Hacker News new | past | comments | ask | show | jobs | submit login
🥺: the best sudo replacement (xeiaso.net)
335 points by Tomte on Jan 20, 2023 | hide | past | favorite | 493 comments



The first time I saw perfectly valid Unicode take down an RSS reader (in ~2003), it was an ü that did it. I have taken to calling that the kaboomlaut in unit tests.


The are quite a lot of "gotchas" with passwords being Unicode though. One of my favourite tricks is to include a null byte in passwords and see what happens. Sudo treats it as the end of the string. Passwd gives "token manipulation error" and nopes out. Many websites seem to fail in interesting ways...


I've run into a service where having a password longer than 15 characters _truncates_ it but the password change dialog does not so it's stuck in limbo.


The PayPal forgot password form had this bug just a couple years ago. I changed my password to a generated one. And it was too long. But it didn’t tell me. Just silently truncated.

I used the password reset to change it. This time I used a pretty short password I could type (to rule out a weird copy-paste bug or something). Logged in, went to the change password option and THAT page informed me there was a character limit.


Password character limits are important.

They reveal that the back-end service probably doesn't hash the passwords, which is a good time to GTFO.


I would consider setting a (high) limit for a password a good practice. No one wants an attacker to run a megabyte of password data through your slow password hash. It should be a limit that normal users never reach, but something like 100 chars seems entirely reasonable.


Some web frameworks have such limits built-in. Django for example has a limit of 4096 characters for password input, which should be more than enough for anyone, including people using long random-generated passwords from password managers


The reasonable thing to do is to prehash the user password on the client with a Unicode normalization and a SHA-512 pass.

This way you can have strong input validation server side but also allow almost arbitrary inputs client side.

PS: you likely could also salt the client side hashing and use bcrypt, but bcrypt has a quite short maximum length and I am not sure if it would provide significantly better security here.


The typical password managers allow you to generate up to ~120 characters, I would go for 500 just to be on the safe side.


My bank requires a password of exactly 8 digits. In 2023.


I know of banks which, in 2023, requires exactly 8 digits, the first four being numbers, the other four later letters. No digit can be repeated. Also no consecutive numbers.

It's like they're deliberately trying to reduce the pool of valid inputs.


Not only this, but they also have a sadistic trait against their users. My password on another site (a bank too, IIRC) requires the password not to have my email username and consecutive, or repeated letters. My email username is "u" (as is u@example.com) and I usually generate a 50 or 70 characters long password. There is usually a "u" (they check the case, too). And come characters are repeated in the whole password.

So I reduce the length, significantly, sometimes to 8 characters.

The people who make rules in security in some areas are complete idiots.


A bank I used until about 2018 (no idea if they've fixed this yet - I left) had an exactly 6 character password, and when you used telephone banking it just needed the 6 digits that corresponded to that word. Those 6 numbers also worked online, so at best they were turning all passwords into numbers before hashing them, ensuring there are less than 900000 different possible passwords, which was trivially easy to brute force in 2015, nevermind today.


Bruteforcing should not work as the attempts are either throttled, or lock the account. Provided that they are in place, otherwise the account is wide open.

This i what happens with the 4 digits of a CC PIN and the 3 attempts before the card switches into PUK mode.


One site I went to lowercased my password before storing it unencrypted in the DB, which I only discovered after failing to log in and asking for a password reset mail, so it helpfully emailed me my clear text lowercased password.


I worked at a place that did this, case-insensitive passwords and all. The worst part? They had unencrypted production database backups on all of their dev laptops, the majority of which left the premises after every night. I couldn't get a figure of how many laptops were lost but statistically speaking there had to have been at least 3 lost laptops with unencrypted production database backups per year using industry statistics.

Eventually I convinced leadership to invest in basic security after conservative but still embarrassingly high 6-to-7-figure estimates of annual loss expectancy that only took a measly 5 figures a year to eliminate 75% of the risk, but the company only went around to it a long while after I left the place.


I have former employers who still didn't fix the security bugs I uncovered years after.

I don't know what makes a manager turn off snooze on open PRs for fixing blatant holes.

But if you've got that skill, it can take you far!


I think the lesson is "stop asking for permission and just do want is right". It's rare that a manager needs to approve a PR - would be a culture smell for me in an org.


Incredible. Please tell us who did this, not to shame them, bit to help us!


It was an online store I bought something from quite a few years back. I would hope most stores are using more modern back ends nowadays that doesn't allow this to happen.


I ran into a service where the password entry input enforced a shorter length than the change password.

If I pasted my password it failed, but if I auto-filled from bitwarden it succeeded. Took me weeks to figure out why...


This was, at least a few years ago, the case with Blizzard's Battle.net passwords. I picked a nice secure passphrase, but had to cut it off mid-word because of this truncation. (I think the behavior was for it simply to take the first 16 characters of whatever you typed in the password field, so typing the full passphrase didn't fail, but I wasn't confident that that would remain true in all cases, so I made a habit of only typing the first 16 chars.)


I believe the British Airways site still does something similar to this, or it did until very recently if it's been fixed. Add a password that is too long, it gets truncated and the truncated version saved with no warning or error.

It took me several password reset attempts to realise what was going on, as my literally just set and password manager-saved password didn't work.

I think in BA's case the password input also had a character limit on it, which is ultimately how I realised what was happening, even though there was no info anywhere that such a limit existed.


This is still the case with PeopleSoft (32 chars limitation, and truncation)


This has nothing to do with Unicode (assuming that by "Unicode" you mean "UTF-8"). The null byte has the exact same meaning in UTF-8 as ASCII: https://stackoverflow.com/questions/6907297/can-utf-8-contai...


> The null byte has the exact same meaning in UTF-8 as ASCII: https://stackoverflow.com/questions/6907297/can-utf-8-contai...

And what meaning is that? That link doesn't refer to an authority on the meaning of the nul byte.


In C, strings are nul terminated. Thus when at some point your password is passed along a tool written in C (or any language with the same behaviour) it’ll be truncated at that position.


If by Unicode you mean UCS-2 or UTF-16 though it applies.


A bigger deal happens with ambiguities concerning composed versus decomposed characters. Linux and Windows tend to prefer writing composed characters, whereas Mac OS will prefer writing decomposed characters. The letter é will have two distinct byte sequences to represent the same character (more precisely, the same grapheme).


Shouldn't normalization functions handle that?


Yes, now see if any random service actually uses said functions...


If Unicode weren't broken it wouldn't need any "normalization functions".

And no, I don't have anything better to propose at the moment. Unicode is a mess, but currently without realistic alternatives.

Still I would like to live long enough to see that we finally manage to create some proper text format without all kinds of crazy gotchas and deficiencies.


Care to elaborate?

Are you suggesting that a better version of Unicode does not allow combining characters? [1]

Some languages have an explosive amount of characters if you regard each possible modifier in combination with each base character, some of which aren't practically used. By allowing the composition of modifiers and base letters, all the historically used ones are available, and all the odd ones are technically expressible.

I'm not sure how you encode all the world's languages, live and dead ones, without a few gotchas and deficiencies.

What would an always-normalized Unicode look like, if not either having really, really many characters, or having a non-trivial syntax?

[1]: https://www.unicode.org/versions/Unicode15.0.0/ch03.pdf#G306...


One solution to allow combination characters, but only in a normalised way is to only allow one of the same modifiers, and only allow modifiers in the normal order. This makes parsing Unicode quite complex. If you allow for non-normalised Unicode and write a post-processor that normalises, you get to status quo.

So either you are suggesting to disallow non-normalised Unicode with the current definition, or something different altogether. I can't imagine what that alternative looks like.

(Also, I'm a Unicode fanboy. Sorry for the intensity.)


I think normalization and compound glyphs are orthogonal concepts.

The point would be to have only one canonical binary representation. A representation that is also free of all kinds of "compromises" which are only there for legacy reasons…

Additionally the whole madness should be resolved that Unicode mixes content, representation, and layout (especially as it fails miserably at all of them).

Than there are the problems that Unicode is actually incapable of representing all kinds of scripts. (Just think for example about stuff written top-to-bottom, and not LTR / RTL). Some "unimportant" things like Math can't be represented in Unicode also…

And I won't even talk about the issue that the committee was taken over by some political movement, namely the woke fraction.

I think it's actually a kind of joke that we still didn't mange to invent some sane text format for computers. Unicode doesn't cut it.

But frankly I admit that we won't get anywhere — as even Unicode is full of madness it works "good enough" by now through even more layers of madness on top, so we won't get rid of it ever again. That ship sailed I fear. Still I can't stop banging my head when I hear about things like issues with normalization, something that shouldn't exist in the first place in a sane world.


I wouldn't call that "being Unicode" though, since null byte is in ASCII.


It depends on the encoding: In UTF-16, a lot of characters have 0x00 as part of their encoding. That's the null byte, even if the software isn't technically supposed to see it that way, so it's a valid test. (Easy, too: Any character that's also in ASCII will be represented with a 0x00 byte in UTF-16.) Of course, UTF-8 solves that problem, plus the problem of surrogate pairs.


> That's the null byte, even if the software isn't technically supposed to see it that way

that's a null byte, even if the spec says it's not the string terminator.

i just think it's worth referring to things by using words that more precise semantics if possible


When AOL 4.0 came out they added the ability to embed images in emails, and there was a super fun bug where you could put a certain unicode char into the file name of an image and it would blue screen the recipient if they opened the email. Fun times.


Umlauts are in Latin1, so it’s pretty shoddy software that couldn’t deal with that.


As late as 2020 I encountered a European shop that couldn't handle my Swedish address that had an å in it.

That is, it accepted the address on the website, but then it got screwed in the delivery.

I'm still in awe.


Sounds 'normal' if the website was built in a recent stack in recent years.

The shipping backend might run on a mainframe, almost if not fully unchanged from 40-50 years ago and blissfully unaware of anything but the mainframe quivalent of your standard ASCII.

You can see large stores run all their inventory and such on mainframes. If you ever look over someone's shoulder. My insurance also does but it looks like they don't because it has a nice standard Windows look on the 'inside' of the window. Looked at the title bar and yep, it's just a 3270 terminal emulator that renders fields as nice standard windows input fields that follow whatever theme your computer is set to instead of your telltale black background "DOS" look.


you'd be even more impressed to find out how often polish characters (ąęłćśżźńó) get totally screwed in... poland itself


UPS sent me a parcel and replaced ä with ae


That’s a valid and common replacement for German umlauts


That was not a German umlaut


As I remember it, the RSS readers under test did not correctly handle encodings, blissfully ignorant of the difference between UTF-8 and Latin-1. Many had processing pipelines that did not preserve encoding.


dümlaut


What was the point of this post? No, this program isn't a replacement for sudo; it's closer to a reimplementation of su. The post links to 3 CVEs and talks about Rust, but only one of the CVEs was a memory safety bug, the others are a logic error and a race condition, neither of which are protected by Rust (sadly).


Yeah, no idea why people are upvoting this. Reads like a listening to the internal jokes of a tight-knit group that you don’t know.


I thought safe rust did prevent race conditions by preventing simultaneous write access to data except behind a Mutex or similar guard.


Check out eg. “Race condition vs. Data Race: the differences explained” [0]

[0]: https://www.avanderlee.com/swift/race-condition-vs-data-race...


That's a memory safety issue that caused by a race condition. Rust prevents memory safety issues, but not race conditions. The race condition in one of the CVEs is in the filesystem, not in sudo.


Rust does prevent memory race conditions, but of course, only within the address space of the process and only for memory read and written to exclusively by rust code.


For example, there is this (pure safe Rust) code: https://github.com/ben0x539/totally-safe-transmute/blob/main... which accesses external resources (/proc/self/mem) in order to violate the safety guarantees.


