# Site TODO
**Note:** This is the `TODO.md` from the old Jekyll backend, so some of
this stuff may not make any sense.
## general
* replace `` in old posts with `{{< figure >}}` (partial work
done on stuff `>= 2019`)
* fix broken links in posts
* import files
* add "music" somewhere ("songs", keep pmdn.org for personal stuff)
* add sticky footer:
https://css-tricks.com/couple-takes-sticky-footer/
## projects
* gemboree
* themble
## posts
* animated svg, another example here:
-
* fast document search: postgres fts, `pg_trgm`, and tika (git/test/sift)
(richard asked about this on 2019-07-22, so +1)
- sqlite3 fts search
* monthly link sweep?
* pi notes
* k3 notes
* compiler surprises: https://godbolt.org/z/ZQbZ2R
* model 3 (3 months, notes, cost per mile comparison)
* temperature sensors (see SA post, add bit about "meat"): https://forums.somethingawful.com/showthread.php?threadid=3468084&userid=0&perpage=40&pagenumber=176#post494884256
* weather charts
* micromeet
* sensortron
* teslacam-merge
* jenkins pipeline, blue ocean, Jenkinsfile notes
* meson-junit
* bf-dynasm
* bfb64
* pwasm
* jiffy
* RewriteMap/docker (gist)
* ev-crash-course (~/git/ev-crash-course)
* ev articles
* pocket-jim
* ccs/nuclear/hydrogen is a scam
* 2021 bev ranges
* thoughts on "relevance of classic fuzz testing"
* https://neverworkintheory.org/2021/10/01/the-relevance-of-classic-fuzz-testing.html
* "law of small numbers": http://psychology.iresearchnet.com/social-psychology/decision-making/law-of-small-numbers/
* full paper: https://neverworkintheory.org/2021/10/01/the-relevance-of-classic-fuzz-testing.html
* legacy debian (hamm): http://archive.debian.org/debian/dists/hamm/main/binary-i386/base/
* things i noticed:
* possible small set giving extreme outliers
* dash is not /bin/sh on all linuxes (only debian-based distros)
* wonder about overall size of base installs (base rate fallacy)
* summary of rust conclusion seems suspect and different than
content of paper itself
* detailed results are interesting
* my tools 2021 (vim, irssi, screen, mutt/offlineimap/notmuch, irb, git, bash)
* buttcoin:
* https://www.theonion.com/man-who-lost-everything-in-crypto-just-wishes-several-t-1848764551
* tulip mania
* nerd sniping
https://www.jwz.org/blog/2022/01/mozilla-blinked/
https://www.wired.com/story/theres-no-good-reason-to-trust-blockchain-technology/
(nicholas weaver article)
https://blog.yossarian.net/2021/12/05/Blockchains-dont-solve-problems-that-are-interesting-to-me
https://thecorrespondent.com/655/blockchain-the-amazing-solution-for-almost-nothing/86714927310-8f431cae (not great technically)
https://www.usenix.org/publications/loginonline/web3-fraud
https://web3isgoinggreat.com/
https://www.schneier.com/blog/archives/2022/04/de-anonymizing-bitcoin.html
https://www.salon.com/2022/07/19/cryptomining-uses-a-disturbing-amount-of-energy-lawmakers-find_partner/
https://www.dailykos.com/stories/2022/9/30/2126181/-Bitcoin-mining-is-just-as-bad-for-the-environment-as-burning-gasoline-new-study-finds
https://theintercept.com/2022/10/26/matt-damon-crypto-commercial/
* syzkaller/syzbot:
https://www.youtube.com/watch?v=YwX4UyXnhz0
https://clangbuiltlinux.github.io/CBL-meetup-2020-slides/glider/Fighting_uninitialized_memory_%40_CBL_Meetup_2020.pdf
* bpf:
https://ebpf.io/
https://www.brendangregg.com/blog/2021-07-03/how-to-add-bpf-observability.html https://qmonnet.github.io/whirl-offload/2021/09/23/bpftool-features-thread/
https://github.com/iovisor/bcc
https://old.reddit.com/r/golang/comments/ww57pq/has_anyone_had_any_luck_with_ebpf_libraries/
