HackerLangs
TopNewTrendsCommentsPastAskShowJobs

fwlr

4,703 karmajoined 3 yıl önce
software craftsman; professional polyglot (particular to rust, typescript, lisp); open to talk or work [email protected] (re: employment - remote/office agnostic, right to work australian citizen)

comments

fwlr
·dün·discuss
Presumably, some initial information was fed into the start of this reporting process. Multiple stages of this process had near-total incomprehension of the information yet performed full ingestion and reconstitution of it anyway, leading to this terminally-confused output.
fwlr
·evvelsi gün·discuss
I found this post very refreshing! I’m sure it would have been very tempting to one-up the “PR-speak” of the Bun post. Likewise, it would have been very tempting to include the same set of facts that reflect negatively on Jarred, while studiously concealing one’s own opinion (eg “I heard people called him a stinky manager. I am not saying that, other people are, but I’m not”). I appreciated that it was just … genuine.
fwlr
·3 gün önce·discuss
I think we more or less agree, with the caveat that I think social engineering attacks are far more worrisome and threatening than SQL injection. The gold standard solution to sql injection (prepared/parameterized queries) is guaranteed effective, and does not impede the efficacy of SQL. The gold standard solution for social engineering attacks (role-based access control with minimum rights) is only almost guaranteed, as the attack could be made against the management or admin who ultimately holds the keys to full rights, and most certainly does impede the efficacy of the humans operating under it.
fwlr
·3 gün önce·discuss


    “Prompt injection attacks have become, to agentic AI, what SQL injections were to web applications: a systematic, category-wide vulnerability class that requires the same systematic strategies and defenses.”

???

Isn’t prompt injection far more fatal to LLMs than SQL injection is to SQL databases?

Like, the problem of SQL injection was that user input was forming part of the instruction string given to the SQL engine, and so malicious user input could include various SQL grammar terminals to end the current SQL command, followed by complete SQL commands of their own, and the engine would simply execute both commands. The fix was prepared statements: fixed/static/pre-compiled instruction strings, that can only ever perform fixed/static/pre-defined logic, and that logic can then be (more) safely applied to arbitrary user-input data.

The analogous mitigation for agents is to have fixed behaviors they can perform, such as “read repo 1” “read repo 2”, etc., and the user input is used as data to select which of these fixed behaviors to execute. But we already have this technology - it’s called a menu. The value of LLMs is specifically and intrinsically predicated on being more than a menu, while the value of SQL does not depend on being more than “pre-set logic operating on arbitrary data” - user input being part of the instruction string to SQL was incidental, for developer convenience.
fwlr
·3 gün önce·discuss
I do see the appeal, it’s easy to imagine that workflow working, and working well - but it’s hard to how it avoids this fate: https://youtu.be/QEzhxP-pdos
fwlr
·3 gün önce·discuss
Thank you for mentioning zmx. Reading through their repo, it’s like someone read my mind, took my instinctive, almost pre-verbal, half-formed/quarter-baked preference for `screen` over `tmux`, beautifully and precisely formalized it into an actually lucid opinion, and then instantiated it as an actually real piece of software. I’ve used it for an hour and it already feels like second nature; I somehow have muscle memory for features that I didn’t even know it had until I instinctively used them and they were right where I expected them to be. Seriously, thank you.
fwlr
·3 gün önce·discuss
“We use Claude Code too”

I understand that it’s probably impossible to sell non-AI-assisted solutions to AI-pilled companies (even when their headaches are AI-induced), but my gut reaction to “take an AI-inflated codebase and apply AI deflation to it” is something like “that’s akin to applying two rounds of lossy transcoding; the errors don’t cancel out, they cross-multiply”.
fwlr
·4 gün önce·discuss
While human-readable text is a better solution for that particular case, there might be a level of scale or rate of change where this idea wins out, and in that case I recommend barcodes instead. (A standard barcode label sticker can be wrapped around the cable and read from nearly any orientation)
fwlr
·12 gün önce·discuss


    let _ = …?
This is the Rust idiom for “I am intentionally ignoring this return value”. The linter would have caught

    self.poll_read()?;
and in fact one of the options the linter itself suggests in this case is exactly this “let underscore equals” idiom. (Arguably, this code exists because of the linter, not due to its absence!)

