we would talk about the "system of power", then yes i fully agree
09:38:00<joepie91|m>it literally is just that
09:38:20<joepie91|m>that is where the waste comes from, that is where bad business policies come from, that is how companies fail, etc.
09:38:59<@arkiver>i personally view capitalism as "things optimising for greatest value" - but unfortunately that "value" is often "power", where problems come from
09:39:20<joepie91|m>the question is "greatest value for whom?"
09:39:42<joepie91|m>because it certainly doesn't and cannot optimize for greatest societal value, unless you assume that biases don't exist, which they do
09:39:57<@arkiver>i would say "society", but i see "the individual" is the one you talk about - and unfortunately i guess it is the individual and not society in the majority of cases
09:40:09<@arkiver>(maybe i have a too positive view of "value" :P )
09:40:24<@arkiver>well, "value" in connection to "capitalism"
09:43:00<joepie91|m>but which individual?
09:44:11<@arkiver>a person?
09:44:37<@arkiver>maybe i misunderstand
09:44:48<joepie91|m>yes, but which person? if it optimizes for "the individual", as opposed to "society", then which individual(s) are we talking about? it's not "every individual" because then it would be "society"
09:45:43<@arkiver>a person working on increasing value
09:45:53<joepie91|m>to?
09:46:01<joepie91|m>because this sounds like circular reasoning
09:46:30<@arkiver>a "thing" from which they either directly or indirectly benefit
09:46:46<@arkiver>i don't see the circular reasoning - i'm trying to understand your view
09:46:58<joepie91|m>so, to rephrase, it optimizes for people looking out for themselves (and their own things they benefit from) and only that?
09:47:52<@arkiver>yes, but i'm not saying people will also gain something for themselves - many do not or in a very limited way
09:48:23<joepie91|m>so then is this not very fundamentally a system that is just about power, with wealth/benefit as a proxy for that power?
09:48:38<joepie91|m>and I mean "about" in the sense that that is its purpose for existence, not just an accident
09:49:18<@arkiver>yes, i think we (I?) are working towards that. i was learning/understanding the reasons behind your view or what you previously said
09:49:28<joepie91|m>right, okay
09:50:38<joepie91|m>then yeah, this is pretty much that reason; capitalism certainly optimizes for something, but it is that power of "those at the top" (whoever that may be at any given moment in time), not "societal benefit"
09:51:22<@arkiver>thanks for explaining and thinking with me on that, it's a new view of this for me (although i know this is by far not a new view generally)
09:51:49<joepie91|m>I appreciate taking the time to understand it, even if I misjudged your intention for a bit there, sorry :)
09:52:39<@arkiver>no worries :)
09:54:03<joepie91|m>to circle this back to the "software is built to make money, not to be good" - software doesn't actually need to be good to extract wealth from people with it, it just needs to be sufficiently tolerable
09:54:23<joepie91|m>the bare minimum for it to be profitable is that it needs to sort of work most of the time
09:54:47<joepie91|m>and so the entire software development industry revolves around that target, even many of the supposed 'best practices' and 'reliability engineering' things
09:56:19<joepie91|m>this means that there is no reason to invest in giving people time and space to learn new things, for instance, and so developers are frequently crunching away trying to get something sorta working on an impossible deadline, picking either the tool that they are already familiar with or the tool that looks the easiest to get started with (which is usually more marketing than reality, because again, capitalism), because that's the fastest
09:56:19<joepie91|m>path towards the objective they have been given in the time/space allotted
09:56:43<joepie91|m>and that is how you end up with so many things being built with inappropriate tools, and that eventually just becoming the culture of software development
09:58:43<joepie91|m>React and its whole ecosystem is a very good example of this; React is a very good tool for a specific set of usecases, and completely inappropriate for many others, but you can still use it for them if you squint... and so people who have only learned React will use it for everything they can use it for, and that's why it's everywhere now, often with absurdly complex mountains of build tooling because that was the hyped-up thing this
09:58:43<joepie91|m>week, and there was no time to investigate options carefully, so might as well go with the crowd
10:00:03Bleo18260 quits [Client Quit]
10:01:23Bleo18260 joins
10:02:06<joepie91|m>and I hope this makes it obvious why all the "people should be building simpler software" argumentation is not going anywhere...