https://pkg.go.dev/github.com/cilium/ebpf
https://github.com/dropbox/goebpf
(plus kernel docs)
* gpg keys, 2021:
https://musigma.blog/2021/05/09/gpg-ssh-ed25519.html
* compression: huffman coding vs arithmetic coding versus asymmetric
number system compared to shannon entropy (`H(X) = -Σ p(x) log_2(p(x))`)
https://neptune.ai/blog/lossless-data-compression-using-arithmetic-encoding-in-python-and-its-applications-in-deep-learning
(zstd rfc, which uses ans)
(zlib compression doc)
https://kedartatwawadi.github.io/post--ANS/
* fun paradoxes:
condorcet paradox
simpsons paradox
anscoms quartet
base rate fallacy
"law of small numbers" from "thinking fast and slow": http://psychology.iresearchnet.com/social-psychology/decision-making/law-of-small-numbers/
* retro gaming handhelds: psp, 2dsxl, rg350m, rgb10 max
* lvm thin provisioning (see notes from x1.txt and linked gist)
* log4j and dependency usefulness as a function of time for projects
* good week for EVs
* r1t car o' the year
* ioniq 5 pricing and reviews
* ford f150 lightninght battery sizes
* 500 fedex EV delivery trucks arrived
* https://www.nytimes.com/2022/01/17/business/electric-vehicles-europe.html
* https://cleantechnica.com/2022/01/24/electric-campers-coming-from-airstream-winnebago-mercedes/
* https://www.tbray.org/ongoing/When/202x/2022/01/22/Three-Jaguar-Years
* switched to duckduckgo.com
(fast, configurable, dark mode, better privacy)
* use svgmin and imagemagick (webp/avif)
convert -quality 100 -define webp:lossless=true llvmweekly-new.{png,webp}
convert -quality 100 -define heic:lossless=true llvmweekly-new.{png,avif}
* pe-figure and pe-picture shortcodes
* postgres tiny tricks
- CTEs as optimization barrier:
https://old.reddit.com/r/programming/comments/suyidt/a_hairy_postgresql_incident/hxdvwl4/
- `~* ANY(string_to_array(?))` (comment in reddit w/json array)
- pub/sub?
- domains instead of repeated check constraints
- trigger `TG_ARGV`
- trigger `REFERENCING ... AS` (newer PG)
- `COMMENT ON` ...
- `LISTEN/NOTIFY`?
- timestamptz, long timezone names aware of DST
- RETURNING
* compare and contrast cyclonedx vs spdx
- (at the moment i like cyclonedx more, it seems less ad-hoc)
- https://cyclonedx.org/docs/1.4/json/
- https://github.com/spdx/spdx-examples/blob/master/example3/spdx/example3-bin.spdx
- go parsers for both are available:
- https://github.com/spdx/tools-golang
- https://github.com/CycloneDX/cyclonedx-go
* investigate sendBeacon()
https://developer.mozilla.org/en-US/docs/Web/API/Navigator/sendBeacon
* YUGE site JS savings
- 27 bytes, ~8.8% unminified size reduction
- notes in header of `themes/hugo-pt2021/assets/script.js`
- over the network size (inc deflate and headers) went from
450 bytes to 374 bytes for a 76 byte reduction (~16.9%)
* needed in a package manager
- organizational namespacing
scoped gems:
- signing and/or global subdb
- declarative install (go)
rationale:
- typosquatting (see sqo vulns from may email)
- starsquatting (requests, phpass): https://medium.com/checkmarx-security/typosquatting-attack-on-requests-one-of-the-most-popular-python-packages-3b0a329a892d
- ref: https://kerkour.com/rust-crate-backdoor
- (related, semver is garbage)
- (problems w/ go modules)
- ruby gems not solving the right problem with 2fa:
- go1 and GODEBUG
- motherfucking package managers
* radare2, ghidra
* what would git look like with modern hash (sha-512/256/blake3), data
formats (msgpack/protobuf), compression (zstd), language (rust,
go), and crypto (ed25519)?
