That’s not how it actually works: in practice, browsers download them all. They may prioritise them differently, but they’ll still download them all in the end.

> i wrote an internet standard https://www.ietf.org/archive/id/draft-meow-mrrp-00.html (it's published on ietf.org so you know it's real and official and endorsed by the ietf)

Sounds like a reaction to the IPv8 draft, pointing out that anyone can publish anything there and it means nothing.

That sure sounds like bad faith to me.

Ooh, now I want to try convincing people to return from JS-heavy single-page apps to multi-page apps using normal HTML forms and minimal JS only to enhance what already works without it—in the name of security.

(C’mon, let a bloke dream.)

I wonder what fraction of the space is occupied at any given time.

It would be much better to write all of this as binary data, omitting separators.

• Since it’s fixed-width and simple, inspecting the data is still pretty easy—there are tools for working with binary data of declared schema, or you could write a few-liner to convert it yourself. You don’t lose much by departing ASCII.

• You might want to complicate it a little by writing a version tag at the start of the file or outside it so you can change the format more easily (e.g. if you ever add a third column). I will admit the explicit separators do make that easier. You can also leave that for later, it probably won’t hurt.

• UUID: 36 bytes → 16 bytes.

• Offset: 20 bytes (zero-padded base-ten integer) → 8 bytes.

• It removes one type of error altogether: now all bit patterns are syntactically valid.

• It’ll use less disk space, be cheaper to read, be cheaper to write, and probably take less code.

I also want to register alarm at the sample code given for func FindUserBinarySearch. To begin with, despite a return type of (*User, error), it always returns nil error—it swallows all I/O errors and ignores JSON decode errors. Then:

  entryID := strings.TrimRight(string(buf[:36]), " ")

  cmp := strings.Compare(entryID, id)

  offsetStr := strings.TrimLeft(string(buf[37:57]), "0")

  dataOffset, _ := strconv.ParseInt(offsetStr, 10, 64)

As a user of a desktop environment other than gnome-shell, I only have webkitgtk-6.0 installed because I chose to install Epiphany—it’s a good proxy for testing on Safari, which Apple makes ridiculously expensive.

Does the difference matter? You must decide that.

As for your dismissing SQLite: please justify why it’s a bad idea. Because I strongly disagree.

1. While approaching the land, the Amalekites had attacked them, preying on the weak. God had said that they would be destroyed. Now, probably partly as a test for their first king (he failed, didn’t eradicate them), God said, get on and do it.

2. God had promised the land to Abraham and his descendants, but said they’d only get it in four hundred years’ time, because “the iniquity of the Amorites is not yet complete”—they still had time to choose God’s ways. Only once they were irredeemable were they to be destroyed.

But now you might get things like “unlimited” 1Gbps… which reverts to 10Mbps (1% speed) or worse after 3.6TB (eight hours). And so your new theoretical maximum is about 6.8TB per month rather than 330TB.

In order to block the distributor from going rogue, you need to be able to guarantee that the user device can only install/run code signed by the provider, who must never give those keys to the distributor. My impression is that Android is the only major platform that ever had this, but that Google ruined it a few years ago in the name of lighter bundles by insisting that they hold the keys. (I once had VLC from Google Play Store, but replaced it with a build from F-Droid under the same app ID; Google Play Store shows it has an update for it, but that it can’t install it.)

In order to block the provider or distributor sending specific users a different build, you need something more like Certificate Transparency logs: make it so that devices will only run packages that contains proof that they have been publicly shared. (This is necessary, but not sufficient.)

And if you’re using web tech, the mechanisms required to preclude such abuse do not at this time exist. If you’re shipping an app by some other channel, it can do a resource integrity check and mandate subresource integrity. But no one does things that way—half the reason for using web tech is specifically to bypass slow update channels and distribute new stuff immediately!

Who’s responsible for the vulnerability? Your text editor? The version control system with a useful feature that also happens to be a vulnerability if run on a malicious repository? The thing you extracted the repository with? The thing you downloaded the malicious repository with?

Windows + NTFS has a solution, sometimes called the “mark of the web”: add a Zone.Identifier alternate data stream to files. And that’s the way you could mostly fix the vulnerability: a world where curl sets that on the downloaded file, tar propagates it to all of the extracted files, and Git ignores (and warns about) config and hooks in marked files. But figuring out where the boundaries of propagation lie would be tricky and sometimes controversial, and would break some people’s workflows.

As for the Emacs thing, it feels utterly unfair to blame Emacs. The issue is 100% Git, and it’s unreasonable and undesirable for things like Emacs to try to put guard rails around parts of its functionality. Especially guard rails that may harm functionality. They were right to decline the suggested patch.

I don’t know how the sessions actually ran, but the Vim one probably started with “low-hanging fruit, let’s start by seeing if modeline has accidentally become insecure yet again”, and the emacs with “meh, don’t know anything offhand, before delving into code let’s see if… ooh look it runs Git, so can we apply the ol’ fsmonitor chestnut there?”

This, however, is mislabelled: it’s not remote code execution at all, only local. It would only become RCE if there was some path to remotely triggering Vim to open the attack file, or Emacs the attack repository, or if a normal way of fetching a repository automatically set up and executed the hook.