From c03af0eacc0fcdb829399730e0b4b5de5ec1bbf6 Mon Sep 17 00:00:00 2001
From: Rohan Kumar
Date: Sat, 19 Feb 2022 12:47:07 -0800
Subject: [PATCH] Use new "indieweb-person" shortcode

This should reduce a lot of repetition. Supports first/last names, nicknames, generic names that don't conform to first/last norms, and has basic support for affiliated organizations. Also snuck in more info on website colors to the web best practices article, inc. a link to Chris' Wiki.
---
Makefile.online | 8 ++++----
content/posts/floss-security.md | 10 ++++++----
content/posts/keeping-platforms-open.md | 4 ++--
.../posts/search-engines-with-own-indexes.md | 4 ++--
content/posts/website-best-practices.gmi | 6 ++++++
content/posts/website-best-practices.md | 19 +++++++++++--------
...whatsapp-and-the-domestication-of-users.md | 8 ++++----
layouts/shortcodes/indieweb-person.html | 17 +++++++++++++++++
layouts/shortcodes/picture.html | 2 +-
9 files changed, 53 insertions(+), 25 deletions(-)
create mode 100644 layouts/shortcodes/indieweb-person.html

diff --git a/Makefile.online b/Makefile.online
index a27efe2..c9196e6 100644
--- a/Makefile.online
+++ b/Makefile.online
@@ -7,15 +7,15 @@ URL = $(SCHEME)$(DOMAIN)$(PAGE_PATH)
 # latest bleeding-edge chromium snapshot
 CHROME_PATH = /home/rkumar/Executables/ghq/github.com/chromium-unofficial-latest-linux/chromium-latest-linux/latest/chrome-linux/chrome
 CHROME_PROFILE = /tmp/chrome-lighthouse
-CHROME_FLAGS += --headless --disable-extensions --no-sandbox --no-first-run --user-data-dir=$(CHROME_PROFILE)
+CHROME_FLAGS += --headless --disable-extensions --no-default-browser-check --disable-client-side-phishing-detection --disable-component-update --disable-default-apps --disable-device-discovery-notifications --disable-domain-reliability --disable-background-timer-throttling --disable-breakpad --enable-blink-features=LayoutInstabilityAPI --no-first-run --disable-component-update --disable-background-networking --enable-features='EmbeddingRequiresOptIn,EnableDrDc,HttpsOnlyMode,PdfUnseasoned,StrictOriginIsolation,StrictExtensionIsolation,WebRtcHideLocalIpsWithMdns,ThrottleDisplayNoneAndVisibilityHiddenCrossOriginIframes,UseOzonePlatform' --user-data-dir=$(CHROME_PROFILE) --enable-quic --origin-to-force-quic-on=seirdy.one:443
 CPU_SLOWDOWN=2.4
-LIGHTHOUSE_ARGS += --budget-path budget.json --output html --output json --output-file lighthouse-results --throttling.cpuSlowdownMultiplier=$(CPU_SLOWDOWN) --plugins=lighthouse-plugin-resource-granular-summary --chrome-flags="$(CHROME_FLAGS)"
+LIGHTHOUSE_ARGS += --budget-path budget.json --output html --output json --output-file lighthouse-results --throttling.cpuSlowdownMultiplier=$(CPU_SLOWDOWN) --chrome-flags="$(CHROME_FLAGS)"
 hint-online:
- hint --config .hintrc -f codeframe $(URL)
+ pnpx hint --config .hintrc -f codeframe $(URL)
 lighthouse:
 mkdir -p $(CHROME_PROFILE)
- npx lighthouse@next $(URL) $(LIGHTHOUSE_ARGS)
+ CHROME_PATH=$(CHROME_PATH) lighthouse $(URL) $(LIGHTHOUSE_ARGS)
 rm -rf $(CHROME_PROFILE)
 redbot:
 redbot_cli -a $(URL)
diff --git a/content/posts/floss-security.md b/content/posts/floss-security.md
index 5762686..993bd4b 100644
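Review bot: The new CHROME_FLAGS line hard-codes the site in `--origin-to-force-quic-on=seirdy.one:443` even though this Makefile already derives its target from `$(DOMAIN)` (the `URL = $(SCHEME)$(DOMAIN)$(PAGE_PATH)` line in the hunk header), and it lists `--disable-component-update` twice; `--origin-to-force-quic-on=$(DOMAIN):443` plus dropping the duplicate keeps the audit target in one place. The `hint-online` recipe now runs `pnpx hint` with no version pinned, so every run fetches and executes whatever the registry currently serves for `hint`, whereas the `lighthouse` rule in the same hunk moves the other way, from `npx lighthouse@next` to a locally installed binary; running the installed `hint` as before, or pinning `hint@<version>` (version to be chosen), would make the two rules consistent and reproducible. The single-line flag list is also hard to review, so splitting it with `\` continuations, one flag group per line, would make future diffs of this line readable.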
--- a/content/posts/floss-security.md +++ b/content/posts/floss-security.md @@ -135,7 +135,7 @@ Manual invocation of a program paired with a tracer like `strace` won't always e Fuzzing doesn't necessarily depend on access to source code, as it is a black-box technique. Fuzzers like [American Fuzzy Loop (AFL)](https://lcamtuf.coredump.cx/afl/) normally use [special builds](#special-builds), but [other fuzzing setups](https://aflplus.plus/docs/binaryonly_fuzzing/) can work with just about any binaries. In fact, some types of fuzz tests (e.g. [fuzzing an API](https://github.com/KissPeter/APIFuzzer/) for a web service) hardly need any implementation details. -Fuzzing frequently catches bugs that are only apparent by running a program, not by reading source code. Even so, the biggest beneficiaries of fuzzing are open source projects. [cURL](https://github.com/curl/curl-fuzzer), [OpenSSL](https://github.com/openssl/openssl/tree/master/fuzz), web browsers, text rendering libraries (HarfBuzz, FreeType) and toolchains (GCC, Clang, the official Go toolchain, etc.) are some notable examples. Daniel Stenberg wrote about fuzzing curl: +Fuzzing frequently catches bugs that are only apparent by running a program, not by reading source code. Even so, the biggest beneficiaries of fuzzing are open source projects. [cURL](https://github.com/curl/curl-fuzzer), [OpenSSL](https://github.com/openssl/openssl/tree/master/fuzz), web browsers, text rendering libraries (HarfBuzz, FreeType) and toolchains (GCC, Clang, the official Go toolchain, etc.) are some notable examples. {{}} wrote about fuzzing curl:

@@ -149,7 +149,9 @@ If you want to get started with fuzzing, I recommend checking out [the quick-sta A recent example of how fuzzing helps spot a vulnerability in an open-source project is [CVE-2022-0185](https://www.openwall.com/lists/oss-security/2022/01/18/7): a Linux 0-day found by the Crusaders of Rust a few weeks ago. It was discovered using the [syzkaller](https://github.com/google/syzkaller) kernel fuzzer. The process was documented on Will's Root: -CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers by willsroot + +CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers by {{}} + I _highly_ encourage giving it a read; it's the perfect example of fuzzing with sanitizers to find a vulnerability, reproducing the vulnerability (by writing a tiny C program), _then_ diving into the source code to find and fix the cause, and finally reporting the issue (with a patch!). When source isn't available, the vendor would assume responsibility for the "find and fix" steps. 
@@ -165,7 +167,7 @@ I readily concede to several points in favor of source availability from a secur - Some developers/vendors don't distribute binaries that make use of modern toolchain-level exploit mitigations (e.g. PIE, RELRO, stack canaries, automatic variable initialization, [CFI](https://clang.llvm.org/docs/ControlFlowIntegrity.html), etc.[^13]). In these cases, building software yourself with these mitigations (or delegating it to a distro that enforces them) requires source code availability (or at least some sort of intermediate representation). - Closed-source software may or may not have builds available that include sanitizers and debug symbols. - Although fuzzing release binaries is possible, fuzzing is much easier to do when source code is available. Vendors of proprietary software seldom release special fuzz-friendly builds, and filtering out false-positives can be quite tedious without understanding high-level design. -- It is certainly possible to notice a vulnerability in source code. Excluding low-hanging fruit typically caught by static code analysis and peer review, it's not the main way most vulnerabilities are found nowadays (thanks to X_Cli for [reminding me about what source analysis does accomplish](https://lemmy.ml/post/167321/comment/117774)). +- It is certainly possible to notice a vulnerability in source code. Excluding low-hanging fruit typically caught by static code analysis and peer review, it's not the main way most vulnerabilities are found nowadays (thanks to {{}} for [reminding me about what source analysis does accomplish](https://lemmy.ml/post/167321/comment/117774)). - Software as a Service can be incredibly difficult to analyze, as we typically have little more than the ability to query a server. Servers don't send core dumps, server-side binaries, or trace logs for analysis. 
Furthermore, it's difficult to verify which software a server is running.[^14] For services that require trusting a server, access to the server-side software is important from both a security and a user-freedom perspective Most of this post is written with the assumption that binaries are inspectable and traceable. Binary obfuscation and some forms of content protection/DRM violate this assumption and actually do make analysis more difficult. @@ -190,7 +192,7 @@ Releasing source code is just one thing vendors can do to improve audits; other [^3]: Or a JIT compiler, or a [bunch of clockwork](https://en.wikipedia.org/wiki/Analytical_Engine), or... -[^4]: For completeness, I should add that there is one source-based approach that can verify correctness: formal proofs. Functional programming languages that [support dependent types](https://en.wikipedia.org/wiki/Dependent_type) can be provably correct at the source level. Assuming their self-hosted toolchains have similar guarantees, developers using these languages might have to worry less about bugs they couldn't find in the source code. This can alleviate concerns that their language runtimes can make it hard to reason about low-level behavior. Thanks to Adrian Cochrane for pointing this out. +[^4]: For completeness, I should add that there is one source-based approach that can verify correctness: formal proofs. Functional programming languages that [support dependent types](https://en.wikipedia.org/wiki/Dependent_type) can be provably correct at the source level. Assuming their self-hosted toolchains have similar guarantees, developers using these languages might have to worry less about bugs they couldn't find in the source code. This can alleviate concerns that their language runtimes can make it hard to reason about low-level behavior. Thanks to {{}} for pointing this out. [^5]: For example: C, C++, Objective-C, Go, Fortran, and others can utilize sanitizers from Clang and/or GCC. 
diff --git a/content/posts/keeping-platforms-open.md b/content/posts/keeping-platforms-open.md index 092c575..c04da78 100644 --- a/content/posts/keeping-platforms-open.md +++ b/content/posts/keeping-platforms-open.md @@ -127,9 +127,9 @@ Perhaps the biggest benefit to abandoning the "move fast and break things" minds Acknowledgements ---------------- -Denver Gingerich helped me brainstorm early in the writing process and provided useful information for the section on XMPP. +{{}} helped me brainstorm early in the writing process and provided useful information for the section on XMPP. -Thanks to Barna Zsombor and carbolymer for giving good feedback over IRC. +Thanks to {{}} and carbolymer for giving good feedback over IRC. [^1]: [This Hacker News comment](https://news.ycombinator.com/item?id=25961895) in particular planted quite a few seeds for this article. diff --git a/content/posts/search-engines-with-own-indexes.md b/content/posts/search-engines-with-own-indexes.md index 200cdf5..1fc6737 100644 --- a/content/posts/search-engines-with-own-indexes.md +++ b/content/posts/search-engines-with-own-indexes.md 
@@ -193,9 +193,9 @@ Acknowledgements Some of this content came from the [Search Engine Map](https://www.searchenginemap.com/) and [Search Engine Party](https://searchengine.party/). A few web directories also proved useful. -Matt from Gigablast also gave me some helpful information on GBY which I included in the "Rationale" section. He's written more about big tech in the [Gigablast blog](https://gigablast.com/blog.html). +{{}} also gave me some helpful information on GBY which I included in the "Rationale" section. He's written more about big tech in the [Gigablast blog](https://gigablast.com/blog.html). -Nicholas A. Ferrell of [The New Leaf Journal](https://thenewleafjournal.com/) wrote a [great post](https://thenewleafjournal.com/a-2021-list-of-alternative-search-engines-and-search-resources/) on alternative search engines. He also gave me some [useful details](https://lists.sr.ht/~seirdy/seirdy.one-comments/%3C20210618031450.rb2twu4ypek6vvl3%40rkumarlappie.attlocal.net%3E) about Seznam, Naver, Baidu, and Goo. +{{}} wrote a [great post](https://thenewleafjournal.com/a-2021-list-of-alternative-search-engines-and-search-resources/) on alternative search engines. He also gave me some [useful details](https://lists.sr.ht/~seirdy/seirdy.one-comments/%3C20210618031450.rb2twu4ypek6vvl3%40rkumarlappie.attlocal.net%3E) about Seznam, Naver, Baidu, and Goo. [^1]: Yes, "indexes" is an acceptable plural form of the word "index". The word "indices" sounds weird to me outside a math class. diff --git a/content/posts/website-best-practices.gmi b/content/posts/website-best-practices.gmi index d8fa30e..81b73d5 100644 --- a/content/posts/website-best-practices.gmi +++ b/content/posts/website-best-practices.gmi 
@@ -144,6 +144,12 @@ Some users' browsers set default page colors that aren't black-on-white. For ins It's got a grey background, a header with unreadable black/grey text, and unreadable white-on-white code snippets +Chris Siebenmann describes this in more detail: + +=> https://utcc.utoronto.ca/~cks/space/blog/web/AWebColoursProblem AWebColoursProblem + +In short: when setting colors, always set both the foreground and the background color. Don't set just one of the two. + ## Dark themes If you do explicitly set colors, please also include a dark theme using a media query: diff --git a/content/posts/website-best-practices.md b/content/posts/website-best-practices.md index 54df968..1890a51 100644 --- a/content/posts/website-best-practices.md +++ b/content/posts/website-best-practices.md @@ -1,14 +1,13 @@ --- date: "2020-11-23T12:21:35-08:00" -description: A lengthy guide to making small sites that focus on content rather than - form. +description: A lengthy guide to making small sites that focus on content rather than form. outputs: - - html - - gemtext + - html + - gemtext footnote_heading: Notes tags: - - web - - minimalism + - web + - minimalism title: An opinionated list of best practices for textual websites --- _The following applies to minimal websites that focus primarily on text. It does not apply to websites that have a lot of non-textual content. It also does not apply to websites that focus more on generating revenue or pleasing investors than being good websites._ @@ -137,6 +136,8 @@ Some users' browsers set default page colors that aren't black-on-white. For ins {{< picture name="website_colors" alt="This page with a grey background behind black/grey headers and white-on-white code snippets" >}} +

{{% indieweb-person first-name="Chris" last-name="Siebenmann" url="https://utcc.utoronto.ca/~cks/" %}} describes this in more detail in AWebColoursProblem. In short: when setting colors, always set both the foreground and the background color. Don't set just one of the two.

+ ### Dark themes If you do explicitly set colors, please also include a dark theme using a media query: `@media (prefers-color-scheme: dark)`. For more info, read the relevant docs [on MDN](https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme) 
@@ -265,13 +266,13 @@ The [250kb club](https://250kb.club/) gathers websites at or under 250kb, and al The [10KB Club](https://10kbclub.com/) does the same with a 10kb homepage budget (excluding favicons and webmanifest icons). It also has guidelines for noteworthiness, to avoid low-hanging fruit like mostly-blank pages. -My favorite website club has to be the [XHTML Club](https://xhtml.club/) by Bradley Taunt, the creator of the original [1mb.club](https://1mb.club). +My favorite website club has to be the [XHTML Club](https://xhtml.club/) by {{}}, the creator of the original [1mb.club](https://1mb.club). Also see [Motherfucking Website](https://motherfuckingwebsite.com/). Motherfucking Website inspired several unofficial sequels that tried to gently improve upon it. My favorite is [Best Motherfucking Website](https://bestmotherfucking.website/). The [WebBS calculator](https://www.webbloatscore.com/) compares a page's size with the size of a PNG screenshot of the full page content, encouraging site owners to minimize the ratio of the two. -One resource I found useful (that eventually featured this article!) was the "Your page content" section of Bill Dietrich's comprehensive guide to [setting up your personal website](https://www.billdietrich.me/YourPersonalWebSite.html#PageContent). +One resource I found useful (that eventually featured this article!) was the "Your page content" section of {{}}'s comprehensive guide to [setting up your personal website](https://www.billdietrich.me/YourPersonalWebSite.html#PageContent). [^1]: Many addons function by injecting content into pages; this significantly weakens many aspects of the browser security model (e.g. site and origin isolation) and should be avoided if at all possible. On sensitive pages with content such as public key fingerprints, I recommend setting a blank `sandbox` directive even if it means breaking these addons. 
@@ -281,3 +282,5 @@ One resource I found useful (that eventually featured this article!) was the "Yo [^3]: Here's an [overview of PE](https://en.wikipedia.org/wiki/Progressive_enhancement) and [my favorite write-up on the subject](https://whalecoiner.com/articles/progressive-enhancement). [^4]: Consider disabling the JIT for your normal browsing too; doing so removes whole classes of vulnerabilities. In Firefox, toggle `javascript.options.ion`, `javascript.options.baselinejit`, `javascript.options.native_regexp`, `javascript.options.asmjs`, and `javascript.options.wasm` in `about:config`; in Chromium, run chromium with `--js-flags='--jitless'`; in the Tor Browser, set the security level to "Safer". + + diff --git a/content/posts/whatsapp-and-the-domestication-of-users.md b/content/posts/whatsapp-and-the-domestication-of-users.md index 0a38967..c8a68bb 100644 --- a/content/posts/whatsapp-and-the-domestication-of-users.md +++ b/content/posts/whatsapp-and-the-domestication-of-users.md 
@@ -171,15 +171,15 @@ Translations Translations are always welcome. -Евгений Кузнецов translated this article to Russian: WhatsApp и одомашнивание пользователей. +{{}} translated this article to Russian: WhatsApp и одомашнивание пользователей. The Framalang translators at [Framasoft](https://framasoft.org/) translated this article to French: WhatsApp et la domestication des utilisateurs. -Licaon_Kter translated this article to Romanian: WhatsApp și domesticirea utilizatorilor. +{{}} translated this article to Romanian: WhatsApp și domesticirea utilizatorilor. -David Jimenez translated this article to Spanish: WhatsApp y la domesticación de usuarios. +{{}} translated this article to Spanish: WhatsApp y la domesticación de usuarios. -Skariko of [Le Alternative](https://lealternative.net/) translated this article to Italian: WhatsApp e l’addomesticamento degli utenti. +{{}} of [Le Alternative](https://lealternative.net/) translated this article to Italian: WhatsApp e l’addomesticamento degli utenti. [^1]: Pierotti, R.; Fogg, B. (2017). The First Domestication: How Wolves and Humans Coevolved. Yale University Press. diff --git a/layouts/shortcodes/indieweb-person.html b/layouts/shortcodes/indieweb-person.html new file mode 100644 index 0000000..48175c8 --- /dev/null +++ b/layouts/shortcodes/indieweb-person.html @@ -0,0 +1,17 @@ + + {{- /* Strip trailing newline: https://github.com/gohugoio/hugo/issues/1753 */ -}} + {{- if (.Get "org") }} + from + + +{{- end -}} +{{- /* Strip trailing newline: https://github.com/gohugoio/hugo/issues/1753 */ -}} diff --git a/layouts/shortcodes/picture.html b/layouts/shortcodes/picture.html index 186afa2..8b16bfc 100644 --- a/layouts/shortcodes/picture.html +++ b/layouts/shortcodes/picture.html @@ -76,4 +76,4 @@ width="{{ $light_png.Width }}" height="{{ $light_png.Height }}" src="{{ $light_png.RelPermalink }}" alt='{{ .Get "alt" }}' decoding="async"> - +{{- /* Strip trailing newline: https://github.com/gohugoio/hugo/issues/1753 */ -}}
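Review bot: The new shortcode carries no comment listing the parameters it accepts, and most of its markup is not visible in this hunk, so a caller has to infer the contract from usage: the call sites pass `first-name`, `last-name` and `url`, this file tests `.Get "org"`, and the commit message also promises nicknames and generic names whose parameter names do not appear here. A leading comment at the top of the file such as `{{- /* indieweb-person: first-name, last-name (or the generic-name form), url, optional org */ -}}`, with the real parameter names filled in, would make that explicit for the next author. The `{{- if (.Get "org") }}` opener trims whitespace only on its left while `{{- end -}}` trims both sides, so the `from` fragment may pick up a stray newline; if that spacing is not intentional, `{{- if (.Get "org") -}}` matches the rest of the file. Separately, the call site in website-best-practices.md uses the `{{% … %}}` delimiters while the other call sites in this patch appear, judging by how they were stripped in this view, to use `{{< … >}}`; the two forms run the shortcode output through the Markdown renderer differently, so picking one form for every call would avoid rendering differences between posts.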