- hdhzy: There are generally two schools of thought: one is that the programmer should know better, memorize the documentation and specs. The other one is that if it violates the principle of least astonishment it's just badly designed. Personally I believe that the truth is somewhere in the middle. It's good to know one's tools (including docs and specs) but I wouldn't call this kind of "clever" code maintainable.
- Can't check it because of missing plugin but is it something like https://eternitywall.it/?
- A lot of them generate 404s but still it's a very valuable list, thanks!
--2017-11-26 22:15:18-- http://www.oreilly.com/design/free/files/2016-design-salary-survey-report.epub
Reusing existing connection to www.oreilly.com:80.
HTTP request sent, awaiting response... 404 Not Found
2017-11-26 22:15:18 ERROR 404: Not Found.
- I wouldn't recommend XPS. I have version 9350 and it constantly has one problem after another. In no particular order: slow boot time (it can take 7 seconds to see the Dell logo after pressing the power button), coil whine, a firmware update killed the laptop once. I don't know how much of these problems can be attributed to Intel but I fear hardware manufacturers have adopted a "release early, fix later through firmware" mind-set. Good things about Dell: next business day warranty where a guy will come and replace the motherboard in case the update renders it useless.
- > There are some kinds of battery that only work at those temperatures - molten salt batteries. Used on earth for a few types of missile and some grid batteries.
Not an expert in batteries but Wikipedia says molten salt batteries provide a high amount of power only for a short period of time:
> Once activated, they provide a burst of high power for a short period (a few tens of seconds to 60 minutes or more), with output ranging from watts to kilowatts.
- > There are no standards and protocols in place for this, and there's no browser that enforces this.
And there will never be especially for web apps because there are no parties interested in this. Look at what happened with HPKP. It looked good on the surface but it turned out that extreme security is a little bit too extreme.
> If you think that taking something that's 80% there and filling in the last 20% for yourself counts as something that's "already" possible, then nothing is new and everything is already possible.
I'm just pointing out that you can already construct a scheme with the same security properties as what you described. If you'd rather wait for some hypothetical standard and implementation that will probably never happen then that's your decision.
> This is really janky and not at all what I'm talking about. What I'm talking about is as simple as what happens now, e.g., "GitLab/Mastodon/Whatever XX.x Released".
Perfect is the enemy of good and "GitLab/Mastodon/Whatever XX.x Released" seems to be just good enough. For paranoid people OpenPGP is there to verify build artifacts.
- I don't want to sound negative but I guess almost 100% of the web relies on quickly updating resources and being fresh so I wouldn't hold my breath for when "resource pinning" would happen.
For the record one can already do it if all resources would use Subresource Integrity. Hashes of leaf resources would be embedded in parent resources up to the root document that you could announce out-of-band (e.g. https://example.com on 23rd of November 2017 has hash 1234566...). Then you'd have a cryptographic proof (like a Merkle tree) that nothing in the page changed.
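The scheme described in this comment, as an added example that is not part of the original comment: child hashes are embedded bottom-up in SRI format, the root hash is the one value announced out-of-band, and a verifier walks back down from it. The sample site, the `{sri:name}` placeholder syntax and all function names are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample site. "{sri:<name>}" marks where a child's hash is embedded.
SITE = {
    "index.html": b'<script src="app.js" integrity="{sri:app.js}"></script>\n'
                  b'<link rel="stylesheet" href="style.css" integrity="{sri:style.css}">\n',
    "app.js": b'const s = document.createElement("script");\n'
              b's.src = "lib.js"; s.integrity = "{sri:lib.js}";\n'
              b'document.head.appendChild(s);\n',
    "lib.js": b'window.answer = 42;\n',
    "style.css": b'body { margin: 0 }\n',
}
PLACEHOLDER = re.compile(rb"\{sri:([^}]+)\}")
# Finds (child URL, pinned hash) pairs on one line, in both the HTML and JS forms.
PIN = re.compile(rb'(?:src|href)\s*=\s*"([^"]+)"[^\n]*?integrity\s*=\s*"([^"]+)"')


def sri(data: bytes) -> str:
    """SRI integrity value: algorithm label plus base64 of the raw digest."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()


def render(name: str, site: dict) -> bytes:
    """Embed child hashes bottom-up and return the bytes that would be served."""
    return PLACEHOLDER.sub(
        lambda m: sri(render(m.group(1).decode(), site)).encode(), site[name])


def root_hash(site: dict, root: str = "index.html") -> str:
    """The single value to announce out-of-band."""
    return sri(render(root, site))


def verify(served: dict, announced: str, root: str = "index.html") -> list:
    """Walk from the root; return resources whose bytes do not match their pin."""
    bad, todo = [], [(root, announced)]
    while todo:
        name, expected = todo.pop()
        if sri(served[name]) != expected:
            bad.append(name)  # pin mismatch (for the root: the out-of-band check)
            continue          # children of a rejected resource are never loaded
        todo += [(u.decode(), h.decode()) for u, h in PIN.findall(served[name])]
    return bad
```

Swapping only a leaf is caught at that leaf; re-rendering every parent to match the changed leaf moves the mismatch up to the root document, where it no longer equals the announced hash.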
- > The webcrypto api also can't stop the server from sending malicious javascript to a user which when run uses the webcrypto key to decrypt the user's data and send it back to the server.
Yes, but virtually nothing protects against proxying requests. Non-exportable keys protect against using them when the device is powered off.
> Also, if the server is malicious on the first connection, then the server could just not use the webcrypto api to begin with, and just make use a key that the server knows instead.
Agreed, but it's kind of like Trust On First Use. I guess it depends on one's trust model if they consider it a good trade-off.
- > CACert is a weird example because their model was completely at odds with how everybody else (yes now including Let's Encrypt) does things.
Well, CACert insisted on validating people but it turns out that it's not really necessary to know your customer to issue DV certs according to Baseline Requirements. Let's Encrypt understood it and just did a minimal required job to be accepted (it's still a lot of work).
Instead of verifying people I'd gladly see X.509 replaced with OpenPGP w.r.t. trust model so that I could see who trusts who and why. OpenPGP has a mode of hierarchical trust with trust signatures, additionally they can be limited to a domain, that could be used to give people power to issue their own certificates for their own domains.
- DeX is quite good but unfortunately only available on the top Samsung phones. I think the target market would be people that don't necessarily need a PC for most of the time. Someone that needs a bigger screen to easily do banking or word processing.
DeX has one HDMI port (1080p), two USB 2.0 and one Ethernet.
I can't wait for the Linux on Galaxy project to see how working with Ubuntu through DeX would feel like.
- > I was wondering if anyone has more details about setting up and using a hardware key like the Yubikey in conjunction with Pass works?
Find a guide on using Yubikey with gpg (such as this one [0]) and if you configure it, it will work seamlessly.
Enabling touch-to-decrypt [1] can also reduce risk of decrypting stuff without you noticing.
[0]: https://www.yubico.com/support/knowledge-base/categories/art...
[1]: https://developers.yubico.com/PGP/Card_edit.html#_yubikey_4_...
- I found pass [0] to be extremely useful, especially if one is using OpenPGP (e.g. GPG) already. For desktop there is QTPass [1], for Android Password Store [2]. There is pass-otp [3] for storing TOTP secrets. There is a browser pass extension [4] for Chrome and Firefox. Coupling this with a hardware token such as Yubikey one can require PIN and touch input to decode a password. At the same time the password repository can be stored in a private Bitbucket git repository.
Personally it's a perfect combination of security and convenience. The design is incredibly simple, if all these apps fail I can just use gpg to decrypt secrets.
The only downside is that filenames are stored unencrypted in the git repository so Bitbucket can see what sites I use but can't see usernames or passwords (obviously).
[0]: https://www.fossmint.com/pass-commandline-password-manager-f...
[1]: https://qtpass.org/
[2]: https://play.google.com/store/apps/details?id=com.zeapo.pwds...
- Maybe quickly changing topics is what causes the confusion. I guess they picked GitHub because it has an enterprise offering and enterprise customers are interested in large git repos. So GitHub is like a test lab for GVFS. In the meantime they upstream the changes to real git, adjusting GVFS to what git maintainers think is right.
- I don't know what addresses they use but the GitHub engineering blog has a lot of examples of really useful contributions, e.g.:
> Shortly after our initial deploy, we also started the process of upstreaming the changes to Git so the whole community could benefit from them.
Source: https://githubengineering.com/counting-objects/
But I guess most of their git related work time goes to libgit2.
- No, they needed to do some modifications to the git suite of tools. Generally git expects all objects to be on disk and Microsoft wanted to have sparse checkouts of files in a specific revision.
Not really polluting but rather having some objects be fetched only on demand.
Source: https://blogs.msdn.microsoft.com/devops/2017/02/03/announcin...
> In addition to the GVFS sources, we’ve also made some changes to Git to allow it to work well on a GVFS-backed repo, and those sources are available at https://github.com/Microsoft/git.
For the record, as far as I understand GVFS, the article is correctly using git vs GitHub.
- Looks interesting. Could you share what you use git notes for? Comments about the review? (seems like a lightweight alternative to git appraise [0]).
- > Actually some basic features such as getters, setters
Do you mean generating getters and setters based on fields? Because I can't find this option (tried searching for "getter", "java", "generate", no luck) and I've got Red Hat LS installed (alongside the entire Microsoft's Java Extension Pack).
Thanks for your hard work! Language Server Protocol is a hidden gem of VS Code, the most important feature in my opinion.