HackerTrans
TopNewTrendsCommentsPastAskShowJobs

exyi

no profile record

comments

exyi
·hace 29 días·discuss
You know that prompt injection is a thing, right? Giving opencode access to bash and malicious input is not very far from piping it right into bash.
exyi
·el mes pasado·discuss
Exactly. Although if you do >> 8 while working with uint8, it will be the fastest :)
exyi
·el mes pasado·discuss
It's 3 cycles for float multiplication (and 1 for shift right):

https://uops.info/table.html?search=mulss&cb_lat=on&cb_tp=on...

https://uops.info/table.html?search=shr&cb_lat=on&cb_tp=on&c...

In throughput it's even less of a difference: 2 per cycle vs 3 per cycle.
exyi
·hace 2 meses·discuss
Then you also have to auto-update the containers, if it's a public facing service. Either you'll have to build containers yourself or hope the developer pushes a new update whenever the base image has relevant security fixes.
exyi
·hace 2 meses·discuss
VSCode extensions often contain binary blobs, so it won't catch basically anything. It would also be a bit expensive.
exyi
·hace 2 meses·discuss
At least my password won't leak as often with yubikey, but the attacker can still hack my shell to execute fake sudo. Even if I type /bin/sudo explicitly, there is ptrace, LD_PRELOAD or just replacing the entire bash binary.

In practice yubikey sudo keeps you much safer today, as almost nobody uses it and malware won't be prepared for it
exyi
·hace 2 meses·discuss
Ok, so the malware runs a keylogger / clipboard logger, gets the password and runs sudo on it's own. Or replaces your shell by putting exec ~/hackedbash into your bashrc

Password on sudo is only useful if you detect the infection before you run sudo
exyi
·hace 2 meses·discuss
Whitelisting also quite likely doesn't work ("of course I will allow my agent to run find, that can do no harm")
exyi
·hace 3 meses·discuss
Same tool is very handy if you hypothetically wanted to control spread of anything else, like anti ice apps for instance.

Also hash matching is so easily bypassed you can be sure they really want to add some "AI" detector as well
exyi
·hace 3 meses·discuss
and cross-platform UI
exyi
·hace 4 meses·discuss
Do you know if there is override this specifically when I want to install a security patch? UV just claims that package doesn't exist if I ask for new version
exyi
·hace 4 meses·discuss
Except that LiteLLM probably got pwned because they used Trivy in CI. If Trivy ran in a proper sandbox, the compromised job could not publish a compromised package.

(Yes, they should better configure which CI job has which permissions, but this should be the default or it won't always happen)
exyi
·hace 4 meses·discuss
If you change this you break a common optimization:

https://github.com/python/cpython/blob/3.14/Lib/json/encoder...

Default value is evaluated once, and accessing parameter is much cheaper than global
exyi
·hace 4 meses·discuss
Every sane approach to security relies on checking you are doing permitted actions on the server, not locking down the client.
exyi
·hace 4 meses·discuss
Python does not need that, as it has built-in type annotation support. The annotation is any expression, so you can in theory express anything a custom type-only language would allow you (although you could make it less verbose and easier to read).

However, the it IMHO just works much worse than TS because: * many libraries still lack decent annotations * other libraries are impossible to type because of too much dynamic stuff * Python semantics are multiple orders of magnitude more complex than JavaScript. Even just the simplest question: Is `1` allowed in parameter typed `float`? What about numpy float64?
exyi
·hace 5 meses·discuss
... or they teached GPT to use em-dashes, because of their love for em-dashes :)
exyi
·hace 6 meses·discuss
Ok, run the same prompt on a legitimate bug report. The LLM will pretty much always agree with you
exyi
·hace 6 meses·discuss
Local would imply the date is in the current machine timezone, while PlainDateTime is zoneless. It may be in the server timezone, or anything else. The main difference is that it does not make sense to convert it to Instant or ZonedDateTime without specifying the timezone or offset
exyi
·hace 6 meses·discuss
Only until you work with a type array (Int32Array, Float64Array, etc), then it becomes 10x slower: https://jsperf.app/doyeka/11
exyi
·hace 7 meses·discuss
Usually yes, but it's still a neat trick to be aware of. For interpreted scripting languages, parsing can actually be a significant slowdown. Even more so when we start going into text-based network protocols, which also need a parser (is CSS a programming language or a network protocol? :) )