HackerTrans
TopNewTrendsCommentsPastAskShowJobs

gnl

no profile record

comments

gnl
·5 months ago·discuss
I don't know, but if there were, I wouldn't expect them to do anywhere near as good a job or – perhaps somewhat counterintuitively – be anywhere near as reliable. Static rules only go so far when it comes to this stuff. And assuming that you're starting from a trustworthy base, and Claude Code (or similar) can focus its attention on recent changes to the repo in particular, I imagine sneaking actual malware in there would be pretty hard without throwing up a bunch of red flags.

See also:

- [0-Days \ red.anthropic.com]( https://red.anthropic.com/2026/zero-days/ )

EDIT: The main challenge here is more likely to be the noise, as the LLM is more likely to flag too much than too little, so I'd recommend putting together a prompt that has it group whatever it finds by severity and likelihood of malicious intent.

EDIT 2: Re Anthropic link above – worth pointing out that finding intentionally introduced malware when you have access to the source code and git history is a hell of a lot easier than finding a 0-day. The malware has to exfil data eventually or do ransomware stuff, good luck hiding that without raising the alarm, plus any attempt at aggressive obfuscation will raise the alarm on its own. I'm not saying it's impossible, I am saying that I think it's very very hard.
gnl
·5 months ago·discuss
Yeah that one's too much for me too, I used to do this years ago, but not anymore. Especially since I found out Brave supports network blocking for extensions, which is something you generally set up once and then forget about it. I'm just giving people tools and ideas I didn't see mentioned elsewhere in the comments, it's up to everyone to figure out their particular threat scenarios and tradeoffs individually.

This could probably be automated though if someone wanted to tackle it. git pull, agentic code review, auto-build from source, install.
gnl
·5 months ago·discuss
Couple of quick thoughts on how to protect yourself from having a formerly trustworthy extension go rogue on you:

- https://github.com/beaufortfrancois/extensions-update-notifi...

And then you can do whatever you feel is an appropriate amount of research whenever a particularly privileged extension gets updated (check for transfer of ownership, etc.)

- brave://flags/#brave-extension-network-blocking

You can then create custom rules to filter extension traffic under brave://settings/shields/filters

e.g.:

  ! Obsidian Web
  *$domain=edoacekkjanmingkbkgjndndibhkegad
  @@||127.0.0.1^$domain=edoacekkjanmingkbkgjndndibhkegad

- Clone the GitHub repo, do a security audit with Claude Code, build from source, update manually
gnl
·8 years ago·discuss
Much as I love Clojure, I agree that clojure.spec, while very powerful, has a mess of a UX. That's why – shameless plug – I wrote Ghostwheel [1], which, to me, turns it into a whole other thing, especially when gen-testing, spec-instrumentation and tracing are used together.

Having inferred types in addition to this would be even better, but types are no replacement for generative testing or vice versa.

They really complement each other quite nicely, but also have a large overlap in terms of how much they can reduce the need to do manual debugging and enable clean changes/refactorings with minimal effort.

[1] https://github.com/gnl/ghostwheel
gnl
·8 years ago·discuss
clojure.spec+generative testing help a lot, but yeah.
gnl
·8 years ago·discuss
Have some monads and stuff: http://funcool.github.io/cats/latest/#maybe
gnl
·8 years ago·discuss
Author of Ghostwheel here – clojure.spec is certainly not a replacement for static typing, but it goes a long way to covering many of the same use cases, in fact longer than one might think at a cursory glance.

With Ghostwheel you write your function specs similar to how you'd write a type signature and you get automatic generative testing (including higher order function support) and side effect detection which – when combined with spec instrumentation (+ the upcoming evaluation tracing for the test execution) – can often tell you quite precisely where you screwed up in a much more immediate and granular manner than a simple unit test or mucking about in the REPL could. It really is a quite different experience from plain Clojure.

That being said, I'd love types in addition to this and I'm keeping a keen eye on ReasonML.