jeff 👨💻What are some examples of xkcd 2347?
OneDimensionPrinterLeft pad https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/
This is the one I came to post about. The fact there's a library for this is so stupid to me.
I feel like it demonstrates how npm and modules have probably to some degree gotten out of hand.
AnonymousLlamaFrom memory the NPM blokes had to have a think about how they handle important packages because of that. Didn't they revert the changes to left pad to ensure everything else didn't break?
Fascinating to see the house of cards some of these solutions / libraries are built off
Yeah I'm pretty sure Github themselves restored the package if I recall correctly
JackbyDevYes. They added it back. The policy now is that you can't remove packages that are depended on (or something to that extent, I don't know the specifics).
SpiritreaderThat's always the one I'm thinking of when anyone mentions the xkcd.
npm is one crazy infrastructure.
themoonisacheeseThis famously broke builds at Facebook.
kateWho maintains ffmpeg?
Looks like there has at least been a small team working on ffmpeg for some time. https://en.m.wikipedia.org/wiki/FFmpeg#History
There was some drama in the past with the Libva fork, but it's mostly all passed by now.
Log4j was a fun one to watch unfold everywhere when things went haywire
The neat thing about the log4j thing was even a cursory explanation of the vulnerability made anyone with a passing familiarity with security say, "Why the fuck would that even be a feature?!"
What was it?
sillypuddyhttps://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896
Basically it involved parsing JNDI stuff which involved grabbing remote code (but that was a niche feature of JNDI in the Dev's defense). Basically, you may think it is just something like variable substitution but can involve much crazier stuff
Wait until you learn that PDFs support embedded Javascript.
????????? What the what now?
elracThat one was so annoying because you had to be using the log server to have any issues. If your network was locked down, the log server was disabled, or if you happened to be using a version that was from before the log server was added, then there were no issues. But clients just heard "log4j" and thought it was unsafe.
That was not a fun week to be a developer.
As a non-java company developer at the time, I think our biggest challenge was explaining to everyone that Log4j didn't affect us. It took a non-zero amount of effort because a lot of customers panicked. To be fair, it was also an industry where confidentiality is important.
Also a lot of people were pulling it transitively.
Oh man. I missed it by like a month. I graduated with my bachelors in December, and started in January. I was hearing horror stories from my new coworkers about how people had to cancel vacations to get stuff patched asap
It was if none of your code used log4j. I remember being very grateful that I had chosen
java.util.logging and Logback for my Java logging needs.
Lol, yeah for us we didn't own any of the code that used it but depended on server software made internally that did. At the time we managed our own hosts, so it was a long week of deployments.
Public NTP time servers have occasionally been that piece of infrastructure.
NTP is used for synchronizing computer clocks, ultimately using highly-accurate time sources such as atomic clocks. The most authoritative public time servers tend to be run by research universities, national labs, and so on.
Multiple home router vendors have sold devices configured to poll university NTP servers vastly excessively; effectively running a denial-of-service attack against public infrastructure. In a few cases, public time servers have closed down because of abuse by misconfigured consumer devices.
https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse
FORM https://en.wikipedia.org/wiki/FORM_(symbolic_manipulation_system)
Recent news article: https://www.wired.com/story/a-crucial-particle-physics-computer-program-risks-obsolescence/
Nodejs left-pad
https://www.theregister.com/2016/03/23/npm_left_pad_chaos/
spartanatreyucURL was one of these for a while (according to my limited understanding)
It was made in the 90s and it didn't get commercial support until a few years ago.
Sci-Hub anyone?
Alexandra Elbakyan manages this truly awesome source of scientific papers completely on her own. She got sued twice and lost, had to change the URL multiple times due to takedowns and only gets along by donations.
It is a crime to humanity to lock knowledge behind a huge paywall. She does God's work.
And it's not like the actual scientists/academics support knowledge being locked away either, or profit from it.
a_statisticianshit, scihub is easier to use than the library, so we're all grateful to her too.
She’s the best thing that’s happened to the s scientific publishing field. I’m no longer a student but I still enjoy reading scientific papers and I’ll be damned if I have to pay $20 per article (which doesn’t go to the authors) since I no longer have access to a library that maintains relationships with these big publishers.
