Some lessons:
- never trust anything that says it's "localhost-only". It probably isn't. Use unix domain sockets instead.
- Someone can always blame someone else for confused deputy attacks because in a sense, the program is behaving "correctly"
- Object capability people will continue being Cassandras crying about why perimeter security is a failure and will be *right*. Perimeter security is eggshell security. But nobody listens anyway because "why not, ACLs seem to work"
If anyone wants a fun story about just how dangerous confused deputies can be, see https://lists.gnu.org/archive/html/guile-user/2016-10/msg00007.html, a security vulnerability I bumped into that allowed arbitrary code execution against Guile processes that were being used for local development
Ugh, I also need to protect against confused deputy attacks against localhost because we're not running ocap operating systems and perimeter security is a failure
Glad my Racket-based ActivityPub tooling didn't go live *after* I discovered that Racket's HTTP tooling will, by default, retrieve file:// URLs from disk when using the HTTP GET tools
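The two posts above describe the same fetcher failure mode from two sides: an HTTP client that quietly reads file:// URLs from disk, and a "localhost-only" service that a relayed request can reach (confused deputy). As an added example, not code from the original posts and not from Racket's or any ActivityPub project's libraries, here is a pre-fetch guard in Python that refuses both before any request is made; the `resolve` hook is a hypothetical seam for substituting a stub resolver.

```python
"""Vet a URL before handing it to an HTTP client that fetches remote objects.

Added example: refuses non-http(s) schemes (so file:// never reaches the
client) and hosts that resolve to loopback, private, link-local or other
non-public addresses (so the fetcher cannot be pointed at localhost-only
services). Not part of the original posts or of any Racket library.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Resolve host to a set of IP address strings.

    Split out as its own function so callers (and tests) can pass a stub
    resolver instead of touching real DNS.
    """
    addrs = set()
    for info in socket.getaddrinfo(host, None):
        # Drop any IPv6 scope suffix ("fe80::1%eth0") before parsing.
        addrs.add(info[4][0].split("%")[0])
    return addrs


def check_fetch_url(url, resolve=_resolve):
    """Return (ok, reason). ok is True only for an http(s) URL without
    embedded credentials whose every resolved address is globally routable."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not http(s)"
    if not parts.hostname:
        return False, "URL has no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addrs = resolve(parts.hostname)
    except (socket.gaierror, UnicodeError):
        return False, "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, RFC 1918, link-local, unspecified
        # and the IANA special-purpose ranges.
        if not ip.is_global:
            return False, f"{parts.hostname} resolves to non-public {ip}"
    return True, "ok"
```

Checking the name and then letting the HTTP client resolve it again leaves a DNS-rebinding window; connecting to the vetted address (or pinning it in the client) closes that gap.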
As an aside to other things I've been talking about lately, I do have thoughts on what good governance may mean and it's been on my mind lately regardless of other conversations happening on the fediverse. I thought about starting a thread but I didn't really want to get pulled into debates about a project that isn't mine... I don't think that's necessarily helpful.
But maybe I'll write up something soon. Governance in free software is a tough subject, but one with much history to learn from.
Actual footage of @squirrel helping to make pasta sauce by peeling the garlic
@cwebber @lertsenem @lanodan @codl Does it absolutely have to be the server that validates moves? Because if the client did, you would only need a special client for special activities like chess and use any AP account.
Criticism is welcome, but remember to give constructive criticism, which includes consideration of how your criticism will affect the other person emotionally. The golden rule applies: how would you feel if the message you read were directed at you? It's hard for someone to constructively make use of criticism if receiving it is an emotional drain.
@cwebber Option C: endlessly dithering over whether to break 80 chars or put the first arg below the function name, both of which feel slightly wrong
Something I also miss: threaded conversations were the norm. Yes, in microblogging! Some of the most intense and interesting conversations about free software philosophy and licensing happened in threads that shot way off to the edge of the page
Oldschool fediverse phrases, from about 10y ago:
- TZAG: Time Zone Appropriate Greeting (preferred over "good morning")
- TZAF: Time Zone Appropriate Farewell
- #contextpatrol : when someone posted a response which wasn't linked to the original conversation, someone might link the conversation with #contextpatrol (the old StatusNet (ie, GNU Social) interface made it easy to accidentally not do this)
- #vaguejokes : an obscure joke that was not really worth explaining, or was more fun unexplained
@cwebber 80 chars is best when you want to have 2 or 3 files open at once.
I am, admittedly, the former even when I shouldn't be. But hey, it'll pay off if I ever get paid by the line of code.
Yesterday I saw someone's code though that passed 200 characters wide O_O
Tag urself on lisp indentation style:
;; I'm afraid of passing 80 characters
(proc1
 arg1 arg2
 (proc2
  arg1 arg2
  (cond
    [(foo)
     (bar 'baz 'quux)]
    [else
     (beep boop 'bop)])))
;; Everyone has wide monitors these days anyway right?????
(proc1 arg1 arg2
       (proc2 arg1 arg2 (cond [(foo) (bar 'baz 'quux)]
                              [else (beep boop 'bop)])))
One of my other favorite hacking music-artists was Pogo... but I stopped listening to their music because I was really weirded out by them making a music video celebrating Trump (and seeing them doing so outside of their music too). I dunno, I can't get behind an artist uncritically embracing the driving force behind the undermining of democracy.
@teslas_moustache @technomancy It's on YouTube still https://www.youtube.com/watch?v=tLWHj9MUG90
You can rip it from there yourself, but it looks like it got taken down or something. Probably because it's 100% sampled from Dexter's Lab
sadly I can't find its download page any more, looks like mrsimon took down their bandcamp (or someone issued a takedown)