10:44:02<ehmry>joepie91|m: how does what make it obvious?
10:46:02<ehmry>are you saying the argument is false or that it's not worth considering?
10:46:26<joepie91|m>I am saying that it is ineffective, because software developers will not magically gain the space and time to "do it right" because they've read a blogpost
10:46:56<joepie91|m>telling someone basically to "do better" is not helpful when there's a practical reason why they cannot
10:47:15<joepie91|m>it requires actually addressing the underlying practical issues
10:47:53<joepie91|m>I say this as someone who goes to some lengths to get it right in the things I work on
10:48:00<ehmry>but capitalism has practical justifications, you will never be effective in opposing it
10:48:39<joepie91|m>that is an entirely different discussion from "is it helpful to chastise developers for doing the only thing they are allowed to do?"
10:50:04<ehmry>only when it's turned around
10:51:36<ehmry>yes, soon enough the fingers will be pointed at the rust developers for making a mess of things
10:51:45<ehmry>deal with it
10:53:25joepie91|m does not see anything actionable to discuss here
11:52:27c3manu quits [Ping timeout: 272 seconds]
11:59:12c3manu (c3manu) joins
12:25:53Iki joins
12:28:33jasons quits [Ping timeout: 272 seconds]
13:01:50Arcorann quits [Ping timeout: 240 seconds]
13:28:54IRC2DC quits [Remote host closed the connection]
13:31:45jasons (jasons) joins
13:55:52<nicolas17>"the reason there are lots of dependencies is because they aren't heavy dependencies, they're single-purpose tools" yeah but surely we can agree stuff like npm is-even module is ridiculous?
13:56:55<nicolas17>I have little experience with Rust
13:57:20<nicolas17>but I feel like it has the right number of dependencies and things-split-into-separate-libraries
13:57:38IRC2DC joins
13:58:03<nicolas17>as opposed to C++ (where using deps is hard so people use few of them or make Big Libraries that Do Everything) or Javascript (where there's *too many* trivial modules)
14:00:29<TheTechRobo>Agreed
14:05:56<joepie91|m>nicolas17: the problem with every "some packages are just excessive" argument is that the other side of the tradeoff is never specified; what is the perceived cost of "a package"?
14:06:10<joepie91|m>like, to argue that a package is "too much", that implies that the costs exceed the benefits
14:06:17<joepie91|m>you can argue that the benefits are minimal, sure, but then what are the costs?
14:06:49<joepie91|m>(this is usually the point where people start making incorrect assumptions like "1 more package = trusting 1 more person" or "more packages = more likely to break")
14:07:14<nicolas17>most npm modules are owned and maintained by 1 person who could go rogue or get their account compromised, so yes :P
14:08:08<joepie91|m>that is not how the math works out in reality, because those small packages are part of 'dependency constellations', ie. sets of related packages maintained by the same person that generally co-occur
14:08:24<joepie91|m>this is the whole point of my argument; how big a package is is literally just a property of its distribution, nothing more, nothing less
14:08:35<joepie91|m>you cannot infer any meaningful metrics from that data point alone
14:09:04<joepie91|m>what actually matters is total complexity, how many people of what veracity you're trusting, etc., none of which actually correlate with package count or size in any meaningful way
14:09:18<joepie91|m>package count and package size are simple-but-wrong metrics
14:10:07<joepie91|m>people just assume that these things correlate because they generally do in ecosystems that are built around monolithic packages, where a dependency is a large investment both for the maintainer and the user; but those assumptions do not hold up universally
