Re: Stop Using Perl
by Jenda (Abbot) on Dec 31, 2014 at 00:50 UTC
|
"just regular dictionaries, in Perl they are called hashes" ... and that, dear readers, is the point at which I'd either leave, open a book or start a game on my tablet or notebook.
Nowadays anyone can call himself a "researcher" and give speeches.
Jenda
Enoch was right!
Enjoy the last years of Rome.
| [reply] |
|
Nowadays anyone can call himself a "researcher" and give speeches
So it seems.
Googling for "Netanel Rubin" does not show any evidence of Perl
(or Python for that matter) expertise. At least, I couldn't find
any substantial code written by this guy.
BTW, that is in stark contrast to Felix von Leitner (Fefe),
who clearly is an accomplished programmer with
lots of runs on the board.
I couldn't find any runs on the board for Netanel and,
in his first talk, I'm afraid
he didn't score any.
What I found offensive was his crude use of propaganda
in the camel images accompanying the slides,
and in the talk itself.
At the start of the talk, for example, after acknowledging
that this is his first talk, he urges the audience to say "F*** Perl".
Breathtaking. Did his company really give permission
to deliver such a vulgar talk?
Update:
- reddit discussion of Perl Jam talk in which Netanel Rubin replies that he is not a "Pythonista" (I see no evidence that he is an accomplished programmer in any language) and, embarrassingly, continues to display his ignorance of modern Perl, for which he is taken to task as "a complete novice who never even bothered to learn the language, and is instead relying on popular culture definitions of the language they heard from their equally ignorant peers". Other responses: "the idea that you expect foo($scalar, @array) to be called as if @array were an array reference is just nonsense ... that you showed those slides that claimed that that behavior was unexpected is the very definition of a straw man argument" and "Your argument is incoherent, reflects a misunderstanding of the nature of technical debt and the constraints of project maintenance with limited developer time, and is just about valid as an attack on Perl-as-of-2001 but makes no sense as a complaint against Perl-as-of-2014".
- Bugzilla bug report in which Checkpoint are taken to task for disclosing the vulnerability to the media before Bugzilla had a chance to fix it and for exaggerating the severity of this vulnerability.
| [reply] |
|
> Breathtaking. Did his company really give permission to deliver such a vulgar talk?
It's an Israeli company, the military has such a strong influence on formation in this society that being offensive (for European standards) is considered a virtue.
I have many friends who came back (often after visiting family) and complained about the "lack of good manners"².
See also Getting behind Israeli 'frankness' ¹
IOW many don't shy away to risk talking bullshit, they expect you to talk back and give them reasons to shut up.
In this sense, Mr Rubin yes you are a prick who didn't do his homework and this unprofessional talk will backfire on you! :)
Cheers Rolf
(addicted to the Perl Programming Language and ☆☆☆☆ :)
¹) Though after reading this blog Are Israeli rude I see Central Europeans somehow in the middle between Israeli rudeness and American "passive aggressiveness" ... of course well balanced! ;D
²) politely phrased (pun intended ;)
update
see also Haaretz # Can Israelis learn to have better manners?
| [reply] |
|
At the start of the talk, for example, after acknowledging that this is his first talk, he urges the audience to say "F*** Perl". Breathtaking. Did his company really give permission to deliver such a vulgar talk?
I think guy was inspired by Eran Hammer's talk about OAuth ;) As for company's permission, from marketing point of view it is most important to be talked about, and a bit of vulgarity and strong statements help to achieve this goal, no matter if they are correct or wrong as long as they are resonate with the target audience, so sure, why not.
