Tootfinder

Opt-in global Mastodon full text search. Join the index!

@stephane_klein@mamot.fr
2024-03-12 19:00:28

I just discovered that #GitHub lets you configure forms for creating issues.
Example of an issue configuration file github.com/asdf-…

@toxi@mastodon.thi.ng
2024-04-07 16:26:26

TIL #GitHub is limiting statistics/graphs for repos with more than 10,000 commits... Considering ~99% of those in thi.ng/umbrella are my own, it seems I've been rather busy... 😇

GitHub UI screenshot with the message: "There are too many commits to generate this graph" for the "Code frequency" of: https://github.com/thi-ng/umbrella/graphs/code-frequency
GitHub UI screenshot with the message: "Contributions to develop, line counts have been omitted because commit count exceeds 10,000." at https://github.com/thi-ng/umbrella/graphs/contributors

@frankel@mastodon.top
2024-05-10 17:12:00

Did #GitHub #Copilot really increase my productivity?
trace.yshui.dev/2024-05-copilo

@_mr_moe@mastodon.social
2024-04-10 15:20:18

Tomorrow I'm moderating a learning session on Github Actions. Someone else will cover the technical content.
Still, the question: what should people have taken away after a hands-on session?
(Runners, Workflows, Marketplace, Events, Starter Workflows are on our list so far)
#githubActions #github

@drahardja@sfba.social
2024-03-02 04:31:28

#GitHub is under attack.
“The flow of the campaign is simple:
1. Cloning existing repos (for example: TwitterFollowBot, WhatsappBOT, discord-boost-tool, Twitch-Follow-Bot, and hundreds more)
2. Infecting them with malware loaders
3. Uploading them back to GitHub with identical names
4. Automatically forking each thousands of times
5. Covertly promoting them across the …

@dichotomiker@dresden.network
2024-04-01 22:16:06

#TIL someone released the complete source for Machines - Wired for War on #Github: github.com/markol/machines

@marcel@waldvogel.family
2024-04-23 05:14:33

Don't trust any random file, just because it lies in a trustworthy #Github project. Because essentially anyone can create files under any project space.
#SecurityWarning

@wyri@toot-toot.wyrihaxim.us
2024-03-31 20:32:50

Writing this month's #GitHub sponsors update while watching The Cup Head Show on the side: github.com/sponsors/WyriHaximu
(It includes a blog post preview 😎 .)<…

@sycarion@dice.camp
2024-04-03 15:05:14

Quick note while I am thinking about it. I was unhappy with Publii for a while because I couldn't get it to sync with github.
That has been fixed and I redid the authorization in my Github account and it works beautifully.
I prefer Publii because it is local markdown files and I can copy them over to Obsidian.
I have converted my old WP site to markdown and will publish it through Publii as well.

@michabbb@social.vivaldi.net
2024-02-29 12:18:29

#GitHub #Copilot Enterprise is now generally available
github.blo…

@tezoatlipoca@mas.to
2024-05-05 03:28:39

Most AI applications are crap and a waste of electricity but I'm actually quite enjoying #Github's #Copilot for development. As I tell friends, development is 50% googling for how to do the thing you want to do, if Copilot can save me that time it's a win.
I know it's weird but when it finally suggests s…

@mgorny@pol.social
2024-05-05 19:26:15

#GitLab: considers itself good competition for #GitHub.
Also GitLab: unable to provide predictable URLs for files attached to a release.
No, "/package_files/125623770/download" is not a useful address.
(from

@lightweight@mastodon.nzoss.nz
2024-03-14 02:22:20

For folks still actively using #Github for their #libre software activities, this is worth a read: sfconservancy.org/Give…

@galaxydinodragon@social.linux.pizza
2024-03-26 17:43:04

Anyone got a GitHub repo you need contributors for?
Known languages & stuff:
- NodeJS/ JS
- Lua
- Some python
- Some TS
- Some Docker
Feel free to boost to increase exposure and this can sort of act as a list for anyone looking for repos to contribute to.
#github

@scottmiller42@mstdn.social
2024-03-26 19:17:12

Let me say that #GitHub is awful.
Directly create a new empty directory so I can upload some existing files into that subdirectory? Nope, you can't do that!

@aslakr@mastodon.social
2024-02-13 15:47:18

Doesn't #GitHub support signed push?
git-scm.com/docs/git-push#Docu and <…

@michabbb@social.vivaldi.net
2024-03-25 12:36:48

#GitHub #Copilot General Availability in the #CLI

@mgorny@social.treehouse.systems
2024-03-16 16:30:56

Honestly, "#reactions" are a mistake. Just imagine you've asked a question on a #GitHub issue, and someone replied to you by a "👍" reaction. Of course, you get no notification for that, and you have no clue that you've actually been replied to, unless you incidentally happen to revisit the bug.

@wyri@toot-toot.wyrihaxim.us
2024-04-26 17:09:39

Honestly, #GitHub could use a report spam feature in the UI instead of opening a ticket. Getting tagged in random issues hijacked with posts of crypto scams is getting ridiculous at this point.

