#dev 2025-06-17

2025-06-17 UTC
bterry joined the channel
#
[morganm]
Rant: It's been so long, years, since I have stood up a public-facing auth and user login flow. I did it with a bunch of libraries in the past and I can't even name them right now. I've just been focusing on fun static websites and learning CSS/HTML with sprinkles of JS; basically my dynamic coding skills have denatured.
#
[morganm]
Rave: If I wanted to pick it back up again, I could
mateusrc, bugliker0 and jak2k joined the channel
#
mandaris
I wrote this with Fractal Kitty in mind. I don't know if she's in here.
#
mandaris
My next project is to redo authorship and references in my site. I really want to be able to understand it.
#
mandaris
Maybe I can get it done before the 20th anniversary of microformats
barnaby, Guest6 and [KevinMarks] joined the channel
#
[KevinMarks]
I remember someone looking at the microformats logo and saying "I only see three mats"
jak2k and mateusrc joined the channel
#
[social]
Excellent
[mattl] joined the channel
#
[mattl]
Started publicly tracking the daily stats for http://libre.fm so I can see how much it's being used or not used on a daily basis
#
[KevinMarks]
anyone good at AWS wrangling? If I want to run a single python script that takes ~12 hours to import some data, which Amazon thingy should I use?
#
perryflynn
on demand? probably elastic container service. lambda has a time limit of 15 minutes.
#
perryflynn
maybe an EC2 instance with a launch template would work too. but you have to make something to launch and destroy the instance.
#
[KevinMarks]
Yes, I saw the lambda issue. I suppose I could segment the task and chain lambdas to do it, but that may well be more work.
#
perryflynn
I would launch an EC2 instance via Terraform or AWS EventBridge and give the role inside of the EC2 instance the permission to terminate itself.
#
[KevinMarks]
Step Functions looks like it's supposed to be for this kind of thing, but I think that still needs the code wrapped in something to work.
#
perryflynn
yea that could work as well. heard about Step Functions but never worked with it.
rosipov5 joined the channel
#
[snarfed]
[KevinMarks] is this ongoing? or one time (or a few)? if the latter, maybe run it locally?
#
[KevinMarks]
It's about every 6 weeks - I have been running it locally, but I want to hand it over to someone else to run on AWS
jak2k and [jgarber] joined the channel
#
[jgarber]
Goodness.
#
Loqi
[preview] [daniel:// stenberg://] No more embargoed security issues for libxml2: https://gitlab.gnome.org/GNOME/libxml2/-/issues/913
#
[jgarber]
The linked issue is quite a read.
angelo, GuestZero and barnaby joined the channel
#
[schmarty]
👍 👍 👍
#
[snarfed]
I'm torn. on one hand, ecosystem security matters, and responsible disclosure is important and useful. on the other hand, obviously open source maintainers should be supported and not unduly burdened
#
[snarfed]
no easy answers
#
perryflynn
the users of the libraries now have the chance to act/react.
#
[snarfed]
hmm no they always did. this change means there will be a window when they _don't_ have the chance to act/react: there's no patch available yet, but they're vulnerable and on blast because attackers know about the vulnerability
#
[schmarty]
totally agree it is not easy, but i applaud an unpaid volunteer for saying no to unreasonable demands from companies that profit off their work.
#
[snarfed]
of course. it just also has clear downsides that I wish we had better answers for
#
[schmarty]
flip the script on the relationship between capital and labor??? 😈
#
[jgarber]
[schmarty] Good day, comrade!
#
[snarfed]
too abstract, not sure how to apply that here
#
[schmarty]
interesting that a lot of these are written for what i would call an enterprise audience
#
[schmarty]
"bad open source packages", "open source quality". notes for the discerning shopper with a corporate card.
#
[schmarty]
i enjoyed this recent Chris Ferdinandi post about working the other direction:
#
[schmarty]
build and license for the commons, first. if you leverage it to make money, you pay back in.
#
[snarfed]
it's complicated. I fully agree, but I also don't think you can realistically try to *require* that, at least if you publish open source code with a traditional open source license
#
[snarfed]
if you try to somehow retain and enforce control, that's the way of the mad king a la Matt Mullenweg
#
[schmarty]
i guess i mean: it is interesting to see folks wring their hands at the under-resourced maintainers of the thin twig of a package in the XKCD comic. but where is the attention on the downstreamers who adopt these packages in exploitive ways?
