Wow, I did a plot Google search to find the title of "As Good As it Gets", and I found this piece of long form bigotry denouncing movies with gay characters as "clearly not made for revenue". Looked at the book's title. "Porn Generation: How Social Liberalism Is Corrupting Our Future". There are surely voters that read this cover to cover...

You can't make this up. Nomx is now claiming that their un-authenticated CSRF leading to admin privileges on a public URL poses "non-existing threat" because "the user must visit a hacked website".
That's it. CSRF is solved folks! You wanted to rework the OWASP Top 10 anyway, no?

Uh, I would have expected Alpine to have a reproducibility story. 🙁 It usually picks up the most simple/secure practices first.

Figured it out! 🙌 And got it to reproduce 💥

The default GOROOT matters to the build ID because it's written to zversion.go, which is intentionally hashed in to detect toolchain changes.

Not, as I thought, because of the filepaths in the stdlib build IDs. The tree is recomputed with the current GOROOT instead. So every time you change GOROOT, the stdlib *is* rebuilt. (My previous tweet was wrong!)

All bets are off, it's "Filippo is stupid".

But! Go binaries also get the *default* GOROOT copied in. The one that the compiler will use if no GOROOT is set, which was set at (compiler) compile time. Binaries need to know it to behave exactly like the compiler that built them.

So this is a fixed diff. But I don't see how it would affect the build ID.

Interesting read:

Three hours in. I know much more about embedded GOROOT paths.

Interestingly, the compiler will patch the paths of the symbols in the stdlib to match the GOROOT. That's smart, avoids recompiling the stdlib at every GOROOT change, but allows debuggers to find the stdlib files.

Also, should make reproducible builds just work.

So it's not this.

Why you never need to nuke your $GOPATH/pkg. I love the Go toolchain.

The whole pkg.go file is a good read.

🙌 BA just upgraded us to Club World on an overnight 8h 787 flight! Never had that happen before check-in 😃

Trying to reproduce the release build of a popular Go software. There are Makefiles and it's pretty basic, but coming up with slight differences. Taking bets:

1/10 Backdoor
3/5 Filippo is stupid
3/10 Owner messed up
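A small check that goes with the reproduction attempt above and with the earlier thread about the default GOROOT being baked into binaries. This is an added example, not code from the original posts or from the software being reproduced: it reads the build settings a Go binary records (the text form printed by `go version -m`, parsed with the standard library's `debug.ParseBuildInfo`) and flags the settings that most often explain "slight differences" between two builds of the same source. The two build-info samples are constructed for the example; the warning rules are this example's own, not a toolchain feature.

```go
package main

import (
	"fmt"
	"runtime"
	"runtime/debug"
)

// Constructed sample of a binary's build info in the text form printed by
// `go version -m` (not taken from any real release). Built with -trimpath,
// from a clean tagged tree, without cgo.
const CleanBuildInfo = "path\texample.com/tool\n" +
	"mod\texample.com/tool\tv1.2.3\t\n" +
	"build\t-compiler=gc\n" +
	"build\t-trimpath=true\n" +
	"build\tCGO_ENABLED=0\n" +
	"build\tvcs=git\n" +
	"build\tvcs.modified=false\n"

// Constructed sample of a build that is unlikely to reproduce byte-for-byte.
const DirtyBuildInfo = "path\texample.com/tool\n" +
	"mod\texample.com/tool\t(devel)\t\n" +
	"build\t-compiler=gc\n" +
	"build\tCGO_ENABLED=1\n" +
	"build\tvcs=git\n" +
	"build\tvcs.modified=true\n"

// setting returns the value of a recorded build setting and whether it exists.
func setting(bi *debug.BuildInfo, key string) (string, bool) {
	for _, s := range bi.Settings {
		if s.Key == key {
			return s.Value, true
		}
	}
	return "", false
}

// ReproducibilityWarnings lists the recorded settings that commonly make two
// builds of the same source differ. The rules are this example's own.
func ReproducibilityWarnings(bi *debug.BuildInfo) []string {
	var warnings []string
	if v, ok := setting(bi, "-trimpath"); !ok || v != "true" {
		warnings = append(warnings, "built without -trimpath: absolute source paths (builder's GOROOT and module cache) are embedded")
	}
	if v, _ := setting(bi, "CGO_ENABLED"); v == "1" {
		warnings = append(warnings, "CGO_ENABLED=1: output depends on the host C toolchain and libraries")
	}
	if v, _ := setting(bi, "vcs.modified"); v == "true" {
		warnings = append(warnings, "vcs.modified=true: built from a tree with uncommitted changes")
	}
	if bi.Main.Version == "(devel)" {
		warnings = append(warnings, "main module version is (devel): not built from a tagged module version")
	}
	return warnings
}

// CheckBuildInfoText parses the text form of the build info and returns
// the reproducibility warnings for it.
func CheckBuildInfoText(text string) ([]string, error) {
	bi, err := debug.ParseBuildInfo(text)
	if err != nil {
		return nil, err
	}
	return ReproducibilityWarnings(bi), nil
}

func main() {
	// The default GOROOT is copied into every binary at compile time; this
	// prints the value embedded in this program.
	fmt.Println("embedded default GOROOT:", runtime.GOROOT())

	for name, text := range map[string]string{"clean": CleanBuildInfo, "dirty": DirtyBuildInfo} {
		warnings, err := CheckBuildInfoText(text)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: %d warning(s)\n", name, len(warnings))
		for _, w := range warnings {
			fmt.Println("  -", w)
		}
	}
}
```

To apply it to a real binary, feed the output of `go version -m <binary>` (with the leading tab on each line stripped) to `CheckBuildInfoText`; an empty warning list does not prove reproducibility, it only rules out the usual suspects before comparing hashes.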

"In Praise of Drop-In Libraries"

Just today I was mentioning how SQLite (drop-in library) and youtube-dl (drop-in Python "script") are case studies in how simplicity of adoption can make the success of something (even complex).

Sigh. Ninjalicious would probably not be happy with where the world is almost 15 years later.

From "Access All Areas", 2004

Started a fuzzing job, forgot to add a way to extract crashes. Immediately found 2 crashes. Restarted it with logging. 2 hours with no results. Ok.

Just wasted over 2 hours (partially) dockerizing what seems to be a standard Gulp-based static site generator. It only works if node_modules is generated at the repo root, with that precise sequence of commands, that changed three times in the last year. Every mistake is fatal and the only solution is to start over.

Good tooling is judged by how it adapts, how narrow its scope is, and how it works when you step off the happy path.

More from my federation wish list: MastodonaaS, a hosted Mastodon service to point your own domain to, for identity ownership and vanity, just like custom email domains.
