CloselyChunky's comments

CloselyChunky | 4 years ago | on: Backdooring Rust crates for fun and profit

The easier, less invasive but also less accurate option would be to publish an empty crate with a random name that does not exploit typos (just some random junk) and check how often that crate is downloaded. You can assume that almost all downloads for this crate are bot downloads and just subtract that amount from the downloads of the typo-squatted crate.

CloselyChunky | 4 years ago | on: GitHub Copilot

Well then you have to check the generated tests. That's just one more layer, isn't it?

CloselyChunky | 4 years ago | on: NixOS 21.05

Could you share a link to your repo? This setup sounds interesting. Currently I have two separate repos for NixOS and home-manager.

CloselyChunky | 4 years ago | on: Automatically Make Unit Tests

> Most of the tests I write aren't for pure functions

In response to this, I recommend the "Functional Core, Imperative Shell"[0] talk/pattern. The idea is to extract your business logic as pure functions independent of the data access layer. This pattern allowed me to test large portions of a code base using property tests. This works really well in most cases and gives me much more confidence in the product that will be deployed.

[0]: https://www.destroyallsoftware.com/screencasts/catalog/funct...

CloselyChunky | 5 years ago | on: DIY Camera Using Raspberry Pi

During the quarantine, I started photographing on film, developing the film at home and digitizing the negatives using my DSLR. At least for B/W film, the process of developing film yourself is dead easy and I'm happy to have a hobby away from my computer. Also, having a price per picture and only a limited amount of shots helps me actually think about composing nice pictures instead of taking 5 almost identical images and moving on.

In general, film photography is having a comeback. Prices for used film cameras skyrocketed in the last years for a few models.

Personally, I find photographing on film really rewarding. Having a physical product in the end (be it a print of the image or only the negatives) makes the process more enjoyable. So if you have some old film cameras lying around, I can only recommend giving them a try. Maybe there are even old films with old memories in these cameras.

CloselyChunky | 5 years ago | on: Using the switch(true) pattern in JavaScript

Sure, if you have an either/result type, the whole thing becomes a fold, where each validator is a function from user to Either<Error, User> and then

  validators.reduce(Either.right(user), (acc, next) -> acc.flatMapRight(next))

This way you'll end up with either the validated user, or the first error that occurred and all the other validators were skipped.

CloselyChunky | 5 years ago | on: Using the switch(true) pattern in JavaScript

When validation gets complex (e.g. there are many criteria to check), I like to build a list/stream/array (whatever the language offers) of tuples of predicates (functions from the object that gets validated to boolean) and strings (or functions from the object to string so I can have context in my error messages).

Then iterate over the tuples; if a predicate fails, return the associated error message and throw an error/display the message to the user.

In the end it looks something like this:

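  // Pairs of (predicate, message reported when it fails); assumes a User class.
  var validators = Stream.<Map.Entry<Predicate<User>, String>>of(
    Map.entry(user -> user != null, "User must be defined"),
    Map.entry(user -> user.firstName != null, "Missing first name"));

  // Keep the entries whose predicate fails and take the first message, if any.
  var firstError = validators
    .filter(e -> !e.getKey().test(userToBeValidated))
    .map(Map.Entry::getValue)
    .findFirst();

(This example uses Map.entry for tuples as Java lacks native support for tuples)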

This limits branching and you have all validation criteria neatly organized in the same location.

CloselyChunky | 5 years ago | on: Using the switch(true) pattern in JavaScript

In my opinion this pattern is better if you write it like this:

  _ = isDefined(user) || throw new Error("user must be defined")

This reads way more natural for me. "A user is defined OR throw an error"...

I've also seen this in Perl (`do_something() || die()`) and shell scripts (`grep -q || die "not found"`).

CloselyChunky | 5 years ago | on: A Brief F# Exploration

You can install nix side by side with your distro package manager and only install some packages using nix. You could also use something like lorri and direnv and let nix only manage your code projects and when entering the project directory, drop you into a shell with only the dependencies you need for this specific project installed.

CloselyChunky | 5 years ago | on: Have I Been Facebooked?

Yeah should have validated that claim first. Seems like the form on hibp.com always submits your input to the server...

Still, if I had to choose between hibf.com and hibp.com, I'd lean to hibp.com since Troy is a known name in the industry and has offered this service for a long time without any complaints.

CloselyChunky | 5 years ago | on: Have I Been Facebooked?

I think HIBP implements it like this: you hash your email/phone number and send only a prefix of the hash to the server. The server responds with a list of hashes matching the prefix. Now you can check if your hash is in the list. If so, you have been pwned. This way the server never knows which email you are requesting since it only ever sees a part of the hash.

CloselyChunky | 5 years ago | on: Have I Been Facebooked?

From what I can see, this site sends your whole number to the backend to search for a number in the dump[0], while haveibeenpwned.com will hash the input, send only a prefix to the server and receive a list of hashes with the same prefix. If your hash is in the list, you've been pwned, but you can check without leaking your data to HIBP.

Edit: I just checked, seems like the form on the frontpage of HIBP also submits your complete email/phone number. Pretty sure I read about how you don't have to submit your personal data to validate against HIBP, not too long ago...

[0]: https://github.com/Fumaz/haveibeenfacebooked-api/blob/master...

CloselyChunky | 5 years ago | on: VPNCloud: Open-source peer-to-peer VPN written in rust

IMO tinc is really awesome. I've been using it for years to connect my servers, laptops and desktops into a VPN.

Including my RPI (running PiHole in my LAN) into the tinc VPN gave me an easy way to access my home network from anywhere in the world. One of my dedicated servers would automatically take care of routing the traffic and I can just `ssh [email protected]` to connect to the RPI and be inside my home network.

IIRC tinc implements some tricks like TCP/UDP hole punching. So best case I end up with an actual p2p connection between my remote device and home network after connecting via tinc.

CloselyChunky | 5 years ago | on: Fictional Cryptocurrencies

> Bitcoin consumes more energy than all of China

This is not true. Bitcoin energy consumption is somewhere between Chile and Argentina.

CloselyChunky | 5 years ago | on: Show HN: I built a hash-identification system with popularity ratings

This is in reference to "Hashes cannot be undone".

One-way functions are functions that are easily computed given any input but where it is hard/impossible to compute the/an input if you only know the output. This is the property of hash functions that we make use of when hashing passwords, generating signatures, validating files and so on.

We assume that hash functions are one-way functions but to prove the existence of one-way functions is one of the big unsolved problems in computer science. Additionally, it has been shown that if one-way functions exist, then P != NP.

With that in mind, we cannot confidently say that "Hashes cannot be undone". While it might still be impossible to find the exact input that was used (unlimited input range vs limited output range), it would be possible to find a possible input resulting in the output you are looking at.

The Wikipedia article [0] is a good starting point for more information.

[0]: https://en.wikipedia.org/wiki/One-way_function

CloselyChunky | 5 years ago | on: Show HN: I built a hash-identification system with popularity ratings

Small nitpick: The existence of one-way functions has not been proven yet. Actually proving this would also prove `P != NP` so this would be a big deal (interestingly enough, proving that one-way functions do _NOT_ exist would _NOT_ prove that `P = NP`). Currently we can only assume and hope they exist.