Mochabot log - CommonJS IRC channel: #commonjs on irc.freenode.net

2010-04-17:

[2:17] <Wes-> anybody here know anything about blog providers?
[2:21] <Afkytman> Wes-, lemme know if you find anything interesting yourself... I was thinking of making Kommonwealth able to use an external wordpress or hosted blog as a content source... in other words allowing you to make a fully customized kommonwealth site as if it were a blog skin and feed it content from a blog provider while making the Kommonwealth site your blog/homepage.
[2:22] <Afkytman> Exporting as a WordPress skin was also a plan.
[2:23] <Wes-> Afkytman: Frankly, I'm just looking for a site that will let me ramble on about GPSEE -- although it would be nice if the content were a) versioned with mercurial, b) wiki .... I'm also looking at alternate wiki providers ... seriously thinking about doing something in GPSEE on the server-side, but also thinking I have better things to be doing with my time. :D
[2:23] <Wes-> I don't even know what a wordpress skin is, sigh
[2:23] * Wes- is sooo uncool
[2:24] <Afkytman> Oh wait, I mean theme
[2:24] <Afkytman> All that MediaWiki development has me calling them skins
[2:24] <Wes-> ah, well, you know how that goes
[2:24] <Wes-> Hey, can you make MediaWiki read from hg and use alternate markup?
[2:25] <Wes-> I want to mirror my googlecode wiki, because google code does not allow anonymous access
[2:25] <Afkytman> lol... you're better off writing a brand new wiki engine ^_^
[2:25] <Wes-> *how stupid is that*
[2:25] <Wes-> heh, thought about that, too
[2:25] <Afkytman> ^_^ I tried to rewrite titles once....... that branch is dead
[2:25] <Wes-> It doesn't seem that hard, I've hacked pretty hard in that direction before
[2:26] <Wes-> we have a php wiki internally with some pretty nice, but non-standard syntax
[2:26] <Afkytman> Time to go shopping
[2:26] <Wes-> yep
[8:55] <ashb> Wes-: i've got a simple blog engine based around files on disk (written in juice) that we use for evilstreak and my blogs
[9:07] <jhuni> why is the package metadata stored as package.json rather than META.json?
[9:07] <jhuni> META.json is what JSAN uses
[9:08] <jhuni> I think its a better name
[9:14] <jhuni> The packages spec should probably be made compatible with JSAN's packages
[9:27] <ashb> jhuni: JSAN is very browser focused
[9:27] <ashb> also JSAN uses META.json cos they just did what perl did without thinking about *why*
[9:37] <jhuni> JSAN is browser-focused because JavaScript in general is browser-focused, especially at 2005 when it was formed
[9:37] <jhuni> The JSAN architecture could just as well support server side modules once there is a good serverjs spec
[9:37] <jhuni> ashb: also that doesn't really change my point, the name "package.json" is too confusing
[9:37] <ashb> you are the first person to complain fwiw
[9:38] <ashb> but feel free to suggest it on the mailing list
[9:38] <jhuni> ashb: I was just wondering why it is named "package.json", is there any reason the name was changed?
[9:38] <ashb> changed?
[9:39] <ashb> it has always been package.json
[9:40] <jhuni> Before CommonJS was formed at least for 2005-2009 it was META.json
[9:40] <ashb> and none of us knew/thought about it. JSAN isn't particularly well known
[9:42] <ashb> jhuni: if you think META.json is good, propose it. thats how these things work
[9:42] <jhuni> http://groups.google.com/group/jsan-devel/browse_thread/thread/4c5882969569e44c from 2005
[9:42] <ashb> jhuni: '10:46 < ashb> and none of us knew/thought about it'
[9:43] <ashb> proving it exists was never my point
[9:43] <jhuni> k
[9:43] <ashb> also META.yml is so poorly speced its not even funy
[9:43] <ashb> *funny
[9:44] <ashb> (i say this as a perl guy)
[9:45] <jhuni> I will write a proposal to the mailing list listing my ideas
[11:34] <kuya> 7/5
[11:34] <kuya> arf
[12:00] <ashb> well said
[12:05] <kuya> :)
[12:08] <kuya> fluss is working great for me btw ashb :)
[12:11] <ashb> cool :D
[12:35] <kuya> ashb: what am i meant to pass as the fields arg with mongo?
[12:36] <kuya> i dont think its meant to be an array or names...
[12:36] <kuya> *of
[12:37] <kuya> oh
[12:37] <kuya> {field1: true, field2: true} works...
[12:37] <kuya> not sure thats quite right but it does work
[12:40] <ashb> yeah, thats what it's meant to be
[12:40] <ashb> is that not in the docs?
