@kura @quad
> PewDiePie is a normie
*was
look at the glint in his eyes when he's talking about freedom
when he's talking about having the power to fix things
either he's a very good actor, or he's one of us :D
@quad @kura
How to learn 2 linux:
1. Windows fucked up the registry, can't boot
2. Your dad can't fix it until next week
3. You're bored and all you have is Knoppix live CD
@cjd hmm idk, without being a mechanic I wouldn't dare to remove the engine head from the block.
And my uncle who's a mechanic has pulled many engines out of the engine bay to disassemble them into pieces... though I guess most of them were inline-4 2.0 or smaller
@cjd and then there are mechanics who can't get manuals and have to make up for it by being smart...
@cjd does the electronics impact things that much tho?
AFAIK the main thing it changes is you hook up an OBD tool to read the error code before you start replacing parts, and then once you're done replacing a part you clear the error and see if it pops up again.
@ayo btw what do you call it in Dutch?
@ayo in Polish it's "wolne oprogramowanie", where "wolne" can mean both "free as in freedom" and "slow", which is quite funny :D
@ignaloidas @amonakov @uecker
> node
> long-term maintenance
Citation needed
@uecker @ignaloidas @amonakov
trick question:
how much time does each of you (Martin in C, Ignas in Python) spend checking whether the library authors promise backwards compatibility, security updates, and whether they're likely to still be around 3 years from now?
@ignaloidas @amonakov
NSS
GnuTLS
OpenSSL
LibreSSL
BoringSSL
WolfSSL
mbedTLS
AWS-LC
did I miss any?
@amonakov what about things that cannot be implemented in a portable way (like stdio, file io, sockets, etc) ?
@rin @jonossaseuraava are you sure this isn't upside-down arabic? :thinkeyes:
@algernon moral of the story: computers are fast, we're just using them wrong most of the time?
@ayo so, I don't know how perl packaging works, but assuming it works like pip:
typically language-level package managers don't have the ability to add a dependency on OS-level tzdata... so I don't see an advantage of getting the source from a language-specific package repository as opposed to straight from the maintainer's website / github / etc
@ayo (if there was, it'd be packaged by your distro, not on CPAN)
@makdaam @domi @lanodan
oh, and also about goals
At my $dayjob, the reason I do anything about vulns at all is compliance with a standard.
But I look at the standard, try to figure out why someone would put a particular requirement in the standard, and try to think of something that we could do that is actually useful, that could also be argued to check the box.
I think this might be a rare attitude.
@makdaam @domi @lanodan
Now, you could argue that if the checkbox didn't shield companies from liability, they would care more about security, because simply ignoring vulns would get them sued to oblivion.
And maybe that is the case in some fields.
But IME it's more about the choice between trying to meet an impossible standard, and not giving a fuck thus doing nothing.
2/2
@domi @lanodan
IME the hardest part of the problem is that if a python library has 50 functions
one of them is vulnerable
and you use a different one
with input that is not user-controlled
it's still getting flagged, and there's no way to filter that out without someone who understands the code taking a look at it.
In an ideal world, vulns would be expressed through a type system.
1/
@domi @lanodan
but IRL, if I could just
take all known exploits
automatically run them against our public endpoints, to find all the things a script kiddie can easily find
and patch only those things
that'd probably prevent 80% of the likely attacks for 10% of the effort
@makdaam @domi @lanodan
don't worry about thread necromancy, it hasn't even been a week yet
So you're saying that the checkbox exists purely for performative/blameshifting purposes?
I think even if that is true, the side effect of complying with the checkbox is doing some good things. In this case - how do you make the CVE scanner happy without patching at least some vulns?
And if you patch some vulns, you're already doing better than those who don't give a fuck.
1/
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.