14:10:25<nicolas17>yeah taking them as metrics is wrong because two programs could have the same total number of dependencies yet be in very different situations for this purpose
14:10:40<nicolas17>...but you have to admit this is absurd https://old.reddit.com/r/programming/comments/4bjss2/an_11_line_npm_package_called_leftpad_with_only/d19vysi/
14:11:19<joepie91|m>the left-pad incident had literally nothing to do with package size, and people using it as an argument is a sure flag that they are unfamiliar with the problem domain, tbh
14:11:34<nicolas17>I was not pointing at leftpad
14:11:37<nicolas17>I linked to a specific comment
14:11:41<joepie91|m>and are just grabbing something that kinda sorta looks right for their argument
14:11:48<joepie91|m>ah
14:12:04<joepie91|m>I do not see the value in litigating specific packages
14:12:39<joepie91|m>and this returns to my previous point: every argument is always about how the benefit is "too small" but it never makes concrete the supposed cost you pay in exchange for it
14:12:58<joepie91|m>these arguments just assume a certain minimum cost of a package that is entirely unsupported by arguments
14:13:43<joepie91|m>if the cost of adding a package were hypothetically zero (regardless of whether it actually is, let's assume it is for a moment, for the sake of illustrating my point), then any sort of "it's not worth it" argument would be irrelevant because it is always worth it, if the cost is zero
14:14:03<joepie91|m>so clearly the cost of a package is a relevant factor in whether it is worth it, so why do people leave it unspecified in these arguments?
14:14:57<joepie91|m>and IMO it is because acknowledging how low the cost of a package, in and of itself, actually is, would make it apparent that the oh-so-popular bandwagoning about "haha look at node_modules, look at left-pad" is, in fact, wrong
14:19:35<nicolas17>augh some opensource.samsung.com kernel packages have compiled binaries of the toolchain
14:26:59jasons quits [Ping timeout: 272 seconds]
15:15:59IRC2DC quits [Remote host closed the connection]
15:16:17IRC2DC joins
15:30:24jasons (jasons) joins
16:29:13jasons quits [Ping timeout: 272 seconds]
17:23:35AlsoHP_Archivist joins
17:24:38<kpcyrd>nicolas17: I'd recommend to look into cargo-crev if you're interested in this kind of supply-chain security (re dependencies) :)
17:24:50HP_Archivist quits [Ping timeout: 240 seconds]
17:31:54jasons (jasons) joins
17:36:06sec^nd quits [Ping timeout: 255 seconds]
17:51:35sec^nd (second) joins
17:56:17<nicolas17>kpcyrd: I have 5 days of experience with Rust and I used 0 dependencies
17:56:23<nicolas17>I think I'm far from needing something like that
18:08:03sec^nd quits [Ping timeout: 255 seconds]
18:17:48<fireonlive>you know, i wonder how long before hard drives and SSDs have online DRM
18:17:58<fireonlive>🤔
18:18:10<TheTechRobo>Shh, don't give them ideas!
18:18:17<fireonlive>x3
18:18:45<fireonlive>“please activate your storage device” “device must check in every 1.5 days”
18:18:54<@JAA>Please drink verification can.
18:19:09<fireonlive>glug glug!
18:19:35<fireonlive>seagate sees it best
18:20:10sec^nd (second) joins
18:22:41<SootBector>free HDD. mid-roll adverts on all my video files
18:25:40<kiska>fireonlive https://server8.kiska.pw/uploads/618224c2a0d466e9/20240120_052044.jpg guess how much of this screen's digitiser works
18:31:50jasons quits [Ping timeout: 240 seconds]
18:33:31<katia>28%
18:40:37<kiska>Probably :D
18:42:16<kiska>katia I have highlighted the section that works https://server8.kiska.pw/uploads/e4a0542e049f423c/20240120_052044.jpg
18:43:28<kiska>I have also gotten a Bluetooth keyboard to work! https://server8.kiska.pw/uploads/87b7609628391fc8/20240120_052015.mp4
18:44:30<katia>:O
18:53:57riku quits [Quit: WeeChat 4.1.2]
18:54:38<fireonlive>kiska: oof!
