> In html you can just view comments as another node in a uniform tree.

When you parse an AST with comments (or a CST), they do become "just another node in a uniform tree". Think about it - in HTML you have a tree of nodes but comments can be anywhere, which is exactly as obnoxious to deal with as a CST where comment nodes can be anywhere.

This is a terrible reason to not support comments. If it was really important, then probably you should support comments in only a couple of places, e.g. on attributes or on selectors.

But I don't think it is very important. I can't think of a single tool that loads CSS, rearranges it, and then spits it back out in a form that would benefit from comments.

> in HTML you have a tree of nodes but comments can be anywhere

Maybe I'm misunderstanding, but no they can't. For example the comment here is not a comment, but part of the URL:

    <a href="https://example.com<!-- comment -->">click me</a>

And HTML like this is simply broken:

    <div<!-- comment -->>content</div>

Maybe you meant "they can be anywhere that a Node can be in the DOM", but I think that's more or less what the CSS "mistake" is suggesting should be true about CSS (just replace "DOM" with "CSSOM").

Yes, anywhere in the node tree. Imagine if CSS was specified in HTML-style. We might write this selector:

  h1,
  /* don't forget h2! */
  h2 {
    color: /* I love red */ "red";
  }

Like this:

  <rule>
    <selector>
      <alternative>
         h1
      </alternative> <!-- don't forget h2 -->
      <alternative>
         h2
      </alternative>
    <selector>
    <attributes>
      <color><!-- I love red --> red</color>
    </attributes>
  </rule>

Which is pretty much exactly the same as what you'd get as a CST from parsing the CSS.

Problem is, the CSSOM models that more like this:

    <rule selector="h1, h2">
      <style>
        <property name="color" value="red" />
      </style>
    </rule>

Perhaps your takeaway from this is "the CSSOM is bad" (and I don't necessarily disagree), but it's what the "mistake" is talking about.

> h1, h2, h3 should not have different styles. it's an anti-pattern that leads to broken accessibility

How does that hurt accessibility? Are you saying people use h3 in order to get its style even when they didn't mean h3?

I think the opposite could happen too - if they all have the same style then people might just use h1 everywhere which is probably just as bad. People tend not to use elements that have no obvious use, like <output> which apparently has better accessibility but does absolutely nothing else, so nobody bothers. The whole "semantic web" thing failed partly because of this.

> Are you saying people use h3 in order to get its style

yes, and that people assume the purpose of having different tags is to control styling

I mean, they aren't wrong. That is part of the purpose. Of course now we try and do it via CSS but it's definitely still fine to use <b> as bold and <i> as italic, even if the semantic pedants will insist that they mean "Bring attention to" and "Idiomatic" (that name's stretched so thin you can see through it!).

> Most people tend not to

Yeah because normal people never have to deal with alphanumeric strings...

> Yeah because normal people never have to deal with alphanumeric strings...

Natural language tends to have a high degree of disambiguating redundancy and is used to communicate between humans, who are good at making use of that. Programming languages have somewhat less of disambiguating redundancy (or in extreme cases almost none), and, most critically, are used to communicate with compilers and interpreters that have zero capacity to make use of it even when it is present.

This makes "letter looks like a digit that would rarely be used in a place where both make sense" a lot more of a problem for a font used with a programming language than a font used for a natural language.

People named Al are having a field day with the recent AI boom.

El confusion is absolutely a problem for regular people.

This indeed. In the last couple of years, I've had to re-read a whole lot of sentences because I read it as the wrong Al/AI in my head at first.

That yaa can gat ba wath ana waval dasn't maan that wa all shaald start wratang laka thas.

Alright, Lumpy Space Princess

Legal language isn't very natural

Legal language is natural language with particular domain-specific technical jargon; like other uses of natural language, it targets humans who are quite capable of resolving ambiguity via context and not compilers and interpreters that are utterly incapable of doing so.

Not that official State Department communication is mostly “legal language” as distinct from more general formal use of natural language to start with.

