Tootfinder

@… whew, could’ve saved a lot of tooling complexity!

Finally got a chance to set myself up with the AndroidX #Gradle lints and already found a handful of problems! Super glad this exists now and I can rely on tooling to automatically find these things.
https://

feat(build): add androidx.lint checks to build-logic · msfjarvis/compose-lobsters@9a6d7d2
Claw for Android: Unofficial read-only client for https://lobste.rs, built using Jetpack Compose. - feat(build): add androidx.lint checks to build-logic · msfjarvis/compose-lobsters@9a6d7d2

Attention: with the upcoming release of the updated/new scrapers, amendments will have a new field "comment", while committee agendas have a completely new schema.
If you use these datasets, i hope you will enjoy the wealth of new/improved data. But you probably have to adjust your tooling...

Plan für das Wochenende: Bildbearbeitungsworkflow auf Darktable (OSS-Tooling) unter Linux aufziehen. Betet, dass meine Seele keinen Schaden nehme!

#Rust #Tooling: 8 tools that will increase your productivity
https://dev.to/shuttle…

I believe more than ever that the modern aesthetic of software solutions (microservices, functions as a service, microsites, and micro-frontends) is over-compensating for inadequate tooling.

Finally got a chance to set myself up with the AndroidX #Gradle lints and already found a handful of problems! Super glad this exists now and I can rely on tooling to automatically find these things.
https://

feat(build): add androidx.lint checks to build-logic · msfjarvis/compose-lobsters@9a6d7d2
Claw for Android: Unofficial read-only client for https://lobste.rs, built using Jetpack Compose. - feat(build): add androidx.lint checks to build-logic · msfjarvis/compose-lobsters@9a6d7d2

All of the open ECP5 tooling work is cool and all, but a little on the small/slow side for my taste.
Is anyone working on open tools for Lattice Avant-X yet?

udev-hid-bpf: quickstart tooling to fix your HID [Human Interface Devices] devices with #eBPF:
https://who-t.blogspot.com/2024/04/udev-hid-bpf-quickstart-too…

Towards AI Accountability Infrastructure: Gaps and Opportunities in AI Audit Tooling
Victor Ojewale, Ryan Steed, Briana Vecchione, Abeba Birhane, Inioluwa Deborah Raji
https://arxiv.org/abs/2402.17861

Towards AI Accountability Infrastructure: Gaps and Opportunities in AI Audit Tooling
Audits are critical mechanisms for identifying the risks and limitations of deployed artificial intelligence (AI) systems. However, the effective execution of AI audits remains incredibly difficult. As a result, practitioners make use of various tools to support their efforts. Drawing on interviews with 35 AI audit practitioners and a landscape analysis of 390 tools, we map the current ecosystem of available AI audit tools. While there are many tools designed to assist practitioners with settin…

Am I missing something or is it basically impossible to have `cargo update` actually select dependencies that are acceptable for the specific minimal `rust-version`? Like, even if you install old #RustLang version, `cargo update` from this version will update `Cargo.lock` to dependencies that require a newer Rust version and render the package non-buildable?
So yeah, I suppose you either end up requiring newer Rust (but you don't really know which version, since you don't know what's the highest minimal requirement in your dependencies), or you update `Cargo.lock` by hand. Such a great tooling!
#Gentoo

Python as a language is fine, I guess, but the tooling around it is such a fucking nightmare it has been the single biggest obstacle to me doing anything “AI” these days. A minute installing a single python dependency is ten minutes wasted.

Here is another nice portable development setup with the Milk-V Duo S (SG2000) and our tooling.
Make a change in @…, run sg_boot, and you get immediate feedback. 🥳✨👩‍💻
https://github.com/orangecms/…

GitHub - orangecms/sg_boot: loader for CVItek/Sophgo SoCs (CV1800B, SG200x)
loader for CVItek/Sophgo SoCs (CV1800B, SG200x). Contribute to orangecms/sg_boot development by creating an account on GitHub.

