#beginners
2020-07-26
andy.fingerhut00:07:03

Perhaps more detail on comparators and sorting in Clojure than you might want to know, but this article might be useful: https://clojure.org/guides/comparators

aaroncoding00:07:02

I just watched this https://www.youtube.com/watch?v=CBL59w7fXw4 which basically talks about how bad security is for clojure web apps. Is there any update on this? It was 6 years ago... How secure are luminus and pedestal?

Alex Miller (Clojure team)10:07:07

Aaron’s talk spurred a lot of immediate improvements to the Clojure library default setups and addressed many of the issues. Joy Clark did a great talk covering the major OWASP security items in the context of Clojure a few years later https://www.youtube.com/watch?v=lRHPZXKQVLk

aaroncoding18:07:33

Thanks so much, that's exactly what I was looking for!

seancorfield01:07:36

They're as secure as whatever security/auth library you're using with them. I'm not sure if Luminus bundles anything in that space but I'm pretty sure Pedestal is a narrower focused web library.

seancorfield01:07:47

We don't tend to have "frameworks" in Clojure: we build web apps using our preferred composition of libraries. There's no "standard" approach that includes security in a particular way. So apps are exactly as secure as people decide to make them.

aaroncoding01:07:05

Fair enough. That was kind of my impression. Security scares me because it's so easy to get wrong. I'm no expert, so I was hoping there was something that could guide me a bit

seancorfield01:07:02

I remember attending that talk -- although I can't remember what specifically he was promoting in it. Buddy and Friend are probably the two security libs I hear the most about but I think at least one of them is no longer maintained.

seancorfield01:07:56

Looks like neither of them has been updated for three years...

aaroncoding01:07:05

Ya I'm looking at those now

aaroncoding01:07:38

But does that mean they're super stable, or just abandoned? 😛

seancorfield01:07:56

I think they're both fairly stable but I also think they are both unmaintained 🙂

seancorfield01:07:28

Here's an article from last year on the topic of Clojure & security, that references Aaron's talk from 2014 https://jemurai.com/2019/11/27/clojure-signal/

seancorfield01:07:21

It calls out security issues that aren't solved by a library but are systemic -- such as not using parameters in SQL queries. Security is a systemic issue. I've never used Friend or Buddy. We have built our own OAuth2 system at work -- we have separate Auth, Login, and API servers and built that on top of Apache OLTP stuff. We also have login-via-Facebook and we've talked about offering other auth services.

aaroncoding01:07:19

Thanks! Reading

matthieu10:07:14

Hello everybody! I just wanted to share the two small games I made to learn Clojure / Clojurescript. Any feedback welcome! Snake: https://github.com/Phantas0s/sokoban Sokoban: https://github.com/Phantas0s/sokoban

akoppela10:07:04

Hey people. How much Java do you use/write together with Clojure?

sveri11:07:25

@akoppela Totally depends on your use case. In general I would say less than 1%. When I do web dev I'd say it's less than 0.1% for me. That said, it's also considered idiomatic to use a java library when there is no good clojure fit.

dinesh13:07:17

which editors do you generally use to code in clojurescript?

Chris McCormick13:07:16

there's more than one editor? 🤔

sova-soars-the-sora13:07:53

everything from a magnetic needle with a microscope to emacs will do. depends on what you like. there's that gui, cursive for cljs, some people use Atom, some people use SublimeText you can see on the latest clojure user survey what the distributions are actually... linking one moment juanita in accounts receivable just a sec..

neilyio17:07:28

I'm playing around with transduce, and I thought I understood it with simple examples like (transduce (map inc) conj (range 10)), which returns the expected [1 2 3 4 5 6 7 8 9 10]. But if I throw a string into the collection argument, I get a strange result. Can anyone explain why this is happening?

(transduce (map inc) conj [0 1 2 3 4 5 6 7 8 9 "clojure"])
;; => [1 2 3 4 5 6 7 8 9 10 "clojure1"]

noisesmith17:07:00

is this clojurescript?

neilyio17:07:02

I expected this to error, as (inc "clojure") does.

neilyio17:07:57

Yes it's clojurescript. I realize Javascript has some weird string behaviours, but I'm surprised that (inc "clojure") errors when the transducer version doesn't.

noisesmith17:07:45

I'm guessing that (map inc) ends up calling + from js directly, and doing whatever weird thing js does for + on strings

noisesmith17:07:59

yeah

$ cljs
ClojureScript 1.10.758
(ins)cljs.user=> (+ "clojure" 1)
WARNING: cljs.core/+, all arguments must be numbers, got [string number] instead at line 1 <cljs repl>
"clojure1"
(ins)cljs.user=> (inc "clojure")
WARNING: cljs.core/+, all arguments must be numbers, got [string number] instead at line 1 <cljs repl>
"clojure1"

noisesmith17:07:25

those aren't errors, it returns the same string you saw

neilyio17:07:25

Hmm, for me in a shadow-cljs NodeJS repl, (inc "clojure") doesn't return "clojure1", it returns nil. But you're right, it's still a warning not an error. I also tried the (transduce (map inc) conj [0 1 2 3 4 5 6 7 8 9 "clojure"]) in a Clojure REPL, and it errored as expected.

