home.social
  1. Looking at the diff between two minor versions of a GitHub Action for installing Node.js. Not many changes: Just a few dependency version updates and a few CI changes. The source of the action itself is unchanged.

    And yet, the files that run in CI have 95k additions and 124k deletions. Two hundred and nineteen thousand modified lines. There is no way anyone will ever look at and audit those changes. And all that in an action whose only task is to download and unpack Node.js. How have we become okay with running this much obfuscated code as part of our critical supply chain?

    #GitHubActions #NodeJS

  2. TFW my website is prettier during the #CSSNakedDay than with styles 🥲

  3. Having #Algolia widget for your docs is the worst thing you can do for your project's users. Only five results at any time, no results page so that you have to retype your search query every time, and the search is so fuzzy that it's impossible to find pages unless you type their full title.

  4. #sncb also picked the perfect dates to be on strike 😑

  5. I like the DX of #Astro and #Vite, but man, I just can't survive any more "security" "vulnerabilities". Coupling any projects written in those frameworks with #Dependabot is a grave mistake. But it doesn't matter what dependency scanner you use.

    #NPM taught us that vulnerabilities are everywhere, and we should use a scanner. But then, I'm getting a new "vulnerability" every other week. Yes, once a week I get an alert about yet another XSS/ReDoS. I use quotations the whole time, because the vulnerabilities can be exploited only when "you run Vite/Astro development server in production", which you should never do.

    I'm developing an alert blindness because of this. If I see an alert about a new vuln in Vite/Astro, I straight up ignore it, because I can now deadass predict what it's gonna say.

  6. Maybe #NixOS is something for me, after all, but for "wrong" reasons. I really don't care about reproducibility, learning what Flakes are, or ephemeral shells. All I want is one file that governs my whole system, with sane defaults for many services that I'd want to self-host, all without relying on Docker!

    I've tried my luck with #Ansible and #pyinfra, but I've failed. I'm starting to see them as "Tailwind for Ops": You have to learn a non-standard language only to do stuff you could already do with a (de-facto) standard language (shell scripts). But, writing shell scripts is a hassle, too, just like applying changes on the server. And I will definitely forget where I've put what, or what technology governs which services.

    The worst is probably user management. Creating system users, some of which should get subuids, others of which will run systemd units, chmod, sudo... I'm just tired of typing the same commands over and over. Adding a line to configuration.nix that will do the magic for me seems inviting.

  7. #NowPlaying: Gareth Coker — Dashing and Bashing

    The best ad for the #Ori games is their soundtracks! I definitely need to play them one day

  8. #TIL about the #AGit workflow

    https://git-repo.info/en/2020/03/agit-flow-and-git-repo/

    Two takeaways:

    • this is (almost) exactly what I was looking for and have been wanting to write a blog post about for some time
    • Forgejo supports it!

    Have just tried it out on a repo of mine — works like a charm! I feel like it's the best mix of git-send-email and the pull-request-based workflow.

    #Git

  9. I was always struggling with wrapping in GNU #gettext PO files; #Django ./manage.py makemessages does it one way, Poedit.app does it differently. To avoid dirty Git diffs, I used to re-wrap the strings by hand this whole time... until TIL that you can just use msgcat without arguments :neocat_facepalm:

    msgcat -o django.po django.po

    To re-wrap all PO files:

    fd -epo . -x msgcat -o '{}' '{}'
  10. After procrastinating for way too long, I have finally set up regular backups of my laptop and achieved the 3-2-1 strategy 🙌

    But the reason I was procrastinating this is because I couldn't decide on a good wrapper! And, to this day, none of the options appeal to me

    - can't do stdin, --keep-within-*, and passwords from command
    - can't do stdin, and scheduled check/forget
    - is too complicated and has a different mental model

  11. Yes, I know that and did similar things, but the beauty of uv is that it doesn’t need anything to work. uv is the first and the last thing you have to manually install; heck, it even runs in busybox! It gets rid of the weakest link when it comes to managing Python (namely Python)

  12. Alright, what’s the deal with every YouTuber doing ad reads for data deletion services? Seemingly everyone got a deal with either or Aura. I find the idea of such services good, but I’ve never used one nor even investigated them. The amount of creators they sponsor makes them seem *very* suspicious; it’s like VPN and Raycon and Raid Shadow Legends all over again 🤨 Does anyone know what’s up with that?