Cora (she/her)20:05:37

I wonder if we couldn't use clj-kondo like this does in order to do analysis?


Heya @corasaurus-hex! I’ve been working on just that, on and off, for a while:

Cora (she/her)21:05:10

not sure I agree with "Static analysis is safe"


How so? I only meant safe in that it does not load/run namespaces to glean the API.

Cora (she/her)21:05:11

extremely complicated untrusted input can do some gnarly things


Which we currently do for dynamic analysis.

Cora (she/her)21:05:31

it's safer than dynamic by a long shot


Ah gotcha. Fair point, I suppose.

Cora (she/her)21:05:12

a very funny example of that sort of analysis

Cora (she/her)21:05:05

the short of it is a forensics toolkit was set up to read signal messages off of phones. signal turned around and used that to exploit their scanners


Interesting! Well we can certainly still isolate static analysis if we need/want to.

Cora (she/her)21:05:26

I doubt we'd run into issues but it's one of those things where if it's easy not to do it then it's probably a good idea. I wouldn't go to extremes to avoid it given the context


Ya, it is a good point.


I was making good headway when I hit a bit of a snag with ClojureScript APIs and macros. Theoretically all Clojure macros are accessible from ClojureScript. In practice we (and codox) on purpose (or by chance) only see macros that have been explicitly loaded during cljs analysis by the library. I need to explore/understand ClojureScript and macros and public APIs a bit more.

Cora (she/her)21:05:04

ahhh interesting

Cora (she/her)21:05:10

that's a neat learning opportunity

Cora (she/her)21:05:53

god this is just so funny, from that post

Cora (she/her)21:05:59

> In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.