Hacker News: zwp

New comment by zwp in "Open Source Security at Astral"

zwp — Thu, 09 Apr 2026 07:45:02 +0000

> pip allows it but it's with a timestamp

A PR to be able to use a relative timestamp in pip was merged just last week

https://github.com/pypa/pip/pull/13837/commits

New comment by zwp in "The Future of Programming (2013) [video]"

zwp — Wed, 19 Nov 2025 15:29:24 +0000

You might like https://cs.brown.edu/~spr/codebubbles/

New comment by zwp in "Learn Makefiles"

zwp — Fri, 20 Jun 2025 12:33:20 +0000

I used to like having a "depend" target to make the dependencies explicit and so minimize build time, although that fiddles with the contents of the Makefile (some discussion at https://wiki.c2.com/?MakeDepend).

The standalone makedepend(1) that does the work is available in package xutils-dev on Ubuntu.

New comment by zwp in "Setting up a trusted, self-signed SSL/TLS certificate authority in Linux"

zwp — Tue, 18 Feb 2025 10:59:52 +0000

Is it coming? I notice that OpenSSL now has support for raw public keys.

The spec (RFC 7250, "Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)") suggests DANE/DNSSEC as a mechanism to bind identities to public keys (section 6).

https://datatracker.ietf.org/doc/html/rfc7250

Will this really be simpler?

New comment by zwp in "Handling cookies is a minefield"

zwp — Fri, 22 Nov 2024 08:58:45 +0000

We already have Macaroons

https://en.wikipedia.org/wiki/Macaroons_(computer_science)

https://en.wikipedia.org/wiki/Macaroon

New comment by zwp in "Title drops in movies"

zwp — Wed, 06 Nov 2024 08:51:13 +0000

And Layer Cake

New comment by zwp in "Vulnerabilities show why STARTTLS should be avoided if possible (2021)"

zwp — Wed, 28 Aug 2024 09:25:42 +0000

There was a sense of "wasting a port". A modern Linux /etc/services has only 200 or so reserved TCP ports (out of a possible ~50k) so that fear might have been overblown.

I suspect the bureaucratic overhead of needing to go to IANA to reserve a new port might have had a chilling effect. See:

  https://www.iana.org/protocols/apply

  https://www.iana.org/form/ports-services

New comment by zwp in "Vulnerabilities show why STARTTLS should be avoided if possible (2021)"

zwp — Wed, 28 Aug 2024 09:17:52 +0000

> you are supposed to still continue if you strictly follow the standard

Which standard? RFC 3207 (for STARTTLS over SMTP), 2002, says: "If the client receives the 454 response [TLS not available], the client must decide whether or not to continue the SMTP session".

New comment by zwp in "Anonymous Block Forwarding in Ruby"

zwp — Thu, 15 Feb 2024 10:50:04 +0000

    def execute(f)
      f.call "test response"
    end

    perform = TOPLEVEL_BINDING.method(:execute)

    perform.call Kernel.method(:puts)

New comment by zwp in "Why use strace in 2023? [video]"

zwp — Mon, 08 Jan 2024 10:12:12 +0000

You still need to pull out the paths?

A sprinkling of grep/perl (awk/sed/ruby/...) is mostly good enough eg:

strace -e trace=%file cat /etc/passwd 2>&1 >/dev/null | grep ^open | grep -Po '(?<=").*(?=")'

New comment by zwp in "Why use strace in 2023? [video]"

zwp — Mon, 08 Jan 2024 08:48:30 +0000

You can use "-e trace=open" to trace only open(2) calls

Alternatively "-e trace=%file" to get all file-related system calls (will catch eg failing pre-emptive checks using access(3) -> stat(2)).

New comment by zwp in "Passive SSH Key Compromise via Lattices [pdf]"

zwp — Tue, 07 Nov 2023 11:47:54 +0000

> whatever "SSH-2.0-SSHD" is (the authors don't know either)

I think this is from the j2ssh/maverick SSH server, used in a bunch of enterprisey Java products.

https://jadaptive.com/en/products/java-ssh-server

https://github.com/sshtools/j2ssh-maverick/blob/ce11ceaf0aa0...

New comment by zwp in "Remote code execution in OpenSSH’s forwarded SSH-agent"

zwp — Thu, 20 Jul 2023 08:51:45 +0000

Tangential question: there is one reason to use NODELETE in the dlopen(3) man page: https://man7.org/linux/man-pages/man3/dlopen.3.html

  RTLD_NODELETE (since glibc 2.2)
    Do not unload the shared object during dlclose().
    Consequently, the object's static and global variables
    are not reinitialized if the object is reloaded with
    dlopen() at a later time.

Are there any other times when it's beneficial to use NODELETE?

New comment by zwp in "Every Signature Is Broken: Insecurity of Microsoft Office’s Ooxml Signatures"

zwp — Mon, 12 Jun 2023 12:58:01 +0000

The PDF ("sec23summer...") has metadata creation/modification timestamp of 20221004165319Z (October 2022). So presumably the paper was written last October and released for Usenix 2023.

(Reference [12] is from Usenix July 2022. See "Prior work" in the introduction).

New comment by zwp in "Fixing macOS Zsh Terminal History Settings"

zwp — Thu, 13 Oct 2022 10:09:17 +0000

Slightly silly sketch (bash):

    sqlite-utils create-table ~/commands.db commands id integer text text --pk id
    PROMPT_COMMAND="( fc -n -l -1 | perl -p -e 's/^\s+//; chomp if eof' | sqlite-utils insert --text ~/commands.db commands - & )"

It's slow, has perl & python external deps, needs a timestamp column, call subshell to avoid job control messages, ...

A nicer single "prompt command" wrapper is certainly possible though.

New comment by zwp in "Show HN: Shale – a Ruby object mapper and serializer for JSON, YAML and XML"

zwp — Tue, 31 May 2022 15:30:04 +0000

I think one of the motivations for splitting the stdlib into gems was for exactly for this kind of scenario: some users might not be able to update their Ruby immediately. The ruby-lang advisory explicitly recommends bumping the REXML version.

New comment by zwp in "Show HN: Shale – a Ruby object mapper and serializer for JSON, YAML and XML"

zwp — Tue, 31 May 2022 13:18:25 +0000

Rexml has been gemified. Shale's gemspec doesn't require a specific version of rexml and rexml<3.2.5 is vulnerable to CVE-2021-28965. I just checked Ubuntu 20.04 LTS and got Ruby 2.7 with rexml 3.2.3 by default so this seems like a realistic concern and it would be safer if shale required a minimum rexml version.

See http://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-v...

New comment by zwp in "NPM Vulnerability Discussion on Twitter"

zwp — Tue, 10 May 2022 13:17:13 +0000

This old dog is reminded of trn(1), "threaded read news".

See top right: https://upload.wikimedia.org/wikipedia/commons/d/d8/Trn_cons...

New comment by zwp in "Ruby 3.2 preview 1 with support for WASM compilation"

zwp — Fri, 08 Apr 2022 10:16:50 +0000

Cute! But I get an error if I try "require 'resolv'", is this expected?

:85:in `require': cannot load such file -- socket (LoadError)

New comment by zwp in "Words known better in the US than in the UK, and vice versa"

zwp — Thu, 10 Feb 2022 09:32:17 +0000

I wasn't aware of the figurative connotation, I will remember this next time I'm retreating from a climb.

"HMS carabiner" is also common amongst anglophone climbers (for the "Halbmastwurfsicherung" knot you might use as an alternative to your sticht plate).