darrhiggs's comments

So this is my first open source project.

I am creating a rails app that helps move data between two sites and I wanted to keep the users informed of the complex, and slow, background work that was being performed outside the http request response cycle. The functionality that comes with Sidekiq Pro was a half decent solution but I wanted the progress on the front-end to show something more detailed than something like 16/42 units of work complete, especially as some units of work were far more time consuming than others.

The result is Sidekiq::TrackableBatch[0]. Check out the demo app[1] that shows how it could be used in the context of a e-commerce site. The demo (source[2]) uses action cable to update the UI.

I hope somebody finds it useful.

[0] https://github.com/darrhiggs/sidekiq-trackable_batch#usage [1] https://sidekiq-trackable-batch-demo.herokuapp.com/ [2] https://github.com/darrhiggs/sidekiq_trackable_batch_demo_ap...

I don't know about the article, but DOT[0] + graphviz[1] could be used for this.

[0] https://en.wikipedia.org/wiki/DOT_(graph_description_languag... [1] http://www.graphviz.org/

Sorry to dump nothing more than links, but I think they should provide what you are looking for.

(requests) https://developer.mozilla.org/en/docs/Web/API/Fetch_API http://caniuse.com/#feat=fetch

(css selectors) https://developer.mozilla.org/en-US/docs/Web/API/Document/qu... https://developer.mozilla.org/en-US/docs/Web/API/Document/qu... http://caniuse.com/#search=queryselector

Hey, thanks for this.

With regards to redux-thunk, have you taken a look at redux-saga[0]? Any thoughts?

[0] https://github.com/yelouafi/redux-saga

I do. V1 UUIDs, due to the generation via timestamps makes them sortable. This is a obvious boon for DB indexing.

Specifically with Postgres I use the v1mc version as it provides the added benefit of using "a random multicast MAC address instead of the real MAC address of the computer"[0].

[0] http://www.postgresql.org/docs/9.4/static/uuid-ossp.html

Yes: http://i.imgur.com/BqN7iCF.jpg

Do you use task manager (Hotdog menu > More tools) to kill tabs that you are not currently using? Also chrome 46 looks to be getting much better[0]; although I have also noticed a sizeable improvement with 45.

[0] http://thenextweb.com/apps/2015/08/20/chrome-is-finally-gett...

I use schemas[0] for this. Could someone explain what advantage is gained from RLS in comparison, either to views or schemas?

[0] http://www.postgresql.org/docs/current/static/ddl-schemas.ht...

Link to research [0] (Ultralow-fatigue shape memory alloy films), for those that have access.

[0] http://www.sciencemag.org/content/348/6238/1004

It seems as though there is precedence, especially in Nepal, as earthquakes tend to shift stress along the fault lines[0].

[0] http://www.bbc.com/news/science-environment-32472310

It's not one country. Differences between France and South Korea include - not exclusively - Russia, Mongolia, and Namibia.[0][1]

[0]https://en.wikipedia.org/wiki/Visa_requirements_for_French_c... [1]https://en.wikipedia.org/wiki/Visa_requirements_for_South_Ko...

It's common for en_GB, I can't speak for en_US though. Here[0] is a test with it used twice.

[0] http://www.bristol.ac.uk/arts/exercises/grammar/grammar_tuto...

I believe they are referring to the article

> The skills and time load sections both re-inforce that Python is more heavily linked to Data Science than Ruby. Ruby is more of a web technology with strong affinity to front-end technologies and iOS.

Exactly what I was looking for, thanks. 90 days seems to ring a bell with what google is doing at the moment with microsoft, apple etc. Maybe not so much for (in this case) simply adding the http flag to your plain text user session cookie. But this is what I was looking for, best practices.

Again, thanks for the advice.

Reply to your edit:

Thanks.

Maybe the xxx.org came across wrong. My intention was a government organisation, nothing nefarious.

Exactly. That's how I thought it sounded.

But is it my responsibility to spend time reporting this to them? Should I leave the vulnerability for others to take advantage of, if they come across it? How do I know that others aren't already doing so?

With this specific vulnerability it could be used it to build an address book of emails, {home,work}addresses, telephone numbers etc; given the nature of the app.

So here seems like as good a thread as any.

What do you do when you think a company would just fix the bug based on your report and not pay out anything? I have seen so many bugs in the wild like this. For example a site in the uk where I can get access to any account I wish.

Are there any data protection laws that would provide leverage? How would you make first contact with a company that doesn't advertise a bug bounty program?

Does this kind of email seem ok?

    "Hi, I have seen a security vulnerability on your site. How do I report it? What do you pay?…

    May you respond in the next 7 days or I will be forced to take this to xxx.org for the protection of your users"

I think that could also be solved relatively easily. Just flash that you are sending an account activation email to the person trying to create an account and email the already registered user with a notification that someone tried to sign up with their email address.

Given that I have received downvotes I'll try more concrete example. Imagine that you start dating a someone and they discover your email, maybe you email them. Now they then take that information and try and log into a site that you do not wish that others know you use, this may be a porn site, it may be a group that you associate yourself with, say even a feminist forum. Now if you respond that it's the wrong password people are able to deduce (given that there is also a wrong username error) that you are a user of that service.

Imagine you put your email on your cv and this is done to see if you a member of a democrat or republican website, and you are not offered a job based on your political views.

Imagine that you use your email to sign up for a government service and they take that email, do as described above, and use the information in the future to discredit you in some way.

Maybe I have missed the point, but I personally think that this is a also privacy issue and only looking at it from the perspective of UX may have undesired consequences for people.

The article misses the point that on many sites this is not a security feature, more a privacy one. I have used the 403 http status rather than 401 in the past for this exact reason.

RFC 7231[0] suggests something similar

"An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found)."

with RFC 7235[1] suggesting the use of 403.

"A server that receives valid credentials that are not adequate to gain access ought to respond with the 403 (Forbidden) status code […]."

[0] https://tools.ietf.org/html/rfc7231#section-6.5.3 [1] https://tools.ietf.org/html/rfc7235