BlackBerry MDM Has Some Authentication Flaws https://emptynebuli.github.io/tooling/2024/04/22/blackberryMDM.html

I just had a "the tooling is now too good for me" moment with #RustLang: browsing a small crate, I jumped from definition to definition, found the code to be too low-level to grasp immediately, looked online for references, just to find the code in a different crate. Now who copied from whom? Nobody did: `gd` just sent me to my local cache of some dependency crate :-D
Thanks

Proposal for a conference talk: How to configure #PHPStorm and all its tooling extensions (xdebug, phpstan, php-cs-fixer, etc.) to use a docker container consistently.
That could easily fill a tutorial...
#PHP #PHPTek

Job posting: https://jobs.target.com/job/brooklyn-park/senior-engineer-security-tooling-development-intel-tools/1118/62636103712

Unveiling Internet Censorship: Analysing the Impact of Nation States' Content Control Efforts on Internet Architecture and Routing Patterns
Joshua Levett, Vassilios Vassilakis, Poonam Yadav
https://arxiv.org/abs/2402.19375

Unveiling Internet Censorship: Analysing the Impact of Nation States' Content Control Efforts on Internet Architecture and Routing Patterns
Heightened interest from nation states to perform content censorship make it evermore critical to identify the impact of censorship efforts on the Internet. We undertake a study of Internet architecture, capturing the state of Internet topology with greater completeness than existing state-of-the-art. We describe our methodology for this, including the tooling we create to collect and process data from a wide range of sources. We analyse this data to find key patterns in nation states with high…

I love that WebAssembly is becoming a bytecode for Swift tooling.
Pure, unadulterated, high-octane fuel for a he swift ecosystem:
https://github.com/apple/swift/pull/73031

[Macros] Add support for wasm macros by kabiroberai · Pull Request #73031 · apple/swift
This PR introduces support for WebAssembly-based macros via -load-plugin-executable Foo.wasm#Foo. Wasm macros are blazing fast (no SwiftSyntax build required for consumers!) and secure (fully sandb...

Time to hear from @… at #civonavigate about the pros and cons of using third party tooling

@… React has shown itself to be pretty slow! That said, there is a spectrum of React tooling. I’d rate Astro > Gatsby > Next.js for fast outputs of React stuff

It is wild, WILD, I tell you, to think that "taint checking" [sic], a skill I learned in 1999 for LAMP stack CGI tooling, is coming back into fashion.
here's the gist:
Sanitize your inputs, or don't eval user generated content, ever.
It's like Robert Tables grew up and had kids
Bobby Ignore All Previous Instructions Junior
And his sister Sarah Repeat Previous Prompt

Kenn White (@kennwhite@mastodon.social)
Attached: 3 images Incredible research at BlackHat Asia today by Tong Liu and team from the Institute of Information Engineering, Chinese Academy of Sciences (在iie.ac.cn 的电子邮件经过验证) A dozen+ RCEs on popular LLM framework libraries like LangChain and LlamaIndex - used in lots of chat-assisted apps including GitHub. These guys got a reverse shell in two prompts, and even managed to exploit SetUID for full root on the underlying VM!

“Hundred Rabbits is a resilience research lab aboard a sailboat. Our focus is on exploring and documenting minimum viable solutions for living and technological tooling.”
gemini://gemini.circumlunar.space/users/hundredrabbits/

#Clojure folk, are you (or is anyone you know) making serious use of Clojure CLR (the port of Clojure to Microsoft's dot-net virtual machine)?
Is the project stable? Is there a good community, good tooling? Is anyone using it in production?

#ESPHome and #ESP32Cam are just awesome! Great tooling, great wizard, great documentation! Setting up a cheap (~10€) wifi cam and integrating it into #HomeAssistant can be done in no tim…

Anybody know of tooling that can read a JPEG-compressed TIFF file that has >2^31 pixels?
ImageJ uses signed 32-bit pixel coordinates and fails to load it with a negative array index exception, GIMP complains about something related to the JPEG coding using the wrong subsampling factor or something. "convert" complains about an invalid image size.