18:55:52<fireonlive>bluetooth keyboard is awesome x3
19:02:53<kiska>And now that I have updated Magisk... it keeps crashing :(
19:09:49DogsRNice joins
19:10:15<kiska>omg... This phone still has Chrome 64.0.3282.137 :D
19:19:58<fireonlive>:o
19:20:17<fireonlive>rip Magisk
19:33:36<kiska>Do I spend $22 AUD on the replacement screen + digitiser?
19:35:30jasons (jasons) joins
19:48:52<katia>maybe? what phone is it
19:57:48<kpcyrd>nicolas17: the programming language it was built for is irrelevant, it gives you data about how many people have looked at the code you depend on. if that code is split into 5 libraries, or 50 libraries or 500 libraries barely matters (it's the same amount of code), "how much has been reviewed" is what matters.
20:00:30<kpcyrd>is-positive-integer has not been updated within the last 8 years, that's plenty of time to do a code review, but cargo-crev shows people are either not doing reviews, or they are not publishing their "no findings" reviews
20:01:02<nicolas17>ah I thought cargo-crev was for cargo/rust
20:01:22<joepie91|m>(does anyone actually use crev outside of Rust, despite it being nominally language-agnostic?)
20:02:12<joepie91|m>(as I only ever see it brought up in Rust circles)
20:02:34<@JAA>According to https://github.com/crev-dev/crev , cargo-crev is the only usable implementation, so...
20:04:01<@JAA>I'd like to see it spread. All languages could benefit from something like this.
20:04:49<kpcyrd>what I'm saying is, even in Rust circles there's only very few reviews. Either do reviews yourself or cope with the fact nobody except the author may have ever looked at it.
20:05:32<kpcyrd>complaining about the amount of libraries amounts to nothing. complaining amount of _code_ something depends on however, is very valid.
20:05:53<kpcyrd>*about the amount of
20:06:24<kpcyrd>or rather, complaining also doesn't really amount to much, you'd still have to find simpler alternatives or write them yourself
20:06:58<kpcyrd>(then get other people to review them)
20:08:24<kpcyrd>the "get free code reviews" economy is a little down at the moment unfortunately
20:09:12<@JAA>I do think that things like is-even are silly. There's a non-trivial amount of (computational) work involved in fetching and installing a package. Doing that for the equivalent of `(n%2)==0` is ridiculous.
20:10:52riku joins
20:13:32<kpcyrd>yes, but is this really a problem that shows up in real life? is-positive-integer only has 4 dependents, all but one have 0 dependents of their own, except one, which is used by something called `libvegetable`
20:14:04<kpcyrd>it's extremely unlikely you actually end up with is-positive-integer in your dependency tree
20:14:26<@JAA>Yeah, right. If it isn't used, it's not a problem, although I think it shouldn't even exist. :-)
20:15:26<riku>lol, how is that a real library
20:15:39<riku>> version 1.1.1
20:16:01<riku>didn't get it right the first time, i guess
20:17:25tech234a quits [Quit: Connection closed for inactivity]
20:17:58<joepie91|m>(the answer is that no, this sort of stuff is not really a problem in real life)
20:18:28<joepie91|m>like, JS definitely has a number of issues with its dependency ecosystem, but this is none of them
20:27:48<fireonlive>when tech234a forgets IRC exists :(
20:28:14<fireonlive>supply chain security is a fun topic :D
20:30:03<fireonlive>https://www.theregister.com/2024/01/19/2023_storage/
20:30:06<fireonlive>the squeeze continues
20:32:50jasons quits [Ping timeout: 240 seconds]
20:33:41<nukke>wew lad. 20GB is *nothing*.