| [reply] |
|
|
|
> just regular dictionaries, in Perl they are called hashes
I browsed thru the pdf and yes it seems pretty obvious at more than 3 slides that he is blaming Perl for not being Python. ¹
Hail Python!°
Cheers Rolf
(addicted t (o the Perl Programming Language and ☆☆☆☆ :)
°) Re^2: I want you to convince me to learn Perl
update
¹) for those unaware dict(ionary) is very much a Python term for associative arrays
| [reply] |
|
| [reply] |
|
Re: Stop Using Perl
by Anonymous Monk on Dec 30, 2014 at 20:18 UTC
|
# list context can be dangerous so warn:
# http://blog.gerv.net/2014.10/new-class-of-vulnerability-in-perl-
+web-applications
if ( wantarray && $LIST_CONTEXT_WARN ) {
my ( $package, $filename, $line ) = caller;
if ( $package ne 'CGI' ) {
warn "CGI::param called in list context from package $pack
+age line $line, this can lead to vulnerabilities. "
. 'See the warning in "Fetching the value or values of
+ a single named parameter"';
}
}
Whatever you thought about CGI.pm before, its about to get real stupid, its breaking backwards compatibility... that was like the only good thing left about it | [reply] [d/l] |
|
| [reply] |
|
You contradict yourself. You say the talk is embarrassing (and it is), that it's amazing that CGI.pm was patched to warn about this; then you complain that CGI.pm is "about to get real stupid" by breaking backwards compatibility. Do you not see the contradiction? Sometimes we have to break backwards compatibility to fix issues like this, and the "real stupid" thing is to turn a blind eye and say "well, it's legacy code so fuck it". Doing *that* gives Netanel Rubin, et al, even more fuel for their FUD.
The fix highlighted in your post only breaks back compatibility for those with fatal warnings enabled - arguably those users with fatal warnings enabled are the most concerned about problems like these. As i've previously stated - v4 releases of CGI.pm will be back compatible (as much as can be when issues like this arise). v5 and beyond *may* not be. CGI.pm is no longer core and Lincoln has trusted me to DTRT. Regarding the v5 releases: "I am altering the deal, pray I don’t alter it any further."
| [reply] |
|
You say ... that it's amazing
I'm fairly certain that what the other anon meant is "<sarcasm>amazing</sarcasm>", in which case he/she isn't contradicting him/herself.
The fix highlighted in your post only breaks back compatibility for those with fatal warnings enabled
No, at least not as of 4.13; the warning is unconditional and not fatal:
$ perl -MCGI -sE 'say $CGI::VERSION'
4.13
$ perl -MCGI -E 'no warnings; my $x=CGI->new; $,=", ";
say $x->param("x"); say "didnt die"' -- x=foo x=bar
CGI::param called in list context from package main line 1, this can l
+ead to vulnerabilities. See the warning in "Fetching the value or val
+ues of a single named parameter" at /opt/perl5.20/lib/site_perl/5.20.
+0/CGI.pm line 437.
foo, bar
didnt die
$ perl -MCGI -E 'use warnings; my $x=CGI->new; $,=", ";
say $x->param("x"); say "didnt die"' -- x=foo x=bar
CGI::param called in list context from package main line 1, ...
foo, bar
didnt die
$ perl -MCGI -E 'use warnings FATAL=>"all"; my $x=CGI->new;
$,=", "; say $x->param("x"); say "didnt die"' -- x=foo x=bar
CGI::param called in list context from package main line 1, ...
foo, bar
didnt die
Assuming you're the current maintainer: if you want warnings that the user of CGI can enable, disable and make fatal themselves, you should be using warnings::warnif() with warnings::register instead of warn.
BTW, 4.13 is showing up on search.cpan.org as an unauthorized release.
| [reply] [d/l] [select] |
|
|
|
You contradict yourself. You say...it's amazing that CGI.pm was patched...
Definitions/usages of amazing include the notion of being "struck with some degree of horror". I see no contradiction.
| [reply] |
|
$ perl -MCGI=escapeHTML -le " print escapeHTML(qw/ < < < / ) "
<
Also, why not warn about html shortcuts getting used?
Also, another pitfall you might be able to warn about in some cases, mixing exported param() with CGI->new ?
