Tim Bray
This is beautiful; pure poetry: https://obsidian.md/blog/less-is-safer/
(Obsidian’s dependency-management philosophy.)
I have a suggestion: If you have a project or repo that's getting popular, stop writing features for a few months and implement this instead.
Paul Cantrell
I do have to chuckle a bit when one of dependencies they list in their minimal, disciplined list is Electron — a behemoth of a black box with more complexity than some entire operating systems.
Paul Cantrell
@juandesant @timbray
I do agree to a large extent — or at least hope for it to be true! — but your sentiment suggests that •quality• of maintenance matters at least as much as the sheer •quantity• of dependencies.
Dr. Juande Santander-Vela
@inthehands true, but that is indeed a large library, and that means it will only be updated consciously.
/cc @timbray
Paul Cantrell
This set me off on a long train of thought, which I didn’t want to jam in your mentions but in case you’re interested: https://hachyderm.io/@inthehands/115237749357270051
jwz
@inthehands @timbray It's important to stay bug-compatible with the WebP exploit du jour! https://jwz.org/b/ykEL
Paul Cantrell
Yuuuuuup.
Paul Cantrell
@shriramk @juandesant @timbray
I’m out of my depth here, and know nothing about OCAP systems applied to software. Can you say more? (Are we talking about out-of-control action plans here? Or is OCaps something else and I’m even more out of my depth than I think?)
Shriram Krishnamurthi
@inthehands
But all this keeps pushing the issue back onto humans, and ignoring that there are technical solutions we can and should be implementing.
POLA is a thing, and OCaps-type systems help us have our reuse cake along with our POLA confinement.
I don't find the Obsidian post "beautiful" or "pure poetry"; I view it as a symptom of broken tools.
@juandesant @timbray
Paul Cantrell
@buherator @timbray
Maybe? But if people are keeping sensitive data in their private Obsidian notebooks, exfiltration via a supply chain attack could be devastating.
buherator
Shriram Krishnamurthi
@inthehands
OCap = object capabilities
Probably the best place to learn more is to follow pointers from here:
http://www.erights.org/
@juandesant @timbray
Paul Cantrell
@shriramk @juandesant @timbray ooooohh! Well, I was certainly barking up the wrong tree (and am still well out of my depth).
I am always warm to any alternative to the current model of computing that starts with the assumption that every program should have privileges identical to the human who chose to install/run it.
Paul Cantrell
@shriramk @neilmadden @juandesant @timbray
Wasn’t me. I’m still learning! It was here:
Shriram Krishnamurthi
@neilmadden
Also @inthehands just pointed me to this:
https://justinpombrio.net/2021/12/26/preventing-log4j-with-capabilities.html
Neil Madden
@shriramk @inthehands @juandesant @timbray
Kate Sills’ evergreen article is a great place to start, IMO:
https://medium.com/agoric/pola-would-have-prevented-the-event-stream-incident-45653ecbda99
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.