
can you provide a relevant example for this context?


That was an entire body of research at the University of Minnesota and the “hypocrite commits” weren’t found until the authors pointed people to them.

https://www.theverge.com/2021/4/30/22410164/linux-kernel-uni...


How long did the log4j exist?

https://www.csoonline.com/article/571797/the-apache-log4j-vu...

What was the other package that had the mysterious .?


And yet they were found. How many such exploits lurk unexamined in proprietary codebases?


yet you say this like Apple or Google or Microsoft has never released an update to address a security vuln


Apple[1], Google[2], and Microsoft[3] you say?

You say this as if being shamed into patching the occasional vuln is equivalent to security best practices.

Open code which can be independently audited is only a baseline for trustworthy code. A baseline none of those three meet. And one which by itself is insufficient to counter a reflections on trusting trust style attack. For that you need open code, diverse open build toolchains, and reproducible builds. None of which is being done by those three.

Are you getting your ideas about security from the marketing department?

1: https://arstechnica.com/security/2024/03/hackers-can-extract...

2: https://www.wired.com/story/google-android-pixel-showcase-vu...

3: https://blog.morphisec.com/5-ntlm-vulnerabilities-unpatched-...


Go ahead and put that cup of kool-aid down for a minute. There are so, so many OSS packages out there that have never been audited. Why not? Because people have better things to do. How many packages have you audited? Personally, I don't have the skillz to do that. The people that do expect to be compensated for their efforts. That's why so many OSS packages have vulns that go unnoticed until after they are exploited, which is the same thing as closed source.

OSS is not the panacea that everyone touts it to be.


> There are so so many OSS packages out there that have never been audited? Why not? Because people have better things to do.

I'm not aware of any major open source projects that haven't experienced some level of auditing. Coverity alone scans everything you're likely to find in a distribution like Debian or Fedora: https://scan.coverity.com/o/oss_success_stories

> How many packages have you audited?

Several on which I depend. And I'm just one pair of eyeballs.

> Personally, I don't have the skillz to do that.

Then why are you commenting about it?

> OSS is not the panacea that everyone touts it to be.

I don't know who's touting it as a panacea; it seems like a strawman you've erected. It's a necessary prerequisite without which best practices aren't possible or verifiable.


"Fractals are not self-similar"

https://m.youtube.com/watch?v=gB9n2gHsHN4

If you want to learn more about the fascinating world of fractals.


The parent comment didn't mention self-similarity; did you maybe intend to reply to another comment?


i am guessing that most people think that the cognitive load cost is usually not worth the benefits.

i agree that the cognitive load in a language like js which is not prepared to accommodate this paradigm is not worth it

even when deciding to use Haskell we need to weigh the pros and cons wrt the project's goals


I used Affinity tools as a better alternative. Are they not a player anymore?


you're worried that they'll explain 3rd degree polynomials with a leftist bias?


The overwhelming majority of their publication on organics has an unmistakable bias toward D- sugars ...


I mean, look at all the insane places leftists have shoehorned gender crap into lately. I wouldn't put it past them.


Ah yes, leftists shoehorning gender into checks notes elliptic curve math discussion.


[flagged]


introducing the concept of mathsplaining


first thing i did when i read "3rd degree polynomial" was search "elliptic curve 3b1b"


146 in how many? 80 in how many?


80/557

146/1109


that's above 12% on both.

now correct it for number of sold phones each (estimated by looking at the 70 most popular models) and we'll get why they said 1/4.


These days?


Had the same thought from the headline, but the punchline is that he's using the VPN he completely built himself and can't even trust that one.


He most likely wouldn't have this problem if he used a VPN product for clueless users. It has nothing to do with trust towards a class of technology and all to do with the fact that computers are hard.


... which is entirely a PEBKAC-type error in this case, as he never tested whether his configuration worked as expected.


Which is not surprising because according to him, all it takes is running a simple bash script


vimgolf.com is a classic


so you're not so worried that they do this analysis (this is very tame compared to what they really do), but rather that they are transparent about it?

