Hacker News | kingkilr's comments

(I work for the Digital Service @ the VA)

This is correct. The HQ team is a part of OMB, the White House's Office of Management and Budget.

The agency teams can be thought of as a franchise model: we work closely with the HQ team and the other agency teams, but we're also a for-real part of the agency we work at.

(Just realized who I was replying to, welp!)

-----


I was disappointed to find out yesterday from Jeff M. that there is no remote position available. I hope this changes at some point in the near future.

-----


Django's trademark is held by the Django Software Foundation.

-----


They're working on the HTTP server.

-----


Several of us who work on PyCA Cryptography (https://cryptography.io) will be doing code reviews (our docs outline the code review process we use).

-----


Warehouse is the reimplementation, also done by the same guy, which will eventually become the new pypi.python.org.

-----


Just to be perfectly clear: it's 100% possible to write an efficient Ruby implementation, and if you have the right technical infrastructure, it's no more difficult than Python, or JavaScript for that matter.

-----


https://research.microsoft.com/en-us/people/mickens/thisworl...

-----


Python already comes with the logical conclusion of goto-fail out of the box. There's no need to add a new special feature for it.

(There is absolutely no certificate store checking for certs by default, nor is there any hostname checking, or any of the myriad of other checks one might expect a reasonable TLS implementation to perform. Use the requests module.)
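The configuration this comment describes (no CA store, no certificate check, no hostname check), as an added example audit that is not code from the thread: it uses only the standard-library `ssl` module and assumes Python 3.4.3 or later, where the verifying client defaults exist, so the unverified context has to be built deliberately to reproduce the old behaviour.

```python
"""Audit an ssl.SSLContext for the 'no checks at all' TLS client configuration.

Added example, not from the original thread. Modern Python verifies by default;
the audit is what to run on any context handed to you by a library that may
still build an unverified one.
"""
import ssl


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings; an empty list means the context verifies peers as a TLS client should."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the peer's certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any other host is accepted")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA certificates loaded: CERT_REQUIRED cannot succeed against a real peer")
    return findings


def is_dangerous(ctx: ssl.SSLContext) -> bool:
    """True when the context would silently accept a forged or mismatched certificate."""
    return any("verify_mode" in f or "check_hostname" in f for f in audit_context(ctx))


def hardened_client_context() -> ssl.SSLContext:
    """What a reasonable client should use: PROTOCOL_TLS_CLIENT already sets
    CERT_REQUIRED and check_hostname=True; we add the system trust store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()
    return ctx


def unverified_client_context() -> ssl.SSLContext:
    """Reproduce the old default the comment refers to: no trust store, no chain
    check, no hostname check. Order matters: check_hostname must be cleared
    before verify_mode can be set to CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("unverified", unverified_client_context())):
        print(name, "dangerous" if is_dangerous(ctx) else "ok")
        for finding in audit_context(ctx):
            print("  -", finding)
```

Whether the hardened context reports a missing CA store depends on the host having system certificates installed; the two flag findings are independent of that.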

-----


Midnight is not the additive identity of points in time. There is no additive identity because there is no addition operation. You're confusing the ``time`` type with the ``timedelta`` type, which represents a duration, and does have 0 minutes as an additive identity.

Midnight is not, nor has it ever been, the "zero-time"; it's simply a point whose typical representation contains some 0s. It is no more falsey than the origin (0, 0) in the Cartesian coordinate system is falsey.

-----


You win: I was confusing those things! I was thinking times were treated as a timedelta ranging from 0 to 23 hours 59...

-----


Let us present a third possibility: Maybe they shouldn't have shipped a TLS client if they weren't prepared to take responsibility for how it was configured.

-----


True, and by that same logic maybe anyone using Ruby's TLS client shouldn't ship anything if they aren't prepared to take responsibility for how it's configured (since the default configuration can be overridden at any point from OpenSSL on up).

-----


Sure, any consumer of this API really should fix it themselves to have a secure configuration. But I submit that basically none of them are. An API that almost everyone uses wrong is not a good API. When the consequence of using it wrong is poor security, that's a dangerous API.

Knowingly shipping dangerous APIs is irresponsible.

OpenSSL is a god damned shitshow, no questions from me, it's bad, it's dangerous, it's irresponsible.

But they shipped something based on OpenSSL, and now they're making a deliberate decision not to act to protect their users. That's not cool, and that's unacceptable to me. If I actually used Ruby, this would make me reconsider that.

-----


Importantly, every layer in the stack is responsible for its own security. A consumer of this API should be making sure that it's optimally configured, and configure it differently where it's not. Any project that isn't doing that should have security reports sent to it to tell it to do that, and if they refuse they are guilty of the same sort of negligence as Ruby core.

However, the fact that other people should also be claiming responsibility for their own security does not absolve Ruby of its own responsibilities.

-----
