til

Today I Learned

  • developer.mozilla.org Private properties - JavaScript | MDN

    Private properties are counterparts of the regular class properties which are public, including class fields, class methods, etc. Private properties get created by using a hash # prefix and cannot be legally referenced outside of the class. The privacy encapsulation of these class properties is enfo...

    0
  • TIL: Go is actually pretty amazing

    I am able to use different programming languages. I know most of the well-known languages without any problems: C, C++, Java, Python, JavaScript, Typescript, PHP...

    However, I wanted to expand my horizon. Zig didn't do much for me, and neither did Rust, but now that I've written some Golang, I admit I'm intrigued by the language.

    I love the fact that it's compiled to native machine language. There is still one caveat: despite Go being a GC language, you often still need to manage your memory. Sounds strange, right? But I needed to use io.Copy instead of io.ReadAll to avoid memory issues. You also need to explicitly call defer res.Body.Close() to avoid Go not cleaning up the HTTP response. Oh well, so you learn it the hard way. Overall, I'm still very optimistic about Go, and looking forward to using it more often in some of my open-source projects.

    See my first project in Go, which I wrote in 3 days: https://gitlab.melroy.org/melroy/gitlab-artifact-deployer-go

    Did you try Go? What are your thoughts?

    33
  • A friendly reminder that you can actually click "Reject all" cookies and still use all the Google services

    https://www.performancemarketingworld.com/article/1754300/reject-cookies-new-google-button-makes-privacy-easier-%E2%82%AC150m-fine

    1
  • Each AI generated polar bear, kills one real polar bear.

    Each AI generated polar bear, kills one real polar bear.

    #meme #ai #generated #gemini #openai #dall-e #dalle #midjourney #stablediffusion #chatgpt #deepmind #polar #bear #climatechange #climate #heat #til

    17
  • Today I learned there are $/€ 35 WiFi 6 routers

    So thanks to OpenWRT (it's a fork but still..), we have a Banana Pi Wifi 6 router for just 35 dollars/euros.

    3
  • DistroHopping: Void Linux?

    I have used many, many distros in the past, from Debian to Gentoo, from Ubuntu to Arch, etc. But I need a system that works and does the job well, hence I've been using Linux Mint for the past few years. Linux Mint XFCE Edition, to be precise.

    However, always towards the end of the Linux Mint support cycle, I run into the issue that it's based on Ubuntu LTS, also known as long term support (instead of the latest release), causing a lot of issues in my daily work.

    I just want to use the latest clang-format & compiler. Or a newer GCC compiler. And/or other tools I love and use on a daily basis... The problem is that now I need to add a lot of manual package repos / PPAs to get the version I want. Furthermore, it sometimes introduces package conflicts. Do NOT get me started on PHP8 from ondrej + Wine stable from WineHQ.

    I do not want an unstable distro like Arch; my time is limited (sorry, Arch lovers). I also tried Manjaro. It also broke my system once, I think. I do like Manjaro, but I like Linux Mint a bit more, except at the end of the support cycle (where we are now).

    That all being said, I think I'm ready for something new... Void Linux! That is right, I think I will move over to Void Linux, created from scratch. It uses a rolling release, but is focused on stability (we will see). It therefore also uses its own package manager (XBPS), as well as its own init system: "runit". Non-free packages might be a bit harder to find, but I mainly use VSCodium, Element (Matrix), Nextcloud, KeePass, Firefox, Telegram, Transmission, Wine (Windows games :P), Mumble, Inkscape and of course various dev tools: npm, go, php, gcc/clang, pip, you name it... I use them all. I think Void Linux will be a good fit. I will keep you posted.

    Feel free to leave a comment if you have ideas/feedback or your own story about the distro you're using. Are you planning to distro hop again?

    6
  • TIL: Using Inkscape instead of GIMP

    I used to work with Photoshop for years (industry standard, I thought). Moving to Linux, GIMP was the next logical step. I was never good at manually drawing vectors or embracing vector image manipulation tooling in general, which I regret now, since I didn't move to Inkscape from day one. Yes, I used Inkscape back and forth, but I used GIMP more in the past years.

    Inkscape is 20 years old and has improved a lot in terms of usability in the past 10 years! I still think the right-sidebar options are too hidden, to be honest. For some reason unknown to me, the Inkscape UI was just confusing for me. But I'm getting the hang of it now (I think :D). Except exporting to plain SVG is still a bit strange, where the image size I entered does not become the SVG document size during an SVG export. Inkscape still has a lot of room for improvement in those kinds of areas.

    That being said, I embrace SVG images more and more! I use it for business logo designs and recently also for Mbin logo designs.

    I'm not going back to Gimp for logos that is for sure. And you shouldn't either, use Inkscape!

    1
  • 🩸 A Killing In The Market 📈

    🩸 A Killing In The Market 📈

    (or)

    that time in the 1820s when war was traded openly on the stock market 💀

    New comic ⬇️ <https://www.historyshapes.com/a-killing-in-the-market/>

    @[email protected]

    #History #Histodons #Comics #WebComics #Cartoons #TIL #TodayILearned #DidYouKnow #DYK #Greece #GreekIndependence #OttomanEmpire #1820s #UKHistory #EuropeanHistory #England #EnglishHistory #BritishHistory #ComicStrip

    0
  • Til: data harvesting inside Ledger Live app

    protos.com Researcher finds data harvesting inside Ledger Live app

    Ledger Live, the most popular crypto hardware wallet software, is tracking and transmitting sensitive user data to third parties.

    0
  • Optimizing PostgreSQL is key

    If you are running big applications on top of PostgreSQL or have a lot of queries, your performance might be impacted. By default, the PostgreSQL configuration is, to say the least, less than ideal. The same is true for MariaDB, but that is out of scope now.

    Performance fine-tuning your server configuration is key for better overall improvements and making the best use of your hardware! Increasing several key configuration settings in PostgreSQL can already make a huge impact! In the guide below I explain which configuration you need to pay extra attention to, and also advise increasing huge pages under Linux when you're using PostgreSQL, or MariaDB for that matter.

    Please follow the latest PostgreSQL configuration I shared here for Mbin specifically, which can be applied to any application using a PostgreSQL DB: https://github.com/MbinOrg/mbin/blob/main/docs/admin_guide.md#postgresql-configuration

    For more information on fine-tuning MariaDB, Nginx, PHP or other Linux kernel configurations, I advise you to check out my snippets on my GitLab instance: https://gitlab.melroy.org/-/snippets/609, https://gitlab.melroy.org/-/snippets/92, https://gitlab.melroy.org/-/snippets/87

    2
  • you can use a ! in front of a lemmy link.

    2
  • Use env variables in Docker Compose file

    Some people might think you can only use or set environment variables of a service in Docker Compose, e.g.:

    ```
    my-service:
      image: lts-alpine
      environment:
        MY_SECRET_KEY: ${MY_SECRET_KEY}
    ```

    But the same ${} syntax can be used to set the version of the PostgreSQL Docker image, like in this example below:

    ```
    my-service:
      image: postgres:${POSTGRES_VERSION:-13}-alpine
    ```

    If nothing is set, version 13 is the fallback value. Now you can set the POSTGRES_VERSION environment variable via your shell, or leverage the .env file of Docker:

    ```
    POSTGRES_VERSION=16
    ```

    When running: docker compose --env-file .env up, Docker should now use PostgreSQL v16 Alpine as Docker image.

    Bonus: The docker-compose.yml filename is an old filename; use compose.yml from now on. The same goes for other Compose files like compose.override.yml.

    More info: https://docs.docker.com/compose/environment-variables/set-environment-variables/

    1
  • TIL: Merge a specific commit from another Git remote

    When you want to cherry pick a specific commit from another remote, you do NOT need to manually copy files or fetch a patch. It's git after all...

    So when I want to cherry-pick a commit from Kbin and merge it back into Mbin (in cases where we want those changes in Mbin as well), I can use git cherry-pick.

    But first follow the steps below, which assume you have already cloned the Mbin repository locally and are in the working directory of Mbin (e.g. on the main branch):

    ```
    git remote add kbin https://codeberg.org/Kbin/kbin-core.git
    git fetch kbin
    git checkout -b call-it-what-you-want # Creates a new local feature branch

    # Now check the log on the other remote and other branch
    git log kbin/develop

    # Finally, cherry-pick the commit you want; use the commit hash here
    git cherry-pick <commit_hash>
    ```

    3
  • TIL: Mbin is using Referer headers, change security headers

    To all instance owners. If you are using Nginx and use the following security header:

    ```
    add_header Referrer-Policy "no-referrer" always;
    ```

    Please, consider changing this setting to (note: same-origin):

    ```
    add_header Referrer-Policy "same-origin" always;
    ```

    This should be safe enough for users, while also fixing all the redirect issues users (or you) might experience with your own Mbin instance.

    Referer headers are used to store the previously requested pages/URLs. This can be used to navigate back to where the user came from. There are also alternative methods, like putting this information in the query string or adding a cookie or session data.

    Either way, for now consider changing to same-origin when using Mbin.

    PS: if you are using Apache or Caddy... well, you know what to do ^^

    0
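    Added example, not code from the post or from Mbin: a small Python model of what the browser puts in the Referer header under the two policies discussed (plus the browser default), for a same-origin login redirect on an instance and for an outbound link. It shows why no-referrer leaves the app with nothing to redirect back to, while same-origin still sends nothing to third-party sites; the hostnames are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example, not code from the post: models the Referer value a browser
# sends under several Referrer-Policy values, following the W3C Referrer
# Policy rules (same origin = same scheme, host and port). Hosts are constructed.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> str:
    """scheme://host[:port], omitting the scheme's default port."""
    p = urlsplit(url)
    if p.port is None or p.port == DEFAULT_PORTS.get(p.scheme):
        return f"{p.scheme}://{p.hostname}"
    return f"{p.scheme}://{p.hostname}:{p.port}"


def stripped_url(url: str) -> str:
    """Full URL as sent in Referer: credentials and fragment removed."""
    p = urlsplit(url)
    host = origin(url).split("://", 1)[1]
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def referer_for(policy: str, source: str, dest: str):
    """Referer value (or None) for a navigation from source to dest."""
    same_origin = origin(source) == origin(dest)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme == "http"
    if policy == "no-referrer":
        return None                       # header is never sent
    if policy == "origin":
        return origin(source) + "/"       # origin only, even on same-origin
    if policy == "same-origin":
        return stripped_url(source) if same_origin else None
    if policy == "strict-origin-when-cross-origin":   # current browser default
        if same_origin:
            return stripped_url(source)
        return None if downgrade else origin(source) + "/"
    raise ValueError(f"unsupported policy: {policy}")


def mbin_login_flow(policy: str):
    """What the app sees when a user goes from a magazine page to /login on the same host."""
    return referer_for(policy, "https://mbin.example/m/til?page=2#top",
                       "https://mbin.example/login")


def outbound_link(policy: str):
    """What a third-party site sees when a user follows a link out of the instance."""
    return referer_for(policy, "https://mbin.example/m/til",
                       "https://other.example/article")


if __name__ == "__main__":
    for pol in ("no-referrer", "same-origin", "strict-origin-when-cross-origin"):
        print(f"{pol:32} login redirect: {mbin_login_flow(pol)!r:40} outbound: {outbound_link(pol)!r}")
```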
  • TIL: YouTube blocks adblockers

    Yes, I also saw the popup today. YouTube is trying to block me because of uBlock Origin. I will move away from YouTube if I can't use an ad blocker anymore.

    5
  • TIL Bun v1.0.3 is out, but not ready for production

    Today Bun v1.0.3 has been released. But it's still not ready for production in most cases. E.g. the cluster module is not implemented yet.

    I also wrote a blog post about Bun (the pros and cons): https://blog.melroy.org/2023/bun-v1.0/

    Whether you will try to migrate to Bun is up to you; just know that Bun isn't a full drop-in replacement for NodeJS. Maybe it never will be? Just like Deno is also not a replacement for Node.

    2
  • TIL AMD Zen2 processors are bleeding as well

    The new AMD vulnerability discovered by @taviso and his team makes all AMD Zen 2 processors vulnerable. Also known as Zenbleed.

    I compiled the demo code and there we go, I can see a lot of information getting leaked from memory. Not great; it's basically the AMD variant of the Meltdown/Spectre bug. It uses, however, an "optimization" instruction (cvtsi2sd) to trigger the vulnerability in the CPU, allowing it to read 30kb/core/second of data. No special permissions required. Works on all platforms, all operating systems, VM or Docker, it doesn't matter...

    This vulnerability was found using fuzzing, which is an automated way of injecting wrong input values and seeing when or if something breaks.

    Currently only EPYC processors have received a fix. All other AMD Zen 2 processors are still fully vulnerable. There are also no BIOS firmware updates yet. I doubt whether this premature public release from AMD was intentional or not...

    More info: https://lock.cmpxchg8b.com/zenbleed.html

    17
  • TIL how to enable HTTP/3 and QUIC on Nginx. AND WHAT IS IT?

    Officially, HTTP/3 has already been released since 2022, but Nginx still hasn't created a stable release with HTTP/3 and QUIC support.

    However... I'm now using the so-called mainline Nginx repository to get the latest Nginx version, which I use on all my domains as my primary reverse proxy software. I have now enabled HTTP/3 and QUIC on all my domains, incl. kbin.melroy.org.

    What are HTTP/3 and QUIC?

    That is a great question! Currently, if you browse a site with HTTPS (TLS) enabled, like basically every website nowadays... the browser starts with a TCP connection towards the server, then a response comes back, then a whole TLS sequence goes back and forth again between you and the server, and finally the actual data you want to request and receive.

    HTTP/3 and QUIC combined will change all this to just 2 requests in total instead of 4 requests. QUIC also uses UDP instead of TCP. See the attachment. I won't go into more detail.

    TL;DR: browsing the encrypted web has just become faster again.

    1
  • TIL of COCONUTS-2b, a giant gas planet that takes over 1 million years to orbit around its star

    2
  • TIL getting continuous integration working on Codeberg

    Today I got the CI/CD pipeline of Codeberg Actions working on the Codeberg kbin project. It is actually based on GitHub Actions.

    I'm running my own forgejo-runner, and registered a new runner that works together with Codeberg.org. Now new jobs will automatically be picked up by my runner. This is required to avoid regressions on PRs, and to automatically run builds and various tests. In the future, also to deploy to acceptance environment(s).

    The Actions tab is now also enabled in the kbin project, showing the currently running jobs or completed jobs.

    I'm leveraging Docker for the build and unit-test jobs. Currently this requires NodeJS, Yarn and PHP in a single Docker image. Forgejo runners can also accept LXC containers, but that comes with vulnerability issues, so I only allow Docker.

    Officially, Codeberg/Forgejo Actions is still in early beta. They don't provide hosted runners yet. That all being said, it seems to work fine for now. I'm trying to talk with the Forgejo developers to also get the cache action working, since we currently have an issue with that. Caching should allow us to have faster CI/CD runs and less load on the NPM and Composer package registries.

    0
  • TIL Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field - sh.itjust.works

    sh.itjust.works (URGENT) Lemmy has an XSS vulnerability in the tagline, the sidebar and in the legal information field - sh.itjust.works


    DO NOT OPEN THE “LEGAL” PAGE — lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar. It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars. [https://sh.itjust.works/pictrs/image/707c0f16-3d5c-4888-b865-34228d968ee6.png]

    EDIT: the exploit is also in the tagline that appears on top of the main feed for status updates, like the following one for SDF Chatter: [https://sh.itjust.works/pictrs/image/2dc8838f-4611-4b62-92d2-ab45d7b1c560.png] [https://sh.itjust.works/pictrs/image/9195ec9c-166e-4190-a991-26d218089602.png]

    EDIT 2: The legal information field also has that exploit, so that when you go to the “Legal” page it shows the HTML unescaped, but fortunately (for now) he’s using double-quotes. "legal_information":" !" onload="if(localStorage.getItem(h) != true){document.body.innerHTML = \u003Ch1\u003ESite has been seized by Reddit for copyright infringment\u003C\u002Fh1\u003E; setTimeout(() =\\u003E {window.location.href = https:\u002F\u002Flemmy.world\u002Fpictrs\u002Fimage\u002F7aa772b7-9416-45d1-805b-36ec21be9f66.mp4}, 10000)}"

    2
  • TIL of Cáin Adomnáin, "Europe's first human rights treaty". Created in 697 CE, it was a set of laws - which kings across Ireland & Scotland agreed to follow - guaranteeing the safety of non-combatants in war

    >The Cáin Adomnáin, also known as the Lex Innocentium (Law of Innocents), was promulgated amongst a gathering of Irish, Dál Riatan and Pictish notables at the Synod of Birr in 697. It is called the “Geneva Accords” of the ancient Irish and Europe’s first human rights treaty, for its protection of women and non-combatants, extending the Law of Patrick, which protected monks, to civilians. The legal symposium at the Synod of Birr was prompted when Adomnáin had an Aisling dream vision wherein his mother excoriated him for not protecting the women and children of Ireland.

    0
  • TIL Lemmy.world got hacked - Details

    Lemmy was/is vulnerable to XSS attacks.

    Hackers try to inject JavaScript code that tries to steal your (ideally admin) cookie credentials. It seems that the admin account of lemmy.world was compromised this way (MichelleG). Other instances aren't safe either. This could point to the custom emojis feature in federated comments, meaning a lot of external instances could be affected by now.

    Incorrect escaping of user input data could lead to these issues. Kbin just recently discovered a similar regression issue, which has been solved by now. But it seems that Lemmy was or still is vulnerable to this attack vector.

    Mitigation action for Lemmy users: You might want to disable JavaScript in the meanwhile.

    Mitigation action for Lemmy server owners: Disable custom emoji:

    ```
    DELETE FROM custom_emoji_keyword;
    DELETE FROM custom_emoji;
    ```

    Clean-up the exploit content:

    ```
    UPDATE comment SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
    UPDATE private_message SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
    UPDATE post SET body = '<REMOVED BY ADMIN>' WHERE body LIKE '%![" onload%';
    UPDATE post SET name = '<REMOVED BY ADMIN>' WHERE name LIKE '%![" onload%';
    ```

    Rotate your JWT secret (invalidates all current login sessions):

    ```
    UPDATE secret SET jwt_secret = gen_random_uuid();
    ```

    Note: Even just opening a link to a vulnerable Lemmy instance could allow hackers to steal your cookies or session credentials. Therefore I will not share, or allow people to share, URLs of compromised / vulnerable instances.

    6
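    Added example, not from the post and not Lemmy's code: a Python scan over constructed sample rows that applies the same `![" onload` match as the UPDATE statements above, and additionally flags any markdown image whose alt text closes a quote and opens an on* handler attribute, so it goes a little beyond the fixed LIKE pattern (it covers the onload variant the earlier tagline/sidebar post describes as well as onerror-style siblings). Table and column names follow the SQL above; the row contents are constructed.

```python
import copy
import re

# Added example, not Lemmy's code. Constructed sample rows standing in for the
# comment / private_message / post tables named in the SQL above.
_SAMPLE_ROWS = {
    "comment": [
        {"id": 1, "content": "Nice write-up, thanks!"},
        {"id": 2, "content": 'look ![" onload="x"](https://example.invalid/a.png)'},
    ],
    "private_message": [
        {"id": 3, "content": 'see ![an "quoted" alt](https://example.invalid/c.png)'},
    ],
    "post": [
        {"id": 7, "name": "Weekly thread", "body": "What did you learn today?"},
        {"id": 8, "name": "hi", "body": '![pic" onerror="x"](https://example.invalid/b.png)'},
    ],
}

EXACT_MARKER = '![" onload'  # the literal the LIKE '%![" onload%' clause matches
# Broader check: a markdown image whose alt text breaks out of a quoted
# attribute and starts any on* event handler (onload, onerror, onmouseover...).
EVENT_ATTR_IN_IMAGE = re.compile(r'!\[[^\]]*"\s*on[a-z]+\s*=', re.IGNORECASE)
COLUMNS = {"comment": ("content",), "private_message": ("content",), "post": ("name", "body")}
REPLACEMENT = "<REMOVED BY ADMIN>"


def sample_rows():
    """Fresh copy of the constructed rows, so clean() can mutate safely."""
    return copy.deepcopy(_SAMPLE_ROWS)


def is_suspicious(text) -> bool:
    text = text or ""
    return EXACT_MARKER in text or EVENT_ATTR_IN_IMAGE.search(text) is not None


def scan(rows):
    """Report {table: [ids]} of rows that would be flagged, without changing them."""
    hits = {}
    for table, records in rows.items():
        for rec in records:
            if any(is_suspicious(rec.get(col)) for col in COLUMNS.get(table, ())):
                hits.setdefault(table, []).append(rec["id"])
    return hits


def clean(rows) -> int:
    """Apply the same per-column replacement the UPDATE statements do; returns fields changed."""
    changed = 0
    for table, records in rows.items():
        for rec in records:
            for col in COLUMNS.get(table, ()):
                if is_suspicious(rec.get(col)):
                    rec[col] = REPLACEMENT
                    changed += 1
    return changed


def run_cleanup():
    """Scan, then clean, a fresh copy of the sample rows; returns (hits, changed, rows)."""
    rows = sample_rows()
    hits = scan(rows)
    return hits, clean(rows), rows


if __name__ == "__main__":
    hits, changed, _ = run_cleanup()
    print("flagged:", hits, "| fields replaced:", changed)
```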
  • TIL that errors are easily made

    Without proper CI/CD workflow jobs, errors are easily made without noticing it (or noticed too late). Especially when multiple developers are contributing towards your code base. Maybe your project is open-source?

    When developing in a (large) piece of software, automated building & testing are crucial aspects to avoid regression impact of the code archive and even deployment.

    The latest best practices are to set up good and stable continuous integration. Ideally, also add a continuous delivery setup for your project. This means that each pull request you receive will automatically try to build, test and deploy the code. With testing I mean unit testing, functional tests, integration and E2E tests. And maybe UI tests if your application has a frontend as well.

    Personally, I use GitLab for all my own projects. GitLab has a great CI/CD pipeline feature built into their software. I'm running multiple GitLab runners, ready to pick up requests, which could be a unit test running in a Docker container, a software build using the GCC compiler, or deploying my code live towards dev, acc and production.

    Lacking such a well-thought-out CI/CD pipeline might result in build issues, regression issues or, in the worst case, downtime or unhappy users. Try to avoid this by using CI/CD for each of your open-source projects.

    Have fun programming!

    0
  • TIL how-to disable a magazine on /kbin

    Kbin moderation tools are still in the making. In the meanwhile Kbin admins should not be afraid of PostgreSQL....

    TIL that the magazine table has a visibility column that can be set to "trashed". It will not remove the magazine, but it will hide the magazine on your site.

    You can use the psql command to log in with your username/password credentials (e.g. psql -U kbin, or using the default user: psql -U postgres). Then connect to the kbin database using: \c kbin. Then try this SQL query:

    ```
    UPDATE magazine SET visibility = 'trashed' WHERE name = '[email protected]';
    ```

    Replace the name with the magazine you want to hide on your server. You can exit psql using \q.

    0
  • TIL that Lemmy.ml is actively blocking user-agent string kbin

    One of the main instances of Lemmy (lemmy.ml) is blocking 'kbinbot' user agent requests on their instance. Basically, they are blocking kbin instances. This is not a bug, but on purpose.

    I couldn't find anything related in their source code, so this block is only present on lemmy.ml (or maybe some other Lemmy instances).

    This is causing quite a lot of federation issues with Kbin instances, resulting in various failed messages (from the messenger handler).

    ```
    $ curl -I --user-agent "kbinbot" https://lemmy.ml
    HTTP/2 403
    server: nginx
    date: Wed, 28 Jun 2023 18:35:27 GMT
    content-type: text/html
    content-length: 146
    vary: Accept-Encoding

    $ curl -I --user-agent "notkbin" https://lemmy.ml
    HTTP/2 200
    server: nginx
    date: Wed, 28 Jun 2023 18:35:42 GMT
    content-type: text/html; charset=utf-8
    content-length: 163388
    vary: Accept-Encoding
    x-powered-by: Express
    content-security-policy: default-src 'self'; manifest-src *; connect-src *; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'; frame-src *; media-src *
    etag: W/"27e3c-LCqXylkqSkDOy3K+3w2TijtMn14"
    strict-transport-security: max-age=63072000
    referrer-policy: same-origin
    x-content-type-options: nosniff
    x-frame-options: DENY
    x-xss-protection: 1; mode=block
    ```

    4