... but they defend my cooking blog from the botz!111 (I guess one could also substitute "from AI scrapers" but I guess that ship has sailed)
In the spirit of not pitchforking, it does make it sound like they put some non-trivial energy into making the injections hidden, but I'm with you that monkeying with responses is the road to ruin
> When these links are followed, we know with high confidence that it's automated crawler activity, as human visitors and legitimate browsers would never see or click them.
Yeah, it would have been just stellar if I had spotted "huh, that's weird" in a page response and I chased it to see what it was. Then "har de har har, welcome to a Cloudflare blocklist, n00b" for being curious
I doubt they'd add these protections for visiting a handful of links at human speed. Correct me if I'm wrong, but crawlers often send hundreds of requests per minute, testing random outlinks and routes they find on the site
My concern would be as a webmaster: serving useless content to users, and as a user: not getting the information from the site.
I probably wouldn't use this feature, since I often deploy static websites that use little to no resources, and the potential harm outweighs the benefit
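The detection idea discussed above (a hidden link that only an automated crawler would follow, plus request rate as a second signal) run over constructed access-log lines, as an added example that is not part of the thread or of Cloudflare's implementation. The `/_trap/` path prefix, the sample IPs, and the 100-requests-per-minute threshold are all assumptions chosen for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Start of a combined-log-format line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Path prefix that only hidden (trap) links point at. Assumption for this example;
# a real deployment would pick its own unguessable prefix.
TRAP_PREFIX = "/_trap/"


def _line(ip, second, path, ua):
    """Build one constructed log line (helper for the sample data below)."""
    return (f'{ip} - - [10/Mar/2025:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 1024 "-" "{ua}"')


# Constructed sample: a human reading two pages, a crawler that follows a trap link,
# and a client that fires 150 requests inside 40 seconds.
SAMPLE_LOG = [
    _line("203.0.113.7", 1, "/", "Mozilla/5.0"),
    _line("203.0.113.7", 9, "/recipes/soup", "Mozilla/5.0"),
    _line("198.51.100.23", 2, "/", "crawler/1.0"),
    _line("198.51.100.23", 2, TRAP_PREFIX + "3f9a", "crawler/1.0"),
    _line("198.51.100.23", 3, "/recipes/soup", "crawler/1.0"),
] + [_line("192.0.2.44", i % 40, f"/recipes/{i}", "python-requests/2.31")
     for i in range(150)]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify_clients(lines, trap_prefix=TRAP_PREFIX, rate_limit=100,
                     window=timedelta(seconds=60)):
    """Return {ip: [reasons]} for clients that requested a trap path or exceeded
    rate_limit requests inside any sliding window of the given length."""
    reasons = defaultdict(set)
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        times[rec["ip"]].append(rec["ts"])
        if rec["path"].startswith(trap_prefix):
            reasons[rec["ip"]].add("trap_path")
    # Sliding-window count: j trails i so that ts[i] - ts[j] < window.
    for ip, ts in times.items():
        ts.sort()
        j = 0
        for i in range(len(ts)):
            while ts[i] - ts[j] >= window:
                j += 1
            if i - j + 1 > rate_limit:
                reasons[ip].add("rate")
                break
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in classify_clients(SAMPLE_LOG).items():
        print(ip, why)
```

The human client at 203.0.113.7 is flagged by neither rule, which is the property the thread is arguing about: a trap link is a high-confidence signal on its own, while rate alone would not catch a slow crawler that still follows it.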
I am guessing it only resorts to that expansion if it doesn't _already_ know about the command, because $(printf '#!/bin/sh\necho pwned\n' > /bin/git-status; chmod 755 /bin/git-status; git status) results in the thing happening that you'd expect, not a mysterious message
FWIW, both brew and kubectl also have adopted this behavior (of $(basename)-plugin style verb extensions) so I find it unlikely they'd all do it if it was a straight-up facepalm
Probably adding a confirmation message the first time the alias is used for each command would be good; it would be nice to know when I'm invoking git and when I'm invoking a third-party binary, regardless of any exploit attempts!
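The inventory a sysadmin would want in response to the $(basename)-plugin discussion above: walk the PATH directories, list every executable named `git-<verb>`, and separate the ones that collide with a builtin verb (which git resolves first, as the commenter observed) from genuinely new verbs that PATH alone dispatches. This is an added example, not git's own lookup code; the builtin list is a constructed subset, and the demo builds its own throwaway PATH in temporary directories.

```python
import os
import stat
import tempfile

# Verbs the git binary itself implements. Constructed subset for this example;
# the authoritative list is whatever `git help -a` prints on the machine.
GIT_BUILTINS = {"add", "commit", "fetch", "log", "pull", "push", "status"}

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def external_subcommands(path_dirs, prefix="git-"):
    """Map verb -> path for executables named <prefix><verb> on path_dirs.
    The first directory wins, mirroring how PATH lookup resolves a name."""
    found = {}
    for d in path_dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue  # missing or unreadable PATH entry, skip it
        for name in sorted(names):
            if not name.startswith(prefix):
                continue
            full = os.path.join(d, name)
            if os.path.isfile(full) and os.stat(full).st_mode & EXEC_BITS:
                found.setdefault(name[len(prefix):], full)
    return found


def classify(externals, builtins):
    """Split externals into verbs that collide with a builtin name (git ignores
    them) and new verbs that are reached purely through PATH."""
    shadowing = {v: p for v, p in externals.items() if v in builtins}
    new_verbs = {v: p for v, p in externals.items() if v not in builtins}
    return shadowing, new_verbs


def _make_exec(directory, name, executable=True):
    """Write a constructed stub script; optionally leave the exec bit off."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho constructed stub\n")
    if executable:
        os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def demo():
    """Build a constructed two-directory PATH and report what the inventory finds."""
    first = tempfile.mkdtemp()
    second = tempfile.mkdtemp()
    _make_exec(first, "git-status")                    # collides with a builtin verb
    _make_exec(first, "git-lfs")                       # new verb, PATH-dispatched
    _make_exec(second, "git-lfs")                      # shadowed by the copy in `first`
    _make_exec(second, "git-notes", executable=False)  # no exec bit, ignored
    externals = external_subcommands([first, second])
    shadowing, new_verbs = classify(externals, GIT_BUILTINS)
    return {
        "shadowing": sorted(shadowing),
        "new_verbs": sorted(new_verbs),
        "lfs_from_first_dir": os.path.dirname(new_verbs["lfs"]) == first,
    }


if __name__ == "__main__":
    print(demo())
    # Against the live machine: external_subcommands(os.environ["PATH"].split(os.pathsep))
```

Running the same inventory with `prefix="kubectl-"` covers the kubectl plugin convention mentioned in the thread; the point of the report is the `new_verbs` set, since those are the names a user types after `git` without any visible hint that a third-party binary is answering.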
I know it's usually poor form to whine about the names for things, but "cua" and "computer" have such a massive history, at least with Lume it was a more distinct thing to search for
---
In the spirit of being constructive, don't overlook the previous submission's comment which I felt addressed some common questions one might have https://news.ycombinator.com/item?id=42990867
Hi! Thanks for the feedback. We hear you on the naming - "computer" is a broad term, but it aligns with our vision for making AI agents feel more like a natural extension of computing. "Lume" is staying as the name for our CLI, but we've integrated it into our monorepo alongside our agent and computer-use interface.
Also, appreciate you linking the previous discussion! We'll make sure to address common questions more clearly in our docs and updates.
The sibling comment's blog post <https://news.ycombinator.com/item?id=43374972> included the relevant detail: they were just doing (...//ds:DigestValue).firstChild.nodeValue without checking that .firstChild was a Node (in the offending case, it was a Comment). Thus, the non-canonical one saw the "masked" signature, the corrected one which tossed out comments saw a Node and when two implementations differ about a signed document hilarity will ensue
Evidently it's not the same, sorry; it seems that I leapt to conclusions with the two signature mismatch vulns by ahacker1 showing up so close to one another, but opening the very tiny, very dark code picture shows this seems to be xpath-centric, not nodeType as the workos link discussed
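The `.firstChild.nodeValue` pitfall from the linked blog post, reproduced with Python's `xml.dom.minidom` on a constructed signature fragment, as an added example (not the code of any library discussed in the thread). It puts the fragile extraction beside a text-node-only extraction and shows that the two disagree on the same document whenever a comment precedes the digest text, which is exactly the condition under which two verifiers diverge. The namespace URI is the standard XML-DSig one; the base64 value and the reference URI are made up.

```python
from xml.dom import minidom
from xml.dom import Node

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a signature fragment whose DigestValue element has a comment
# as its first child, followed by the (made-up) base64 digest text.
SAMPLE = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo><ds:Reference URI="#assertion">'
    '<ds:DigestValue><!-- x -->dGVzdA==</ds:DigestValue>'
    '</ds:Reference></ds:SignedInfo></ds:Signature>'
)

# Same document without the comment: both extraction strategies agree on it.
CLEAN = SAMPLE.replace("<!-- x -->", "")


def _digest_element(doc):
    """Locate the first ds:DigestValue element by namespace, not by prefix."""
    return doc.getElementsByTagNameNS(DSIG_NS, "DigestValue")[0]


def digest_first_child(xml_text):
    """The fragile pattern from the thread: firstChild.nodeValue with no nodeType check.
    When the first child is a Comment this returns the comment text, not the digest."""
    el = _digest_element(minidom.parseString(xml_text))
    return el.firstChild.nodeValue


def digest_text_nodes(xml_text):
    """Robust extraction: concatenate only Text/CDATA children, ignoring comments."""
    el = _digest_element(minidom.parseString(xml_text))
    parts = [c.nodeValue for c in el.childNodes
             if c.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE)]
    return "".join(parts).strip()


def extractions_agree(xml_text):
    """True only when both strategies see the same digest, i.e. no masking is possible."""
    return digest_first_child(xml_text) == digest_text_nodes(xml_text)


if __name__ == "__main__":
    print(repr(digest_first_child(SAMPLE)), repr(digest_text_nodes(SAMPLE)))
    print("agree on SAMPLE:", extractions_agree(SAMPLE))
    print("agree on CLEAN:", extractions_agree(CLEAN))
```

A verifier that canonicalizes (dropping comments) before hashing and a checker that reads the raw DOM with the first pattern will compare different strings; the defensive fix is to use the text-node extraction everywhere the digest or signature value is read, and to reject a DigestValue element that has any non-text child at all.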
> (I always wondered who started it with YAML and why everyone copied that, if anyone knows I'd love to read about it).
I know this isn't a definite answer to your question, but it was still super interesting to me and hopefully it will inspire someone else to dig into finding the actual answer
The best guess I have as far as CI/CD specifically appears to be <https://en.wikipedia.org/wiki/Travis_CI#:~:text=travis%20ci%...> which launched in 2011 offering free CI and I found a reference to their .travis.yml in GitLab's repo in 2011, too
- CruiseControl (2004) was "ant as a service," so it was XML https://web.archive.org/web/20040812214609/http://confluence...
- Hudson (2007) https://web.archive.org/web/20140701020639/https://www.java.... was also XML, and was by that point driving Maven 2 builds (also XML)
- I was shocked that GitHub existed in 2008 https://web.archive.org/web/20081230235955/http://github.com... with an especial nod to no longer a pain in the ass and Not only is Git the new hotness, it's a fast, efficient, distributed version control system ideal for the collaborative development of software but this was just "for funsies" link since they were very, very late to the CI/CD game
- I was surprised but k8s 1.0.0 still had references to .json PodSpec files in 2010 https://github.com/kubernetes/kubernetes/blob/v1.0.0/example...
- cloud-init had yaml in 2010 https://github.com/openstack-archive/cloud-init/blob/0.7.0/d... so that's a plausible "it started here" since they were yaml declarations of steps to perform upon machine boot (and still, unquestionably, my favorite user-init thing)
- just for giggles, GitLab 1.0.2 (2011) didn't even have CI/CD https://gitlab.com/gitlab-org/gitlab/-/tree/v1.0.2 -- however, while digging into that I found .travis.yml in v2.0.0 (also 2011) so that's a very plausible citation <https://gitlab.com/gitlab-org/gitlab/-/blob/v2.0.0/.travis.y...>
- Ansible 1.0 in 2012 was also "execution in yaml" https://github.com/ansible/ansible/blob/v1.0/examples/playbo...