https://lwn.net/Articles/898522/
https://gist.github.com/dvinciguerra/972a36bac9322d6d98328bad327154ca
https://msgpack.org/
https://git-scm.com/book/en/v2/Git-Internals-Git-Objects
steal ideas from fossil:
https://fossil-scm.org/home/doc/trunk/www/fossil-v-git.wiki
bad ideas:
https://matt-rickard.com/what-comes-after-git/
* try vim9
* f2p nonsense:
https://www.rockpapershotgun.com/star-traders-frontiers-review#comments
(plus the shitty star traders game that's free)
https://github.com/blind-coder/SpaceTrader
https://bitbucket.org/brucelet/space-trader/src/master/app/src/main/java/com/brucelet/spacetrader/
and the 70s one w/ source:
https://en.wikipedia.org/wiki/Star_Trader
* markovian (golang markov chain generator)
(~/git/test/go/markovian)
* hq (~/git/hq)
* secure C wiki is confluence!?!?
* write about go-import support
* fuzzing (afl)
* update mathyd add link to texbox/texoid:
* golang opencl:
https://eli.thegreenplace.net/2021/a-comprehensive-guide-to-go-generate/
https://github.com/KhronosGroup/OpenCL-Docs/blob/main/xml/cl.xml
* duktape vs quickjs (vs mujs?)
* math: multinomial (stars and bars, # of moves on a chess board,
multinomial coefficient, etc), de moir dice problem
ref: Introduction to Probability with Statistical Applications, ch 2.5
1e10/81 (1234567890.1234567890)
gambler's ruin (intro to prob, ch 3.5)
* fzf, ripgrep
- https://krebsonsecurity.com/2022/08/the-security-pros-and-cons-of-using-email-aliases/
(email aliases, suggest whitelist instead of blacklist)
- bad defaults:
- nullable in code/db (see also: )
- mutable variables
- fallthrough in switch
- create openssl 3.x provider, see:
https://www.openssl.org/docs/manmaster/man7/provider.html
(could use pt-aes, pt-chacha20, md4, md5, sha2, etc)
- summary of minification work w/ links to posts, reference this
article:
https://endtimes.dev/why-your-website-should-be-under-14kb-in-size/
- minikube vs k3s (https://minikube.sigs.k8s.io/docs/handbook/)
- on passwords (crypto training, https://arstechnica.com/civis/viewtopic.php?f=2&t=1486155&p=41174039#p41174039)
- lots of bad info floating around (see comments of
https://arstechnica.com/information-technology/2022/08/plex-imposes-password-reset-after-hackers-steal-data-for-15-million-users/
https://old.reddit.com/r/programming/comments/wxx674/password_management_firm_lastpass_was_hacked_two/
etc
- compare sanitizer api, dompurify, fastest htmlesc
- summary of shrinkage (static site, minification, figures with multiple
sources, mod deflate, mod brotli, http2, adjusting content types)
- using hugo to strip bulma to minimum required components
- see minification (above)
- see pe-figure, pe-picture (above)
- see imagemagick webp command (above)
- see js shrinkage (above)
- see k3-notes.txt for info on brotli
- headers
- build hooks?