[12:41] <ashb> hmmm no it seems not
[12:42] <kuya> does that mean i can pass false?
[12:42] <ashb> tbh i have no idea
[12:42] * kuya really could work that one out on his own ...
[12:42] <ashb> its just passed to the server
[12:42] <ashb> not sure if it uses the presence of the field or the value of the field
[12:42] <kuya> false makes no difference so it must be just using the keys
[12:43] <kuya> wow - if you pass undefined tho you get:
[12:43] <kuya> Could not call function: exception `You cannot currently mix including and excluding fields. Contact us if this is an issue.'
[12:43] <ashb> huh
[12:43] <kuya> so i think its more complicated than just keys maybe ...
[12:43] <ashb> pass 1 or true :)
[12:44] <kuya> http://www.mongodb.org/display/DOCS/Querying#Querying-FieldSelection
[12:44] <kuya> yea
[12:44] <ashb> ahh
[12:44] <kuya> or use 0 and false to do the inverse :)
[12:45] <kuya> id just stick that link in your docs ;)
[12:46] <ashb> yeah - patches welcome :)
[12:55] <kuya> :]
[12:59] * kuya makes excuses about not understand pdoc or whatever it is ...
[12:59] <kuya> ;)
[12:59] <kuya> *understanding
[13:13] <ashb> kuya: its Markdown :P
[13:14] <kuya> :]
[13:14] <kuya> ewww ruby
[13:14] * kuya wonders why its called pdoc...
[13:23] <Wes-> ashb: how hard do you think it would be to make juice run on gpsee? I forget what it needs now
[13:24] <ashb> jsgi
[13:25] <ashb> and module.resource of one form or another
[13:26] <kuya> whats module.resource? something to do with mongo?
[13:26] <Wes-> Hm, module.resource should be easy, I wonder how hard jsgi would be to bootstrap. I haven't really looked at the spec in detail (CGI addresses all my needs currently)
[13:26] <ashb> module.resource is basically give me the name (or an open handle) to a file relative to a loaded module
[13:26] <kuya> ah
[13:26] <kuya> useful
[13:26] <ashb> hmmm i did have a CGI <->JSGI thing before
[13:27] <ashb> but i suspect it wont work right anymore
[13:27] <Wes-> My CGI is pretty high-level anyhow -- I wrapped a C CGI library :)
[13:27] <ashb> Wes-: http://github.com/ashb/juice/blob/master/lib/juice/engine/cgi.js
[13:27] <Wes-> Although, env vars can certainly be read, hmm
[13:27] <ashb> isn't quite right for how juice behaves now
[13:27] <ashb> but it should be most of the logic
[13:28] <Wes-> (right now I just do var query = new (require("cgi").query)(); print(query.firstName)
[13:28] <ashb> for instance the way the response is sent isn't right anymore
[13:29] <Wes-> Hm, that looks like it would run on gpsee + apache really easily
[13:30] <Wes-> That reminds me, I need to get hdon to fix system.stdout
[13:31] <Wes-> Oh, wait! It works!
[13:31] * Wes- must have missed that patch
[15:30] * kuya looking for session middleware...
[15:31] <kuya> ashb: anything you know of that works with fluss/zest ?
[15:31] <ashb> not off the top of my head
[15:32] <hdon> Wes-, i think it was your patch
[15:32] <kuya> ashb: ok ta
[15:36] <dmachi> kuya: there is some in jack, though its jsgi based http://github.com/kriszyp/jack/blob/master/lib/jack/session.js
[15:38] <kuya> hrm lemme try
[15:41] <dmachi> there isn't much to it :)
[15:41] <ashb> ah thats JSGI 0.2
[15:42] <dmachi> hmm, could be, though i thought kris uses 0.3
[15:42] <ashb> 'HTTP is a stateless protocol for a *good* reason' <--- no its not
[15:43] <dmachi> here is the jsgi implementation he uses with node and it claims jsgi 0.3, http://github.com/kriszyp/jsgi-node/blob/master/lib/jsgi-node.js
[15:45] <dmachi> ashb: well looking at pintura.app, kris isn't using the session middleware, so thats probably why :)
[15:45] <ashb> heh
[15:52] * kuya sticks something around mongo and calls it session ... :]
[15:58] <ashb> kuya: open source it? ;)
[16:01] <kuya> :)
[16:01] <kuya> i may have a few bits around ill possibly maybe release at some point in the future maybe
[16:01] <kuya> :]
[16:41] <Wes-> ashb: "good reason" - like it's hard to find resources to keep state for a 200 hit/min web server on a Pentium 90 with 32MB RAM? ;)
[16:41] <ashb> Wes-: i don't think it was an explicit decision, more just they saw no need for it
[16:42] <ashb> could be wrong
[16:43] <Wes-> ashb: actually, HTTP was pretty novel at the time (by my observation) for being stateless - ftp certainly wasn't. Although, http was more than likely inspired by gopher, I don't think it was stateful either
[16:45] <Wes-> ashb: Hmm, no, I take back what I said about gopher
[16:49] <ashb> i missed gopher
[16:50] <ashb> went from BBS to web
[17:02] <kuya> 7/3
[17:04] <ashb> 2.33333333333333333333
[17:05] <kuya> >.<
[17:16] <Wes-> js> 7/3
[17:16] <gbot2> Wes-: 2.3333333333333335
[17:17] <Wes-> js> for (var i=0; i < Infinity; i++);
[17:17] <gbot2> Wes-: Timeout.
