6 Aug 2025 | |||
Voldenet | I bet it'd be fine to use existing libraries for built-in cryptography | 22:30 | |
lizmat | I recently found out that OpenSSL::Digest offers all of them: sha1 .. sha512 | 22:54 | |
which makes me wonder whether it would be an idea to include all of OpenSSL into MoarVM | |||
7 Aug 2025 | |||
Voldenet | I think it'd need to be configurable, on windows there's builtins that support everything: learn.microsoft.com/en-us/windows/...dentifiers | 00:41 | |
there's also ancient wincrypt.h | 00:44 | ||
I'd consider making something like platform/crypt.h but apart from really trivial APIs like `MVM_platform_sha256(buf, size)` it's bound to not work well | 00:51 | ||
there'd be apis using TPMs that need tpm context (even sha256 would suddenly require MVMCryptoContext), there'd be also various key handles for dsa, contexts for streaming aead | 00:57 | ||
so after pondering about it a bit - if only sha256 is needed, I'd consider some implementation that doesn't bring any additional library in | 01:08 | ||
because in most cases using NativeCall wrappers directly without indirection is simply the best option | 01:10 | ||
jdv | mef: you ok? | 18:31 | |
8 Aug 2025 | |||
lizmat | I just noticed this when building Moar for Rakudo: | 16:57 | |
Updating submodules .................................... fatal: couldn't find remote ref refs/heads/master | |||
no idea which submodule that was referring to, or whether it is something to worry about | 16:58 | ||
9 Aug 2025 | |||
Voldenet | 3rdparty/mimalloc doesn't have master anymore | 03:31 | |
all other submodules do | 03:32 | ||
lizmat | ah, so this *is* something to worry about, as we would be missing mimalloc updates? | 10:35 | |
Voldenet | most likely, there are 3 major versions (possibly with breaking changes), so I'm not sure if it can be automatically updated | 15:44 | |
however, latest version linked to moarvm is from 2 months ago | 15:47 | ||
and latest version released overall is from 2 months ago as well, so it's probably up-to-date at the moment anyway | 15:48 | ||
11 Aug 2025 | |||
librasteve_ | rakudoweekly.blog/2025/08/11/2025-...esilience/ | 15:45 | |
14 Aug 2025 | |||
lizmat | looks like we still have a build issue on Alpine! | 13:29 | |
correction: El_Che was able to build now, 2025.06 packages on their way now | 13:47 | ||
18 Aug 2025 | |||
librasteve_ | rakudoweekly.blog/2025/08/18/2025-...esilience/ | 18:55 | |
lizmat | librasteve_++ | 19:29 | |
19 Aug 2025 | |||
Geth | MoarVM: AntonOks++ created pull request #1952: build_release.yml: Adding latest macos uns windows runners | 17:32 | |
25 Aug 2025 | |||
librasteve_ | rakudoweekly.blog/2025/08/25/2025-...reducible/ | 19:10 | |
lizmat | librasteve_++ | 21:56 | |
28 Aug 2025 | |||
jdv | where is "anton oks"? | 21:09 | |
in any case. i want to ask him, what is up with this?: github.com/MoarVM/MoarVM/releases/tag/2025.08 | 21:10 | ||
this release is done | 21:11 | ||
1 Sep 2025 | |||
librasteve_ | rakudoweekly.blog/2025/09/01/2025-...tive-data/ | 18:26 | |
8 Sep 2025 | |||
rakudoweekly.blog/2025/09/08/2025-...rg-reboot/ | 19:19 | ||
lizmat | librasteve_++ | 22:08 | |
15 Sep 2025 | |||
librasteve_ | rakudoweekly.blog/2025/09/15/2025-37-astquery/ | 15:39 | |
20 Sep 2025 | |||
lizmat | MasterDuke timo github.com/rakudo/rakudo/issues/5954 | 16:06 | |
21 Sep 2025 | |||
[Coke] | I am onboarded with Snyk, scanned moarvm repo, found 1 H, 22 Medium, 10 Low issues under code analysis. | 18:47 | |
japhb | Were you able to confirm whether any of them were "real"? | 19:07 | |
[Coke] | IANACP | 19:12 | |
I opened an example from the rakudo repo. Will do one for MoarVM | |||
e.g. github.com/MoarVM/MoarVM/issues/1954 | 19:14 | ||
22 Sep 2025 | |||
remaining types of errors reported in Snyk: Improper Null Termination; Dereference of a NULL Pointer; Use After Free; Missing release of memory after Effective Lifetime; Potential Buffer Overflow; Double Free | 12:08 | ||
github.com/MoarVM/MoarVM/blob/69cd...tf8.c#L647 seems a reasonable complaint about use after free, e.g. | 12:09 | ||
.... ah, no it doesn't, because there's a throw in there | 12:10 | ||
So more like it's not understanding our code base, I guess. | |||
I suspect many of them are of that nature. | 12:11 | ||
japhb | Better to deal with some false positives than have no visibility at all. Still, I'd feel better if it found something real, because then I'd know that it was looking deep enough. (I don't really believe you can have a previously unaudited codebase the size of MoarVM without at least *one* real bug existing.) | 15:00 | |
[Coke] | Yup. Happy to share keys to Snyk with any core devs, but also understand we don't want to drown them with more crap. | 16:12 | |
We can also scan the other moarvm repos we have that have patches in them from other places. | |||
importing others (including the web site) | 16:31 | ||
librasteve_ | rakudoweekly.blog/2025/09/22/2025-...clone-liz/ | 18:47 | |
25 Sep 2025 | |||
Geth | MoarVM: MasterDuke17++ created pull request #1955: Zero top of register when getting uint32 class member | 02:44 |