It's not worthy of a CVE and whether it applies to me is irrelevant. I didn't say a CVE is a black mark. Frivolous reporting of CVEs damages trust in the usefulness of the system in identifying critical vulnerabilities. This is a known issue related to resumé padding by newcomers to the cybersecurity industry.
kogasa
joined 2 years ago
To a point. Ever heard of the boy who cried wolf?
100 gang (but not for python, just let black defaults do its thing)
Seeing un-blacked python code is like finding out someone doesn't wash their hands. Literally what the fuck
Frivolous CVEs aren't a good thing for security. This bug was a possible DOS (not e.g. a privilege escalation) in a disabled-by-default experimental feature. It wasn't a security issue and should have been fixed with a patch instead of raising a false alarm and damaging trust.
Spin them
You are unhinged
You are off your meds
The distributive law has nothing to do with brackets.
The distributive law can be written in PEMDAS as a(b+c) = ab + ac, or PEASMD as ab+c = (ab)+(ac). It has no relation to the notation in which it is expressed, and brackets are purely notational.
Of course. If you're working in a DSL that's popular enough for someone to have written a good schema/parser for then tooling can help.
Not that YAML's structure is too complicated, but its syntax is too flexible. All the shit about being whitespace sensitive yet with whitespace errors leading to a syntactically valid YAML document. TOML's syntax is rigid which makes it unsuitable for expressing complex nested data structures, which is good because that's not what you should use TOML for. Ultimately the dependence on a highly flexible baseline language like YAML to create complex DSLs is a failure on the developers' part, and the entire configuration system should be reworked.
Uh, no. But thanks for guessing. It's frivolous because it violates several principles of responsible disclosure. Yes, the scope of impact is relevant; the availability of methods of remediation is relevant; and the development/patch lifecycle is relevant. The feature being off-by-default and labeled experimental are indirect references to the scope of impact and availability of remediation, and the latter is an indirect reference to the state of development lifecycle. Per the developer(s)' words, this is a bug that had limited risk and was scheduled to be fixed as part of the normal development schedule. Escalating every such bug, of which the vast majority go without a CVE, would quickly drown out notices that people actually care about. A CVE is not a bug report.