Readit News
BjornW commented on Ask HN: Who is hiring? (October 2023)    · Posted by u/whoishiring
PanMan · 2 years ago
Thanks for the feedback, forwarding this to the marketing people!
BjornW · 2 years ago
No problem. Good luck finding new colleagues.
BjornW commented on Ask HN: Who is hiring? (October 2023)    · Posted by u/whoishiring
PanMan · 2 years ago
Quatt.io | Amsterdam, Netherlands | Full-time | Hybrid/ONSITE | https://quatt.io | climate tech

I'm head of Software at Quatt, a quickly growing startup building hybrid heat pumps to help fix climate change. Heating and cooling is 50% of all energy used in the EU, and heat pumps have a 10x higher return on investment for CO2 saved per Euro invested than electric cars. We're building the most accessible and smartest heat pump on the market. Our product is live, being installed daily, and I really like the impact we're having.

I'm looking for 3 roles for my team, as we believe having the best software will allow us to have the best product.

* Full stack developer (Node/typescript + React)
* Data warehouse engineer
* Low code developer

Now is a great time to join, as the software team is still small but growing quickly. These and other vacancies are on our careers page: https://www.quatt.io/working-at-quatt

Email me directly ( hacker-news-username@quatt.io ) for questions or apply via the career page.

BjornW · 2 years ago
Had a look at Quatt's website. Just a quick remark: requiring me to fill in information to get a brochure about your product feels weird & I'm not willing to, but ok. However, automatically agreeing to receive 'marketing communication' & agreeing with your cookie policy when pressing download is definitely not ok. Not from my personal standpoint, but more importantly also not by law (GDPR) although IANAL. Might be a good idea to tell your marketing colleagues about this. Please remind them not to behave like assholes. Nobody likes forced "marketing communication"...it's just a euphemism for spam. Take care.
BjornW commented on Ask HN: Is anyone hosting their own Jitsi server?    · Posted by u/asim
BjornW · 2 years ago
Yes, I ran & still run a Jitsi instance and a website which would connect you at random to one of 12 participating Jitsi servers, all in the EU and complying with our guidelines.

My goal was offering a low-barrier, open-for-all way to connect with loved ones. During the peak of the Covid pandemic it was easier for many people to connect with colleagues than with family members or friends. So I contacted a few sysadmins and public organizations who I knew were running Jitsi and asked if it could be shared via our public website. A few agreed and a few dropped by and wanted to help out. After a few days a commercial hosting company decided to sponsor us with one VPS as well.

Our idea was to connect the servers and use the API to select a server with the lowest load. In the meantime we used a randomizer...we've never used the API after all, the randomizer worked well enough ;)

People told us they've used our free service for yoga classes, library book reading clubs, hackerspaces & celebrating birthdays with grandma.

Overall I'm still very proud of what we've achieved in a few days with some servers, opensource software and a bit of work.

Many thanks to @saghul, 8x8 and all other people contributing to Jitsi. Thank you!

BjornW commented on Outdated vs. Complete: In defense of apps that don’t need updates   vivqu.com/blog/2022/09/25... · Posted by u/ingve
BjornW · 3 years ago
A similar thing happens in the Open Source WordPress plugin repository.

All of my WordPress plugins are free & Open Source. Most are tiny plugins using functionality (filters, actions) that is part of WordPress core. Unless WordPress becomes backwards-incompatible they will function perfectly fine for the foreseeable future. From my perspective these plugins are feature complete & unless there's a bug, don't need any attention from me. Sadly the WordPress repository expects me to update the version number or else the plugin will become less visible in search results and a notice will be placed above the plugin's title stating: "This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress."

So for some of my plugins I occasionally 'bump' the version number to make sure people can still find it in the search & for some plugins I just leave it be because I have better things to do. However it didn't feel quite right to keep people using my work in the dark, so I've added a text to communicate this to them. This is the text from my 'Redirect To Homepage' plugin:

"Is this plugin actively being developed? Yes and no. Let me explain: I consider this plugin to be feature complete and unless bugs are found there will be no development on this plugin. In other words this plugin is in maintenance mode and will be maintained for the foreseeable future. Due to other obligations I’m not always able to keep up with WordPress versions and updating this readme’s ‘Tested up to’ version number. However, unless WordPress significantly changes the way the login_redirect filter works it should work perfectly fine even though the ‘Tested up to’ might be of a lower version number. As always, when in doubt, test it (and when it does give you issues, feel free to leave a comment)."

I think this balances both interests, those of people using (perhaps depending on) my work as well as my own. A similar approach could be used by commercial app stores to restore autonomy & balance interests.

BjornW commented on Ask HN: Anyone working 4 day week here, as an employee?    · Posted by u/akudha
BjornW · 3 years ago
In the Netherlands (Europe), where I reside, there are plenty of jobs offering 36 or 32 hours. I think most employers are ok with it since they often also work 36 or 32 hrs. Quite a lot of people share the 'load' of bringing up a family, taking care of parents or sick family members & basic house chores & therefore will (have to) work a bit less than 40hrs.
BjornW commented on PeerTube 4 RC   framablog.org/2021/11/30/... · Posted by u/booteille
quiffledwerg · 4 years ago
This project needs marketing people on the team.

I’m interested in peertube, it’s an exciting concept. When I went to that page I expected a simple, clean design inviting me to download it or use it or whatever. Instead there’s a rambling unfocused page without a call to action.

YouTube is the Mike Tyson of video…. you’ve gotta be much better than this to get in the ring with YouTube.

BjornW · 4 years ago
The url points to a blogpost at Framasoft with information on the release candidate. If you visit the homepage of Peertube (https://joinpeertube.org) you'll likely find the information you are looking for.
BjornW commented on Ask HN: How do you security-audit external software using NPM packages?    · Posted by u/BjornW
TheRealBrianF · 4 years ago
Sonatype Lifecycle is designed to analyze a built package and figure out what's inside it, specifically when there aren't manifest files to tell you what's -supposed- to be there. It can obviously do a lot more, but the analysis is designed to solve the exact problem you're describing.

https://blog.sonatype.com/mapping-the-javascript-genome-for-...

BjornW · 4 years ago
Will have a look at this. Thanks for sharing.
BjornW commented on Ask HN: How do you security-audit external software using NPM packages?    · Posted by u/BjornW
robin_reala · 4 years ago
You’re primarily talking about proactive auditing here, but if something does sneak in you’ve got problems. In the best spirit of layered security you should also build up a strong Content Security Policy and include that with your pages to make sure that there’s a whitelist of the servers the page can talk to, and that technologies you know you’re not using are locked down.
BjornW · 4 years ago
I agree. Pro-active audits will only go so far, there is definitely a need for other measures (which are implemented as well). A Content-Security-Policy is as far as I know still really hard to implement well (as in truly protecting assets instead of being a policy tick-off) on WordPress with external plugins and themes. Sadly, a CSP will not protect against attacks running on a post npm install in your development environment, as this is also a risk of using npm packages.
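The layered-defence point made above (an explicit allowlist of origins the page may talk to, plus switching off technologies the page does not use) in working code, as an added example that is not code from anyone in this thread. The origins in ALLOWLIST are hypothetical placeholders; the lint rules are the checks a reviewer would apply to any policy before trusting it as more than a tick-box. On WordPress the resulting header is normally emitted from the web server config or from PHP (for instance on the `send_headers` action), and external plugins that inject inline scripts are exactly what makes a strict `script-src` hard, as BjornW says. The example does not address the post-install script risk raised above; the usual control for that is `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) and reviewing a package's lifecycle scripts before enabling them.

```javascript
'use strict';
// Added example (editor's code, not from the thread): build a
// Content-Security-Policy from an explicit allowlist and lint an existing
// policy for the settings that turn it into a paper exercise.

// Constructed input: origins this hypothetical page legitimately needs.
// All hostnames are placeholders.
const ALLOWLIST = {
  scripts: ['https://cdn.example-analytics.test'], // hypothetical script host
  connect: ['https://api.example.test'],           // hypothetical fetch/XHR endpoint
  images:  ['https://images.example.test'],        // hypothetical image CDN
};

// Produce the header name and value. reportOnly=true is the usual first
// deployment step: violations are reported, nothing is blocked yet.
function buildPolicy(allow, { reportOnly = false, reportUri = null } = {}) {
  const directives = [
    "default-src 'self'",
    `script-src 'self' ${allow.scripts.join(' ')}`.trim(),
    `connect-src 'self' ${allow.connect.join(' ')}`.trim(),
    `img-src 'self' data: ${allow.images.join(' ')}`.trim(),
    "style-src 'self'",
    "font-src 'self'",
    // Technologies the page does not use are switched off outright rather
    // than left to default-src.
    "object-src 'none'",
    "frame-src 'none'",
    "worker-src 'none'",
    "base-uri 'self'",
    "form-action 'self'",
    "frame-ancestors 'none'",
  ];
  if (reportUri) directives.push(`report-uri ${reportUri}`);
  return {
    header: reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
    value: directives.join('; '),
  };
}

// Parse "directive source source; directive ..." into a Map.
function parsePolicy(value) {
  const out = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return out;
}

// Return a list of human-readable weaknesses; an empty list means the
// policy passes these checks (not that it is complete).
function lintPolicy(value) {
  const p = parsePolicy(value);
  const issues = [];
  const fetchDirectives = ['script-src', 'connect-src', 'img-src', 'style-src', 'object-src', 'frame-src'];
  for (const d of fetchDirectives) {
    const src = p.get(d) || p.get('default-src'); // CSP falls back to default-src
    if (!src) { issues.push(`${d}: no directive and no default-src fallback`); continue; }
    if (src.includes('*')) issues.push(`${d}: wildcard allows any origin`);
    if (d === 'script-src' && src.includes("'unsafe-inline'")) issues.push("script-src: 'unsafe-inline' defeats XSS protection");
    if (src.includes("'unsafe-eval'")) issues.push(`${d}: 'unsafe-eval' allows string-to-code`);
    if (src.some((s) => /^https?:$/.test(s))) issues.push(`${d}: scheme-only source allows any host`);
  }
  if (!p.has('object-src')) issues.push("object-src missing: set 'none' unless plugins are used");
  if (!p.has('base-uri')) issues.push('base-uri missing: an injected <base> can redirect relative script URLs');
  return issues;
}

// Stand-alone run: the built policy is clean, a typical sloppy one is not.
const built = buildPolicy(ALLOWLIST, { reportOnly: true });
console.log(`${built.header}: ${built.value}`);
console.log('issues in built policy:', lintPolicy(built.value));
console.log('issues in sloppy policy:', lintPolicy("default-src *; script-src 'self' 'unsafe-inline'"));
```

Start with the Report-Only header, collect violation reports for a few days, then switch to the enforcing header once the allowlist covers everything the site genuinely loads.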
BjornW commented on Ask HN: How do you security-audit external software using NPM packages?    · Posted by u/BjornW
TekMol · 4 years ago
My first question here would be: What is the attack vector you are worried about? If your wordpress instance is taken over, what is the problem? That the intruder gains access to data they should not have? Or that they will use your machine in some way that would harm you?
BjornW · 4 years ago
There are multiple attack vectors I can think of, although most can be mitigated using other security measures. I don't want to rely on audits only, of course. To give you an example: using the WordPress environment as a stepping stone to gain more access, running client-side software without permission (stealing data from visitors, our resources e.g. crypto miners), defacement/fake-news, etc.
BjornW commented on Ask HN: How do you security-audit external software using NPM packages?    · Posted by u/BjornW
BjornW · 4 years ago
A WordPress plugin may contain hundreds of interdependent npm packages all neatly bundled and minified. Without access to a package.json or package-lock.json it is quite hard to find out which individual packages have been used. Quite often there is also no public repo available of the development files.

To give an example of my process thus far:

Someone in my team wants to see if we can use plugin X. I’m downloading the plugin to have a look at the code. Luckily this plugin has included a non-minified version of the js file. I can derive the use of npm packages from this file. Using Snyk I have a look at the first package mentioned. It’s axios. The included version is vulnerable (high & medium severity) and has been for almost a year (Note: the last version of the plugin is 3 months old and does not exclude this vulnerable version in its package.json which I found in a Github repo later on).

Since I have no package.json nor package-lock.json (all I have is the distributed build) I can’t easily update the npm package. I have no clue as to how this package relates to the other packages and how their version might depend on each other. Even if I would update the package, all other users of this plugin are still vulnerable. I contacted the plugin author. He tells me he will update the plugin as soon as possible. The plugin is (as of today) still not updated & has not released a new version. In the meantime there have been two new versions of the axios package released.

Every user of plugin X is still vulnerable to the issues mentioned on Snyk, but is this a real problem in this specific WordPress plugin context? I’m not sure how to interpret the high & medium severity in the context of this plugin. How exploitable are these issues & what is the impact of the exploits in the context of this plugin? Do I need to be a logged in user? Is this something which can be triggered by any visitor? What am I able to do when I can exploit these vulnerabilities? I can only try to find answers to these questions if I’m willing to invest a lot more time into this, which more or less defeats the purpose of using a ‘ready-made’ WordPress plugin. And this is just one package of multiple npm packages used in this plugin. Packages which also have their own dependencies as well….

At this moment I’m wondering if any WordPress plugin using npm packages can be trusted at all.

ps: The way the npm ecosystem is structured is, in my view at least, problematic. Often packages are not like libraries as I’d expect, but look more like a function call or method call. I’d prefer to write these short pieces of code myself instead of depending on external code which also includes extra risks. The very rapid release schedules makes it even harder to trust external software (like a WordPress plugin) using npm packages as it seems they cannot keep up with it.

I’m sorry if this seems like a npm rant, but I’m seriously looking for methods on how to deal with these issues so we can use external software (like WordPress plugins) built with npm packages.
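The inventory step described in the post above (recovering package names and versions from a distributed build that ships without package.json or package-lock.json, then checking each against an advisory list) as an added example; it is not the poster's tooling and goes slightly beyond the post in that it also handles scoped packages. The bundle text is a constructed fragment imitating a non-minified webpack build. The two advisory entries were transcribed by the editor from public advisories for axios and lodash purely as an illustration of the data shape; for real work generate that table from Snyk or `npm audit` output rather than trusting these hand-copied values. Fully minified bundles often strip the banner comments this relies on, in which case only the package name, not the version, is recoverable, and the script reports it as unknown.

```javascript
'use strict';
// Added example (editor's code, not the poster's): inventory npm packages
// embedded in a distributed JS bundle and check them against an advisory list.

// Constructed sample: a slice of what a non-minified webpack build looks like.
// Module keys carry the package path; license banners often carry the version.
const SAMPLE_BUNDLE = `
/*! axios v0.19.0 | (c) 2019 by Matt Zabriskie */
/***/ "./node_modules/axios/lib/axios.js":
/***/ (function(module, exports, __webpack_require__) {
/***/ "./node_modules/lodash/lodash.js":
/**
 * @license
 * Lodash <https://lodash.com/>
 * Released under MIT license <https://lodash.com/license>
 * lodash 4.17.15
 */
/***/ "./node_modules/@babel/runtime/helpers/interopRequireDefault.js":
`;

// Advisory shape: package, identifier, first fixed version. Hand-copied by the
// editor for illustration; regenerate from your scanner before relying on it.
const ADVISORIES = [
  { pkg: 'axios',  id: 'CVE-2020-28168', fixedIn: '0.21.1',  note: 'SSRF via redirect' },
  { pkg: 'lodash', id: 'CVE-2020-8203',  fixedIn: '4.17.19', note: 'prototype pollution' },
];

// Map of package name -> version string or null when no version was found.
function extractPackages(bundle) {
  const found = new Map();
  // webpack module keys: node_modules/<pkg>/... including scoped @scope/pkg
  const modRe = /node_modules\/((?:@[\w.-]+\/)?[\w.-]+)\//g;
  let m;
  while ((m = modRe.exec(bundle)) !== null) {
    if (!found.has(m[1])) found.set(m[1], null);
  }
  // Banner comments: "axios v0.19.0", "lodash 4.17.15". Only accept a version
  // for a package we already saw as a module, to avoid matching random text.
  const verRe = /((?:@[\w.-]+\/)?[\w.-]+)\s+v?(\d+\.\d+\.\d+)\b/g;
  while ((m = verRe.exec(bundle)) !== null) {
    if (found.has(m[1]) && found.get(m[1]) === null) found.set(m[1], m[2]);
  }
  return found;
}

// Minimal numeric semver compare (major.minor.patch); returns -1, 0 or 1.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Cross the inventory with the advisory list.
function auditBundle(bundle, advisories) {
  const inventory = extractPackages(bundle);
  const findings = [];
  const unknown = []; // packages present but with no recoverable version
  for (const [pkg, version] of inventory) {
    if (version === null) { unknown.push(pkg); continue; }
    for (const a of advisories) {
      if (a.pkg === pkg && cmpVersion(version, a.fixedIn) < 0) {
        findings.push({ pkg, version, id: a.id, fixedIn: a.fixedIn, note: a.note });
      }
    }
  }
  return { inventory, findings, unknown };
}

// Stand-alone run over the constructed sample.
const report = auditBundle(SAMPLE_BUNDLE, ADVISORIES);
console.log('inventory:', [...report.inventory.entries()]);
console.log('findings:', report.findings);
console.log('version unknown (check by hand):', report.unknown);
```

The list of packages with an unknown version is the honest output here: those are the ones that still need manual work (diffing the embedded code against a known release, or asking the plugin author for the lock file), which is exactly the time cost the post complains about.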

u/BjornW
Karma: 507 | Cake day: November 3, 2008
About: see http://burobjorn.nl