44 comments

[ 2.3 ms ] story [ 88.6 ms ] thread
Oh man, there is so much black magic in those slides. I hope to high heaven that as few people as possible read that. Especially not any future employers.

Judging by the number of projects I have seen recently that are predicated on defining new keywords and recognizing them through magic decorators, it may be too late.

This is one of the reasons I love Go: simple, clean, concise, expressive, and completely free of dark magic.

Code does what it says, and says what it does.

You don't get to feel so clever doing magic tricks, but you gain a lot of time by not having decipher and debug such magic tricks.

I believe in a balance, too little magic, and you're working with one hand tied behind your back, too much magic and you're working with blindfolds.
Seriously, try Go for a while, it wont take long before you feel that you have three hands, and more importantly, an extra third eye.
Can you give an example in Go of how you'd solve the same problem as any of the python solutions?
I use Go and I don't see any particular expressivity or ability to code easier/faster, compared to, say Python.

The benefits are: type checking (if you need it), more speed (but not as much as advertised), and easy concurrency (if you need it).

I think one of the main "marketing" points of Go, in a grassroots way, is that some people coming from Python/Ruby/js etc, that have never (or only very lghtly) used C/C++ before, feel suddenly like they are using a "hard, grown up's language", what with pointers and everything. It's mostly an illusion, though.

here's where i disagree with you, and here's why.

there comes times - hopefully rarely - where tricks like metaclasses and monkey patching actually REDUCE overall code complexity, if done right and in a limited way. it takes a lot of experience, education, and skill to do this, but when you see it done right it greatly reduces overall code complexity by isolating the "odd" bits into small, confined spaces, and this can lead to more readable code overall. the other day a link was posted here on HN about metaclasses in python, and dpkt was one of the examples (see the _metapacket class). i think that's a good example of the above: the scary, hard to grok stuff is isolated, and overall the code becomes more readable for it. i've seen - and written - code that could benefit from these things, and it's less maintainable than code with them used appropriately.

also, i think it's great if people read this and learn. i want more talented programmers on my team, people who know how to do these things, when to do them (e.g. limited), and where to do them. i've seen the opposite, and it's not pretty.

that said i'm unqualified to use the "bad ideas" in this presentation appropriately, and so i wont. one facet of wisdom is knowing your limits.

yikes. These are impressive (and terrifying). I particularly like the "see if you use my return value and dynamically change my behavior" trick, I bet debugging a library that used that would be fuuuun.
(comment deleted)
Wow. I'm a numpy aficionado and connoisseur.. I'm sad to say I really don't understand most of whats going on in this code...
> I'm sad to say I really don't understand most of whats going on in this code..

Don't be:) Most of the dark voodoo there is not used(macros, implicit self), some of it is used only by toolmakers(finding request, changing traceback messages, import hooks), and then a small part is used here and there by regular applications(monkey patching; "names of variables" sounds useful but it won't work with shared pool. `a = 10; b = 10; show_names(a)` will show both "a" and "b")

> but it won't work with shared pool. `a = 10; b = 10; show_names(a)` will show both "a" and "b")

That will actually show nothing because strings are not tracked by the cyclic garbage collector because they can never be part of cycles.

Without the (assumed) accompanying presentation these slides aren't all that illuminating
Everything is a first class object? What about the if-statement? Anyway, my personal gripes aside, I've been looking for something like this: http://www.scribd.com/doc/58306088/Bad-Ideas#outer_page_54 ... a way to print "name=value" for variables for debugging.
Your link just goes to the first page. Is this presumably the code you're referencing?

    import gc, sys

    def find_names(obj):
	frame = sys._getframe(1) 
 	while frame is not None:
	 	frame.f_locals
	 	frame = frame.f_back
	result = set() 
	for referrer in gc.get_referrers(obj): 
		if isinstance(referrer, dict): 
			for k, v in referrer.iteritems(): 
				if v is obj:
					result.add(k) 
	return tuple(result)
yup, thanks for the heads up, it worked for me. I realized that most of that was unnecessary, this is what I was talking about:

  import gc, sys
  
  def show(*args):
    for obj in args:
      frame = sys._getframe(1)
      for k,v in frame.f_locals.iteritems():
        if v is obj:
            print "%s=%r" % (k,v)
  
  
  a, b, c, d, e, = False, 1, [1,2,3], {'x':2 }, map
  
  show(a, b, c, d, e)
outputs:

  a=False
  b=1
  c=[1, 2, 3]
  d={'x': 2}
  e=<built-in function map>
[ http://codepad.org/4JogU069 ] [ edit: slight cleanup]
Not so useful when you have shared pool.

    a = 10
    b = 10
    show(a)
Or

    a = 'test'
    b = 'test'
    show(a)
Hey Scribd and or Google Chrome team.

I was just tricked into clicking an ad that simply said "play now" underneath the first slide. I thought it was going to start a slide show of the presentation. Scribd, if you are going to let just anybody advertise on your site you need to clearly mark what is an ad and what isn't.

Google team, clicking the add opened a tab that when attempting to close opened a custom dialog with two buttons at the bottom. "leave now" and "cancel" (or something like that). The page had populated that dialog with a bunch of text and ascii art pointing to the cancel button.

