#off-topic
2021-12-14
Cora (she/her)05:12:50

(alt: a 6-panel comic of a person laying in bed sleeping. second panel has a brain saying "log4j on your toaster". third panel has the person in bed saying "that's not a thing". fifth panel the person looks angry. sixth panel the person is awake looking at their phone angrily, apparently looking up whether their toaster has log4j)

seancorfield05:12:09

I totally got this from your alt text, without needing to expand and look at the image itself -- thank you (I have all images collapsed on Slack).

💜 2
seancorfield05:12:24

p.s. "log4j on the Mars Rover!" 🙂

😨 2
borkdude10:12:45

Are they going to do that REPL thing in space again? :)

adi18:12:35

Oh man, that would be a rad story. Sadly, the folklore laments that the days of Lisping at the JPL / NASA are long past. I read something about FORTH flying on their spacecraft in the 2010s, but not about Lisps.

adi18:12:51

Maybe they secretly do, but let everyone believe it's all really just C and Python.

borkdude18:12:59

What I meant was, this log4j thing is actually a REPL by accident

chrisblom21:12:31

they should use the vulnerability to patch the vulnerability

adi03:12:53

> What I meant was, this log4j thing is actually a REPL by accident

Aaah ok... by "REPL thing in space 'again'" I thought you meant this: https://flownet.com/gat/jpl-lisp.html

akond12:12:51

i've just watched https://youtu.be/BcHI3U0FuoY?t=2797 and i wonder what idea is behind these diagrams that cognitect uses? a book, or a paper, or is it completely home made?

fearnoeval12:12:34

Not sure if it's exactly what you're looking for, but I believe the idea is to just understand the flow of things visually as part of the design process. Tangentially, I don't know if it was used to create this specifically, but Rich has mentioned Omnigraffle many times.

akond12:12:23

no, i am quite clear on the tool and the general idea. i thought that usually there is someone else's book behind the idea, which goes into detail about the topic.

Alex Miller (Clojure team)13:12:15

It's not really based on anything afaik

Alex Miller (Clojure team)13:12:47

Other than just basic data flow diagrams or ERD

akond13:12:17

so the notation is ad hoc. i see.

Sam Ritchie16:12:00

Woah I had not seen Stuart's flowing locks before!!

Alex Miller (Clojure team)16:12:13

he's a man of many hair styles

😂 2
andy.fingerhut17:12:39

Rich often uses Omnigraffle on a Mac for drawings, so I've heard, but that isn't the crucial factor in these drawings, other than look & feel

andy.fingerhut17:12:36

I've heard one or more of the Clojure core team emphasize the importance of drawings in software system design work.

andy.fingerhut17:12:12

Although not specifically industry standard kinds of things like UML diagrams. Mainly any drawing that makes the ideas and structure clear.

👍 1
Cora (she/her)19:12:30

following on the heels of log4j's vuln, logback has a critical update: http://mailman.qos.ch/pipermail/announce/2021/000164.html

Cora (she/her)19:12:47

I guess I could put this in announcements since it's a release

dharrigan21:12:25

At the risk of making this more than it sounds, nowhere in the ticket, nor announcement does it mention it is a critical update.

Cora (she/her)21:12:02

they link to a PoC for RCE with logback. they don't call it critical but I do https://github.com/cn-panda/logbackRceDemo

dharrigan21:12:17

Whilst you do, it's not up to us how we label such things.

dharrigan21:12:26

It may cause undue panic.

Cora (she/her)21:12:57

who says it's not up to us?

dharrigan21:12:08

Who says it is?

Cora (she/her)21:12:34

I can call a vulnerability, and the associated update, critical if I want to. I have hereby claimed that authority

dharrigan21:12:35

You don't speak for the authors of the library I imagine. I would let them speak for themselves on how they announce it to the world.

Cora (she/her)21:12:16

you would, and if you were announcing it to people then you could, but you didn't and I did and I feel like I'd be doing an injustice by not stressing that it's critical

Cora (she/her)21:12:34

call it a difference of opinion

Cora (she/her)21:12:44

see the thread in #announcements about why it's not overblown to call it critical

dharrigan21:12:31

Unfortunately, what you post reaches a larger audience than deeming it a difference of opinion. What is shared here matters, so the choice of words and how we communicate that out to the channel has to be thought of carefully. The ticket (in jira) does not mark it as critical. I would rather hear from the authors who are responsible for the library than some 3rd party voice in some other community.

dharrigan21:12:48

Yes, I have read your comment in #announcements too.

Cora (she/her)21:12:13

I linked to it, read at your leisure

Cora (she/her)21:12:23

and your replies in here stand as a contrary opinion for anyone who wants to read more about it, so you've done your duty for where you place authority. I can assess security threats myself and my organization is treating it as critical

dharrigan21:12:40

How you treat it in your organisation is entirely up to you. I go by the authors of the library. They have not said at all it is a "critical" update.

genekim01:12:35

Thanks for posting, @U02N27RK69K — I must admit, I spit out my coffee when I read this:

> We have also removed all database (JDBC) related code in the project with no replacement.

Logback can reach out to JDBC? 😂😂 😭😭😱😱🤮🤮

🙀 3
Cora (she/her)19:12:06

done. leaving here for visibility because of the chaos of the last week around logging