I practice the Boy Scout Rule of programming to manage technical debt: “always leave the area of code you are working on a bit cleaner than you found it”.
But unfortunately this conflicts massively (!) with small, atomic branches/merge requests. How do other teams manage this?
… unfortunately it’s still trivial to perform arbitrary code execution upon deserialisation even in R 4.4 😠
Now I need to find out how to disclose this. I’m not even sure responsible disclosure makes sense here since I’m sure others will either have found this already or will very soon find it.
@Lluis_Revilla Thanks, that’s what I was missing. I’ll see if I can find my old Bugzilla account info.
(As mentioned in another comment I disagree that deserialisation code execution bugs are “bogus CVEs” @bagder is rightly complaining about!]. In fact, they are amongst the most-exploited vulnerabilities.)
@hrbrmstr@joranelias@Lluis_Revilla@brodriguesco@idavydov Right, it’s as much “expected behaviour” as in CVE-2024-27322, and as in other serialisation engines (e.g. Python pickle, .net BinaryFormatter, etc.). Which are all systems that are very hard to use correctly, and cause frequent direct vulnerabilities. Whether that makes the serialisation frameworks themselves a vulnerability… 🤷
(I did not register a CVE; for me this is an issue of awareness and documentation.)
@FSMaxB As a geneticist I disagree about the books not contributing to the field: they changed the thinking around the functional unit of inheritance for a lot of geneticists. I consider them highly influential. The individual ideas were not his own but the way he expressed them and combined them in The Extended Phenotype was original and important — not just for popularisation but for science itself.
It goes without saying that this is regardless of his current behaviour.
Should I teach bash, fish, or Nushell to data scientists who want to go beyond the basics of shell scripting? There seems to be a clear spectrum from "ubiquitous but m'gawd" to "this is the future but m'gawd in a different way".
@gvwilson I’d also recommend teaching Bash but otherwise I would lean heavily towards zsh: still POSIX sh compatible but a lot saner than Bash. And it is the default shell on macOS, and very widely available beyond that, and comes with extensive documentation.
@Mehrad@coolbutuseless ‘box’ allows you to do that (but you will need to convert your entire project to using ‘box’, since the purpose of this package is not to merely provide function documentation capabilities but rather to provide a sane module system): https://github.com/klmr/box
@Sheril That’s a great video but cucumbers don’t shrink much during brining (and pretty much not at all for pickling with vinegar). Instead, smaller varieties or young cucumbers are used. Large cucumbers stay large.
Ie. you need a configure (+ configure.win) file that creates an Rd macro on older R, that rewrites the examples with |>.
You'll also need Biarch: true in DESCRIPTION.
@gaborcsardi I was sorely tempted to do that with the lambda syntax in ‘box’ (which uses many anonymous functions) but making the build process even more complex scared me off. Maybe I’ll reconsider.
@gaborcsardi (My use-case would be more involved since it would have to rewrite the actual package source code, not just the Rd files; but the principle should be similar.)
@CuriosityCat Chill, I am not criticising the joke. My reply was itself a joke, based on the (vaguely funny) coincidental juxtaposition of the two posts on my timeline. Ólafur got it.
#rstats folks: I am trying to remember why we are using 9000 as the last component in development version numbers, and I am drawing a blank. Why not just use x.y.z.1, x.y.z.2, etc?
Surely it’s the mere presence of that last components which signals an unstable development build, not the magnitude, right? Am I overlooking something?
Menopause in chimps: An interesting challenge to the grandmother hypothesis, the idea that menopause, previously documented only in humans and a few cetacean specie, is an adaptation to by which older females help raise their daughters' offspring.
Occasionally I stop to think about how much of the modern software development infrastructure and community is run at a massive loss: Stack Overflow, npm, Github Copilot (probably Github itself), VS Code.
Also how much of it is owned and run by Microsoft.
So much of it could disappear at a short notice if just one CEO changes his mind about his company’s marketing strategy.
@hrbrmstr But it only works with NA_character_, not NA, NA_real_, TRUE or any other reserved names. — And the reason is that NA_character_ (unlike all the others) is a character literal.
» NA = 1
Error in NA = 1 : invalid (do_set) left-hand side to assignment
@gaborcsardiI think R should not allow string literals in place of names, full stop. This change is even worth breaking a few packages on CRAN, IMHO, because the current behaviour is plain bananas and causes plenty of confusion.
@gaborcsardi Yes, backticks came later. And there’s still some ancient core R code which uses "-quoted names, but that could obviously be fixed when deprecating/removing the syntax. But I don’t think there’s appetite for it.