20:35:39<fireonlive>ikr? o_o
20:35:48<joepie91|m>if Microsoft actually cared about the environment, I imagine they could stop boiling the oceans with the Plagiarism And Exploitation Machine 3000 instead
20:35:54<joepie91|m>but that somehow doesn't seem to be in the cards
20:36:03<joepie91|m>also: apparently this storage cut is a huge issue because of legal requirements for retaining research data
20:40:48<fireonlive>ah yeah, that would be a big issue with departments who have to scramble to dump it all.. somewhere
20:40:50<nicolas17>it's especially fun when someone has 10TB of data in some storage service, the cap gets reduced to 20GB with a deadline of next month, and the service's own bandwidth limits don't let them download 10TB in a month
20:40:53<fireonlive>if they can even find the funding for that
20:41:40<@JAA>At least the deadline is somewhat nice here (end of May), plus it sounds like it'll just restrict new uploads for now if you're still above the limit then.
20:41:47<@JAA>That's better than some other services.
20:41:57<nicolas17>yeah Google did worse than that in the past
20:41:57<fireonlive>nicolas17: reminds me of that reporter who had a week to move 300TB of data before it was purged (also some of that data was involved in an active lawsuit?)
20:42:03<fireonlive>that was google i think
20:42:07<nicolas17>fireonlive: that's the case I was remembering yeah
20:42:19<fireonlive>ah ye
20:42:20<@JAA>Aye
20:42:27<nicolas17>not everyone has 300TB of local storage, or an Internet connection fast enough to download it
20:42:34<fireonlive>indeed
20:42:49<nicolas17>but it's especially bad when *even if* you had that, *Google's* bandwidth limits don't let you possibly download it in time
20:42:50<fireonlive>also even if you had the money to suddenly purchase it... things take time to arrive
20:43:02<fireonlive>ah ye! 10TB/day i think
20:43:04<@JAA>Or the money on hand to immediately purchase the hardware required.
20:43:31<fireonlive>hope you got good credit!
20:44:05<nicolas17>I need to hurry up with this samsung shit
20:44:16<nicolas17>it seems they delete files sometimes
20:44:18<@JAA>CHF 4000 just for 300 TB raw HDD storage here currently, without redundancy or the hardware to connect it to existing computing equipment.
20:45:28<@JAA>At least you can do 300 TB on 0.5G in a week, so that part wouldn't be completely infeasible.
20:45:31<@JAA>But yeah
20:45:48<@JAA>Er
20:46:03<@JAA>I accidentally a factor 8.
20:46:07<@JAA>4G required
20:53:29<fireonlive>Samsung: https://dl.fireon.live/irc/d4ba4e80d890fc50/wtf-delete.png
21:12:28AlsoHP_Archivist quits [Read error: Connection reset by peer]
21:35:50BlueMaxima joins
21:36:38jasons (jasons) joins
22:00:34<fireonlive>+rss- Ceph: A Journey to 1 TiB/s: https://ceph.io/en/news/blog/2024/ceph-a-journey-to-1tibps/ https://news.ycombinator.com/item?id=39060339
22:00:35<fireonlive>sanic
22:13:27SootBector quits [Remote host closed the connection]
22:22:50SootBector (SootBector) joins
22:25:39Arcorann (Arcorann) joins
22:31:59SootBector quits [Remote host closed the connection]
22:32:25SootBector (SootBector) joins
22:33:23jasons quits [Ping timeout: 272 seconds]
23:02:06<nulldata>https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
23:04:43<fireonlive>midnight blizzard.. when you just really want some dairy queen after getting high
23:06:26<nukke>https://billsworld.neocities.org/
23:06:28<@JAA>> the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions
23:06:35<@JAA>> The attack was not the result of a vulnerability in Microsoft products or services.
23:06:38<@JAA>Hmmmm
23:07:26<@JAA>If a non-production test account can access senior leadership's emails, *something* isn't right...
23:10:15<fireonlive>...sounds like someone fucked permissions o_O
23:16:15decky_e joins
23:26:39HackMii_ quits [Ping timeout: 255 seconds]
23:32:54HackMii_ (hacktheplanet) joins
23:34:02HackMii_ quits [Remote host closed the connection]
23:34:27HackMii_ (hacktheplanet) joins
23:36:45jasons (jasons) joins
23:55:54qwertyasdfuiopghjkl quits [Remote host closed the connection]