freenode/#lisp - IRC Chatlog
11:44:35
jmercouris
the only thing I see is this discussion I participated in a long time ago: https://www.reddit.com/r/emacs/comments/a8d61y/help_with_porting_elisp_to_cl/
11:57:50
phoe
also https://news.ycombinator.com/item?id=21665987 is a relevant discussion from not too long ago regarding compiling elisp
12:00:00
jmercouris
that's an interesting discussion indeed, though a lot of the comments are parroty and 'talk to talk' type things as is common on YC
12:03:22
jmercouris
or rather the two-edged sword, convenient, but very deadly, and you cut yourself a lot accidentally
12:04:24
_death
how would an elisp interpreter be helpful?.. elisp is a language for emacs, which has abstractions like buffers, windows, markers, fonts, and a ton of other things
12:06:53
jmercouris
froggey: a very straightforward solution, but a very lengthy and long one :-D, I do admire your persistence and dedication!
13:24:27
pjb
jmercouris: my solution is to develop a C compiler targetting CL so that we may compile GNU emacs into a CL lisp image.
15:45:33
seok
At the moment my option is to use third party image storage/hosting just for image validation
19:30:34
adam0001
New Ubuntu system, I notice ~/quicklisp/setup.lisp is in the hidden directory ~/.quicklisp/setup.lisp Should I uninstall and reinstall using Quicklisp method?
19:35:25
MichaelRaskin
I have multiple QuickLisp installations in various very non-default locations, and I never have any problems with that
19:38:34
adam0001
OK. Thank you. It seems that the Lisp of others often expects it in the non-hidden directory.
19:39:17
adam0001
So, no real convention I guess. Will take another look at the Quicklisp install notes.
19:39:46
MichaelRaskin
Well, I load mine manually. (Of course that could go into .sbclrc if you have exactly one installation)
19:40:51
Bike
adam0001: implementations don't really expect it to be anywhere. they just need to load setup.lisp
19:42:33
adam0001
a quick fix, might be to link or copy the hidden directory and file, alias it to a non-hidden ~/quicklisp/setup.lisp
19:43:22
Bike
on my system .sbclrc is set for quicklisp/setup.lisp. if i threw a period in there it would do the hidden location instead.
19:51:12
adam0001
@Bike OK. Yes, my .sbclrc has it pointing to the hidden one. So, it's simply hard-wired in the software I'm trying to run. I can change that, or copy setup.lisp to where it expects to find it.
19:53:54
seok
How would one verify user-uploaded image in common lisp? Did anyone answer me just then
19:55:23
seok
So, if someone uploads a jpg on my web, how would I ensure that it is actually a jpg file?
19:56:32
pjb
seok: you would use a jpg parser and check that it can run without detecting any error.
19:56:49
pjb
seok: it's just like for a lisp file or a C file. You use the compiler to check for errors.
19:57:04
Bike
oh, something like jpeginfo. i don't know that there's a library to do that. cl-jpeg is more about the data in the jpeg
19:57:25
pjb
seok: unfortunately, jpeg libraries are in general written without this aspect of validation. Instead, they often prefer to crash or to allow security problems.
19:58:00
seok
I'm sure there are established libraries in other established languages like PHP node or python, I'm considering outsourcing just the validation to another language
20:03:21
pjb
seok: your lisp program can be sold and used by any web server, not only by a web browser written in lisp!
20:03:48
seok
but I'm sure there are libraries already verifying user uploaded images in PHP or node
20:04:07
pjb
Writing any validating software in another programming language fails, because then you introduce more bugs than you detect!
20:04:39
adam0001
@Bike simply copying ~/.quicklisp/ directory tree to ~/quicklisp/ runs the software. Now I'm getting this which is progress. "unhandled condition in --disable-debugger mode, quitting "
20:05:32
seok
I'm actually looking for one in node, I'm surprised it is harder than I had thought to find one
20:05:56
pjb
seok: as I said, not surprising, because any non-lisp code introduces more bugs than it can detect.
20:06:11
seok
Are you telling me a simple feature such as image verification has not been implemented properly in any popular libraries?
20:07:00
pjb
seok: yes, the purpose of libraries is not to verify or validate, but to read the image.
