cljdoc

Cora (she/her) 2022-05-05T20:59:37.574139Z

I wonder if we couldn't use clj-kondo like this does in order to do analysis? https://clojurians.slack.com/archives/C06MAR553/p1651775259680219

lread 2022-05-05T21:46:58.129289Z

Heya @corasaurus-hex! I’ve been working on just that, on and off, for a while: https://github.com/cljdoc/cljdoc/issues/543

Cora (she/her) 2022-05-05T21:47:17.021179Z

oooooh

lread 2022-05-05T21:47:37.507429Z

Kinda related is: https://github.com/cljdoc/cljdoc/issues/565

Cora (she/her) 2022-05-05T21:49:10.991799Z

not sure I agree with "Static analysis is safe"

lread 2022-05-05T21:50:03.086969Z

How so? I only meant safe in that it does not load/run namespaces to glean the API.

Cora (she/her) 2022-05-05T21:50:11.234849Z

extremely complicated untrusted input can do some gnarly things

lread 2022-05-05T21:50:29.343759Z

Which we currently do for dynamic analysis.

Cora (she/her) 2022-05-05T21:50:31.733349Z

it's safer than dynamic by a long shot

lread 2022-05-05T21:50:51.018159Z

Ah gotcha. Fair point, I suppose.

Cora (she/her) 2022-05-05T21:52:57.565229Z

https://signal.org/blog/cellebrite-vulnerabilities/

Cora (she/her) 2022-05-05T21:53:12.875369Z

a very funny example of that sort of analysis

Cora (she/her) 2022-05-05T21:54:05.075959Z

the short of it is a forensics toolkit was set up to read Signal messages off of phones. Signal turned around and used that to exploit their scanners

lread 2022-05-05T21:55:15.878039Z

Interesting! Well we can certainly still isolate static analysis if we need/want to.

Cora (she/her) 2022-05-05T21:56:26.034769Z

I doubt we'd run into issues, but it's one of those things where if it's easy not to do it then it's probably a good idea. I wouldn't go to extremes to avoid it given the context.

lread 2022-05-05T21:57:12.605769Z

Ya, it is a good point.

lread 2022-05-05T21:57:39.135849Z

I was making good headway when I hit a bit of a snag with ClojureScript APIs and macros. Theoretically all Clojure macros are accessible from ClojureScript. In practice we (and codox) on purpose (or by chance) only see macros that have been explicitly loaded during cljs analysis by the library. I need to explore/understand ClojureScript and macros and public APIs a bit more.

Cora (she/her) 2022-05-05T21:58:04.460599Z

ahhh interesting

Cora (she/her) 2022-05-05T21:58:10.417279Z

that's a neat learning opportunity

lread 2022-05-05T21:59:28.617189Z

Hope so! Jotted some notes https://github.com/borkdude/api-diff/issues/19#issuecomment-1107520705.

Cora (she/her) 2022-05-05T21:59:53.547369Z

god this is just so funny, from that post

Cora (she/her) 2022-05-05T21:59:59.369159Z

> In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.

lread 2022-05-05T22:04:59.042449Z

cheeky!
