It’s an interesting point but I think it kind of confuses two different but related concepts. From the perspective of the library author a vulnerability is a vulnerability and needs to be fixed. From the perspective of the library consumer a vulnerability may or may not be an issue depending on a lot of factors. In some ways severity exists in the wrong place, as it’s really the consumer that needs to decide the severity not the library.

A CVE without a severity score I think is fine. Including the list of CWEs that a particular CVE is composed of I think is useful as well. But CVE should not include a severity score because there really isn’t a single severity but a range of severities depending on specific usage. At best the severity score of a CVE represents a worst case scenario not even an average case, nevermind the case for a specific project.

Yeah, our security team once flagged our app for having a SQL injection vulnerability in one of our dependencies. We told them we weren’t going to do anything about it. They got really mad and set up a meeting with one of the executives apparently planning to publicly chew us out.

We get there, they give the explanation about major security vulnerability that we’re ignoring, etc. After they said their bit we asked them how they had come to the conclusion we had a SQL injection. Explanation was about what you’d expect, they scanned our dependencies and one of the libraries had a security advisory. We then explained that there were two problems with their findings. First, we don’t use SQL anywhere in our app, so there’s no conceivable way we could have a SQL injection vulnerability. Second our app didn’t have a database or data storage of any kind, we only made RESTful web requests, so even if there was some kind of injection vulnerability (which there wasn’t) it would still be sanitized by the services we were calling. That was the last time they even bothered arguing with us when we told them we were ignoring one of their findings.

It’s a good idea to be aware of any security advisories of your projects dependencies, but it’s also equally important to be aware of your actual attack surface and audience. It for instance may not matter to your entirely offline and utterly unprivileged app that there’s an arbitrary code execution flaw in one of your dependencies because any theoretical attacker is the user themself and they would only be executing code they already had the capability to execute. On the other hand such a flaw in other circumstances could be absolutely critical. It’s really down to you as the author of the code to evaluate any security advisories through the lens of your codes expected use cases.

Right, it’s essentially the same argument as strong vs. weak typing. The weak typing proponents say JavaScript is best, because you can just write anything and you don’t need to worry about all those pesky types getting in your way. The strong typing proponents (which if it’s not obvious I am one of) point out that you can write incorrect code quickly in just about any language, but writing correct code is much harder, and the cost of correcting code increases the later the mistake is found. Errors that can’t even be written are better than errors that are found at compile time which are better than errors that are reliably caught at runtime, which are all infinitely better than errors that only randomly appear under very specific circumstances.

That is why many people switched to using TypeScript for their websites instead of JavaScript, because even though you have to spend more time putting type annotations on everything, and at the end of the day at runtime TypeScript is literally just JavaScript, the errors it lets you find at compile time instead of runtime make the effort necessary to include those types worth it. Same thing applies with Rust vs. Go. Yes it requires more thinking up front when you’re writing Rust code, and yes it might take you longer to write that code, but it’s also going to be correct code you can be confident in and not have a bunch of ticking timebombs waiting in it that you don’t even know about.

An extra 30 minutes spent having to think about a dozen lines of code, is infinitely preferable to spending 3 hours pouring over stack traces and single stepping debuggers to find that one subtle mistake you made.

Basically modern language with modern tooling. It’s what C++ would look like if it had been designed today. The big thing though is the abstraction of ownership and lifetimes which took C++ ideas of scopes, smart pointers, and destructors and polished them into something much more powerful. Simply put it’s possible to design APIs in Rust that are literally impossible to express in any other language, and that’s a big deal.

Added on top of that is a modern dependency management system that is severely needed in languages like C and C++, and a very powerful meta programming system that enables compile time code generation and feature selection that’s much safer and powerful than C and C++ fairly primitive pre-processor (although C++ STL does come close).

That does appear to be the problem. The US might not officially be a gerontocracy, but it sure does a damn good job looking like it these days.

It didn’t say that it would make anything radioactive, it said there was a radiation hazard. Radar is in fact radiation, it’s just non-ionizing which means that unless you’re dealing with massive power levels it’s generally safe to be around. If they’re warning of an extreme radiation hazard it’s either not radar, or they’re pumping a ridiculous amount of power into it.

He’s a Lemmygrad user, there’s no point in debating him. He’s just going to keep spouting a bunch of pro-Russia propaganda. It makes me seriously question the source of the article as well. I can’t say one way or another if it’s part of Russian propaganda, but the fact that a lemmygrad user posted it does suggest it started circulating among consumers of Russian propaganda, so there’s some circumstantial evidence at least. At any rate, it’s a just an opinion piece and probably shouldn’t be posted in this community.

What a load of crap. It’s the equivalent of “If the sun suddenly exploded it would be really bad for Biden!”. This is almost literally some GQPs wet dream. There are no facts in that “article” just the same conspiratorial ravings that they failed to prove last time, they’re just dusting them off now that Hunter is getting raked over the coals to appease the GOP. This will end the same way, yes Hunter committed some crimes that he’s already been tried for and found guilty, but no he’s not a government employee and Joe had nothing to do with it.

Eh, it’s debatable. He had already shipped Wagner off to Belarus and folded the Wagner troops into the Belarus military, so Wagner was pretty effectively de-fanged at that point. The only thing Putin gained by this was sending a message to anyone else that decided to stand up to him, although if anyone still didn’t understand that Putin tends to assassinate people who displease him they haven’t been paying attention since like 1980 when Putin was still actually KGB. This is very on brand for Putin, although it is a bit novel to apparently go with airplane “crash” rather than his usual standbys of poisoning, “falling” out of windows, or tripping down flights of stairs/elevator shafts and landing on bullets.

On the other hand, it does make Putin look scared and weak that he felt the need to assassinate someone who he had already effectively defeated, without needing to fire a shot at that. I still wonder how he pulled that off. He must have either had some seriously damning dirt on Prigozhin, or else made him one hell of a deal to get him to about face and march right out of Russia. Maybe Putin just straight up threatened to nuke him if he got any closer to Moscow and he decided not to try to call Putin’s bluff.

Bit off topic here, but what’s a hexbear? First time I’ve ever encountered that term.

I’d be more inclined to believe they’re probes from higher dimensional beings than that they’re intelligent life from other stars/planets, but even that I’d give astronomically low odds to. It’s like a 99.999999999% chance it’s some unknown phenomenon or misunderstood sensor reading/glitch, 0.0000000009% chance it’s something from a higher dimension, and 0.0000000001% chance it’s aliens.

The poster of this has exactly one post and one comment. The post is this one which consists entirely of one image showing nothing and a list of unsubstantiated claims that read like a greatest hits list of conspiracy theories. The one comment is to a ex-mormon community saying a list of other ex-mormon communities on lemmy is “very useful”.

Now, I’m not really inclined to defend mormonism, it’s a terrible “religion” with a laundry list of crimes and bad practices associated with its leaders at every level, but unhinged ravings like this with literally no evidence to back them up should probably be removed by a mod.

Clearly because actually explaining it doesn’t generate clicks and controversy

Solving real problems is hard because if it wasn’t they would be solved already, but making up fake problems is really easy.

And monkeys could fly out of my ass. Before we start hand wringing about AI someone would probably need to actually invent one. We’re probably closer to actual room temperature fusion at this point than we are an actual general purpose AI.

Instead of wasting time worrying about a thing that doesn’t even exist and probably won’t in any of our lifetimes, we should probably do something about the things actually killing us like global warming and unchecked corporate greed.