The US Supreme Court uses Century or Century Schoolbook.

> Natural language

I said alphanumeric strings not natural language. Things like order codes, authentication codes, license numbers, etc.

No, because normal people can read "l00l" as a number just fine and don't actually care if the underlying encoding is different. AI won't care either. It's just us on-the-spectrum nerds with our archaic deterministic devices and brains trained on them that get wound up about it. Designing a font for normal readers is just fine.

Normal readers know that capital "i" has crossbars on it.

Why design an intentionally ambiguous font? There is only downside to it.

SiFive have had a very long time to create competitive CPUs and they haven't really managed it. I dunno what's going on there but I'm not sure I'd buy them either.

Their P870-D looks plenty competitive.

What they might have issues with is finding clients to license it to.

I would guess the same. Although Android is adding support for RISC-V so I could potentially see them looking into RISC-V Android phones.

Feels kind of unlikely though. Ventana probably ran out of money.

> Traverse the HTML fragment and remove elements as configured.

Well this is clearly wrong isn't it? You need a whitelist of elements, not a blacklist. That lesson is at least 2 decades old.

I mean... "as configured" can me either an allow OR a denylist. That sentence doesn't really prescribe doing it one way or the other..? You have to parse the denylisted elements because they will affect the rest of the parse, so you _have_ to remove them afterwards in the general case.

Looks like it supports both actually: https://wicg.github.io/sanitizer-api/#sanitization

That's better than only supporting `removeElements`, but it really shouldn't support it at all.

Yeah sure. Seems like a big leap from "they use Palintir's software" to implying that it was somehow important for this attack.

Also did they really call it Operation Grim Beeper? Hilarious if true (but I suspect not given how codenames are meant to work).

Grim Beeper was coined by Michael Doran of the Hudson Institute, it was not an internal code name

I was willing to give this a chance because maybe he meant it won't happen soon, but no he's actually saying it will never happen. Crazy.

Why is that idea "crazy", prima facie?

"Never" is an incredibly strong word, and in the bigger scheme of humanity, the universe, and the next billion or so years, _everything_ that we can imagine will happen.

It's an intellectually lazy argument to make. Like saying "we will never walk on the moon" in the 1900's.

Because a) we know human-level intelligence is possible because we can directly observe it, b) GPU development has clearly slowed a lot but it hasn't stopped, c) even if it had stopped that doesn't mean they can never improve ever again, d) GPUs probably aren't the most efficient architecture for AI anyway so there are more opportunities for development even without process improvements, e) we're clearly not that far off AGI.

This is the sort of thing that might have made sense in 2005, not 2025.

Correction: (a) we can observe the effects of human-level intelligence but we don't actually know what human intelligence is because intelligence is best described as a side-effect of consciousness (aka the experience of qualia) and science has yet to provide a convincing explanation of what that is exactly.

> … what human intelligence is because intelligence is best described as a side-effect of consciousness …

Is "human intelligence" and "intelligence" equal?

And: How to become conscious before being intelligent?

Or: If intelligence is a side-effect, how often this side-effect can't be observed?

Xor: What if an intelligent being denies being conscious?

I didn't say in (a) that we know what human intelligence is exactly. I said that we know it is possible. It exists.

I fully disagree on your point (e) and everything pretty much hinges on that.

Especially when you consider that the author is apparently an "Assistant Professor at Carnegie Mellon University (CMU) and a Research Scientist at the Allen Institute for Artificial Intelligence (Ai2)".

I don't think unsafe Rust has gotten any easier to write, but I'd also be surprised if there was much unsafe except in the low-level stuff (hard to write Vec without unsafe), and to interface with C which is actually not hard to write.

Mostly Rust has been used for drivers so far. Here's the first Rust driver I found:

https://github.com/torvalds/linux/blob/2137cb863b80187103151...

It has one trivial use of `unsafe` - to support Send & Sync for a type - and that is apparently temporary. Everything else uses safe APIs.

