I feel lucky to have avoided this so far. It’s really not like this on my team. I write a fair bit of code and review a ton of code.
- 0 Posts
- 11 Comments
Joined 1 year ago
Cake day: June 11th, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
1·4 months agoWhen someone is having a computer problem I ask them to restart first. Not because I think they don’t know to do it, but just in case. Some people don’t know. Sometimes people forget. Obvious advice is useful sometimes.
0·4 months agoI dunno about stdx as a solution. It’s just not a big enough list.
At work we build a big java thing and we:
- Manually import all dependencies, including transitive dependencies.
- Bless them by committing their hash to our repo. I think the cargo lock file does something similar.
- Audit the dependencies by hand. Sometimes that’s reading them all and sometimes thats less. Honestly, it’s often less. A few times it’s being members of the upstream community.
- Don’t allow running as root
- Drop all permissions we don’t need with seccomp including reading a bunch of stuff
- Sandbox each thread based on what’s on the stack. Untrusted code can do less stuff.
It’s still not enough. But it helps.
Maybe a web of trust for audited dependencies would help. This version of this repo under this hash. I could see stdx stuff being covered by the rust core folks and I’m sure some folks would pay for bigger webs. We pay employees to audit dependencies. Sharing that cost via a trusted third party or foundation or something feels eminently corporate. Maybe even possible.
We knew spooks were all up in the phone network. They’d show up and ask installers to run them some cables and configure ports in a certain way. I was friends with folks who were friends with the installers.
I work on software for finding things and summarizing stuff. We were one of those Apache 2 -> other relicenses a while back.
I can’t really talk about specifics. But we all have a working imagination though. I think about it a lot. But I still do the job. There are good folks doing good things with it.
I’m a pretty good engineer. Not the best I’ve ever met by a long shot, but I’m good. But I’m very outgoing for an engineer.
Ironically, that’d describe both my parents too.
Windows -> RedHat -> Windows -> Gentoo -> Ubuntu -> RHEL -> Ubuntu -> Debian -> Arch
I’ve been using a sonicare for years now. I think it was expensive but it’s lasted forever and does a great job.
I was bored on an airplane a while back and discovered a Japanese movie adaptation of A Door Into Summer: https://www.rottentomatoes.com/m/the_door_into_summer
It’d been 25 years since my mom read the story to me so I can’t tell you how accurate the adaptation is but it hit the parts I remembered.
Try your local library.