noisesmith17:07:30

sounds like shadow-cljs does some level of sanity checking cljs doesn't (or my cljs is badly out of date)

neilyio17:07:00

I guess so. Just one more detail to remember I guess. Please tell me this gets easier.

neilyio17:07:56

+ Thanks once again for your help @noisesmith!

noisesmith17:07:47

in my experience cljs has more weird edges compared to clj

noisesmith17:07:00

mostly due to the vm

neilyio17:07:39

Seems like it. I suppose it's better to run into them now rather than in the middle of a large application.

neilyio17:07:26

Oof, it does it for error objects too. That hurts.

(transduce (map inc) conj [0 1 2 3 4 5 6 7 8 9 (ex-info "My error" {})])
;; => [1 2 3 4 5 6 7 8 9 10 "#error {:message \"My error\", :data {}}1"]

neilyio17:07:21

I guess what really threw me off is 1. transduce swallowing the warning, and 2. (inc "clojure") returning nil instead of "clojure1". Very weird.

noisesmith17:07:29

operator overloading is my least favorite language feature, I'd rather use a language where you need two different versions of + for int / float (eg. ml) than one where every data type does a different thing when you call + on it

neilyio17:07:33

Yep, it's hard to imagine how anyone could pass a JS object to + and want it to mean "convert my object to a string and concatenate a 1 to the end of it".

Stuart17:07:21

how would i round floats in clojure? e.g. 0.29868686 to 0.299 I'd rather not have to convert to a string or anything...

neilyio17:07:43

@qmstuart I'm looking around too because I was curious, it looks like you just call the corresponding Java functions like in https://stackoverflow.com/questions/28551000/what-is-the-best-way-to-round-numbers-in-clojure .

neilyio17:07:58

I don't know Java at all, but rounding to the nth decimal place might require a little extra work, like in https://www.baeldung.com/java-round-decimal-number.

Stuart17:07:29

yeah, i too know very little java. I think that's my problem here

noisesmith17:07:26

to be clear those are methods, not functions, and yeah for something like that interop is the answer

noisesmith17:07:43

you can hack it with multiply/truncate/divide but the java methods are the right way

noisesmith17:07:52

user=> (with-precision 4 :rounding FLOOR (/ 1 3M))
0.3333M
that's not so bad

aaroncoding18:07:22

Hey can someone please explain what "com" and "org" are? I'm guessing it's a Java convention, but this is my first foray into the JVM 🤷‍♂️

dpsutton18:07:31

https://docs.oracle.com/javase/tutorial/java/package/namingpkgs.html a way to distinguish packages is by using the organization's name in them. so you know an official version of clojure is named org.clojure/clojure

dpsutton18:07:44

and its reversed domain. http://clojure.org -> org.clojure. https://stuartsierra.com/ means that component (a popular library) is com.stuartsierra/component

dpsutton18:07:22

it's common in clojure to see the tld dropped and just the organization used. For instance, all of sean corfield's packages are named seancorfield/next.jdbc or what have you.

noisesmith18:07:58

or to disregard owning the name entirely, and creating non-existent projects implicitly with the same generic name as the library (I think this is actively discouraged though)

Jake Schreuder18:07:38

Any recommendations for a good (up-to-date) tutorial or book on building webpages with Clojure? I know just enough of the language to hack around and break things, but I’m extremely unfamiliar in the ways of web programming.

Drew Verlee18:07:09

Are you looking to apply patterns you know in clojure? Or want to just try something very new and see where it takes you?

Jake Schreuder18:07:43

Just looking to try something new, and I was hoping to use Clojure to do it

Drew Verlee18:07:12

> building webpages

Are you thinking of a full end to end system or just HTML/css?

Jake Schreuder18:07:53

Ideally, I’d like to learn the entire system, but I was mostly curious if there were some good tutorials people liked to recommend.

Drew Verlee18:07:47

Gotcha. Maybe https://www.learnreagent.com/ Or https://purelyfunctional.tv/courses/web-dev-in-clojure/ For tutorials. But keep in mind the web dev space is so large that you're never "done". It's interesting to just pick a project like rum, fulcro, reagent, etc.. and see what problems they're trying to solve.

Drew Verlee18:07:00

Beta version of this book might be out soon https://pragprog.com/titles/dswdcloj3/

Drew Verlee18:07:14

That would likely be a good start.

Jake Schreuder18:07:18

Interesting. Looks like some promising resources. Appreciate it!

aaroncoding19:07:44

+1 for reagent. If you know react at all, it's like that but better in so many ways

neilyio19:07:55

+1 For http://purelyfunctional.tv. I love Eric's teaching style.

Jake Schreuder00:07:31

Appreciate the replies. I will look at the http://purelyfunctional.tv article and look into reagent