Drivers are interesting from a safety perspective, because on systems without an IOMMU sending the wrong command to devices can potentially overwrite most of RAM. For example, if the safe wrappers let you write arbitrary data to a PCIe network card’s registers you could retarget a receive queue to the middle of a kernel memory page.

> if the safe wrappers let you write arbitrary data to a PCIe network card’s registers

Functions like that can and should be marked unsafe in rust. The unsafe keyword in rust is used both to say “I want this block to have access to unsafe rust’s power” and to mark a function as being only callable from an unsafe context. This sounds like a perfect use for the latter.

> Functions like that can and should be marked unsafe in rust.

That's not how it works. You don't mark them unsafe unless it's actually required for some reason. And even then, you can limit that scope to a line or two in majority of cases. You mark blocks unsafe if you have to access raw memory and there's no way around it.

It is how it's supposed to work. `unsafe` is intended to be used on functions where the caller must uphold some precondition(s) in order to not invoke UB, even if the keyword is not strictly required to get the code to compile.

The general rule of thumb is that safe code must not be able to invoke UB.

Yes. I was objecting to the parent poster's "can and should be" which sounds like they think people just randomly choose where to use the unsafe decoration.

The situation seems reminiscent of "using File::open to modify /proc/self/mem". It's safe to work with files, except there's this file that lets you directly violate memory safety.

I can't say I got the same feeling. To me, the "Functions like that" lead-in indicated the opposite if anything since it implies some kind of reasoned consideration of what the function is doing.

So if you're writing a device driver in rust...

- Hardware access is unsafe - Kernel interface is unsafe

How much remains in the layer in-between that's actually safe?

All logic, all state management, all per-device state machines, all command parsing and translation, all data queues, etc. Look at the examples people posted in other comments.

Yep. Its kind of remarkable just how little unsafe code you often need in cases like this.

I ported a C skip list implementation to rust a few years ago. Skip lists are like linked lists, but where instead of a single "next" pointer, each node contains an array of them. As you can imagine, the C code is packed full of fiddly pointer manipulation.

The rust port certainly makes use of a fair bit of unsafe code. But the unsafe blocks still make up a surprisingly small minority of the code.

Porting this package was one of my first experiences working with rust, and it was a big "aha!" moment for me. Debugging the C implementation was a nightmare, because a lot of bugs caused obscure memory corruption problems. They're always a headache to track down. When I first ported the C code to rust, one of my tests segfaulted. At first I was confused - rust doesn't segfault! Then I realised it could only segfault from a bug in an unsafe block. There were only two unsafe functions it could be, and one obvious candidate. I had a read of the code, and spotted the error nearly immediately. The same bug would probably have taken me hours to fix in C because it could have been anywhere. But in rust I found and fixed the problem in a few minutes.

In normal user-mode rust, not running inside the kernel at all, you can open /dev/mem and write whatever you want to any process's memory (assuming you are root). This does not require "unsafe" at all.

Another thing you can do from rust without "unsafe": output some buggy source code that invokes UB in a language like C to a file, then shell out to the compiler to compile that file and run it.

Sure, but those are non-central to what the program is doing. Writing to the wrong register offset and hosing main memory is a thing that happens when developing drivers (though usually it breaks obviously during testing).

Right, you're not wrong that this is a possible failure mode which Rust's guarantees don't prevent.

I'm just pointing out that "your program manipulates the external system in such a way that UB is caused" is outside the scope of Rust's guarantees, and kernel development doesn't fundamentally change that (even though it might make it easier to trigger). Rust's guarantees are only about what the Rust code does; anything else would be hard or impossible to guarantee and Rust doesn't try to do so.

> And yet modern assembly does not correspond 1:1 to the micro-ops the CPU runs or even necessarily the order in which they run.

Nobody claimed that. It corresponds to the instructions the CPU runs and their observable order.

Also it's really only x86 that uses micro-ops (in the way that you mean), and there are still plenty of in-order CPUs.

sure, I was thinking of large OO cores. "Correspondd to the instructions the cpu runs and their observable order" is how I'd characterize C as well, but to each their own.