As a game developer ImGui comes to mind.
The Network Time Protocol was certainly one of these for a long time, although I think it gets reasonable support now.
Having the clock read the same on all the computers in the world makes so many thing possible.
A bit older, but how did time even get standardized between time zones so we’re all synchronized to the same minute / second, only being different by the hour?
Oh you're in for a great story! It mostly comes down to the American railroads, but you can listen to a good podcast on it at https://www.npr.org/2019/06/07/730727038/episode-918-the-day-of-two-noons
Werner Koch, the guy who created, and who has maintained for 30 years now, pretty much all by himself, GnuPG, the modern email encryption replacement for PGP.
Just the other day, I realized I actually live just a few kms away from the guy, here in Germany ... very tempted to reach out to him someday and actually buy him an actual coffee.
That was the one I couldn't remember, I got GPG and PGP confused but I remember it involved email encryption.
This guy was the reason that every security dev had those personal public keys clearly posted next to their email address on every announcement and blog post they ever released.
JWBananasWould you like to hear an OpenSSL joke?
It's 64k letters long and you can repeat it back to me when I'm done.
It's "A".
I don't get it. What's funny about "A complete film set up for the day less than a week and a half hours or so to get a new Hampshire the same thing we have to do yay for it to be done with the repellant the same thing we have to do you have to be a car or a goat does it make you feel better than I expected it to my mother-in-law and I will be there in a few minutes to be there for you to get back to me is getting a little bit of a man on the way to work through the ditches the other day and I will be there in the morning and I will be there in the morning...
/c/YourJokeButWorse
Did you just keep tapping the center predicted text suggestion?
muttleyThe core-js library is used by 1000s of top websites and is maintained by one guy
https://github.com/zloirock/core-js
He also went to prison
That feels it went seriously bad
HighsightIt's honestly a fascinating read. We count so much on these kinds of people to keep our way of life intact, but when they ask for a little help in their own life, they get spat on.
It's really, really sad that this sort of stuff doesn't get picked up and funded for the greater good. Stuff like the NLnet Foundation exists, which has helped fund some pretty major projects (including the development of Lemmy), but something this critical I feel should be consistently funded by even larger entities in order to keep things working right.
Not a package but FilleZilla is developed by Tim Kosse for over 20 years. I know that there are a lot of other FTP-Clients but FilleZilla is my favorite. Easy to use and very very stable. There is a pro version sure, but most of the time the regular one does the job. My company throws thousands of dollars a month at Adobe, Microsoft and others. But they would never even think about giving anything to Tim Kosse and others, even though I've probably saved days of work with tools like this.
ilovededyoupiggyMy company's anti-malware started triggering on filezilla's installer a few years ago because they started packaging apparently sketchy ads in it. Dunno if that's still the case or not. I ended up switching to WinSCP instead. (Which I believe is actually another example of just one or two guys running that show too.)
I believe a great example is... you know... the entire internet.
A developer maintained a NodeJS package called left-pad that would add leading whitespace to strings. He unpublished the package and broke basically the entire Node ecosystem until the repo owner forcibly republished it against the author's wishes.
rimukbin
TzData is basically maintained by 2 guys. Pretty much every computer, phone and language relies on this database for timezone information.
RenderDoc is made by one person. It's used by every graphics programmer. It's free, open source, faster + better than anything else. I love it.
Look up a machine called Therac-25. great example of this. Terrifying.
That's terrifying!
I'll save the next guy a search https://en.wikipedia.org/wiki/Therac-25
Tl;dr:
The Therac-25, a radiation therapy machine produced by Atomic Energy of Canada Limited (AECL), was implicated in six accidents between 1985 and 1987 where patients received massive radiation overdoses due to software errors.
Standard JS. It's a library maintained by one guy in Russia who went to jail for some car accident (I don't have the full context). He needed money and had trouble getting it. Then the Ukraine invasion happened and that only made it more difficult for him to get money. Also he was harassed by less technical people seeing his code on websites thinking it was malicious.
It's really a sad story to me.
You mean coreJS, not standard JS, right? But yes, it's a sad story.