I use Lemuroid on Android. Works well. On F-Droid. Nothing about it has prompted me to search for alternatives, so no idea how it stacks up against other options.
Also, EasyRPG Player on Android for RPG Maker games. (I played the original Yume Nikki not terribly long ago via EasyRPG Player.) Also on F-Droid. Also worked great.
Bookmarked that shit so fuckin’ hard.
Curl.
“Clown.” Some of my best friends do clowning as a hobby.
Hey thank you! I’m glad to hear some interest in it. I’ve definitely got ideas as far as how I’d like to see it improve moving forward (some syntactic sugar, more sophisticated ways of drawing “people”/creatures/skeletons/etc, maybe vector graphics output support – no project is ever really done, you know.) I’m on another project at the moment, but if it got enough interest, I’d probably be inclined to put more work into it.
I don’t have a TTRPG campaign running right now (which is what I wrote it for), so I’m not “eating my own dog food” very much with that particular project. But I would love to do more with it. Only reason I’m not already is because I’ve got so many other projects I want to work on. Heh.
The main project I’m working on lately has been that 3D game assets DSL that I mentioned later in my post. It’s probably quite a bit more ambitious than codecomic (it’s actually Turing complete which definitely adds to the challenge), but I do see a point approaching where it’s feature-complete enough to at least publish an alpha version. It also definitely needs a lot more code comments/documentation before I publish. Probably still months away, but it feels a lot closer than it did last week. Heh.
Anyway, thanks again for the complement!
Nobody else immediately thought of this?
Before I read the body of the post, I was going to recommend “gl;hf” (the only podcast I’ve really listened to in quite a while), but they don’t stay on topic. There is no topic, really. It’s just rambling about whatever comes to them as it comes up.
At the beginning of every episode, they start with “welcome to gl;hf, the world’s first podcast in gaming.” And the running joke is that they rarely talk about gaming at all.
Largely they talk about being prolific career YouTube content creators, but they may delve into random stuff like the U.S. National Cheese Reserve or the ethics of eating lab-grown human meat or Uncle Wiggily board games.
On the plus side, they’re always interested in what they’re talking about.
Here’s my GitLab. None of it’s “active” really. I’m the only contributor to most things I have on GitLab. At least some of the things there, if they started getting attention and interest, I might very likely make them active. But for now, they’re just out there and may or may not receive further updates. Though I’m working on other projects I specifically intend to publish as FOSS in the future.
My main side-projects right now that I haven’t published yet are:
On the flip side, you’ve probably met someone who has saved a person’s life.
Mom wanted me to go into music performance. I went into computer science both because “holy shit how cool is that” and to get out of music performance.
My alma mater had three computer departments: CSC/CompSci, CIS/Computer Information Systems, and Graphic Design. I’ve never been artistic, really, so I didn’t have a lot of interest in Graphic Design. But I didn’t know the difference really between CIS and CSC going into college.
I went to the head of the CIS department to ask about the difference and he was like “CSC is about building the plane, CIS is about flying the plane.” Misinterpreting that to mean CSC was about hardware and CIS was about software, I thought I wanted CIS. When I met with the CSC head, he met with me in a little lab in the CSC department. And on the shelves on the walls, there were robotic coin sorters and Lego robots and stuff. And that’s basically when I realized the CSC department was my people.
Java, Postgres mostly but also LDAP and random in-house-written RESTful services, almost 20 years.
We couldn’t have pressed Hibernate into this use case. It doesn’t really deal with hierarchical data and sure as hell doesn’t know how to query from LDAP. I don’t know that anything existed at the time (nor am I sure anything exists now) that would fulfill our use case.
And the alternative to what we built was a massive, unmaintainable DAO with ridiculous numbers of individual queries in it that would have to be modified or added to endlessly every time someone needed to filter a bit differently or whatever.
This was a developed-in-house e-commerce web application at a major e-retailer. So fortunately that monstrosity of a cookie-handling mess was only ever used by one company.
You know what, though? Talking about this reminds me of another story about the same e-commerce application.
After a customer placed an order on this e-commerce site, the company’s fraud department had to evaluate the order to make sure it wasn’t fraudulently placed. (As in, with a credit card not owned or authorized for use by the purchaser.) Once that was done, the order had to be communicated to a worker at the warehouse so they could pack the right items into a box, put on a shipping label, and set the box aside to be picked up by the UPS truck which would come once a day near the end of the day.
The application used by the fraud department and the application that displayed new orders to warehouse workers was one and the same application. Whether a user had fraud-evaluating powers or pack-items-in-boxes powers just depended on what permissions their particular user had. (That may have been decided by LDAP groups. I don’t remember for sure.)
