2024-05-05 20:30:47
@… whew, could’ve saved a lot of tooling complexity!
Attention: with the upcoming release of the updated/new scrapers, amendments will have a new field "comment", while committee agendas have a completely new schema.
If you use these datasets, i hope you will enjoy the wealth of new/improved data. But you probably have to adjust your tooling...
Plan for the weekend: set up an image-editing workflow on Darktable (OSS tooling) under Linux. Pray that my soul comes to no harm!
I believe more than ever that the modern aesthetic of software solutions (microservices, functions as a service, microsites, and micro-frontends) is over-compensating for inadequate tooling.
All of the open ECP5 tooling work is cool and all, but a little on the small/slow side for my taste.
Is anyone working on open tools for Lattice Avant-X yet?
udev-hid-bpf: quickstart tooling to fix your HID [Human Interface Devices] devices with #eBPF:
https://who-t.blogspot.com/2024/04/udev-hid-bpf-quickstart-too…
The combination of https://useanything.com/ and https://lmstudio.ai opens up an insane universe of possibilities for usi…
Towards AI Accountability Infrastructure: Gaps and Opportunities in AI Audit Tooling
Victor Ojewale, Ryan Steed, Briana Vecchione, Abeba Birhane, Inioluwa Deborah Raji
https://arxiv.org/abs/2402.17861
Am I missing something or is it basically impossible to have `cargo update` actually select dependencies that are acceptable for the specific minimal `rust-version`? Like, even if you install old #RustLang version, `cargo update` from this version will update `Cargo.lock` to dependencies that require a newer Rust version and render the package non-buildable?
So yeah, I suppose you either end up requiring newer Rust (but you don't really know which version, since you don't know what's the highest minimal requirement in your dependencies), or you update `Cargo.lock` by hand. Such a great tooling!
#Gentoo
Python as a language is fine, I guess, but the tooling around it is such a fucking nightmare it has been the single biggest obstacle to me doing anything “AI” these days. A minute installing a single python dependency is ten minutes wasted.
Here is another nice portable development setup with the Milk-V Duo S (SG2000) and our tooling.
Make a change in @…, run sg_boot, and you get immediate feedback. 🥳✨👩💻
https://github.com/orangecms/…
BlackBerry MDM Has Some Authentication Flaws https://emptynebuli.github.io/tooling/2024/04/22/blackberryMDM.html
I just had a "the tooling is now too good for me" moment with #RustLang: browsing a small crate, I jumped from definition to definition, found the code to be too low-level to grasp immediately, looked online for references, just to find the code in a different crate. Now who copied from whom? Nobody did: `gd` just sent me to my local cache of some dependency crate :-D
Thanks
Unveiling Internet Censorship: Analysing the Impact of Nation States' Content Control Efforts on Internet Architecture and Routing Patterns
Joshua Levett, Vassilios Vassilakis, Poonam Yadav
https://arxiv.org/abs/2402.19375
I love that WebAssembly is becoming a bytecode for Swift tooling.
Pure, unadulterated, high-octane fuel for the Swift ecosystem:
https://github.com/apple/swift/pull/73031
Time to hear from @… at #civonavigate about the pros and cons of using third party tooling
@… React has shown itself to be pretty slow! That said, there is a spectrum of React tooling. I’d rate Astro > Gatsby > Next.js for fast outputs of React stuff
It is wild, WILD, I tell you, to think that "taint checking" [sic], a skill I learned in 1999 for LAMP stack CGI tooling, is coming back into fashion.
here's the gist:
Sanitize your inputs, or don't eval user generated content, ever.
It's like Robert Tables grew up and had kids
Bobby Ignore All Previous Instructions Junior
And his sister Sarah Repeat Previous Prompt
“Hundred Rabbits is a resilience research lab aboard a sailboat. Our focus is on exploring and documenting minimum viable solutions for living and technological tooling.”
gemini://gemini.circumlunar.space/users/hundredrabbits/
#Clojure folk, are you (or is anyone you know) making serious use of Clojure CLR (the port of Clojure to Microsoft's dot-net virtual machine)?
Is the project stable? Is there a good community, good tooling? Is anyone using it in production?
#ESPHome and #ESP32Cam are just awesome! Great tooling, great wizard, great documentation! Setting up a cheap (~10€) wifi cam and integrating it into #HomeAssistant can be done in no tim…
Anybody know of tooling that can read a JPEG-compressed TIFF file that has >2^31 pixels?
ImageJ uses signed 32-bit pixel coordinates and fails to load it with a negative array index exception, GIMP complains about something related to the JPEG coding using the wrong subsampling factor or something. "convert" complains about an invalid image size.
@ddprrt did a talk about refactoring in Rust - using the language tooling like traits and error handling to write idiomatic code!
Check it out: https://www.youtube.com/watch?v=DH9HIBbpktY
Packers’ Jordan Love believes 2024 is ‘perfect time’ for chance at Super Bowl: ‘People know what we’re about now’ https://www.nfl.com/news/packers-jordan-love-believes-2024-is-perfect-time-for-chance-at…
@… Possibly unhelpful, but I don't think data scientists should learn more than the basics, and ideally they learn patterns that also work in dash and ash. Anything with a whiff of complexity should take advantage of the testability and modularity and tooling of e.g. Python or similar. Other shells aren't going to be available in many environments anywa…
I get why people are apprehensive of #JetBrains tooling in #dotnet.
After years of writing code in a solution, you open it and realize you now have to run a marathon through lax code maintenance practices, issues, and errors you didn't even realize you had.
But you have to start at…
Tooling Offline Runtime Verification against Interaction Models : recognizing sliced behaviors using parameterized simulation
Erwan Mahe, Boutheina Bannour, Christophe Gaston, Arnault Lapitre, Pascale Le Gall
https://arxiv.org/abs/2403.03083
"stick a few versions back"
"wait a few days after any particular version pushes"
what I kinda want is
1) "wait for bugs to be reported on that version"
or
2) "wait for other people's integration/smoke tests in production to pass"
but 1 doesn't have good tooling or could be abused
and 2 is asking other companies to try it first
(hey, maybe they have better 2% rolling/gradual deploys)
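As an added illustration (not part of the post above, and not anyone's real tooling), here are the three policies from the post written down as one selection function: stay a few versions back, wait a minimum number of days after a release, and skip releases that already have bug reports. The release list, the dates and the bug-report counts are constructed for the example; a real implementation would pull them from the package index and issue tracker.

```python
"""Cooldown-style dependency version selection (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Release:
    version: tuple          # (major, minor, patch), compared lexicographically
    published: date         # date the version hit the index
    bug_reports: int        # constructed count of issues filed against it


# Constructed sample index. "Today" for the example is also fixed.
TODAY = date(2024, 5, 5)
SAMPLE_RELEASES = [
    Release((1, 3, 2), date(2024, 3, 10), 0),
    Release((1, 4, 0), date(2024, 4, 1), 0),
    Release((1, 4, 1), date(2024, 4, 20), 2),   # people reported bugs
    Release((1, 5, 0), date(2024, 5, 3), 0),    # only two days old
]


def select_version(releases, today, min_age_days=7, max_bug_reports=0,
                   skip_newest=0):
    """Newest release that (a) is at least min_age_days old, (b) has at most
    max_bug_reports filed against it, and (c) is not among the skip_newest
    most recent releases overall. Returns None when nothing qualifies, so
    the caller can fail closed instead of silently taking the newest."""
    by_version = sorted(releases, key=lambda r: r.version)
    # "stick a few versions back": drop the newest N before any other filter
    eligible = by_version[: len(by_version) - skip_newest]
    cutoff = today - timedelta(days=min_age_days)
    candidates = [
        r for r in eligible
        if r.published <= cutoff and r.bug_reports <= max_bug_reports
    ]
    return candidates[-1] if candidates else None


def version_string(release):
    """Render a Release as 'x.y.z', or None for no release."""
    if release is None:
        return None
    return ".".join(str(n) for n in release.version)


def select_version_string(releases, today, **policy):
    """Convenience wrapper returning the chosen version as a string."""
    return version_string(select_version(releases, today, **policy))


if __name__ == "__main__":
    # With the defaults: 1.5.0 is too new and 1.4.1 has bug reports, so 1.4.0.
    print(select_version_string(SAMPLE_RELEASES, TODAY))
```

The policies compose: a zero-day cooldown with `skip_newest=1` reproduces "always one behind latest", while a long cooldown with no eligible release returns None rather than a guess, which is the behaviour you want in CI.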
Been thinking again about recent #ThingUmbrella survey results and also what @… emphasized recently, i.e. that "Software development is an intensely social discipline.". I fully agree.
Too much power in a programming language/tooling means no…
https://wedistribute.org/2024/03/lemmy-image-problem/
"The fact that Lemmy’s core team is taking a fairly laissez faire position on moderation, user safety, and tooling is problematic, and could be a serious blocker for communities currently hosted on Lemmy.&…
Now that the 100baseT1 tooling is done, it's time to move on to gigabit.
The same PCB supports 1000baseT1 with a few BOM changes so I'll start building that version next. Kid is almost done with her nap though, so it'll have to wait until after bedtime.
In the meantime to speed things along I counted out all of the large ICs, passives, and surface mount connectors that are visually distinctive (i.e. only one component value on the board for a given package size so I c…
@… This is *incredible* and I LOVE to see tooling that encapsulates the core issues of web font performance. Not just a “unused JS” for web fonts but showing the glyphs that visibly swap too! 🏆
#HTMX and #WebComponents: a Perfect Match
https://binaryigor.com/htmx-and-web-co
So @… and I just published the first episode of Strongly Hyped, where we discussed adding #TypeScript, #JSX, and
@… hmmmmm—looks like I can do issue maintenance on this repo, I wonder if I can merge PRs 😬
https://github.com/GoogleChromeLabs/toolin…
My current take on the #xz situation, not having read the actual source backdoor commits yet (thanks a lot #Github for hiding the evidence at this point...) besides reading what others have written about it (cf. #rustlang for such central library dependencies would maybe (really big maybe) have made it a bit harder to push a backdoor like this because - if and only if the safety features are used idiomatically in an open source project - reasonably looking code is (a bit?) more limited in the sneaky behavior it could include. We should still very much use those languages over C/C++ for infrastructure code because the much larger class of unintentional bugs is significantly mitigated, but I believe (without data to back it up) that even such "bugdoor" type changes will be harder to execute. However, given the sophistication in this case, it may not have helped at all. The attacker(s) have shown themselves to be clever enough.
6. Sandboxing library code may have helped - as the attacker(s) explicitly disabled e.g. landlock, that might already have had some impact. We should create better tooling to make it much easier to link to infrastructure libraries in a sandboxed way (although that will have performance implications in many cases).
7. Automatic reproducible builds verification would have mitigated this particular vector of backdoor distribution, and the Debian team seems to be using the reproducibility advances of the last decade to verify/rebuild the build servers. We should build library and infrastructure code in a fully reproducible manner *and* automatically verify it, e.g. with added transparency logs for both source and binary artefacts. In general, it does not, however, prevent this kind of supply chain attack that directly targets source code at the "leaf" projects in Git commits.
8. Verifying the real-life identity of contributors to open source projects is hard and a difficult trade-off. Something similar to the #Debian #OpenPGP #web-of-trust would potentially have mitigated this style of attack somewhat, but with a different trade-off. We might have to think much harder about trust in individual accounts, and for some projects requiring a link to a real-world country-issued ID document may be the right balance (for others it wouldn't work). That is neither an easy nor a quick path, though. Also note that sophisticated nation state attackers will probably not have a problem procuring "good" fake IDs. It might still raise the bar, though.
9. What happened here seems clearly criminal - at least under my IANAL naive understanding of EU criminal law. There was clear intent to cause harm, and that makes the specific method less important. The legal system should also be able to help in mitigating supply chain attacks; not in preventing them, but in making them more costly if attackers can be tracked down (this is difficult in itself, see point 8) and face risk of punishment after the fact.
H/T @… @… @… @… @…
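Point 7 above, as an added worked example (my own illustration, not code from the post, from Debian, or from any reproducible-builds project): an independent rebuild of a published artifact is compared bit-for-bit with what was shipped, and every comparison is appended to a hash-chained, append-only log so the record itself cannot be quietly edited later. The "compiler" is a deterministic stand-in, and the source tarballs and artifacts are constructed byte strings. The last case in the usage note shows the caveat the post makes: when the backdoor is already in the committed source, the rebuild reproduces it faithfully and the check passes.

```python
"""Reproducible-build verification with a hash-chained transparency log.
Constructed example; the build step is a stand-in, not a real compiler."""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # previous-hash value for the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class TransparencyLog:
    """Append-only log: each entry commits to the previous entry's hash, so
    editing or removing any earlier entry invalidates everything after it."""
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = json.dumps(record, sort_keys=True)
        entry_hash = sha256_hex((prev + body).encode())
        self.entries.append({"prev": prev, "record": record,
                             "entry_hash": entry_hash})
        return entry_hash

    def verify_chain(self) -> bool:
        """Recompute every entry hash from its predecessor and record."""
        prev = GENESIS
        for e in self.entries:
            body = json.dumps(e["record"], sort_keys=True)
            if e["prev"] != prev or \
               sha256_hex((prev + body).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def toy_build(source: bytes, inject: bytes = b"") -> bytes:
    """Deterministic stand-in for a build: the artifact depends only on the
    source. `inject` models a build server adding bytes the source never had."""
    return hashlib.sha256(source).digest() + inject


def verify_rebuild(source: bytes, published: bytes, rebuilt: bytes,
                   log: TransparencyLog) -> bool:
    """Record source, published and rebuilt hashes; True only when the
    independent rebuild matches the published artifact bit-for-bit."""
    record = {
        "source_sha256": sha256_hex(source),
        "published_sha256": sha256_hex(published),
        "rebuilt_sha256": sha256_hex(rebuilt),
    }
    record["reproducible"] = (record["published_sha256"]
                              == record["rebuilt_sha256"])
    log.append(record)
    return record["reproducible"]


if __name__ == "__main__":
    log = TransparencyLog()
    clean_src = b"compression library source tree (constructed)"
    # Honest release: maintainer build equals the independent rebuild.
    print(verify_rebuild(clean_src, toy_build(clean_src),
                         toy_build(clean_src), log))       # True
    # Tampered release: shipped binary has bytes the source does not explain.
    print(verify_rebuild(clean_src, toy_build(clean_src, b"\x00extra"),
                         toy_build(clean_src), log))       # False
    print(log.verify_chain())                               # True
```

The second case is the distribution vector the post says reproducibility catches. If instead the malicious change is committed to the source tree itself, `verify_rebuild(bad_src, toy_build(bad_src), toy_build(bad_src), log)` returns True, because reproducibility only proves the binary matches the source, not that the source is honest; that is exactly the limitation in the post's last sentence of point 7. Tampering with a stored entry (for example flipping a recorded `reproducible` flag) makes `verify_chain()` return False.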
Explaining EDA synthesis errors with LLMs
Siyu Qiu, Benjamin Tan, Hammond Pearce
https://arxiv.org/abs/2404.07235 https://arxiv.org/p…
MotorEase: Automated Detection of Motor Impairment Accessibility Issues in Mobile App UIs
Arun Krishnavajjala, SM Hasan Mansur, Justin Jose, Kevin Moran
https://arxiv.org/abs/2403.13690
This https://arxiv.org/abs/2304.06935 has been replaced.
initial toot: https://mastoxiv.page/@arXiv_csMS_…
Biggest takeaway for me from Aby and Thameem's talk on GraphQL services is that there is a large ecosystem of GraphQL-specific tooling, like routers and IDEs. Graphene, Strawberry, Ariadne, Tartiflette named as frameworks for GraphQL in Python that can sit on top of web frameworks like FastAPI. #PyCascades
This https://arxiv.org/abs/2402.17861 has been replaced.
initial toot: https://mastoxiv.page/@arXiv_csCY_…