The former is ideally resolved with attribute((format_arg)), the latter with attribute((format)).
The flag is -Wformat-nonliteral or -Wformat=2. -Wformat-security only includes a weaker variant that will warn if you pass a variable and no arguments to printf.
5 years seems like a low for Apple device longevity. I think that there’s an enormous difference between today’s Macs and Macs from 5 years ago and maybe the leap is accelerate deprecation, but there was a long period…
> We could stop right here but this suffers from overflow limitations if translated into C. FWIW, the final version also suffers from integer overflow limitations. If the difference between an and INT_MIN/INT_MAX…
In context, it sounds like they relied on simulations that don’t use exact numbers. I’m guessing that they saw an IEEE-754 floating-point infinity and then had to determine whether they got it because the accurate…
I feel that it’s so simple that many people will overlook that it even exists. In languages that have both, it’s hard for functions to compete with operators. I don’t think that this is the best design to promote…
The “battle of preparedness” for grandmasters looks miserable. My experience being bad at chess is pretty cool, though. If anyone’s looking to pick up chess, it’s a pretty good time to do it even if the people making a…
Yes, but your 1995 Windows NT 4.0 PC ran a 640x480 display at 60Hz and graphics compositing had, at best, one-bit transparency. It took 3 minutes to boot. Websites could bluescreen it with `<img src="con">`. A malicious…
How does one verify that their server has never ever sent spam, for instance through a security breach?
This is fairly old. When it came up last time, there were robust arguments that xz was characterized unfairly, and that the author’s format wasn’t very good at recovering in most cases either.
No, logic bug consequences are fundamentally different from memory corruption bugs. A bug with an access check for one resource in the kernel means you get access to that specific resource. A missing bounds check in the…
What the missing access check protected was a stream of information that could defeat ASLR. If Zircon was written in a memory-safe language, that would have been the end of the issue. Logic bugs and missing access…
That’s not really a “but” to the comment, which was that you need to find one bug and it’s game over. We’ve known for a long time that best practices aren’t enough to prevent memory corruption in large enough C++ code…
The intent of the post isn’t to claim that any Fuschia device currently sold is vulnerable. Unless Fuschia never graduates to running third-party code, that seemed like the right assessment to me.
One data point from the Prodfiler folks was that even if the GC cost to throughput is relatively low, some programs will still spend up to 25% of their time doing garbage collection. This will show up on your cloud bill…
Can I, uh, make a bank account for _myself_ without being a corporate customer?
Big fan of BBEdit, didn’t realize it’s just barely younger than me. I started using it probably about 20 years ago. These days I use it mostly for one-offs and as a scratch pad. It’s doing a very good job at that.
Someone should make an online version of Mysterium that uses Dall-E to make the picture cards!
It kinda sucks, but “tampering with the public record”? Is Twitter liable for holding the public record now?
For a while, there would be a macOS notification suggesting that you try Safari after updating. This notification should be gone with the latest macOS. Are you talking about something else?
CAN-SPAM does not create a private right of action. I have generally no idea what I’m talking about when it comes to legal stuff but I think this means only the government can sue them over it.
Criticism is not always respectful and it stings more often than not but it’s important to long-term success. What would help the open web even more would be to address issues instead of asking that no one brings up.…
The difference with other services is that what people want when they subscribe to Spotify is access to music. What (at least some) people want when they subscribe to MDN Plus is ensure that Firefox and other open Web…
And what are the boundaries of the law?
The reason it’s not that easy is that platform holders have contractual obligations with content providers about their content being secure. These obligations are an incentive to content production.
The former is ideally resolved with attribute((format_arg)), the latter with attribute((format)).
The flag is -Wformat-nonliteral or -Wformat=2. -Wformat-security only includes a weaker variant that will warn if you pass a variable and no arguments to printf.
5 years seems like a low for Apple device longevity. I think that there’s an enormous difference between today’s Macs and Macs from 5 years ago and maybe the leap is accelerate deprecation, but there was a long period…
> We could stop right here but this suffers from overflow limitations if translated into C. FWIW, the final version also suffers from integer overflow limitations. If the difference between an and INT_MIN/INT_MAX…
In context, it sounds like they relied on simulations that don’t use exact numbers. I’m guessing that they saw an IEEE-754 floating-point infinity and then had to determine whether they got it because the accurate…
I feel that it’s so simple that many people will overlook that it even exists. In languages that have both, it’s hard for functions to compete with operators. I don’t think that this is the best design to promote…
The “battle of preparedness” for grandmasters looks miserable. My experience being bad at chess is pretty cool, though. If anyone’s looking to pick up chess, it’s a pretty good time to do it even if the people making a…
Yes, but your 1995 Windows NT 4.0 PC ran a 640x480 display at 60Hz and graphics compositing had, at best, one-bit transparency. It took 3 minutes to boot. Websites could bluescreen it with `<img src="con">`. A malicious…
How does one verify that their server has never ever sent spam, for instance through a security breach?
This is fairly old. When it came up last time, there were robust arguments that xz was characterized unfairly, and that the author’s format wasn’t very good at recovering in most cases either.
No, logic bug consequences are fundamentally different from memory corruption bugs. A bug with an access check for one resource in the kernel means you get access to that specific resource. A missing bounds check in the…
What the missing access check protected was a stream of information that could defeat ASLR. If Zircon was written in a memory-safe language, that would have been the end of the issue. Logic bugs and missing access…
That’s not really a “but” to the comment, which was that you need to find one bug and it’s game over. We’ve known for a long time that best practices aren’t enough to prevent memory corruption in large enough C++ code…
The intent of the post isn’t to claim that any Fuschia device currently sold is vulnerable. Unless Fuschia never graduates to running third-party code, that seemed like the right assessment to me.
One data point from the Prodfiler folks was that even if the GC cost to throughput is relatively low, some programs will still spend up to 25% of their time doing garbage collection. This will show up on your cloud bill…
Can I, uh, make a bank account for _myself_ without being a corporate customer?
Big fan of BBEdit, didn’t realize it’s just barely younger than me. I started using it probably about 20 years ago. These days I use it mostly for one-offs and as a scratch pad. It’s doing a very good job at that.
Someone should make an online version of Mysterium that uses Dall-E to make the picture cards!
It kinda sucks, but “tampering with the public record”? Is Twitter liable for holding the public record now?
For a while, there would be a macOS notification suggesting that you try Safari after updating. This notification should be gone with the latest macOS. Are you talking about something else?
CAN-SPAM does not create a private right of action. I have generally no idea what I’m talking about when it comes to legal stuff but I think this means only the government can sue them over it.
Criticism is not always respectful and it stings more often than not but it’s important to long-term success. What would help the open web even more would be to address issues instead of asking that no one brings up.…
The difference with other services is that what people want when they subscribe to Spotify is access to music. What (at least some) people want when they subscribe to MDN Plus is ensure that Firefox and other open Web…
And what are the boundaries of the law?
The reason it’s not that easy is that platform holders have contractual obligations with content providers about their content being secure. These obligations are an incentive to content production.