robryk @robryk@qoto.org

@XaiaX it seems to have an extremely low vapor pressure at room temperature (which isn't that surprising, given that it boils at nearly 200 deg C). You might have better luck trying to create a very fine caffeinated mist (which will quickly turn into caffeinated dust), which would happen with some ultrasonic humidifiers.

All that said, trying to absorb something that's a poison at achievable doses via atypical means makes me wary (for one specific thing, I am not sure how this affects uptake rate, but I'm more worried about unknown unknowns).

@jbqueru @timbray

Re test files, I don't think that is desirable, especially for parser-like it compressor-like projects. In case of anything that smells of passing, fuzzer-generated regression tests have significant positive value (one can try to write regression tests by hand instead, but it's more work for imo an infrared chance of getting it wrong) and fuzzer-generated example inputs to parsing have a very large value. Example files that were generated using weird tools or extend weird ones are also important test cases (as opposed to previous ones, not just to assert lack of crashes, but to assert correct parsing).

I think that having a better split between building (which generates all non-test artifacts) and testing (that uses already-built everything else, generates test artifacts and runs them) solves the same problem: it allows build environments to ensure that testing doesn't affect the output and that test files are not inspected by the build process. If done sufficiently well (which is admittedly hard to do in the current world) this can even allow test-only dependencies to not be visible to the build stage.

@quinn @gwcoffey

I do expect that the pitchfork mob wants credit as a group, but am somewhat surprised that individual members want credit. (I would expect them to wish to hide in the anonymity of the mob; otherwise I wouldn't expect them to form any sort of cohesive mob.) Do you have a clue whether they find retaliation implausible, don't care about it, or something else?

(Please feel more than free to point me at something longer to read on the topic.)

@oldladyplays

(It's not a loan word change: it's that in Polish there's no way to spell hard s followed by I, and yet loanwords are like that.)

"rz" is an edge case. I can't recall more that two extended word families that use it as an r followed by a z, so unless a friend of yours is called something like Zmarzlik it won't matter for names.

I've had significant difficulty with explaining the differences between ć, ś, c, s, cz, sz, ż even in person so I think that a description from a POV of someone who didn't learn them in childhood is a very useful thing.

@oldladyplays

It's not all that rosy though re regularity. "si" is pronounced differently depending on ~whether it's in a loanword (compare silos and silnik). "rz" is sometimes two phonemes (e.g. in marznąć or mierzić, but surprisingly enough not in obmierzły).

Your guide is imo very helpful. I'd quibble a bit about "cz", because the way I pronounce "ts" is closer to Polish "c" than to "cz". (The way I think about "cz" is that it's a more plosive "sz", but am not sure whether that's a helpful way for people who don't speak some language with similar phonetics natively.)

@oldladyplays Yup. And for me it's still in the spirit of April Fool's because it causes confusion. (Also, hail Eris.)

@oldladyplays

The way I decided to celebrate April Fool's is to tell people a puzzle that causes confusion (because two contradictory things seem to be very obviously true), such that they learn something nontrivial by resolving that confusion. An extremely nice property of that is that it isn't spoiled by first asking them whether they want to partake.

@rq is the source of your confidence empirical or theoretical?

@tqbf what is exactly the chief engineer theory?

@aeva

Also, its activation conditions were pretty strict (both at build time as well as at runtime), so there's a good chance it wouldn't enable itself there even if the malicious sources were used.

@aeva it was only (fully) present in _source tarballs_ from maintainer (but not in the repo), so that depends on where guix was getting its sources from.

@erl you mean a steeple as in the tower that is often placed on top of a church and might sometimes contain a bell?

@niconiconi do you use something other than skin oil for that?

@erl what's a _catholicism grade_ steeple?

@q3k

Re the supposed killswitch: I don't get the point of a killswitch. Where would malware authors use it?

@Conan_Kudo @jwf I'm somewhat concerned that the site ignores the hypothesis that the attacker compromised Lasse's dev environment (I think it does by stating free of caveats that tarballs signed by Lasse were created by Lasse).

@yossarian

Sure, it's not a general solution to the "malicious committer" problem, but it _is_ a solution to _this_ attack. (Obviously, if we were doing that, the attacker would choose a different attack, though potentially risking a larger chance of discovery.)