Quoting https://bsky.app/profile/baldurbjarnason.com/post/3mgcpckb5qk27 :
As @davidgerard has posted elsewhere, the maintainer of the library HarfBuzz has gone all-in on vibe-coding.
(see: https://typo.social/@behdad/116172838540880597 )
A note on why this is a worry in the thread ->
Fonts are a lucrative target. They require a complex parser, usually written in a language that isn't memory safe, and often directly exposed to outside data (websites, PDFs, etc. that contain fonts). This means a flaw could lead to the worst-case attack scenario: arbitrary code execution.
HarfBuzz is pretty much the only full-featured library that takes font files, parses them, and returns glyphs ready to render. It is ubiquitous. A security flaw in HarfBuzz could make a good portion of the world's user-facing software (i.e. anything that renders text) unsafe.
Irrespective of the vibe-coding issue (code review is not an adequate defence against "agent" bugs), this is a piece of software that, due to its position in the industry, should be MORE conservative than the rest. Core infrastructure is not where you want experimentation.
-
in one day I learn both about HarfBuzz guy and Donald fucking Knuth being one-shotted by code waifu psychosis (not to mention the bcachefs case from before https://poc.bcachefs.org/ ) (not to mention continued cases of murderous psychosis https://www.wsj.com/tech/ai/gemini-ai-wrongful-death-lawsuit-cc46c5f7 )
I swear if I don't find comrades to declare full-blown Butlerian Jihad soon I'll just find some other job and retire from computers altogether, permanently
-
@elilla frankly, if i had means to leave my job rn, i'd probably do that and just start supporting any ethical distro or system that deliberately avoids the autoplags.
-
@elilla @davidgerard If anyone wonders why code review isn't good enough, it's because code review is meant to see if there's any obvious mistake in the code, and if it looks right. That's not useful when you have something that creates potentially flawed code that looks fine.
-
tfw the only ones with the political will to blow up datacenters are the fascist Iranian dictatorship
-
@elilla wait, what happened to Knuth?
-
Is a fan of Claude’s now:
-
@elilla There are lots of us comrades! We've just been abandoned by all the institutions we thought were there to protect open/libre software and civil rights thereof, so it's taking a while to figure out alternatives 🤪
-
@elilla
Sign me up, buttercup.
Even though I am technically disabled -
cwebber@social.coop shared this topic