- tiny-binaries redux w/go 1.19, point out grype scanner output for
minimal images
- browser addons:
(ublock origin)
https://arstechnica.com/gadgets/2022/09/beloved-browser-extension-acquired-by-non-beloved-antivirus-firm/?comments=1
cosmetic filter example:
https://github.com/gorhill/uBlock/wiki/Procedural-cosmetic-filters
##table.item:has(p.name > .tag-sponsor)
- try out various lsms
- systemd hardening
- heat pump (pictures/heat-pump-20220930)
-
- `curl|bash` is madness
- dominion data scraping
data = ['MinTemp30', 'MaxTemp30', 'Usage30'].reduce((r, k) => (r[k] = JSON.parse(document.getElementById(`hf${k}`).value).map(row => ({time: row[0], val: row[1]})), r), {})
- gosec vs govulncheck
https://github.com/securego/gosec
https://www.pixelstech.net/article/1667102060-Secure-Your-Go-Code-With-Vulnerability-Check-Tool
- comment on efficiency of compilers
p58 of
ref: stackexchange comment linked from
- thoughts on social networks
(decentralized, federated)
-
-
-
-
-
## linkdump (2022-08-10):
- css bg fade:
- https://www.mgaudet.ca/technical/2022/8/9/faster-ruby-thoughts-from-the-outside
- https://www.fuzzingbook.org/
- https://security.googleblog.com/2022/05/retrofitting-temporal-memory-safety-on-c.html
- machine learning vulns (see vulns 2022-06)
- allocation in go: https://medium.com/eureka-engineering/understanding-allocations-in-go-stack-heap-memory-9a2631b5035d
(src: )
- http://www.linguistic-antipatterns.com/
- https://arstechnica.com/tech-policy/2022/08/us-approves-google-plan-to-let-political-emails-bypass-gmail-spam-filter/?comments=1
- https://brandur.org/fragments/go-wishlist-2022
- https://www.tbray.org/ongoing/When/202x/2022/03/26/Is-5G-BS
- https://teddit.net/
- https://www.privacytools.io/#frontend
- https://github.com/zedeus/nitter
- https://snapdrop.net/#
- https://news.ycombinator.com/item?id=11071754
- https://research.nccgroup.com/2022/08/08/implementing-the-castryck-decru-sidh-key-recovery-attack-in-sagemath/
- https://research.nccgroup.com/2022/08/11/detecting-dns-implants-old-kitten-new-tricks-a-saitama-case-study/
- https://research.nccgroup.com/2022/08/16/wheel-of-fortune-outcome-prediction-taking-the-luck-out-of-gambling/
- https://carlineng.com/?postid=sql-critique#blog
- https://www.openssl.org/blog/blog/2022/08/24/FIPS-validation-certificate-issued/
- constant-time fibonacci: https://specbranch.com/posts/const-fib/
- https://specbranch.com/posts/common-perf-numbers/
- (reminds me of "tyranny of metrics"):
- chebyshev, taylor series:
- and
-
-
-
- page-fault weird machine:
-
-
-
(search effect, link to you are not so smart)
- gba ghidra:
- finding bugs w/ fuzzers (kernel):
- impl semaphores in rust
-
-
-
-
-
-
-
-
-
## done
* add project folders
* add redirect for old rss links (check error.log)
* sidebar: github
* sidebar: other sites
* post: model 3
* post: https://pmdn.org/password-strength/
* tensorflow/docker/libvirt setup (see v4-notes)
* raspberry pi tensorflow benchmark results
* bev ranges (github bev-ranges repo / chart)
* sha2 (https://git.pablotron.org/sha2/, maybe push to github?)
* pi4-bench (https://pmdn.org/pi4-bench/)
* keybase (sidebar only)
* mathy
* stm32f103c8t6 fun
* weather-sage
* nft setup (pmdn, laptop)
* table shortcode (`hugo-shortcode-table`)
* removed `script-src unsafe-inline`, A+ score on securityheaders
* fix RSS to show full feed
* feedbloater
* wireguard notes
* birthday paradox
* mathyd (repo + examples)
* really tiny docker images, based on this post:
https://forums.somethingawful.com/showthread.php?noseen=0&threadid=2389159&perpage=40&pagenumber=865#post520151251
https://nathanotterness.com/2021/10/tiny_elf_modernized.html
(created repo: https://github.com/pablotron/tiny-binaries)
* rust 1.59.9 stripped binaries (update)
- https://blog.rust-lang.org/2022/02/24/Rust-1.59.0.html#creating-stripped-binaries
* CSP-friendly golang coverage reports (see note from k3-notes.txt about
relaxing CSP for `pmdn.org/coverage/`)
- https://cs.opensource.google/go/go/+/master:src/cmd/cover/html.go
- "replace `style='display: none` with `.hide` (shrink html, improve
CSP handling)"
- "add sha256 hash for `