#clojure-uk
2018-01-09
thomas08:01:54

moin moin morning

guy08:01:39

morning!

rickmoynihan10:01:14

Does anyone know what the situation is with Spectre/Meltdown? Given that there were patches recently for Spectre/Meltdown in Webkit - presumably we also need patches for the JVM/nodejs/rvm/python etc? And can’t just rely on O/S patches?

dominicm10:01:51

@rickmoynihan There's chrome/firefox patches because they run arbitrary code e.g. js. But you can rely on O/S patches.

rickmoynihan10:01:09

Ok, but the same can be true of the JVM (depending on context) e.g. JVM can run java applets (though most people probably have that disabled these days)… also classloading can sometimes work in similar contexts… for example Jini/River (though few people will be using things like that these days).

dominicm10:01:26

I suspect the JVM will just defer to the O/S on this. It is a bit weird that browsers have patches, but I suspect that's because browsers run in older environments where they self-update but don't expect users to update their OS.

rickmoynihan10:01:16

Makes sense. Thanks for the clarification :thumbsup:

dominicm08:01:49

> Meltdown has already been mitigated by operating system changes, so even if WebKit lacked any Spectre mitigations, it should no longer be possible to mount a Meltdown attack via WebKit. Any future Spectre mitigations will make it even less likely that WebKit could be used for a Meltdown attack, since the Spectre stage of that attack will be harder.

rickmoynihan11:01:34

Yeah that article was what motivated my question yesterday - read it on my commute though so missed that bit 🙂 Should’ve reshared it.

yogidevbear10:01:00

How many people here make use of a socket REPL on their servers?

dominicm11:01:21

We've done it in the past. I've even debugged kiosks in remote countries via vim, hot-loading new functions to fix them in real time. Can't do it on the current project though due to security levels.

seancorfield13:01:52

Yup we run a socket REPL in one of our processes where we might want to hot fix it but we generally just use it for debugging.

yogidevbear13:01:28

What would the main differences be to using a socket REPL and an nREPL to connect to the code/process?

seancorfield13:01:42

Weight. nREPL drags in a lot of dependencies. Also you can choose to start a socket REPL at the JVM process level (command line arguments) for any process.

seancorfield13:01:26

The downside of a socket REPL is the interaction is more primitive.

yogidevbear13:01:00

Cool, thanks for the extra info 🙂

seancorfield13:01:41

We used to run nREPL servers but then we needed explicit machinery to start (and stop) them and had to have all those dependencies in production. Ugh!

yogidevbear13:01:16

Yeah, I was reading through https://lambdaisland.com/guides/clojure-repls/clojure-repls which is what prompted me to ask the question

seancorfield13:01:50

We actually have an automated test that uses the socket REPL programmatically to override the behavior of a function in a separate process (and restore it again) for a particular test. Do not try this at home! 😈

yogidevbear13:01:44

Hahaha! I won't. Not yet anyway 🙂

dominicm14:01:46

Unravel/Unrepl means socket repls are viable again

dominicm14:01:51

(or will be)

rickmoynihan11:01:31

It’s something I’ve thought about exploring… i.e. using it to attach to an admin interface/namespace… but not really sure I have that many usecases for it.

mccraigmccraig11:01:12

i've thought about it - i do have some jvm agents (e.g. yourkit) and sometimes jmx things on my production instances - but i also haven't found a real usecase for a socket repl on production

rickmoynihan11:01:23

yeah I’ve tended to expose metrics through things like jmx/datadog… and have other entrypoints (or a basic commandline option system) for admin tasks… etc… I think the reasons to do it are when you want a safety net on a system you can’t bring down… but these days you tend to solve those problems at the process or cloud level, rather than within the same process. It’d make sense for a mars rover where you don’t know what can go wrong and need a safety net to patch/inspect things dynamically; but there are other ways these days… Though despite my reservations I have some attachment to the idea…

mccraigmccraig11:01:25

i'm not sure i'd want a repl to be my interface for updating a mars rover... typos could turn out quite expensive

rickmoynihan11:01:36

pretty sure that’s what NASA did 🙂 but REPL doesn’t necessarily mean the user manually types into it 🙂

rickmoynihan11:01:47

hoping they didn’t have a TREPL (Type Read Eval Print Loop) 😉

chrisjd17:01:56

Evenin’. 👋