strugee.net

Posts from 2019


filter-other-days 1.1.0 and 2.0.0 are now available

I'm pleased to announce that filter-other-days 1.1.0 and 2.0.0 are now available. In fact, they were both released simultaneously over three weeks ago while I was at SeaGL, but things at college have been so hectic I'm only just finding time to write about them! If you're not already familiar with filter-other-days - which provides reliable, Artificial Ignorance-compatible logfile date filtering even in the face of unknown formats - I would encourage you to read my blog post introducing the tool for the first time. Or, if you read this post late enough, you could even watch video of the talk I gave at SeaGL, which talks about filter-other-days before pivoting into a broader discussion of the kind of runaway complexity filter-other-days is designed to address.

1.1.0 and 2.0.0 are both feature releases. Due to filter-other-days 2.0.0 breaking compatibility with OpenBSD, I'm providing 1.1.0 which contains everything that filter-other-days 2.0.0 does except for the feature that breaks OpenBSD support - localization in the logfile filters. (Localization does not and to my knowledge cannot work on OpenBSD because OpenBSD does not support the POSIX features that filter-other-days' localization relies on.)

Here are the highlights of the engineering that both 1.1.0 and 2.0.0 share:

  • filter-other-days -d operates on any day instead of the current date on supported systems
  • filter-other-days is portable to OpenBSD, NetBSD, OpenIndiana and OmniOS (i.e. illumos), and Cygwin
  • GNU seq is no longer required; the only requirement for core functionality is now POSIX
  • Several bugs have been fixed
  • Release artifacts are built reproducibly
  • Automated testing has been improved

Note that filter-other-days -d does require more than POSIX - it needs a system with either GNU date -d semantics or BSD date -r semantics. This is because POSIX does not provide enough support to implement this feature otherwise. If your system does not support either of these, filter-other-days will simply turn the feature off. You can check if -d is available by looking for it in the help output - it will show up only if the system supports it.
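The capability check described above can be sketched as follows. This is an added example, not filter-other-days' own code: the function names, the epoch-seconds argument and the simplified syslog-style line layout are assumptions made for illustration.

```shell
# Added example (not filter-other-days' own code).
# Report which date(1) extension can format an arbitrary epoch time.
# -r is probed first because -d has had other meanings on BSD systems.
date_flavor() {
    if [ "$(date -u -r 0 +%Y 2>/dev/null)" = 1970 ]; then
        echo bsd
    elif [ "$(date -u -d @0 +%Y 2>/dev/null)" = 1970 ]; then
        echo gnu
    else
        echo none
    fi
}

# day_stamp EPOCH: print the C-locale "Mon DD" stamp (UTC) for that day.
# Returns 2 on a non-numeric argument, 1 when neither extension exists.
day_stamp() {
    case $1 in
        ''|*[!0-9]*) return 2 ;;
    esac
    case $(date_flavor) in
        gnu) LC_ALL=C date -u -d "@$1" '+%b %e' ;;
        bsd) LC_ALL=C date -u -r "$1" '+%b %e' ;;
        *)   return 1 ;;
    esac
}

# keep_epoch_day EPOCH: keep only stdin lines stamped with that day
# (simplified: assumes the stamp starts the line, as in classic syslog).
keep_epoch_day() {
    stamp=$(day_stamp "$1") || {
        echo "arbitrary-day filtering unavailable on this system" >&2
        return 1
    }
    grep "^$stamp "
}

# Constructed sample input: one line each for 1970-01-01 and 1970-01-02.
printf '%s\n' 'Jan  1 23:59:59 host sshd[1]: constructed line A' \
              'Jan  2 00:00:01 host sshd[1]: constructed line B' |
    keep_epoch_day 86400 || true
```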

In addition to the above, filter-other-days 2.0.0 also includes support for filtering logfiles in different locales. This means that if your system logs things like month names in languages other than English, filter-other-days will now be able to process these logs! filter-other-days will automatically use the C locale (which is mandated to be available by POSIX) and will additionally use the locale defined by the $LANG environment variable, if set. You can also specify more locales to be loaded by specifying the -l command line flag. filter-other-days extracts the information it needs using specific keywords in the system locales, which means that if you want filter-other-days to load a particular locale to filter with, you need to have that locale installed.

Unfortunately, there's one more complication: some systems are buggy and do not have keywords that properly conform to POSIX. FreeBSD 12.0 and below as well as NetBSD are known to have these bugs. Since these systems are relatively popular, I am providing patched versions of filter-other-days that will work around these bugs. You can recognize these versions because they have freebsd in the tarball filename. They will also tell you they've been patched for FreeBSD (and NetBSD) in all relevant places, like the version output and the manpage.
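To illustrate what reading locale keywords looks like, here is an added example (not filter-other-days' own code) that queries the POSIX `abmon` keyword through `locale(1)` and refuses values that do not have twelve non-empty fields. The function names and the simplified syslog line layout are assumptions; which keywords filter-other-days actually reads, and how the FreeBSD and NetBSD keywords are wrong, is not stated in this post.

```shell
# Added example (not filter-other-days' own code).
# locale_abmon LOCALE: print the POSIX LC_TIME keyword "abmon", twelve
# abbreviated month names separated by semicolons.
locale_abmon() {
    LC_ALL=$1 locale abmon 2>/dev/null
}

# nth_month N ABMON: print field N of an abmon value. Exits 1 unless the
# value has exactly 12 non-empty fields, so malformed data is never used.
nth_month() {
    printf '%s\n' "$2" | awk -F';' -v n="$1" '
        NF != 12 || n + 0 < 1 || n + 0 > 12 { exit 1 }
        {
            for (i = 1; i <= NF; i++) if ($i == "") exit 1
            print $(n + 0)
        }'
}

# month_names N [LOCALE...]: candidate names for month N. The C locale is
# always queried; unusable locales are reported on stderr and skipped.
month_names() {
    n=$1; shift
    for loc in C "$@"; do
        nth_month "$n" "$(locale_abmon "$loc")" || echo "skipping $loc" >&2
    done | sort -u
}

# keep_month_day N DAY [LOCALE...]: keep stdin lines whose first two fields
# are month N (in any queried locale) and DAY. Simplified syslog layout.
keep_month_day() {
    n=$1 day=$2; shift 2
    names=$(month_names "$n" "$@" | tr '\n' ';')
    awk -v names="$names" -v day="$day" '
        BEGIN {
            k = split(names, a, ";")
            for (i = 1; i <= k; i++) if (a[i] != "") ok[a[i]] = 1
        }
        ($1 in ok) && ($2 + 0 == day + 0)'
}
```

A call such as `keep_month_day 1 2 ${LANG:+"$LANG"} < logfile` mirrors the post's description of using the C locale plus `$LANG` when it is set.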

So, to summarize what version to use:

  • If you're on OpenBSD, use 1.1.0
  • If you're on FreeBSD 12.0 or below, or on NetBSD, use 2.0.0 with FreeBSD patches
  • Otherwise, use the unpatched 2.0.0 tarballs

I hope these releases of filter-other-days are useful to people! I'm super proud of them and I couldn't be more excited for people to try them out. And as always, feel free to report any bugs you find!


pump.io DOMPurify security fixes available

Recently the cross-site-scripting sanitization library that pump.io uses, DOMPurify, published several security advisories for mXSS vulnerabilities affecting browsers based on the Blink rendering engine - you can find the latest one, for example, here. As we've done in the past, the pump.io project is publishing security releases to ensure that everyone is using the latest version of DOMPurify. Per our security support policy, we are providing patches for the current stable release and the previous stable release:

  1. pump.io 5.1.2 has been updated to pump.io 5.1.3
  2. pump.io 5.0.2 has been updated to pump.io 5.0.3

As these are security releases we encourage administrators to upgrade as soon as possible. Both 5.1.3 and 5.0.3 are drop-in replacements for their predecessors. If you have pump.io 5.1 installed via npm - our recommended configuration - you can upgrade with:

$ npm install -g pump.io@5

If you're on pump.io 5.0, we recommend that you also run the above command to upgrade to 5.1 - it's a drop-in replacement for 5.0. However, if you want to stick with 5.0 for the time being, you can install a patched version with:

$ npm install -g pump.io@5.0

Note that if you have a source-based install, the above commands won't work and you will need to upgrade however you usually do - this will depend on how exactly you have pump.io set up.
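For administrators tracking several installs, the version rules above can be turned into a quick audit. This is an added example, not part of pump.io: the function names, the status labels and the host names in the sample inventory are constructed for illustration, and only the version numbers come from this post.

```shell
# Added example (not part of pump.io).
# pumpio_status VERSION: classify a version against the fixed releases
# named in this post (5.1.3 for the 5.1 line, 5.0.3 for the 5.0 line).
pumpio_status() {
    v=${1#v}
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*) echo invalid; return ;;
        *.*.*) ;;
        *) echo invalid; return ;;
    esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    case $major.$minor in
        5.1) fixed=3 ;;   # 5.1.2 was updated to 5.1.3
        5.0) fixed=3 ;;   # 5.0.2 was updated to 5.0.3
        *)  # Only the current and previous stable lines received patches.
            if [ "$major" -lt 5 ]; then echo unsupported; else echo not-covered; fi
            return ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; else echo needs-upgrade; fi
}

# audit_inventory: read "host version" pairs on stdin and print every
# host that is not on a patched release, with the reason.
audit_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        status=$(pumpio_status "$ver")
        [ "$status" = patched ] || printf '%s %s %s\n' "$host" "$ver" "$status"
    done
}

# Constructed sample inventory (host names are placeholders).
audit_inventory <<'EOF'
social-a.example 5.1.3
social-b.example 5.1.2
social-c.example 5.0.2
social-d.example 4.1.0
EOF
```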

If you need help, or if you have questions about these security releases, get in touch with the community.


Make ReCaptcha's "I'm not a robot" accurate

A month or two ago, my friend Evan tweeted:

Fuck reCaptcha.

I am sick of doing unpaid labour classifying images for Google.

We need a captcha widget that contributes to the global commons instead of siphoning value into yet another proprietary lockbox.

Frankly I agree. Not only am I being forced to do Google's dirty work, but ReCaptcha is known to make life extremely difficult for Tor users. I've literally spent 15 minutes before trying to solve a stupid captcha and eventually I gave up because Google just wouldn't let me past. ReCaptcha profits off of innocent users who are just trying to go about their business on the web, and Google is exploiting people in order to build a locked-up, proprietary image recognition system. Why are we, the users, not allowed to have access to the fruits of the labor that we are forced to provide for free? Because of this, today I am announcing an advanced, next-generation, cutting-edge platform that is poised to revolutionize this problem space.

Nah, just kidding (mostly). Inspired by another tweet from Evan, I threw together a browser extension in like 30 minutes that changes "I'm not a robot" to "I want to do unpaid image classification". After a long exchange with the fine folks behind addons.mozilla.org (because my account is so old that when I logged in I hit this bug and got 500 Internal Server Error), I've finally sorted out my logins, and today I've uploaded the latest version of this extension to both addons.mozilla.org and the Chrome Web Store. So at least if you're getting screwed by Google, you'll be able to make them be honest about how they're screwing you. Here's a screenshot:

Screenshot of a test page with Google ReCaptcha on it; "I'm not a robot" has been replaced with "I would like to do unpaid image classification"

Also, for some extra irony, I took the icon from Google's Apache 2.0-licensed Material Design icon set. If someone feels like contributing a real icon, I would probably replace the current icon with it. (I would also be happy to take translations into different languages!)

In the words of the README:

This was Evan Prodromou's idea unless you like it, in which case the idea to follow through and make an actual extension was totally all mine.

I hope people enjoy this extension! Make ReCaptcha's "I'm not a robot" accurate is available as a Firefox extension and as a Chrome extension, and the source is published on GitHub.