@ddprrt did a talk about refactoring in Rust - using the language tooling like traits and error handling to write idiomatic code!
Check it out: https://www.youtube.com/watch?v=DH9HIBbpktY

Packers’ Jordan Love believes 2024 is ‘perfect time’ for chance at Super Bowl: ‘People know what we’re about now’ https://www.nfl.com/news/packers-jordan-love-believes-2024-is-perfect-time-for-chance-at…

Packers’ Jordan Love believes 2024 is ‘perfect time’ for chance at Super Bowl: ‘People know what we’re about now’
Green Bay has spent the offseason tooling up for another run. Jordan Love felt strongly about the Packers' chances to challenge for a Super Bowl in the upcoming season before then, and the team's approach to free agency has only affirmed the quarterback's beliefs.

@… Possibly unhelpful, but I don't think data scientists should learn more than the basics, and ideally they learn patterns that also work in dash and ash. Anything with a whiff of complexity should take advantage of the testability and modularity and tooling of e.g. Python or similar. Other shells aren't going to be available in many environments anywa…

I get why people are apprehensive of #JetBrains tooling in #dotnet.
After years of writing code in a solution, you open it and realize you now have to run a marathon through lax code maintenance practices, issues, and errors you didn't even realize you had.
But you have to start at…

Tooling Offline Runtime Verification against Interaction Models : recognizing sliced behaviors using parameterized simulation
Erwan Mahe, Boutheina Bannour, Christophe Gaston, Arnault Lapitre, Pascale Le Gall
https://arxiv.org/abs/2403.03083

Tooling Offline Runtime Verification against Interaction Models : recognizing sliced behaviors using parameterized simulation
Offline runtime verification involves the static analysis of executions of a system against a specification. For distributed systems, it is generally not possible to characterize executions in the form of global traces, given the absence of a global clock. To account for this, we model executions as collections of local traces called multi-traces, with one local trace per group of co-localized actors that share a common clock. Due to the difficulty of synchronizing the start and end of the reco…

"stick a few versions back"
"wait a few days after any particular version pushes"
what I kinda want is
1) "wait for bugs to be reported on that version"
or
2) "wait for other people's integration/smoke tests in production to pass"
but 1 doesn't have good tooling or could be abused
and 2 is asking other companies to try it first
(hey, maybe they have better 2% rolling/gradual deploys)

Been thinking again about recent #ThingUmbrella survey results and also what @… emphasized recently, i.e. that "Software development is an intensely social discipline.". I fully agree.
Too much power in a programming language/tooling means no…

https://wedistribute.org/2024/03/lemmy-image-problem/
"The fact that Lemmy’s core team is taking a fairly laissez faire position on moderation, user safety, and tooling is problematic, and could be a serious blocker for communities currently hosted on Lemmy.&…

Now that the 100baseT1 tooling is done, it's time to move on to gigabit.
The same PCB supports 1000baseT1 with a few BOM changes so I'll start building that version next. Kid is almost done with her nap though, so it'll have to wait until after bedtime.
In the meantime to speed things along I counted out all of the large ICs, passives, and surface mount connectors that are visually distinctive (i.e. only one component value on the board for a given package size so I c…

@… This is *incredible* and I LOVE to see tooling that encapsulates the core issues of web font performance. Not just a “unused JS” for web fonts but showing the glyphs that visibly swap too! 🏆

#HTMX and #WebComponents: a Perfect Match
https://binaryigor.com/htmx-and-web-co

"stick a few versions back"
"wait a few days after any particular version pushes"
what I kinda want is
1) "wait for bugs to be reported on that version"
or
2) "wait for other people's integration/smoke tests in production to pass"
but 1 doesn't have good tooling or could be abused
and 2 is asking other companies to try it first
(hey, maybe they have better 2% rolling/gradual deploys)

So @… and I just published the first episode of Strongly Hyped, where we discussed adding #TypeScript, #JSX, and

@… hmmmmm—looks like I can do issue maintenance on this repo, I wonder if I can merge PRs 😬
https://github.com/GoogleChromeLabs/toolin…

