freenode/lisp - IRC Chatlog
16:11:43
katco
a few years ago i downloaded and used a PoS tagging library written in the 70s, unmodified
16:13:02
katco
part of the reason my personal projects use CL is because it's the best way i can think of to build a corpus of work and not have it degrade out from under me. i can actually build on it to create bigger and better things
16:23:34
katco
sorry oni-on-ion, i'm unsure what you're trying to say. i think we're saying the same thing?
16:25:59
oni-on-ion
katco, responding to gaze___ on bit rot. then thinking about what you said about building a corpus
17:05:37
gaze___
I've found myself becoming a software luddite where I just wanna distribute tiny executables dependent upon code written when performance and code size were important... writing guis based on win32 or whatever
17:13:58
pjb
gaze___: we've not all decided. Some fools have decided to shoot in their feet, by making incompatible changes. Their problems. If you use CL on Linux, you were good 30 years ago, and you'll be good in 30 years.
17:16:07
gaze___
yeah seriously. It's like a lisp image is an oasis from the javascript nonsense and everything proximitized by it
17:16:37
pjb
And most applications don't need a GUI, and 80% of those needing a GUI only need it for output so it can be a CLI generating pictures or movies…
17:17:18
pjb
And even if you think users need a GUI for input, you'll be happier if you can take text input and process batch instead of interactive.
17:17:42
gaze___
I soooorta agree. Having a gui for running scientific experiments interactively is very nice
17:18:06
gaze___
or having a gui for tweaking parameters on a virtual synthesizer for making music is very nice
17:18:34
gaze___
do I wanna open a config file and write in +100 Hz cutoff on my filters to tweak them so they sound right? no.
17:19:43
pjb
Or if you want to manage thousands of sounds at once, you bet you want to do it with a script.
17:25:43
gaze___
this feels like my mom telling me "we have that at home" when what we have at home isn't actually the thing I want.
17:28:35
anamorphic
Cool. I was reading about QGAME recently (Quantum Gate And Measurement Emulator). It had a GUI
17:29:46
gaze___
one already exists that our lab uses... uses python and pyqt. Coming from a background of driving experiments entirely from a REPL, having an interactive gui makes the experimental experience much much better.
17:30:53
gaze___
experimental physics is a continuous exercise of trying to budget time, trying to figure out if one should spend time automating something, or if one should grit their teeth and be the human control loop that makes the experiment work "by hand"
17:31:24
gaze___
so being able to tweak things by hand and get instantaneous feedback is just fantastic.
17:32:59
dim
about UIs, nowadays lots/most of them are on the web, so make your program a lisp image that embeds a webserver?
17:33:55
dim
gaze___: also have a look at clasp and CANDO projects where they have a Jupyter Notebook kernel for common lisp full with 3D output support
17:48:06
gaze___
you think so? I have the impression that microsoft is super good about backwards compatibility
17:48:22
gaze___
I'm sure they want to kill win32... but I sorta doubt they'll really kill it any time soon
17:50:35
gaze___
I use a program called Sonnet for doing microwave simulations... the gui is all win32 and the company is really small. Just the sheer amount of software like this that people depend on
21:01:51
jmercouris
are there any exploits in any of the common implementations? how are these handled?
21:16:38
pjb
On the other hand, we're not a prized target. Too much work for too few systems to crack…
21:22:18
sjl_
Quicklisp wants to be a one-file install, without requiring something like OpenSSL or curl be installed on the machine
21:22:52
sjl_
So the options are either 1. Implement an SSL in pure CL. 2. FFI out to some system SSL lib. 3. Not use SSL at all.
21:23:38
sjl_
I think Xach is planning on option 3, by implementing some kind of cryptographic checksum algo in pure CL (which is *much* easier than implementing full TLS) and then validating the packages downloaded to be able to tell if they've been tampered with on the way
21:24:18
sjl_
VPN doesn't help you if the "middle" in "man in the middle attack" is between your VPN endpoint and the Quicklisp servers
21:25:24
sjl_
You can also set up an HTTP proxy and tell quicklisp to use it (the quicklisp servers actually already support ssl), but last time I tried that I couldn't get it working for some reason. I can't remember why.
21:27:26
sjl_
There's also https://github.com/slime/slime/issues/286 / https://github.com/slime/slime/issues/511 which the slime people probably won't fix unless someone exploits it on their machine
21:29:00
Xach
The quicklisp installer file (quicklisp.lisp) includes an openpgp key and openpgp key signature verifier. it's used to verify fetching the rest of the client. the client includes code to check the sha256 checksum of downloaded archives.
21:29:09
sjl_
Then pay some cryptographers to audit it, etc etc. Checksumming is almost certainly *far* more practical.
21:29:17
Xach
this scheme is not deployed yet. i am still thinking about key management and expiry and stuff.
21:29:21
jmercouris
sjl_: I know about the slime issue with local attackers, but I don't see how that's even an issue really
21:29:44
sjl_
jmercouris: someone is already on your machine -> every web page running javascript ever
21:29:57
Xach
Sometimes I feel like just pushing it out and fixing problems as they come, sometimes I feel like I should test more
21:30:19
sjl_
Xach: can we volunteer to be guinea pigs by downloading a special version of quicklisp?
21:31:08
jmercouris
I don't know, it isn't my software, however I wouldn't feel comfortable making releases on such a critical piece of software without very thorough tests
21:31:57
Xach
sjl_: I did that a while ago and the results were promising, but some of the infrastructure to make it work is not set up - recent releases don't have the checksums published and signed.
21:33:51
jmercouris
sjl_: Why does OpenSSL need 550k lines of code? what is it doing that is so complex?
21:35:09
jmercouris
for example, how could one have written test suites for the exploits on intel chips?
21:43:00
Xach
There are issues involved with implementing eavesdrop-proof communication that are different from implementing signature/checksum verification.
21:43:19
Xach
Maybe it's possible and worthwhile in CL but it is not something that interests me due to my impression of the difficulty.
21:44:28
sjl_
A better comparison might be Go's TLS implementation, which is ~13k lines of code. If you're Google, you can throw money at cryptographers and security engineers to write/audit a TLS library for your language.
21:44:47
sjl_
But in a smaller community without piles of money, that's probably not going to happen.
21:45:27
sjl_
It's much, *much* easier to implement a single checksum algorithm than even a decent subset of TLS.
21:45:36
Xach
I am always on board for implementing something in CL even if it's slower or clunkier because I love to avoid FFI.
21:46:15
sjl_
Checksum is probably the wrong word. You get the initial Quicklisp installer over https, which includes Xach's public key
21:48:00
jmercouris
so the question is, if we can verify a library is what it says it is, what is the advantage of having HTTPS support?
21:49:11
Xach
In my ideal world each CL implementation would provide the right stuff to make secure connections on all supported platforms.
21:49:53
jmercouris
last question, your above statement implies some implementations provide support for secure connections
21:49:54
Xach
If all implementations that Quicklisp supports also supported secure communication, things would be done by now.
21:56:42
jgkamat
sjl_: I'm actually planning to write an exploit for that slime issue at some point, chrome has some raw TCP apis exposed to js and I want to give that a shot. I'm super busy though so not sure when I'll get a chance to work on that
21:57:24
sjl_
As long as you're nice and present it as a proof-of-concept, and don't actually exploit anyone's machine, that would be valuable.