I didn't feel confident enough to click either buttons on this dialog because I thought be may have been some co-oped permissions dialog.I was unable to close the tab. I ended up using the task manager to kill chrome.

I took the time to make a note here because it's been ages (5 years perhaps) since I had to deal with this kind of crap. Has it always been around and I just haven't seen it or is there a resurgence these days.

What made you believe this is the support site for either Scribd or Google Chrome?
The guy who founded Scridb is here as well as tons of googlers.
As well as a ton of AdBlock users who'd prefer discussion of the presentation's content, and have no idea about the obtrusive adverts others mention ...
So what are they doing following this particular sub-thread and giving other people condescending advice?

Why aren't they busy reading other sub-threads where the presentation's content is discussed?

I am also here, and read a lot of what happens on HN; but, if my users decide to start using this as a support site for Cydia, especially so in aside comments on stories that are not even about Cydia, I will be sad: there are more appropriate and efficient channels for that sort of thing.
Not for Google products.

If you are not Internet famous I imagine you could do a lot worse than HN comments.

It's stuff like this that forces people to use AdBlock.
What? You killed Chrome because of what? What is a custom dialog? How is a "custom dialog" going to create a vulnerability?
There is a long history of such dialogs being used to exploit browsers and cause the execution of arbitrary code. For instance, such a dialog may be used to generate a true user click event, which the browser may then treat differently than an event that can be faked by Javascript. This entices malware developers to create dialogs in which you'll click on something, they don't really care what, they just need an authentic click.

Yes, it shouldn't do anything, but that doesn't mean it won't. I've hard-killed my browser for the same reason a couple of times.

Oh the plight of a Windows user.

I know what you're talking about with click jacking. The implication that a "true click" is any more likely to allow a JavaScript exploit to escape the browser sandbox is complete and utter bullshit. If you can give me one example, I won't scowl at the fact that 6 other people downvoted me without saying why.

Think about why, if the attacker already has enough control over the page to put up a transparent iframe and bind a click event to it, why not just do the thing the attacker is trying to attack you with?

And the answer is, the browser will stop them. It treats stuff that sources from a click differently. If it didn't, there would be no "clickjacking", the attackers would simply redirect you to the desired URL. The very existence of the term is evidence. It doesn't escape the sandbox, it gets raised privs from the sandbox by design.

What?

What on Earth does this have to do with vulnerabilities in the browser? Like I said, show me a single example of a vulnerability that is only exploited via a "true click". They DO NOT EXIST. It's hogwash.

I'll say again, I know what you're talking about. It is NOT relevant in this discussion about vulnerabilities.

Please show me an example otherwise.

Just got a full page ad with sound from this page. Fuck Scribd.

Any links to a video *or a PDF of these slides?

I assume you mean a "video OR a PDF", but since it's scribd we're dealing with here, a video of the PDF would still be better.
This presentation is by Armin Ronacher, the author (amongst many other things) of Flask, Werkzeug and Jinja2. If people find this presentation interesting he catalogues and provides slides (and recordings where appropriate) of all his previous presentations: http://lucumr.pocoo.org/talks/

For those who prefer straight PDF over Scribd, Armin has a PDF provided for this presentation[1]. There's also a video but it seems you need to be a member of EuroPython[2].

[PDF]: http://dev.pocoo.org/~mitsuhiko/badideas.pdf

[EuroPython recording if you're a member]: https://ep2012.europython.eu/conference/talks/5-years-of-bad...

i started using flask this past winter. i'm enjoying it as a lightweight framework. armin's got some good code and the reason i posted this link is that the topics and ideas are real and presently simply, useful (in some situations), and great to understand.
Here's a shell function. Pipe the scribd html page into it and, voila!, out pops .jpg urls for each page of the PDF document. Feed them to curl or whatever you program you use. Open them with your browser or your image viewer. Pipe them to ghostscript, remake the PDF to your own specs. Whatever. But for the love of God, stay away from scribd.com That site is an annoyance and I doubt it will ever improve.

scrib(){ sed -n ' s,http://html.scribd.com,\

&,g; s,http://html[1-9].scribdassets.com,\

&,g; s,assets,,; s,pages,images,; s,jsonp,jpg, ; s,html[1-9].scribd.com,html.scribd.com,; s,pageParams.contentUrl = \",,; s,\";,,; s,<img class=\".orig=\",,; s,\"/>,,; /^$/d;

/html.scribd.com.images.*jpg/p; ' |sed '/http/!d'; }

suggestion: you could make that more useful by dumping it into a gist and including a comment block on how to set it up in an rc file
PYTHONNNNNNNN SUCKSSSSSSSSSSSSSSSSSSSSS, FUCK IT
Sometimes magic is necessary but these slides right here contain some serious voodoo.

That said I've used monkey patching before which can be quite useful when you don't want to change the underlying library too much but don't want to make a complete fork. Specifically I've monkey patched methods onto the User model in Django.

What is meant by Python magic? What is and isn't magic? Why would you want to use it and why might it be considered a bad idea?
My definition of magic:

Magic is anything which makes other code behave in a way that would require reading the magic to understand, despite not being apparent in the magicked code.

Good because it makes many things a lot easier, bad because it makes code a lot less explicit and simple and increases cognitive load (you need to always consider the magic not just the current code you're looking at).