My current take on the #xz situation, not having read the actual source backdoor commits yet (thanks a lot #Github for hiding the evidence at this point...) besides reading what others have written about it (cf. #rustlang for such central library dependencies would maybe (really big maybe) have made it a bit harder to push a backdoor like this because - if and only if the safety features are used idiomatically in an open source project - reasonably looking code is (a bit?) more limited in the sneaky behavior it could include. We should still very much use those languages over C/C for infrastructure code because the much larger class of unintentional bugs is significantly mitigated, but I believe (without data to back it up) that even such "bugdoor" type changes will be harder to execute. However, given the sophistication in this case, it may not have helped at all. The attacker(s) have shown to be clever enough.
6. Sandboxing library code may have helped - as the attacker(s) explicitly disabled e.g. landlock, that might already have had some impact. We should create better tooling to make it much easier to link to infrastructure libraries in a sandboxed way (although that will have performance implications in many cases).
7. Automatic reproducible builds verification would have mitigated this particular vector of backdoor distribution, and the Debian team seems to be using the reproducibility advances of the last decade to verify/rebuild the build servers. We should build library and infrastructure code in a fully reproducible manner *and* automatically verify it, e.g. with added transparency logs for both source and binary artefacts. In general, it does however not prevent this kind of supply chain attack that directly targets source code at the "leaf" projects in Git commits.
8. Verifying the real-life identity of contributors to open source projects is hard and a difficult trade-off. Something similar to the #Debian #OpenPGP #web-of-trust would potentially have mitigated this style of attack somewhat, but with a different trade-off. We might have to think much harder about trust in individual accounts, and for some projects requiring a link to a real-world country-issued ID document may be the right balance (for others it wouldn't work). That is neither an easy nor a quick path, though. Also note that sophisticated nation state attackers will probably not have a problem procuring "good" fake IDs. It might still raise the bar, though.
9. What happened here seems clearly criminal - at least under my IANAL naive understanding of EU criminal law. There was clear intent to cause harm, and that makes the specific method less important. The legal system should also be able to help in mitigating supply chain attacks; not in preventing them, but in making them more costly if attackers can be tracked down (this is difficult in itself, see point 8) and face risk of punishment after the fact.
H/T @… @… @… @… @…

Explaining EDA synthesis errors with LLMs
Siyu Qiu, Benjamin Tan, Hammond Pearce
https://arxiv.org/abs/2404.07235 https://arxiv.org/p…

Explaining EDA synthesis errors with LLMs
Training new engineers in digital design is a challenge, particularly when it comes to teaching the complex electronic design automation (EDA) tooling used in this domain. Learners will typically deploy designs in the Verilog and VHDL hardware description languages to Field Programmable Gate Arrays (FPGAs) from Altera (Intel) and Xilinx (AMD) via proprietary closed-source toolchains (Quartus Prime and Vivado, respectively). These tools are complex and difficult to use -- yet, as they are the to…

MotorEase: Automated Detection of Motor Impairment Accessibility Issues in Mobile App UIs
Arun Krishnavajjala, SM Hasan Mansur, Justin Jose, Kevin Moran
https://arxiv.org/abs/2403.13690

MotorEase: Automated Detection of Motor Impairment Accessibility Issues in Mobile App UIs
Recent research has begun to examine the potential of automatically finding and fixing accessibility issues that manifest in software. However, while recent work makes important progress, it has generally been skewed toward identifying issues that affect users with certain disabilities, such as those with visual or hearing impairments. However, there are other groups of users with different types of disabilities that also need software tooling support to improve their experience. As such, this …

This https://arxiv.org/abs/2304.06935 has been replaced.
initial toot: https://mastoxiv.page/@arXiv_csMS_…

Groebner.jl: A package for Gröbner bases computations in Julia
We present Groebner.jl, a Julia package for computing Groebner bases with the F4 algorithm. Groebner.jl is an efficient, portable, and open-source software. Groebner.jl works over integers modulo a prime and over the rationals, supports basic multi-threading, and specializes in computation in the degree reverse lexicographical monomial ordering. The implementation incorporates various symbolic computation techniques and leverages the Julia type system and tooling, which allows Groebner.jl to co…

Biggest takeaway for me from Aby and Thameem's talk on GraphQL services is that there is a large ecosystem of GraphQL-specific tooling, like routers and IDEs. Graphene, Strawberry, Ariadne, Tartiflette named as frameworks for GraphQL in Python that can sit on top of web frameworks like FastAPI. #PyCascades

