this post was submitted on 22 Jun 2023
131 points (100.0% liked)

Programming

17373 readers
172 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]



founded 1 year ago
MODERATORS
 

I've heard people mention curl and imagemagick. Any others that you know about?

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 36 points 1 year ago (4 children)

Log4j was a fun one to watch unfold everywhere when things went haywire

[–] [email protected] 17 points 1 year ago (2 children)

The neat thing about the log4j thing was even a cursory explanation of the vulnerability made anyone with a passing familiarity with security say, "Why the fuck would that even be a feature?!"

[–] [email protected] 7 points 1 year ago (1 children)

Wait until you learn that PDFs support embedded Javascript.

load more comments (1 replies)
[–] [email protected] 6 points 1 year ago (3 children)
[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

Basically it involved parsing JNDI stuff which involved grabbing remote code (but that was a niche feature of JNDI in the Dev's defense). Basically, you may think it is just something like variable substitution but can involve much crazier stuff.

Edit: and for more context, JNDI is typically a thing for getting a database connection stored on the application server. The idea being you just ask for "customer database" and don't have to define the connection in the code. The server has it defined elsewhere. So in each environment it works the same. Basically glorified and standardized config file type of thing.

load more comments (1 replies)
[–] [email protected] 5 points 1 year ago (4 children)

That was not a fun week to be a developer.

[–] [email protected] 9 points 1 year ago (1 children)

As a non-java company developer at the time, I think our biggest challenge was explaining to everyone that Log4j didn't affect us. It took a non-zero amount of effort because a lot of customers panicked. To be fair, it was also an industry where confidentiality is important.

[–] [email protected] 5 points 1 year ago

Also a lot of people were pulling it transitively.

load more comments (3 replies)
load more comments (2 replies)
[–] [email protected] 30 points 1 year ago

cURL was one of these for a while (according to my limited understanding)

It was made in the 90s and it didn't get commercial support until a few years ago.

[–] [email protected] 26 points 1 year ago (1 children)

Werner Koch, the guy who created, and who has maintained for 25 years now, pretty much all by himself, GnuPG, the modern email encryption replacement for PGP.

Just the other day, I realized I actually live just a few kms away from the guy, here in Germany ... very tempted to reach out to him someday and actually buy him an actual coffee.

load more comments (1 replies)
[–] [email protected] 25 points 1 year ago (2 children)

Sci-Hub anyone?

Alexandra Elbakyan manages this truly awesome source of scientific papers completely on her own. She got sued twice and lost, had to change the URL multiple times due to takedowns and only gets along by donations.

[–] [email protected] 8 points 1 year ago (1 children)

It is a crime to humanity to lock knowledge behind a huge paywall. She does God's work.

And it's not like the actual scientists/academics support knowledge being locked away either, or profit from it.

[–] [email protected] 3 points 1 year ago

shit, scihub is easier to use than the library, so we're all grateful to her too.

load more comments (1 replies)
[–] [email protected] 20 points 1 year ago* (last edited 1 year ago) (6 children)

Left pad https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/

Had GPT summarize what happened.

The "left pad" incident refers to a controversy that arose in 2016 when a developer named Azer Koçulu removed his JavaScript package called "left-pad" from the NPM (Node Package Manager) registry. This caused a ripple effect, breaking numerous projects that relied on this package and highlighting the potential risks of relying on external dependencies. The incident sparked a debate about the stability and trustworthiness of the open-source ecosystem and led to discussions about best practices for managing dependencies in software development.

[–] [email protected] 10 points 1 year ago

This is the one I came to post about. The fact there's a library for this is so stupid to me.

I feel like it demonstrates how npm and modules have probably to some degree gotten out of hand.

[–] [email protected] 3 points 1 year ago

This famously broke builds at Facebook.

load more comments (4 replies)
[–] [email protected] 19 points 1 year ago (1 children)

Public NTP time servers have occasionally been that piece of infrastructure.

NTP is used for synchronizing computer clocks, ultimately using highly-accurate time sources such as atomic clocks. The most authoritative public time servers tend to be run by research universities, national labs, and so on.

Multiple home router vendors have sold devices configured to poll university NTP servers vastly excessively; effectively running a denial-of-service attack against public infrastructure. In a few cases, public time servers have closed down because of abuse by misconfigured consumer devices.

https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse

[–] [email protected] 5 points 1 year ago

I really like that the https://www.ntppool.org project exists for that purpose now.

[–] [email protected] 18 points 1 year ago (1 children)

The core-js library is used by 1000s of top websites and is maintained by one guy
https://github.com/zloirock/core-js

[–] [email protected] 14 points 1 year ago (3 children)
[–] [email protected] 8 points 1 year ago (1 children)

It's honestly a fascinating read. We count so much on these kinds of people to keep our way of life intact, but when they ask for a little help in their own life, they get spat on.

[–] [email protected] 6 points 1 year ago

It's really, really sad that this sort of stuff doesn't get picked up and funded for the greater good. Stuff like the NLnet Foundation exists, which has helped fund some pretty major projects (including the development of Lemmy), but something this critical I feel should be consistently funded by even larger entities in order to keep things working right.

[–] [email protected] 4 points 1 year ago

That feels it went seriously bad

load more comments (1 replies)
[–] [email protected] 16 points 1 year ago

TzData is basically maintained by 2 guys. Pretty much every computer, phone and language relies on this database for timezone information.