Ah, thanks


Rust prevents data races which are only one kind of race condition.


Btw, there is a logical bug in the code, although it isn't exploitable. env::args().size() can be zero.


I feel obliged to mention doas[1], which is a sudo alternative from openBSD. It is written in c, but tries to be smaller and easier to configure. I am not qualified to vouch for or against it, but it is interesting.

1: https://man.openbsd.org/doas


The primary author, Ted Unangst, has a couple of blog posts describing the inception of doas, and its intended typical use patterns:

https://flak.tedunangst.com/post/doas

https://flak.tedunangst.com/post/doas-mastery


I have moved over to doas a while back and it is really amazing. Why? Because it JUST WORKS. I do not need to learn a configuration language to understand what is going on. It does very little and that is exactly what 80% of the users need. We should use more software like that. Simplicity is the best design pattern.


When you find software that has a clean abstraction it really is a beautiful thing. sndiod (also from the BSDs) is also amazingly simple and reliable.


My existence is split between OpenBSD and Linux. What I really want is OpenBSD than runs Steam and Proton—nothing more.

OpenBSD has maintained exceptionally good taste when it comes to change. When they rip out and replace a "classic" utility, they invariably make a modern classic: openssh, pf, doas

When others rip out a system and replace wholesale, they often just do the hard work to secure the existing thing: Wayland vs. Xenocara

I don't know that there's any objective way to know ahead of time whether replacement or repair is the right approach. But the fact that such a relatively small project such as OpenBSD has managed such outsized positive impact across the open source landscape speaks volumes to their intuitions here.


I noticed and enjoy that both sudo and doas use each side of a standard qwerty keyboard to type, though doas uses 3 keys on the left while sudo has two on the left and two on the right. It made the transition a little easier for my muscle memory.


I mapped ^S in zsh to toggle "doas" at the start of the line:

  # Toggle "doas" at the start.
  toggle-doas() {
      [[ "${BUFFER:0:4}" = "doas" ]] &&
          {CURSOR+=-5; BUFFER="${BUFFER:5}";} ||
          {BUFFER="doas $BUFFER"; CURSOR+=5;}
  }
  zle -N toggle-doas toggle-doas && bindkey '^s' toggle-doas
Even less typing!


On dvorak they're also mostly on the home row (except d), and the split is even 2-2 for both.

(aoeu)id(htns)


The neo2 layout has both in the home row.


I didn’t learn anything from this post about why to use this sudo replacement except that it’s written in Rust and that it handles errors. Am I missing something?


Sarcasm/humor; the program in question does no authentication, so it's not an alternative in any meaningful sense.


I was thinking the same. But then I thought about it more and wondered why you need to enter your own password if you're already logged on. If an attacker is already in the system, it can install key logger and whatnot without the root password. And the xn--ts9h program can have the Unix permission so that only the user can run it.


Insider threat, attacker not in the system, you leave your terminal unlocked and are away. Someone walks passed and tries to install something from you terminal?


While it leads to slightly more chance of traceability, I've seen one line "curl | sh" which install a tool which transmit everything you type, or just your password (when you next type it) off to a remote server, so once you've left a terminal unattended you are in trouble anyway.

This is one place when windows can be much better, as users can't catch ctrl+alt+del, so you can always press that before logging in.


There is the mental function signalling "hang on, you're about to do something unsafe. Are you sure you want to do this?"

But I think there are some scenarios where it serves a practical security purpose as well:

- You're in an office, went away to grab a coffee and left the screen unlocked (bad!). Without sudo, a malicious person could indeed quickly install a backdoor or keylogger and take over your system.

- you're executing a third-party script on your user account. Without a password prompt, that script could trivially escalate its privileges by embedding sudo commands. With a password prompt, you'll hopefully stop and ask yourself why the script is asking for your password.

Basically, you actually cannot assuming that every running on a user account is really authorised by that user. So asking for the password is an attempt to reaffirm that it's really the user who gave that command.

> If an attacker is already in the system, it can install key logger and whatnot without the root password.

Yes, but that would require the attacker to, well, run sudo...


If I'm not mistaken, especially with x11, it is trivial to install a keylogger without root password. Just a process in the background that listen to your keys and send them over the wire. (And you can add that program in the list of program to run while logging in)


You need to enter your password so that software you run can’t give itself root privileges without permission


For some more serious alternatives, I have heard of many people finding doas to be a drop in replacement. Furthermore, I've heard some people suggest neither doas nor sudo, but instead using an SSH server to gain root access to your local machine. It could listen on localhost and use key-based auth to allow root logins...


Using key-based auth without encrypting the key with a password sounds like a bad idea, as then any program running on the host can trivially gain root privileges.


Any program running as your user on your personal machine can trivially gain root privileges, by dropping a program called "sudo" in your personal PATH, putting a "sudo" command in your .bashrc, man-in-the-middle a shell (how do you know that last command actually completed?), or hijacking any of the graphical programs that trivially ask you for your UNIX password to do anything (Discord/Slack/... updater, Steam, ...)


When do any of those programs ask you for your password? I've never had any of them ask for my Unix password, ever. Is that just a macOS thing with self-updaters?


I'm using Ubuntu/KDE/Plasma. "Discover" is the GUI app that prompts you to install system updates, and will ask for your password when you do (to run apt/dpkg as root). Discord doesn't directly ask for my password, it downloads a .deb from somewhere and opens it, and I get prompted for my password then. Not much different IMHO.


I'm using Debian(Testing)/KDE/Plasma. (What was the point here?)

I don't have any "Discover" installed as it's not needed for anything. There's aptitude…

Regarding Discord: Discord is a virus. I try to avoid it. (And since you can't register without getting naked and showing the virus your telephone number it's not difficult to avoid ;-)).


I don't think I ever gave discord a phone number...


That just means you're fully transparent to them. (Likely they have linked other accounts / IIP data behind the scenes; using it form a phone will have that effect obviously).

It's almost impossible to register an anonymous account there. Even if you find a throw-away SMS number that works to register (which is hard enough) a few hours later they will block that account again and require a fresh number to unlock. I've given up even trying to register there; but plan to fill out some GDPR complains soon. Thanks for reminding me to do so…


More likely it just means they have an old account from when they weren’t as hung ho about it all and now they don’t delete it on a whim because it’s longstanding without issue. Same thing with mine, beyond it’s desperate for that phone number for things lately.


Those are poklit popups, similar to UAC on Windows. The program doesn't get your password, but depending on what kind of access it requested, it could give it root access. If implemented correctly, the popup should say "wants to install a package" or "wants to mount drive X", which runs a predefined action on behalf of the app and doesn't actually give it any elevated permissions.

Of course, like UAC, an app could just make its own prompt that looks like the real deal and steal the password, but that seems to be an unsolved problem on every platform.


I’m guessing something like `chown root ~/.bash*` would prevent that, if all the folders in your PATH are owned by root.


You can close some gaps, but at the end of the day you can't expect that you'll run malicious code but it won't do this or that. For example the X server allows any client to listen for key events or hook into other windows.


> For example the X server allows any client to listen for key events or hook into other windows.

That's one of the reasons why "lock screens" are a lie under X.

But that's one of the problems Wayland solves. It has a much better security story.


Nobody said you can't encrypt the key?

Also some people use password-less sudo, so...


I used the SSH server method for a while on a Windows machine since it's built in Terminal doesn't support mixed security contexts between tabs/panes.


Except the enterprise security industry is waging war on ssh keys and ssh/sshd.


In the enterprise key management can become a bitch really quickly. Good luck updating 10.000 servers every time an admin leaves.

For them ssh certificates are much better because you can simply revoke them, and new certs don't have to be added to each server.

At home I still use keys though, but as an enterprise admin I see the issues. Even at home it's kinda annoying having to add a new yubikey to 20 servers.


You could use AuthorizedKeysCommand or some other method to manage your keys in one central place.


You can, but you still need to set up a secure infrastructure to manage all the requests going back and forth.

And most enterprises already have a completely functional and secured PKI, usually with the whole HSM deal and everything. It's plug and play and works with your existing infra.


> In the enterprise key management can become a bitch really quickly. Good luck updating 10.000 servers every time an admin leaves.

Can't "jump host" solve this?

(Not an admin, so please excuse if the question is stupid).


No


You have 20 servers at home? What's you electrical bill like?


Last month's electricity bill was about 75€ including electric heating, VAT and fixed charges. I do get 2 hours free per day during which I run the heading full blast at the moment, and other high energy stuff.

Most of my servers are not always on, some are in the cloud and some are virtual.

The ones that run 24/7 are NUCs which have excellent idle energy usage. The bigger ones are HP microservers but like I said those just run when I need them (there's about 100 TB of archive storage in them).

And then I have some raspberries to run my home Assistant and some other stuff. All in All I have about 10 real 'servers', 5 running 24/7, the rest are remote or virtual (one of the NUCs is an ESXi). Plenty of resources for a decent home lab.

With the recent increase in electricity prices I did move one of the microservers from 24/7 to on-demand.


> Last month's electricity bill was about 75€ including electric heating, VAT and fixed charges.

Damn, I'm double+ that a month with turning everything off at the plug each night and during the day when not on. Just one of the benefits of living in post-brexit UK, with a lame useless gov... Anyway nevermind. Always wanted to do the home assistant thing with one of my rpi, but can't afford it just now.


Unless you use something like Userify. It's like my secret tool that no one knows about..


Interesting. Could you expand on that, or point me towards some related reading? Thanks!


It is not as much the enterprise security industry as it is better security for all. Problem with the current implementation with ssh keys is that there are non-trivial problems with it. For example how do you revoke a key? It is not possible in a central AAA service to revoke access for a user like it is possible for other kind of auth systems. Ssh and ssh keys were designed in an era where security was not really the primary concern. I think Facebook DevOps team had some detailed article how they manage ssh access to fb production with keys.


There is so many things wrong with your comment it is not even worth explaining.


What's wrong with ssh keys? Or ssh/sshd for that matter?


The main problem with SSH keys is that they are good at small scales, but at larger scales the abstractions start to be really leaky. Distributing SSH keys across hundreds of machines is a nontrivial task. Not to mention the lack of audit logging in opensshd and the lack of session recording (these requirements suck but acronym compliance means you need them anyways).

It's also kind of the wrong tool for the job anyways. I'd love to see tools that are more built to purpose for what you are _actually doing with the servers_ instead of giving people a REPL and telling them to go nuts.


> It's also kind of the wrong tool for the job anyways. I'd love to see tools that are more built to purpose for what you are _actually doing with the servers_ instead of giving people a REPL and telling them to go nuts.

On the other hand, if you knew what I'd need to do with the servers, I probably wouldn't need to do it. It's really hard to investigate problems without tools. Nobody is going to make a graph for how much cpu poorly configured docker/datadog are wasting rereading the same 1GB of json logs once or twice a minute, because nobody thought it would be meaningful, but watching top in one window, and running lsof at the right time to see what's being read, and whatever performance tools are hanging out to confirm.


Ah the dream of easy to administer, perfectly adapted fine grained access permissions that can predict the future of exactly what an authorized user can run and needs to do.

It never works because of the lack of precog, ticket walls, escalation over policy requiring reviews, and other bureaucracy.

What they end up replacing ssh with (teleport or aws ssm are the two I've been forced to use) are slow, spotty, crash frequently, and who knows what vulnerabilities they have.

If all these companies trying to get rid of sshd want to slap their own daemon on to replace it, why not keep sshd and simply have a deamon that manages the keys and not throw out the entire tool chain?

