Hacker News: dangus's comments

It would definitely be a bit silly for the author to make a fake carrot disclosure, but I thought of it just because of how reading this article made me feel distrust toward the author. IDK, they just seem like kind of a jerk!

Now, I don't think the PRs with the Forgejo folks show a lot of warm collaborative energy on their side, either, but I can see how soft skills from the author would likely have taken their PRs a lot further in getting what they want.

But the author's whole attitude is that Forgejo is such a mess and it's barely worth their time to try and clean it up. Nobody's twisting their arm to contribute to an open source project that they don't even like!

From the perspective of Forgejo maintainers, the author is just some random new contributor barging in and telling them to drop some legacy support that hasn't been discussed in detail yet. And of course, this new contributor hasn't actually followed the security policy to disclose it as a high severity issue to justify the change.


> But the author's whole attitude is that Forgejo is such a mess and it's barely worth their time to try and clean it up. Nobody's twisting their arm to contribute to an open source project that they don't even like!

> From the perspective of Forgejo maintainers, the author is just some random new contributor barging in and telling them to drop some legacy support that hasn't been discussed in detail yet. And of course, this new contributor hasn't actually followed the security policy to disclose it as a high severity issue to justify the change.

It does affect my own willingness to use Forgejo, as a current non-user. It sounds like it has some security vulnerabilities that the maintainers aren't taking seriously, perhaps because they think the people who report those vulnerabilities are jerks. Are the Forgejo maintainers themselves sure that their software isn't going to get pwned in a way they don't have the right techniques to mitigate? I'd rather know that before I run it on my own infra.


> It sounds like it has some security vulnerabilities that the maintainers aren't taking seriously

It may, and they may or may not, but the author hasn't actually reported any. They're explicitly ignoring the security policy and vagueposting instead.


The author of this blog post essentially never reported the exploit to the Forgejo maintainers. They merely submitted a security-related PR.

The maintainers aren't mind readers. They have never been directly informed that a proven exploit exists, and the author of the article actively ignored the project's reporting process despite being aware of it.

And it's not a particularly complicated report process. You literally just email them.


Don’t forget, repeatedly ignoring the requirements for including tests, and instead offering up a “have tested it locally, trust me” as a substitute.

The worry here is that they need to leave the security hole open because they're using it?

Idunno, I think this model of disclosure feels more natural to me. The "coordinated" model can have the smack of extortion to it.

And yes, I very much want there to exist people whose specialty is finding security bugs. I wouldn't expect such a person to be a diehard contributor to any particular project. Their motivation isn't making one tool better, but keeping users safe. We need those people and the work they do badly!


The author's attitude is so off-putting. What gives? Did Forgejo hurt you?

The Forgejo disclosure process looked pretty simple and straightforward to me. The bold and all-caps words that bothered the author are just making sure you know how to disclose vulnerabilities safely without leaking zero-day exploits to a wider audience than necessary.

I'm also not impressed with a carrot disclosure that looks like this. Running a python script to compromise a locally hosted instance? Bruh, you have physical hardware and host shell access. That python script could be doing anything including running as root.

Show us the exploit hitting a remote server.


> I'm also not impressed with a carrot disclosure that looks like this. Running a python script to compromise a locally hosted instance? Bruh, you have physical hardware and host shell access. That python script could be doing anything including running as root.

> Show us the exploit hitting a remote server.

Watch out, their script works on HN too, as a proof here's me logging in to YOUR computer's root account (a bit more redacted for obvious reasons):

    $ python3 ./poc/chain_alpha.py --target dangus > out.txt
    $ grep Backdoor out.txt |  sed -r 's@[^:]+$@ [REDACTED]@g'
    [+]   Backdoor admin created: [REDACTED]
    $ grep IP out.txt |  sed -r 's@[^:]+$@ [REDACTED]@g'
    [+]   IPv4 address for dangus: [REDACTED]
    $ grep 'debug2: shell' out.txt
    [+]   debug2: shell request accepted on channel 0
    $ tail -n12 out.txt 
    ================================================================
    [+] COMMAND EXECUTION CONFIRMED!
    ================================================================
    
    Server-side output (received via SSH, with `set -x`):

      + id -u
      0
      + id -g
      0
    
    ================================================================
    $ sha256 ./poc/chain_alpha.py
    c10d28a5ff74646683953874b035ca6ba56742db2f95198b54e561523e1880d7  ./poc/chain_alpha.py

Seriously, this author comes across as an absolute sore loser if this is the PR they are referring to:

https://codeberg.org/forgejo/forgejo/pulls/12283

Someone asking you to write a test for new code and then making this blog in response is just so pathetic.


While I agree with you that this blog post (and the "carrot disclosure" described in it) is ill-considered, the pull request is not really "new code", it adds quotes to HTML attributes that are missing them. I think it's entirely reasonable for a contributor to assume that a new test case would not be needed for this small change, and that the maintainer's response ("So a simple question: is this code covered under a test? If not, you will have to add one.") is more abrasive than necessary.

a test is probably not the right thing for this, but adding a linting rule so that quoting is enforced everywhere is probably the right way to go

To hell with writing a test for you. That’s what you say to someone who gets paid by you. If the project doesn’t want the fix, that’s their issue, not the reporter’s.

Look at the big picture. The maintainers likely deal with many low-quality bug reports and PRs coming in, especially from AI, and the incentive to spam these is not going away anytime soon. How should they best allocate their limited attention?

One way is for the PR maker to signal their own attention to detail/effort/commitment by jumping through the (quite reasonable) hoop of writing a test.

Is this extra effort? Yes. But if your motivation in opening the PR in the first place is genuinely to improve the world, then do the slightly harder thing that actually improves the world given the constraints on maintainer attention it operates under, not the thing that is slightly easier for you but leaves your contribution indistinguishable from the sea of slop out there.


> Someone asking you to write a test for new code

per the response: "I'm not sure what kind of test would you like me to write for this change, as it's simply adding 4 quotes"


Maybe one showing that the change doesn't make it worse. Here's the code change:

  - <a class="item muted sidebar-item-link" href=${$(this).data('href')}>
  + <a class="item muted sidebar-item-link" href="${$(this).data('href')}">
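Review bot: on the `+` line the value of `$(this).data('href')` is still interpolated into the markup string unescaped, so a value that itself contains a `"` would end the now-quoted `href` attribute early. Suggest escaping the value for attribute context, or creating the element and setting `href` through an attribute setter, and adding a regression test that covers a value with whitespace and a value with a double quote.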
I know zero about this code path, but suppose it's expected that `${$(this).data('href')}` is already a properly quoted value, like `"https://example.com"`. Then the first line expands to:

  <a class="item muted sidebar-item-link" href="https://example.com">
and the second expands to:

  <a class="item muted sidebar-item-link" href=""https://example.com"">
which would have all kinds of room for mischief. Or suppose the template engine auto-quotes values that it injects, so the quotes aren't necessary at all, which is a pretty common approach. The point is that you don't randomly want to throw quotes into HTML or single quotes into SQL just for giggles. You have to write tests demonstrating that the existing common use cases still work after the change, even if it's simply adding 4 quotes.

I'd say also add a test that shows the HTML injection (which spurred the PR) isn't possible. Given an attacker-controlled URL of:

    foo onclick
the following shouldn't render:

    <a class="item muted sidebar-item-link" href=foo onclick>
The following should:

    <a class="item muted sidebar-item-link" href="foo onclick">
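
The two checks proposed in the comments above (existing values still render the same, and `foo onclick` no longer adds an attribute), written as a runnable sketch that also covers the already-quoted value case. This is an added example, not Forgejo code and not part of the original thread; `parseStartTag`, `escapeAttr`, `roundTrips` and the three `render*` helpers are hypothetical names, and the parser is a simplified model of how HTML start-tag attributes are tokenized.

```javascript
// Added example (not Forgejo code). Runs under Node without a DOM.
const ENTITIES = { amp: '&', quot: '"', lt: '<', gt: '>', '#39': "'" };
const decode = (s) => s.replace(/&(amp|quot|lt|gt|#39);/g, (_, n) => ENTITIES[n]);

// Escape a value for use inside a quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Simplified start-tag parser: returns the tag name and its attributes.
function parseStartTag(html) {
  if (html[0] !== '<') throw new Error('expected a start tag');
  let i = 1;
  while (i < html.length && !/[\s/>]/.test(html[i])) i++;
  const tag = html.slice(1, i).toLowerCase();
  const attrs = Object.create(null);
  while (i < html.length) {
    // Whitespace and '/' separate attributes.
    while (i < html.length && /[\s/]/.test(html[i])) i++;
    if (i >= html.length || html[i] === '>') break;
    // Attribute name: runs until whitespace, '/', '>' or '='.
    let start = i++;
    while (i < html.length && !/[\s/>=]/.test(html[i])) i++;
    const name = html.slice(start, i).toLowerCase();
    while (i < html.length && /\s/.test(html[i])) i++;
    let value = '';
    if (html[i] === '=') {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        // Quoted value: everything up to the matching quote.
        const end = html.indexOf(q, i + 1);
        const stop = end === -1 ? html.length : end;
        value = html.slice(i + 1, stop);
        i = stop + 1;
      } else {
        // Unquoted value: ends at the first whitespace or '>'.
        start = i;
        while (i < html.length && !/[\s>]/.test(html[i])) i++;
        value = html.slice(start, i);
      }
    }
    // The first occurrence of a duplicated attribute wins.
    if (!(name in attrs)) attrs[name] = decode(value);
  }
  return { tag, attrs };
}

// The three ways of building the link: before the PR, after the PR,
// and with the value escaped for attribute context.
const renderUnquoted = (href) => `<a class="item muted sidebar-item-link" href=${href}>`;
const renderQuoted = (href) => `<a class="item muted sidebar-item-link" href="${href}">`;
const renderEscaped = (href) => `<a class="item muted sidebar-item-link" href="${escapeAttr(href)}">`;

// Regression check: the tag has exactly class and href, and href is the input.
function roundTrips(render, href) {
  const { attrs } = parseStartTag(render(href));
  const names = Object.keys(attrs).sort().join(',');
  return names === 'class,href' && attrs.href === href;
}

// Constructed sample values, taken from the cases discussed in the thread.
const samples = ['https://example.com', 'foo onclick', '"https://example.com"'];
for (const value of samples) {
  console.log(JSON.stringify(value), {
    unquoted: roundTrips(renderUnquoted, value),
    quoted: roundTrips(renderQuoted, value),
    escaped: roundTrips(renderEscaped, value),
  });
}
```
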

Oh, for sure! That'd end the conversation: "your change breaks the existing tests. Fix that and we'll re-consider."

I wonder why they didn't change it to use DOM APIs instead. Related comment:

https://news.ycombinator.com/item?id=47945472


That totally justifies the very normal extortion-like blog post in response.

This “slowly dying” effect is what happens to every company that gets acquired by big monster slug companies like Microsoft.

What Microsoft acquisitions still have any of their original spark left in them? Or Oracle? Or IBM? Or Google? Etc…

Hell, some Microsoft originals from inside the company like Xbox have even lost their edge.

Money is great and I’m sure I’d take the big check, too, but I’m surprised more tech founders don’t think of their legacy in this way when they decide to sell out.

It’s considered a grand accomplishment to essentially lead the wonderful thing you created to its slow demise and hand it over to apathetic quarterly earnings zombies.


Up until about a year ago, GitHub was the example that would be given if you asked the question.

And now it’s gone.


Why do we need to be charitable to Microsoft?

Did we lose our ability to consider them the evil empire?


There’s a lot of “won’t someone think of the GitHub employees” on here

Notice how the graphs have no Y axis. That's how you know it's manipulative.

This company is owned by one of the major causes of the AI boom and is hiding behind difficulty scaling, despite its parent company also being a premier source of scaling solutions.

GitHub: don't gaslight your customers.

It is not your customers' problem that you're having trouble scaling. Nobody cares. Give us the service we are paying you for and make it reliable, or else we'll choose something else.

After the words "Both of those incidents are not acceptable" the blog post should have been over. Nobody needs to hear a sob story about how your service is too popular.


This whole thread is so embarrassing for GitHub.

The idea that you would change your product design in this way as a quick fix to solve a performance problem is insane.

This would be like if the battery life on a MacBook Pro was too short so Apple fixed it by removing the screen.

Job’s done, boss!


In a large enterprise if you task a front end team with solving a performance issue that is caused by the back end, invariably they’ll hack together some workaround… in the front end.

People only ever solve problems in the areas they have control over, whether that’s where the root cause is or not.


Waymo and other taxi services are inherently bad for cyclists compared to increasing transit utilization and providing more ways to walk and cycle that feel and are safe.

They’re even bad for drivers as they are more detrimental to traffic than personal car ownership. They take up space on the road even when they aren’t being used to transport anyone.

I think we should spend less time worrying about ride share policy and spend more time working on the root cause of the need to drive so often.

Achieving this goal is not something that necessitates giving up single family homes, or suburbs, or small towns, or the ability to own a personal car, or anything like that.


Being around a Waymo makes me feel WAY safer than being around a human driver. If more cars were replaced, I would probably bike even more.

Seriously, Waymos follow at a respectful distance and overtake me safely. They stop at stop signs. Sometimes they even stop and wait for me to make a decision about which way I'm heading.


It's not "human driver versus waymo driver," it's "car versus no car" or "10 cars versus 2 cars" or "fast cars versus slow cars."

No, it's the human driver vs the Waymo. I'm not going to entertain fantasies where all the cars magically disappear from the road; there's no political will for that and no politician is dumb enough to try.

To be perfectly clear, the difference between an empty road and a Waymo is mostly academic if you're on a bike. The Waymo is just that good at respecting space.


I’m not talking about cars magically disappear from the road, I’m specifically talking about taxis and rideshares versus using another way to get around, which even includes personal car ownership.

Studies have shown repeatedly that rideshares lower transit usage and don’t reduce personal car ownership.


Improving transit and allowing Google to blow $100B on making cars drive themselves are not mutually exclusive.

In the US, in particular, last mile transportation is mostly done by car. Transit cannot economically serve low-density suburbs.

In a city? It depends on price versus convenience. As more and more cars drive themselves, the city can get away with taking back more and more space for transit and cyclists. People should choose mass transit because it's convenient, not because there's no way to call a car.


But the studies say that Google blowing $100B on self driving cars changes human behavior to take less transit which then costs taxpayers money because transit ridership and revenues decrease.

This idea that companies have to be allowed to do business however they want is not something we just have to do.

We can as citizens and governments say “no, you’re not allowed to run a robot taxi company because it’s overall bad for our city.”

Laissez Faire capitalism is an ideological cancer to American society.


> Waymo and other taxi services are inherently bad for cyclists compared to increasing transit utilization

Anecdote: I take transit way more in San Francisco with Waymo. Because booking is deterministic (it says 20 minutes, it will be there in 20 minutes, even if it’s a short ride), I can connect with the loose network of city and regional rail systems in a way that was tedious with human drivers.

(I lived in New York for 10 years, and eagerly take the subway there.)


Which, again, is a band-aid to bad regional transit connectivity.

> a band-aid to bad regional transit connectivity

Maybe. American suburbs are already spread out. It doesn’t make sense to run subways to every corner the way we do in urban centers. Doing last mile with shared transport—versus cars which park idle for most of the day around train stations—makes sense.


Did I say we should run subways to every corner?

Here’s a nice video about how small suburbs and even farms don’t need to involve deep car dependence:

https://youtube.com/watch?v=ztpcWUqVpIg

Meanwhile, Arlington, Texas has over 200,000 people with no bus system.

And before you say “oh it’s Europe it’s old” I will point out that the Netherlands had a huge car dependency problem in the mid-century and deliberately moved away from it during/after the oil crisis.

You can see multiple single family home developments that would be right at home in a US suburb in this video. The author even reaches a rural farm without a car.

What about if American transit authorities just did basic stuff like work together and perform actual regional planning rather than working in silos and having conflicts with each other?

For example, there’s zero reason why NJ transit should be a different agency than NYC’s transit authority. They should be the same agency that works toward a comprehensive regional transit system focused on the metropolitan area rather than arbitrary state borders.

Instead, they’re forced to do things like sell $100 World Cup train tickets because they haven’t been empowered to reap the rewards of the economic development they enable.


> For example, there’s zero reason why NJ transit should be a different agency than NYC’s transit authority. They should be the same agency that works toward a comprehensive regional transit system focused on the metropolitan area rather than arbitrary state borders.

This is something that I found pretty bizarre visiting the US. The transport is _so_ regionalised. San Francisco has a separate bus system to South San Francisco (which is as far as I can see just a suburb for practical purposes), for instance.

It doesn't generally make sense to split transport authorities strictly across administrative geographical lines, particularly where the administrative regions are small. For instance, London basically gets away with TFL occupying the same general geographic area as Greater London, but only because Greater London is _vast_. If you tried this with Dublin, it would never work, because the Dublin City administrative area is tiny (Dublin Bus operates in _seven_ local authorities, and its commuter rail lines all cross at least three).


> Here’s a nice video about how small suburbs and even farms don’t need to involve deep car dependence

I’ll watch in detail, thank you.

An important caveat, though, and it’s not about age but density. The Netherlands ex Amsterdam has just under 1,400 people per square mile. That’s still denser than every single U.S. state. (New Jersey and Rhode Island are the only two that break 1,000, and only the former if we exclude each state’s largest city.) The tenth-densest state, Pennsylvania, is still almost 5x less dense than the Netherlands, and again, I’m doing this for the Netherlands ex Amsterdam.

We can absolutely build more transit in our metropolitan centers. But the layout of America, in part driven by history, in part by our embrace of car culture, forces fundamentally different transport optima than almost anywhere in Western Europe.

> there’s zero reason why NJ transit should be a different agency than NYC’s transit authority

Same reason the Dutch and German authorities are separate.


I'm not sure why you would compare states to cities?

And while The Netherlands as a country is dense, the cities are not, partially due to the massive amount of urban sprawl that The Netherlands has (compared to other European countries).

Amsterdam has a density of just under 5,000 people per square kilometer. That is way less than New York City, and less than any of the boroughs except Staten Island. Manhattan comes in at 28,000, so over 5 times more. Amsterdam Metropole has only 950 people per square kilometer.

NYC, San Francisco and Boston are massively more dense than Amsterdam. Chicago, Philadelphia and Miami are about the same. Washington D.C. and LA are only slightly less dense.


> But the layout of America, in part driven by history, in part by our embrace of car culture, forces fundamentally different transport optima than almost anywhere in Western Europe.

It’s worth pointing out here that,

1. Again, this is an ongoing choice and not an inevitability.

2. A large amount of America was built during the railroad era and a lot of urban fabric was actually just removed/demolished and could be replaced. A lot of it sits empty waiting to be rehabilitated (and to many cities’ credit, a lot of it has been rehabilitated).

3. When you watch the video you’ll see it’s not all about density, it’s also about road and street design. It’s about making spaces that feel safe to exist in as a pedestrian or cyclist. Many suburban Americans don’t actually travel that far to get around, they just can’t get places without getting in a car (e.g., a typical big box store area is a dense shopping area just like a typical high street but traversing it on foot is hostile).


> Same reason the Dutch and German authorities are separate.

Are there any major metropolitan areas that cross Dutch and German borders?

Is there a customs border between Hoboken and NYC?

Of course NJ Transit and NYC transit should combine in the NYC metropolitan area, they are serving the same people.


To add, The Netherlands in the 1970s was going full-on towards suburbanization and urban sprawl. Even today it has one of the lowest amounts of apartments in Europe and the most urban sprawl. So if they didn't go for bicycles, it would have been America 2.0. Just look at Ireland.

In other countries bicycles aren't really needed because you can just walk everywhere.


Yes! Thank you. People just assume because Netherlands = Europe that it’s all old world walkability.

In a lot of ways the cycling in the Netherlands is almost a band-aid in itself…but it’s a hell of a lot better than depending on the automobile.


We live in the real world and have to work with what actually exists. I'd love it if my city had Tokyo's rail system, but it doesn't, and won't.

We actually don’t have to work with what exists. We actively chose and continue to choose what exists. Every day new land is developed that perpetuates these choices. Every day we decide to keep things the same or implement change.

Here’s a nice video about how rural towns can be configured to not be car dependent:

https://youtube.com/watch?v=ztpcWUqVpIg

You’ll notice that this isn’t some ancient European pre-automobile city stuff, you’ll see many single family home tract houses in the suburbs and small towns of the Netherlands that would be at home in any American suburb. The Netherlands did struggle with post-war car-oriented development that it has successfully pushed back against.

If you live in Arlington, Texas, you live in a city of over 200,000 people that doesn’t even have bus service.


> We actually don’t have to work with what exists.

Sure we do, by definition.

We can work to change things, sure. But for many places in the US (especially established cities) this is a monumental effort. For example, I live in San Francisco. I wish we had more subways. Our bus system isn't bad, and they've converted/added many bus-only lanes over the past several years, but buses are still at the mercy of traffic (as well as traffic lights). Our light rail has large above-ground portions, some of which has to deal with traffic, some not (but all have to deal with stop signs and traffic lights).

I live a block away from 3rd Street, where the T line runs up and down the eastern side of the city. However, nearly all of it is above-ground. There's an express bus that runs between where I live and Market street, similar to the T's path. The bus is usually significantly faster than the train. If the train was entirely underground, I'd expect it to be as fast as the express bus (at the very least, it would be more consistent than the bus).

How would I, personally, go about changing this? You say "we" actively choose, but what is "we"? I don't have control or even influence over the collective consciousness. I feel entirely powerless to change the status quo. Even if I could get the ball rolling on this, it would likely be 15+ years before the project is completed. Will I even be living here then? I'm not sure.

From your comment, it sounds like your suggestion might be to move to a small town, and work to change things there, where it might be easier for individuals to make a difference. While that's not completely unreasonable... I don't want to live in a small town in a rural area. I grew up in suburbs and semi-rural areas, and while I had a perfectly fine childhood, I much prefer an urban environment. Yes, I'm restricting my options this way, and perhaps missing opportunities to live in a place where I can change things. But I have a finite amount of time left in my life, and I need to be selective in how I spend it.


The summary of your comment is basically "why put in any effort at all?"

Intro sentence: We can't change anything, by definition. (This is a strange definition because last I checked the highway system was built, it didn't just fall on the earth from the sky)

Paragraph 1: It's too hard! Weird, because hard stuff like putting a highway underground in Boston seemed to be "worth the price" rather than investing in transit solutions. (The Big Dig cost $2.8 billion, over $7 billion adjusted for inflation, which would have built out a heck of a commuter rail system in Boston. They could have just removed the highway entirely rather than burying it)

Paragraph 2 and 3: How do I change things? Who is "we?" Well, a lot of people ask this very question and join up together in advocacy groups, run for public office, etc.

Paragraph 4: assigning false conclusions to my comments. I am not suggesting you move to a small town, I'm not sure where you got that idea. I'm not sure why you keep saying you can't change things. Have you tried to change things? How much time do you spend per week advocating for what you want to see in the world? How much physical effort are you putting into it? Change doesn't just manifest.

More examples of citizen-induced change:

https://www.cnu.org/what-we-do/build-great-places/embarcader... (with the help of a major natural disaster making the right choice more obvious)

https://clevelandhistorical.org/items/show/55

https://usa.streetsblog.org/2013/02/20/the-origins-of-hollan...


> Every day new land is developed that perpetuates these choices. Every day we decide to keep things the same or implement change

This is a great argument. Retrofitting America is one discussion. But building new developments such that they don't require a car–at least within themselves–should be doable.


I still think it’s worth observing the Netherlands as an example because they also had mid-century car-oriented development that they successfully retrofitted.

And of course, also, this doesn’t mean “nobody owns a car in the Netherlands.”


Do you have a good source on that retrofit?

one particular video focused on one specific neighborhood: https://www.youtube.com/watch?v=ARjrpb_FOcs

Personal cars also take up space on the road when they aren't being used. It would be much easier to build physically separated, safe biking lanes and drop off areas if we could use all the space we currently dedicate exclusively to personal vehicle parking on public streets.

Not usually, and not in the same way. They are usually parked in a parking spot or garage.

Taxis and Waymos stop in areas that are explicitly marked not to stop or park.


Taxis (and Uber etc) also take up space on the road when they only have their driver and no fare paying passenger on board, so I don't see that a Waymo is any worse than that.

Both human-driven and robo-driven taxis are financially incentivised to spend as much time as possible carrying fare paying passengers and as little as possible driving empty to pick someone up.

Anyway, I agree that walking, cycling, and public transit, are all IMHO preferable to any form of taxi.


>> Waymo and other taxi services are inherently bad for cyclists compared to increasing transit utilisation and providing more ways to walk and cycle that feel and are safe.

This is nonsense. Even in places with great public transport a lot of people own cars because taxis and Ubers are unreliable or unavailable. Given Waymo should be available at any time of day and not pick + choose rides as randomly a lot of car owners should be able to give them up.


Studies have proven over and over that rideshare/taxi is bad for traffic, reduces transit utilization, and doesn't reduce personal car ownership.

Example: https://www.nature.com/articles/s41893-020-00678-z#Sec8


Liquid Ass enters the chat, Apple can’t even make rounded corners anymore.

I was burned by the 2016 MacBook Pro keyboard, and once Liquid Ass was announced I knew it was time to get out.

Sold my MacBook Pro M2 Pro, which has a stupid gigantic notch that blocks the menu bar items with no built-in mechanism for getting to them when they overflow.

Now I’m on a Framework 13” and I’ve had zero issues with Linux. Everything just works. KDE Plasma is way more customizable than macOS or Windows. I’m finally able to ditch slow Homebrew and use a real package manager. I can finally play light PC games on my laptop without dealing with streaming or Crossover.

My preorder is in for the Framework 13 Pro, which looks to get even closer to delivering a MacBook Pro for Linux. Meanwhile, Apple hasn’t changed their chassis design in 5 years, while Framework updates their hardware constantly while maintaining cross-compatibility. A company with less than 500 employees is catching up to a trillion dollar corporation.

I’ve already got my fully modular LPCAMM RAM delivered and ready with no Apple tax. I’ll get better battery life watching YouTube videos than a MacBook Pro and the graphics are just as powerful as the M5 base chip.

And if something breaks I won’t have to deal with the nightmare I went through with my 2016 MacBook Pro.


I had to sell my 2016 MacBook Pro because Apple made a defective keyboard design and I had no recourse other than having it replaced with the same defective design. This repair required the replacement of the entire top case of the computer including a number of unrelated components. Without the widespread negative press and repair program, this repair would have cost hundreds of dollars.

I am willing to pay more for a product made by a company whose respect for its customers manifests itself in the design of the product.

I am willing to pay more for a product that has first-class support for non-commercial operating systems that aren’t trying to collect data and sell services.

Lately it’s become obvious to me that Linux is a better desktop experience than macOS or Windows. Liquid Glass ruined my Mac, and Windows is…well, I only ever ran it so I could play games.

Sure, Apple is cheaper, because they make more money selling you services than selling Macs and iPads combined. These are services that are advertised to you within basic settings panels of the operating system, including apps like News that cannot be uninstalled (even Microsoft allows you to uninstall apps like that!)

I don’t want to pay less for a Mac that feels slick during the warranty period but has no upgrade path and no reasonably priced way to repair even minor issues.


I grow tired of the MacBook Neo gloating and almost like a light version of bragging in articles like this. It's coded as a critique of the iPad but it feels a lot more like "I'm typing this on a MacBook Neo and it's oh soo amazing!"

Apple is essentially selling the modern version of the eMac, and I would say the Neo is almost as bad of a purchase as that product. The real selling point of the device is that it's newly in box with a warranty. If you actually go to the used market, it's easy to find a gently used machine that is much better. Any MacBook Air with an M2 and 16GB of RAM is a better purchase.

The Neo situation is the equivalent of buying a brand new $500 Acer machine versus buying a $500 eBay ThinkPad T14 or something like that. You'll get a much better laptop by buying a used laptop versus buying that brand new Acer.

The same story goes for the MacBook Neo. It'll be successful in sales, and it's a nice machine in a lot of ways, but it's one of the most overhyped devices of our present times.

It will go down in history as a device like the iPhone 5C. Save a few bucks now, but pay for it in the near future with the kind of performance you're actually getting from it. Even basic casual tasks will chug in the very near future.

Apple is selling a device that is approximately equivalent to the $1000 laptop they were selling 5 years ago and we are acting like this is a revolutionary product. And, by the way, it's not a $500 product unless you can use the education store. It's actually $600, or $700 if you are buying a configuration that actually makes some level of sense and has enough storage. $700 will buy you a 16GB/512GB MacBook Air M2, a much better machine (better screen, battery, speakers, processor, keyboard, trackpad, I/O, etc).


> If you actually go to the used market, it's easy to find a gently used machine that is much better.

A huge percentage of the population (at least in the US) is completely unwilling to buy any used consumer products. For some it is the ick factor, for others it is fear of being scammed.

> Any MacBook Air with an M2 and 16GB of RAM is a better purchase.

Is this really a better alternative if it stops getting macOS updates several years sooner? I wouldn’t buy an 8gb laptop, but they are fine for many use cases.


It seems like macOS updates have a lot more to do with underlying hardware and specs than year of release alone.

Going back to the iPhone 5C example, that phone lost updates much earlier than the 5S released the same year because it didn’t support 64-bit processors.

There are also a number of Intel and PowerPC systems that weren’t supported long due to architecture transitions.

I could very easily imagine a future version of macOS only being available on systems that shipped with 16GB of RAM.

Although on the other hand, I think Apple decides on support based on userbase as well. I imagine if they find a device is barely used or don’t sell well in the first place they would perhaps be more likely to drop support.


The Mac Neo is a great product for a large percentage of people out there who wanted to get a Mac that is well made and affordable; it is very usable for the overwhelming majority of non-tech people that want to use a personal computer today. Most of the tech sites were skeptical, and still are, but thank goodness Apple didn’t listen to them.

The same applies to the iPad. It is fine the way it is; if I personally wanted a laptop, I would’ve bought one, but my preference is a desktop computer.

I don’t sit around wishing every laptop computer was a desktop computer, nor do I want an iPad to be a laptop or even a desktop computer. It is what it is had purchase; if you don’t like it, just buy what you want. The Neo appears to be a hit, so it appears that Apple knows what they’re doing again.