@tezoatlipoca@mas.to
2024-02-23 23:50:28

A nonsense default configuration parameter string is needed for a program I'm writing, and I'm using #github #copilot.
I just randomly started with
`var stupidString="IlikeBIGbu` - and CoPilot immediately autosuggested:
`var stupidString="IlikeBIGbuttsandIcannotlie!Youotherbrother…

@_mr_moe@mastodon.social
2024-04-17 08:10:11

Actually pretty good, a reviewer CoPilot like this.
I simply didn't see the error, counted the elements several times, etc. :(
#github #copilot

[Screenshot text, partly legible: "… your DataFrame columns. There is a missing comma in your list of column names between 'Jira-Summary' and 'Release Versions'. …"]

@wyri@toot-toot.wyrihaxim.us
2024-03-25 05:02:57

Yup, I fucked this one up. Had one PR do 1753 checks on #GitHub for a workflow change. Guess it's time to add some more filters on when to run what.

@mgorny@social.treehouse.systems
2024-03-14 04:02:45

I've just learned that there's #StaleBot after their bug reports.
If you want to mark my bug report stale, at least bother doing it personally, just like I bothered filing it. Or ideally, run my reproducer if I managed to provide one.
#GitHub #OpenSource

@wyri@toot-toot.wyrihaxim.us
2024-02-20 18:16:36

Lolwut #github

@rene_mobile@infosec.exchange
2024-03-30 21:58:50

My current take on the #xz situation, not having read the actual source backdoor commits yet (thanks a lot #Github for hiding the evidence at this point...) besides reading what others have written about it (cf. #rustlang for such central library dependencies would maybe (really big maybe) have made it a bit harder to push a backdoor like this because - if and only if the safety features are used idiomatically in an open source project - reasonably looking code is (a bit?) more limited in the sneaky behavior it could include. We should still very much use those languages over C/C++ for infrastructure code because the much larger class of unintentional bugs is significantly mitigated, but I believe (without data to back it up) that even such "bugdoor" type changes will be harder to execute. However, given the sophistication in this case, it may not have helped at all. The attacker(s) have shown to be clever enough.
6. Sandboxing library code may have helped - as the attacker(s) explicitly disabled e.g. landlock, that might already have had some impact. We should create better tooling to make it much easier to link to infrastructure libraries in a sandboxed way (although that will have performance implications in many cases).
7. Automatic reproducible builds verification would have mitigated this particular vector of backdoor distribution, and the Debian team seems to be using the reproducibility advances of the last decade to verify/rebuild the build servers. We should build library and infrastructure code in a fully reproducible manner *and* automatically verify it, e.g. with added transparency logs for both source and binary artefacts. In general, it does however not prevent this kind of supply chain attack that directly targets source code at the "leaf" projects in Git commits.
8. Verifying the real-life identity of contributors to open source projects is hard and a difficult trade-off. Something similar to the #Debian #OpenPGP #web-of-trust would potentially have mitigated this style of attack somewhat, but with a different trade-off. We might have to think much harder about trust in individual accounts, and for some projects requiring a link to a real-world country-issued ID document may be the right balance (for others it wouldn't work). That is neither an easy nor a quick path, though. Also note that sophisticated nation state attackers will probably not have a problem procuring "good" fake IDs. It might still raise the bar, though.
9. What happened here seems clearly criminal - at least under my IANAL naive understanding of EU criminal law. There was clear intent to cause harm, and that makes the specific method less important. The legal system should also be able to help in mitigating supply chain attacks; not in preventing them, but in making them more costly if attackers can be tracked down (this is difficult in itself, see point 8) and face risk of punishment after the fact.
H/T @… @… @… @… @…

@mgorny@social.treehouse.systems
2024-05-05 19:26:14

#GitLab: claiming to be a good competition to #GitHub.
Also GitLab: unable to provide predictable URLs for files attached to releases.
No, "/package_files/125623770/download" is not a useful URL.
(from #Gentoo #packaging

@michabbb@social.vivaldi.net
2024-02-24 21:28:17

How stupid can an #ai be? 🙄 🤦‍♂️
see yourself and don't waste your money on #tabnine and stay with #github #Copilot

@mgorny@social.treehouse.systems
2024-02-18 15:48:34

Charity / looking for work
I've updated my #KoFi and #GitHubSponsors profiles today. Since the bio is pretty limited in length, I've changed its main focus to the fact that I'm collecting money to feed the cats I've adopted, and that I'm struggling to find employment (type I diabetes combined with ASD), or make any real income. Or, to put it in other words, that I'm not trying to collect money for my #Gentoo work (that would be against the law) but #charity. But I'm also looking for employment and contracts, particularly related to Gentoo and/or #Python.
If you can spare a few coins, that would help a lot. Especially small amounts (~$1000 over a period of 6 years from a single person are tax-free, and therefore I don't need your detailed personal information).
#ActuallyAutistic #GetFediHired