Also, why not warn about header_printed ? (you already printed headers, second time doesn't count)
And big one, warn about anyone using using ReadParse/->Vars
:) | [reply] [d/l] |
|
|
|
|
|
|
|
|
|
|
|
Seem odd to have to force scalar context to get a single_value .. there should be a function for that
sub CGI::first_param { return my( $first ) = param( @_ ); }
sub CGI::last_param { return my $last = param( @_ ); }
| [reply] [d/l] |
|
| [reply] |
Re: Stop Using Perl
by eyepopslikeamosquito (Archbishop) on Dec 31, 2014 at 22:21 UTC
|
And, more sadness, Fefe called it brilliant.
German monks please correct me if I'm way off here,
but after doing some random googling on Felix von Leitner ("Fefe"),
I get the impression that his latest Perl bashing comments are a very minor diversion for him compared to his
other more serious activities, such as political campaigning against the German health card and abusive policing,
plus membership of the Chaos Computer Club.
I assume his political and security activities
are why he is so well known in the mainstream German media.
As for his programming pedigree,
he seems to be a grandmaster of Security, Linux, embedded systems,
and the C programming language.
In terms of programming languages, I don't see much experience except for C.
In particular, I don't see much experience in Python or Ruby either, so I doubt his opinion on this talk was in an area of his expertise.
At least he knows how to write Perl though, having a
fleitner CPAN account,
and being the proud author of two CPAN distributions,
Mirror-1.0 and WebMirror-1.0,
though these two have not been updated since 1996.
Updated: Minor corrections and wording changes.
| [reply] |
|
I'm a German monk and I seem to remember I heard his name before, but didn't recognize him when I commented.
This guy seems to be very sarcastic and provocative, he also admits posting wrong stories in his blog to test the "media competence" of his audience.
While I admit such personalities are useful in niches like open source and IT security, I'm not sure I want to meet them in real life¹.
Anyway his comment was only limited to three phrases:
Der Perl-Talk war großartig. Wer den verpasst hat, und mit Perl zu tun hat, sollte sich den dringend angucken. Popcorn bereithalten! :-)
The Perl-talk was great. Those who missed it and have to deal with Perl, should urgently watch it. Keep your popcorn ready! :-)
I haven't seen the video yet, but I have to admit that meditating about fat comma was worth talking about it.
- I'm not sure which backwards compatibility would break if => would force scalar context on the RHS. Till now I can only imagine cases of syntactic sugar broken.
After all that's the behavior most people seem to expect, list flattening like @c=(@a,@b) can still be done with a simple comma.
- Furthermore I'm not sure why HTTP responses aren't easily sanitized, such that fields which are not expected to hold multiple values are blocked/filtered before any further processing takes place.
For instance: Why should I even handle requests with multiple real_name ?
Also worth noting that Sheldon (aka Python) has DWIM mechnanisms, when returning multiple values.
>>> def func(): return 1
...
>>> func()
1
>>> def func(): return 1,2
...
>>> func()
(1, 2)
>>> def func(): return (1)
...
>>> func()
1
>>> def func(): return (1,)
...
>>> func()
(1,)
As you can see one element is "scalar", more are tuples and it's not that intuitive how to return a one element tuple.
Cheers Rolf
(addicted to the Perl Programming Language and ☆☆☆☆ :)
¹) For instance: I have friends who organized conferences with Richard Stallman and never want to meet him in real life again. This doesn't diminish his importance.
| [reply] [d/l] [select] |
|
The Perl-talk was great. Those who missed it and have to deal with Perl, should urgently watch it. Keep your popcorn ready! :-)
In an earlier announcement he writes: "Um 22:00 verspricht der Perl-Vortrag hochkarätig zu werden." (At 22:00 the Perl lecture promises to be top-class.) Being an influential guy and to some extent spokesman for the CCC (although he dismisses that, his label is associated with the CCC) I judge that as intolerable.