[17:17] <Wes-> booo!
[17:18] <keeto> Wes-: does it keep state?
[17:19] <Wes-> keeto: does what?
[17:19] <keeto> the bot?
[17:19] <Wes-> keeto: Hm, good question;
[17:19] <Wes-> js: i
[17:19] <gbot2> Wes-: Error: ReferenceError: i is not defined
[17:19] <Wes-> js> i
[17:19] <gbot2> Wes-: Error: ReferenceError: i is not defined
[17:20] <Wes-> keeto: nope. :)
[17:20] <Wes-> js> require
[17:20] <gbot2> Wes-: Error: ReferenceError: require is not defined
[17:20] <Wes-> You'd think this would be a commonjs bot, though. ;)
[17:20] <kuya> hehe
[17:20] <keeto> js> (function(){ this.i = 1; })()
[17:20] <gbot2> keeto: undefined
[17:21] <keeto> i
[17:21] <keeto> js> i
[17:21] <gbot2> keeto: Error: ReferenceError: i is not defined
[17:21] <keeto> woo. :D
[17:21] <kuya> js> this
[17:21] <gbot2> kuya: {}
[17:21] <kuya> js> this.constructor
[17:21] <gbot2> kuya: <function Object() { [native code] }>
[17:21] <keeto> js> eval
[17:21] <gbot2> keeto: <function eval() { [native code] }>
[17:21] <kuya> spidermonkey :)
[17:22] <Wes-> js> eval('sna' + 'rf("/etc/passwd");')
[17:22] <gbot2> Wes-: Error: TypeError: snarf is not a function
[17:22] <keeto> js> x = function(x) x + 1;
[17:22] <gbot2> keeto: Error: SyntaxError: missing { before function body: x = function(x) x + 1; ................^
[17:22] <Wes-> well, at least he got rid of that guy :)
[17:22] <Wes-> js> eval('loa' + 'd("/etc/passwd");')
[17:22] <keeto> well, old spidermonkey..
[17:22] <gbot2> Wes-: Error: TypeError: load is not a function
[17:23] <Wes-> js> help()
[17:23] <gbot2> Wes-: Error: TypeError: help is not a function
[17:23] <Wes-> Good, he's changed to an unpopulated global
[17:23] <kuya> who owns him?
[17:23] <Wes-> inimo, I think?
[17:24] <keeto> js> GLOBAL
[17:24] <gbot2> keeto: Error: ReferenceError: GLOBAL is not defined
[17:24] <keeto> something primal in me wants to break it. x)
[17:26] <kuya> thats natural :)
[17:27] <kuya> anyone point me at logging solutions?
[17:27] <keeto> too bad it limits its responses..
[17:27] <keeto> js> (function fn(){ return fn.caller.toSource() })()
[17:27] <gbot2> keeto: "(function (load, readline, help, quit, gc, gcParam, trap, untrap, clear, sleep, snarf, timeout, elapsed) {\nfunction pp(o, depth) {return pp_r(o, depth == void 0 ? 8 : depth);}\n\nfunction pp_r(o, d) ...
[17:27] <keeto> js> readline
[17:27] <gbot2> keeto: undefined
[17:28] <kuya> how is void used in js?
[17:28] <kuya> its the second time ive seen it
[17:29] <kuya> is it just a left over something in spidermonkey with a strange toString ?
[17:30] <kuya> >js void 0
[17:30] <kuya> >js (void 0).toString()
[17:30] * kuya shrug
[18:53] <Wes-> kuya: void is an operator which causes the operand to return an undefined value
[18:55] <Wes-> keeto: looks like you've discovered how to break his "sandbox"
[19:01] <keeto> uhoh.
[19:04] <keeto> Wes-: i think i might have just found a way to really break it. :|
[19:04] <keeto> who owns this bot?
