Archive for July 17, 2019

Wednesday, July 17, 2019

SummerFest 2019 Ending Soon

The SummerFest festival of artisanal software is ending tomorrow. Besides the apps I previously mentioned, it includes HoudahSpot (better Spotlight searching), Nisus Writer Pro (my favorite word processor), Panorama X (RAM-based database), TaskPaper (plain text lists), and Tinderbox (power notes organizer).

Lowercase Passwords

Stuart Schechter:

Your master password should be at least 12 lowercase characters or five words. Why use lowercase characters or words when you’ve probably been told (and coerced) to use uppercase characters and symbols in the past? If you have to enter the password on a device with an on-screen keyboard (like your phone’s), each uppercase letter or symbol may require extra key presses. You can get the same security, and save yourself a great deal of frustration, by making your all-lowercase password just 30% longer than if it were mixed case [9]. In other words, a randomly-generated 13-character lowercase password, which can be entered with 13 keystrokes, is as secure as a 10-character mixed password, which may require many more.

Via Ricky Mondello:

This plays into why the passwords that iCloud Keychain generates are dominated by lower-case letters; you might have to type them somewhere, sometime (but not remember). I explain this in the talk I gave at PasswordsCon 2018.
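The entropy arithmetic behind the "30% longer" rule, as an added worked example (not code from Schechter's post or Mondello's talk). It assumes a 62-symbol mixed alphabet (letters and digits), which reproduces the 13-versus-10 comparison above, a 7776-word list for the five-word case, and a constructed on-screen-keyboard model in which any character that is not a lowercase letter costs one extra press.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase                  # 26 symbols
MIXED = string.ascii_letters + string.digits    # 62 symbols (assumed "mixed" alphabet)
WORDLIST_SIZE = 7776                            # assumed size of a Diceware-style word list


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def equivalent_length(target_alphabet: int, source_alphabet: int, source_length: int) -> int:
    """Smallest length over the target alphabet with at least as much entropy
    as source_length uniformly chosen symbols over the source alphabet."""
    needed = entropy_bits(source_alphabet, source_length)
    return math.ceil(needed / math.log2(target_alphabet))


def length_overhead(target_alphabet: int, source_alphabet: int) -> float:
    """Factor by which a password over the smaller target alphabet must be
    longer to match one over the source alphabet (the article's ~30%)."""
    return math.log2(source_alphabet) / math.log2(target_alphabet)


def keystrokes(password: str) -> int:
    """Constructed keyboard model: a lowercase letter is one press; any other
    character needs an extra press for Shift or the number/symbol layer."""
    return sum(1 if c in LOWER else 2 for c in password)


def generate(alphabet: str, length: int) -> str:
    """Generate a password with the CSPRNG-backed secrets module, never random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("10 mixed chars:", round(entropy_bits(len(MIXED), 10), 1), "bits")
    print("lowercase equivalent:", equivalent_length(len(LOWER), len(MIXED), 10), "chars")
    print("5 words:", round(entropy_bits(WORDLIST_SIZE, 5), 1), "bits")
    print("sample:", generate(LOWER, 13))
```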


Branches and Continuous Integration

Soroush Khanlou (tweet):

A problem presents itself, however. You need to build a feature that takes 1,000 lines of code, but you’d like to merge it in in smaller chunks. How can you merge the code in if it’s not finished?

Broadly, the strategy is called “branch by abstraction”. You “branch” your codebase, not using git branches, but rather branches in the code itself. There is no one way to do branch by abstraction, but many techniques that are all useful in different situations.


Of course, the humble if statement is also a great way to apply this technique; use it liberally with feature flags to turn features on and off. (A feature flag doesn’t have to be complicated. A global constant boolean gets you pretty far. Feature flags don’t have to come from a remote source! However, I would recommend against compile-time #if statements. Code that doesn’t get compiled might as well be dead.)

Branches are just not very useful for managing features or major releases for which development will take a long time (during which you will keep working on the shipping version). They’re great when you want to make a bug fix release based on an old version, and thereafter plan for the branch to die. But, otherwise, you spend a lot of time merging changes back and forth between two active branches and still end up with a potentially difficult integration at the end. It’s better to use feature flags and potentially extra Info.plist files and Xcode targets to support simultaneous development of multiple versions.


Why Does APT Not Use HTTPS?

Chris Lamb (via Hacker News):

Accessing mirrors over HTTPS would not prevent a compromised mirror tampering with packages, so APT already has other mechanisms to guard against this.

Also, HTTPS would not stop a determined attacker deducing which apt packages your system was downloading (though this becomes more difficult).


A switch to HTTPS would also mean you could not take advantage of local proxy servers for speeding up access and would additionally prohibit many kinds of peer-to-peer mirroring where files are stored on servers not controlled directly by your distribution. This would disproportionately affect users in remote locales.


Go64 Finds 32-bit Apps

St. Clair Software:

macOS 10.15 Catalina will not run 32-bit Mac applications. At all. Once you upgrade to Catalina, those apps won’t even launch.

To prepare, I wrote Go64, a free application that scans your system for 32-bit apps and shows them all in one place, with version and website information to make it easier to assess whether you need to update or look for an alternative.


As they say, the devil’s in the details, and dealing with the vagaries of what goes on inside applications got interesting. Go64 leverages Spotlight to compile a list of executables, but then does a deep dive into each 64-bit application to check for any helper apps, frameworks, services or plugins that might not be 64-bit. While I knew this could be an issue, Howard’s work highlighted just how common it is to have a mix of executables bundled within apps. Most of the time, it’s just for expediency, and developers do the proper juggling to run the correct one, but how’s a user to know? So Go64 does a bunch of checks to look for common methods, and if it still can’t make sense of things, errs on the safe side and flags the app with a little caution icon.