I can’t say I’ve ever sent a security-related bug report without at least some work done trying to understand how to fix it. Surely the caliber of people working for Project Zero can do that too, otherwise hi Google I’ll take one job please.
qqq@lemmy.world to Technology@lemmy.world • Nearly 90% of Windows Games now run on Linux, latest data shows
2 · 11 days ago
Wonder if they can build on top of eBPF? I think Windows is trying to implement it too
qqq@lemmy.world to Selfhosted@lemmy.world • Promised myself I will support them after they go stable. They kept their promise and so did I
4 · 13 days ago
If this is happening via a VPN you almost definitely already have transit encryption
“Jet fuel can’t melt steel beams” was probably a gateway drug for so many of the crazies today
qqq@lemmy.world to Showerthoughts@lemmy.world • Commercials seem to be normalizing an unhealthy work-life balance more.
2 · 1 month ago
A lot of people claiming advertising doesn’t work on them don’t grasp this. I realized how hard it is to get around this when I first went to buy car insurance.
qqq@lemmy.world to Programmer Humor@programming.dev • we did a little bit of branch fuckery
30 · 1 month ago
Look at this person over here using branches, show off
For loops with find are evil for a lot of reasons, one of which is spaces:
```
$ tree
.
├── arent good with find loops
│   ├── a
│   └── innerdira
│       └── docker-compose.yml
└── dirs with spaces
    ├── b
    └── innerdirb
        └── docker-compose.yml

3 directories, 2 files
$ for y in $(find .); do echo $y; done
.
./are t good with fi d loops
./are t good with fi d loops/i erdira
./are t good with fi d loops/i erdira/docker-compose.yml
./are t good with fi d loops/a
./dirs with spaces
./dirs with spaces/i erdirb
./dirs with spaces/i erdirb/docker-compose.yml
./dirs with spaces/b
```

You can kinda fix that with IFS (this breaks if newlines are in the filename which would probably only happen in a malicious context):

```
$ OIFS=$IFS
$ IFS=$'\n'
$ for y in $(find .); do echo "$y"; done
.
./arent good with find loops
./arent good with find loops/innerdira
./arent good with find loops/innerdira/docker-compose.yml
./arent good with find loops/a
./dirs with spaces
./dirs with spaces/innerdirb
./dirs with spaces/innerdirb/docker-compose.yml
./dirs with spaces/b
$ IFS=$OIFS
```

But you can also use something like:

```
find . -name 'docker-compose.yml' -printf '%h\0' | while read -r -d $'\0' dir; do .... done
```

or in your case this could all be done from `find` alone:

```
find . -name 'docker-compose.yml' -execdir ...
```

`-execdir` in this case is basically replacing your `cd $(dirname $y)`, which is also brittle when it comes to spaces and should be quoted: `cd "$(dirname "$y")"`.
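The three behaviours described in the comment above, side by side, as an added example that is not part of the original comment. The function names and the sample tree (including a directory whose name contains a newline) are constructed for illustration, and `-execdir` assumes GNU or BSD `find`.

```sh
#!/bin/sh
# Added example: function names and the sample tree are constructed.

# Build a tree whose directory names contain spaces and, in one case, a newline.
make_tree() {
    for d in "arent good with find loops/innerdira" \
             "dirs with spaces/innerdirb" \
             "new
line/innerdirc"; do
        mkdir -p "$1/$d" && : > "$1/$d/docker-compose.yml"
    done
}

# Naive loop: the unquoted $(find ...) is split on spaces, tabs and newlines.
# Prints how many loop items are paths that actually exist.
count_naive() {
    n=0
    for y in $(find "$1" -name docker-compose.yml); do
        if [ -f "$y" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# IFS set to newline only (subshell body, so the caller's IFS is untouched).
# Spaces survive, but a newline inside a name still cuts the path in two.
count_ifs_newline() (
    IFS='
'
    n=0
    for y in $(find "$1" -name docker-compose.yml); do
        if [ -f "$y" ]; then n=$((n + 1)); fi
    done
    echo "$n"
)

# find runs the command itself from each match's directory; no word
# splitting is involved, so every name is handled.
count_execdir() {
    find "$1" -name docker-compose.yml \
        -execdir sh -c '[ -f docker-compose.yml ] && echo x' \; | wc -l | tr -d ' '
}

root=$(mktemp -d)
make_tree "$root"
echo "naive=$(count_naive "$root") ifs=$(count_ifs_newline "$root") execdir=$(count_execdir "$root")"
rm -rf "$root"
```

Of the three compose files in the constructed tree, the naive loop reaches none, the newline-only IFS loop reaches the two under names with spaces, and `-execdir` reaches all three.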
Not exactly “memory address 0”; there be dragons there. https://c-faq.com/null/index.html
I love nix and NixOS, but yes the documentation is incredibly insufficient. I’d recommend a normal distro + the nix package manager first for a personal laptop. You have to be ok occasionally taking a detour to learn how to build some random program from source in a sandbox with no networking every once in a while so it’s kinda clunky as a daily use OS imo. It shines on servers though
NixOS is fun but requires tinkering for a desktop/laptop. You can use the nix package manager on any other distro though. At work I use Fedora and still use the nix package manager a ton when I want to, but I’m not locked into it when something needs to just work quickly. I have NixOS on my personal laptop and I kinda wish I didn’t. I have it on my home server and I’m very happy I did that.
PC load letter? What the fuck does that mean?
Not at all. Root access would be a way over safety rails.
Also the context of this post is that Google is attempting to make “side loading” harder.
> I meant, what things do you do on your phone that wouldn’t be possible on a website if you were on another platform?
This is still begging the question: your question contains the assertion that the current smart phone model must continue. If you only think about the things you currently do with it, then of course you can do a lot of the same things with a browser model: they’re both restrictive sandboxes in similar ways. Interestingly though, I can name a few things already that are currently easy on an Android phone but not in a browser, the most obvious being running any sort of network server. You can’t take advantage of Linux’s configfs and functionfs APIs on a device that is ironically the best device made to use them. I mean, browsers were never even designed to allow filesystem access so an API would need to be added for that even, something so trivial. There are an almost infinite number of things you can do with direct access to an OS compared to through browsers; browsers are required to treat every single thing they do on behalf of the server they’re talking to as malicious. That’s the whole threat model, and it’s completely correct, but I don’t want that threat model applied to my entire device.
I think we’re just thinking of different things. You seem to be thinking about how to remake the current smart phone experience, and that’s pretty easy to do with a browser model. I think the current smart phone experience is pretty bad and incredibly limiting, so I see a move to the browser model pretty much… no different. I wouldn’t be particularly excited. I never understood the Boot2Gecko excitement anyway.
I’d like to see a smart phone that is just a small computer that happens to also have phone functionality. Where you actually have an entire Linux system available to you, and you’re allowed unconfined root access. You simply can’t get that if you’re being sandboxed by anything. To be honest if Android just stopped all the insanity around full, meaningful root access and unmodifiable hardware roots of trust, I wouldn’t need anything else. I like the availability of the tightly controlled application sandboxes. I love the use of SELinux throughout.
With respect to the development ecosystem… we can agree to disagree I guess. I’d rather leave the industry than deal with modern web development, but that’s just my personal opinion.
> Google does at least maintain fairly solid web standards

I have to strongly disagree with this though. Google wants to bring its attestation APIs to browsers. What a nightmare. They also try to move browser addon development in user hostile ways, like trying to kill ad blocking. I don’t trust Google to have the user’s best interest in mind for a single second.
Anyway, I asked where you’re coming from so thanks for sharing.
Yes there is a general ignorance to this problem among lawmakers, in my country at least, as well as a bit of regulatory capture with respect to tech in general. The bogeyman of “security” is also a very persuasive concept for a lot of people. This is not a problem that will be solved easily.
I sometimes have to go to Miami and I’m legit scared of the highways there.
Yea… Like some of those parking applications. Ugh.
We’ll always need safety rails, I think the thing you’re missing in most of the arguments you’re seeing here is that people want ways over or around those safety rails, and that those safety rails do not need to be as strict as they’re becoming. That is not the case currently and that is definitely not the direction AOSP or iOS are interested in going.
Also, just for the record, comparing the modern era of computing to the limewire era is bananas.
Sure, but imagine a world where you could run a JVM (just as an example please don’t focus on that lol) on your phone (and yes I know Android is JVM-esque, but you aren’t just running JVM code on there willy nilly due to the way it’s designed). There is no longer an Android vs iOS in that case with respect to JVM and even desktop or laptop applications. Of course there would need to be work done on the development side to deal with screen size and all that fun stuff, but these are all solvable problems and things you already have to deal with. Qt has very easy to use Python bindings if you want an easy entry to that so that’s no big deal. I don’t write a lot of GUI code so I don’t know the landscape that well, but I’ve had success with PyQt6 and Kotlin + JavaFX.
Anyway that’s all kinda beside the point. We know how to build VMs; we’ve done it plenty of times. There is nothing magic about JavaScript; it’s just a VM. Are browsers incredibly complex and well designed programs? Yes, but they’re not special and their role as the backbone of everything doesn’t seem inevitable or wise to me.
I think they’re both pretty big problems. An open OS and hardware that supports it seems to be a huge hurdle, but at least there is a clear vision of how to solve it. The problem you bring up though… It seems like we’ve almost gone too far at this point and it’s gonna be really hard to put the cat back in the bag. It seems like something we need to solve with legislation potentially?




I’ve had someone screenshot my code, circle a buggy line in red, and blog about it instead of submitting a PR.