Hacker Newsnew | past | comments | ask | show | jobs | submit | exfascist's commentslogin

Open source and large dependency trees are orthogonal. You can depend on closed modules in compiled languages, many people do. You can write open source software and only depend on the standard library, many people do.


I don't run nigtly browser builds because that's too much to keep up with. I have actually read quite a bit of the code for the browser I use. I read almost everything I deploy because I'm responsible for it. Using other people's code absolves you from maintenance but not responsibility, that's something people need to start understanding. It's a very reasonable expectation that you read through your dependencies, if it's too much then it's time to trim some fat.


If empathy isn't your thing then consider the secondary consequences of this. Many of those people the "pendulum" is swinging away from already feel pretty excluded by society and have little reason to participate. It's driving a mass movement, it's likely what got Trump elected, and it's likely to swing the pendulum back very hard in the direction you don't want it to go.

You need to make sure you're not pushing people too hard.


Empathy is pretty important to me and as I understand it's the primary motivation of folks looking to shift communication in public code repositories towards more inclusive language, actually. It's remarkable that asking for that empathy is somehow a bridge too far and the onus to be empathetic and not 'push too hard' is on those looking to make life a bit friendlier towards gender minorities.


I never interact with cookie banners at all as some sites interpret that as consent (despite what the law says.) If it's in the way I delete it with the web inspector.


Mobile OS dev makes Windows look nice. At least windows has some cross platform toolkits (TCL/TK, Wx etc.)


One nice thing about recent versions of SSH is that they include support for signing arbitrary messages with your ssh key. I know you're not supposed to re-use keys but there have been situations where I needed to prove my identity to people who only had my ssh public key. This would have been super useful in the past.


The OpenSSH arbitrary signing comes with a rationale for why this is actually safe. Basically they know these keys are intended for SSH, for which they will sign messages with a particular structure, and so they can choose the structure signed for the "arbitrary data signing" feature so that the two are necessarily disjoint - so no possible "arbitrary data" signature can be confused for a "I'm signing in to this SSH server" signature, and you're at no risk.

Thus, even if you allow some adversary to literally pick the arbitrary data, when you'll sign that data and so on, your signing it cannot possibly allow them to impersonate you to a SSH server.

This is easier to pull off than the rationale for key re-use in encryption because signing opaque blobs is a neutral action your SSH client already does, if adversaries could learn your keys or whatever from seeing you sign such a blob, then SSH authentication itself would be unsafe already. In contrast decrypting data an adversary sent to you might reveal something, especially if you can be persuaded (as happened for HTTPS with older TLS versions and most popular implementations) to tell the adversary what happened when you tried so this will usually be dangerous and a rationale for why it's safe must be thorough if we want non-experts to do it.


> In contrast decrypting data an adversary sent to you might reveal something, especially if you can be persuaded (as happened for HTTPS with older TLS versions and most popular implementations) to tell the adversary what happened when you tried so this will usually be dangerous and a rationale for why it's safe must be thorough if we want non-experts to do it.

What exactly happened for HTTPS with older TLS versions? Sounds like you’re alluding to some sort of oracle attack.


A sort of oracle, yes. I believe there's a vulnerability with servers that are willing to attempt RSA kex (which no longer exists in TLS 1.3 and has been a bad idea for many years), where you can (at least in principle) arrange for them to do an operation which either reveals some bits of their private RSA key (extremely bad) or is equivalent to RSA signing a message of your choosing. RSA kex involves the server attempting to RSA decrypt messages chosen by an adversary.

It's fuzzy, perhaps somebody will remind me of the specifics.


> there have been situations where I needed to prove my identity to people who only had my ssh public key

Just wondering what kind of situation can this be where someone has only your ssh public key? Usually people know each other via say, github user names or irc handles but ssh public keys? (genuinely curious)


For github: https://github.com/$user.keys


In reality X (who are actually citizens, part of the issue with statistics is that people have been playing games with the border and 1/10 X are not from here now which actually does disproportionately affect X but no one wants to talk about it since it's not popular (or part of the common PR.)) tends to have an ID and the suggestion that it's difficult for them is a little condescending.


It's statistics, government policy and literally the words of people who enacted these laws.

UK doesn't require photo ID to vote as well. No mail-in voting has provisions for photo ID, as well.


I'm still not convinced it isn't partially related to the word "base" as in "bad" or "cool" which has been used for a pretty long time.


I think its origin is being high on crack cocaine (freebase) and feeling good as a result


From “All your base are belong to us.” Not a new term. It’s a gamer thing.


If they had simply removed the default password entirely without removing the default user both groups would be satisfied. It's not clear to me why they removed both.


There's a very simple argument for hygiene and convention: The halting problem should make code unreadable, it doesn't largely because of hygiene and the shared knowledge formed by programmer culture. These things restrict the language to something that's just Turing complete and much easier to read.

There is a such thing as legitimately unreadable code, I've had to deal with it. Usually it's abusing things like the blurry line between objects and hashmaps in languages like js and Ruby.


(1) I understand your point: consistently obeying sensible conventions makes code understandable and maintainable. That's a fairly good argument in favor of consistently using Error for all thrown things.

(2) One unrelated point: I suspect that the halting problem doesn't prove what you think it proves. The halting problem states that one can't build a tool to reliably analyze whether a given piece of code will end or will run forever. Some people seem to believe that this means some code will be "incomprehensible" -- that no code analysis can figure out what it does.

I am quite interested in the question of whether code can be made "incomprehensible" -- it has significance for things like securely protecting source code. But the halting problem would still be true even if "incomprehensible" code obfuscation is impossible and all programs can be "understood". Here's a good example of a program that might or might not halt:

  stop_at = input_number()
   x = 2
   while x < stop_at:
       if is_prime(x) and is_prime(x + 2):
           break
       x += 1
If the twin prime conjecture is true than that program always halts. If the twin prime conjecture is false than that program is an infinite loop whenever its input is larger than the largest twin prime.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: