Notices by Filippo Valsorda (filippo@abyssdomain.expert), page 2

@cks @whitequark @mei I had in mind to reach out to you, so hi :)

People are reading more into my off-hand pager comment than I intended. Google asks for two email addresses of “representatives” just so that there’s a fallback if eg there’s a vulnerability and the main person in on vacation. They don’t actually page anyone. It’s fine if the SRE work is done by a single person in the end.

@whitequark @mei I am listening! For example?

@whitequark @mei I am curious too! To be fair it's the least urgent pager ever. 22h of allowed downtime!

If we get zero new logs, we'll finish the work on Verifiable Indexes (which replace the need to scrape the whole log, drastically reducing outbound) and try again next year.

@glyph @whitequark oh 100%

However, I'd be fine with a policy of "it's not the moderators' job to educate you, either take this spontaneously as a learning opportunity, or leave".

@whitequark @glyph I don't know enough about the specifics of the Nix issue, but that sounds like a values mismatch with leadership, and I acknowledge that strict moderation enforces the leaders' values. If they are different from yours or mine, we won't be a good fit! There are settings where you can't just say "find better leaders and make another community" but there are settings in which you can! I wish we explored the latter more.

@whitequark @glyph I see the risk in theory, but I can't remember from my experience a jerk in IETF-like spaces who was a legitimately upset stakeholder rather than a dude with opinions.

FWIW I think gish gallops should also get moderated brutally. I am not asking for politeness, I am asking for subjective moderation action that matches what everyone is saying in the parallel emotional support group chats.

I wish we had spaces to collaborate on technical work where being a jerk was just not allowed. Like, actual proper fearless moderation.

Your reply starts with "No." on its own line? Two weeks ban. Learn to behave.

You go on a tear about another participant? One year ban. No warning.

I'm a privileged white dude with 20k followers and even I hesitate to contribute to some spaces because of the mailing list hand-to-hand combat.

Imagine how many contributions by talented folks we are wasting!

@jcoglan gee, trying new ideas for open source maintenance sustainability, I should consider trying that

Looks like the same poorly implemented Android CT library that broke a lot of apps a couple years ago... did it again 🤦♂️

https://github.com/appmattus/certificatetransparency/issues/143#issuecomment-2993688741

@julijane it’s not so black and white. If you are an unpaid maintainer you have no obligation to put in extra work, for sure. But if you do take down the banking system of a country once (still not your fault!) and people tell you your library is broken… I think you start having a responsibility to either deprecate it, fix it, or at least warn users. We live in a society.

@dalias Note that the "🤡🚗 browser" is the one that was already working on an actual definitive solution that would ship by default to all their users instead of the subgroup that installed the right extension.

https://localmess.github.io/#disclosure

And yes, uBO Lite (the MV3 ad-blocker I keep being told doesn't work but works) has the LAN intrusion list.

I'm so tired of vibe-based criticisms that ignore factual reality.

I usually get where big tech is coming from, but this is just malicious tracking. If you're an engineer and you're asked to implement something like this, it's time to whistleblow.

I hope the IE DPA will look into it.

Anyway, Local Network Access (https://github.com/explainers-by-googlers/local-network-access) can't come soon enough.

https://localmess.github.io

I am writing an application that really cares about durability of created files (a Certificate Transparency log), and... oof.

I fsync the file. I fsync the directory. Ok.

But... how do I test it? Even targeting a specific filesystem, I have to make VMs and try to race killing them?

Oof. Reportedly, if you got a certificate from SSL.com by putting “example[@]gmail.com” at _validation-contactemail.example.com, they would add gmail.com (!!!) to your verified domains.

A good reminder to use the CAA record, and to sign up for CT monitoring (e.g. Cert Spotter).

https://bugzilla.mozilla.org/show_bug.cgi?id=1961406

@yossarian something related that I'm getting convinced of is that in e.g. crypto/tls we should do profiles instead of config options.

We take responsibility for the defaults, but then we say "if they don't fit, here are all the dials". Instead, we should have opinionated FIPS 140, compatibility, modern, etc. profiles, just like we have the default profile.

It’s disheartening to see AI reactionism lead my community to a 180° on copyright.

Everyone is merrily attacking LibGen now. If it didn’t exist, big tech companies would still find training data, it just wouldn’t be accessible to regular people.

@whitequark to be fair the clever campaign that everyone seems to be falling for lets you search for your books in the dataset, but still disappointing from people that I would have never imagined calling for the shutdown of TPB or ZLib

Ever wanted to benchmark RSA key generation but found it too slow and variable, like benchmarking a lottery? No? Just me?

Well, I nerd-sniped myself into producing average representative inputs that can be used to benchmark, profile, and compare RSA keygen.

Happy New Year(?)!

https://words.filippo.io/dispatches/rsa-keygen-bench/?source=Mastodon

Reusable vectors and generator at https://c2sp.org/CCTV/keygen.

age v1.2.1 fixes a security vulnerability in the CLI and in the plugin Go package.

An attacker that controls a recipient, identity, or plugin name could cause age to execute arbitrary binaries. On Linux and macOS, the attacker needs some control over $TMPDIR.

Advisory: https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c
Release: https://github.com/FiloSottile/age/releases/tag/v1.2.1
Also fixed in rage: https://github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w

Thanks to ⬡-49016 for reporting this!

The Go team plans to issue a security fix for the golang.org/x/crypto/ssh package in the golang.org/x/crypto module on Wednesday, December 11th.

https://groups.google.com/g/golang-announce/c/ZA1tNV10Mcs