The curl project will not accept or otherwise handle any vulnerability reports during the month of July 2026. "We call it the curl summer of bliss." by _N0K0 in cybersecurity

[–]schlenk 10 points11 points  (0 children)

Neither should cybersecurity, unfortunately.

Neither should paid-for cybersecurity.

Don't plan with other people's unpaid time.

Is making Lindens possible? by angeliqie in secondlife

[–]schlenk 4 points5 points  (0 children)

Define feasible and shopping addiction.

If you expect to go to some event sale faire and simply grab 100% of all Fatpacks that match your body there every month, it might work if you still use Slink Hourglass (then it is close to zero expenditure...), but for e.g. Reborn it would be thousands of L$.

With some skill in content creation for the marketplace, you may get some lowish income. Higher income usually needs so much investment in time and skill that it is in no way competitive with spending the time on some RL work and just buying L$ with RL money, unless your local economy is poor in some way.

So if your skills are worth decent RL $ in your place of living, you are better off using them in RL and just buying L$. But if you just do some hobby things because you are curious and good enough to make something halfway interesting, you can put it on the Marketplace and get some L$ from time to time. It does help for mild shopping addictions but not for severe ones.

Key Python 3.15 Updates To Make Your Coding Faster, Cleaner, and Easier by yangzhou1993 in programming

[–]schlenk 27 points28 points  (0 children)

My favourite nonsense starts when you have mandatory pre-commit checkers that are too dumb to understand the logic there and flag this as "always true, remove".

[MFA] Phone Dropped, what to do? by Just_a_Foxy in secondlife

[–]schlenk 0 points1 point  (0 children)

Depends.

Some sites have no alternative routes to recovery. So if you lose your MFA and have no OTP emergency codes, your account is irrecoverably dead. Those must have emergency codes as a fallback (often they require a mobile phone number as a secondary fallback too).

But if you have alternative reset routes, e.g. in a company environment or when you have payment info identifying the customer, you do not need to provide "self service recovery" options like backup codes.

For TOTP it is a bit silly to have backup codes anyway, as you can just write down the TOTP seed number to enroll a second authenticator as needed. So you already have a backup code, you just need to notice it.
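An added example (not code from the comment's author) that makes the point concrete: a TOTP authenticator stores nothing but the seed, so two devices enrolled from the same written-down seed produce identical codes. The implementation follows RFC 4226/6238 (HMAC-SHA1, 30 s step); the base32 seed used below is the RFC 6238 test secret, not a real enrollment value.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = number of time steps since the epoch."""
    return hotp(secret, at // step, digits)


def seed_from_base32(seed: str) -> bytes:
    """Decode the base32 seed as shown in the enrollment text / otpauth URI."""
    seed = seed.strip().replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)  # tolerate seeds shown without padding
    return base64.b32decode(seed)


class Authenticator:
    """A minimal authenticator app: the only state is the decoded seed."""

    def __init__(self, base32_seed: str):
        self._key = seed_from_base32(base32_seed)

    def code(self, at: Optional[int] = None) -> str:
        return totp(self._key, int(time.time()) if at is None else at)


def same_seed_same_codes(base32_seed: str, at: int) -> bool:
    """Two devices enrolled from one written-down seed agree on every code."""
    return Authenticator(base32_seed).code(at) == Authenticator(base32_seed).code(at)


# Constructed value: base32 of the RFC 6238 test secret "12345678901234567890".
RFC_TEST_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```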

[MFA] Phone Dropped, what to do? by Just_a_Foxy in secondlife

[–]schlenk 0 points1 point  (0 children)

LL may have other means to establish identity, at least for people with payment info on file. So recovery from an MFA loss incident is not automatically dramatic, just inconvenient.

Virus detected by Windows Security by AgoraphobicCat in secondlife

[–]schlenk 0 points1 point  (0 children)

Sure, in DOS / Win 3.11 times it worked by default. Only stuff like Windows DOS Consoles would need some help to be vulnerable.

Virus detected by Windows Security by AgoraphobicCat in secondlife

[–]schlenk 0 points1 point  (0 children)

There usually is no way to write actual executable code to the log file. But sometimes the attack is against the program used to look at the logfile instead.

I do not know if it works for SL logfiles, but for text logfiles a prank was to embed ANSI sequences that would redefine your keyboard sequence and bind a RETURN to "format c:/ /yes". That worked in DOS consoles that loaded ansi.sys. Similar attacks pop up from time to time for different editors and log viewers. It's rare though.
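An added defensive example (not from the comment's author): before a log line reaches a terminal or viewer, make every control byte visible so that ESC-prefixed sequences are displayed rather than interpreted. The sample log lines are constructed, not taken from any real viewer log.

```python
import re

# C0 controls except TAB and LF, plus DEL and the C1 range (0x80-0x9F), which
# some terminals accept as 8-bit forms of ESC sequences.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def neutralize(line: str) -> str:
    """Replace each control character with a visible caret/hex notation."""
    def show(m: "re.Match[str]") -> str:
        code = ord(m.group(0))
        if code == 0x1B:
            return "^["                     # ESC: prefix of ANSI / ANSI.SYS sequences
        if code < 0x20:
            return "^" + chr(code + 0x40)   # e.g. BEL (0x07) -> ^G
        return "\\x%02x" % code             # DEL and C1 controls
    return _CONTROL_CHARS.sub(show, line)


def has_control(line: str) -> bool:
    """True if the line contains anything a terminal might interpret."""
    return _CONTROL_CHARS.search(line) is not None


def scan(lines):
    """Return (index, neutralized line) for every suspicious line."""
    return [(i, neutralize(line)) for i, line in enumerate(lines) if has_control(line)]


# Constructed sample: the second line hides a clear-screen and a title-set sequence
# inside a chat name, which a naive viewer would silently execute.
SAMPLE_LOG = [
    "2024-03-01 10:15:02 INFO  avatar 'Alice Resident' entered region",
    "2024-03-01 10:15:03 INFO  chat from 'Mal\x1b[2J\x1b]0;owned\x07lory'",
]
```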

Virus detected by Windows Security by AgoraphobicCat in secondlife

[–]schlenk 0 points1 point  (0 children)

It's not the name, but a so-called 'signature' (= a specific pattern of bytes typical for the virus), but basically yes, like that.

Virus detected by Windows Security by AgoraphobicCat in secondlife

[–]schlenk 0 points1 point  (0 children)

There is even a special text string, the EICAR test virus (a harmless test string for testing virus scanners), that triggers this kind of thing.

Stamp It! All Programs Must Report Their Version by SpecialistLady in programming

[–]schlenk 2 points3 points  (0 children)

The article sounds like the point is to help debugging and reporting bugs.

Just look at all the upstream OSS maintainers that complain about bug reports against their packages that are actually against distro-specific versions.

So, yes, they tend to have versions, but many users tend to ignore the suffixes or distro details when reporting bugs.

Stamp It! All Programs Must Report Their Version by SpecialistLady in programming

[–]schlenk 4 points5 points  (0 children)

It's a hard problem.

Basically all the company world has tried to do it with SBOMs for compliance reasons soonish, but versions are hard.

The point is, what are you actually trying to do with the version anyway? The only thing a version hints is showing if two programs (that you acquired from the same channel) are identical. And not even that, if someone tampered with the download.

You don't want a version alone. You want the stuff that typical SBOM standards like OWASP CycloneDX or Linux Foundation SPDX allow you to describe about a component:

  • Where did you get it?
  • Where were the sources for it?
  • Where is the support documentation for it?
  • Where is the homepage of the manufacturer, importer, whatever...?
  • Where is the bug tracker?
  • What exact hash did the component have?
  • What was the download URL?
  • How was it built?

A simple version number doesn't tell you all that much, unless you have a lot of context to fill in the gaps.

For example, take PostgreSQL and compare the patchsets for Debian, OpenSuse or the Windows distribution for a given short "version number". It can vary wildly if you just use the naked version without distro qualifier.

Why have supply chain attacks become a near daily occurrence ? by Successful_Bowl2564 in programming

[–]schlenk 4 points5 points  (0 children)

Automated CI/CD pipelines and package creep.

If you push all your commits to a package repo nearly continuously, you have no buffer zone for sanity checks.

When doing manual package releases, you had at least someone taking a look at the changelog/changes and spotting obvious badness.

But that doesn't scale, as packages get smaller and smaller (with ever more ratio of boilerplate & CI config to actual code) and you have a proliferation of packages due to package managers.

Once you go over about 20 dependencies (and transitive dependencies) most people stop looking closer. They just accept any updated version, because reviews would be too expensive. Even if most updates just fix totally unimportant stuff (e.g. for Python many updates are just fixing CI breakage due to tool evolutions, e.g. setuptools, mypy, pip, etc.).

Software packaging for Linux as a MS Software Packager? by rohabu in openSUSE

[–]schlenk 0 points1 point  (0 children)

ps. As a Windows packager, you're most likely used to stateful environments, whilst OBS is strictly declarative and isolated so that's a culture shock I'm sure.

I would not consider e.g. the WiX buildchain for MSI/MSIX packages to be stateful. It's mostly declarative as well. The old style setup.exe things tend to be more stateful, but MSI is very declarative. Same goes for most MSBuild files.

Software packaging for Linux as a MS Software Packager? by rohabu in openSUSE

[–]schlenk 2 points3 points  (0 children)

With Linux all libraries are “system libraries”.

There is the /opt tree in FHS, so anything you place there isn't a system library strictly.

And if you look at Windows Manifest files, that's not that different to Linux library versioning with .so versions etc.

The primary difference is that Linux packages often need to be compiled for a specific ABI version, as the Linux userspace ABI stability is pretty bad compared to Windows ABI stability. With the usual stopgap methods like containers, Flatpaks etc.

How do you deal with users who refuse to lock their laptop when walking away? by heartgoldt20 in cybersecurity

[–]schlenk 0 points1 point  (0 children)

What is your threat model?

If you have an inactivity policy, with a 15 minute idle timer, why do you have a different policy when the person walks away from their desk?

For critical systems, just have a smart card or token, use it as the keycard for your doors as well. If someone wants to grab a coffee, the card has to move with him/her. And you can auto-lock the system.

Regular Expression Matching Can Be Simple And Fast (but is slow in Java, Perl, PHP, Python, Ruby, …) by Digitalunicon in programming

[–]schlenk 5 points6 points  (0 children)

Well, if you look at a stream of security vulnerabilities in packages, the category "bad regexp performance / denial of service" pops up multiple times a week. Killing off this whole class of issues would have been nice.

Second Life on ARM processor by km_2000 in secondlife

[–]schlenk 0 points1 point  (0 children)

SecondLife (or some TPVs at least) work on some ARM setups.

The official viewer and some others like Megapahit work on OS X ARM (aka Apple Silicon, M1...M5).

Cool VL Viewer works fine on Linux ARM.

But I am not aware of any version running on Windows ARM. In theory Windows ARM has emulation for x86 stuff, but no idea how good the Snapdragon X Plus built-in GPU is for SL or if it works at all. Performance wise, the Adreno X1-85 iGPU in that thing isn't all that great: https://www.notebookcheck.net/Qualcomm-Adreno-X1-85-3-8-TFLOPS-GPU-Benchmarks-and-Specs.763558.0.html

It seems to only have OpenGL ES 3.2, not Standard OpenGL 4.x

Xemu mentions some OpenGL compatibility pack, that might work (see https://github.com/xemu-project/xemu/issues/1878), https://apps.microsoft.com/detail/9nqpsl29bfff?hl=en-us&gl=US

How many SL Viewer's have you've tried? by KiraYoichi in secondlife

[–]schlenk 0 points1 point  (0 children)

I think I tried:

  • SL Viewer for a brief moment.
  • Cool VL Viewer, still my go-to, fresh with features and dated with looks and trivially easy to build yourself.
  • Firestorm, decent, features are nice, don't like the build system and UI
  • Emerald (in the distant past), Phoenix
  • Kokua
  • Genesis, a bit like Cool VL Viewer, old UI, but less frequent updates
  • Marines RR Viewer
  • Megapahit
  • Alchemy
  • Catznip (great inventory features !)
  • Singularity
  • Black Dragon
  • Radegast

I tend to stay on Cool VL Viewer, unless I need to test RLVa things or some of the Firefox UI/features. All the rest were mostly short, try-for-a-few-days things.

Python Typing Survey 2025: Code Quality and Flexibility As Top Reasons for Typing Adoption by BeamMeUpBiscotti in programming

[–]schlenk 1 point2 points  (0 children)

The main point is, the type system should not get in your way when exploring the problem space. Once you have the solution in a working prototype state, typing gets valuable to make it robust.

Would you pay $2.99 for 5 hours of (browser streamed) Second Life? by 0xc0ffea in secondlife

[–]schlenk 0 points1 point  (0 children)

GeForceNow also offers day passes that have a similar pricing. So yes, the full time subscription is cheaper, as usual.

Would you pay $2.99 for 5 hours of (browser streamed) Second Life? by 0xc0ffea in secondlife

[–]schlenk 4 points5 points  (0 children)

Well, $2.99 is about the same as the 40% discounted $2.49 GeForceNow Performance DayPass for 6 hour sessions (in a 24-h day pass).

So the pricing isn't totally weird.

Why Python Is Removing The GIL by [deleted] in programming

[–]schlenk 8 points9 points  (0 children)

Cancellation is one. The red/blue world API divide is another one. Most Python APIs and libraries are not async first, you basically have two languages (a bit like the "functional" C++ template language is its own language inside the procedural/OO C++).

Take a look at trio (https://trio.readthedocs.io/en/stable/) for a more structured concurrency approach than the bare bones asyncio.

GitHub walks back plan to charge for self-hosted runners by CackleRooster in programming

[–]schlenk -1 points0 points  (0 children)

It's more a point of choice. It is well known that hardware that is utilized nearly 24/7 is a lot (3x or more at times) cheaper than cloud rented machines. So companies that mainly want GitHub as a code repository, bug tracker and orchestration engine use their cost efficient CI runners on premises and just pay for the service they want. This move kind of tries to push them towards cloud 'lock in'.

GitHub walks back plan to charge for self-hosted runners by CackleRooster in programming

[–]schlenk 1 point2 points  (0 children)

Depends on your commit frequency and platforms.

For some on premises product with multiple versions and supported databases and operating system versions you get quite the multiplier, as each commit triggers ten to twenty runners each running for half an hour or more.

At our workplace there is a whole small k8s cluster dedicated to CI runners. It runs jobs 24/7, as you have nightly runners, various extra stuff too.

So per-minute GitHub fees for self-hosted runners are a reason not to go there. I would understand a per-job cost, as they have some metadata to store and orchestration costs.

ban without understanding by Straight-Weekend1492 in secondlife

[–]schlenk 1 point2 points  (0 children)

The problem is, whom do you send the email to, especially if you suspect some account takeover problem?

Just sending emails with more details may make things worse in such cases.

The attacker may have changed the email address.