Fork me on GitHub
#off-topic
<
2021-09-24
>
Apple15:09:01

https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity how can it work? if the html page can be altered so can the hash value.

p-himik15:09:55

If a malevolent script already can alter your HTML, you have bigger problems than it being able to change a hash - it can embed any JS whatsoever.

p-himik15:09:30

SRI works by preventing malevolent parties from altering the sources that you request. It's like a checksum that you use to ensure that the downloaded file is correct.

tvaughan15:09:55

I think the assumption is that the hashed content lives on a different server, e.g. a CDN, than the content that references the hashed content, e.g "the html page." So an attacker would have to modify the hashed content on the CDN as well in every place where the hashed content is referenced

p-himik16:09:18

Indeed. Although, to be clear, I was talking about dynamic changes to the HTML page.

noisesmith19:09:31

more generally: in all cases where you compare a file to a hash, an attacker can undermine by altering the hash, but when an attacker has access to alter the hash, they have already infiltrated much deeper

Chase17:09:33

Adoptium (the new branding for AdoptOpenJDK) now has OpenJDK 17 ready for download if anyone is looking to upgrade. https://adoptium.net/index.html?variant=openjdk17&amp;jvmVariant=hotspot

1
👍 2
borkdude18:09:08

Needed to do an ad-hoc data migration for a customer in production. REPL-ed into the production app from emacs. Direct linking got in the way a bit... (alter-var-root #'clojure.core/*compiler-options* (constantly {:direct-linking false})) . And it all worked out. Phew... :P

👀 3
vemv18:09:18

Was the intent being able to repeatedly def from the repl?

borkdude18:09:32

yeah, I was developing some script

👍 1
borkdude18:09:14

but when I only updated one var, the other calls did not see it

vemv18:09:58

Got it Nice to interactively carve out a script in prod :thumbsup:

borkdude18:09:18

Wrote some ad-hoc SQL in the process. Thanks #hugsql :)

borkdude18:09:16

Now I'm going to close my emacs and take a shower.

😰 1
🚿 1
simple_smile 1
🧼 1
bherrmann22:10:25

I always take a shower after doing sql too.

emil0r19:09:15

Have to post this again, because I think it's so darn funny

😂 2
seancorfield19:09:42

It's also against our community rules about not bashing other languages @U0545PBND so I deleted it.

💜 1
emil0r23:09:36

Err…. okay @U04V70XH6, but that was really tongue in cheek given that lisp, which Clojure falls under, was having both the knight, the horse and the princess stark raving mad after the rescue

p-himik21:09:02

Generative testing can help surface some weird bugs. Ones that probably aren't even relevant in the actual application. Just found that #inst "-705-12-03T18:20:49.415-00:00" turns into "-000705-12-03T18%3A20%3A49.415Z" when you call .toISOString on it (CLJS), and goog.date.UtcDateTime.fromIsoString can't parse that.

hiredman21:09:58

the iso8601 standard is not great around dates before year 0

hiredman21:09:45

(which is the date format inst uses)

p-himik21:09:51

So now I have this "beauty":

(s/and inst? #(let [y (.getFullYear ^js/Date %)]
                  (< 0 y 10000)))

hiredman21:09:32

it says it is fine as long as both parties pre agree to it first, and handling it is optional, and I believe if you are going to use it, it mandates the user +/-, so all dates start with either + or -

hiredman21:09:19

and it isn't even year 0 that is the cut off

hiredman21:09:29

years before 1583 are not automatically allowed by the standard.

p-himik21:09:12

> if you are going to use it, it mandates the user +/- Only if it's 6 digits, if my understanding is correct.

p-himik21:09:18

Oh, I'm definitely mixing stuff up because of how js/Date handles it already.

Lennart Buit21:09:32

I’ve had bugs because someone decided that epoch needed to be the year 0, and one piece of code assumed proleptic Gregorian, and another piece of code bravely started swapped between Gregorian and Julian in 1582. So inevidably, days were lost.

Lennart Buit21:09:54

So unnecessary, an epoch in 2000 would have been fine in our product

Lennart Buit21:09:52

But also; I kinda enjoy strange timezone stuff. Just because how ridiculous it becomes sometimes.

p-himik21:09:12

A very relevant and also very recent XKCD: https://xkcd.com/2519/

Lennart Buit21:09:59

yes that kind of stuff is amazing

Lennart Buit21:09:30

For one, The Netherlands used to have a timezone of +00:19:32, because someone measured the exact distance between Amsterdam and Greenwich

hiredman21:09:29

this is why the naive way of writing date generators for generative testing (just generate integers) is bad. you end up finding bugs with dates so far in the past or future you don't care about them

hiredman21:09:55

(which is what clojure does by default for inst?)

Lennart Buit21:09:49

yeah, we have some pretty ridiculous period generation because of that

Lennart Buit21:09:03

like, either very VERY long periods. Or zero duration somewhere in the far future

hiredman21:09:52

ideally you break a date into its component parts write a generator for each part with the proper ranges, and then assemble them into a date

hiredman21:09:04

the other way is to generate deltas from now, generate random integers and add them to the current date

Lennart Buit21:09:14

yeah that was what I was thinking

Lennart Buit21:09:34

although, now is side effectful, wouldn’t that mess with reproducibility

hiredman21:09:45

it depends on your tests how likely that is to break things

p-himik21:09:24

> you break a date into its component parts write a generator for each part with the proper ranges Wouldn't it immediately create issues with leap years and seconds and whatever else might exist? Or would such a generator simply always skip them?

hiredman22:09:46

there are a number of issues you have to decide what yo do with, like when your generate a month of 2 and a day from 29 to 31

hiredman22:09:44

for leap seconds it is easy enough, iso8601 specifcally allows for seconds to be 00 to 60 instead of 00 to 59, so the range of seconds just needs to be larger, then when asembling the date you decide what to do with leap second (if it isn't the end of a month get rid of it?)

Michael Gardner23:09:36

I'd use the approach of adding a random number of seconds to a base date, but with a set date instead of (now) as the basis. Like the date as of when you first implemented this scheme. Then you can set the range to +/- 100 years or whatever

lilactown22:09:22

the only 💯 solution is to abolish all calendars and clocks

✔️ 9
hiredman22:09:38

just use event clocks, everyone gets a clock set to 0 when they are born

p-himik22:09:23

And colloquially it would work without any changes - "when I was 15" and so on.

Vincent Cantin03:10:31

15 in which calendar? 😅

dgb2322:09:05

Dates in IT are so interesting. We don’t know how to do them right. It’s such a common data type but so incredibly awkward. Java.time is fairly recent. Browsers are now adopting a new API (finally) and there has been much discussion about that too, in part controversial. Some modern languages throw their hands up and don’t include dates in their std library at all. I suspect that the underlying, cultural model is simply too inconsistent like some of you suggest. Maybe it is time (!) to have some sort of simplification around this, similar to how the metric system did.

Michael Gardner22:09:58

TAI is a thing, so we do know how to do them "right" for a computer's purposes. But good luck getting people to think in terms of "kilosecs since epoch" or whatever

dgb2322:09:45

Yes, dates need to map well to days, months and seasons. But those are all relative and inconsistent so we end up with all these traps.

dgb2322:09:00

It’s maybe a good thing. A constant reminder that we’re just modelling stuff.