I haven't seen the video yet, but I have to admit that meditating about fat comma was worth talking about it.
Your meditations are valid, but building an edge case for "fat comma" as it is, breaks orthogonality. Array context is array context, and that applies to %hash as LHS value.
perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'
| [reply] |
|
|
|
|
Agreed: the presentatation was quite insolent, but not without merit. There was food for thought. Slides with code and camel mugshots on the left, video inset of Netanel wearing a camel scarf on the right. Charming. :D
Fat comma just implies a mapping relationship, and one-to-many is a possibility in the abstract sense. The problem is not limited to fat comma either. Consider:
@k = qw(foo bar baz); @v = (1,bar(),3); %m = zip @k, @v;
Power/flexibility is a double-edged sword. No news here. I do wonder though — what if the CGI method had been named params all along? Would that have resulted in fewer thinkos?
| [reply] [d/l] |
|
|
|
|
|
|
|
|
|
|
As an American monk, we have a term that describes Leitner:
"muck raker". And, at least as a Marine, we have an even better term: "slime".
| [reply] |
|
| [reply] [d/l] |
|
|
|
|
Furthermore I'm not sure why HTTP responses aren't easily sanitized, such that fields which are not expected to hold multiple values are blocked/filtered before any further processing takes place.
For instance: Why should I even handle requests with multiple real_name ? Hmm... odd thoughts
| [reply] |
|
| [reply] |
Re: Stop Using Perl
by pme (Monsignor) on Dec 30, 2014 at 20:53 UTC
|
| [reply] |
|
After reading some entries he seems to be one of these talkative (read "cool") security guys with a Messiah complex.
The signature of his blog says
Proudly made without PHP, Java, Perl, MySQL and Postgres
So don't expect an unbiased or even scientific opinion.
Cheers Rolf
(addicted to the Perl Programming Language and ☆☆☆☆ :)
PS: had to google his blog, the link was broken, maybe due to proud technology.
| [reply] |
|
Thanks Rolf, I suspected something similar.
| [reply] |
|
| [reply] |
|
Thanks Karl, I learned his name.
| [reply] |
Re: Stop Using Perl
by soonix (Canon) on Dec 31, 2014 at 21:37 UTC
|
And, more sadness, Fefe called it brilliant.
He called "the talk" great. That's not necessarily the content of the talk (or may be ironic).
And his hint at popcorn shows that he expects...
A strong response from the perl community
I think he is aware of the fact that perl is a tool, and any tool that is powerful enough for serious work provides the possibility to $self->{FOOT}->shoot()
| [reply] [d/l] |
|
... (or may be ironic)
He would have made that point and written "the talk, not the content".
And his hint at popcorn shows that he expects...
I read that rather as "Captain Obvious gives perl what it deserves."
perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'
| [reply] |
Re: Stop Using Perl
by morgon (Priest) on Jan 03, 2015 at 23:43 UTC
|
A strong response from the perl community is due IMHO.
There will be a 32c3 congress in not quite a year's time - and the date is always a few days AFTER christmas...
So why not hope for a talk about the newly released Perl 6 then? Would that not be a cool response? (if only I could believe in it :-)
Let's hope Larry's talk at FOSDEM will be better publicity for Perl...
| [reply] |
|
Large parts of this talk are polemic shit but it mentions 2 or 3 issues which should be addressed in perl5, either by new features or better documentation.
IMHO waiting for a year to rectify things or for perl6 to be the "cavalry" is not the right strategy.
Update
This video is going to be linked and cited at many places as "proof" that Perl is dead.
Cheers Rolf
(addicted to the Perl Programming Language and ☆☆☆☆ :)
PS These issues are addressed in Perl 6, AFAIK.
| [reply] |
Re: Stop Using Perl
by bloonix (Monk) on Jul 31, 2015 at 20:21 UTC
|
The talk is just a rant, not more. Piss on it. ;-) | [reply] |