ah, this is when the original package is served over HTTP. Yes in that case it... is a little pointless
grepsuzette
@grepsuzette
if on a local LAN you could just use a scheme like host:/path and have it served over scp, no need for http. I feel I would just never use http to serve code even on a LAN
on localhost hum, I would just copy the haxe_library/file.hxml from another project or forge it by hand ^^
but I never used complex cases with lix, cannot really say
Gabriel Hayes
@piboistudios
I'm not at all familiar with PMs (particularly unfamiliar with how post download hooks work), but is this pretty much only a problem with dependencies served over plain HTTP?
i.e. is it still inadvisable to use Lix strictly over https?
(again pardon ignorance here.. I don't even really know how lix and haxeshim all fit together)
Juraj Kirchheim
@back2dos
HTTP is unsafe to use ... lix allows using HTTP ... that's the "vulnerability"
given that Haxe libraries have smaller dependency graphs and are much less used (making them a less attractive target), compared to npm, lix is safer ^^
Gabriel Hayes
@piboistudios
Yeah that's what I was just about to say
My entire life I've been a part of groups just below the radar. It always pays off in these nice little ways lol
grepsuzette
@grepsuzette
we don’t want to have lix marked as unsafe though. Maybe haxe seems to be almost nowhere now, maybe we think we are on our own, but I think in truth if we embrace this seemingly silly game of fixing the marked vulns it will be beneficial. Down the road I think Lix brings a lot of potential for haxe-illiterate linux and osx users to build all kinds of things (apps, servers, services, idk literally anything). Same as any other language (even, take compilation-less languages like python, ruby, perl or node; would haxe programs really be more difficult to build using lix than it sometimes is to install a ruby app if you’re a beginner?)
But if we allow lix to remain marked as vulnerable, although we know the reason is unsound and it actually will reasonably not happen, we then likely lose this formidable use case for both haxe and lix
My point being that I wonder if it actually matters how actually vulnerable or not it is.
Juraj Kirchheim
@back2dos
it doesn't
but I care about people who do use lix more than about people who might
grepsuzette
@grepsuzette
Ideally we probably would want a wrapper allowing the unsafe http protocol, but I don’t know if the current lix architecture would allow it
E.g. ideally lix is safe, and by downloading a lix_http wrapper, people who have reasons to do otherwise could still work with http?
Juraj Kirchheim
@back2dos
my last client relies on the ability to load libraries via http ... I'm not willing to break their workflow because of some imbeciles from a subcontractor of npm inc harassing me over made-up issues
grepsuzette
@grepsuzette
:smile:
Juraj Kirchheim
@back2dos
yes, we need a solution, but I don't see that it's particularly urgent
grepsuzette
@grepsuzette
And someday I want to see idiots being able to compile and deploy awesome programs in haxe as they do right now for stuff in haskell, rust, ruby and so on
Juraj Kirchheim
@back2dos
one would be to try approaching the auditors with a well crafted argument why this is not an issue
grepsuzette
@grepsuzette
But agree it’s not urgent
Oh, arguments will never work^^
Juraj Kirchheim
@back2dos
another would be to deprecate http, at least to some extent
hmm ... who knows ... it's their job to err on the side of caution, but that doesn't mean they can't be convinced ... they do that professionally, which is different from trying to convince a programmer from another religion that your programming religion has the better false gods
I don't hold out too much hope, but it's a path I don't want to leave unexplored
however I've burned much of my last 3.5 years dealing with stupid bureaucracy, so my willingness to cope with more of such nonsense is currently insufficient to do it properly ^^
grepsuzette
@grepsuzette
My belief in bureaucracy is about zero as well…
Juraj Kirchheim
@back2dos
hmm ... no, it's not hopeless, but it is extremely draining and right now I'm having a pretty good run improving things that are about as fully under my control as it gets ^^
Kevin Leung
@kevinresol
is there a reason travix is not running on interp ("main" in haxelib.json)? I can't recall anything related
looks like lix run does not support "main" in haxelib.json?