HackerTrans
TopNewTrendsCommentsPastAskShowJobs

febusravenga

172 karmajoined 4 ปีที่แล้ว

comments

febusravenga
·5 วันที่ผ่านมา·discuss
No but those have less or no guards against it - so _we the society_ ;) stand and try guard them.

Rest of us have some chance to stand against persuasion.
febusravenga
·12 วันที่ผ่านมา·discuss
Our customers are CEOs and CTOs - kinda checks out.
febusravenga
·12 วันที่ผ่านมา·discuss
If you're telling dirty jokes, there are many flavors and those ive' mentioned are not special.

This is example. There are _bad_/_hard_/_dark_ jokes about women, grandmas, blacks, whites, east-asia. They have place - unless you're harming someone they are _ok_ for situation.

But only for situation. When recorded, stored and reheard years after it's not longer that situation. By recording, you're basically extending every private situation to infinity.

People in private situation, in close groups behave in ways they consider private - they cross boundaries, they "challenge" authorities/boundaries and it's ok.

It's not ok to take this freedom by assuming you can't say anything controversial in any setting.
febusravenga
·13 วันที่ผ่านมา·discuss
Its not about saying illegal things. It's mostly about saying things that can get you canceled in future in future culture.

Dark jokes and strong opinions are example - you something filthy - let's say dark Holocaust/Nazi joke but funny in situation In group that accept it and it's ok. But if it's recorded, it'll stay forever and will surface in most unexpected moment, like job interview or some other screening by gov/corpos.

Don't say that dirty jokes should be punished in future if in given situation they were received as ok and only later someone else, not in situation is going to judge it
febusravenga
·21 วันที่ผ่านมา·discuss
when I entered site, all bubbles contained dicks/balls and combination of these... so... someone found words that are not banned, but still abused forum in most primitive way ..

you're wrong, moderation is needed in ventures like this
febusravenga
·2 เดือนที่ผ่านมา·discuss
> hostname: tauceti

The other Hail Mary reference is on top of HN today.

Well done Andy Weir.
febusravenga
·2 เดือนที่ผ่านมา·discuss
> always been simple: to help you ask anything on your mind

No, it was to search. Search within resources that are external to Google. Like index in library.

(stating the obvious). Starting article like this - that is with attempt to rewrite history - is very sad.
febusravenga
·2 เดือนที่ผ่านมา·discuss
It's not failure of npm/js ecosystem. It's Github Actions failure that allowed this to happen.
febusravenga
·2 เดือนที่ผ่านมา·discuss
This is GitHub FU.

Key issue here is cache poisoning, that is feature/bug that exist in utility functions/actions provided by Github.

Even if there was misconfiguration on tanstack side, then root cause is on. GH for even allowing insecure workflows to interfere with secure ones.

Here people are trying to fix defaults - not to write cache in insecure context -> https://github.com/actions/cache/issues/1756

(even if sufficiely smart attacker would find the key somewhere and skip this kind of prodection, not sure where but write-allowing-key it must exist somewhere in runtime if actions/cache can us it)

Someone else on this thread:

> On GitLab even if you set the same cache key it will not cross between unprotected and protected runs.
febusravenga
·2 เดือนที่ผ่านมา·discuss
> This is a critical insight: SLSA provenance confirms which pipeline produced the artifact, not whether the pipeline was behaving as intended. A compromised build step can produce a validly-attested but malicious package.

They basically confirm that this whole provenance only proves origin. That origin was broken/flawed and was coerced to do something bad. (?)

Again, untrusted workflows can't write anywhere - cache poisoning was they key problem. If cache would be clean, release build/run would be clean too.
febusravenga
·2 เดือนที่ผ่านมา·discuss
I think more proper solution is to limit writes of untrusted actions - they shouldn't be allowed to update cache. Only read - for perf reasons.
febusravenga
·2 เดือนที่ผ่านมา·discuss
I think biggest concern here was cache poisoning.

Well, one of simplest mitigation is that `pull_request_target` jobs shouldn't have access to write to cache, they can read for performance, but not write.

To extrapolate rule, the `pull_request_target` shouldn't have any ways to invoke external side effects.

In most strict scenario, they shouldn't have access to network at all ... or only to GET <safeUrl> - where safeUrls are somehow vetted previously on main, derived from yarn.locks and similar manifests. Pita to setup, no wonder nobody does that.
febusravenga
·3 เดือนที่ผ่านมา·discuss
In other words, he's cutting branch he's sitting on.
febusravenga
·3 เดือนที่ผ่านมา·discuss
I can only juggle 3, but I prefer clubs. Balls are so boring they are so small and not spectacular. Clubs on the other hand, man they are rotating. Once, twice, treetimes, backwards. I believe that if someone stuck at this basic level of juggling 3 balls, he should try clubs - at least for me it's pure satisfaction watching these rotating in various variants before.
febusravenga
·4 เดือนที่ผ่านมา·discuss
Och, hello fellow monotone user.
febusravenga
·4 เดือนที่ผ่านมา·discuss
"If you hate react" feels like very bad argument in engineering.

Anyway, interesting approach for up to medium pages (not apps!). Totally not replacement for react.
febusravenga
·4 เดือนที่ผ่านมา·discuss
How bugs are still possible now when we all write everything in Rust?
febusravenga
·4 เดือนที่ผ่านมา·discuss
In my company, overuse of LLm and sloppy pasta is feature of those that you can't fire.

For me it destroyed company as aligned group of people, at C level, it's just bazaar of drones throwing AI slow at each other.
febusravenga
·4 เดือนที่ผ่านมา·discuss
Good to hear, some countries already have some privacy laws protecting is from this type of products. Anyone has share more specifics about those laws, how's that they are effective in this case (unlike GDPR which is annoying and usually toothless).
febusravenga
·5 เดือนที่ผ่านมา·discuss
First sentence we would understand from Dolphins language: thanks for all the fish!