The most fun thing with teleport and aws-ssm: to use it you had to bring up a web page to authenticate. There goes any hope of automation at scale. Because in a world where you're supposed to treat servers like cattle, let's impose (and I mean impose) a regime that forces you to access them one at a time manually, especially in critical situations.


> Distributing SSH keys across hundreds of machines is a nontrivial task.

In what sense? If you're distributing public keys to hundreds of servers, go nuts. Put them in git repos and clone them.

If you're distributing private keys to hundreds of clients, why do you ever need to do this? Assuming you do (and I'm just missing something), then I see your point but if you ensure they're encrypted with the user's pass phrase and you have a procedure for ensuring their permissions are set to 0x600, what's the problem?


Yeah, the trickiest part is getting new users to check in their keys to git if git is authenticated with ssh keys. And if you need sudo to install keys, you've gotta use autopw[1] or something similar, and at least autopw is single threaded, so if you've got more like thousands of servers, it's a bit messy. Smarter people than I setup full automation for this kind of stuff, but then you have to trust the automation.

[1] https://github.com/jschauma/sshscan/blob/master/src/autopw


> Distributing SSH keys across hundreds of machines is a nontrivial task.

SSH certificates are a thing.


Yes but the OP was referring to SSH keys being eschewed by the enterprise. I assume they didn't consider certificates part of this category.

For enterprise the certificates are a far better option. Or s full blown IDP of course.


Now you have two problems


You can probably solve those with some regexps.


Please explain. I have deployed them successfully at both large and small companies without any significant issues


Also user directories are thing and you can instruct OpenSSH to use any command you like to fetch a user’s authorized_keys.


There is 0 reason to distribute SSH keys across machines. You can tell SSH to use LDAP to check a user's keys, trivially.


I did use ssh on localhost to do some X11 trickery once. It works surprisingly well


“ has no pronounceable name in English or any other speakable human language.”

I’m in love with this because it’s so silly. I’ve always wondered what would happen if you gave a company an unpronounceable name and it took off.

My guess is that the community would name it and that would be that. But I’m fascinated to witness that process happen.

I really hope Sado takes off. ;)


> “ has no pronounceable name in English or any other speakable human language.”

Doesn't it? https://unicode.org/emoji/charts-11.0/full-emoji-list.html#1...


Check the =nil; Foundation. All of their products have really weird names. Their db service is called `DROP DATABASE *

https://nil.foundation/


So there's actually a cool thing in the blockchain space. Nice.


There’s a number of cool things but you need to know where to look for :)


People in Japan call this emoji “pien” (pronounced “P N” if you’re American) which means like… slight dejection

Was one of the 2020 words of the year by some random group of people! https://www.nippon.com/en/japan-topics/c03823/amp/#


How is it pronounced if you're not American but still speak english?


lots of speculation on how to pronounce this Four Tet side project:

⣎⡇ꉺლ༽இ•̛)ྀ◞_༎ຶ_༽ৣৢ؞ৢ؞ؖ_ꉺლ https://www.discogs.com/artist/6400214-%EA%89%BA%E1%83%9A%E0...


> what would happen if you gave a company an unpronounceable name and it took off.

As long as it's an actual company taking money/paying for services, you'll have to register it, so it will have a pronounceable name.

Reminds me of "Love symbol" formerly know as "Prince". The symbol is great, but you'll have to register as an artist to get the money, you'll be signing contracts, etc., so whatever clever symbol you find, at some point a standard writable name will be settled on.


I guess the point is that writable doesn't necessarily imply pronounceable.


Given the furry/weeb connection, it will inevitably be called "uwu"


If there's a 1:1 mapping from some emoji to one of the basic Chinese logograms, we should just reuse the pronunciation of the latter as the name of the emoji. This one could be "qiu", for example.


> This one could be "qiu", for example.

The wechat shortcode for their similar face is 可怜.

As far as I know, it is not used for begging (and therefore couldn't be called 求); the one time it was used to me, it seemed to express something more like "ouch!".


Officially, it's "pleading eyes", and it seems to be used as such in this case at least.


Just look at what happened to Prince.


I had to google him - he died from it?! WTF!!


It does have a name. The most common of which being being ぴえん (pien). The English name is pleading face, but I hear the Japanese word for it much more in practice.


I’ve worked with a consulting company that chose their name because it was extremely hard to pronounce/understand.


Why?


They could name it Ƭ̵̬̊ and people would call it Prince.


Some others:

Δ

・・・・・・・・・

!!!

†‡†


I was gonna just about to comment about chick chick chick


I just always login as root. No sudo or other programs needed, no security vulnerabilities, no complexity. Clearly the most secure solution as it's widely known that using the setuid bit is a security problem.


Yes, OTOH I don't mind others using sudo or setuid root permissions. I once hacked a payment terminal because someone thought it would be a good idea to put setuid root on pppd :) (we needed to do a bit more than the official SDK api allowed us)


Maybe not for yourself, but sudo can be a benefit when playing with others: fine grained roles and permissions, audit trail, etc.


Yes, I was joking.

Or "woosh", as I believe the kids say these days.


we actually have ascii character pattern for that when posting.

/s


Ah yes, because every joke becomes better when you announce that it's a joke.


I dislike it too. It’s typically unnecessary on hn because it’s well moderated and people often seem nice even when passionately disagreeing.

But on the wider internet everyone assumes you’re stupid. So the “/s” becomes a safety measure.

Also read once that it’s an accessibility thing. But I’m not sure if that’s true.


Usually the majority gets it. And the worst that can happen is that some people will downvote you, or call you an idiot. I'm not especially concerned about this.

I don't see how it's an accessibility issue, except to help out those with a deficient sense of humour.


regarding accessibility..from what I have heard, other cultures have much different styles of sarcasm which might impede their ability to understand that something you have said is sarcastic. e.g. Japan is known to have a reputation of not understanding American sarcasm, but has it's own style of sarcasm. (see https://linguaholic.com/linguablog/sarcasm-in-japanese/)

so, I guess announcing your sarcasm makes sense in an international accessibility sense, particularly when some of the normal cues are not present (tone of voice, facial expression, eyes rolling)


Ah right.

Communicating across cultures is always bound to lead to the occasional misunderstanding, even more so over text. When writing something "dry" such as documentation it's probably a good idea to keep that in mind, but making jokes worse just so that a few more people can perhaps maybe possibly understand it is where I draw the line.


You forgot the /s again.


You have probably already lost at that point, though: if you want true security, you have to go it alone.


I always liked Debian’s really. The first thing it does is make one system call to see if you can open a file in /etc with write permissions. If you can’t then it crashes immediately without doing anything else. The attack surface is very small.

https://manpages.debian.org/stretch/chiark-really/really.8.e...

sudo’s notion of some people being able to do some things but not others just doesn’t seem very relevant these days, and never really sat nicely with me in my multi user Unix host days either. I was much more in favor of giving people multiple system accounts and letting the system auth (ssh) handle who can do what.

Now of course we all have umpteen complete hosts each, and the security boundaries are at the virtualisation layer. Passwordless sudo all ‘round!


Typing emoji is a pain, but the chat suggests that that might be an advantage:

> Using this program requires you to be able to type an emoji. Most attack code is of such poor quality that they are unable to run commands named with emoji.


I'm really curious how much of a joke that was and wasn't


The best part is that it's a joke that has enough merit to it that it's worth being taken seriously. That makes for good satire. I love writing surrealism, it's a very hard balance to meet.


> The best part is that it's a joke that has enough merit to it that it's worth being taken seriously. That makes for good satire. I love writing surrealism, it's a very hard balance to meet.

What makes you think you met it?


This comment section not understanding where I was being satirical.


> This comment section not understanding where I was being satirical.

That means you didn't meet it[1].

[1]That balance you were talking about. You missed it. If too few people understand your content, it's not the people that's the problem. As someone attempting to present an argument, the onus is on the presenter to make the argument readable, not on the reader to squint until it gets readable.

IOW, if you can't be bothered to write your message well, why did you expect other people to be bothered to read it at all?


What makes you say "too few" understood? It's a balance, right? So if plenty of people understand, and the right people didn't understand, then it's right on target.

And it looks to me like lots of people understood.


Yeah! First I read the HN comments and saw how pissed many people were. That helped set the tune for the article (read: it helped me handle my own triggers) and it was a lot more fun that way.


I think the author intended it as a valid criticism, though it's hard to tell given the passé stylistic choice that calls back to early internet (I am nostalgic for those days sometimes). However I disagree with that as it's just one more, fairly silly, obstacle to overcome. If this "replacement" ever did, theoretically, been seen as suitable, all that would happen would be that attack code would suddenly see an increase in quality.

If you've done any research into quality malware, exploits and the like (both domestic and foreign), the quality and often elegant solutions they come up with will not be somehow kneecapped by an emoji. It also only needs to support inputting one emoji in the event that someone uses this out in the field; not hard to do in shellcode.


> If this "replacement" ever did, theoretically, been seen as suitable, all that would happen would be that attack code would suddenly see an increase in quality.

This is where I believe security-through-obscurity is underrated. As long as you're small enough that targeted attacks aren't part of your threat model, merely being unique affords a great deal of safety. Your wierdo jerry-rigged authentication system may not be particularly robust, but it's more likely than any mainstream product to repel an automated attack.


In the event that something is seen as suitable; i'm assuming it would see some adoption (that's the assumption I wrote the comment under).

However I do agree, at least against automated attacks; there will be a bit more security. Though if you are doing anything serious that draws attention, at that point obscurity is all but putting off the enevitable failure if you are ever targetted.


It's easy on Windows, just winkey+.


This is the best feature of Windows tbh


Is that the interface where I have to remember a Unicode code point just to get an em-dash?


This launched the magnifier.


It's the Windows key and the period (".") key, not the Windows key and the plus key ("+").


For anyone wondering, this is basically a young millennial / gen z meme. The emoji is usually pronounced "pwease", as in a childlike pronunciation of "please"

Therefore the command is basically just asking very nicely, hoping to get one's way

edit. source: dude just trust me


Alternatively, a good chunk of my twitter feed would call this the bottom emoji, without attempting to give it a pronunciation. I don't think any particular pronunciation has consensus, but various groups of people imbue it different meanings.


This tool canonically has no pronunciation and any attempt to give it one is non-canon. It is a child of the Internet.


The internet loves being told what to do.


tell that to the gif guy


pre-internet


When do you think the Internet was set up?


2006, I think. Or _maybe_ the early part of 2007, I can't remember exactly. Didn't really get popular until 2014 though.


You're not wrong, at least based on the demographics I've seen.

But I bet if you said "pwease emoji" or "bottom emoji", much of the same group would probably get it.

Though maybe "pwease" would this and the fingers.


I reckon a bottom saying «pwease» would also get their point across.


It's the "step on me mommy" emoji


Y'all need some Jesus.


Does he look good in leather?


> Alternatively, a good chunk of my twitter feed would call this the bottom emoji

Yeah, I don’t think I’m going to be calling it that in the morning standups.


Does "bottom" mean what I think it means?


Yes




Yeah, I always read this as "bottom emoji" in my internal monologue, and that is how I search for it if I need to copy & paste it on a laptop or desktop lol.


(in Rainier Wolfcastle voice) That's the joke.


as in gay bottom? first i've heard of that (as a gay internet person)


Think “sexually submissive,” who you’re attracted to is an orthogonal thing.


I thought it was bottom as in "⊥". But that is orthogonal too.


At least among Gen-Z, it's less an indicator of sexual orientation, and more so one's sexual position. I am friends with a (hetero) couple where the male is the bottom. She pegs him because that what they like. He is not attracted to men, but also does not enjoy being sexually dominant.


A appreciate you 'describing' the emoji for me.

