The question is, do they have an audible reverse gear warning like European trucks?
Oh my, that's really an awful case of stuttering...
When George Mallory, the guy who attempted to climb Mount Everest several times (and almost succeeded, though the most successful attempt was also fatal in the end), was asked why exactly would he try to climb it, as it was extremely dangerous and he wasn't even a scientist or a cartographer, he said one simple thing.
"Because it's there."
Sure, there probably are some practical purposes for a version of Debian running the FreeBSD kernel, but whatever those might be, I think it's not a matter of "what for" but of "why", and this in turn is answered by the aforementioned quote.
Someone wanted to do that, probably just for the heck of it, someone else thought that it might be fun, they joined their efforts and did it. A good part of the whole FLOSS and academic research worlds works like that. Nothing wrong with that, IMHO.
Ah, so the clown must have been a member of the Judean People's Front!
Buy your own domain, attach a Google Apps account to it. The best of both worlds, truly.
30V through skin, 5V or probably even less otherwise. There was a moron (AFAIR, a soldier in training) who killed himself using a 9V battery-powered ohmmeter by sticking the pointed probes into his thumbs, through the skin. You see, blood is an electrolyte, it conducts electricity quite nicely, and the shortest path from one hand to the other using blood as a conductor is through the heart...
Just as I was thinking of some way to spice up a Call of Cthulhu adventure located in Australia for my players - a million years old crater from the aboriginal dreams pops up, and it's a genuine, real one. A little too far to the east for the original plot location, but that's nothing, just might be a tad more difficult for them to reach. Brilliant.
1. Click on the "Sections" header on the left.
2. Click on the very first radio button in the list of topics that appears.
3. Scroll down and click "Save".
4. ???
5. Profit!
He can't be British anyway, he'd say "bloody hell!" if he were...
The point remains, however: all the pirate supporters on this website don't like it when you shove their arguments back in their face.
Slashdot user base is big.
Didn't it occur to you that these might be completely different individuals?
You know a CoC game master when you see him.
However, you need some more experience to be able to truly become the one behind all the evil geniuses the investigators try to stop.
In this case, one of the investigators should become a schizophrenic due to past mental strain and suffer from terrible nightmares and symptoms of sleep deprivation even though he goes to sleep each night (or so he thinks), and at the very end it should be revealed (that is, if the other investigators are still alive and doing well enough to reluctantly let them win), Fight Club-style, that the evil genius and leader of the local Cthulhu cult was the investigator's secret second personality acting at night, and not only using himself (that is, his original personality) as an ignorant pawn, but also his friends who join the "investigation".
And this *is* true evil genius.
Nothing a trip to the coffee shop around the corner won't fix.
A friend of mine has a modified ThinkPad fitted with three WiFi adapters (one IWL, one Atheros with AP/bridge functionality, another Atheros for quick scanning and data dumps on multiple channels) with external high-gain antennas and basically the only thing that keeps him from having net access virtually everywhere is the CPU power to crack keys. Luckily for him, the biggest telecom around here gives out wireless routers with preset (permanently!) WPA keys generated from the subscription ID - they're all of the same length and share some character patterns, so a laptop CPU is able to crack them in a few hours. For others, he could be actually interested in such a service, maybe if it were a bit cheaper.
The key word here is "might". It might, it might not.
And the very same thing can be said about 8.0, 3.141592 or 666.456.789 with the same implications about being properly tested and maintained and other things you pointed out in the rest of the quoted paragraph. I've seen too much post-1.0 buggy crap to believe otherwise.
I'd change your definition to "before we consider the initial version of our work complete". This is exactly why I mentioned sub 1.0 version number in a piece of free software. It means there is no marketing department requiring bumping up the version number to impress anybody.
So, as you say, the devs themselves don't think it has the capabilities to be granted the 1.0 number. For whatever reasons they feel.
Well, that's what I had in mind. 1.0 is the point where the devs can do a high fiver, pull out the bottle of champagne and (when sober again) start thinking about completely new features. The exact point of completeness is, however, absolutely arbitrary. There are projects being released under version numbers in the 0.1-0.5 range with more features and better stability than similar projects already at 2.x or something like that, because the latter were aimed for a much smaller feature set. Interestingly, there are even projects that go for 1.0 asymptotically - the philosophy behind them being that 1.0 is a perfect solution to a given problem (as opposed to your "initial version" view), and perfect is impossible, so an actual implementation should never be released as "1.0". Still other projects are using the 0.1-1.0 range much like 1-10, to indicate further *stable* generations (the minor version number then belongs after the second decimal point), and only advance the first number on major project philosophy and structure changes (like, switching programming languages or major libraries, redoing big parts from scratch for better maintainability, turning a client-side GUI app into a web app, adding a whole completely new and different set of tools or features, changing protocols or file formats without backwards-compatibility, etc.), which might actually result in the version 1.0.15 being much less stable and complete than, say, 0.7.46.
All in all, making a broad statement about a project based primarily on its version number is IMHO more in the realm of haphazard numerology than engineering and professional (as in "done in accordance with the best practices", not necessarily "done for money") risk assessment for software deployment.
You are not inflammatory, you just give more meaning to the position of the first decimal point in the version number than it deserves.
Would the software magically be better if the version was 8.0? 2009.12? 3.141592? 666.123.789? There are many post-1.0 applications that are hopeless, buggy crap, quite a bit of them even commercial, and just as much sub-1.0 software of high stability and overall quality.
In this case, as with many FOSS projects, the sub-1.0 numbers probably mean "there are still features to be added before we consider our work complete". The keywords are "we", "consider" and "complete". "We" != "any other user with a different set of requirements", "consider" != "claim as absolute truth", "complete" != "stable". In other words, a 0.8 version might be perfectly stable, just not feature-complete from the author's point of view, and perfectly sufficient for a subset of potential users with less sophisticated needs.
And why 0.8 and not 2.3.075? My best guess is "because they could and they liked it better."
Case closed, have a good day.
Looks like this is "just for fun" or to learn new, interesting things. A good reason, if you ask me.
Having used both briefly, I can't think of a good answer other than "try both" or "flip a coin" - neither is better or more interesting than the other and both are different from Linux in many subtle ways, enough to force you to learn something, and to cause that funny feeling when you perform some learned, almost mechanical tasks as if it were Linux and almost forget it isn't, when suddenly something unexpected happens (as in, a command having completely different output formatting or existing under a different name, or a subtle difference in directory structure, not a spurious rm -rf /, hopefully).
Looks like you've got a naughty kerning algorithm...
Oh, well, I'm glad that most of the anime culture has one thing in common, despite the (impressive, indeed) diversity - a sense of humor. Humor, which is present in all but the most serious and gloomy works, and often expressed in making fun of the work itself.
Besides, if you bothered to read the second sentence of my post, you could've even realized that it doesn't belong strictly on the "linux side".
Neither Tux, nor any Ubuntu release mascot I know of has tentacles.
OTOH, one of the protagonists in NGE was a penguin, so there's still hope for acceptance...
Well, it makes. For the website author who just wants to have the goddamned statistics presented in a convenient, easy-to-digest format to be able to focus on actual improvements to the website, and not on wrestling with half-arsed local statistics generators that use access logs, 1px images, session cookies and somesuch.
As a website admin, I'd gladly switch to a solution that does not raise such concerns as GA, but there is none of comparable quality and I'm not in position to make my own with an appropriate feature set. Piwik is somewhat close, but it doesn't support PostgreSQL, which is a show-stopper for me - installing a second RDBMS just for a single auxiliary application is out of question. Besides, it's still probably going to be blocked by NoScript and the likes.
So, what other options do I have?
I mean, the original radio broadcast - it was suggestive enough to cause moderate and short-termed, but state-wide panic during the middle of the actual broadcast. People fleeing their homes, calling for emergency services and so on.
How do I implement sessions without mangling all the local URLs in the output (which is seriously non-trivial and poses its own problems, also with security and privacy), yet without the use of cookies?
No. Read the quote again.
A malicious Flash payload can be smuggled in an image that looks absolutely harmless for MIME checking libraries. The magic number is there, as are the headers and sometimes even the actual image data that produces an actual image. I'm not familiar with the details of GIF and JPEG payloading, but I've read that clever techniques exist for producing images that can be even read by ImageMagick and similar libraries, for example to produce thumbnails. The thumbnail will not carry the payload, of course, but image hosting sites often save the original full sized image as it is, to avoid degrading it with further compression. This effectively means that an image could be prepared that will upload and display just fine even when thumbnail generation and MIME checking is employed.
There is one effective defense, though - serving user-uploaded content from a dedicated domain that contains absolutely nothing but static files. I'm glad that my website is doing that for a long time already, originally for my convenience of being able to move the files to a different server with only a single rsync call and a DNS record change, but it's paying off in other areas as well.
You, sir, are entitled to the Arrogant Uninformed Derogatory Comment of The Day Award. Here's why, a quote from TFA:
It gets worse. Uploading a SWF with a .jpg extension, or a forged content-type header will get you a long way, but what if you can upload perfectly valid files with malicious content? Remember GIFAR? The basic premise is this: Overload a GIF file with a JAR archive. Specifically, the ZIP file format can be appended to any binary file and still be valid. The GIF format, in turn, can have any binary file appended to it. The JAR archive, being essentially a ZIP file, can be combined with a GIF image to create a file that is both a valid image and a perfectly valid JAR archive. While SWF files cannot be appended to other formats, the inverse of the GIFAR exploit works- any file format in the ZIP family can have a SWF file prepended to it. This means that ZIP archives, self-extracting executables, Microsoft Office Open XML documents, XPI files, and, if you want to be ridiculous, even JAR files can all be crafted to contain executable SWFs. Additionally, if you don't care too much about compliance with standards (and what attacker does?), many server-side content validation libraries will also allow malformed PDFs, MP3s, and other media formats, so long as you are careful not to mangle them too much. This content overloading technique has countless variations, but the end result is always the same: no matter how good your validation routines, you simply cannot trust user-supplied content.
Short of rewriting everything that has anything to do with several popular formats, you're out of luck.
How, you do ask, is such a prepared file going to be uploaded? A worm that intercepts uploads in the browser, for example. I was able to come up with this in two minutes, I'm sure that any self-respecting blackhat hacker will as well.
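Added example, not part of the original comments or the quoted article: a Python sketch of why a magic-number check passes the GIF-plus-ZIP file described above, and of a structural check that flags it. The sample bytes, the archive member name and all function names are constructed for illustration.

```python
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory record

# Constructed sample: a complete 1x1 GIF (35 bytes).
MINIMAL_GIF = (
    b"GIF89a"
    b"\x01\x00\x01\x00\x80\x00\x00"              # logical screen, 2-colour table
    b"\x00\x00\x00\xff\xff\xff"                  # global colour table
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    b"\x02\x02\x44\x01\x00"                      # LZW code size + one sub-block
    b"\x3b"                                      # trailer
)

def build_polyglot():
    """Constructed sample: the GIF above with a harmless ZIP appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed, harmless archive member")
    return MINIMAL_GIF + buf.getvalue()

def sniff_magic(data):
    """What a leading-bytes (magic number) check reports."""
    if data[:6] in GIF_MAGICS:
        return "image/gif"
    if data[:4] == b"PK\x03\x04":
        return "application/zip"
    return "application/octet-stream"

def gif_end_offset(data):
    """Walk the GIF block structure; return the offset just past the
    trailer byte, or None if the stream is malformed or truncated."""
    if len(data) < 13 or data[:6] not in GIF_MAGICS:
        return None
    pos = 13
    if data[10] & 0x80:                      # global colour table present
        pos += 3 * (2 << (data[10] & 0x07))
    try:
        while True:
            block = data[pos]
            if block == 0x3B:                # trailer: the image ends here
                return pos + 1
            if block == 0x2C:                # image descriptor
                packed = data[pos + 9]
                pos += 10
                if packed & 0x80:            # local colour table present
                    pos += 3 * (2 << (packed & 0x07))
                pos += 1                     # LZW minimum code size
            elif block == 0x21:              # extension: introducer + label
                pos += 2
            else:
                return None
            while data[pos] != 0:            # skip length-prefixed sub-blocks
                pos += 1 + data[pos]
            pos += 1                         # sub-block terminator
    except IndexError:
        return None

def has_zip_directory(data):
    """True if a plausible ZIP end-of-central-directory record sits in the
    last 22 + 65535 bytes, which is where ZIP readers look for it."""
    tail = data[-(22 + 0xFFFF):]
    pos = tail.rfind(EOCD_SIG)
    while pos >= 0:
        if pos + 22 <= len(tail):
            (comment_len,) = struct.unpack_from("<H", tail, pos + 20)
            if pos + 22 + comment_len <= len(tail):
                return True
        pos = tail.rfind(EOCD_SIG, 0, pos)
    return False

def zip_names(data):
    """Member names as a ZIP reader sees them, prefix bytes notwithstanding."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def inspect_upload(data):
    end = gif_end_offset(data)
    report = {
        "sniffed": sniff_magic(data),
        "trailing_bytes": None if end is None else len(data) - end,
        "zip_directory": has_zip_directory(data),
    }
    report["polyglot"] = report["sniffed"] == "image/gif" and (
        bool(report["trailing_bytes"]) or report["zip_directory"])
    return report

if __name__ == "__main__":
    for name, blob in (("clean", MINIMAL_GIF), ("polyglot", build_polyglot())):
        print(name, inspect_upload(blob))
```

This covers only the appended-ZIP case; the quoted article's other variations are not detected by it, which is why the comment above falls back on serving uploads from a separate static-only domain.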
And what's stopping you from replanting it there using DOM? After all, it's the DOM tree that matters in the end, not the textual representation of the HTML code, and every modern browser will cope with something being inserted into the layout very well.
Put the GoogleSomething in a display:none div at the end of the body, let it use document.write and other atrocities, root it out after it's finished and place it where it really belongs.
Well, how do I POST something from a normal link without resorting to JavaScript, then?
I agree that this abuse of GET is quite unfortunate, but the only alternative is to make every action-inducing link into a form, even though it's not really a form in the semantic sense of the word because there are no fields in it (a hidden one or two, maybe), only a "submit" button, and the code is several times longer than it would be for a link. Which becomes, well, a button, not a link, bringing a major PITA for the visual designer, because the browser will render it as a button (which would certainly make sense in an actual form, but not in this case) and make it just impossible to shoe-horn it to look and behave like a link, even with the mightiest amounts of CSS thrown at the problem. Hell, it's impossible to make it look and behave consistently on all browsers and OSes, because some browsers will apply some styles to some form controls, some won't and some will just display the OS controls with the OS' choice of colors. Or even the OS controls with the CSS-provided colors, for the utter horror of any designer.
Are you still going to call web developers names over that?