Programming thread

[${Sandy}]

>Read the docs
>Do exactly what it says
>Doesn't work

Every fucking time

 

[Goose the Redeemer]

If you want some help with that book/guide/whatever, I'd gladly contribute.

I think the thing that I need help with the most is seeing the language as something other than a joke.

I read a section from "the book" every now and then and I usually end up questioning how anyone takes this seriously. It has to be a joke, like when some guy shows off his Minecraft server that he wrote in Brainfuck or whatever. Even just the installation instructions; curl some script from a totally legitimate looking URL and pipe it directly into sh, you don't need to read it first it's just a silly little shell script, just put your password in when it asks... I might only have 4 satoshis in my wallet, but I'll be damned if I'm letting some lobster steal them!

Given how much they go on about the built-in package manager being a feature and complaining that C doesn't have one, I would not expect "check your package manager" to be an alternative installation method, especially on Linux.

Other than that, it will probably be a while before I finish my current project, and it will likely end up getting tied to my real name so I don't know how directly I want it to be tied to this forum. Thanks for the offer anyway, I'll let you know closer to the time if I change my mind (and if I remember).

 

[${Sandy}]

>Read the docs
>Do exactly what it says
>Doesn't work

Every fucking time

Did everything right except for one thing.

/* const users = db.collections('users');
wrong
*/

const users = db.collection('users'); //right

None of the error messages were telling me about this very subtle fucking mistake.

 

[stares at error messages]

Ahahaha, yeah, NetworkManager is so bad it makes systemd-networkd look good. At least, when I use systemd unit files, the behaviour is what I expect. NM seems to be a fractal of bad design, doing arbitrary things for no discernible reason.

/dev/sd* is ordered in the order the devices start up. It's a kernel behaviour. IDK why you don't experience it in non-RH distroes; I've gotten it in Arch, Debian, Gentoo... I actually knew one of my drives was dying because it would occasionally take a while to start and screw up order. For everything from Grub onward, you really ought to be identifying drives at least by LABEL if not UUID. GPT PARTLABEL and PARTUUIDs are also great for this.

The only one time I used /dev/ mappings I felt like a retard when I realised I hadn't used UUIDs and then changed it back manually. You always got to use UUID.

 

[Belisarius Cawl]

I was thinking about what I wrote earlier and Python does actually have something that loosely corresponds to Ruby's case statement since 3.10:

https://benhoyt.com/writings/python-pattern-matching/

It's kind of scuffed compared to being able to use === in a more or less uniform way (and also Ruby has had structural pattern matching since 2.7 I just learned) but it's there.

 

[args]

curl some script from a totally legitimate looking URL and pipe it directly into sh, you don't need to read it first it's just a silly little shell script, just put your password in when it asks... I might only have 4 satoshis in my wallet, but I'll be damned if I'm letting some lobster steal them!

Given how much they go on about the built-in package manager being a feature and complaining that C doesn't have one, I would not expect "check your package manager" to be an alternative installation method, especially on Linux.

There are many good reasons to dislike curl | sh installations, but I never understood this one. When you install a package from a package manager you're still running arbitrary scripts and binaries required for that package on your system.
It's the same chain of trust, just with more people in between.

 

[Goose the Redeemer]

It's the same chain of trust, just with more people in between.

But it's the people in between that I trust. I don't trust the source at all. The packages from the official repository are signed with keys that are regularly rotated, and I believe there are also checksums to verify integrity too. There's a lot more that has to go wrong for malware to make it into the official repositories. One of the benefits of a package manager is that it does all of this stuff for the user, none of which is done for this script.

It wasn't even about the potential malware, but the insanity of it. Most of the script seems to be checking if certain commands are available and trying to detect the host architecture/operating system so it can download the appropriate binary (which is the actual installer). The script exists to solve a problem that was already solved by the package manager.

 

[args]

But it's the people in between that I trust. I don't trust the source at all. [...] There's a lot more that has to go wrong for malware to make it into the official repositories.

The XZ Utils backdoor should be a reminder that you can't trust the vetting process of official repos or the vendor. LTS Repositories that pride themselves for their long term security have and will be backdoored - just like installer scripts or binaries you download from official websites have been compromised.

The script exists to solve a problem that was already solved by the package manager.

The problem would've been solved if there existed one (singular) package manager everyone uses. Instead we live in a world where vendoring packages for package managers is such a notorious pain in the ass that nobody wants to do it.
curl | sh installs really do suck but they have their usecases.

 

[Belisarius Cawl]

The problem would've been solved if there existed one (singular) package manager everyone uses. Instead we live in a world where vendoring packages for package managers is such a notorious pain in the ass that nobody wants to do it.
curl | sh installs really do suck but they have their usecases.