I'm on the spectrum, and I can't tell 99% of these things apart. Looks like a sad face to me. no different then the 500 other sad face emoji's I find. I'll stick with =(


> I'm on the spectrum, and I can't tell 99% of these things apart

If it's any consolation, I'm not, and I don't know exactly what a lot of the face-emojis are supposed to be expressing unless I see a text representation of them or otherwise have them explained.


Yeah, many are just too small to distinguish clearly. I actually thought it was "rolling eyes". That's kind of how it renders for me in Firefox anyway, but if I zoom in a lot I see it's not.


I also find tiny body-text-sized emojis hard to grok. A thing that’s helped me is heavily focusing on context and trying to imagine the human speaker/writer making the same face in said context—i.e. relating it to their apparent emotional state or other clues in their language. It’s like learning vocabulary from scratch all over again, with some prior learning pathways as a shortcut.

I don’t know if that’ll help you (or anyone), and I have other problems with meatspace facial expressions (partial face blindness, probably partly attributable to finding eye contact uncomfortable; although weirdly enough trying to “get” emojis has helped on both these fronts to some small extent). So … idk if this will help but I took all this time typing it so here we are.


> I also find tiny body-text-sized emojis hard to grok.

This depends a lot on emoji font. Apple's 3D-ish, highly colorful, rasterized emoji are very difficult to discern at small sizes, for example, unless you already know what they are.

More stylized emoji fonts, like EmojiOne or emoji that are drawn basically the same way as text glyphs, like in Symbola, are way, way easier to read, especially at small sizes.

If you're on an Apple device, though, you're close to fucked, since the operating system just ignores your font choices when it comes to emoji. The best you can do is carefully hack the actual files for the Apple Color Emoji font on macOS, which requires you to disable SIP and will cause lots of app crashes if you do it wrong. But if you're using an OS that has some respect for you and your choices, try a different emoji font!


I will make the emoji bigger in CSS


Wait what, this is some kind of emoji/face? It shows up as a grey solid box that is slightly wider than tall for me, so not even the typical "glyph missing" thing...

Edit: ok apparently this is indeed the placeholder for missing emoji in Firefox for Android at least.



> I'm on the spectrum, and I can't tell 99% of these things apart. Looks like a sad face to me. no different then the 500 other sad face emoji's I find. I'll stick with =(

If it's any consolation, I don't think anyone could infer that from the emoji itself. The meaning is like a subculture's slang.

I don't use emojis, so I only know the very basic ones (which I consider to be obfuscated emoticons).


Am I the only one that can read faces in here?

It is pretty obvious that it is a face doing the sad puppy eyes, like the one a young niece might do after I refuse to buy her some ice cream. I didn't even know it's meant to be underground, impenetrable slang.


It might be an emoji-font thing. Might be easier to tell what's up in some than others. I know I've seen emoji I sent from Apple devices on Android phones and been all "LOL WTF that's not what I sent at all" so that is sometimes a factor.

Anyway, this is one reason why I prefer images and anigifs for expressing emotion in chats.


> I know I've seen emoji I sent from Apple devices on Android phones and been all "LOL WTF that's not what I sent at all"

Someone linked this above, which has the various versions: https://emojipedia.org/pleading-face/

The Twitter version of it is what I'm seeing from this blog (Firefox on Ubuntu), which to me does look a lot more like "exasperated eyeroll" than "puppy-dog-eyes pleading".


Slack transforms `:(` to `:disappointed:`… which is not helpful.


you are alone


Nope. Face-reading is an underappreciated skill around these parts.


If you don't already know, you can usually copy/paste to your favorite search engine and one of the first results is often the page explaining the unicode character, including those all-caps formal names of them.


It's U+1F97A, FACE WITH PLEADING EYES.


The nice thing about emojis being in Unicode is that you can copy/paste them and look them up, unlike embedded images. The reference name in the Unicode database conveys the original intent of the people who submitted it for standardization, at least.


There should be a quick-reference lexicon for these things


I don't know if it's ironic or not but there is also a sudo replacement in Rust that is called "please"

https://gitlab.com/edneville/please


Depending on your temperament, you might prefer https://github.com/nvbn/thefuck

    $ apt-get install vim
    E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
    E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

    $ fuck
    sudo apt-get install vim
    [sudo] password for nvbn:
    Reading package lists... Done


It's officially called 'Face with Pleading Eyes', which also conveys the meaning. :)

https://emojipedia.org/emoji/%F0%9F%A5%BA/


Thanks for explaining..that makes it more obnoxious than I realized.. still I think people are dismissing it without any logical reason.


It's also a meme in Japan, called "pien".

https://www.nippon.com/en/japan-topics/c03823/


Thanks for the explanation. Emoji to me might as well be Chinese characters. It's just a "thing" I can't read.


The meaning can also be inferred from… the face.


Judging just from that, I'd have taken the meaning as "verge of crying" or "my pet just unexpectedly died"

Until I read that comment I was having real trouble figuring out WTF it had to do with running commands. I thought it might be some practical joke tool that automatically modifies your commands such that they'll make you sad when they run.


Google “puppy dog eyes”.

Don’t get why we have to bust out all the cringe internet lingo to describe something that you see in that venerable “real world”.


people have different perceptions, interpretations, and understandings of things. Your comment comes across as pretty insulting. clear communication is necessary and helpful


It doesn't read that way to me. Maybe it's an emoji-font difference (I'm on Mac).

[EDIT] I mean I see it once someone points it out, but that'd have been lucky to make my top-5 guesses otherwise.


Would like to note that I happened to see someone I know use this over the weekend and it was unambiguously intended as the "verge of crying" meaning I guessed previously, not "puppy dog eyes". LOL.


I also interpreted it as eyes watering up on the verge of crying.


Not as obvious as you think.

https://github.com/twitter/twemoji/blob/v14.0.1/assets/72x72...

To me at 2–3 mm it looked more like sleep deprived baggy eyelids (or maybe candy corn eyes, but what does that mean?). I read the whole post thinking the program was named after exhaustion, not pleading.

I just polled the room and most guesses were that it’s sadness/sorrow.


Sleep deprived is also a good guess in my opinion!


If I zoom in, maybe. At default text sizes, it's indistinguishable from all other emoji faces for me.


Feeling yellow and looking down?

No idea what that's supposed to mean


Looking up.


Depending on font. Inside my web browser, it appears to be looking up. On my web browser's title bar (so rendered by my window manager...), it appears to be looking down, or maybe straight forward. Fonts make a big difference on interpretation too.

I remember a few years back, there was a problem where Apple implemented "GRINNING FACE" in such a way that Apple users interpreted it as a sarcasm indicator, but most others would look just like a standard smiling face, leading to quite a number of awkward exchanges when non-Apple users would read things such as "Yes, let's burn it all down :)" instead of "Yes, let's burn it all down :|"


Huh. That’s weird. A looking down variant sounds misleading.


If you think that's weird, compare it between common fonts: https://unicode.org/emoji/charts-11.0/full-emoji-list.html#1...

Disregarding the "browser" column (could be anything, it's what your browser renders the text as), only the Twitter font has the "looking up" variant that you think is normal. I'd rather say the straight-ahead look is the norm for most font designers when interpreting the "FACE WITH PLEADING EYES" description of the character.


> They wrote the program in C

They wrote it in 1980 for unix; what exactly would you like them to have used?

> (as far as I can tell) have no intention of rewriting it in Rust

Since it will be less than a paragraph before you start ranting about how "obscure targets that nobody uses won't be able to leech off of the rest of the ecosystem by holding back any chance to let us have a modicum of nice things", I trust you, who would surely never be a "leech", have written an actual replacement or submitted patches to start improving the situation? Or perhaps are funding such efforts?


I did write an actual replacement. It's what TFA is about :)


> I did write an actual replacement. It's what TFA is about :)

That is obviously not a replacement; either we take the serious approach of "sudo allows only authorized users to run things as root" and yours doesn't control access, or we take the nonserious approach of "sudo has so many bugs that it just gives people access" in which case we hardly need to bother rewriting it.


to me the solution seems fairly obvious, and as is tradition already exists in unix as groups.

sudo is for people who need root access. if you need anything less then create a custom group and assign the relevant specific rights there.


And then use su or whatever to control access to the actual root account? You'll always need some amount of access to it, although I suppose you're correct that in a truly well-functioning system it would be needed much less since everybody would be in enough groups to get access to the stuff they actually need.


exactly


I just like sudo as a sanity checker — if I need it for some random command I stop and figure out why it needs root privileges.

The amount of times I’ve seen:

  wget random_script.sh && chmod +x random_script.sh
  sudo ./random_script.sh


Yesn't.


Because the entire value-prop of sudo is ubiquity and mindshare. There are as many replacements for sudo as there are Rust developers. Any one of them is probably fine.

The hard part is solving the coordination problem among millions of humans to just pick one and standardize on it. All that work is eliminated in an instant if you just convince the sudo maintainers to bless and ship one.


>They wrote it in 1980 for unix; what exactly would you like them to have used?

Pascal


Huh. I didn't think there was Pascal for Unix back then, but apparently there was:

https://web.archive.org/web/20200614183924/http://www.grokla...

So yes, actually, that might have been possible, and if so it probably would have been better than C.


I think there's a security problem with this command. The command does not verify it's called as [xn--ts9h], it really needs to verify args[0] equals the name of the command, otherwise you could call it though a link or mapping, etc. The article states that the name is important for security, so I'm submitting this bug as critical.


https://github.com/Xe/xn--ts9h/commit/861f8fa86ef58cdc371b0e... I will make a new set of packages tomorrow because I am tired


Linux surprisingly allows you to exec a program with argc == 0, so you also want to check for that...

https://lwn.net/Articles/882799/


Tangent: I’ve never seen emoji rendered on HN before. Really surprised to see this in the title.


Only because dang went into the backend and manually inserted it as a special exception, bypassing the filter: https://news.ycombinator.com/item?id=34460417


Wait? it doesn't make any sense. So any userspace program can call `setuid(0)` and `execv()`? Why is there sudo in the first place? I am not getting it.


The program needs to have the setuid bits set on its inode (chmod u+s), and be owned by root.

https://en.wikipedia.org/wiki/Setuid

Sudo exists as an elaborate ACL scheme implemented in user-space which takes advantage of the setuid+root permission scheme implemented in the Unix kernel to allow granularly granting root access to non-root users.

But any program can be setuid and/or setgid to any user/group and it will then run as that effective user/group by any user with permission to execute that program.

There are handful of programs that are setuid root because they need to do things like open raw sockets that non-root users can't do, ping being the canonical example. Finding buffer overflows in these programs has been a source of privilege escalation security bugs.


Fortunately these days programs like ping can use more focused alternatives to setuid, like CAP_NET_RAW, to greatly reduce attack surface.

But also we’ve largely given up on Unix users as a security barrier in many places, instead using things like VMs as the interface between different tenants in hosting providers and clouds and such. The age of untrusted shell accounts shared Unix servers is ending, if not over already. Passwordless sudo on a cloud VM is probably the norm now.


Understood. Thanks.


Any userspace can call it, but unless you have the SUID bit set on the binary and have it owned by root, it won’t really do much.


Presuming charitably that you mean the more interesting question of "why is this a program rather than a thing other programs do internally when they realize they need elevation": well, two reasons:

1. any program can call fopen(2) and fwrite(2), and yet cat(1) exists. Unix plumbing is mostly there for cases where you're linking programs together in ways those programs didn't expect.

2. Privilege separation. You don't want big, complex programs running as root. You want big, complex programs running as your user, speaking to tiny little well-hardened programs running as root over a pipe, where the tiny-little program can only do one thing.

