Hacker News | panzi's comments

On one hand yes, sandbox everything. On the other, the extensions can still change your code, which you then run. Though you might only run it in a container at first.

I heard Zed sandboxes extensions. I should have a look at that editor some day.


Sandboxing doesn't necessarily mean isolating the extension from all potentially dangerous functions; you can have a permission system so that, for example, a color theme extension can't modify files.

Not every extension needs the ability to change your code, let alone change it without user interaction - similar to how iframe sandboxing can allow top level page navigations with user consent.

Also, modifying my code is far better than just launching, stealing everything silently, and having full control over my system. Needing to inject some sort of malware into an arbitrary project is way better.


Wasn't it more like this?

    <style>
    @keyframes blink {
        0% { visibility: visible; }
        50% { visibility: hidden; }
        100% { visibility: visible; }
    }
    
    blink { animation: blink 0.7s steps(1, end) infinite; }
    </style>

    <blink>This guy blinks.</blink>


Plus the lock file doesn't just contain the exact versions, it contains hashes, making sure that you actually got the package in exactly that version.
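What that hash check looks like in practice, as an added example that is not code from npm, cargo or the original comment: the lock file records an SRI-style "integrity" string next to the pinned version, and the fetched tarball is only accepted if its digest matches. The lock-file layout, the package name and the tarball bytes below are constructed; the acceptance rules (only sha256/sha384/sha512 count, the strongest listed algorithm decides, comparison is constant-time) are the example's own assumptions.

```python
# Added example (not npm's or cargo's code): verify fetched package bytes
# against the integrity hash recorded in a lock file.
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the bytes of a downloaded package tarball.
TARBALL = b"constructed tarball bytes for left-pad 1.3.0\n"


def sri(data: bytes, algo: str = "sha512") -> str:
    """Build a Subresource Integrity token: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def check_integrity(data: bytes, integrity: str) -> bool:
    """Return True iff `data` matches the strongest acceptable hash in `integrity`.

    An integrity field may list several space-separated tokens. Only
    sha256/sha384/sha512 are accepted (assumption: weaker algorithms are
    ignored rather than trusted) and the strongest one present decides,
    so an attacker cannot downgrade by appending a matching weak digest.
    """
    preference = {"sha512": 3, "sha384": 2, "sha256": 1}
    best = None
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo not in preference:
            continue  # md5/sha1/unknown: skipped, never trusted
        if best is None or preference[algo] > preference[best[0]]:
            best = (algo, b64)
    if best is None:
        return False
    algo, b64 = best
    try:
        expected = base64.b64decode(b64, validate=True)
    except ValueError:
        return False  # malformed token: treat as mismatch, not as "no check"
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(expected, actual)


# Constructed lock file: the entry pins both the exact version and the hash.
LOCK = json.dumps({
    "packages": {
        "node_modules/left-pad": {
            "version": "1.3.0",
            "integrity": sri(TARBALL),
        }
    }
})


def verify_lock_entry(lock_json: str, name: str, data: bytes) -> bool:
    """Look up `name` in the lock file and check `data` against its hash."""
    entry = json.loads(lock_json)["packages"][f"node_modules/{name}"]
    return check_integrity(data, entry["integrity"])


if __name__ == "__main__":
    print("pristine tarball:", verify_lock_entry(LOCK, "left-pad", TARBALL))
    print("tampered tarball:", verify_lock_entry(LOCK, "left-pad", TARBALL + b"x"))
```

The point of "strongest listed algorithm decides" is that a lock file, once committed, is the trust anchor: if a registry or mirror later serves different bytes for the same version string, the install fails instead of silently succeeding.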


How does Maven handle JNI? Is it also a build system for C/C++, or do packages with native bindings require manual build steps?


I googled a bit and found this snippet:

            <plugin>
                <artifactId>exec-maven-plugin</artifactId>
                <version>3.5.1</version>
                <groupId>org.codehaus.mojo</groupId>
                <executions>
                    <execution>
                        <id>Generate-shared-lib</id>
                        <phase>package</phase>
                        <goals>
                            <goal>exec</goal>
                        </goals>
                        <configuration>
                            <executable>bash</executable>
                            <arguments>
                                <argument>generate-lib.sh</argument>
                            </arguments>
                            <environmentVariables>
                                <JAVA_HOME>${env.JAVA_HOME}</JAVA_HOME>
                            </environmentVariables>
                        </configuration>
                    </execution>
                </executions>
            </plugin>

At least with certain plug-ins, Maven will execute arbitrary commands at build time. And if you need that to build native bindings it feels like a big hole. Granted, most projects don't need JNI, I guess.
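A check a reviewer might want for exactly this: scan a pom.xml for plugins that run external programs at build time and report the command they would run. This is an added example, not Maven tooling or code from the comment; the watch list of plugin coordinates is an assumption (extend it for your own environment), and the sample pom is constructed around the snippet quoted above.

```python
# Added example (not Maven's own tooling): flag plugins in a pom.xml that
# execute external commands during the build.
import xml.etree.ElementTree as ET

# Assumed watch list: plugin coordinates known to run programs or scripts.
EXEC_PLUGINS = {
    ("org.codehaus.mojo", "exec-maven-plugin"),
    ("org.apache.maven.plugins", "maven-antrun-plugin"),
}

# Constructed sample pom: the exec plugin from the thread plus a benign one.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build>
    <plugins>
      <plugin>
        <artifactId>exec-maven-plugin</artifactId>
        <version>3.5.1</version>
        <groupId>org.codehaus.mojo</groupId>
        <executions>
          <execution>
            <id>Generate-shared-lib</id>
            <phase>package</phase>
            <goals><goal>exec</goal></goals>
            <configuration>
              <executable>bash</executable>
              <arguments><argument>generate-lib.sh</argument></arguments>
            </configuration>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.13.0</version>
      </plugin>
    </plugins>
  </build>
</project>"""


def _text(elem, tag, ns):
    """Text of the first child <tag>, or '' when absent."""
    child = elem.find(f"{ns}{tag}")
    return child.text.strip() if child is not None and child.text else ""


def find_exec_plugins(pom_xml: str):
    """Return one finding per execution of a watch-listed plugin."""
    root = ET.fromstring(pom_xml)
    # POM files are namespaced; ElementTree keeps the namespace in the tag.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    findings = []
    for plugin in root.iter(f"{ns}plugin"):
        # Maven defaults a missing groupId to org.apache.maven.plugins.
        gid = _text(plugin, "groupId", ns) or "org.apache.maven.plugins"
        aid = _text(plugin, "artifactId", ns)
        if (gid, aid) not in EXEC_PLUGINS:
            continue
        executions = list(plugin.iter(f"{ns}execution"))
        if not executions:
            findings.append({"plugin": f"{gid}:{aid}", "phase": "", "command": ""})
        for execution in executions:
            cfg = execution.find(f"{ns}configuration")
            executable = _text(cfg, "executable", ns) if cfg is not None else ""
            args = [a.text or "" for a in cfg.iter(f"{ns}argument")] if cfg is not None else []
            findings.append({
                "plugin": f"{gid}:{aid}",
                "phase": _text(execution, "phase", ns),
                "command": " ".join([executable, *args]).strip(),
            })
    return findings


if __name__ == "__main__":
    for f in find_exec_plugins(SAMPLE_POM):
        print(f"{f['plugin']} runs '{f['command']}' in phase '{f['phase']}'")
```

Run it against the pom in a pull request and you get a one-line summary of what the build will execute and when, which is the thing to read before letting CI check out an untrusted branch.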


Last I checked npm had 2FA for publishing, but cargo didn't. I don't think cargo is any better than npm, just not as attractive a target.


A good part of it is already implemented in web crypto, which is supported by browsers and node. There is a chance that npm could implement something there without extra dependencies. Maybe I'm too optimistic?


Does Debian 12 have this patched? But I guess I'm not affected if I don't use `rewrite` or `set` anywhere?



Ubuntu has patched as of this morning. Debian doesn't look like they've patched trixie yet.


Just as a PSA, I found that "nginx -v" was not detailed about the version sufficient to check, but "apt list nginx" gave the full version number that was checkable, and indeed the 24.04 version of this morning (1.24.0-2ubuntu7.8) is patched.


I find it very unlikely that anyone using nginx does NOT use `set` at least.

Most nginx use cases are to terminate TLS and then pass the request to node/php/go/etc. So, I bet you have at least one set with attacker-controlled data on a line like 'proxy_set_header X-Host $host;'

edit: nvm. Apparently named captures are not affected. Unless you have a $1 somewhere, it should be fine.


The default NGINX PHP integration uses this:

    # regex to split $uri to $fastcgi_script_name and $fastcgi_path
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;
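To turn the "do I have a $1 anywhere?" question from this thread into something you can run over a config tree, here is an added example (not nginx tooling, not code from any commenter). It applies the thread's own heuristic as an assumption: it flags directives that reference numbered captures ($1..$9) and regex-taking directives that contain an unnamed capturing group, while leaving named captures alone. The sample config is constructed; the thread does not name the advisory, so treat the output as a list of lines to compare against the vendor's description, not as a vulnerability verdict.

```python
# Added example (not nginx tooling): find nginx directives that use
# numbered regex captures, per the heuristic discussed in the thread.
import re

# Constructed sample config mixing proxying, rewrites, a named capture and
# the default PHP split quoted above.
SAMPLE_CONF = r"""server {
    listen 443 ssl;
    server_name example.test;

    location / {
        proxy_set_header X-Host $host;
        proxy_pass http://127.0.0.1:3000;
    }

    location ~ ^/old/(.*)$ {
        rewrite ^/old/(.*)$ /new/$1 permanent;
    }

    location ~ ^/user/(?<name>[a-z]+)$ {
        set $who $name;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        set $path_info $fastcgi_path_info;
    }
}
"""

NUMBERED_REF = re.compile(r"\$\d")               # $1 ... $9
UNNAMED_GROUP = re.compile(r"(?<!\\)\((?!\?)")   # '(' not escaped, not '(?...'
# Directives whose argument is a regex (assumed list; extend as needed).
REGEX_DIRECTIVES = {"rewrite", "location", "fastcgi_split_path_info", "if"}


def scan_numbered_captures(conf: str):
    """Return (line number, directive, reason) for each suspicious line."""
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not (line.endswith(";") or line.endswith("{")):
            continue                               # blank line or closing brace
        directive = line.split()[0]
        if NUMBERED_REF.search(line):
            findings.append((lineno, directive, "references numbered capture"))
        elif directive in REGEX_DIRECTIVES and UNNAMED_GROUP.search(line):
            findings.append((lineno, directive, "regex with unnamed capture group"))
    return findings


if __name__ == "__main__":
    for lineno, directive, reason in scan_numbered_captures(SAMPLE_CONF):
        print(f"line {lineno}: {directive}: {reason}")
```

On the sample above the plain proxy block and the named-capture block are silent; the rewrite with $1 and the PHP fastcgi_split_path_info line are what come back, which matches the two positions taken in the thread.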


Is NTSYNC used for anything else other than wine/proton?



One wonders if it uses futex and poll under the hood, why not?


Doubt it. No linux-native application would be designed to use a Windows API.


So are certain states of the USA: https://www.ipvanish.com/blog/ban-vpns-us-privacy/

It's horrible everywhere. If you're in the EU go donate to: https://epicenter.works/ They're a citizen rights NGO working against all that BS in the EU (and in Austria, where they're from).


What use cases do you see?


Checking 3d models in a directory inside my terminal to see what's what without opening an application and clicking 100 times.


.. over ssh. In a tmux. After disconnecting and reconnecting.


Yea, gotta be honest here; I’m struggling to see many use cases here other than 3d graphs. I really don’t need a spinning 3d rat cursor.


We could bring back the 3d file browser and render it in the terminal now.

https://youtu.be/dFUlAQZB9Ng?si=3fE-vE8xF5rSVhRR


Game development.


Pranking your co-workers.

