Kogasa

Yeah. Normal whoppers are crunchy. 1 in 4 whoppers is soggy and chewy and hard to eat

Whoppers are good but the risk of getting a bad one is not worth it. Ech

Sure, but hosting the wiki itself has a cost.

I worked with Progress via an ERP that had been untouched and unsupported for almost 20 years. Damn easy to break stuff, more footguns than SQL somehow

Bitcoin is more widely seen as a vehicle for speculation rather than a decentralized currency. Unlucky.

Before I blocked the instance I had nothing but miserable interactions with Hexbear users, and it had nothing to do with political opinions.

Docker is lighter and easier to manage than a VM. I run a collection of services as docker compose services inside a NixOS host VM. It’s easy to start, stop, monitor, update etc. even from a different computer (via ssh or docker contexts). It’s great.

deleted by creator

It’s just as easy to run in a Docker container and I would recommend this anyway.

I do not know what that means

If only we were still having the conversation.

That’s… not the point either. The point is that “reporting false positives isn’t a bad thing” is only true up to a point. The discussion is then “is this before or after that point.” Which, given the context of the bug, isn’t really a given. But I don’t want to have that discussion with you anymore because you’re annoying.

“What if the boy who cried wolf got lucky and didn’t get eaten in the end”? Seems to have missed the point of the parable a bit.

I didn’t say the CVE was valid. I explained why it was a mistake. I didn’t say “disclosing security bugs” is, in general, a bad thing, I said raising undue alarm about a specific class of bugs is bad. It’s not a matter of “less or more information,” because as I said, a CVE is not a bug report. It is not simply “acknowledgment of information.” If you think my argument has no merit and there is no reason why “more information” could be worse, you’re free to talk to someone who gives a shit.

Uh, no. But thanks for guessing. It’s frivolous because it violates several principles of responsible disclosure. Yes, the scope of impact is relevant; the availability of methods of remediation is relevant; and the development/patch lifecycle is relevant. The feature being off-by-default and labeled experimental are indirect references to the scope of impact and availability of remediation, and the latter is an indirect reference to the state of development lifecycle. Per the developer(s)’ words, this is a bug that had limited risk and was scheduled to be fixed as part of the normal development schedule. Escalating every such bug, of which the vast majority go without a CVE, would quickly drown out notices that people actually care about. A CVE is not a bug report.

It’s not worthy of a CVE and whether it applies to me is irrelevant. I didn’t say a CVE is a black mark. Frivolous reporting of CVEs damages trust in the usefulness of the system in identifying critical vulnerabilities. This is a known issue related to resumé padding by newcomers to the cybersecurity industry.

To a point. Ever heard of the boy who cried wolf?

Frivolous CVEs aren’t a good thing for security. This bug was a possible DOS (not e.g. a privilege escalation) in a disabled-by-default experimental feature. It wasn’t a security issue and should have been fixed with a patch instead of raising a false alarm and damaging trust.

Perhaps if you used more than two fingers on desktop

78wpm 92% gboard

~200wpm on a physical desktop keyboard