For example, you might have seen the pattern of piping things into `sudo tee [file owned by root]` in order to be able to write to a file that's owned by root. This fits both of the above considerations: moving the privilege into "tee" rather than having whatever command is generating the text, exposes less of a vulnerability surface; and also, it's `sudo tee` rather than tee(1) itself performing elevation, because tee(1) itself was written a decade or two before this pattern emerged, and so has no idea it could be used this way.


> Most attack code is of such poor quality that they are unable to run commands named with emoji. This makes the program secure.

That’s a pretty wild conjecture.


I believe it was a joke.


The best jokes have a basis in fact.


> I wonder how many people's RSS/JSONFeed readers we broke with the title...

Well played.


The ironic part is that I didn't break any RSS readers! I broke URL parsers in chat apps, scp, and for command line arguments to `tailscale serve`.


I have a poem that I published which has a Japanese title (宝石の十字架). The journal that published it put that in the URL: https://www.invisiblecitylit.com/poetry/宝石の十字架/ and not surprisingly, many URL parsers don’t like the Japanese text.¹ I really need to get around to changing the link that I have in my publications list to use the URL encoded version of the title so that it's easier to share on systems that don’t like the Japanese there.

1. Although, if I remember correctly, URLs are not supposed to have characters outside of ASCII 33–126 in them (and some of those within the range are also disallowed), although as the link to my poem shows, those restrictions aren’t always enforced.


Ahh, that is because that isn't a valid URI - it is an IRI.

The space of IRI implementations is quite sparse, mostly limited to browsers (and often rather spotty within the browsers as well). So a page hyperlink or paste into a browser bar will turn it into a URI behind the scenes, but it is unlikely another program or script will handle them.

In fact, I believe WHATWG defines that hyperlinks are URI, not IRI - so the generated HTML in this case by HN is not valid.

IRI are of dubious value - they exist in a space where users are expected to understand and evaluate the legitimacy of an identifier by sight. That said, this is about the best we have for web domains, so (for example) I think all major browsers do render internationalized domain names in their address bar.


Screw that nomenclature. URI is universal. Banning non-ASCII letters doesn't make sense. I will continue to call it a URL/URI.


Beyond the usual ASCII stuff, the standard allows you to have all nonsurrogate characters between U+00A0 and U+10FFFD in the path of a URL within HTML. The standard has browsers internally percent-encode them. It's also dumped the IRI/URI terminology and just uses URL.


Boy do I have news for you:

https://en.wikipedia.org/wiki/Internationalized_domain_name

https://en.wikipedia.org/wiki/Country_code_top-level_domain#...

Pretty soon you'll be able to do this instead:

https://www. 宝石の十字架 .jp/poetry/invisiblecitylit

(https://www.xn--u9j516hprf6h574cs4w.jp/poetry/invisiblecityl...)

Is that... good? ¯\_(ツ)_/¯


IDNA has been a standard for 20 years. You can already do this.

However, they are IRI, not URI, and IRI support is sparse because of its dubious broader value.


“Dubious broader value” is a great way to tell you’re United-Statesian without saying you’re United-Statesian.


Note that the second link is a table of Internationalized ccTLDs and .jp is not yet on it. So you can't do it yet.


That table shows whether the ccTLD itself has an IDN form e.g. 宝石の十字架.日本. You can register 宝石の十字架.jp just fine (obviously, if you think about how IDNA works).


Emoji domain names exist, so I'm pretty sure you can put anything you want in your URL. Displaying the URL might differ though.

https://xn--i-7iq.ws/


my favorite way to plumb an old / unmaintained program or workflow is to put some emoji in as an input parameter, and see where the logs start exploding


I came here to make a similar comment! A good smell test for whether a piece of software "has its act together" is to send it emoji where it expects text and observe whether it handles it gracefully or shits the bed. It's 2023 and so much bad software still assumes text = ASCII or at best assumes text = ISO-8859-1.


If I recall correctly, `guake` had/has a downstream issue where the terminal would crash because a dependency of a dependency of a dependency was 15+ years old, had no maintainers, no one wanted to take it over, and would hard crash if it encountered emojis.

The build-around was having to fiddle with a bunch of core system stuff (super descriptive on my part) with lots of overloading system packages and just... no thanks.

I did it once; never doing it again because then you have to deal with having a non-standard system from then on. Switched to `kitty` and have no problems with emojis.

tl;dr: If you are designing a CLI tool, please refrain from emojis.


There is a lot of complaining in this thread about the website, the idea, and the author but I have to say I really enjoyed this webpage. There was a another website posted recently [0] that a different style than most things posted here which I also enjoyed. I don't understand why people get so up in arms about things like this. I thought the in-article conversations were fun and playful and added to my enjoyment of the post.

It all comes across as very "bah humbug", "get off my lawn", "I hate fun". I'm not going to say I wish the whole internet looked like this site or that other site but I do enjoy something different than the same look everywhere and I like seeing people try new/different things.

[0] https://news.ycombinator.com/item?id=34446673


Rust, unique website design and cartoon characters together are like a perfect storm.


Some people probably hate it, but I really enjoy the conversational format of these posts. Very novel and interesting way to bounce around a topic


Thanks! That's exactly the point of it! I'm going to be working on the CSS this weekend on stream (the images being so big for longer conversations take up too much screen real estate), but in general the idea is to have a combination of the Socratic method of dialogue based teaching combined with a few consistently written characters; not to mention it helps move out parentheticals to break up giant walls of text. I don't have any page explaining each of the characters and their tropes, but here's a small list:

Mara: the student that knows a fair bit but isn't afraid to call the teacher out on their shit, also used for most parentheticals

Cadey: the teacher that learns from student questions, also a bit of a self-insert to de-emphasize certain parentheticals

Numa: the shitposter that really does mean well, but communicates in shitposts, memes, and similar

Aoi: the idealist that has difficulty accepting the state of the world as it is

With these I create tension between the characters to help illustrate the point. Aoi was added for this article and helps to ground the satire in a sense of reality by being disgusted by this tool.


> the idea is to have a combination of the Socratic method of dialogue based teaching combined with a few consistently written characters

This is, of course, how the original Socratic dialogues are written, too! There are characters with distinctive personalities and points of view who (re)appear in multiple dialogues.

Maybe a lot of STEM folks here have never read Plato or other/later philosophical dialogues, or they never got a sense for how they can be useful. Maybe how it's interleaved with the main body of text is confusing for people as well?

Either way, I think the main idea of the format is good. Maybe some small formatting tweaks or a link at the top like 'how to read this document' would help get new readers to grok the format.


I'm gonna work on the CSS on stream this weekend. It's something that usually comes up in bad faith so I haven't really prioritized acting on it. However I think I finally understand enough CSS to do it properly.


Fixed on stream. The CSS looks a bit better now.


It looks good to me! It's easier for me to tell that the main body is totally separate from the dialogue now. (Before, I wasn't totally sure if the main body was just one of the people in the dialogue monologuing sometimes, although I usually assumed it wasn't.)

Very readable, still fits with the theme, and helps clarify the genre. :)


Reminds me of Bob and Alice.


The dialog could probably use some left/right padding or an alternate font to indicate it's not part of the main text. Initially I found it a bit unclear, and also hard to skim the article.


I'm gonna give it a lot of love this weekend. Sorry it's not the best. I'm quite terrible at CSS.


Fixed on stream. The CSS delineates conversation snippets better now.


I really like your style as well and have throughly enjoyed several of your articles in the past (a lot of your articles on nixos for example).

I have no problem at all with the presentation of this article. As always your characters make the article really gripping to read imo, like taking part in a good conversation.

But I did not like the way you handled the topic as much this time. I know that it is supposed to be confrontational and a bit in the face. That is the joke. Being nonchalant about is kinda fun, but when that is part of what actually is quite hard criticism of someone else's work it starts to sound very arrogant. But I don't know.

Anyway, looking forward to your next article :)


I just have to say: May you one day end up on a system nobody uses, and watch as your environment dies so other people can have "nice things".


Why shouldn't people try different, novel approaches on their personal websites, though?

Where else should one try out "weird" (non-mainstream) concepts and see what sticks?

I don't understand your harsh dismissal of the author based on the design of a personal website, to be honest.


I'm responding to this:

> <Cadey> I don't know about the code quality standards of the sudo project, but overall I don't see them doing any concerted effort to try to migrate away from C (or to reduce the complexity of sudo) and there are frequent security vulnerabilities that result in attackers getting root access anyways. I really wish the industry as a whole would take languages like Rust a bit more seriously and start actually moving towards programs being safer to use because security vulnerabilities in core infrastructure result in emergency patches. It was disappointing to see an attempt at using Rust in an important Python library torpedoed by users of obscure architectures not supporting Rust. Maybe the solution there is to use WebAssembly as a compile target instead of making everything be native code. I wouldn't wish hppa's reverse stack growth on anyone trying to write a compiler though.

Which was edited from this:

> <Cadey> God I wish they did. They wrote the program in C, (as far as I can tell) have no intention of rewriting it in Rust, and it's had many viable attacks over the years that allowed attackers to gain root privileges and worse. It's also debatable if the entire concept of privilege separation as implemented in Linux and UNIX was a bad idea to begin with but we're stuck with it because of an endless ball of legacy programs controlled by egotistical open source people that refuse to change because then obscure targets that nobody uses won't be able to leech off of the rest of the ecosystem by holding back any chance to let us have a modicum of nice things.

I don't care about their website design (it's better than a number of "serious" websites I've visited) and I don't care about their characters, especially since it's a literally ancient way to explore philosophical issues and being a furry is morally better than being a pederast, as the Ancient Greeks were.


Ah, I see, misunderstanding on my side, also didn't see the old version. Sorry! :)


That already happens to anyone that tries to stay on the same system indefinitely.

Personally I'm used to it and I think security is more important than indefinite hardware support. Installing the same software on newer hardware is fine.


If you're going to be working on CSS anyways, I noticed that the tables on the pronoun page could use a little bit of padding—the text is touching the table borders (https://vgel.me/imgshare/xe-pronouns-no-padding.png)


Good catch! I'm really bad at CSS lol


Hey! I would definitely recommend putting this somewhere on your website.

I have been encountering it now and then - mostly on Nix/NixOS topics (by the way, thank you very much for some very useful articles!), and while I don't have any issues with the format, those characters were a kind of small and a little bit weird (not in a bad way, just... unusual) mystery, making me wonder "who are those, what's the story/going on here besides the obvious dialogue format?". Not much, of course, just a minor casual curiosity, but made me look into the footer/about section if there was anything in there.

Just saying. And thanks again!


I find it the format really hard to follow


Fun style to read, but without knowing what level of sarcasm I'm supposed to assign to the peanut gallery characters (or to the main author voice), I'm left wondering whether there is a point beyond "sudo should be written in Rust?"


Loved it as well. Reminded me of some of the blogposts over at https://fasterthanli.me/tags/rust


This is silly, thank you for brightening my day


I feel it relevant to point out that any application running as a user that can run sudo, can just steal your sudo password.

https://gist.github.com/lrvick/b0f4b744ab277582b1f9c50e0eb87...

Having a password or a key or any other nonsense to run sudo is security theater.

If you do not want all applications to have real root access, use Qubes to isolate applications into VMs, or at the very least have your daily driver user not have root access and have a separate admin user.


Yes, it took me some thinking but it's the conclusion I arrived at as well; the password is useless because as soon as somebody or something can run a bad process it's game over, first of all because all the files I really care about are owned by and writeable by me, and secondly because the bad process can just mess with .bashrc and get root access later. About the only benefit I could think of is slowing down an opportunistic attacker that finds my device unlocked, but even that could be game over with a quick `curl ... | bash` if the attacker is prepared enough. 'Security theater' was my conclusion as well, and I was surprised by it, why is everybody doing this?