Meanwhile, the e-commerce site offered gift cards for sale online. The gift card would be shipped to the customer. And there was a box where you could write a message associated with the gift card. So, for instance, someone could buy a gift card to be sent to their nephew’s address or whatever and include a little note like “Happy Birthday. Don’t spend it all at once.” or whatever. And the fraud/pick-and-pack application would display all details of the order including any messages associated with the gift cards.
Well, I found a stored cross-site scripting vulnerability where if you put <script>...</script> tags with some JavaScript in the gift card message box and completed the order, the JavaScript would execute any time someone viewed the details page for the order in the fraud/pick-and-pack application. And of course, the JavaScript could do within that application just about anything the user could do with their given permissions.
The main danger was that a malicious actor with sufficient knowledge of how our fraud application worked could place an order fraudulently with someone else’s credit card and include in the order a gift card with a malicious JavaScript payload in the message box, and then that malicious JavaScript could automatically mark the order “a-ok, no fraud here” when a fraud department worker loaded the order details page, letting the order be fulfilled without any actual fraud review.
The fix was pretty simple. Just stick a <c:out>...</c:out> in the appropriate place in the fraud/pick-and-pack application code. But it was an interesting example of a vulnerability in a not-customer-facing application that could none-the-less be exploited by any public customer/user without any particular special access.
If you’re interested in one more interesting story about the same e-commerce application, see this comment I made a while ago.
Never roll your own ORM
I’ve done this. Probably 10 years ago. Even today, I maintain the same application that has the ORM in it that I designed. If I could go back in time and do something else, I’d do the same thing again. Honest to god. For my use case, I feel it was warranted. It was risky, but it worked out surprisingly well.
Java webapp. Customer facing. E-commerce application, so in PCI scope and dealt with credit card info and such.
There was one specific cookie that stored some site-wide preference for the customer. (Why not just put that preference in the database associated with the user? Because that would make too much sense is why.)
But the way they encoded the data to go into the cookie? Take the data, use the Java serialization framework (which is like Python’s “Pickle” or Go’s “Gob”) to turn that into a string. But that string has binary data in it and raw binary data is kindof weird to put in a cookie, so you base64 encode the result. (The base64 encoding was the only sane step in the whole process.) Then you do the reverse when you receive the cookie back from the browser. (And no, there was no signature check or anything.)
The thing about the Java serialization framework, though is that decoding back into Java objects runs arbitrary object constructors and such. As in, arbitrary code execution. And there’s no checking in the deserialization part of the Java serialization framework until your code tries to cast the object to whatever type you’re expecting. And by that point, the arbitrary code execution has already happened. In short, this left a gaping vulnerability that could easily have been used to extremely ill effect, like a payment information breach or some such.
So all a malicious user had to do to run arbitrary code on our application server was serialize something, base64 encode it, and then send it to our servers as a cookie value. (Insert nail biting here.)
When we found out that there was a severe vulnerability, I got the task of closing the hole. But the existing cookies had to continue to be honored. The boss wasn’t ok with just not honoring the old cookies and developing a new cookie format that didn’t involve the Java serialization framework.
So I went and learned enough about the internal workings of how the Java serialization framework turned a Java value into a binary blob to write custom code that worked for only the subset of the Java serialization format that we absolutely needed for this use case and no more. And my custom code did not allow for arbitrary code execution. It was weird and gross and I made sure to leave a great big comment talking about why we’d do such a thing. But it closed the vulnerability while still honoring all the existing cookies, making it so that customers didn’t lose the preference they’d set. I was proud of it, even though it was weird and gross.
The value that was serialized to put into the cookie? A single Java int. Not a big POJO of any sort. Just a single solitary integer. They could just as well have “serialized” it using base-10 rather than using the Java serialization framework plus base64.
The costs of distribution aren’t really that expensive for big companies.
You can’t really trust that users are going to be willing to donate hard drive space and upload bandwidth to help your maps service or whatever work. (Though, to be fair, you did mention things like OpenStreetMap which is probably more likely for users to be willing to support that way.)
Bittorrent isn’t something you can seamlessly integrate into browser-based apps.
But also, there are newer technologes based on a very Bittorrent-like P2P way of doing things. IPFS is basically reskinned Bittorrent. And Peertube uses in-browser P2P to distribute videos. I don’t think there’s any standard in, say, HTML5 that allows for P2P without some hacks, but it sounds like there’s a good chance such a standard is likely to make its way into browsers in the relatively near future. Also, it sounds like Chrome supports more than Firefox in that area right now.
If you’re ever able to and need to go no-contact with him, just don’t feel any guilt over it.
The IP address of lemmy.world is 104.26.8.209 which appears to be in San Francisco.
There are games I pay for, but only on Nintendo consoles. Aside from that, it’s strictly write it myself or go without.
I definitely should donate to more FOSS projects, though.