grepsuzette
@grepsuzette
ah, this is when the original package is served over HTTP. Yes, in that case it... is a little pointless
grepsuzette
@grepsuzette
if on a local LAN you could just use a scheme like host:/path and have it served over scp, no need for http. I feel I would just never use http to serve code even on a LAN
on localhost hum, I would just copy the haxe_library/file.hxml from another project or forge it by hand ^^
but I've never used complex cases with lix, cannot really say
Gabriel Hayes
@piboistudios
I'm not at all familiar with PMs (particularly unfamiliar with how post download hooks work), but is this pretty much only a problem with dependencies served over plain HTTP?
i.e. is it still inadvisable to use Lix strictly over https?
(again, pardon my ignorance here.. I don't even really know how lix and haxeshim all fit together)
Juraj Kirchheim
@back2dos
HTTP is unsafe to use ... lix allows using HTTP ... that's the "vulnerability"
using lix over HTTPS is "safe", at least to the extent that package managers are - which itself is a minefield: https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/
Juraj Kirchheim
@back2dos
given that Haxe libraries have smaller dependency graphs and are much less used (making them a less attractive target), compared to npm, lix is safer ^^
Gabriel Hayes
@piboistudios
Yeah that's what I was just about to say
My entire life I've been a part of groups just below the radar. It always pays off in these nice little ways lol
grepsuzette
@grepsuzette
we don’t want to have lix marked as unsafe though. Maybe haxe seems to be almost nowhere now, maybe we think we are on our own, but I think in truth if we embrace this seemingly silly game of fixing the marked vulns it will be beneficial. Down the road I think Lix brings a lot of potential for haxe-illiterate linux and osx users to build all kinds of things (apps, servers, services, idk literally anything). Same as any other language (even, take compilation-less languages like python, ruby, perl or node; would haxe programs really be more difficult to build using lix than it sometimes is to install a ruby app if you’re a beginner?)
But if we allow lix to remain marked as vulnerable, although we know the reason is unsound and it actually will reasonably not happen, we then likely lose this formidable use case for both haxe and lix
Juraj Kirchheim
@back2dos
lix is about as vulnerable as curl | bash
which by the way is the proposed method of installing nvm, the most widespread node version manager: https://github.com/nvm-sh/nvm#installing-and-updating
grepsuzette
@grepsuzette
My point being that I wonder if it actually matters how actually vulnerable or not it is.
Juraj Kirchheim
@back2dos
it doesn't
but I care about people who do use lix more than about people who might
grepsuzette
@grepsuzette
Ideally we probably would want a wrapper allowing the unsafe http protocol, but I don’t know if the current lix architecture would allow it
E.g. ideally lix is safe, and by downloading a lix_http wrapper people who have reasons to do otherwise could still work with http?
Juraj Kirchheim
@back2dos
my last client relies on the ability to load libraries via http ... I'm not willing to break their work flow because of some imbeciles from a subcontractor of npm inc harassing me over made up issues
grepsuzette
@grepsuzette
:smile:
Juraj Kirchheim
@back2dos
yes, we need a solution, but I don't see that it's particularly urgent
grepsuzette
@grepsuzette
And someday I want to see idiots being able to compile and deploy awesome programs in haxe as they do right now for stuff in haskell, rust, ruby and so on
Juraj Kirchheim
@back2dos
one would be to try approaching the auditors with a well crafted argument why this is not an issue
grepsuzette
@grepsuzette
But agree it’s not urgent
Oh, arguments will never work^^
Juraj Kirchheim
@back2dos
another would be to deprecate http, at least to some extent
hmm ... who knows ... it's their job to err on the side of caution, but that doesn't mean they can't be convinced ... they do that professionally, which is different from trying to convince a programmer from another religion that your programming religion has the better false gods
I don't hold out too much hope, but it's a path I don't want to leave unexplored
however I've burned much of my last 3.5 years dealing with stupid bureaucracy, so my willingness to cope with more of such nonsense is currently insufficient to do it properly ^^
grepsuzette
@grepsuzette
My belief in bureaucracy is about zero as well…
Juraj Kirchheim
@back2dos
hmm ... no, it's not hopeless, but it is extremely draining and right now I'm having a pretty good run improving things that are about as fully under my control as it gets ^^
Kevin Leung
@kevinresol
is there a reason travix is not running on interp ("main" in haxelib.json)? I can't recall anything related
looks like lix run does not support "main" in haxelib.json?
Juraj Kirchheim
@back2dos
yep
Kevin Leung
@kevinresol
oh right
My macbook was sent to servicing because of the swollen battery. Now I am stuck in windows
poor me...
Kevin Leung
@kevinresol
nope, that should mean I should not work. just go play some video games
grepsuzette
@grepsuzette
or work on servers (they have a nice text game called mille in bsd-games package). But yes I agree with the statement
clearly it did find it, the ascii art is right above...
Kevin Leung
@kevinresol
I think the script that compiles the hxcpp tools runs something like haxelib run hxcpp ...?
or the hxcpp-tools.hxml contains -lib hxcpp?
Jens Fischer
@Gama11
you mean tools/hxcpp/compile.hxml?
it does not