#
[snarfed]
there's plenty of that attention, people make this connection very regularly
#
[snarfed]
and the ecosystem is trying to adapt, eg the links I posted earlier. corporate OSPOs exist, they do support open source materially, etc. is it enough, or in the right shape? probably not. but it's not missing entirely
#
[schmarty]
there is a stark asymmetry
#
[snarfed]
of course
#
[tantek]
[snarfed] IMO if the assumption is "you're giving up control" then that must be paired with "use at 100% your own risk", as in all security problems are the problems of the consumer of the open source, not the publisher
#
[snarfed]
totally! agreed
#
[tantek]
"giving up control" goes both ways
#
[snarfed]
stenberg is entirely within his rights to make that call. companies should support open source more. all true. but that doesn't make the security side wrong. both can be right, they're just in tension because there isn't enough open source support yet
#
[tantek]
this to me says there's a "market opportunity" (only half 🙂 ) for someone to start an "Enterprise Validation™" service for open source packages that Enterprises can subscribe to (pay regularly for) for "Validated" releases of open source packages
#
[snarfed]
that's Tidelift, and others
#
[snarfed]
linux and other distributions, etc
#
[tantek]
right, so any complaints of "wah I don't get security for free" have no sympathy frankly
#
[snarfed]
the problem is that "validation" can never guarantee that anything is vulnerability free
#
[tantek]
guarantee is not the point. someone you can call for support (that you're paying) is the point
#
[snarfed]
I don't know that anyone's crying that. the original complaint here was the expectation of responsible (confidential) disclosure and prioritization
#
[snarfed]
which, absolutely, if you aren't paying, you can't expect
#
[snarfed]
(...heh ok, fair, prioritization is a milder version of "security for free")
barnaby, lain`, jak2k, btrem and aaronpk_ joined the channel
#
btrem
I need some debugging advice .. \
#
btrem
]@#*$@# Hit return by accident. Sorry.
aaronpk_ joined the channel
#
btrem
I need some debugging advice. I created an .ics calendar feed in a Drupal site, but I cannot subscribe to it. The format appears to be correct. I've tried two calendar apps: Gnome Calendar, which prompts for username/password but does nothing more; and Thunderbird calendar, which claims "could not find calendars here" OSLT.
#
btrem
I have successfully subscribed to Indieweb events, also .ics, using both apps. I'm thinking maybe the response headers for my feed are wrong, but I can't figure out how to see them. Firefox Dev Tools doesn't work, I think because Drupal redirects the page from log in too quickly. Any thoughts on how I might proceed?
#
perryflynn
does downloading the .ics and adding it locally into Thunderbird work?
#
btrem
perryflynn: Hmm, good idea. I'll try that next. I did just validate the file using an online validator. It reports "no errors," though there are 10 warnings about the line length being "longer than 75 characters." Sounds more like a linting issue, rather than a validation one.
#
btrem
@#$@!# applications and their broken interfaces. I can't access the "import all" button. Who in the @!#@! designs this stuff?!
#
btrem
So aggravating. Well, I managed to access "import all" events, but nothing actually shows up in the calendar. So something is maybe amiss in the .ics. Thanks for the idea, perryflynn++
#
Loqi
perryflynn has 7 karma in this channel over the last year (15 in all channels)
#
perryflynn
yw
#
btrem
Unfortunately, the lack of an error message leaves me completely in the dark. Nothing worse than a silent fail. :-/
#
perryflynn
I would now take an iCal parser in a language I know and try to parse it with that. then it could be debugged.
#
btrem
Currently doing that, and the json version of the cal looks fine.
#
btrem
shrugs
#
btrem
Well, I'll keep at it, and report back if I find anything interesting.
#
perryflynn
did you check the whitespace? so do you use the correct line endings (\n vs. \r\n), is the file encoding correct, and does the file have a Unicode BOM at the beginning, which is maybe not allowed?
#
perryflynn
(I have no clue about iCal, just shots into the dark)
#
[artlung]
I use https://github.com/u01jmg3/ics-parser in PHP with composer to read and display events. FWIW. That main page on GitHub also mentions several gotchas around the ICS spec.
#
Loqi
[preview] [u01jmg3] ics-parser: Parser for iCalendar Events • PHP 8+, 7 (≥ 7.4), 5 (≥ 5.6)
#
btrem
perryflynn: BOM isn't relevant for the web feed, is it? As for whitespace, I dunno. I did validate it, and supposedly there are no errors.
#
btrem
[artlung]++ thanks I'll have a look at that validator as I continue chasing this undomesticated waterfowl. ;-)
#
Loqi
[artlung] has 16 karma in this channel over the last year (86 in all channels)
#
perryflynn
btrem: not sure. Just have seen it in other projects that BOM can break especially old specs.
#
[snarfed]
also check that you're serving it with the right mime type
#
[mattl]
“In the early days of the internet, most web developers wrote their own CSS to structure and style webpages.”
#
[tantek]
"early days"
#
[mattl]
“in the early days of 1998-2006.”