I have similar feelings about the AppImage format but sometimes I just can't be fucked to do things in a better way

 

[y a t s]

I remember reading about a type of attack that sends a different (would be malicious) script when the server detects use of curl vs a browser or wget. Always look over the shit you run in your shell.

 

[Belisarius Cawl]

I remember reading about a type of attack that sends a different (would be malicious) script when the server detects use of curl vs a browser or wget. Always look over the shit you run in your shell.

I remember spoofing User-Agent to scrape porn pics when I was in my late teens / early 20s. Same principle to avoid that attack?

 

[y a t s]

I remember spoofing User-Agent to scrape porn pics when I was in my late teens / early 20s. Same principle to avoid that attack?

I believe so, yes. Though I'm sure there are other more autistic ways to sniff out curl users.

The best way to avoid such an attack is pipe the script (curl output) to a file, read over the file to make sure there's nothing fucky in there, set executable, and then run it from the file.

Don't trust; verify.

 

[DavidS877]

I believe so, yes. Though I'm sure there are other more autistic ways to sniff out curl users.

The best way to avoid such an attack is pipe the script to a file, read over the file to make sure there's nothing fucky in there, set executable, and then run it from the file.

Don't trust; verify.

I'm reminded of this:

https://github.com/jlk/install_fixer

 

[Felis Meanis]

I can't say for sure if this article fits this thread, but I was impressed enough by the Swedish reporting of it to post it here:

LLaMA language model tamed by ancient Windows 98 computer with 128MB RAM - The groundbreaking BitNet architecture is key to CPU-friendly AI

"In brief: A group of artificial intelligence researchers has demonstrated running a powerful AI language model on a Windows 98 machine."

To think that such relatively old hardware could perform such great tasks. While it may be a superfluous statement, I suppose it bears mentioning that optimization really is at the core of efficient programming.

 

[Belisarius Cawl]

I'm reminded of this:

https://github.com/jlk/install_fixer

"In brief: A group of artificial intelligence researchers has demonstrated running a powerful AI language model on a Windows 98 machine."

To think that such relatively old hardware could perform such great tasks. While it may be a superfluous statement, I suppose it bears mentioning that optimization really is at the core of efficient programming.

I imagine this still means running not training? I remember running YOLO for object recognition on a Pi some years ago but I can't imagine it could ever train such a model.

 

[y a t s]

I can't say for sure if this article fits this thread, but I was impressed by the Swedish reporting of it to post it here:

LLaMA language model tamed by ancient Windows 98 computer with 128MB RAM - The groundbreaking BitNet architecture is key to CPU-friendly AI

"In brief: A group of artificial intelligence researchers has demonstrated running a powerful AI language model on a Windows 98 machine."

To think that such relatively old hardware could perform such great tasks. While it may be a superfluous statement, I suppose it bears mentioning that optimization really is at the core of efficient programming.

Here is a little blog post writeup they did on it

I imagine this still means running not training? I remember running YOLO for object recognition on a Pi some years ago but I can't imagine it could ever train such a model.

Yeah, it's disk-to-memory stuff, so any kind of training setup someone managed to pull off would be painfully inefficient. I'd hesitate to say it's impossible.

 

[Felis Meanis]

I imagine this still means running not training? I remember running YOLO for object recognition on a Pi some years ago but I can't imagine it could ever train such a model.

You're probably correct in your assumption, though you shouldn't put too much stock into my interpretation of technical news such as this... :-)
I'm very much a layman in these kinds of matters, after all.

Here is a little blog post writeup they did on it

Indeed, this is the link they provided in the article.

"If you're keen to join the locally-run models revolution, EXO Labs is actively seeking contributors. Just check out the full blog post to get a better idea of the mission."

Still, even if it's "just" a matter of running these AI models on this relatively old hardware, I still think it's a pretty kewl achievement.

 

[Belisarius Cawl]

Yeah, it's disk-to-memory stuff, so any kind of training setup someone managed to pull off would be painfully inefficient. I'd hesitate to say it's impossible.

With a long enough memory tape and time, anything (computable) is possible

Still, even if it's "just" a matter of running these AI models on this relatively old hardware, I still think it's a pretty kewl achievement.

I agree. I didn't expect to see anything like it. It does make the "democratization" of LLMs talked about in the article only partial though as you still might have to rely on cucked models produced by those with lots of resources.

 

[GNU Abyss]

I remember reading about a type of attack that sends a different (would be malicious) script when the server detects use of curl vs a browser or wget. Always look over the shit you run in your shell.

Is it this (A)? It's more of a bash detection through network buffer fuckery and a sneaky sleep command.

 

[y a t s]

Is it this (A)? It's more of a bash detection through network buffer fuckery and a sneaky sleep command.

Yeah that was it. I had remembered something about the fancy pipe detection stuff, but I wasn't sure. Kudos.