HackerTrans
TopNewTrendsCommentsPastAskShowJobs

febusravenga

172 karmajoined 4 anni fa

comments

febusravenga
·4 giorni fa·discuss
No but those have less or no guards against it - so _we the society_ ;) stand and try guard them.

Rest of us have some chance to stand against persuasion.
febusravenga
·12 giorni fa·discuss
Our customers are CEOs and CTOs - kinda checks out.
febusravenga
·12 giorni fa·discuss
If you're telling dirty jokes, there are many flavors and those ive' mentioned are not special.

This is example. There are _bad_/_hard_/_dark_ jokes about women, grandmas, blacks, whites, east-asia. They have place - unless you're harming someone they are _ok_ for situation.

But only for situation. When recorded, stored and reheard years after it's not longer that situation. By recording, you're basically extending every private situation to infinity.

People in private situation, in close groups behave in ways they consider private - they cross boundaries, they "challenge" authorities/boundaries and it's ok.

It's not ok to take this freedom by assuming you can't say anything controversial in any setting.
febusravenga
·13 giorni fa·discuss
Its not about saying illegal things. It's mostly about saying things that can get you canceled in future in future culture.

Dark jokes and strong opinions are example - you something filthy - let's say dark Holocaust/Nazi joke but funny in situation In group that accept it and it's ok. But if it's recorded, it'll stay forever and will surface in most unexpected moment, like job interview or some other screening by gov/corpos.

Don't say that dirty jokes should be punished in future if in given situation they were received as ok and only later someone else, not in situation is going to judge it
febusravenga
·20 giorni fa·discuss
when I entered site, all bubbles contained dicks/balls and combination of these... so... someone found words that are not banned, but still abused forum in most primitive way ..

you're wrong, moderation is needed in ventures like this
febusravenga
·2 mesi fa·discuss
> hostname: tauceti

The other Hail Mary reference is on top of HN today.

Well done Andy Weir.
febusravenga
·2 mesi fa·discuss
> always been simple: to help you ask anything on your mind

No, it was to search. Search within resources that are external to Google. Like index in library.

(stating the obvious). Starting article like this - that is with attempt to rewrite history - is very sad.
febusravenga
·2 mesi fa·discuss
It's not failure of npm/js ecosystem. It's Github Actions failure that allowed this to happen.
febusravenga
·2 mesi fa·discuss
This is GitHub FU.

Key issue here is cache poisoning, that is feature/bug that exist in utility functions/actions provided by Github.

Even if there was misconfiguration on tanstack side, then root cause is on. GH for even allowing insecure workflows to interfere with secure ones.

Here people are trying to fix defaults - not to write cache in insecure context -> https://github.com/actions/cache/issues/1756

(even if sufficiely smart attacker would find the key somewhere and skip this kind of prodection, not sure where but write-allowing-key it must exist somewhere in runtime if actions/cache can us it)

Someone else on this thread:

> On GitLab even if you set the same cache key it will not cross between unprotected and protected runs.
febusravenga
·2 mesi fa·discuss
> This is a critical insight: SLSA provenance confirms which pipeline produced the artifact, not whether the pipeline was behaving as intended. A compromised build step can produce a validly-attested but malicious package.

They basically confirm that this whole provenance only proves origin. That origin was broken/flawed and was coerced to do something bad. (?)

Again, untrusted workflows can't write anywhere - cache poisoning was they key problem. If cache would be clean, release build/run would be clean too.
febusravenga
·2 mesi fa·discuss
I think more proper solution is to limit writes of untrusted actions - they shouldn't be allowed to update cache. Only read - for perf reasons.
febusravenga
·2 mesi fa·discuss
I think biggest concern here was cache poisoning.

Well, one of simplest mitigation is that `pull_request_target` jobs shouldn't have access to write to cache, they can read for performance, but not write.

To extrapolate rule, the `pull_request_target` shouldn't have any ways to invoke external side effects.

In most strict scenario, they shouldn't have access to network at all ... or only to GET <safeUrl> - where safeUrls are somehow vetted previously on main, derived from yarn.locks and similar manifests. Pita to setup, no wonder nobody does that.
febusravenga
·3 mesi fa·discuss
In other words, he's cutting branch he's sitting on.
febusravenga
·3 mesi fa·discuss
I can only juggle 3, but I prefer clubs. Balls are so boring they are so small and not spectacular. Clubs on the other hand, man they are rotating. Once, twice, treetimes, backwards. I believe that if someone stuck at this basic level of juggling 3 balls, he should try clubs - at least for me it's pure satisfaction watching these rotating in various variants before.
febusravenga
·4 mesi fa·discuss
Och, hello fellow monotone user.
febusravenga
·4 mesi fa·discuss
"If you hate react" feels like very bad argument in engineering.

Anyway, interesting approach for up to medium pages (not apps!). Totally not replacement for react.
febusravenga
·4 mesi fa·discuss
How bugs are still possible now when we all write everything in Rust?
febusravenga
·4 mesi fa·discuss
In my company, overuse of LLm and sloppy pasta is feature of those that you can't fire.

For me it destroyed company as aligned group of people, at C level, it's just bazaar of drones throwing AI slow at each other.
febusravenga
·4 mesi fa·discuss
Good to hear, some countries already have some privacy laws protecting is from this type of products. Anyone has share more specifics about those laws, how's that they are effective in this case (unlike GDPR which is annoying and usually toothless).
febusravenga
·5 mesi fa·discuss
First sentence we would understand from Dolphins language: thanks for all the fish!