> has no pronounceable name in English or any other speakable human language.

Wrong. He is called ピエン (Pien). Please call him Pien.



I have more trouble interpreting emojis then I do emotions. God help me.


I end up hovering a lot on slack to find out the translation. And thankfully Siri reads them out loud to me when I have my airpods in.


People who use emojis aren't the type to lookup the official meaning. In other words, actual use is at times very different from the official description.


Yet another clickbait for rust sigh


Oh please, don’t start using emojis on HN.


Does HN no longer strip emoji characters, or is it just a bug that allows this specific character to slip through?


Look downthread. Dang made an exception.


For anyone else confused by the name, switching from Twemoji to Noto Color Emoji made it recognizable.


reminds me of a colleague some years ago who often put emoji in his git commit messages.


There’s even a standard (of sorts): https://gitmoji.dev


I just open a root shell with `sudo -i` when I need to do some admin stuff… But that's not the point.

If the post is a joke it's not a good one. Sudo has issue, sure. But this tool is even worse! You could just start working as root user the whole time, like many people do (or did) under Windows, but we all should know where this will end.

The developer didn't do anybody a favor creating this. He will be imho directly responsible for any harm done by this tool.

People should really think upfront about the consequences of their stupid jokes.

People are dying these days form "changeless" on TikTok that are often also just stupid jokes put online by even more stupid people without any sense of responsibility. I see parallels here to be honest.


Kinda reminds me of Puss in Boots pulling that face when he wants something so badly. Cats will rule the planet after we're long gone.


It does have a name, Face with Pleading Eyes.

https://unicode-table.com/en/1F97A/


i don't like sudo, but I feel no need to replace it. I type "sudo su -" and I'm good to go.


The Joke Understanders have logged on


TIL: HN strips emojis from the comments but it does allow then in submission titles...


it doesn't, dang edited it back in here


The emoji is called pien ぴえん


This is a beautiful website with awesome anime-style cartoon formatting. The palette is really nice, well-selected too.

Sadly, the writing style interpersed with the cartoon dialogues is so insufferable and distracting that I learned absolutely nothing. My ADHD didn't help either.


I didn't know that you could use emojis in URLs. Neat.


You cannot. This is an IRI, not a URI.

Browser address bars will typically convert and render URI as IRI, because they need to convey the domain name to the user (because we don't have a better way to handle reputation on the web).


So emojis are allowed in HN titles but not in comments?


surprised that HN didn't filter out the emoji in the title... I've had HN strip out unicode or whatever in posts.

testing --><---


I replaced "sudo" in all my systems a long time ago with an alias to "machinectl shell .host" which is IMHO far superior to it, as it doesn't just spawn a new shell as a privileged process, but instead initializes a full user-session and then spawns a shell in this user-session.

This doesn't carry the risk of tainting the new session with the context of the initiating shell (pwd, env, ...) and doesn't only feel like a full login, but actually provides everything that's part of a login session (systemd and DBus user-sessions, shared session context with other shells of the same user, etc).


Sudo's -i option is able to provide you with a shell in the same state that it'd be if it were a fresh login. I've burned this into my fingers a long time ago. Also, in most configurations you have to specifically whitelist environment variables for them to surivive a "sudo" call.


Is there another way of opening a root shell other than "sudo -i"? That's what I've been using for a decade. How do other people do it?


    sudo su -
Which also resets your environment and everything.


su -l root

But that only works if theres a password on root, which is generally seen as ill advised. But was how every distro did it in the olden days before there was a sudo group.


I've always used sudo -s but no clue why.


`sudo su` is a way.


This is going way over my head. Am I the only one here who just puts everyone in sudoers and does NOPASSWD? Where are these multi-user systems where you don't really trust everyone who has access?


I had to:

  $sudo apt-get install -y systemd-container
to get machinectl


Is this not so microaggression really necessary at the top of every post? it sounds rude and it is not an efficient way of communicating the relevant information.

>Hello. Before commenting about the author, please read this page that explains >the >pronouns that you should be using. tl;dr: the author of this website is NOT >male. >Please do not use "he" or "him" when referring to the author.

How about

> Hi. I am nonbinary. > I prefer the following gender identity pronoun pairs >(xe/xer),(they/them),(she/her) >If you would like to know more here is a link.

(based on blog post and https://www.reddit.com/r/transprogrammer/comments/ox7aef/chr...)

I am autistic and all I want is an efficient way to address this issue I dont care about the politics. Just give me a universal, drama free, efficient way of addressing you and I will do so.

We should just make that a HTML Meta tag <gender identity pronoun pairs> or microschema

Given that there are over 72 different genders now listed here: (https://www.medicinenet.com/what_are_the_72_other_genders/ar...)

Plus: There is no fixed number of gender identities. They occur on a spectrum, which really means that the possibilities are infinite. https://www.medicalnewstoday.com/articles/types-of-gender-id...

HTML will need ways to convey such information in an orderly and efficient manner.

Or we could just reduce infinite to 1 One pronoun pair to bind then all. . Hu? (For HuMAN) (so only Hu)

In some languages you address people in different a different manner depending on age. and some based on age and perceived status. (and in most some variant if married or not).

All of that can be removed.

Age,Married Status and so on is not required knowledge. Gender identify is also not required knowledge.

Hu / Hua ?


Hi, author of the site here.

It only shows up for people that visit via Hacker News with ads disabled. If you don't want to give me ad impressions, then when you visit it gives you a nudge to be civil when commenting on the article.

Is there anything I can do to change it so that it's better?

If you don't want to see that message, please disable your ad blocker.


Interesting, was there a reason to target that specific user group with the message, or is it just filling space that would have been populated by an ad?


Normally that has a "please disable your ad blocker to help this blog be self-sustaining or donate on patreon" message. But Hacker News users spew so much venom and vitriol (see OP in this thread) that I am a bit more pointed and blunt with the nag messages. Going by the numbers of hits vs as impressions my hypothesis is that the biggest assholes block ads.

I did the math for last year and somehow my blog actually made a small profit! It's nowhere near enough to make me want to quit my dayjob, but it's at least enough that the excess can pay for all my video game purchases. I need to finish that article detailing the blog's finances for 2022.


how to type the emoji on terminal?


Ctrl-Shift-U, 1, f, 9, 7, a, Return


carefully


Which terminal?


this is so hilarious and cute


I mean clearly this is all quite tongue in cheek but:

> It's also debatable if the entire concept of privilege separation as implemented in Linux and UNIX was a bad idea to begin with but we're stuck with it because of an endless ball of legacy programs controlled by egotistical open source people that refuse to change […]

Not a very charitable way to describe volunteers who don’t want to learn the flavor-of-the-month language to reimplement their old projects. Maybe if there were some folks who knew rust and were interested in doing this kind of work it would get done.


Honestly, I don't think you should take anything the author of this wrote seriously, the most charitable interpretation is that most of their work is a form of satire.


Speaking as the author of the work, most of _this post_ is satire meant to make you think about the existing security boundaries involved in privilege escalation. It is a false problem. The part about being annoyed that sudo is still written in C is coming from a sense of exasperation that there's still more predictable memory safety bugs involved with sudo because it's still written in C. The comment about python-cryptography failing to move to Rust because of random Gentoo uses holding it back was from a sense of exasperation that we can't have "nice things". I'm tired of having to emergency patch everything because we as an industry can't make our fundamental security tools _measurably safer_ with languages like Rust.

I am a lot more serious in my other posts (such as this one: https://xeiaso.net/blog/2022-media or this one: https://xeiaso.net/blog/hlang-nguh), but sometimes I have to write satirical things otherwise people won't get the point.

Believe what you want though.


Update: after some feedback from a trusted advisor I have rephrased this conversation snippet: https://xeiaso.net/blog/%F0%9F%A5%BA#:~:text=A%20prior%20ver....

Here is the new version (same links):

> <Cadey> I don't know about the code quality standards of the sudo project, but overall I don't see them doing any concerted effort to try to migrate away from C and there are frequent security vulnerabilities that result in attackers getting root access anyways. I really wish the industry as a whole would take languages like Rust a bit more seriously and start actually moving towards programs being safer to use because security vulnerabilities in core infrastructure result in emergency patches. It was disappointing to see an attempt at using Rust in an important Python library torpedoed by users of obscure architectures not supporting Rust. Maybe the solution there is to use WebAssembly as a compile target instead of making everything be native code. I wouldn't wish hppa's reverse stack growth on anyone trying to write a compiler though.


FWIW as one of the original complainers this seems like a perfectly good edit to me.

Also the overall article was quite interesting and I think the template is really accessible and fun to read. If I knew there would be a bunch of ancillary complaining this thread, I probably would have kept quiet!


I feel that where I work. I'm outnumbered in wanting to write web servers with high-level, non-performance-sensitive business logic in something other than C++. We keep having memory safety problems, but more importantly, it's really slow to develop this way and doesn't match the skillset we're hiring. However, these people are being paid.

The common reason our most senior engineers tell me isn't even that it's too late to switch, it's that "C++ is perfectly fine as long as you use it right" and "it doesn't matter what the outside world uses" and "performance."


The Gentoo folks have packaged https://packages.gentoo.org/packages/app-admin/doas ( so they appear to be fine with sudo replacements) and https://packages.gentoo.org/packages/sys-apps/ripgrep (so rust isn't a problem), so if you'd like to do the work and write a sudo replacement in rust, I'm sure they'd be happy to package it as well.


The satire came through loud and strong. Perhaps consider that feedback from hn is somewhat biased on the spectrum? I thought the style was a refreshing change.


I think in my next post about this I'm going to have a giant banner for HN visitors that will block you from reading the article that says "THIS ARTICLE IS SATIRE" just to see how that changes what people say in the comments. I doubt it will have the impact I want though.


Those kids would be really upset if they could read.


[flagged]


Bro chill


Nope. I'm tired of people that can only yap their mouth without doing anything


[flagged]


that did 0.1% of what users use it for, and for a joke. Did you not read the article ? Maybe if you did you'd understand my reaction.


Odd that you left off the rest of that quote ("...because then obscure targets that nobody uses won't be able to leech off of the rest of the ecosystem by holding back any chance to let us have a modicum of nice things") which links to: https://lwn.net/Articles/845535/

> Maybe if there were some folks who knew rust and were interested in doing this kind of work

In this specific example, "this kind of work" would involve porting Rust to 5+ obsolete CPU architectures. Not exactly rewarding work.


That it is not very rewarding seems like a much more synpathetic and likely reason than egotism.


The quoted paragraph has nothing to do with language choice.


They didn’t write in paragraphs, it is more like a collection of IRC posts or something. Here’s the whole post thingy:

> God I wish they did. They wrote the program in C, (as far as I can tell) have no intention of rewriting it in Rust, and it's had many viable attacks over the years that allowed attackers to gain root privileges and worse. It's also debatable if the entire concept of privilege separation as implemented in Linux and UNIX was a bad idea to begin with but we're stuck with it because of an endless ball of legacy programs controlled by egotistical open source people that refuse to change because then obscure targets that nobody uses won't be able to leech off of the rest of the ecosystem by holding back any chance to let us have a modicum of nice things.

So, I guess fair enough. I will expand it slightly to say: it is an uncharitable way of describing volunteers who don’t feel like learning a new language and reimplementing their old projects while also overturning a huge ecosystem of software.


It's obviously a (failed) attempt to be funny by being very sarcastic. No one is stupid enough to this that writing it in Rust was even an option in the days unix was written - especially considering the types of people that would know how to write C and Rust for kernels.


