@dalias it's a DoS but not the same as an actual crash, which is unanticipated. There is zero security exposure from an assert failure: no data leak, no unauthorized access, no possibility of code injection. The trigger conditions are clearly spelled out in the assert itself, so it's trivially remedied. Calling it a security issue dilutes the word "security" to meaninglessness.
@bagder the other one we see is calling assert failures crashes. It's not a SEGV, there's no possibility of data exfiltration or RCE. There's no security exposure, it's just a bug. One that was anticipated hypothetically by the original developer, but whose final disposition wasn't decided upon way back when.
E.g. /* can this even happen? */
They toss in an assert, and it lives quietly in the code for decades before someone definitively shows yes, it can happen...
Reminder: AI "generated" code is 100% plagiarized. You must not accept code of unknown provenance into your code base. Doing so opens you up to potential copyright infringement lawsuits. Nobody needs a repeat of the SCO vs IBM lawsuit over ownership of Unix.
Accepting AI-assisted code is just legally untenable. That's black and white, there's nothing to debate. Projects that accept it are idiots and should be shunned.
@libreleah agreed. I wrote LMDB this way as well, return from functions is an error code or 0 for success; any values to be returned go thru the parameter list.
Today we explore several B-Tree variants designed to overcome the limitations of traditional database indexing, specifically targeting issues like write amplification and concurrency overhead. The author categorises these systems into distinct strategies: Copy-on-Write models like #LMDB ensure data integrity through immutability,...
@dalias my Huawei phones have an "Optimizer" app that tells me it is periodically deleting "junk" but never tells me what got deleted. Only barely better than useless.
The other feature I hate is Android now silently removing permissions from apps I "haven't used recently" even though they're always running in the background. Like microG services, which breaks periodically because its permissions get removed, even though Settings shows them still enabled.
@dansup @matrix @xmpp Signal still just crashes on startup on my Huawei phone. It apparently uses Google APIs so it certainly isn't escaping from BigTech.
@skinnylatte yeah, my parents always laughed at American restaurants advertising homestyle cooking. Why go out for something we can make at home? Going out had to be for really special stuff...
@stefano I've always been disgusted with the proliferation of docker and containerization. Just insane.
At this point, application vendors should be shipping monolithic apps with statically linked libraries. No need for any further isolation from system dependencies.
Think of the stupidest possible approach to anything, and that's the one they pick. That was also what introduced me to the bloat of glib and dbus. <shudder>
@nikitonsky maybe. The majority of code I've seen shows that not everybody is capable of writing a properly functioning cache, and most programmers shouldn't bother with it.