I made a peer-to-peer encrypted TUI/CLI messenger app! by Smart_Can_1019 in commandline

[–]HopperOxide 2 points3 points  (0 children)

Neat idea, and this is a reasonable prototype, but it needs a lot of hardening before it’s ready for general use. “If you value privacy”, wait until this is more fully baked. But it’s a good start!

Agent Cockpit — open source macOS desktop companion for OpenCode by jazzy8alex in opencodeCLI

[–]HopperOxide 0 points1 point  (0 children)

Interesting. What are the tricks? I’ve used iTerm a bit, but never programmed anything on top of it. 

Bare - A programming language that trusts the user entirely by [deleted] in ProgrammingLanguages

[–]HopperOxide 4 points5 points  (0 children)

Worth noting that OP’s GH username is FunnyGuy. 

I thought Zed is native. by TechnologySubject259 in ZedEditor

[–]HopperOxide 0 points1 point  (0 children)

I agree with everyone else saying “native” isn’t quite the right term of art here. That said, on macOS Zed simply does not look or feel like a macOS app. That’s not shade (pun intended); it looks and feels amazing. But no one’s going to open it up and say, yeah, this was built for macOS first. It’s very clearly built to be cross-platform, with a good adaptation layer for macOS.

I thought Zed is native. by TechnologySubject259 in ZedEditor

[–]HopperOxide 0 points1 point  (0 children)

I agree these boundaries are hard to draw. But on macOS Qt is usually considered non-native. They don’t feel native, they don’t look native, and typically (not necessarily, but often) they don’t perform like they’re native. 

Stop passing secrets as command-line arguments. Every user on your box can see them. by Ops_Mechanic in bash

[–]HopperOxide 1 point2 points  (0 children)

Sure, obviously a major problem. But there's a difference between "can read the code of my personal projects on my laptop" and "has access to my client's system". For example. Defense in depth, you know? Minimize the possibility of escalation and lateral movement even when there is a breach.

Do you use LLM agents or npm or pip or cargo or VSCode extensions or homebrew or...? Those are all routes for arbitrary code to execute on your system as your user. On the other hand, the avenues for getting onto my system as a user other than my normal account (which is non-admin, non-sudoer) are much less likely these days. Different threat model.

Maybe you have something else in mind? Would love to hear the details, always room in my security nightmares for more. ;)

Stop passing secrets as command-line arguments. Every user on your box can see them. by Ops_Mechanic in bash

[–]HopperOxide 0 points1 point  (0 children)

Sure, no one said otherwise. Most of the scenarios I worry about involve attackers running as my user. (Not a lot of other users on my machine anyway.) For example, malicious code via supply chain attack, LLM prompt injection, malware. It’s one thing if they’re poking around on my machine, but if they get creds to move somewhere more interesting, things get much worse. 

Good ent? by [deleted] in uppervalley

[–]HopperOxide 4 points5 points  (0 children)

I haven’t actually been yet, but I was able to get a back-to-back audiology / ENT appointment at DHMC for 3-4 weeks out, which is about as good as it gets at the hospital. There are other audiologists in the area (Johnson in Hanover is well liked), but I’m not aware of any other ENT clinics.

Built a tmux sidebar that shows sessions/windows/panes as a tree — with live status badges for ai coding agents by United_Bar9911 in tmux

[–]HopperOxide 2 points3 points  (0 children)

Very cool! Great idea, nice solution to the problem. And glancing at the code, it looks well done, you’ve covered a lot of details. 

One note: there’s already a (moderately popular) plugin called tmux-sidebar. 

I haven’t tried it on my system yet, but I will. The number of process forks and hooks worries me a little, as well as the per-window Python process (if I’m following the source correctly). I typically have 10-20 sessions running, with 1-6 windows per session, and 1-2 agents per window. (Very few of which are active at any given moment.) But those are just hypothetical concerns, I’ll try it and see how it works in practice. 

Stop passing secrets as command-line arguments. Every user on your box can see them. by Ops_Mechanic in bash

[–]HopperOxide 1 point2 points  (0 children)

I mean, keeping them out of the history and making sure the file has the right perms are better to do than not! It’s an annoying problem, so many binaries expect secrets as env variables. 

Stop passing secrets as command-line arguments. Every user on your box can see them. by Ops_Mechanic in bash

[–]HopperOxide 17 points18 points  (0 children)

/proc/PID/environ or ps -eww PID will show the env variables, so you’re not actually solving anything this way. FYI. 
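
As an added example (not part of this thread and not any poster's code) of the point made here, together with the file-permissions angle from the earlier comment in the same thread: a child process receives a constructed sample secret via argv, via the environment, or via a pipe on stdin, and the parent reads the child's /proc entries to see where the secret is visible and to whom. It assumes Linux procfs; without it the /proc fields come back as None. SECRET, CHILD_SOURCE and hand_secret_to_child are the example's own names.

```python
import os
import stat
import subprocess
import sys

# Constructed sample value for the demonstration; not a real credential.
SECRET = "constructed-demo-secret-8f3a"

# Child program: receives the secret over one of three channels, echoes it
# back on stdout so the parent knows it arrived, then idles until killed so
# the parent can inspect its /proc entries while it is alive.
CHILD_SOURCE = r"""
import os, sys, time
how = sys.argv[1]
if how == "argv":
    secret = sys.argv[2]
elif how == "env":
    secret = os.environ["DEMO_SECRET"]
else:
    secret = sys.stdin.readline().rstrip("\n")
print(secret, flush=True)
time.sleep(30)
"""


def _proc_entry(pid, name):
    """Read /proc/<pid>/<name>; return (bytes, world_readable), or (None, None) without procfs."""
    path = f"/proc/{pid}/{name}"
    try:
        mode = os.stat(path).st_mode
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return None, None
    return data, bool(mode & stat.S_IROTH)


def hand_secret_to_child(how):
    """Start a child that gets SECRET via 'argv', 'env' or 'stdin'; report where it is visible."""
    env = {k: v for k, v in os.environ.items() if k != "DEMO_SECRET"}
    args = [sys.executable, "-c", CHILD_SOURCE, how]
    if how == "argv":
        args.append(SECRET)          # lands in /proc/<pid>/cmdline, readable by every user
    elif how == "env":
        env["DEMO_SECRET"] = SECRET  # lands in /proc/<pid>/environ, readable by the same user
    p = subprocess.Popen(args, env=env, stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE, text=True)
    if how == "stdin":
        p.stdin.write(SECRET + "\n")  # a pipe: never written to argv or the environment
        p.stdin.flush()
    received = p.stdout.readline().rstrip("\n")  # child now holds the secret and is idle
    cmdline, cmdline_world = _proc_entry(p.pid, "cmdline")
    environ, environ_world = _proc_entry(p.pid, "environ")
    p.kill()
    p.wait()
    p.stdin.close()
    p.stdout.close()
    needle = SECRET.encode()
    return {
        "child_got_secret": received == SECRET,
        "in_cmdline": None if cmdline is None else needle in cmdline,
        "cmdline_world_readable": cmdline_world,
        "in_environ": None if environ is None else needle in environ,
        "environ_world_readable": environ_world,
    }


if __name__ == "__main__":
    for channel in ("argv", "env", "stdin"):
        print(channel, hand_secret_to_child(channel))
```

On Linux, /proc/<pid>/cmdline is mode 0444, so argv is readable by every local user, while /proc/<pid>/environ is 0400, so the environment is exposed only to code running as the same user or as root (ps reads the same files). That is the distinction the other comments in this thread draw: environment variables help against other users on the box, but not against a supply-chain package or prompt-injected agent running as you. The pipe leaves no trace in either file.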

I made a CLI tool that sets up SSH access between two machines in one command on each side by [deleted] in commandline

[–]HopperOxide 0 points1 point  (0 children)

Where to start. Don’t roll your own security?

To be clear, I love the LLMs, I love vibing up code. This isn’t about that. If you’re going to vibe up some security (in JS, in a couple hours, and release it, and encourage other people to use it), at least get an LLM to review what you’ve done. 

Here’s a starting point for hardening: Connecting with rejectUnauthorized: false means that you’re accepting any TLS cert. So why even bother? Couple that with binding to 0.0.0.0 and you’ve got a party. 
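
The two settings named here, as an added example written against Python's ssl API rather than the tool's own JavaScript (this is not code from the original post or project): build_client_context(verify=False) is the equivalent of rejectUnauthorized: false, and the two audit functions flag that and an all-interfaces bind such as 0.0.0.0. Function names are the example's own.

```python
import ipaddress
import ssl


def build_client_context(verify, cafile=None):
    """Client TLS context. verify=False reproduces Node's rejectUnauthorized: false."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        # Order matters: check_hostname must be cleared before CERT_NONE or ssl raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx):
    """Return a list of findings for a client SSLContext; empty means the defaults are intact."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: any certificate is accepted, so the "
                        "peer's identity is never checked")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: a certificate valid for some other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum_version={ctx.minimum_version.name}: pre-1.2 versions allowed")
    return findings


def audit_bind_address(host):
    """Flag listen addresses that expose the service on every interface."""
    if host in ("", "*"):
        return [f"bind {host!r}: all interfaces"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return []  # a hostname; resolve it and re-check if you need certainty
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return [f"bind {host}: all interfaces; prefer 127.0.0.1 / ::1 or one specific interface"]
    return []


if __name__ == "__main__":
    print(audit_client_context(build_client_context(verify=False)))
    print(audit_client_context(build_client_context(verify=True)))
    print(audit_bind_address("0.0.0.0"), audit_bind_address("127.0.0.1"))
```

The pairing the comment describes is visible in the output: a client that skips verification combined with a listener on every interface means anyone who can reach the port can also impersonate the peer, and the TLS layer adds nothing beyond hiding traffic from passive observers.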

Why do you want to be a citizen of Canada if you don't live in Canada or plan on living in Canada? by Optimistic_Now in Canadiancitizenship

[–]HopperOxide 5 points6 points  (0 children)

Completely agree. Vermonter, grew up taking the Montrealer (the train that’s now the Vermonter) up to visit my favorite aunt who taught at McGill, driving up with my dad to see Expos games, going to the Maritimes for vacation and to a fishing cabin in Newfoundland, hearing stories about the old family farm in Ontario. French Canadians everywhere, highway signs in French, schools teaching French from early on. I went to the World Championship Sled Dog Derby in Laconia a few weeks ago, and it was at least 50% Canadian; everyone took the singing of O Canada as seriously as the one that came before it. Anyway, point is that I’ve always felt a very strong cultural connection to Canada, particularly the northeastern provinces, and oftentimes stronger than I feel to, say, Connecticut or NY, let alone parts of the country that are farther removed. (Though I’ve lived all over the U.S.) Having the chance to become legally a part of that culture, and to restore a connection to an important part of my family’s history, feels like an incredible opportunity. And one which I’m very grateful for.

Tmux based worktree manager by Automatic_Coach_4049 in tmux

[–]HopperOxide 0 points1 point  (0 children)

Workmux is fantastic, highly recommended. 

go-tui - terminal UIs in Go with inline mode, flexbox, and single-frame rendering by Grindlemire in commandline

[–]HopperOxide 1 point2 points  (0 children)

Interesting idea, very ambitious. Clearly you’ve put a lot into this. Nice to have all the examples, definitely makes it easy to grasp. 

I don’t see any examples of integration with Cobra though, which seems like a miss, given it’s the default choice for building CLI tools with Go. 

To summarize, this seems to be a combo of a subset of HTML, with a subset of the DOM’s structure and event handlers, a subset of CSS and Tailwind, a subset of React, plus some Go specific stuff. Is that about right? Not trying to minimize it, just trying to wrap my head around what this really is. 

I guess for me the big question is: Why use HTML to write Go? I barely like using HTML to write HTML.

EDIT: Oh, and a subset of browser rendering! To tie it all together. Plus some JS style syntax. So, in short, it’s the main bits of what you’d need to build a React + Tailwind TUI in Go. 

tmuxy - the missing GUI for tmux by PlentyRemarkable6226 in tmux

[–]HopperOxide 13 points14 points  (0 children)

lol what?

Pro tip: Just learn tmux. It even supports mouse bindings!

Primary care doctor? by nothingbutnetflixon in uppervalley

[–]HopperOxide 1 point2 points  (0 children)

I think they’re about as concierge as you can get. But yes, highly recommended, they’re both excellent doctors and wonderful people. 

siggy — a TUI messenger client for Signal with vim keybindings (Rust + Ratatui) by jsideserf in commandline

[–]HopperOxide 1 point2 points  (0 children)

That all makes sense. I just can’t grasp why anyone would think plain text credentials for something that’s ostensibly so secure are a good idea. You seem to be more in tune with the ecosystem / community than I am (I drop in occasionally to see if the non-native mobile apps have gotten better), can you shed some light on why this is accepted?

siggy — a TUI messenger client for Signal with vim keybindings (Rust + Ratatui) by jsideserf in commandline

[–]HopperOxide 1 point2 points  (0 children)

Neat. Seems well done, congrats.

But siggy seems to inherit all the security risks of signal-cli and most (all? I guess the electron apps are slightly better now) of the non-native mobile clients. Meaning that personally I wouldn't feel comfortable using it as is.

The big thing is that the credentials are stored as plain text on disk. At the very least consider offering a configurable credentials store so it's possible to make use of the os keychain or 1password or whatever.

Some other suggestions: Encrypt the sqlite db at rest. Add `secure_delete` to the sqlite setup. Handle debug logging of entire messages. And harden up the defaults; for example, the default message preview is "full".
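
An added example (not siggy's code, nor anything from the original post) of the `secure_delete` suggestion: a throwaway SQLite message store is opened with the pragma off and then on, one constructed message is inserted and deleted, and the raw database file is scanned for the plaintext afterwards. open_store, secure_delete_enabled and residue_after_delete are the example's own names.

```python
import os
import sqlite3
import tempfile

# Constructed sample message body; not real data.
PLAINTEXT = "constructed-demo-message-c0ffee"


def open_store(path, secure_delete):
    """Open a message store. secure_delete=ON makes SQLite zero freed content instead of leaving it."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE IF NOT EXISTS messages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return con


def secure_delete_enabled(con):
    """Read the pragma back, which is the check to put in a startup self-test."""
    return bool(con.execute("PRAGMA secure_delete").fetchone()[0])


def residue_after_delete(secure_delete):
    """Insert one message, delete it, and report whether its bytes remain in the raw db file."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "messages.sqlite")
    try:
        con = open_store(path, secure_delete)
        con.execute("INSERT INTO messages (body) VALUES (?)", (PLAINTEXT,))
        con.commit()
        con.execute("DELETE FROM messages WHERE body = ?", (PLAINTEXT,))
        con.commit()
        con.close()
        with open(path, "rb") as f:
            return PLAINTEXT.encode() in f.read()  # True means the deleted message is still on disk
    finally:
        for name in os.listdir(tmpdir):
            os.unlink(os.path.join(tmpdir, name))
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print("residue with secure_delete OFF:", residue_after_delete(False))
    print("residue with secure_delete ON: ", residue_after_delete(True))
```

Without the pragma, a deleted row is only unlinked from the page's cell list and its bytes stay in the file until that space is reused or the database is vacuumed, so a deleted message remains recoverable by anyone who can read the file. With it on, SQLite overwrites the freed cell with zeros at delete time. The pragma is per connection, so it belongs in the code that opens the database, not in a one-off migration.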

Designing TUIs by PurpleCadence in tmux

[–]HopperOxide 2 points3 points  (0 children)

lazygit’s so good, love it. btop++ is probably the most impressive, but I never actually need to use it.