[–] [email protected] 15 points 1 year ago
[–] [email protected] 14 points 1 year ago

A developer maintained a NodeJS package called left-pad that would add leading whitespace to strings. He unpublished the package and broke basically the entire Node ecosystem until the repo owner forcibly republished it against the author's wishes.

https://www.theregister.com/2016/03/23/npm_left_pad_chaos/

[–] [email protected] 14 points 1 year ago* (last edited 1 year ago) (6 children)

Node frameworks are famous for this purely because of a lack of standard library. I feel like most languages have a standard library that balance being generic but still providing utilities of common used stuff. So a company that doesn’t want to rely on a random guy’s library can build their own with only the features they want. But with Node, any complicated feature is using a tree of hundreds of random packages that you have no idea who created them.

[–] [email protected] 4 points 1 year ago (1 children)

Someone ought to write a Node.js fork that includes native implementations of popular modules that are unlikely to need maintenance like isodd. Then come with a custom version of NPM that refuse to install the packages.

[–] [email protected] 6 points 1 year ago (1 children)

Deno basically did this by including a standard library that removes the need for the most popular modules. It's the best js/ts experience I've ever had.

load more comments (1 replies)
load more comments (5 replies)
[–] [email protected] 12 points 1 year ago (2 children)
[–] [email protected] 8 points 1 year ago

Looks like there has at least been a small team working on ffmpeg for some time. https://en.m.wikipedia.org/wiki/FFmpeg#History

load more comments (1 replies)
[–] [email protected] 11 points 1 year ago (1 children)

Basically every Windows sysadmin is indebted to Mark Russinovich and SysInternals. Fortunetly, PowerToys has come a long way because I'm pretty sure sysinternals haven't been updated since Windows XP.

[–] [email protected] 5 points 1 year ago (1 children)

Mark Russinovich now works for Microsoft and they own Sysinternals. Also the tools get updated quite regularly.

[–] [email protected] 11 points 1 year ago (1 children)

"Mark works for MS" is a massive understatement. He's CTO of Azure now.

And speaking of Sysinternals, arguably the most exciting update was when ProcessExplorer got a dark mode late last year :)

[–] [email protected] 4 points 1 year ago

Wait? ProcessExplorer has dark mode???!

[–] [email protected] 11 points 1 year ago (1 children)

Not a package but FilleZilla is developed by Tim Kosse for over 20 years. I know that there are a lot of other FTP-Clients but FilleZilla is my favorite. Easy to use and very very stable. There is a pro version sure, but most of the time the regular one does the job. My company throws thousands of dollars a month at Adobe, Microsoft and others. But they would never even think about giving anything to Tim Kosse and others, even though I've probably saved days of work with tools like this.

load more comments (1 replies)
[–] [email protected] 10 points 1 year ago

In the same kind of vein as imagemagick, Dave Coffin's dcraw tool at least partly underlies almost every non-proprietary RAW image decoder, and some of the commercial ones (if they don't use code, they use constant matrices and such).

He's not a sole maintainer to any of his major projects anymore, but honorable mention to Fabrice Bellard who initiated both ffmpeg and qemu among other notable activities.

IIRC the Expat XML parser that's embedded everywhere was basically on spare-time maintenance by Clark Cooper and Fred Drake for a couple decades, but I think they have a little more resources now.

SQLite is a BDFL situation more than single-maintainer, but D. Richard Hipp still has his hands on everything, and there are only a relatively small number of folks with commit access.

[–] [email protected] 9 points 1 year ago

OpenSSL / Heartbleed was the event when this comic came out IIRC.

[–] [email protected] 8 points 1 year ago

I didn't even know about core-js until the dev complained about all the sites which use it. https://github.com/zloirock/core-js/blob/master/docs/2023-02-14-so-whats-next.md

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (2 children)

Edit: maybe it was core js. I don't remember the name exactly.

Standard JS. It's a library maintained by one guy in Russia who went to jail for some car accident (I don't have the full context). He needed money and had trouble getting it. Then the Ukraine invasion happened and that only made it more difficult for him to get money. Also he was harassed by less technical people seeing his code on websites thinking it was malicious.

It's really a sad story to me.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

Yeah it was quite shocking for me to read his story. Link for everyone who hasn't come across it yet. https://github.com/zloirock/core-js/blob/master/docs/2023-02-14-so-whats-next.md

Edit: Just noticed that he used the exact same comic in this write up.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

You mean coreJS, not standard JS, right? But yes, it's a sad story.

load more comments (1 replies)
[–] [email protected] 6 points 1 year ago (3 children)

Would you like to hear an OpenSSL joke?

It's 64k letters long and you can repeat it back to me when I'm done.

It's "A".

https://www.heartbleed.com/

load more comments (3 replies)
[–] [email protected] 5 points 1 year ago (1 children)
[–] [email protected] 4 points 1 year ago

Salvatore Sanfilippo - creator of Redis.

Well, he actually received many appreciations from the community. But it's worth knowing IMO.

https://www.eu-startups.com/2011/01/an-interview-with-salvatore-sanfilippo-creator-of-redis-working-out-of-sicily/

[–] [email protected] 3 points 1 year ago (2 children)

Look up a machine called Therac-25. great example of this. Terrifying.

load more comments (2 replies)
load more comments
view more: next ›