[19:05] <Wes-> keeto: inimino I think
[19:05] <Wes-> keeto: Whoever the owner is, I've volunteered in the past to produce a safer JSAPI embedding, but the bot author is convinced that it's good enough (it's also in ##javascript)
[19:06] <Wes-> keeto: Via your example above, I am ~99% sure I could breach system security within a few minutes if I really wanted to
[19:11] <Wes-> keeto: Okay, 90% - you must be better at this than me. ;)
[19:11] <keeto> :D
[19:11] <keeto> bleh, I don't want to touch it anymore.
[19:12] <keeto> I already got access to a private site this week--one crack at security per week please. x)
[19:12] <keeto> and oh, for anyone who cares: delete your default accounts people!
[19:13] <keeto> test/password is hardly safe. -_-
[19:14] <Wes-> keeto: that's why I use scott/tiger
[19:15] <keeto> I use test/<mypasswordirl>
[19:15] * Wes- identifies keeto as a not-an-oracle-dba
[19:16] <keeto> lol
[21:29] <jbrantly> jhuni, I have some comments on the Metadata proposal I see was added to the wiki
[21:35] <inimino> keeto: what's up?
[21:36] <keeto> hmm?
[21:36] <inimino> Wes-: I never said I was convinced it's good enough, and I'm not the author, patches gladly accepted though
[21:36] <inimino> keeto: about the bot?
[21:36] <keeto> oh.
[21:37] <keeto> i gave up trying to break it. :)
[21:37] <keeto> so nvm i guess. :D
[21:37] <inimino> oh, ok
[21:37] <inimino> cool ;-)
[21:38] <Wes-> inimino: What platform are you on? My suggestion, frankly, is to replace js.cpp with a safer shell (one that doesn't have any extras, so they can't be subverted)
[21:38] <inimino> Wes-: the bot runs on an Arch server
[21:38] <Wes-> inimino: I could put together a shell like that based on GPSEE in no time flat, assuming you know how js.cpp is called by your bot
[21:38] <Wes-> What's arch?
[21:39] <inimino> it's a Linux distribution
[21:39] <Wes-> inimino: you have access to build and install new binaries?
[21:39] <inimino> sure, it's a VPS
[21:40] <Wes-> inimino: I'm guessing that your bot calls /path/to/js -e "stuff that got typed" ?
[21:41] <inimino> Wes-: no, it dumps the contents into a tmp file
[21:41] <inimino> `source
[21:41] <inimino> hm
[21:41] <Wes-> inimino: -f or single argument?
[21:41] <inimino> js> 0
[21:41] <gbot2> inimino: 0
[21:41] <inimino> hm...
[21:43] <inimino> `source
[21:44] <inimino> `source
[21:44] <gbot2> My source code is available at http://github.com/JosephPecoraro/jsircbot
[21:44] * Wes- clicks
[21:46] <inimino> it's using -f
[21:47] <Wes-> Glad you could figure that out, I couldn't see it. (Not knowing whatever programming language that was doesn't help either)
[21:47] * Wes- pokes around locally
[21:47] <inimino> it's Ruby
[21:52] <inimino> it supports a bunch of different interpreters, but only spidermonkey is installed
[22:01] <Wes-> inimino: -f is the *only* argument it passes?
[22:07] <inimino> Wes-: http://github.com/JosephPecoraro/jsircbot/blob/master/jsircbot#L285
[22:07] <inimino> -f and the filename
[22:07] <Wes-> inimino: thank you
[22:34] <Wes-> inimino: I think I have a solution for you that is about as safe as running javascript in firefox
[22:34] <Wes-> inimino: http;//www.page.ca/~wes/inimino.tar.gz
[22:35] <Wes-> inimino: download GPSEE, untar that ^^^ into the GPSEE dir, build & install (I can walk you through)
[22:35] <Wes-> inimino: result will be a JS interpreter called "inimino" in the bin directory which you can use instead of spidermonkey's js shell
[22:36] <Wes-> inimino: At a later date, we could even tweak it to have a require(), but that is disabled right now because it would get you pwned in about six seconds flat
[22:37] <Wes-> inimino: But, say, we could possibly rig up a good portion of the narwhal standard library safely if we pick what modules to present carefully: GPSEE supports a sort of chroot for require() which we could turn on
[22:38] <Wes-> inimino: And on the off chance that archer can run ubuntu binaries, I can build you a binary package easily if you want
[22:39] <Wes-> Linux donny-desktop 2.6.31-20-generic #58-Ubuntu SMP Fri Mar 12 05:23:09 UTC 2010 i686 GNU/Linux
[23:15] <inimino> Wes-: ok, thanks, I'll give it a try in a few minutes here
[23:16] <Wes-> inimino: Okay, I need to step out and play taxi but I'll be around
[23:16] <inimino> ok

 

 
