@dalias also, under the right circumstances, new functions that _are not overloads_ but alter the behavior of argument dependent name lookup ("Koenig lookup")
Notices by cliffle@hachyderm.io
cliffle@hachyderm.io's status on Friday, 28-Mar-2025 06:44:42 JST cliffle
cliffle@hachyderm.io's status on Friday, 28-Mar-2025 01:41:43 JST cliffle
@dalias fair. Sometimes it can be difficult to predict which interfaces wind up being external, of course. For instance, if one component can be tricked into skipping a validation layer and handing a block of code to a more internal component, any issues in that internal component could be accessible.
Really though, what we're getting at is that distinguishing internal from external can be hard and takes a judgement call.
cliffle@hachyderm.io's status on Thursday, 27-Mar-2025 23:59:56 JST cliffle
@dalias While I think you've got a point here, the main caveat I'd offer is around security vulnerabilities. I keep finding "no dependency" programs (which in practice means they vendored, or just copy-pastad, some code) with out-of-date and vulnerable versions of things.
If every program did this, the process of stamping out those vulns would be very involved.
cliffle@hachyderm.io's status on Sunday, 09-Mar-2025 12:44:49 JST cliffle
@dalias I mean, it _is_ a vulnerability, just not in _your_ threat model. (Or mine.) They should probably not have included arbitrary memory read/write commands in the HCI. Seems sketchy.
But this isn't going to allow drive-by rooting of your coffee pot or whatever, as far as I can tell.
cliffle@hachyderm.io's status on Sunday, 09-Mar-2025 11:55:45 JST cliffle
@dalias the more detailed discussions use the term "HCI," which would be the _host controller_ interface -- the serial link from the ESP32 to the device it's installed in. This suggests that it's a way to root the (certified, fixed-firmware) Bluetooth module from a device it's installed in, which does sound useful, but is not at all a remote-accessible backdoor.
All the advisories are damn short on details though. I could be completely wrong.
cliffle@hachyderm.io's status on Saturday, 08-Mar-2025 13:21:05 JST cliffle
@dalias hard agree.
cliffle@hachyderm.io's status on Wednesday, 05-Mar-2025 10:39:51 JST cliffle
@dalias you doing a 4S pack?
cliffle@hachyderm.io's status on Saturday, 01-Mar-2025 08:27:18 JST cliffle
@dalias @shironeko just remember to vent the hydrogen somewhere if you're doing this indoors. (Lead-acid wants venting.)
cliffle@hachyderm.io's status on Saturday, 01-Mar-2025 07:55:32 JST cliffle
@dalias Well, that saves me some time! Thanks!
cliffle@hachyderm.io's status on Saturday, 01-Mar-2025 07:53:25 JST cliffle
@dalias ugh, yes, that does sound annoying. One of the projects in my backlog is a little board that takes DC and negotiates PD source at the voltage you tell it to, because I can't find one on the internet.
cliffle@hachyderm.io's status on Saturday, 01-Mar-2025 07:48:25 JST cliffle
@dalias it's true. TBH I feel like USB-PD is my favorite thing that's happened to DC supplies recently. I get folks' frustrations with USB-C more broadly, but this whole "power supply is smart and can negotiate while still being cheap" thing is neat.
cliffle@hachyderm.io's status on Saturday, 01-Mar-2025 07:41:31 JST cliffle
@dalias I charge laptops and things from limited DC supplies kind of a lot, and as far as I can tell, every one made in the last 20+ years carefully regulates how much power it draws from the charger. Your laptop might be _able to_ charge at 100W, but if the voltage starts drooping at 45W, it'll work that out.
So, yeah, ignore this "expert," those PD-to-barrel cables are great.
cliffle@hachyderm.io's status on Tuesday, 18-Feb-2025 11:52:54 JST cliffle
@dalias Since you asked for feedback in the message:
I might consider swapping the position of "automated tools" and "AI" in some of the sentences, because I think a certain subset of people will hit "AI" and decide it doesn't apply to (say, hypothetically) the low quality static analyzer they're beating you with. Making it a slightly more general "no patches generated by automated anything unless you've convinced yourself they're fixing something real" might help stop that noise from good-intentioned actors.
Non-good-intentioned actors, of course, won't be stopped by a policy. So we can ignore those for now.
cliffle@hachyderm.io's status on Tuesday, 18-Feb-2025 09:23:57 JST cliffle
@dalias just wanted to leave this here:
https://link.springer.com/article/10.1134/S0361768814050041
"acceptable quality of analysis (30-80% of true positive warnings"
I'm unfamiliar with this journal.
cliffle@hachyderm.io's status on Thursday, 30-Jan-2025 10:41:46 JST cliffle
@dalias if the goal is to poke certain dudes in the insecurity, using gender-neutral language will probably further that goal!
cliffle@hachyderm.io's status on Friday, 10-Jan-2025 09:31:23 JST cliffle
@mekkaokereke there's also increasing evidence (I don't have the study at hand, but I could probably track it down if you haven't seen it) that regions with high "natural" biodiversity in the Amazon are actually heavily cultivated areas, maintained over thousands and thousands of years by the folks living there.
(Who, incidentally, have been saying that the whole time.)
The forests just don't look like European-style row crops, so we don't see them.
cliffle@hachyderm.io's status on Sunday, 10-Nov-2024 08:42:32 JST cliffle
@dalias that's true, though it's not great at getting things from _under_ the keys. My J key was being squishier than it should've.
Flipping the laptop upside down and blowing should do, if the keyboard doesn't come out easily.
cliffle@hachyderm.io's status on Monday, 19-Aug-2024 16:29:18 JST cliffle
My tote bag is attracting a lot of questions that I was pretty sure were answered by my tote bag.
cliffle@hachyderm.io's status on Thursday, 11-Jul-2024 09:17:24 JST cliffle
Well, great. My #FrameworkLaptop 16 has stopped detecting DisplayPort alt mode connections on any of its expansion ports.
It's been working okay since I replaced the non-functional keyboard and webcam they initially sent me, but I'm starting to run out of patience with the hardware issues on this expensive-ass laptop.
cliffle@hachyderm.io's status on Sunday, 23-Jun-2024 05:33:50 JST cliffle
New theory: the Intel microarchitecture naming scheme's secret unifying theme is "places where you could imagine being hunted by wolves"