clojure-europe

For people in Europe... or elsewhere... UGT https://indieweb.org/Universal_Greeting_Time
djm 2021-02-04T07:07:39.254Z

👋

slipset 2021-02-04T07:17:56.254200Z

Morning

dharrigan 2021-02-04T07:34:02.254400Z

Good Morning!

jkxyz 2021-02-04T07:42:00.254700Z

Good morning!

orestis 2021-02-04T07:48:43.254900Z

Morning

javahippie 2021-02-04T07:49:13.255100Z

Morning!

thomas 2021-02-04T08:16:47.255400Z

morning

thomas 2021-02-04T08:17:12.255900Z

and the ice does look ideal for ice skating @pez

plexus 2021-02-04T08:28:14.256100Z

Morning!

plexus 2021-02-04T08:28:41.256400Z

me: why is emacs getting so slow? htop:

plexus 2021-02-04T08:30:00.256700Z

23GB... something, somewhere, has gone horribly wrong

ordnungswidrig 2021-02-04T08:41:22.256900Z

I have this too, once in a while

ordnungswidrig 2021-02-04T08:41:40.257100Z

Restarting helps, I never had the motivation to debug this

ordnungswidrig 2021-02-04T08:44:52.258400Z

@pez when the time allows it I need to go to Scandinavia just for ice lake skating

2021-02-04T09:02:14.258500Z

You can use profile start/end and report to see what’s going on

pez 2021-02-04T09:47:37.260700Z

It is pretty rare with that kind of ice, though. I have lived by a lake for 21 years and have seen it happen three times. And in the archipelago it has to be even less common. But I’ll holler your way if I think it is about to happen. 😃

borkdude 2021-02-04T09:57:46.260800Z

maybe a sub-process getting out of control? (this is one reason I usually don't use jack-in)

slipset 2021-02-04T10:32:39.265300Z

So, hypothetically speaking. Let’s imagine a company uses friend, which is somewhat retired. Then it comes to the company’s attention that there is a CVE on friend, because a lib that friend depends on has a vulnerability. There is a newer version of the vulnerable lib available, which works. Now, do you
1. exclude said library in your project.clj and add an explicit dep on the newer version of said library
2. beg cemerick to issue a new version of friend with a version bump on the dep
3. finally get clj-commons to take on friend and have them version bump the dep
4. rewrite to buddy and hope for the best
5. say f*ck it, the vulnerability is not likely to hit us.

slipset 2021-02-04T10:34:34.265600Z

https://nvd.nist.gov/vuln/detail/CVE-2015-0886

borkdude 2021-02-04T10:42:05.265800Z

4

borkdude 2021-02-04T10:43:02.266100Z

friends don't let friends use friend

borkdude 2021-02-04T10:43:56.266900Z

(half kidding, as I don't know friend very well, it seemed too complex for me to ever get started with, but I would not invest that much energy in a lib that was abandoned for too long)

ordnungswidrig 2021-02-04T10:46:05.267Z

@borkdude that’s probably the main cause when it happened to me. E.g. having a repl producing 1M of output can easily freeze your emacs.

ordnungswidrig 2021-02-04T10:47:02.268500Z

#1 and #2 are basically the same. Somebody would need to do a proper assessment on the impact and verify the bug is actually fixed with the version bump.

jkxyz 2021-02-04T10:47:28.269200Z

You could also re-write just the credential fn to use an updated BCrypt lib. That fn is quite simple

ordnungswidrig 2021-02-04T10:47:30.269300Z

Not familiar with that case but from what I read in the CVE the dependency bump should be straightforward.

✅ 1

ordnungswidrig 2021-02-04T10:48:34.270600Z

@josh604 that’s actually not a bad idea. But when it comes to crypto or security, you’d better use some canned libraries. Also because of due diligence in corporate environments.

ordnungswidrig 2021-02-04T10:48:46.271Z

Saying that “#4” might be the best option in the long run.

ordnungswidrig 2021-02-04T10:49:00.271300Z

(or #3)

slipset 2021-02-04T10:49:57.272900Z

The reason this came up is that we ran lein-nvd on our backend, and it showed, well, more than three CVEs, so there is some work ahead.

jkxyz 2021-02-04T10:50:49.273800Z

Well, Friend is just calling a fn in some Java lib to verify the password and hash, and returning a map or nil https://github.com/cemerick/friend/blob/master/src/cemerick/friend/credentials.clj#L20

jkxyz 2021-02-04T10:51:26.275Z

IIRC Buddy is more pluggable in that it has a separate hashing library which plugs into the auth stuff

slipset 2021-02-04T10:51:28.275200Z

(btw I used a patched version with this PR https://github.com/rm-hull/lein-nvd/pull/43, the patch is quite neat as it gives you not only the vulnerabilities, but the libs that include them)

ordnungswidrig 2021-02-04T10:51:53.275700Z

@josh604 nice. Pluggability for the win!

borkdude 2021-02-04T11:00:14.276500Z

You can also use all of these hashing functions from babashka via https://github.com/babashka/pod-babashka-buddy

jkxyz 2021-02-04T11:02:58.277Z

Nice “plug” 😉

🔌 3

2021-02-04T12:09:39.277300Z

Cider has an option of clearing its buffers past a certain threshold. Would likely mitigate this

👍 1

ordnungswidrig 2021-02-04T16:44:47.277600Z

@hkjels I will dig into that