I also personally ask myself how a PyPI Admin & Director of Infrastructure can miss out on so many basic coding and security-relevant aspects:
Hardcoding credentials and not using dedicated secret files, environment variable or other secret stores
For any source that you compile you have to assume that - in one way or another - it ends up in the final artifact - Apparently this was not fully understood (“.pyc files containing the compiled bytecode weren’t considered”)
Not using an isolated build process, e.g. a CI with an isolated VM or a container - This will inevitably lead to “works on my machine” scenarios
Needing the built artifact (container image) only locally but pushing it into a publicly available registry
Using an access token that has full admin permissions for everything, despite only requiring it to bypass rate limits
Apparently using a single access token for everything
When you use Git locally and want to push to GitHub you need an access token. The fact that the article says “the one and only GitHub access token related to my account” likely indicates that this token was at least also used for this
One of the takeaways of the article says “set aggressive expiration dates for API tokens” - This won’t help much if you don’t understand how to handle them properly in the first place. An attacker can still use them before they expire or simply extract updated tokens from newer artifacts.
On the other hand what went well:
When this was reported it was reacted upon within a few minutes
Some of my above points of criticism now appear to be taken into account (“Takeaways”)
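The bytecode point made above (a token written as a literal is compiled into the .pyc and travels with the artifact), shown as an added example that is not the commenter's or PyPI's code: two constructed snippets are byte-compiled the way a build would, and the resulting .pyc is walked for token-shaped string constants, which is the pre-publish check one would run over build output before pushing an image. The `ghp_` prefix is that of classic GitHub personal access tokens; the sample token is constructed, and the generic 40-character pattern is an assumption.

```python
# Added example (not the commenter's or PyPI's code): scan a compiled .pyc for
# string constants that look like access tokens.
import marshal
import os
import py_compile
import re
import tempfile
import types

# "ghp_" is the prefix of classic GitHub personal access tokens (36 characters follow).
# The second pattern is an assumed catch-all for long random-looking identifiers.
SECRET_PATTERNS = [
    re.compile(r"ghp_[A-Za-z0-9]{36}"),
    re.compile(r"[A-Za-z0-9_\-]{40,}"),
]

# Constructed sample token, not a real credential: "ghp_" followed by 36 characters.
GHP_EXAMPLE = "ghp_" + "EXAMPLE" * 5 + "0"


def iter_string_consts(code):
    """Yield every string constant reachable from a code object, recursing into
    nested code objects (functions, classes, comprehensions)."""
    for const in code.co_consts:
        if isinstance(const, str):
            yield const
        elif isinstance(const, types.CodeType):
            yield from iter_string_consts(const)


def load_code_from_pyc(path):
    """Unmarshal the code object stored in a .pyc, skipping the 16-byte header
    (magic number, flags, source mtime or hash, source size) used since Python 3.7."""
    with open(path, "rb") as fh:
        data = fh.read()
    return marshal.loads(data[16:])


def find_secrets_in_pyc(path):
    """Return the string constants in a .pyc that match a secret pattern."""
    hits = []
    for text in iter_string_consts(load_code_from_pyc(path)):
        if any(pat.search(text) for pat in SECRET_PATTERNS):
            hits.append(text)
    return hits


def compile_and_scan(source):
    """Write `source` to a temp file, byte-compile it as a build would, and scan
    the resulting .pyc. Returns the list of suspicious constants found."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "build_helper.py")
        with open(src, "w") as fh:
            fh.write(source)
        pyc = py_compile.compile(src, cfile=os.path.join(tmp, "build_helper.pyc"), doraise=True)
        return find_secrets_in_pyc(pyc)


# Constructed snippet 1: the token is a literal, so it becomes a constant in the bytecode.
HARDCODED = f'''
def fetch_release_notes():
    token = "{GHP_EXAMPLE}"  # constructed token, baked into the .pyc
    return token
'''

# Constructed snippet 2: read from the environment; only the variable *name* reaches the .pyc.
CLEAN = '''
import os
def fetch_release_notes():
    token = os.environ["GITHUB_TOKEN"]
    return token
'''

if __name__ == "__main__":
    print("hardcoded snippet:", compile_and_scan(HARDCODED))  # the token is found
    print("environment-based snippet:", compile_and_scan(CLEAN))  # nothing found
```

The same walk works on the `__pycache__` directory of a built image, which is where the compiled helper ends up; a hit there means the artifact must not be pushed and the token must be treated as exposed.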
Yes kids, the only stuff in ANY repo (public or otherwise) should be source code.
If it is compiled, built, or otherwise modified by any process outside of you the developer typing in your source code editor, it needs to be excluded/ignored from being committed. No excuses. None. Nope, not even that one.
Two choices: Either the production software isn’t in the exact state the repo was when the software was built. Or I can’t get build timestamps in the software.
Well from my personal PoV there are a few problems with that
You can’t detect all credentials reliably, they could be encoded in base64 for example
I think it’s kind of okay to commit credentials and configuration used for the local dev environment (and ONLY the local one). E.g. when you require some infrastructure like a database inside a container for your app. Not every dev wants to manually set a few dozen configuration entries when they quickly want to check out and run the app
I think it’s kind of okay to commit credentials and configuration used for the local dev environment (and ONLY the local one).
No. Never.
E.g. when you require some infrastructure like a database inside a container for your app. Not every dev wants to manually set a few dozen configuration entries when they quickly want to check out and run the app
In this situation, it would be better to write a simple script that can generate fresh and unique values for the dev.
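The generator script this reply suggests, as an added example that is not the commenter's code: it writes fresh random values for the local stack into a `.env` file on each checkout, refuses to run unless `.env` is listed in `.gitignore` (so the generated values cannot be committed by accident), creates the file owner-readable only, and refuses to overwrite existing values unless the caller asks to rotate them. The variable names and the `KEY=value` layout of the file are assumptions.

```python
# Added example (not the commenter's code): per-checkout dev secrets instead of
# committed ones. Variable names and .env layout are assumed for illustration.
import os
import secrets
from pathlib import Path

# Assumed names of the settings the local container stack needs.
DEV_SECRET_VARS = ("POSTGRES_PASSWORD", "APP_SESSION_SECRET")


def new_dev_secrets(names=DEV_SECRET_VARS):
    """Fresh, unique, URL-safe random values for each variable."""
    return {name: secrets.token_urlsafe(32) for name in names}


def render_env(values):
    """One KEY=value line per entry; token_urlsafe output needs no quoting."""
    return "".join(f"{key}={value}\n" for key, value in values.items())


def env_is_ignored(repo_dir, env_name=".env"):
    """True if .gitignore lists the env file (bare name or root-anchored)."""
    gitignore = Path(repo_dir) / ".gitignore"
    if not gitignore.exists():
        return False
    wanted = {env_name, "/" + env_name}
    return any(line.strip() in wanted for line in gitignore.read_text().splitlines())


def write_dev_env(repo_dir, env_name=".env", overwrite=False):
    """Generate and write the dev env file; returns the values written."""
    repo_dir = Path(repo_dir)
    target = repo_dir / env_name
    if not env_is_ignored(repo_dir, env_name):
        raise RuntimeError(f"{env_name} is not listed in .gitignore; refusing to create it")
    if target.exists() and not overwrite:
        raise FileExistsError(f"{target} already exists; pass overwrite=True to rotate")
    values = new_dev_secrets()
    # Create the file with owner-only permissions before writing anything into it.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(render_env(values))
    return values


def demo():
    """Walk through the three cases in a temporary checkout and report what happened."""
    import tempfile

    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        try:  # no .gitignore entry yet: must refuse
            write_dev_env(tmp)
            result["unignored_refused"] = False
        except RuntimeError:
            result["unignored_refused"] = True
        (Path(tmp) / ".gitignore").write_text(".env\n")
        first = write_dev_env(tmp)
        try:  # second plain run: must not clobber existing values
            write_dev_env(tmp)
            result["exists_refused"] = False
        except FileExistsError:
            result["exists_refused"] = True
        second = write_dev_env(tmp, overwrite=True)  # explicit rotation
        result["rotated"] = first != second
        result["keys"] = sorted(first)
        result["on_disk"] = (Path(tmp) / ".env").read_text() == render_env(second)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because every developer ends up with different values, a leaked `.env` from one machine opens nothing on another, and nothing secret ever reaches the repository.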
Whether it’s on the internet or at a bar counter, I like to engage in debate to better myself. If your goal is to turn every fanatic that crosses your path, you’re gonna be depressed real soon.
If your goal in an argument is to change the other person’s mind, then changing your mind (by taking in new information, learning, and understanding a different point of view) is seen as losing. That’s a terrible way to look at what is ultimately personal growth.
As I’ve just said in two other comments, “changing someone’s mind” is just a return to barbarism and the Middle Ages. When a few literate theology doctors would publicly “defeat” their opponents, the barely literate mass of their audience (monks, nobles and such) would watch and approve, and the illiterate mass would kinda get that those pesky heretics/infidels got totally owned by facts and logic.
So any person arguing with that emotion and visible goal should just be left to eat other such ignorami. Nobody worth arguing with has those.
There’s no hope in changing the mind of every fanatic you come across.
But we generally don’t have internet debates in DMs, we do it in public forums. The goal isn’t to sway the fanatics, it’s to publicly quash their arguments. To sway curious onlookers away from fanaticism before they become fanatics themselves.
You aren’t going to kill an idea with name calling online either. You’ll, hopefully, be rightfully called out for using pointless ad hominem attacks and be shot down on the spot, pushing people to the fanatic you’re arguing against.
Unless we’re talking about Twitter, then yeah, louder idiot wins.
Posting “posting isn’t praxis” isn’t praxis either. But like, there is value in theory, and you must believe that or else you would’ve believed it was pointless to post “posting isn’t praxis”.
Edit: wow, they deleted the entire chain. I’ve still got it in my inbox, but honestly it’s probably for the best that it’s gone. That was incredibly unhinged behaviour. Whilst I would normally not take a deletion as an admission of being wrong, one of the things that I said, multiple times, was that their arguments were circular, self-defeating and had no point. Deleting them would seem to be a strong agreement that they were indeed pointless. Since their main position was that nobody can be convinced by online posting, it seems like them changing their mind about posting implies that something in our exchange convinced them they were wrong and that makes that position wrong as well. Do they agree? Who knows, they deleted it all. Their opinion is now missing. If they don’t like that well… I guess they could post about it.
This is unbelievably convoluted. You’ve talked yourself in knots but also somehow believe that your argument is so airtight that any attempt to refute it only invalidates my beliefs.
Your argument is circular, self-defeating and also missing some really obvious things, one of which I already pointed out.
The only thing left to do is to ask if you’re actually curious to understand what I mean.
So to be clear, you’re not curious to understand because you believe you can read my mind and understand the secret motivations behind my words that renders them invalid?
I very much didn’t lay out my motivations, I think you may have me confused for someone else.
But again, you’re not curious to understand because you think you already know everything you need to know about me.
For what it’s worth, I am actually curious to understand what you mean, but I’m struggling to for reasons I’ve laid out. Your reasoning is very circular and self-contradictory and also a lot of the sentences are very hard to parse out.
I am asking about whether you are curious to understand because I would like to have a real discussion, and I want to know if you are willing to also have one. So far you seem so convinced I would never actually listen to you that you therefore won’t listen to me. Unless and until that changes I don’t see this particular conversation achieving much.
So what you’re saying is that you personally can’t be convinced by a post, and you’re extending that out to everyone else.
This seems like a form of solipsism. If you don’t believe the posts you’re surrounded by are authentic, then nothing anyone says can convince you otherwise.
Like for instance, I could tell you I’ve been convinced by things people have said online. Sometimes it’s in a context of debate, sometimes not. But if you think I’m only cynically saying that for the points, then I’m obviously just lying. It’s a perfect circle of protection.
Ultimately only you can decide if you’re open to being convinced. The problem comes when you decide that’s everyone else’s problem. I can’t say what’s in your head and it’s hard to figure out what you mean here.
I’d be interested to know what your online media diet is, because honestly I think most debate bros out there aren’t doing much of any worth, except again maybe performing to an audience. I don’t know what to say here. You say your head’s a mess, and I tend to agree. I can’t make head nor tails of what you’re saying. It sounds like you’re monologuing to yourself, and I’m not really qualified to interpret it. Only you are.
At this point, you’re just kind of bloviating. Like, none of the points on their own is particularly confusing - although if you don’t see the inherent contradictions I wonder if you’re even listening to yourself, you seem to explicitly acknowledge them - I just don’t know what the point of it all is. Like, you need to do some work to help me understand what you’re actually trying to say. I’m not your therapist. Either you have something you want me to respond to or you don’t.
The initial response of “you must believe posting can change minds or you wouldn’t be posting”…you understand that’s the point I started focusing on correct?
That is literally not what I said. I could repeat it, but you would have to tell me you’re curious to understand me or I’m not going to bother at this point. I’ve already asked you that and you ignored it, but you seemed troubled so I let it slide. I’m done with that. If you won’t meet me halfway in this conversation then you can carry on wanking in the corner, but I’m not going to watch.
“you must believe posting can change minds or you wouldn’t be posting”
vs
But like, there is value in theory, and you must believe that or else you would’ve believed it was pointless to post “posting isn’t praxis”.
Those are two different things.
Also:
you insisting I’m losing a debate.
Yet another thing that I literally never said. You couldn’t have made it clearer that you’re not listening and not interested in anything I have to say.
You haven’t convinced me that it’s impossible to change minds, but you have convinced me that you personally can’t be convinced of anything as you are right now, and that you personally are incapable of convincing other people of anything on purpose. I guess I agree that you’re a mess, that’s something you said and which I took on board. Does that count?
If you can’t see how your behavior isn’t a real discussion I don’t want to have one.
You literally said it’s impossible to have a real discussion online, and now you’re criticising someone for not engaging you in the way you want to have a “real discussion”?
The goal isn’t to sway the fanatics, it’s to publicly quash their arguments. To sway curious onlookers away from fanaticism before they become fanatics themselves.
As I’ve said in another comment, this is a return to the Middle Ages. Debating skills have not much in common with reasoning skills.
For my argument it’s sufficient that they are very much not the same.
This is similar to saying that a big company leading in some area can be benevolent and do good things. Yes, it can, like DEC, Sun, at some point even IBM. Doesn’t prove the statement that every social institution and mechanism out there must be replaced by markets.
You’re the only one making that argument, and it doesn’t follow from my initial point. I’m not even really sure what point you’re trying to make.
How does anything you’re saying negate the fact that people make bad but persuasive points online, and gullible people fall for that persuasion? Or that those gullible people lack the entrenchment of the bad actors, and can be redirected from those bad points to better ones if persuasive arguments are presented directly in response to the bad ones?
The goal isn’t to sway the fanatics, it’s to publicly quash their arguments. To sway curious onlookers away from fanaticism before they become fanatics themselves.
Friendly reminder that the above is what I answered first.
Sorry, but this is a load of bollocks. It’s you putting yourself above some “gullible people” and still using debate skills to deceive them, just in some “good” direction. Maybe you are really right, but they believe you for the wrong reasons, and the process itself doesn’t reinforce that you are right in any way.
If they’re already going to believe the wrong things for the wrong reasons, why not present the right things for the wrong reasons? Those who need the right reasons to change their mind are beyond the scope of this approach.
This is outreach to the gullible for harm reduction when they might otherwise filter themselves into a dangerous pipeline. This isn’t using debate skills to deceive, it’s using them to counter those who do use their debate skills to deceive. Even if the content may possibly be wrong, by presenting it in contrast to preceding content it necessarily widens the debate-space from an unopposed confident statement to a dialogue that the onlooker can take into consideration while making their own decision.
it necessarily widens the debate-space from an unopposed confident statement to a dialogue that the onlooker can take into consideration while making their own decision.
That part would be right if we weren’t talking about social media, which are designed to neuter this effect.
People always forget about the lurkers. Most people with less-informed, more impressionable views on a given topic aren’t posting and debating, they’re reading and learning (despite the unfortunate exceptions). Seeing some wacko extremist nonsense or voter suppression tactic go unchallenged by a more reasonable argument may be enough to sway a not-yet-fanatic in the wrong direction.
But - debates don’t better yourself. Only your debating skills in particular get better. It’s a return to the Middle Ages with theologists publicly “defeating” heretic, Jewish and Muslim philosophy.
And “turn” is an interesting word, making the association even stronger.
If you’re debating in good faith you are bettering yourself by improving your understanding of a different view point, and letting your own views be challenged so you can reassess if you still hold them.
Well, this comment of yours doesn’t look like a good faith argument.
What I meant is that it takes two sides for one. And when two people are ready to argue in good faith, one may downgrade the level of contention from “argue” to “discuss” without any loss.
(For me and my sister it would still be “argue”, but we are just rude to each other.)
Well, this comment of yours doesn’t look like a good faith argument.
Neither did your comment of
So who debates in good faith and how often?
Someone JAQing off is not having a good faith argument, and it does not invalidate my argument if I don’t waste effort on someone who isn’t continuing in good faith.
I see the argument you’re hinting at, and it doesn’t invalidate the argument either, but I’m not going to spend time debating an argument you haven’t bothered to actually make.
Better range, better speeds, better control panel, and some extra features that can be great for gaming or self-hosting servers (eg: network-wide adblocker, nat loopback)
I have exhaustively evaluated consumer routers for supporting the IPv6 standard, and it’s quite spotty with the best of them requiring an ideal lucky match between the way your ISP issues addresses and the way your router does. The only consistent way for the home user I found to get support for that standard on their home network is to use the provided device. It’s a shame.
In summary, if you want the new type of Internet addresses, it’s a pain if you want to own your own router.
Either the provider router/DHCPv6 and delegation or the CPE (your router) is misconfigured. IPv6 support on consumer equipment really is pretty straightforward.
Mostly directional range, but mine also offers a huge suite of features so I can have total control over my network, as well as wifi 6 which is nice and a bunch of high speed ports
Lot of comments but the real answer is that generally router firmware is pretty shitty and price does not equal performance. If you want something good for cheap get a 50-100 dollar (can find even cheaper especially if you don’t have crazy internet speeds) computer (like a Raspberry Pi clone), stick OpenWrt on it, and get a separate Wi-Fi access point. Will blow past any consumer grade premium router because a lot of them are sold to be “all in one” with the cheapest, low power hardware imaginable and, while not universal, software that is never updated. Also, something like OpenWrt has something called CAKE SQM which can massively reduce latency, as well as constant software updates that fix vulnerabilities.
An ISP provided router is generally going to be the cheapest device they can buy that will be functional on their service.
This means that if you are using more than a handful of devices it can overwhelm the processing power of the router leading to lag, drop outs, loss of connection, sites taking ages to load, etc.
When you buy your own router you get to choose a device that fits your (and your family’s) needs.
If you shop at an actual tech shop instead of your local big box store, you will find a huge number of different devices available that are far more capable than either the ISP’s or big box stores’ offerings.
There are even entry level professional units that can support about a hundred devices connected to them without breaking a sweat.
When I switched from ADSL to fiber years ago I purchased a D-Link DIR-879 router which at the time was good enough for my needs but had some drop out issues so I have recently upgraded to a MikroTik RB960PGS Router which is both a wired only router (no inbuilt WiFi) and much more powerful both in performance and features.
I can use a Wifi access point or two to get WiFi where I need it and it can be upgraded as new WiFi standards come out without replacing the router.
Last week I installed Windows 11 on a new laptop that came with FreeDOS installed. It was a really dreadful experience, I never thought it was this bad.
The Windows 11 installer couldn’t find any HDD partitions or hard drive, while FreeDOS could. After googling for a while I had to download an Intel Rapid Something driver from the manufacturer’s website and load it up when installing Windows 11.
After installing Windows it required an internet connection to proceed but I assume the wi-fi drivers were not installed. USB tethering didn’t seem to be working either so I had to continue the setup elsewhere, where I had physical access to the router.
I had to skip a lot of things throughout the installer, which kinda shocked me. Office 365 and even games, before I even booted the actual OS.
Fully updating Windows took 2 hours. Fresh ISO, gigabit Ethernet connection, nvme HDD. Damn.
Pretty miserable experience and completely impossible for an inexperienced user.
For point 1 you need to toggle a setting in UEFI that switches between RAID (Rapid Storage) and AHCI. It sounds like you are in RAID mode and in this mode Linux will be unable to probe the disk. If you toggle the setting then the current Windows install will break but both Windows (clean install) and Linux will be able to see the disk. Point 3, yeah I heard that on Reddit too. Enshittification in full swing. Points 2 & 4 no comment lol
The Windows 11 installer couldn’t find any HDD partitions or hard drive, while FreeDOS could. After googling for a while I had to download an Intel Rapid Something driver from the manufacturer’s website and load it up when installing Windows 11.
I recently got back into the homelab hobby. Fucking around with installer drivers has been eye opening. I had to fight to get drives recognized and the same with NICs. Funny, Proxmox worked without any issues (virt-io was leveraged, but the internet made that obvious before I even downloaded the ISO for it).
Actually, after a grueling 7 hours installation journey, I removed those pesky things by tossing a LUKS LVM filesystem over it and using that drive as a secondary drive on my desktop. Fuxk windows
My last Windows 11 installation took over 7 hours divided over 3 or 4 days, I don’t even remember, I’m trying to forget. It was an absolute horror show and I don’t get why anyone accepts this. If I want to pay and get fucked I’ll find an escort, but I have Linux AND a wife.
Idk man, I regularly reinstall Windows (cca. every 6 months) to get rid of bloatware and random stuff I installed and don’t need anymore. It’s a pretty smooth experience, though it would be a major pain if your circumstances ever occurred.