This https://arxiv.org/abs/2402.17861 has been replaced.
initial toot: https://mastoxiv.page/@arXiv_csCY_…

Towards AI Accountability Infrastructure: Gaps and Opportunities in AI Audit Tooling
Audits are critical mechanisms for identifying the risks and limitations of deployed artificial intelligence (AI) systems. However, the effective execution of AI audits remains incredibly difficult. As a result, practitioners make use of various tools to support their efforts. Drawing on interviews with 35 AI audit practitioners and a landscape analysis of 390 tools, we map the current ecosystem of available AI audit tools. While there are many tools designed to assist practitioners with settin…

MotorEase: Automated Detection of Motor Impairment Accessibility Issues in Mobile App UIs
Arun Krishnavajjala, SM Hasan Mansur, Justin Jose, Kevin Moran
https://arxiv.org/abs/2403.13690

MotorEase: Automated Detection of Motor Impairment Accessibility Issues in Mobile App UIs
Recent research has begun to examine the potential of automatically finding and fixing accessibility issues that manifest in software. However, while recent work makes important progress, it has generally been skewed toward identifying issues that affect users with certain disabilities, such as those with visual or hearing impairments. However, there are other groups of users with different types of disabilities that also need software tooling support to improve their experience. As such, this …

My current take on the #xz situation, not having read the actual source backdoor commits yet (thanks a lot #Github for hiding the evidence at this point...) besides reading what others have written about it (cf. #rustlang for such central library dependencies would maybe (really big maybe) have made it a bit harder to push a backdoor like this because - if and only if the safety features are used idiomatically in an open source project - reasonably looking code is (a bit?) more limited in the sneaky behavior it could include. We should still very much use those languages over C/C for infrastructure code because the much larger class of unintentional bugs is significantly mitigated, but I believe (without data to back it up) that even such "bugdoor" type changes will be harder to execute. However, given the sophistication in this case, it may not have helped at all. The attacker(s) have shown to be clever enough.
6. Sandboxing library code may have helped - as the attacker(s) explicitly disabled e.g. landlock, that might already have had some impact. We should create better tooling to make it much easier to link to infrastructure libraries in a sandboxed way (although that will have performance implications in many cases).
7. Automatic reproducible builds verification would have mitigated this particular vector of backdoor distribution, and the Debian team seems to be using the reproducibility advances of the last decade to verify/rebuild the build servers. We should build library and infrastructure code in a fully reproducible manner *and* automatically verify it, e.g. with added transparency logs for both source and binary artefacts. In general, it does however not prevent this kind of supply chain attack that directly targets source code at the "leaf" projects in Git commits.
8. Verifying the real-life identity of contributors to open source projects is hard and a difficult trade-off. Something similar to the #Debian #OpenPGP #web-of-trust would potentially have mitigated this style of attack somewhat, but with a different trade-off. We might have to think much harder about trust in individual accounts, and for some projects requiring a link to a real-world country-issued ID document may be the right balance (for others it wouldn't work). That is neither an easy nor a quick path, though. Also note that sophisticated nation state attackers will probably not have a problem procuring "good" fake IDs. It might still raise the bar, though.
9. What happened here seems clearly criminal - at least under my IANAL naive understanding of EU criminal law. There was clear intent to cause harm, and that makes the specific method less important. The legal system should also be able to help in mitigating supply chain attacks; not in preventing them, but in making them more costly if attackers can be tracked down (this is difficult in itself, see point 8) and face risk of punishment after the fact.
H/T @… @… @… @… @…

This https://arxiv.org/abs/2402.17861 has been replaced.
initial toot: https://mastoxiv.page/@arXiv_csCY_…

Towards AI Accountability Infrastructure: Gaps and Opportunities in AI Audit Tooling
Audits are critical mechanisms for identifying the risks and limitations of deployed artificial intelligence (AI) systems. However, the effective execution of AI audits remains incredibly difficult. As a result, practitioners make use of various tools to support their efforts. Drawing on interviews with 35 AI audit practitioners and a landscape analysis of 390 tools, we map the current ecosystem of available AI audit tools. While there are many tools designed to assist practitioners with settin…