They do believe it should be rewritten in Rust:

> The part about being annoyed that sudo is still written in C is coming from a sense of exasperation that there's still more predictable memory safety bugs involved with sudo because it's still written in C.


The paragraph quoted is about the language choice, too, just that part was snipped off because it's long. It's one ball of a paragraph that goes in all directions, citing debian and gentoo's troubles with rust support[1] and calling them leeches for wanting to support obscure architectures. Not a fun read.

[1]: https://lwn.net/Articles/845535/


It wasn't very charitable, but neither is the "flavor-of-the-month language" dig


That’s fair, it was a bit rude of me. Sorry rust folks it actually is a cool language.


Rust? Well, speaking of egotistical open source people that refuse to change...


Heh. I get what you're saying, but I feel that vibe much more from Golang than from Rust. Rust seems down to earth.


I do think it's funny how this is the only comment in the thread that isn't greyed out.

I wonder if there would be a way to lose the 'value' of a downvote if the account in question predominantly downvotes a specific opinion too much (a form of abuse i think). The assumption being that, "ok, you downvoted three posts, that were all very incendiary; though the other 40+ you've downvoted were all that way, statically the chance that those posts are all offensive is unlikely."

Would be interesting to see; I don't hate Rust, but I don't appreciate the zealous nature of most of their advocates, and for me personally, there's nothing fun about writing in Rust. It's also a bit too bloated for my tastes, i would never want to run it in lowlevel personally. Yet most of the time I stay away from threads talking about Rust, because i just get sent to the bottom fairly quickly, on most sites that encourage discussion.


I mean, I heard it put this way and it has always stuck with me: every conversation here is implicitly inclusive of @dang. He’s wholly responsible for the vibes at large, and in the past several years it has become blindingly clear that he has no issues or qualms with Rusticles overtaking any thread they choose. I could write a scathing 10k word treatise on any topic with a single pithy remark about Rust in it somewhere and he’d allow the discussion to be dominated by the Rust tangent that would inevitably multiply in the comments here.

The chilling effect is as you describe, that I often feel discouraged from contributing my knowledge, experience or opinions because of the blatant manipulation of conversations by Rusticles and the apparently contentedness by dang for that to be the defining angle of discussion here.

HN should have tags. Every article gets tagged by users with high karma counts, by some sort of ranked consensus (maybe a rust tag, python tag, database tag, politics tag, etc) and users could just list tags they want muted in their settings.

Instead, I’ll be told about the HN guidelines and some minutia in this comment that is somehow worse than a thousand idiots hijacking literally every conversation about a particular topic.

As they say, not my monkey, not my circus…


Unfortunately that's often a result of administration. He does have notable ownership of how certain things are, and you do see his bias peak through in many different ways.

You mention the "chilling effect" that does exist, and you aren't the only one, I've seen a lot of comments like yours not just on this site, but on pretty much any site that sees any advocacy for the Rust they promote.

I think there might be some value in filtering through something like a GreaseMonkey extension; which I've been debating for a good while if i should just make. Simply allow to remove listings from the HN page that inlude 'blacklisted' domains and filter key words. Such as "rust" in the title would see a removal.

But yeah, I think there is a place for Rust, just not where we see it for the most part, and i am increasingly bothered by the issues it presents for the Linux community (which was disregarded by the article posted hilariously enough, they can't even show respect for the communities they cause issues for, a core inidicator of narccistic behavior).


Guess I haven't been on enough HN Rust threads yet. My assessment of Rust's vibe comes just from reading the docs and online help when I was using it in a project years ago. It feels like C where they're just trying to get stuff done. I don't have strong opinions on Rust or Golang, and I don't use either one regularly. In that project, I ended up doing most of my work in some FFI'd C code.

I do judge language communities based on the code reviewers at work. Python and Java people are chill, C++ people are obsessive, and Golang people are obsessed with not using C++. N/A for Rust or NodeJS.


That is a healthy option imo, it's not a terrible lang or anything like that; it just gets way more praise and has seen too much growth that it has yet to earn.

My preference is C for personal projects; I like the freedom.

C# because I work with .NET a lot; some might say too much, i get weary of it sometimes. Python is kind of goofy, but it's useful and easy enough to use that I don't mind it's presence in my work.

I will never work with Java professionally ever again if I can help it; I don't like the JVM; working with Android was the final killing blow, i hate mobile dev. simply because they often have me work with ART and i just can't do it with any real enjoyment. Golang is odd, and I have yet to find any real use for it.

The Rust community is pretty unsettling in their dedication, and they seem to actively lie if you question it's usefulness in a specific situation, so i'm weary of their advice. NodeJS is useful, but truly awful to maintain after the fact. It's also quite nonsensical; I would still spend the extra time just using php or python (with flask), Node is also far too bloated and the bottlenecks seem to make my life only more difficult anytime I try to make something even remotely performant without just throwing load-balancers onto every node website I've ever worked on... not worth it.

NIM is by far my favorite; I don't know why, but I love it, it's the language i would build if I had the time. And... C++ has way too many options to do one thing that it confuses most solutions when I've ran into problems, it's just too much.

Something I've learned over the years is that the choice of tool, before you even start on a project, must be taken seriously; if you mess that up, you will be paying for it for potentially years to come.


IMO there’s a widespread belief that these upvote/downvote systems are fundamentally stupid, which is actually true, but I think it also holds back the implementations a bit.

I’d love to see for example a site that treats them as endorcements or something. The logic could be something like: keep track of the graph of who upvotes what. When you upvote somebody, you reinforce the link between the two of you. Then, when showing posts, rather than just using the raw scores, measure the weight of the edges connecting two users or something like that.

Also have a button that, if you see a post you don’t like, shows you the edges connecting you to it so you can re-evaluate them and cut some.

Or something like that. I’m sure this is open to abuse. But the idea would be that you aren’t just generating like a gamified “high score” for comments, but trying to build a collection of people that you find or are likely to find interesting. It might even help reduce abuse of the voting system, in that people playing “let’s all upvote each other” games will just become an isolated clique, maybe?


There is pagerank, which is still easy to game when accounts are free. I like HN's system well enough, mainly cause it doesn't show comment scores except your own. It's not like the toxicity-inducing thing on Reddit.

I also made my own social network for links where "liking" something = reposting it, and you only see stuff posted/reposted from people you directly follow. There's no globally popular stuff. Not comparable to HN, though.


I would love to see a POC of this in action.

I think that this would not fix the issue entirely, but it deserves some thought. It's a unique way of looking at the problems.

Of course this becomes less effective when the community itself gets large, so it won't scale as easily.


You are being downvoted by the RIIR crowd for bruising their egos.


Yeah, sorta proves my point. I expected it.


Here we go, I'm at -3 and you are faint grey.


Hint: If you make a comment that is confrontational but makes no other points, many (if not all) of the people downvoting you are not your opponent, they're someone unrelated who thinks you made an annoying comment. Those downvotes prove absolutely nothing about your opponent.


The number one rule of all sites with voting is that we downvote discussions of voting itself!


Cringe.


The actual title is supposed to be "🥺: the best sudo replacement", but I'm not surprised that Hacker News stripped the emoji.


I've put it back for you.

HN is plain-text-obsessive by design but occasional exceptions make life interesting.


Thanks!


Emoji are text!


Ok, editded for you above:

  plain-text-obsessive
  ^^^^^^


Well, now we're gonna get nitpicky :) Unicode is plain text, therefore emoji are in the set qualified as "plain text." "ASCII text" may be more accurate.


ASCII text would be less accurate I'm afraid. I'm open to suggestions!


I'd say your first description, "text-obsessive", was the most accurate.

"Plain text" is a technical term, which generally means raw unicode (or some other character encoding) without additional markup. Emojis are unicode, and can exist in plain text files.

"Text" does not necessarily mean unicode, nor any type of character encoding. The books on my bookshelf are filled with text. If any of those books contain emoji, I would consider the emoji to be an illustration, not text.

(This is a silly discussion but also the sort of thing I have fun thinking about.)


HN is basic-multilingual-plane-obsessive by design. As a bonus it rolls off the tongue nicely.


Except it strips some characters in the BMP, too, such as U+262D


oh pwease!

(actually, i thoroughly approve of quibbling.)


Reread your comment. Foiled again!


test:

: the best sudo replacement


Wait, HN renders emojis?


It doesn't except for a 10-second window today. https://news.ycombinator.com/item?id=34460417


I swear I saw a heart emoji a few months ago in a comment at the bottom of a long thread. Not sure if it was a bug, an easter egg, or maybe a figment of my imagination.

Also I wonder if you have a secret dashboard full of buttons to control this website, and now there's a "Enable emojis for 10 seconds" button, next to "Subtract 1 karma to anyone with a custom topcolor" and "Promote a random Lisp post to the front page"


It might have been a rendering of U+2661 ♡ or U+2665 ♥ or U+2764 (this last one does get stripped by HN) which are not emoji but may be rendered as such by the browser.


This is dangerous information to spread. Censor yourself, or it will be abused and we will lose this easter egg forevermore.

Let's keep it a secret between you, I and dang's emoji stripping code.


🆔 this type of thing works too


There's a fairly new CSS selector to configure emoji rendering, choosing between a text-like rendering and the coloured emoji rendering.

So far, there's very little browser support.

https://developer.mozilla.org/en-US/docs/Web/CSS/font-varian...


I really love the text-like style. I didn't know Unicode added as composing character to ask for that style!

That's awesome. Those are so easy to read and I love how they play nice with users' font coloring choices.


Ah ffs, this is why we can't have nice things on the Internet.


That does keep things interesting (as long as it's not super common) though i do wonder how it looked previously (did it just strip the emoji or is there like a ":pwease:" dropped in?


it just stripped the emoji


Technically speaking, no, HN doesn't render any titles. Your browser is displaying U+1F97A, which is sent over-the-wire as the bytes \xF0\x9F\xA5\xBA (UTF-8 encoding).


By "render" they probably meant "didn't strip"; HN will strip emoji from comments/titles, generally.

E.g., the emoji of the article: "" but I suspect there won't be anything between the quotes.

(An exception was made for the title, in this case; dang mentions that in a comment in the comments here.)


> By "render" they probably meant "didn't strip"

Yes, this is what I meant.


[flagged]


"Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting."

https://news.ycombinator.com/newsguidelines.html


It seems informal and a waste of my time. I'm reminded of the biographical wordarrheah at the head of recipes these days. I. Don't. Care. I'm too old and I don't have time for this.


Not just recipes. Ad driven and SEO industries have made every thing you search for 90% irrelevant bs. I used to be able to search for a PHP function or howto and just see the code. Now to learn something in JS I have to scroll through 500-1000 words of bloat for 10 lines of code when I just want the name of a function or the common way of doing things. This sucks.


Yeah, can't let it cut into your "complaining about websites" time.


You must be a blast at parties held by the professionally offended.

Wrong scale of time. Comments take <2 minutes. Reading an article can take >10 minutes. Additionally, the complaining is less than 5% of my commenting time. I use it mainly to bolster opinions not already commended.


The dialog format is the best part!


And let's ask ourselves what exactly prompts folks to need to comment their disdain for only certain types of articles and not the countless dozens of others they filter through regularly. We'll never know!


[flagged]


Author of the article here. What?


What?


[flagged]


I loved it lol


[flagged]


Good news! I'm going to be adding another furry character to the website thanks to this comment. Feel proud, you've had a positive impact on the wallet of a furry artist.


I hear Flashgitz are a pretty talented bunch of artists: https://www.youtube.com/watch?v=4uqKyofFfm0


Thanks for your patronage.

The fandom will thrive.


