Right? I find submission titles like this so frustrating: it's simply not possible to be aware of every project out there. Please, please provide me some context in the title. This would be way better with a title something like "ISC releases KEA DHCP server 3.0 as LTS".
- I am on a team that oversees a bunch of stuff, some of which I am very hands-on with and comfortable with, and some of which I am vaguely aware exists, but rarely touch
- X, a member of the latter category, breaks
- Everyone who actually knows about X is on vacation/dead/in a meeting
- Fortunately, there is a document that explains what to do in this situation
- It is somehow both obsolete and wrong, a true miracle of bad info
So that is the problem this is trying to solve.
Having discussed this with the creator some[1], the intent here (as I understand it) is to build something like a cross between Jupyter Notebooks and Ansible Tower: documentation, scripts, and metrics that all live next to each other in a way that makes it easier to know what's wrong, how to fix it, and if the fix worked.
It shouldn't but often still is... and maybe a runbook like this is easier to handle than a script with possibly 1000 lines and not a single comment.
Of course, in your ideal world maybe nothing of this applies and you never have any incidents ;)
> It is somehow both obsolete and wrong, a true miracle of bad info
How does Atuin solve that problem? It seems to me that inaccurate and obsolete information can be in an Atuin document as easily as in a text document, wiki, etc., but possibly I'm not seeing something?
I'm just a community mod, not a dev on the project, so take this with a grain of salt:
I believe the intent is that you get bidirectional selective sync between your terminal and the docs, so that if what's in the docs is out of date or wrong, then whatever you did to actually fix things can be synced back to the docs to reduce the friction of keeping the docs updated.
To me, it seems like it's because the thing you're fixing is actually the "runbook" that's being run. Instead of separating the documentation from the code, they're married together so it's easier to keep them in sync because you aren't having to remind yourself to go edit this secondary location when you make a quick change.
I'm cautiously curious about something like this, although I haven't tried it personally.
Yes, it seems like right now the pendulum is swinging the other way: separation is no longer in fashion, and the fashionable thing is to have everything in one place.
The idea seems interesting to me just because I do not really like terminals, and having something more visually appealing with better history and comments is an improvement, though I am also not sure if Atuin is the best way to achieve all of that.
Ok, I think I see where this is coming from. Seeing your description, I actually think it might even be a benefit to non-technical people with no knowledge of what's going on. They can follow instructions and easily execute the relevant code, what with it all sitting together.
However I don't see how it solves the obsolete or wrong documentation thing. You still have to make sure the runbook is correct, if it's not you've got the exact same problem.
Having a centralised place for all your scripts is an advantage with inline docs. But then this is a local desktop version...
Using the arrow keys to navigate the current input is well supported on most modern terminals, and has been for most of my adult life. If this isn't working properly in your terminal, then I'd recommend experimenting with the various settings available to you.
Some terminals also support mouse navigation, so keep an eye out for that as well.
I'm sorry that you've been dealing with this frustration for so long and under the impression that it was just supposed to be that way and not fixable. The good news is that it's NOT supposed to be that frustrating and you CAN fix it.
Edit: you edited your comment somewhere between my first seeing it and my reply posting. I haven't had to modify the default settings on my terminal to fix things like this in about 20 years. I've changed them to tweak various preferences like scrollback, cursor shape/size, etc. But arrow navigation has worked out of the box for me for so long that I literally can't remember when I last had to fix it. I don't know why our experiences have been so different, but I'm sorry that a tool that has been so useful for me has been so frustrating for you.
Right, but that was the exact nature of the attack: it's a small commit that doesn't look like it needs a lot of scrutiny. Like, I get that you meant "it wouldn't take much scrutiny to find this" but I mean "it doesn't look like it needs to be scrutinized". Especially because, as mentioned in the first comment of the investigation, the change to an unsafe behavior is deliberately obscured by the formatting of the diff.
It's like Where's Wal(do|ly): once you know where to look, it's obvious, but if you don't even know you're supposed to be looking for it, you may never find it
Right-- A busy maintainer sees a weird looking commit-- but it's three lines long, submitted from a known contributor, and the tests pass. It was very carefully planned to be innocuous-looking enough to not trigger any concerns with a casual once-over (oh, it just changes the way an error is printed) and obfuscated enough to not be obviously malicious because of the diff formatting, and submitted by a reliable known contributor. Each piece was designed to make a rigorous code review as unlikely as they could possibly make it.
Sure, that's not how it's SUPPOSED to happen, but I'll eat my hat if at least 95% of people who've approved a PR at some point couldn't have been walked down that path by a dedicated attacker over time. Hopefully this has been enough of a jolt to make that less likely the next time someone tries it.
People often cite death and taxes as the only certainties in life-- we could easily include human fallibility.
Sounds about right. Although some number of those could be classified as plane interface errors or process deficiencies, nobody is perfect. Beyond that, in those situations, nobody was deliberately trying to get them to crash the plane!
In the years I worked as a nightclub bouncer, dozens or hundreds of people would try to fool me every night... and sometimes they did! I had a lot of experience foiling them, but they had a lot more time on their hands to scheme whatever thing they were scheming than I had to pay attention to them, individually.
As people pointed out, this was a technically simple attack-- the meat of the attack was psychological and emotional. In practice, particularly smart people are more susceptible to attacks like this because they subconsciously assume they'll catch everything that comes at them, and make a lot of assumptions about the attack vectors of problems based on what they're good at, like the classic XKCD about cryptography vs a wrench.
The malicious commit was designed to be confusing, as noted in the first comment of the investigation:
> but calls to safe_fprintf were replaced with calls to the unsafe fprintf. The diff doesn't make this obvious due to the removal of a newline in a parameter list.
It wasn't noticed because it was specifically designed not to be obvious.
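The comment above quotes the investigation's note that calls to safe_fprintf were swapped for plain fprintf. As an added illustration (not code from this thread, and not libarchive's own implementation), the following C shows why that kind of swap is a security change rather than a cosmetic one: an archive entry name is attacker-controlled, and if it is printed to the terminal byte for byte, any embedded control sequences are executed by the terminal. The escaping routine, the sample name and all function names here (escape_for_terminal, has_control_bytes, report_unsafe, report_safe, kHostileName) are hypothetical and written for this example only.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input for this example: an attacker-chosen entry name
 * carrying ESC [ 2 K (erase the current line) and a carriage return, so that
 * whatever follows overwrites the real file name on the user's terminal.
 * Illustrative only; not taken from any real archive. */
static const char kHostileName[] = "report.txt\x1b[2K\rall 3 files verified";

/* Stand-in for a safe_fprintf-style routine (hypothetical, not libarchive's):
 * copy s into out, escaping every byte outside printable ASCII as \xNN.
 * Returns the number of bytes written (excluding the NUL), or -1 if out is
 * too small to hold the escaped string. */
int escape_for_terminal(const char *s, char *out, size_t outsz) {
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p >= 0x20 && *p < 0x7f) {
            if (n + 1 >= outsz) return -1;      /* need room for byte + NUL */
            out[n++] = (char)*p;
        } else {
            if (n + 4 >= outsz) return -1;      /* need room for \xNN + NUL */
            n += (size_t)snprintf(out + n, outsz - n, "\\x%02x", *p);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Returns 1 if s contains any byte a terminal would treat as a control code
 * (C0 range or DEL), else 0. Used to show what plain fprintf lets through. */
int has_control_bytes(const char *s) {
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (*p < 0x20 || *p == 0x7f) return 1;
    return 0;
}

/* The "after the commit" shape: the untrusted name reaches the terminal raw. */
void report_unsafe(FILE *f, const char *name) {
    fprintf(f, "%s: failed\n", name);
}

/* The "before the commit" shape: escape first, then print. */
void report_safe(FILE *f, const char *name) {
    char buf[256];
    if (escape_for_terminal(name, buf, sizeof buf) < 0)
        fputs("<name too long to display>", f);
    else
        fputs(buf, f);
    fputs(": failed\n", f);
}

int main(void) {
    /* On a real terminal the first line is rewritten by the escape sequence;
     * the second shows the name with its control bytes made visible. */
    report_unsafe(stdout, kHostileName);
    report_safe(stdout, kHostileName);
    return 0;
}
```

The two report functions differ by one call, which is exactly why a three-line diff that drops the escaping step looks harmless on a casual read: nothing crashes and the tests that check exit codes still pass, but the trust boundary between archive contents and the user's terminal is gone.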
I'm confused why this is being posted now? This thread appears to have taken place in the days immediately following the original XZ discovery, with no new activity since very early April. It was discussed heavily at the time that Jia Tan had made contributions to other projects and that those were being investigated as well.
Is there something new here I missed, or some additional context that makes this specific commit relevant right now?
Since the posted thread has been locked since April, even if there’s new information it can’t be on the posted page. I suspect a lot of votes come from people thinking there’s significant new information (otherwise why would this suddenly be #1?) when there’s none.
Ok, but to what end? Is there some karma-to-dollars pipeline that I don't know about? There a bunch of other platforms that superficially seem like much softer targets with more obvious payoffs.
Like, if we put it in the classic context of
1. Farm Karma
2. ?
3. Profit!
I'm not clear on step 2. What's step 2?
And of course that pre-supposes malice (or at least greed), which is in violation of Hanlon's Razor.
Sorry, I don't understand the point you're making here. Are you saying that karma farming on HN leads to successful IPOs? Or are you saying that karma farming in general can be profitable? Because both of those are what I was trying to speak to when I said that I feel like there are much softer targets than HN: it seems much easier to me to profit from karma farming on other platforms than it would be here. Maybe I'm just not engaged enough and/or naive, but I don't think of even high-karma users on HN as being Influencers. Like, I don't see myself spending money on something specifically because tptacek endorsed it.
On Instagram, it makes sense to me:
1. I farm for likes and karma
2. I start endorsing low value crap from whatever fad is trending this hour
3. Profit
On HN, I have no idea what step 2 is: what is the middle step between farming and profit that doesn't involve, like, founding a startup? What's the specific tactic on this platform?
Sorry, I didn't see the "much softer targets" remark but I disagree anyway.
Marketing on HN can be very powerful. The mindshare gain can be enormous. Niches in general are very rewarding if the underlying platform (Google/Facebook/Amazon/Ebay) doesn't deplatform you.
I don't have time to look it up but I'm sure minimaxir (Certified HN Influencer) has made a study on it.
PG remarked on it in What I've Learned from Hacker News[1]:
"But what happened to Reddit won't inevitably happen to HN. There are several local maxima. There can be places that are free for alls and places that are more thoughtful, just as there are in the real world; and people will behave differently depending on which they're in, just as they do in the real world.
I've observed this in the wild. I've seen people cross-posting on Reddit and Hacker News who actually took the trouble to write two versions, a flame for Reddit and a more subdued version for HN."
Anecdata: just today I reactivated an account on a startup I learned about from a Show HN[2]
Ok, thanks, this is exactly what I needed. I'm apparently too much of a casual user here because I don't even recognize minimaxir as a username. So that's gotta be the disconnect for me: all the usual tactics apply, they're just less obvious to me because I'm not engaged enough.
I appreciate you taking the time to respond thoroughly. Thanks!
Edit: it occurred to me that another potential reason that the tactics used to monetize karma farming on HN may be less obvious to me than on other platforms is because here, the tactics are more specifically designed to target me.
Asking in seriousness: did you comment without reading the link? If so, why? I legit don't understand why people comment on things without having read them, and I would like to.
I'm not who you asked, but sometimes the comments are more interesting (or perhaps intriguing, enticing, is a better way to put it) than the submission itself. Some of those times my interest in the submission grows with reading some of the discussion, and then I'll read it.
(Not to say I always do this, but I do definitely click first into comments more often than I go straight for the article - it allows a much lower bar for what seems initially interesting, and I've read a lot more fascinating stuff (submissions and discussions) than I would have otherwise that way.)
Interesting! But this sounds like an explanation why you read the comments without reading the article, not why you comment without reading, and those aren't inherently the same thing.
So to clarify: do you comment on the content of the post without reading it? I'm specifically interested in why people comment on links and articles they didn't read. And for maximum clarity here, I mean commenting on the content of the article, not just contributing to the various related discussions it spawns.
And to reiterate, I'm asking in earnest. It's not something I would do, so I'd like someone who does to weigh in.
Uh, maybe. Less likely to than just reading comments for sure.
But for example this thread is on such a tangent (and it could be a hell of a lot less) that TFA is completely irrelevant to what I would comment or how it would be received, so yes I might; almost certainly have on several occasions (over years and wouldn't-like-to-think-many comments).
Too late to edit but I just wanted to add never a top-level comment, but in thread probably quite a lot actually.
And as an example of how it could be much less of a tangent, more related but still not require reading TFA to comment, I saw something recently where a top-level comment was along the lines 'I would use strace for this personally', and then the thread was all about strace. Commenting in that thread, other than to compare it to whatever OP was doing, doesn't really require reading the article, because it's about something else now, and that's been made clear from the top-level comment.
I suppose it's kind of like joining a discussion at a party - you don't need to be excluded just because you missed the thing that started the conversation. Difference here is if you want/need to or are interested, you can still just go and read it without someone having to awkwardly/hurriedly fill you in.
Thanks for weighing in! But this is just speculation, right? Are you speaking from experience? I'm specifically looking for someone who does it to explain it.
I mean, I can make my own guesses about various forms of attention seeking and hopes to somehow cash in on high karma all day long but, to me it feels like HN is among the worst possible venues for that. I'm not aware of easy ways to convert HN karma into cash flow like you maybe could with followers on other platforms. So I don't immediately see a benefit in just farming karma for its own sake.
Is there some benefit to karma farming I'm not aware of? Like, some points-to-dollars conversion stream that I'm not in the loop on?
Those aren't meant to be apps representative of the Mobifree "platform"; those are existing projects that have agreed to partner with Mobifree towards a common goal. They're bullet points in the same list as Murena and the E Foundation.
As far as answering your actual question, you'd probably need to ask the project devs for Quicksy and Conversations?