This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2021-09-24
Channels
- # announcements (30)
- # asami (9)
- # babashka (37)
- # beginners (120)
- # calva (26)
- # cider (3)
- # clara (9)
- # clj-commons (7)
- # clj-kondo (17)
- # cljsrn (2)
- # clojure (32)
- # clojure-europe (56)
- # clojure-nl (1)
- # clojure-norway (13)
- # clojure-uk (4)
- # clojurescript (34)
- # conjure (1)
- # copenhagen-clojurians (8)
- # core-async (21)
- # cursive (2)
- # datahike (2)
- # datascript (5)
- # events (4)
- # fulcro (32)
- # graalvm (10)
- # heroku (3)
- # introduce-yourself (1)
- # jobs (2)
- # lsp (3)
- # luminus (1)
- # malli (8)
- # meander (15)
- # minecraft (1)
- # nrepl (2)
- # off-topic (57)
- # pathom (2)
- # polylith (35)
- # reagent (6)
- # reitit (8)
- # releases (1)
- # rewrite-clj (7)
- # shadow-cljs (21)
- # timbre (4)
- # tools-build (1)
- # tools-deps (33)
- # vrac (8)
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity how can it work? if the html page can be altered so can the hash value.
If a malevolent script already can alter your HTML, you have bigger problems than it being able to change a hash - it can embed any JS whatsoever.
SRI works by preventing malevolent parties from altering the sources that you request. It's like a checksum that you use to ensure that the downloaded file is correct.
I think the assumption is that the hashed content lives on a different server, e.g. a CDN, than the content that references the hashed content, e.g "the html page." So an attacker would have to modify the hashed content on the CDN as well in every place where the hashed content is referenced
more generally: in all cases where you compare a file to a hash, an attacker can undermine by altering the hash, but when an attacker has access to alter the hash, they have already infiltrated much deeper
Adoptium (the new branding for AdoptOpenJDK) now has OpenJDK 17 ready for download if anyone is looking to upgrade. https://adoptium.net/index.html?variant=openjdk17&jvmVariant=hotspot
Needed to do an ad-hoc data migration for a customer in production. REPL-ed into the production app from emacs. Direct linking got in the way a bit... (alter-var-root #'clojure.core/*compiler-options* (constantly {:direct-linking false}))
. And it all worked out. Phew... :P
It's also against our community rules about not bashing other languages @U0545PBND so I deleted it.
Err…. okay @U04V70XH6, but that was really tongue in cheek given that lisp, which Clojure falls under, was having both the knight, the horse and the princess stark raving mad after the rescue
Generative testing can help surface some weird bugs. Ones that probably aren't even relevant in the actual application.
Just found that #inst "-705-12-03T18:20:49.415-00:00"
turns into "-000705-12-03T18%3A20%3A49.415Z"
when you call .toISOString
on it (CLJS), and goog.date.UtcDateTime.fromIsoString
can't parse that.
Well, it explicitly says that -YYYYYY
is fine.
However:
• https://clojure.atlassian.net/browse/CLJ-2347
• https://github.com/google/closure-library/issues/1142
So now I have this "beauty":
(s/and inst? #(let [y (.getFullYear ^js/Date %)]
(< 0 y 10000)))
it says it is fine as long as both parties pre agree to it first, and handling it is optional, and I believe if you are going to use it, it mandates the user +/-, so all dates start with either + or -
> if you are going to use it, it mandates the user +/- Only if it's 6 digits, if my understanding is correct.
I’ve had bugs because someone decided that epoch needed to be the year 0, and one piece of code assumed proleptic Gregorian, and another piece of code bravely started swapped between Gregorian and Julian in 1582. So inevidably, days were lost.
So unnecessary, an epoch in 2000 would have been fine in our product
But also; I kinda enjoy strange timezone stuff. Just because how ridiculous it becomes sometimes.
A very relevant and also very recent XKCD: https://xkcd.com/2519/
yes that kind of stuff is amazing
For one, The Netherlands used to have a timezone of +00:19:32, because someone measured the exact distance between Amsterdam and Greenwich
this is why the naive way of writing date generators for generative testing (just generate integers) is bad. you end up finding bugs with dates so far in the past or future you don't care about them
yeah, we have some pretty ridiculous period generation because of that
like, either very VERY long periods. Or zero duration somewhere in the far future
ideally you break a date into its component parts write a generator for each part with the proper ranges, and then assemble them into a date
the other way is to generate deltas from now, generate random integers and add them to the current date
yeah that was what I was thinking
although, now is side effectful, wouldn’t that mess with reproducibility
> you break a date into its component parts write a generator for each part with the proper ranges Wouldn't it immediately create issues with leap years and seconds and whatever else might exist? Or would such a generator simply always skip them?
there are a number of issues you have to decide what yo do with, like when your generate a month of 2 and a day from 29 to 31
for leap seconds it is easy enough, iso8601 specifcally allows for seconds to be 00 to 60 instead of 00 to 59, so the range of seconds just needs to be larger, then when asembling the date you decide what to do with leap second (if it isn't the end of a month get rid of it?)
I'd use the approach of adding a random number of seconds to a base date, but with a set date instead of (now)
as the basis. Like the date as of when you first implemented this scheme. Then you can set the range to +/- 100 years or whatever
15 in which calendar? 😅
Dates in IT are so interesting. We don’t know how to do them right. It’s such a common data type but so incredibly awkward. Java.time is fairly recent. Browsers are now adopting a new API (finally) and there has been much discussion about that too, in part controversial. Some modern languages throw their hands up and don’t include dates in their std library at all. I suspect that the underlying, cultural model is simply too inconsistent like some of you suggest. Maybe it is time (!) to have some sort of simplification around this, similar to how the metric system did.
TAI is a thing, so we do know how to do them "right" for a computer's purposes. But good luck getting people to think in terms of "kilosecs since epoch" or whatever