Readit News
grayhatter commented on It seems like the AI crawlers learned how to solve the Anubis challenges   social.anoxinon.de/@Codeb... · Posted by u/moelf
xena · 12 days ago
Thanks. It means a lot. Today has not been a good day for me. It will be fixed. Things will get better, but this has to rank up there in terms of the worst ways to find out about security issues. It sucks lol.
grayhatter · 12 days ago
I'll double down on what veqq said; Those that can, do. Those who have no idea where to start complain on internet threads.

There will always be bots, they were here before anubis, they'll be there long after you block them again. Take care of yourself first. There's no need to make a bad day worse trying to sprint down a marathon.

grayhatter commented on Ask HN: What alternatives to GitHub are you using?    · Posted by u/yakattak
grayhatter · 15 days ago
I'm using srctree https://srctree.gr.ht/repo/srctree

Hopefully you'll forgive me for shilling my own project. It's a source code sharing site with a few primary goals. First, don't break the back button. I started the project right around the time github broke too many critical features in short succession. The back button, the URL bar, and ctrl+f in the code view. I also want it to be easy to use as a federated collaboration tool. Ideally you'd start your own instance locally, get a familiar GitHub like interface for submitting patches anywhere, even by email. Or if you're hosting a project, you could have an always up instance that others could connect to.

The part I've been thinking about deeply the past few days is how to improve the discoverability of peer repos and forks. I want to create something GitHub-like in terms of collaboration, but also try to incorporate some of the best lessons from mailing list based repos where it's easy to grab and try patchsets (exposed as branches) from a 'fork' without losing the value of a canon 'upstream' and without insisting that any specific upstream is where every single commit belongs.

The whole thing is written in zig without any dependencies other than git for some of the repo management features I haven't ported yet. (and for generating git blames) If you do use it, or notice any issues, or think it's missing features do let me know. I'm currently trying to decide which is the next most important thing to hack on :)

see also https://github.com/GrayHatter/srctree if you want to subscribe to updates (still a feature srctree lacks lol)

grayhatter commented on Zig's new I/O: function coloring is inevitable?   blog.ivnj.org/post/functi... · Posted by u/ivanjermakov
woodruffw · a month ago
I don’t see how that can be the case, given that Io is in the closure. Anything that wants to do I/O needs that token; that’s what virality is.
grayhatter · a month ago
I think I almost agree with what I think you mean, but I'm not sure, hopefully you'll entertain a few questions?

Say you have two functions one that does some kind of IO, (say a pair of bidirectional read, write, from stdin and stdout) and another that returns a block of memory of a constant size. Would you say that one is colored, and the other isn't?

I'll also try to make an attempt at the idea I'm trying to figure out too. I genuinely can't predict which side you'll answer for, but I'm assuming you'll say that it's not colored, because while it does do IO, it does so only directly through the global file descriptors, which have no bearing on the calling conventions. Which means the decisions and impact about which color this IO function is don't ever apply to the callers and callees. This I think is the virality you mean, where the callers and callees are required to know [something] about the semantics? I probably agree you could call this coloring and defend it... It's interesting that this might be closer to the "accepted" definitions of what any language means when it says this function is colored. But I don't think this is the understanding most people have about the concept of coloring. Most I see are arguing about the semantic effects, much more than the "accepted" definition. I have the distinct impression that when most say coloring, the most significant implication is when and where you resolve the specific color. Will it be sync or async code, when, where, and who gets to decide.

Or perhaps I'm wrong, and you would say that one function is colored, but the other isn't? Then I'd ask if you can tell it's colored, can you tell me which color?

In both cases I'd argue it's better to embrace the semantic widening of the concept of function coloring, because from what I understand from how you describe it, I feel that saying this is coloring is strictly less enlightening about the reality of the code and system together, than calling this function alpha. With Zig's new IO interface, I can't tell you what the RGB values are for the color, but I can confidently say its alpha channel is 0xff. You might not be able to tell me what color it is, but it without a doubt isn't a pure function, interacts with IO and does have a null byte in the alpha channel.

grayhatter commented on Why does Debian change software?   blog.liw.fi/posts/2025/wh... · Posted by u/tapanjk
ryandrake · 3 months ago
Infuriating. The developer is just making excuses and refusing to address the users' actual concern. And why are they phoning home in the first place? What is this critical use case that requires this intrusion?

> "This daily count of users is what keeps us working on the project, because otherwise we have feel like we are coding into a void."

So, they wrote code to phone home (by default) and then digging in and defending it... just for their feelings? You've got to be kidding me!

grayhatter · 3 months ago
> So, they wrote code to phone home (by default) and then digging in and defending it... just for their feelings? You've got to be kidding me!

Is that better or worse than phoning home to serve ads?

Also, it feels misleading to me to call fetching a motd phoning home. You know Ubuntu does this too, right? That feels more worthy of outrage than this.

If someone tells me, this software phones home, and it's not transmitting anything other than a ping; kinda feels like they're lying to me about what it's actually doing.

I'm not upset by the author wanting a bit of human connection to the people who enjoy his software. I empathize with the desire to see people enjoy the stuff I've made. Is it a privacy risk? Perhaps, but it's not even on the top 1k that I see daily. There's more important windmills to tilt at.

But... if you really just wanna be outraged; I recently wrote a DNS server that I use as the default for my home system. Currently it prints every request made, you might wanna try something like that. If you're that upset about this, you're gonna be blown away by what else is going on you didn't even know about.... and that's just DNS queries, it's not even the telemetry getting sent!

grayhatter commented on AMP and why emails are not (and should never be) interactive   buttondown.com/blog/whate... · Posted by u/maguay
kevin_thibedeau · 4 months ago
SMTP can use intermediate relays. TLS doesn't guard against the middlemen.
grayhatter · 4 months ago
When I suggested using TLS, signed by a trusted cert authority; and you're imagining some system, where a message sender connects to some 3rd party middleware box to relay the message, and this middleware box has a cert for the destination domain?
grayhatter commented on AMP and why emails are not (and should never be) interactive   buttondown.com/blog/whate... · Posted by u/maguay
SoftTalker · 4 months ago
Yes but the server itself has full visibility on the message while it is handling it. It can scan it for viruses, parse it for ad insertion, feed it to train an LLM, just keep a copy of everything, whatever.
grayhatter · 4 months ago
yeah... that's why it's important to be able to trust your email provider... I assumed you meant anyone passing along the message, like a router, or rogue ISP. I was more going for the idea that you can make SMTP secure from sender domain to destination domain. If you don't trust your host, nothing else really matters, in all cases.

Deleted Comment

grayhatter commented on AMP and why emails are not (and should never be) interactive   buttondown.com/blog/whate... · Posted by u/maguay
SoftTalker · 4 months ago
There's no way to guarantee that. SMTP is not a secure protocol. Your message could be read by any intermediary along its delivery route.
grayhatter · 4 months ago
It is possible to deliver emails IFF the receiving server presents a valid TLS connection and cert. I don't think I've seen anyone actually enforce that though.
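As an added illustration (not part of the comment or the thread), here is what the distinction above looks like in Postfix, assumed here as the sending MTA: the common opportunistic setting beside the enforced one that defers delivery unless the receiving server offers STARTTLS and presents a certificate that validates against a trusted CA bundle. The CA bundle path and the example.com destination are placeholders.

```ini
# main.cf, opportunistic (what most sites run): use TLS if the peer offers
# STARTTLS, otherwise deliver in cleartext; the peer certificate is not verified
smtp_tls_security_level = may

# main.cf, enforced: defer the message unless the next-hop offers STARTTLS and
# presents a certificate that chains to a trusted CA and whose name matches the
# destination domain (nexthop / dot-nexthop matching)
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt   # placeholder path
smtp_tls_loglevel = 1

# Caveat: with "secure" the certificate must carry the recipient domain, which
# MX hosts serving many domains often do not; "verify" instead matches the
# MX hostname from DNS, which is weaker because that lookup itself is unsigned.
# Enforcing per destination via a policy table limits the blast radius:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy (placeholder destination; rebuild with postmap)
# example.com    secure
```

With the enforced setting, a failed handshake or certificate check shows up in the mail log as a deferral rather than silent cleartext fallback, which is the observable difference between the two configurations.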
grayhatter commented on Zig's new LinkedList API (it's time to learn fieldParentPtr)   openmymind.net/Zigs-New-L... · Posted by u/todsacerdoti
xxs · 4 months ago
> Especially if you're trying to be memory efficient

Linked lists have a higher constant cost memory-wise compared to array-backed structures. Even when an array-backed structure is half empty, it still takes less memory.

grayhatter · 4 months ago
> Even when an array-backed structure is half empty, it still takes less memory.

uh... what?

grayhatter commented on Replacing CVE   gavinhoward.com/2025/04/r... · Posted by u/gavinhoward
grayhatter · 4 months ago
> This idea I had months ago will surely fix all the problems I just started thinking about today.

I very rarely find myself agreeing with some take the author has made. To the point where I almost said never agree. But I always read through, because even though the suggestion is always surface level, it's also always well written and well expressed. I like the help in reasoning through my own thoughts, and his musings always give a good place to start explaining and correcting from.

I hate, with a passion, CVE farmers. Because so much of it is noise these days. But everyone complaining^1 so far has completely missed the forest for the trees. The reason everyone uses CVEs still is because the value from having a CVE was never to know the severity. (The difference between unauthenticated remote arbitrary code execution, and might create a partial denial of service in some rare and crafted cases, is 9.9 and 9.3) The value has always been the complete lack of ambiguity when discussing some defect with a security implication. You don't really understand something if you can't explain it, and you can't explain it if you don't have the words or names for it. CVE farming is a problem, but everyone uses CVEs because it makes defects easier to understand and talk about without misunderstandings or miscommunication.

I'd love to see whatever replaces CVEs include a superset, where CVEs also have a CRE, where Vulnerability is replaced by Risk and only when [handwavey answer about project owner agreement], which would ideally preserve the value we get from the current system. But would allow the incremental improvement suggested by the original comment this essay is responding to. I would like my CVEs to be exclusively vulns that are significant. But even more than I want that, I don't want to have to argue about where the bar for significant belongs!

No company wants to manage CVEs, there's nothing that's going to meaningfully change that in the short term. Which means no one is looking for a better CVE system. Everybody wants the devil they know. I have complaints about the CVE system. But I don't want to try to replace it without accounting for how it's used, in addition to how it works (and breaks).

^1: it's still early, and the people rushing to post are often only looking at the surface level. I'm excited to hear deeper more reasoned thoughts, but that's likely to take more than just 24h

u/grayhatter

Karma: 1517
Cake day: January 13, 2017
About: gr.ht

[ my public key: https://keybase.io/grayhatter; my proof: https://keybase.io/grayhatter/sigs/j8azbrA5Q7W1ecOwaYaZfMwmWh95MA06i5YpVRIhmno ]