Archive for October 29, 2016

Saturday, October 29, 2016

Inadvertent GitHub Private Repository Disclosure

Todd Berman:

The new line of code disconnected only ConnectionPool objects that are managed by Active Record, whereas the previous snippet would disconnect all ConnectionPool objects held in memory.

The impact of this bug for most queries was a malformed response, which errored and caused a near immediate rollback. However, a very small percentage of the queries responses were interpreted as legitimate data in the form of the file server and disk path where repository data was stored. Some repository requests were routed to the location of another repository. The application could not differentiate these incorrect query results from legitimate ones, and as a result, users received data that they were not meant to receive.

[…]

To prevent this from happening again, we will modify the database driver to detect and only interpret responses that match the packet IDs sent by the database. On the application side, we will consolidate the connection pool management so that Active Record’s connection pooling will manage all connections. We are following this up by upgrading the application to a newer version of Rails that doesn’t suffer from the “connection reuse” problem.
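An added illustration of the failure mode and the packet-ID check described in the quote above; it is not GitHub's code, and `FakeConnection`, `lookup_naive`, `lookup_checked` and the buffered sample response are constructed for this example:

```ruby
# Constructed sample: a response still sitting in a connection's buffer from an
# earlier request (packet id 7), carrying another repository's file server and path.
STALE_RESPONSE = { id: 7, rows: [["fs-02", "/data/other-repo.git"]] }.freeze

# Toy connection (hypothetical, not a real MySQL driver): responses queue up in
# order, so an unconsumed stale response is read before the answer to a new query.
class FakeConnection
  def initialize(buffered = [])
    @buffer = buffered.dup   # responses no caller has consumed yet
    @next_id = 100
  end

  # Sends a query and returns the packet id assigned to it. The "server" answers
  # with the repository's storage location, keyed off the last word of the query.
  def send_query(sql)
    id = (@next_id += 1)
    name = sql[/\w+\z/]
    @buffer << { id: id, rows: [["fs-01", "/data/#{name}.git"]] }
    id
  end

  def read_response
    @buffer.shift
  end
end

# Naive driver: whatever comes back next is handed to the application as data.
def lookup_naive(conn, sql)
  conn.send_query(sql)
  conn.read_response[:rows]
end

# Checked driver: only the response whose packet id matches the request is
# interpreted; mismatches are discarded, and a drained buffer is an error.
def lookup_checked(conn, sql)
  expected = conn.send_query(sql)
  while (resp = conn.read_response)
    return resp[:rows] if resp[:id] == expected
    warn "discarding response with packet id #{resp[:id]} (expected #{expected})"
  end
  raise "no response matched packet id #{expected}"
end

if __FILE__ == $PROGRAM_NAME
  query = "select server, path from repositories where name = myrepo"
  p lookup_naive(FakeConnection.new([STALE_RESPONSE]), query)   # another repo's path
  p lookup_checked(FakeConnection.new([STALE_RESPONSE]), query) # the right one
end
```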

Good Coding Taste

Brian Barto:

But it wasn’t the line count that mattered. It was that if-statement. It’s gone. No longer needed. The code has been refactored so that, regardless of the object’s position in the list, the same process is applied to remove it.

[…]

To the best of my ability to discern, the crux of the “good taste” requirement is the elimination of edge cases, which tend to reveal themselves as conditional statements. The fewer conditions you test for, the better your code “tastes”.

It’s an interesting example because the “bad” version has more state and branching, but some programmers would find the “good” version harder to understand, due to the indirection and attendant C syntax.

iPhone 7 Plus Portrait Mode

Brian L.W. Moore (via John Gruber):

I’m sure there’s a word to describe what I’m calling “stepping”—where different depths of focus are clearly defined with more or less bokeh depending on how far from the focal point the photo is—but the 7 deals with this surprisingly well.

[…]

While a lot is super good, there are a couple areas where the Portrait Mode just ain’t gonna cut it. Complicated foreground and background combinations seemingly overwhelm it and the blur edges get confused throughout the photo.

The Beautifully Annoying Siri Remote

Ken Segall:

Like the hockey puck, you can’t tell what direction the Siri Remote is facing when you pick it up. You have a 50-50 chance of getting it right, and therefore a 50-50 chance of hitting the wrong button.

[…]

Like the ill-fated touch-sensitive iPod, the Siri Remote’s touchpad makes it way too easy to screw up your viewing by accident. All it takes is the slightest brush of a finger when handling it.

And, though the touchpad is a cool thing, it is oftentimes not nearly as quick and accurate as physical directional buttons would be.

Update (2016-10-31): Marcel Weiher:

tvOS 10.0 broke volume on Siri remote so you had to config every time. 10.1 broke it further so even config doesn’t work!!

An Ode to the 11-inch MacBook Air

Serenity Caldwell:

After 6 years of faithful service, that 11-inch model is now dead, killed by Apple, the 12-inch MacBook, and increasingly thinner MacBook Pros. I’ll miss it dearly.

Seeing the writing on the wall, I bought one right after the 12-inch MacBook was announced. It’s still going strong and one of my favorite Macs ever. Nothing that Apple makes today has close to that combination of price, power, ports, and size.