GNU social JP
GNU social JP is a Japanese GNU social server.
Notices by jcoglan (jcoglan@mastodon.social)

  1. jcoglan (jcoglan@mastodon.social)'s status on Sunday, 08-Mar-2026 01:45:17 JST
    in reply to
    • Janneke

    @janneke not sure I understand what you mean by this, can you elaborate?

    In conversation about 3 months ago from mastodon.social
  2. jcoglan (jcoglan@mastodon.social)'s status on Thursday, 05-Mar-2026 21:25:38 JST

    is there a critique of that Knuth article? lots of people are gushing about it just b/c it's him, but I'm not familiar enough with its subject matter to tell if it's legit. however, stuff like this feels really off:

    "Filip Stappers tested Claude’s Python program for all odd m between 3 and 101, finding perfect decompositions each time. Thus he concluded, quite reasonably, that the problem was indeed solved for odd values of m."

    like, that's not how maths works

    In conversation about 3 months ago from mastodon.social
  3. jcoglan (jcoglan@mastodon.social)'s status on Thursday, 26-Feb-2026 01:29:48 JST
    in reply to
    • Soatok Dreamseeker
    • Rich Felker

    @dalias @be_far @soatok yeah the perf arguments for this are weak. a better argument is minimising the amount of material you need to decrypt for each task. if you need to index on a particular thing, build that index and stick it in an encrypted doc like anything else

    In conversation about 4 months ago from mastodon.social
  4. jcoglan (jcoglan@mastodon.social)'s status on Thursday, 26-Feb-2026 01:26:07 JST
    in reply to
    • Soatok Dreamseeker
    • Rich Felker

    @dalias @be_far @soatok yeah I've always been skeptical of how much application structure is plaintext. in the doc store I work on, all docs are opaque and the ID index is also an encrypted blob

    In conversation about 4 months ago from mastodon.social
  5. jcoglan (jcoglan@mastodon.social)'s status on Thursday, 26-Feb-2026 01:00:33 JST
    • Soatok Dreamseeker

    @be_far @soatok not using the AD in AEAD to pin the identities of such fields is also baffling

    In conversation about 4 months ago from mastodon.social
  6. jcoglan (jcoglan@mastodon.social)'s status on Thursday, 26-Feb-2026 00:54:21 JST

    RE: https://furry.engineer/@soatok/116132036314035223

    it is astonishing to me that this (i.e. security under an untrusted server) is novel research to these systems. ever since I started developing vault (2012) my model has been: I want to sync my secrets with dropbox, and I do not trust dropbox either not to look at my data or to preserve its integrity. these are ideas you would get from any basic introduction to cryptography

    In conversation about 4 months ago from mastodon.social

    Attachments

    1. Soatok Dreamseeker (@soatok@furry.engineer)
      from Soatok Dreamseeker
      https://eprint.iacr.org/2026/058 Wow
  7. jcoglan (jcoglan@mastodon.social)'s status on Thursday, 19-Feb-2026 00:19:45 JST

    RE: https://furry.engineer/@soatok/116092111810620052

    "Two popular AES libraries, aes-js and pyaes, “helpfully” provide a default IV in their AES-CTR API" nope. nope nope nope

    this isn't a "this is suboptimal" problem this is a "the encryption is completely pointless" problem

    In conversation about 4 months ago from mastodon.social

    Attachments

    1. Soatok Dreamseeker (@soatok@furry.engineer)
      from Soatok Dreamseeker
      Oof. Big oof. https://blog.trailofbits.com/2026/02/18/carelessness-versus-craftsmanship-in-cryptography/
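Added example (my code, not jcoglan's and not aes-js or pyaes): a toy encrypt-then-MAC AEAD built from HMAC-SHA256 that exercises both the AD point from notice 5 and the default-IV point from notice 7. The HMAC keystream stands in for AES-CTR (the nonce-reuse failure holds for any CTR-style stream); `seal`, `open_`, the record/field names, key and nonces are all constructed for illustration.

```python
import hmac
import hashlib

NONCE_LEN, TAG_LEN = 16, 32

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # CTR-style: block i = PRF(key, nonce || i). Same (key, nonce) => same stream.
    blocks = [_prf(key, nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(mac_key, ad, nonce, ct):
    # Length-prefix the AD so the (ad, nonce, ct) boundaries are unambiguous.
    return _prf(mac_key, len(ad).to_bytes(4, "big") + ad + nonce + ct)

def seal(key, nonce, ad, plaintext):
    # Encrypt then MAC. `ad` is authenticated, not encrypted: put the field
    # name / record id here so a ciphertext cannot be moved to another field.
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    return nonce + ct + _tag(mac_key, ad, nonce, ct)

def open_(key, ad, blob):
    # Returns the plaintext, or None if the tag does not match (ad, nonce, ct).
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, ad, nonce, ct)):
        return None
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))

def field_swap_rejected(key):
    # Notice 5: with the field identity in AD, record 42's 'password' blob is
    # rejected when presented as its 'username' field, but opens under its own AD.
    nonce = b"\x01" * NONCE_LEN  # constructed; real code uses a fresh nonce per call
    blob = seal(key, nonce, b"record:42/password", b"hunter2")
    return (open_(key, b"record:42/username", blob) is None
            and open_(key, b"record:42/password", blob) == b"hunter2")

def ct_xor_equals_pt_xor(key, iv1, iv2, p1, p2):
    # Notice 7: when iv1 == iv2 (a library-supplied default), the keystreams are
    # identical, so c1 XOR c2 == p1 XOR p2 and the ciphertexts leak plaintext structure.
    c1 = seal(key, iv1, b"", p1)[NONCE_LEN:NONCE_LEN + len(p1)]
    c2 = seal(key, iv2, b"", p2)[NONCE_LEN:NONCE_LEN + len(p2)]
    return _xor(c1, c2) == _xor(p1, p2)
```

The fix for the notice 7 case is not a better default but no default at all: the caller must supply a nonce that is never repeated under the same key.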
  8. jcoglan (jcoglan@mastodon.social)'s status on Tuesday, 06-Jan-2026 20:33:53 JST
    in reply to
    • ✧✦Catherine✦✧

    @whitequark I think you're supposed to learn it from tv shows about the police

    In conversation about 5 months ago from mastodon.social
  9. jcoglan (jcoglan@mastodon.social)'s status on Tuesday, 25-Nov-2025 22:07:25 JST

    it is really astonishing that npm has not even publicly acknowledged the potentially ongoing credential-stealing worm attack. what is going on in there

    In conversation about 7 months ago from mastodon.social
  10. jcoglan (jcoglan@mastodon.social)'s status on Tuesday, 25-Nov-2025 22:07:24 JST

    this doesn't mean you can't *automate* publishing; there's a lot to like about automation and I won't pretend I love doing my publishing "manually". but you do need it to be *actively supervised* and prove that the package owner has specifically authorised each release

    In conversation about 7 months ago from mastodon.social
  11. jcoglan (jcoglan@mastodon.social)'s status on Tuesday, 25-Nov-2025 22:07:24 JST

    as long as npm continues to allow any form of unsupervised publishing, this will continue to be a problem. I don't think that reducing token lifetime will help; it is an annoyance that people will just work around. you have to *require* the active participation of the publisher

    In conversation about 7 months ago from mastodon.social
  12. jcoglan (jcoglan@mastodon.social)'s status on Tuesday, 25-Nov-2025 22:07:24 JST

    I'll also note that this is being framed as "supply chain security" when the actual problem is the combined set of capabilities of npm and github, both of which are the property of microsoft. this is a microsoft problem

    In conversation about 7 months ago from mastodon.social
  13. jcoglan (jcoglan@mastodon.social)'s status on Thursday, 20-Nov-2025 18:10:38 JST

    no. no!

    In conversation about 7 months ago from mastodon.social

    Attachments

    1. https://files.mastodon.social/media_attachments/files/115/577/612/703/007/313/original/f4bca39890860cb9.jpg
  14. jcoglan (jcoglan@mastodon.social)'s status on Saturday, 15-Nov-2025 22:03:20 JST
    in reply to
    • ✧✦Catherine✦✧

    @whitequark right, just put nginx on any old commodity cloud server and you get instant page loads. all my own stuff is hosted like this. I'm only using github pages because it seemed slightly more convenient for publishing stuff about some work in progress but I'll probably move it

    In conversation about 7 months ago from mastodon.social
  15. jcoglan (jcoglan@mastodon.social)'s status on Saturday, 15-Nov-2025 21:58:15 JST
    in reply to
    • ✧✦Catherine✦✧

    @whitequark and then it's still slow as hell to serve pages even when you know it cannot possibly be generating them on the fly because it doesn't know about the build tool you used

    In conversation about 7 months ago from mastodon.social
  16. jcoglan (jcoglan@mastodon.social)'s status on Saturday, 15-Nov-2025 21:54:45 JST
    in reply to
    • ✧✦Catherine✦✧

    @whitequark the odd thing is that it's not even a lot of effort to use any other tool; I use mdbook for a bunch of things. but the workflow is very, uh, non obvious

    In conversation about 7 months ago from gnusocial.jp
  17. jcoglan (jcoglan@mastodon.social)'s status on Saturday, 08-Nov-2025 07:20:51 JST

    a while ago I tested chatgpt specifically on the details of using AES-GCM correctly and it gave multiple dangerously wrong answers. a password manager dev should at least know to ask such questions, so they're better off than a naive user who doesn't even know what to check for, but this does not fill me with confidence https://blobfox.coffee/@Ember/115507736529184708

    (disclosure: I make my own pw manager and encrypted DB and am generally hostile to genAI)

    In conversation about 7 months ago from mastodon.social

    Attachments

    1. Ember :catplant: (@Ember@blobfox.coffee)
      from Ember :catplant:​
      Content warning: password manager PSA (keepassxc)
  18. jcoglan (jcoglan@mastodon.social)'s status on Friday, 17-Oct-2025 23:11:24 JST

    the ruby ecosystem, in particular the people running the package repo, have set a precedent that if you make something and it becomes important, it can be taken from you with no due process

    In conversation about 8 months ago from mastodon.social
  19. jcoglan (jcoglan@mastodon.social)'s status on Friday, 17-Oct-2025 23:11:23 JST

    like, nobody at RC seems to think they owe anyone an explanation for how they even came to have ownership of rubygems and bundler. they have never demonstrated any basis for this claim

    In conversation about 8 months ago from mastodon.social
  20. jcoglan (jcoglan@mastodon.social)'s status on Friday, 17-Oct-2025 22:09:30 JST

    the rubygems and bundler projects continue to change hands with nobody having ever explained how they came to be in the possession of ruby central https://www.ruby-lang.org/en/news/2025/10/17/rubygems-repository-transition/

    In conversation about 8 months ago from mastodon.social

    Attachments

    1. The Transition of RubyGems Repository Ownership

    jcoglan

    he/him : you may know me as @mountain_ghosts on twitter : I wrote some books you can buy from https://shop.jcoglan.com


          GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

          Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.