20:08:48
seok
Then how are all these other websites coping? surely none of them are using a lisp web server
20:09:06
MichaelRaskin
I guess a _pure_ JavaScript solution would be also okay-ish safety-wise, but I am not sure one exists
20:09:12
pjb
seok: how do you think we get all those databases of personal data and credit card numbers available?
20:09:46
MichaelRaskin
They are using imagemagick, which supports a huge number of formats and is really unsuitable for untrusted input
20:10:59
seok
Yeah, I'd imagined that node would have a library verification since node servers are pretty common and so is image upload function
20:11:10
MichaelRaskin
Many sites with image upload functionality don't even do anything with images
20:12:08
pjb
seok: this would be an interesting experiment. Locate malicious jpegs, and test uploading them everywhere…
20:13:01
pjb
seok: 90% won't detect anything bad. 9% will break somehow without telling you why (you could probably hack them). And I'm very optimistic here: 1% will tell you they reject the malformed file.
20:13:17
seok
I have been having a headache for a week trying to figure this out, how everyone else is doing it
20:13:59
pjb
seok: but as I said, if you do something solid in lisp, you have a market, and given the number of web sites, you could very well end up not billionaire, but trillionaire.
20:14:46
pjb
MichaelRaskin: there are legal risks, so they may want to run an antivirus software on those files.
20:15:17
MichaelRaskin
If there were real legal risks for redistributing the viruses, Google ad network would be already shut down
20:16:40
MichaelRaskin
And there is an easy and cheap solution for sanitising jpegs. Which is not perfectly safe but safeish
20:19:28
seok
This threat is well documented risk https://www.owasp.org/index.php/Unrestricted_File_Upload
20:19:44
seok
I'm still not buying what you guys are saying that most websites if not all are vulnerable
20:20:50
pjb
seok: even plain text files can be dangerous. Recently, iOS had a problem processing some unicode encoding, so you could break its Messenger application, just by sending a SMS with some chinese or so characters…
20:20:57
MichaelRaskin
Well, given that it is enough to have a remote code execution at the level of OS network stack…
20:21:29
pjb
You don't even need "execution" as such. Any file processing is a kind of evaluation. Basically, data = code.
20:22:31
pjb
And the worst part is that it's not because you've validated some data with some bug-free library that they are good: your same data could be evaluated by a buggy program on the same system, and hose you.
20:23:49
pjb
They have people to correct things when they happen. Like the time iCloud would show you pictures of other customers :-)
20:24:36
MichaelRaskin
And also Google can afford the overhead of a few levels of isolation so that an exploit doesn't let you do anything interesting
20:25:32
seok
I should probably stick with one of these third party image hosting and link images from there until I am ready
20:26:09
MichaelRaskin
You can search for «Eternal Blue» to see how security problems are actually handled in the real world. In that case, there was a lot of coverage
20:28:11
seok
Because the one who comes up with the solution is going to release the hacks together, so the websites who don't use the patch are going to suffer
20:33:37
seok
So if there are no practical vulnerabilities why have you scared me off with our previous conversation
20:35:04
MichaelRaskin
If you are not trying to process the file, just serve it further, checking the first few bytes for a valid JPEG header is enough to make it not-your-problem (but your users' one)
22:18:45
akoana
hmm,after (ql:update-dist "quicklisp") i got debugger invoked on a QL-DIST:BADLY-SIZED-LOCAL-ARCHIVE ... The archive file "bodge-glfw-stable-7519a922-git.tgz" for "bodge-glfw" is the
22:18:48
akoana
wrong size: expected 511,390, got 39,493 but ./quicklisp/dists/quicklisp/archives/bodge-glfw-stable-7519a922-git.tgz has 511390 bytes and the tar.gz is ok, should I ignore this error?
22:30:54
akoana
as a lisp newbie I'm rather confused and have no clue how to fix this, so anyone bringing light into this is greatly appreciated - thanks in advance
22:35:21
no-defun-allowed
What's the SLIME package named that makes indentation in Emacs reasonable?
22:35:44
akoana
_death: thank you, hmm, I can't repeat the (ql:update-dist "quicklisp"), it says You already have the latest version of "quicklisp"
22:38:18
_death
is it possible that after you got that error you picked the DELETE-AND-RETRY restart?
22:40:24
nirved
could it be that the download was happening in another thread, and wasn't yet finished at that point?
22:41:33
_death
you could assume all is well until you hit a problem, or you could remove quicklisp libraries and reinstall..