In any case, the return value is being “handled” - the question mark examines the result and breaks the loop if the result is not `Ok(…)`, ie if the call is not successful.

Intentionally ignoring the successful return value isn’t necessarily terrible, either - you could be calling the function for its side effect, and you don’t care what the specific result of that effect is, just as long as there is some effect. E.g. maybe you have a state machine, and this is the code that repeatedly drives it.

(Not coincidentally, polling is what you do to Futures, and Futures are state machines that you need to repeatedly drive…)

In conclusion, I do not think this is prima facie terrible code, nor is it an obvious bug. Async rust is subtle and complicated, and not always fully understood by those who nevertheless have to use it.
fwlr
·15 gün önce·discuss
Traditionally, loudly declaring your exit like this was met with the reply, “And nothing of value was lost.”
fwlr
·19 gün önce·discuss
True for this decade, but in the previous decade it was very much the opposite. Before you used any kind of browser api or nice language feature you would feature-detect it:

    if (typeof Array.prototype.includes === ‘undefined’) { …
And if it wasn’t there you would define it yourself, it was called “polyfilling”. This was so commonplace that we built significant tooling like babel to standardize feature detection tests and fallback implementations - for a few years you could write

    request.then(response => response.json())
And behind the scenes the Rube Goldberg machine would turn this into something that would run in a JavaScript environment that had neither arrow functions nor promises.
fwlr
·23 gün önce·discuss
I highly recommend consuming Casey Muratori content, particularly if it’s blue shirt Casey standing in a black void with yellow handwriting. Those are his high-production serious lectures, and they’re worth every minute. (It took me a while to find his YouTube channel because it’s called “MollyRocket”.)
fwlr
·23 gün önce·discuss
As Casey Muratori likes to say, “My superpower is that I’m old, so I remember when computers used to be fast.”
fwlr
·23 gün önce·discuss
If there is one card in this pile and no cards in the other, the probability of dropping the card from this pile is one. If instead there are some cards still in the other, a) the probability is less than one, and b) we move one step closer to the first state. So by construction it must be proportional - perhaps a poorly behaved proportionality, but that is still enough for the math to work.
fwlr
·27 gün önce·discuss
Arguably, someone who has chosen to replace their own human expression with machine words has already dehumanized themselves - although this is perhaps a too-literal reading the word “dehumanized”?
fwlr
·geçen ay·discuss
The genuine answer is that many people who hold a lot of power over me (the executive suite of my industry) intend to do me harm with it (put me out of a job).
fwlr
·geçen ay·discuss
Every second paragraph, it seems very impressed to re-discover that CQT matches human aural perception.

Unfortunately, I have a faint recollection that CQT was expressly designed to match human aural perception, which leaves me markedly less perpetually astonished.
fwlr
·geçen ay·discuss


    Calling prompt injection "not malware" … is like saying a phishing email is not [malware] …
I would say phishing emails are not malware, I think most people would agree that phishing emails are not malware, and if pressed to defend this point on its own merits I would say something like “they are deceptive instructions that rely on a human executing them to do harm”. I think the “phishing” analogy supports the case for not calling it malware (it is a different, also bad thing).
fwlr
·geçen ay·discuss
Yes it is, which is why I disapprove of it, and have said as such in every comment. I’m suggesting we disapprove of it in a more responsible way.
fwlr
·geçen ay·discuss
In this case, yes (hence my disapproval of this action) - but in the main, “the programming language is natural language” is what I’m worried about. Most uses of natural language are not intended for execution, nor should they need to be crafted with consideration for such.