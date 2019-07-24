Compiling with the GCC sanitizers and then fuzzing the resulting binaries might find real bugs. But not all such bugs are security issues. When a CVE is filed there is some pressure to treat such an issue with urgency and push out a fix as soon as possible. But taking your time and making sure an issue can be replicated/exploited without the binary being instrumented by the sanitizer is often better. This was the case for CVE-2019-12900 “BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors”. The bzip2 project had lost the domain which it had used for the last 15 years. And it hadn’t seen an official release since 2010. The bzip2 project homepage, documentation and downloads had already been moved back to sourceware.org. And a new bug tracker, development mailing list and git repository had been set up. But we were still in the middle of a code cleanup (removing references to the old homepage, updating the manual and adding various cleanups that distros had made to the code) when the CVE was filed.

There's a lesson here about the people who advocate for allowing companies to decide when defects in their products can be revealed: companies are not trustworthy custodians of bad news about their products, even (especially) when the stakes are high and they face titanic liability for failing to mitigate reported defects.

Programming: Test Driven Development (TDD), Cryptocurrency, Mocking, Dask and Vim

Lesson In Adopting Test Driven Development (TDD)
Test Driven Development (TDD) has been a part of the developer's vocabulary for so long that I view it as an arcane art. It is a love-or-hate relationship, ranging from the developer who swears by it exclusively to the "you don't need this" attitude, which is similar to adopting Agile software management practices for an organisation. I found out about it more as I became involved in helping to guide developers in Python for a developer gym organised by Junior Developer Singapore.

Use the Blockchain data to populate the combo box
Previously the cryptocurrency application loaded the world currency text file and then populated the currency combo box based on the currency symbols in that text file. In this article, the cryptocurrency program will instead use the currency symbols returned by Blockchain to populate that same combo box.

Why your mock doesn’t work
Mocking is a powerful technique for isolating tests from undesired interactions among components. But often people find their mock isn’t taking effect, and it’s not clear why. Hopefully this explanation will clear things up. BTW: it’s really easy to over-use mocking.

Dask joins NumFOCUS Sponsored Projects
Dask is an open source library for natively scaling Python. It provides advanced parallelism for analytics, enabling performance at scale for the tools you love. Dask builds on existing Python libraries like NumPy, pandas, and scikit-learn to enable scalable computation on large datasets. In addition, Dask provides a general purpose framework to enable advanced users to build their own parallel applications. Dask enables analysts to scale from their multi-core laptop to a thousand-node cluster.

[Older] History and effective use of Vim
This article is based on historical research and on simply reading the Vim user manual cover to cover. Hopefully these notes will help you (re?)discover core functionality of the editor, so you can abandon pre-packaged vimrc files and use plugins more thoughtfully.