StellarTabi's recent activity

  1. Comment on Zulip 3.0 released: Open source, self-hostable, threaded team chat in ~tech

    StellarTabi
    Interesting that, AFAIK, not a single Slack competitor has a non-Electron-like desktop app.

    4 votes
  2. Comment on Necrobarista | Launch trailer in ~games

    StellarTabi
    Is there a trailer for gameplay?

  3. Comment on <deleted topic> in ~tildes

    StellarTabi
    Should tildes implement a feature that presumes Tildes is secondary to reddit? 🤔

    11 votes
  4. Comment on Full employment in ~tech

    StellarTabi
    Another thought to consider... in a post-COVID-19 world, with remote work now forcing companies to try it, will people still want to live in NYC over the next few decades? I for one would choose to live far away from expensive cities with in-office jobs if permanent remote was an option.

    3 votes
  5. Comment on The marijuana superweapon Biden refuses to use in ~misc

    StellarTabi
    Not just Biden, Trump also refuses to use it. I think it's going to be a close race, like extremely close. Even if it were less close than I'm thinking of, I think if one of them promised to legalize marijuana, they would win.

    https://en.wikipedia.org/wiki/Cannabis_policy_of_the_Donald_Trump_administration

    4 votes
  6. Comment on Infinity Train Book 3 to premiere on HBO Max in ~tv

    StellarTabi
    Oh shit I didn't realize they made more than the pilot, I need to catch up.

    1 vote
  7. Comment on What games have you been playing, and what's your opinion on them? in ~games

  8. Comment on Do Americans understand how badly they’re doing? in ~health.coronavirus

  9. Comment on How should I host my images? in ~tech

    StellarTabi
    I heard it's in beta though, I'm personally taking the gamble that it'll work soon enough.

    1 vote
  10. Comment on Lemmy, an open-source federated Reddit alternative, gets funding for development in ~tech

    StellarTabi
    I noticed immediately that it's an SPA. Pretty cool otherwise, e.g. it's written in Rust.

    3 votes
  11. Comment on Lemmy, an open-source federated Reddit alternative, gets funding for development in ~tech

    StellarTabi
    There probably is a "tankie" or two here, but AFAIK nobody actually talks "tankie" here, or Marxism, or Anarchism, etc. Basically nobody is here for Far Left discussion; I've only seen one thread, and it was prompted by OP slandering millennials who just wanted affordable healthcare, housing, jobs, etc.

    4 votes
  12. Comment on Lemmy, an open-source federated Reddit alternative, gets funding for development in ~tech

    StellarTabi
    Maybe they're talking about me? Do I even post often enough to meet this description? Maybe this user was just trying to gaslight or something.

    2 votes
  13. Comment on Lemmy, an open-source federated Reddit alternative, gets funding for development in ~tech

    StellarTabi
    These days "Far Left" and "Marxism" tend to just mean "Not openly racist" and "Stop murdering me please" and "I just want affordable healthcare".

    8 votes
  14. Comment on How should I host my images? in ~tech

    StellarTabi

    Can anyone recommend software for optimizing image sizes? (Linux friendly, command-line or otherwise scriptable utilities preferred.)

    I think webp will soon be the best option (Safari is the last hold out, but support is in beta now).

    PNG is currently king I think, use optipng: https://www.cyberciti.biz/faq/linux-unix-optimize-lossless-png-images-with-optipng-command/

    2 votes
  15. Comment on How should I host my images? in ~tech

    StellarTabi
    Don't use Google Photos for sharing beyond personal friends, it does spooky unexpected redirects to Google Service(s) Apps on mobile (when the user is just expecting a .jpg or w/e), and is probably a doxing liability.

    4 votes
  16. Comment on How should I host my images? in ~tech

    StellarTabi
    Have you considered using webp files to save on bandwidth costs?

    1 vote
  17. Comment on How should I host my images? in ~tech

    StellarTabi
    On any mobile browser (that I know of), imgur will redirect you to the _d version which is resized. For large images (like infographics) only desktop users can actually zoom in to read the text.

    7 votes
  18. Comment on How should I host my images? in ~tech

    StellarTabi
    I don't know any existing solutions, but if you wanted to write one (personal or as a SaaS company), B2 has the best prices (compare to AWS S3), Cloudflare's ToS says you can't exclusively be an image host, and nginx would probably be a great cache to use, plus it also has an addon module to "transform" images on the fly so you don't need to always persist thumbnails to disk.

    2 votes
  19. Comment on What's it take to make a secure, stable, and scalable site? in ~comp

    StellarTabi

    Stability: Strong type system + High Test Coverage.

    Strong type system is NOT a substitute for automated tests, and automated tests are NOT a substitute for a Strong type system. Sidenote, languages with strong types tend to be faster and less memory intensive. You might spend more time upfront battling the type system and writing tests (Test Driven Design AKA "TDD") but you'll save even more time down the line because types will force you to define behavior for more edge cases, tests will cover your base APIs, bugfixes should be covered by tests, new features covered with new tests. When new features or major refactoring happens, the type system and tests (better together) will let you fearlessly push new releases.

    Tests should cover both the "happy path" and "unhappy paths" as much as possible. Make sure things that shouldn't work actually don't work (validation errors, user input, fuzzing, references to invalid objects, API calls that require permission and/or ownership to view or edit or delete).

    People shouldn't be getting "500 errors" if they fill out a form. Useful validation messages.

    Database transactions for complex DB updates so that if SQL statement 2 out of 3 fails in an API call, you don't leave a resource in an unwanted state.

    Learn more SQL than your ORM provides, and fully learn your ORM. Good ORMs allow you to make complex composable SQL queries and also allow you to mix in raw SQL. Learn about indexes and EXPLAIN for performance.

    Use integer IDs for internal references. If you want, hide them in API calls (expose a UUID instead) so that outside observers can't figure out how many products or users are in your DB, and it makes guessing URLs for new items or other users' items harder. UUIDs are also valid if your DB will be sharded across regions. If you're a B2B (like Slack), you might want to isolate each customer to their own DB. Enterprise customers should quit you if another customer's data shows up, because that means another customer is probably seeing their data.

    Always use prepared statements in SQL (see SQL Injection). Don't use database users with full privileges (why would the database user your main application runtime uses be allowed to drop any table, be an owner of the DB, or be an admin user?). Use a separate DB user account for altering tables and administration.

    Don't trust user input. If you accept HTML, someone will try to put JavaScript in it. If you don't accept HTML, someone will still try to put JavaScript in it just in case you don't sanitize it. If data input by one user is shown to another user, make sure it's escaped so that you don't compromise your user.

    Don't let users upload files directly to your server. Always upload them to something like AWS S3.

    Anyone can upload a *.jpg with the filename ending in *.png. A *.exe could be named *.jpg. An image file can have a password protected *.zip file full of pirated content embedded while still being a valid image file. Your safest bet is to store the uploaded images privately, use a serverless function (aka AWS lambda, aka not your real application server) to make filesize-optimized thumbnails, and only show those thumbnails to public end-users.

    3 votes
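    The prepared-statement, transaction and upload-validation points in the comment above, worked through as an added Python example. This is not code from the comment's author or from any project; the in-memory SQLite schema, the sample user rows and the byte strings fed to the upload check are constructed here for illustration.

```python
import os
import sqlite3

# Constructed sample rows standing in for a site's users table.
SAMPLE_USERS = [
    ("alice@example.com", "hash-a"),
    ("bob@example.com", "hash-b"),
    ("carol@example.com", "hash-c"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database with a users table and a dependent profiles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)"
    )
    conn.execute(
        "CREATE TABLE profiles (user_id INTEGER REFERENCES users(id), "
        "bio TEXT NOT NULL CHECK (length(bio) <= 10))"
    )
    conn.executemany("INSERT INTO users (email, password_hash) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Attacker-controlled input is spliced into the statement text (SQL injection)."""
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized query: the value travels separately, so quotes in it are just data."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


def register_atomic(conn: sqlite3.Connection, email: str, bio: str) -> bool:
    """Two inserts in one transaction: `with conn:` commits on success and rolls
    back if the body raises, so a failing second statement leaves no orphan user."""
    try:
        with conn:
            cur = conn.execute(
                "INSERT INTO users (email, password_hash) VALUES (?, ?)", (email, "hash-new")
            )
            conn.execute(
                "INSERT INTO profiles (user_id, bio) VALUES (?, ?)", (cur.lastrowid, bio)
            )
    except sqlite3.IntegrityError:
        return False
    return True


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT count(*) FROM users").fetchone()[0]


def sniff_image_type(data: bytes):
    """Identify an image by its leading bytes, ignoring whatever the filename claims."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


EXT_TO_TYPE = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".webp": "image/webp",
}


def upload_is_acceptable(filename: str, data: bytes) -> bool:
    """Accept only when the extension and the sniffed content agree on a known image type."""
    expected = EXT_TO_TYPE.get(os.path.splitext(filename)[1].lower())
    actual = sniff_image_type(data)
    return expected is not None and actual == expected
```

    With the input `' OR '1'='1`, the string-formatted query returns every user while the parameterized one returns nothing. Note what the magic-byte check does not catch: an image with a zip archive appended after the image data still sniffs as a valid image, which is why the comment's recommendation to keep originals private and serve only re-encoded thumbnails is the stronger control.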
  20. Comment on What's it take to make a secure, stable, and scalable site? in ~comp

    StellarTabi

    Oauth makes Google or Facebook handle it

    also opens you up to weird bugs and/or threat vectors.

    • sign up for Trello with an email address at domain? Somebody makes an Atlas organization with that domain? your atlas avatar now shows up in Trello! Are you able to log in with both a password and a "Login with your Atlas account"? Is your implementation of this secure? Is Atlas's? Did your user expect this? Can my account be hijacked from someone who only knows my name or only knows my email address?
    • signup anywhere with your email address or your Facebook account. Then sign up again with the other (assume same email address associated with both). Do you have two accounts? Did you gain access to your account without entering a password or verifying your email address?
    • signup anywhere with your Facebook account. What if you need to change your email? Does it work? What if you change your email address on Facebook itself?
    • signup anywhere with your Facebook account. What if Facebook terminates your account for literally no reason?
    • signup anywhere with your Facebook account. Make a Twitter account with the same email. Log into the service. Does this Twitter account give you access to the account associated with the Facebook account? Can you still log in with your Facebook account? Did you have to verify your Twitter account by email to even do this?
    • Facebook decides your website no longer can authenticate users with their facebook accounts anymore or randomly revokes your keys. gf hf.

    One thing that would help guard against the account hijacking possibilities of the above is implementing TOTP (one-time passwords) in your webapp. Not through SMS, that's hijackable and I don't want to enter my phone number. Google Authenticator/Authy/LastPass have TOTP apps.

    3 votes