[flagged]


> But also nobody will read your articles if the site looks like this.

But wait, Xe's articles frequently make it to the HN frontpage. Surely someone must be reading them?


If you don't like it, don't read it. Also consider not commenting. It's pretty well laid out in the HN guidelines.

"Please don't fulminate. Please don't sneer, including at the rest of the community."


As a hallway monitor, you should be aware that you're not supposed to be reading HN at work, now are you? :-)


What? How is the site not safe for work?


Her articles repeatedly top Hackernews. And her audience largely shares or graciously accepts her predilections. Do you know how many of the most powerful people on the internet are furries/otherkin?


> Do you know how many of the most powerful people on the internet are furries/otherkin?

what makes someone powerful on the internet?


I would say someone who administers critical internet infrastructure or who has technical influence over how the network operates.


I had a hard time following it for a moment but then it clicked that it’s kind of a narrative chat room type thing.

The content itself is well worth taking a moment to get your bearings.


Hacker culture is trans/furry/otaku/plural/neuroqueer. Get used to it.


[flagged]


L bozo


[flagged]


Normally this is just tangentially related and not for Hacker News but I feel this time it needs a bit of attention.

My brain melted in the first minutes trying to read this article. I honestly just couldn't. It feels like I'm reading a mentally ill extremelly schizophrenic write-up on the recent sudo vulnerabilities, makes me lose sanity.

Has anyone actually managed to read this? How is this on the front page? (Not a rethoric question).


It's just the classical socratic method applied to characters that you particularly don't identify with. Fasterthanlime's bear and why's guide have often been praised here for the same thing (the interludes break up the long, boring blocks of text that deep dives often lose readers on,) and it's trivial to use a Reading Mode or skip them for the legitimately interesting technical information within.


Unfortunately reading mode didn't remove the characters for me, it actually made them occupy the whole screen LOL (Fennec on Android if anyone is wondering). I don't have that much of a problem with the conversational format as long as it's used in an appropriate context, but this one was really intrusive and broke the flow of the text, since I'm reading mostly for entertainment I decided it wasn't worth the time.


I'll investigate fixing that. Where can I download Fennec?


Thank you xena, you can download it from FDroid here https://f-droid.org/packages/org.mozilla.fennec_fdroid/

You might also just download normal Firefox as the behavior is the same when it comes to rendering.


I'll do what I can. I fear the problem will boil down to not having control of CSS in reader mode (which is understandable, really) and I may need to admit how my CDN serves the sticker files to serve lower quality assets. I hope it's a simple fix. Gonna do the fix live on Twitch tomorrow: https://twitch.tv/princessxen


Fixed on stream. The CDN resizes images on the fly now.


It's actually rather simple. You read one bit of text, and then you read the next. It's a dialogue, if you've ever read a book the format should be familiar.


Disconsidering the sarcasm in your answer I should note I am familiar with the format, I was noting this one specifically was really bad and I just couldn't follow it, specially because of the figures (although that's not really the topic of my question). Just to clarify further: I was asking because I was curious if anyone thought different about it and how they decided to approach the reading.


[flagged]


Hm, I don't see any fetishes in this blog post.


[flagged]


You’re looking too hard.


Yes, I read it and enjoyed it. Clearly it didn't work for you, and that's okay.


>It feels like I'm reading a mentally ill extremelly schizophrenic write-up on the recent sudo vulnerabilities

It doesn't feel like it, you are. You are reading a mentally ill extremely schizophrenic write-up on the recent sudo vulnerabilities


What's the problem? It's just that the information is presented as a back and forth conversation between characters.


Do most of the websites you browse look like this?


"Unusual" isn't an insult; what's the actual problem?


It's unusual that there can't be negative feedback about a website. Different strokes.

I want to read the content, but I can't. The website is too distracting. Is that a valid problem for you, oh great oracle?


> It's unusual that there can't be negative feedback about a website.

I didn't say that there couldn't be negative disagreement. Am I allowed to disagree with you and say that it's fine?

> I want to read the content, but I can't. The website is too distracting.

You can't read the text because there are little icons off on the side? I guess you can read it in elinks; it appears to load fine there. Someone upthread also posted a uBlock-style rule to filter them out.

> Is that a valid problem for you, oh great oracle?

No, it isn't; I'm not convinced that it's that bad to begin with, and if you really care the tools are available to it yourself.


> I didn't say that there couldn't be negative disagreement.

> What's the problem? What's the actual problem?

You're not as personable as you think you are with such a confrontational attitude towards feedback on a website you support. The website is distracting to enough folks that it matters. Period.

I'm not sure I understand the weird fan crowd we have here for the site in question. This thread is rife with folks who are ecstatic to defend the author for exercising artistic license, yet incapable of understanding or receiving valid feedback on said artistic license. And these folks aren't even the author!

If you put it in public, anything is fair game.

> if you really care the tools are available to it yourself.

I cared enough to leave feedback for the author, I'm not going to go out of my way to read text peppered with distracting weeb shit. I don't expect folks to sift through my unusual interests to get to my points.


[flagged]


Not pretending anything, I don't actually see the problem. They're clearly fictional talking heads that exist purely as a narrative device; why should I care if one of them is a girl with cat ears and another one is a fox/wolf(?)?


[flagged]


Okay, I read it...

> Sexual attraction to furry characters is a polarizing issue. In one survey with 4,300 furry respondents, 37% answered that sexual attraction is important in their furry activities, 38% were ambivalent, and 24% answered that it has little or nothing to do with their furry activities.

So I'm reading "no reason to assume it's a sexual thing without specific contextual evidence", which I'm not seeing here.


[flagged]


Consider it like dressing up, with nice clothes. Sexual attraction is an important aspect of dressing up to some people, but that's only part of the time, and just generically being dressed up is not a sex thing.


[flagged]


Dressing up with nice clothes is not bikinis. Some fluff and weird ears is not in any way like a bikini.


I think it's you that has the problem. They are cartoon characters with bunny (or whatever) ears. Fur/furry isn't mentioned once.

If you're triggered by bunny ears, how do you cope with seeing 𓂺 on a toilet stall?

> he or she

From the bit you claim not to understand 'Please do not use "he"' is very clear.


Well that's the point I didn't get it because it also said that the author is not female, which doesn't exclude that person from having the ability to ask for people to call the author with a female pronoun. Me actually using it and respecting that ask is another thing as it is completely up to me if I'm going to do it or not, and honestly if it's respectfully requested with due reasoning I'm okay with it. I did read the page and make the effort to understand which one the author was looking for me to use but eventually I just bounced from the page as I figured I wasn't that interested in the content of the blog post anyways.

Also, bunnies have fur. Source: Had a bunny once.


My god, what whining.


Why not just close the tab then? No one is forcing you to read it.


I did.


Hey, at least it's not Medium.


I think the website is excellent, and it’s a joy every time I see Xe’s posts here or anywhere. If you don’t like the way it’s presented, but you do sincerely want more information on the topic it presents, there is a vast (world wide!) web full of information. Surely you’ll have better luck finding it if you look for it rather, than spending that time trashing something that isn’t your cup of tea.


If you configure your content blocker to hide the picture element, all the furries go away.


I think (hope) this is for the other poster and others of a similar mind, but in case I flubbed saying so: I think your site and its furry content is rad, and do not personally want to see anything different.


[flagged]


I assume you've never been to East Asia in general or Japan in particular. Furries are regular business there. Heck, in Korea, at a police station, they characterized the police man/woman as rabbits.

We don't know where the author is from. However, the website loaded pretty fast, didn't have the 4524 trackers, a Signup/Enroll/Whatever Popup, or prioritize 70% of the page for content other than the blog post.

I'll take the furries over the regular shit one's browse everyday.


I had a hard time reading this just cause of the longwindedness, not cause of the images. But it didn't assault me with popups and GDPR crap, or make my laptop sound like an airplane taking off.


##article > div.conversation > .conversation-smol.conversation-picture

You're welcome


lol "smol"


Not block all images, just on the site. It takes a few seconds.

I think it's valid advice in this case, because they seem to be quite upset specifically at the furries, and not at the conversational structure of the post.


[flagged]


I invited them to view content less triggering to them. I’d link some directly but I’m on mobile so that’s a lot of bother for someone who probably isn’t looking in good faith, and well… their search engine is either the same as mine or functionally equivalent.


The damage is done, they are alas, already triggered.


I’m going to give you the benefit of the doubt that you mean this in good faith, even though I don’t think you do. What is the damage, and how doesn’t the site owner explaining how to consume their site without furries address it?


The damage might be permanent and irreversible psychological and emotional scaring. The trigger warning needs to come before the objectionable content is seen of course.

https://uwaterloo.ca/centre-for-teaching-excellence/trigger

A trigger warning is a statement made prior to sharing potentially disturbing content. That content might include graphic references to topics such as sexual abuse, self-harm, furies, violence, eating disorders, and so on, and can take the form of an image, video clip, audio clip, or piece of text.

In an academic context, the instructor delivers these messages in order to allow students to prepare emotionally for the content or to decide to forgo interacting with the content.


I think it isn’t necessary to give them the benefit of the doubt, they’ve brought up the language of triggering despite the original post just being sort of annoyed. In fact the original post explicitly says they don’t care about “furry shit” as they put it.


How does one discern "sort of annoying" and "triggering"? Sounds like they are coping with severe trauma to me personally. It isn't cool to minimize others peoples pain like this.


Absolutely not in good faith. Nobody has unironically said "triggered" in about ten years.


[flagged]


It's much too late for that, friend. We're everywhere --- in your libraries, your coffee shops, your orange sites. Save yourself lest you join our number. :p


Why?


[flagged]


The best argument you can come up with is that a CCP censor didn't like it in the thirties?


Good point! Ima go snuggle my pup and be glad to be done with HN for the evening. She’s definitely not on the same level as humans


I'll take it over another tedious medium or substack turd. need more sites like this.


[flagged]


Can we please not turn this into a fury flame thread.

I don't think HN should take a perfectly interesting technical article and make it about the author's online identity.

Frankly a lot of this thread is really disappointing to read.


[flagged]


Or you could just, you know, not read the author's stuff? They're posted here enough that you know it's going to be there. No one is demanding you read it and then share your brilliant takes on sexuality with us.


You know it's a terrible take when it can be turned around on you. That is, "if you don't like comments no one is demanding you read them and share your brilliant takes on opposition to mixing sexuality into technical matters".



[flagged]


We've banned this account for posting flamebait and unsubstantive comments and generally breaking the site guidelines a lot.

Please don't create accounts to do that with; it will eventually get your main account banned as well.

https://news.ycombinator.com/newsguidelines.html


Thank you for your feedback. I will increase the thing.


Yeah there is a lot of overlap between overused anime imagery, and hackers. It's certainly strange.


[flagged]


I think you should be more concerned that you can't identify an obvious shitpost if you see one.


I'm pretty sure the (as far as I can tell) was about not intending to rewrite in rust.

> (as far as I can tell) have no intention of rewriting it in Rust,


Ahh, yes, your right. That part is certainly my misunderstanding.


I know I'm an old fart but this is yet another reason why I don't want my servers supporting UTF-8.

LC_ALL=C

It's important and NECESSARY to be inclusive, and as long as nginx can still provide the UTF-8 characters I don't care; but there is no way I can allow anything other then US ASCII to be on the terminal.


How would you read git log output with non-ascii author names then?


That actually didn't work not too long ago. I don't remember if it was git or less, but "unicode" characters it would end up getting reified as, e.g., "<U+1234>", as I recall.

Thankfully it got fixed at some point.


Unfortunately, the C locale will not achieve your goal: UTF-8 will be merely a subset of what you support, rather than getting rid of it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: