#clojure logs

2013-02-05

00:05 ivan: apparently my Xbootclasspath/a:clojure/target/classes was causing my truncated class problems
00:05 ivan: maybe JDK7u13 broke it
01:05 callenbot: ivan: yes, blame Oracle.
01:15 ivan: that should always be the first step
01:22 xeqi: ugh, arbitrary code execution found
01:23 ivan: hope nobody runs master in production
01:24 xeqi: ... now you made me wonder what the responsible disclosure would be
01:24 xeqi: was planning on a reply in the ml
01:28 tomoj: https://www.refheap.com/paste/0edb0432d917a9f7e73e3e570 :/
01:28 tomoj: at least it works
01:35 sshack: Does anyone know if the Incanter project is still alive?
02:04 nonuby: is there a version of -> macro that works right to left, i want to use it with hiccup (otherway-> with-header with-container with-normal-body (get-article 1))
02:05 ivan: perhaps comp
02:06 nonuby: ivan, thanks, will check docs on that
03:18 luxbock: anyone here using ac-nrepl for Emacs? for some reason ac-nrepl-popup-doc works fine for me in the nrepl-buffer, but if I try to use it in a clojure-mode buffer where I'm editing something, then it complains:
03:18 luxbock: ac-nrepl-documentation: Wrong type argument: arrayp, nil
03:21 bdash: luxbock: fwiw, I saw the same thing when I tried it last week
03:22 luxbock: hmm
03:23 amalloy: nonuby: that's just parentheses. (with-header (with-container (with-normal-body (get-article 1))))
03:28 nurettin: I wish clojure could be written like [1 1 1] reduce +
03:28 nurettin: it would look even better than ruby
03:40 nonuby: just playing in repl if do just want map to be a no-op how do I do this (map #(%) [1 2 3])
03:43 thorwil: nonuby: use identity
03:43 nonuby: ah do work
03:43 nonuby: s
03:43 nonuby: 'do' still seems nasty, http://pastebin.com/fjaQLTPP
03:43 nonuby: ignoring the css != script mistake
03:45 nonuby: thorwil thanks
03:46 thorwil: nonuby: looking at your paste, why don't you use defhtml?
03:47 Ember-: http://www.javacodegeeks.com/2013/02/java-8-from-permgen-to-metaspace.html
03:48 nonuby: thorwill, will revisit the docs, admittedly i rushed into this with only cursory read of frontpage readme.md
04:13 drorbemet: Hello, may I ask questions on how to get started with Clojure-Projects on Eclipse?
04:14 clgv: drorbemet: just do. you already have Counterclockwise installed?
04:18 drorbemet: Yes, I have Eclipse, Counterclockwise and Leiningen installed. I build up the startingclojure project successfully. But now I am having trouble with importing projects from github.
04:19 clgv: drorbemet: describe your problem in more detail: what do you want to do? what do you expect? what happens (error messages?)?
04:36 desertmonad: anyone used the kindle version of Clojure Programming?
04:37 pimeys: has anybody done the SICP exercises with Clojure?
04:38 clgv: pimeys: there are one or two resources where they try to convert all SICP examples to clojure
04:38 clgv: $google sicp clojure
04:38 lazybot: [SICP in Clojure] http://sicpinclojure.com/
04:38 drorbemet: I am unsure about the order in which I have to set up the project template with Leiningen and importing a project from github.
04:39 drorbemet: I want to import e.g. clj-file-browser from github into Eclipse with Leiningen support. If I set up a new Leiningen-Project with name "clj-file-browser" first and then import https://github.com/xiaonaitong/clj-file-browser.git - I end up being asked to set up a "New Clojure Project" again. But if I import from github first I have no Leiningen support.
04:39 clgv: drorbemet: do you want to modify the github project or do you just want to use it?
04:39 pimeys: clgv: it's pretty easy to do the exercises with clojure, just some of them are not so relevant anymore
04:39 pimeys: for some reason lisps are quite easy to understand, even between the different versions
04:40 pimeys: just wondering the relevance of chapter 2 now, doing the message passing style
04:40 pimeys: having abstractions over basic sum etc.
04:40 pimeys: and using lists to keep the value type
04:40 clgv: drorbemet: you can enable leiningen support rightclicking the project
04:41 drorbemet: I want to work with it as an exercise, but without pushing up to github at the moment.
04:45 clgv: drorbemet: when you only want to use it you just add it to your project.clj
04:45 drorbemet: Exactly, that's what I am missing when I rightclick on the project. I have another project in Eclipse, that has Leiningen in the context menu.
04:46 drorbemet: I think I have to do it on the shell
04:47 clgv: drorbemet: you need a project.clj in that project and then in the context menu there is an entry "Convert to leiningen project" under "Configure"
04:48 clgv: drorbemet: but again: if you only want to use it in another project, add it as dependency
04:49 pimeys: oh, there it is http://sicpinclojure.com/?q=sicp/2-5-3-example-symbolic-algebra
04:49 drorbemet: Ah, thanks a lot, ... Now I found it :-)
04:49 pimeys: does anybody in the lisp world use that way of building software?
04:49 pimeys: doing the put functions etc.
04:49 pimeys: keeping the functions and types in tables
05:02 drorbemet: pimeys: which projects would you suggest for exercise with clojure?
05:03 AWizzArd: Hello regexperts, I currently have this:
05:03 AWizzArd: ,(re-seq #"(.)\d+" "(and &10 &20 $30 &40)")
05:03 clojurebot: (["&10" "&"] ["&20" "&"] ["$30" "$"] ["&40" "&"])
05:04 clgv: drorbemet: 4clojure.com
05:04 AWizzArd: Is it possible (maybe with look-around assertions?) to get instead ==> (["10" "&"] ["20" "&"] ["30" "$"] ["40" "&"])
05:04 AWizzArd: So, without matching the & or $ symbol, but still collecting it as group?
05:05 clgv: AWizzArd: you can use a range [$&]
05:05 drorbemet: Ok, yes 4clojure is very helpful, I am doing that from time to time :-)
05:06 pimeys: drorbemet: do your own lisp :)
05:06 pimeys: it's the most fun way of digging into lisps
05:06 pimeys: metacircular evaluator
05:08 clgv: drorbemet: usual exercises from computer programming courses might serve as well especially from functional programming
05:08 drorbemet: pimeys: yet I am starting to get there after reading a lot :-)
05:09 pimeys: drorbemet: doing the evaluator is not at all hard
05:09 pimeys: when you get it, it's kind of an explosion of your mind :)
05:09 pimeys: there's a reason that there is thousands of lisp implementations
05:10 Ember-: AWizzArd:
05:10 Ember-: ,(re-seq #"(?<=$|&).\d+" "(and &10 &20 $30 &40)")
05:10 clojurebot: ("10" "20" "40")
05:10 Ember-: like this?
05:11 AWizzArd: nearly
05:11 Ember-: oh, you wanted the & and $ also
05:11 Ember-: but not with the decimals
05:11 AWizzArd: I like that it now matches 10 20 30 40, but I would like to get the $ or & too
05:11 AWizzArd: so I know that it was the & in front of the 10
05:11 AWizzArd: ["10" "&"]
05:12 Ember-: ok, but what's the problem of just matching to "$10"
05:12 clgv: ,(re-seq #"(.)(\d+)" "(and &10 &20 $30 &40)")
05:12 clojurebot: (["&10" "&" "10"] ["&20" "&" "20"] ["$30" "$" "30"] ["&40" "&" "40"])
05:12 Ember-: ,(first "$10")
05:12 clojurebot: \$
05:12 AWizzArd: clgv: hmm yes, this works
05:12 pimeys: for me the hardest thing with lisps are the macros
05:12 Ember-: (second ["10" "$"])
05:12 Ember-: ,(second ["10" "$"])
05:12 clojurebot: "$"
05:12 pimeys: I still don't get the syntax
05:13 clgv: AWizzArd: the first entry is always the whole match and after that you get the groups
05:13 Ember-: but anyway, you can as easily get the first character to check for $ or &
05:13 pimeys: I read The Joy of Clojure, everything else is very simple
05:13 drorbemet: pimeys: Yes in Lisp I see the relevant patterns more clearly I think.
05:13 AWizzArd: Ember-: yes of course, I can easily transform my output. But would be nice of the regexp to give me what I want, if possible ;)
05:13 pimeys: but oh my god the macros :P
05:13 pimeys: and I really want to learn them
05:13 Ember-: AWizzArd: well you'll end up fetching stuff from the second index of the grouped list anyway
05:13 AWizzArd: clgv: yes good, I can do it as you suggested by having two groups. Good idea.
05:14 Ember-: but glad you got your solution
05:16 jballanc: nurettin: (re: alt syntax) check out Io. It works sorta like that...
05:23 desertmonad: pimeys: This video helped me a fair bit with macros in clojure (http://www.infoq.com/presentations/Clojure-Macros)
06:06 nurettin: jballanc: yes, it looks almost like that: list(1, 2, 3) reduce(+) http://iolanguage.org/scm/io/docs/reference/index.html#/Core/Core/List/reduce
06:07 nurettin: io library itself looks surprisingly rich
06:44 juxovec: hi, I have function abc and list of params [1 2 3] and want to call (abc 1 2 3) instead of (abc [1 2 3]), how can I do this?
06:47 malesch: (apply abc [1 2 3])
06:47 juxovec: thanks
06:48matrixpower script
06:50 deg: I'm getting a "reference to field ToString can't be resolved warning", apparently from this line: (defmacro current-function-desc [] `(-> (Throwable.) .getStackTrace first .toString unmangle))
06:51 deg: I'm not sure where to put the hint; my naive attempts are all failing.
06:51 deg: (don't worry about the defn of unmangle... my utility)
06:57 Bronsa: Deece: (defmacro current-function-desc [] `(-> (Throwable.) .getStackTrace ^Object first .toString unmangle))
06:57 Bronsa: ops
06:57 Bronsa: deg ^
06:57 Bronsa: or you could just call str instead of .toString
06:57 clgv: deg: those threading macros are problematic in terms of type hints. I often failed to get the hint to work although I tried all logical positions
07:14 deg: Bronsa: Thx, str solved the problem. Brilliantly obvious in hindsight.
07:16 hyPiRion: Wait what
07:16 hyPiRion: The Clojure compiler isn't able to deduct that every value can use .toString?
07:17 Bronsa: right.
07:17 hyPiRion: That's kind of silly.
07:17 hyPiRion: Not completely, but kind of.
07:18 pimeys: I'm kind of wondering how much of the java stuff and methods you really need in daily life with clojure
07:18 clgv: hyPiRion: cries for a jira ticket ;)
07:18 pimeys: the syntax is not the pretties
07:18 pimeys: t
07:18 pimeys: to do (.fooBar (Foobar. "value"))
07:19 Bronsa: hyPiRion: w/e, I just always use str
07:19 pimeys: me too
07:20 Bronsa: it's better looking, can HOF, and removes the need for hinting
07:20 hyPiRion: Bronsa: what about .equals or .hashCode? They should suffer from the same thing.
07:20 pimeys: is there an eq? function like in scheme?
07:20 hyPiRion: It's a minor detail, and they can be replaced by = and hashcode, but well.
07:21 pimeys: I don't like to think about objects when doing clojure
07:21 deg: The sad thing is I also always use str, with this one exception. This was a piece of code that I copied from somewhere back when I first started using Clojure a few months back. Guess if I was really motivated, I'd find the blog page and see it is open for comments.
07:21 pimeys: but am I then using the wrong language :)
07:22 ivaraasen: type hints are a bit annoying
07:22 ivaraasen: wasn't able to get them to work properly in macros
07:23 hyPiRion: pimeys: I agree, but the compiler itself should be able to infer that a cast to an object will never fail (except for, woo, null)
07:23 cemerick: hyPiRion: if a call only resolves to java.lang.Object, the compiler assumes it's a reflective call; isn't related to .toString in particular
07:24 cemerick: Probably a reasonable enhancement.
07:25 pimeys: does the clojure still use the STM when modifying java objects?
07:25 clgv: hyPiRion: there is one exception: primitives
07:25 pimeys: ok, objects themself are not so dangerous, I'm more worried about class variables
07:25 cemerick: pimeys: Clojure never uses STM implicitly.
07:25 hyPiRion: clgv: But wouldn't they be boxed unless explicitly casted?
07:25 pimeys: so if I build my concurrent application on top of the clojure agents and futures, can I be sure no rogue library will cause any trouble with the threads
07:25 clgv: hyPiRion: yeah they would^^
07:25 pimeys: this is the biggest reason for me now to learn clojure
07:26 clgv: at least when passed as parameter to a function
07:27 pimeys: I'm doing a lot of work with ruby and threads, and I want a language that has nice interface for doing parallel stuff without any worries
07:27 arcatan: Haskell!
07:27 pimeys: so it's either clojure, haskell or erlang, and I love lisp syntax
07:28 pimeys: the immutability of clojure is a big thing for me, but the only thing I'm not sure of is the java interop
07:29 ivaraasen: pimeys: Java interop isn't a problem usually, but YMMV
07:29 hyPiRion: It may sound like I'm advocating casting whenever Object-methods are called, but it's not a big issue. I'm just saying that it should be possible. If it's a trivial and simple enhancement in the compiler, then I may consider a ticket.
07:29 pimeys: yeah, that's what I thought
07:29 pimeys: if you're instantizing inside your threads and modifying the state there
07:30 pimeys: at least the situation is not as hellish as with ruby
07:30 hyPiRion: pimeys: Java interop is very, very easy if you need to work with Java objects.
07:30 pimeys: it is, just how threadsafe that is?
07:31 pimeys: do we have the same protection mechanism as with refs for example?
07:31 hyPiRion: pimeys: Just as threadsafe as java is. You can use monitors and stuff if you need to.
07:32 clgv: pimeys: you get pure java in interop
07:32 pimeys: so you can do a class variable and mutate it?
07:32 clgv: pimeys: but there are some convenience macros for several access pattern
07:32 pimeys: sorry, my java experience is from 10 years ago
07:32 alexnixon: pimeys: you'll want to be careful combining mutable Java objects and transactions
07:33 pimeys: and what about clojure libraries, that use java libs behind the scenes, how easily they do something dangerous that will mess up my app when using threads?
07:33 pimeys: I mean, with ruby, it's almost half of the libraries
07:33 pimeys: I don't want the same situation when I'm building my next thing with some toolset :)
07:34 hyPiRion: pimeys: The most used wrappers take care of that, from my experience.
07:34 pimeys: if it's plain clojure, I'm really fine with that, great ideas in there
07:35 hyPiRion: The big issue is how you wrap java libraries where there's mutating objects.
07:35 pimeys: of course
07:35 hyPiRion: Usually you'd prefer some other alternative if it exists.
07:35 pimeys: how big of an issue this is with clojure libraries
07:35 pimeys: is it still always a good idea to read the whole source code first :)
07:36 hyPiRion: I haven't had any issues with it yet, but I haven't been a heavy library user
07:36 ivaraasen: pimeys: I believe most wrappers take care to use the ! convention for functions that mutate objects
07:36 pimeys: ach so
07:36 pimeys: nice :)
07:37 hyPiRion: Maybe cemerick has some input here, since he did a talk about it.
07:37 hyPiRion: or well, the bad parts of Clojure.
07:37 pimeys: is it downloadable somewhere?
07:37 hyPiRion: pimeys: It's watchable, let me find the link
07:37 ivaraasen: hyPiRion: yeah, that talk is great
07:37 pimeys: I'm still not sure what lisp to use for my next big thing, clojure feels like the best choice for now
07:38 pimeys: there's leiningen, there's good community and really good ways of doing parallel computing
07:38 cemerick: hyPiRion: on what?
07:38 ivaraasen: pimeys: I dabble in SBCL and Racket from time to time, but I find Clojure more practical. also, nice data structures
07:39 cemerick: sorry, haven't been following
07:39 hyPiRion: cemerick: Wrapping java libraries
07:39 hyPiRion: pimeys: http://www.infoq.com/presentations/What-Sucks-about-Clojure-and-Why-You-ll-Love-It-Anyway
07:39 cemerick: hrm, I didn't do a talk on that
07:39 cemerick: oh, that
07:39 cemerick: yeah, there's ~5m on that topic in there
07:39 hyPiRion: cemerick: Well, you did mention it at least, so I assumed you had some experience re that issue.
07:40 cemerick: tl;dr: be careful about which libraries you choose
07:40 pimeys: cemerick: that I was asking
07:40 pimeys: should I be careful on selecting clojure libraries, like I have to be when doing ruby
07:40 hyPiRion: pimeys: What are you going to build, by the way?
07:41 pimeys: a callback system, which interacts with thousands of different servers
07:41 pimeys: and has 1000-2000 operations per second
07:41 pimeys: investigating my toolset for that
07:41 ivaraasen: intense
07:41 pimeys: the current system is ruby + beanstalkd + threads and works fine for this traffic
07:41 pimeys: but I see the sore points and when I need to refactor that, I might change the language
07:41 Bronsa: I'm confused.
07:42 Bronsa: clojure-1.5.0-beta7 has just been released
07:43 hyPiRion: pimeys: I'd look at either Clojure or Erlang for that system at least. Erlang is designed for those things if I've understood the language correctly
07:43 pimeys: hyPiRion: I know, but I have this not so reasonable lisp devil living inside me :D
07:44 hyPiRion: :D
07:44 pimeys: maybe with elixir erlang would be better
07:44 cemerick: pimeys: of course, you always need to be careful about which libraries you use, regardless of language. Choosing and using Java libs from Clojure deserves special consideration though, insofar as the former can be wildly stateful and unpleasant to use with the latter.
07:45 hyPiRion: I haven't worked with elixir yet, will do so when I know the language better.
07:45 pimeys: how often you find a need to use java libraries with clojure?
07:46 hyPiRion: It seems like you should be fine with agents for the concurrency parts.
07:46 ivaraasen: hyPiRion: would probably need message queues to make it concurrent as well
07:46 pimeys: my libraries with that project might be korma and clj-http
07:47 pimeys: and I like this clojure approach with agents better than the erlang processes
07:47 pimeys: where you can send functions instead of plain messages
07:48 hyPiRion: ivaraasen: Yeah, you got lamina for that I think
07:49 hyPiRion: Bronsa: huh, maybe Rich decided that the RC should go away since there are new changes (*read-eval* discussion going on)
07:51 hyPiRion: pimeys: neither clj-http nor korma has mutability issues. Though well, there has been some discussion about Korma's way of wrapping stuff. See https://github.com/korma/Korma/issues/64 and other issues before you decide to go that route.
08:21 luxbock: (reduce #(and %1 %2) [... bools ...]) and (every? bools) do the same thing, right?
08:21 hyPiRion: luxbock: almost.
08:22 luxbock: what's the difference?
08:22 hyPiRion: ,(reduce #(and %1 %2) [true true])
08:22 clojurebot: true
08:22 hyPiRion: ,(reduce #(and %1 %2) [])
08:22 clojurebot: #<ArityException clojure.lang.ArityException: Wrong number of args (0) passed to: sandbox$eval60$fn>
08:22 hyPiRion: ,(every? boolean [])
08:22 clojurebot: true
08:22 hyPiRion: ,(every? boolean [true true])
08:22 clojurebot: true
08:22 luxbock: ah I see
08:22 hyPiRion: ,(every? boolean [true false])
08:22 clojurebot: false
08:22 hyPiRion: ,(reduce #(and %1 %2) true []) ; should fix it for you.
08:22 clojurebot: true
08:24 clojure-newb: hey guys, my compojure.route/files stops serving static resources once i have a route like "/some-path/:id", any ideas on a strategy that works across all sorts of different routes ?
08:25 clojure-newb: I understand that it's relative.. just wondering what people do to solve this kind of thing
08:25 pimeys: in which order you have your routes?
08:25 pimeys: if I remember correctly the order matters
08:25 pimeys: not an expert here yet, just guessing
08:26 clojure-newb: pimeys: I see you think having the "/some-path/:id" in a different order to the "/some-path" could fix things ?
08:27 pimeys: not really
08:27 pimeys: somebody is overwriting your files path
08:27 pimeys: but maybe somebody who knows better can explain
08:28 clojure-newb: if I place a '/' as a prefix to the css href attribute it works, but then obviously breaks when trying to load straight from disk into a browser
08:29 clojure-newb: I'm trying to have the best of both worlds
08:30 bburns777: hello, anyone out there ever use storm's clojure del?
08:30 bburns777: clojure DSL rather
08:36 @rhickey: beta7 should be out, looking for experience reports
08:43 cemerick: rhickey: tests running now
08:45 clojure-newb: is it advisable to use compojure to serve static files in production ? wondering how it performs compared to the apache's etc
08:45 xumingmingv: &(defn f1 [a] (-> a meta))
08:45 lazybot: java.lang.SecurityException: You tripped the alarm! def is bad!
08:45 xumingmingv:
08:46 xumingmingv: I can't define a function in the sandbox? lazybot???
08:46 lazybot: xumingmingv: Oh, absolutely.
08:46 xumingmingv: I can't define a function in the sandbox? lazybot!!!
08:46 AWizzArd: Where is beta7? I see 1.5.0-RC6 @maven.org
08:49 @rhickey: AWizzArd: it takes a while to show up
08:52 cemerick: AWizzArd: you can add the sonatype releases repo to your project.clj to get it right away
08:53 xeqi: AWizzArd: https://www.refheap.com/paste/9475
08:58 AWizzArd: Oki great, thx
09:04 AWizzArd: Btw, could it make sense at some point that print-dup and print-methods become protocol functions?
09:11 clgv: oh a beta in-between release candidates. is that because of the *read-eval* patch?
09:14 stuartsierra: clgv: I think that was Hudson having a spasm.
09:14 @rhickey: we are back in beta
09:18 clgv: what happened?
09:18 stuartsierra: Oh, ok.
09:18 stuartsierra: Our new contrib for tools.reader had some issues with Hudson releases last night, so I thought it might be related.
09:23 augustl: what data structures are good for map-like structures where both keys and values are unique, and I can look up values both ways (get the value of a key, and the key of a value, in hashmap terminology)?
09:23 clgv: augustl: sounds like you need to combine two maps
09:25 augustl: clgv: it's the same map, it holds a map between internal database values (a namespaced symbol) and publicly used values in the API (a string)
09:25 augustl: I need to look up both ways, depending on whether I look at incoming data or internal data
09:26 clgv: well you have to add each pair twice (both vals as key and value) then
09:27 augustl: if I use a normal map, then yes, I was hoping there was an alternative to that :)
09:27 cemerick: clgv: arbitrary code execution vulnerabilities are front-of-mind for many of us. Hoping to see Clojure buttoned up from that perspective ASAP.
09:33 saalaa-folio: hey guys, anyone has had issues with vim-foreplay and recent versions of vim?
09:33 saalaa-folio: recent as in 7.3.754
09:34 clgv: cemerick: so that is the reason for dropping back to beta?
09:36 cemerick: clgv: appears so, yes
09:44 tpope: saalaa-folio: I haven't tried. what kinds of issues?
09:46 saalaa-folio: I'm not sure, I'm cleaning my setup so that I don't make useless noise
09:48 saalaa-folio: seems like there's an error in classpath#detect line 64
09:51 tpope: saalaa-folio: what error? and do you have https://github.com/tpope/vim-classpath installed or are you just using the one that ships with foreplay?
09:51 saalaa-folio: it's installed
09:51 saalaa-folio: but this error occurs even without vim-classpath
09:52 tpope: once again, what's the error?
09:52 tpope: check :messages if you can't see it
09:52 saalaa-folio: and the error occurs when I open any .clj file in a project
09:52 saalaa-folio: here's the full text: "project.clj" 6L, 264C
09:52 saalaa-folio: Error detected while processing function classpath#detect:
09:52 saalaa-folio: line 64:
09:52 saalaa-folio: E484: Can't open file /tmp/vD3yrRQ/6
09:52 tpope: check :set shell?
09:53 saalaa-folio: I'm using fish
09:53 saalaa-folio: hum
09:53 tpope: oh, fish will give you all sorts of trouble
09:53 tpope: add set shell=/bin/bash to your vimrc
09:54 saalaa-folio: yeah, it's working now
09:55 saalaa-folio: thanks a lot tpope!
09:55 tpope: ;)
10:19 shriphani: hello everyone. I am struggling to find info on how to run a script (i.e. write a main function and so on). Is there a definitive way to do this ? (I see source code using *command-line-args*, main [& args]. What is the definitive way of doing this?
10:20 nDuff: shriphani: main [& args] is closer to what the language will do for you automatically.
10:20 nDuff: shriphani: *command-line-args* is a var that's presumably being populated somewhere -- ie. someone is actually setting its value themselves. That doesn't make it a bad idea.
10:21 shriphani: i see.
10:21 nDuff: (indeed, as a dynamic var, its values can be overridden during individual tests during test suite execution, which maybe makes it a _good_ idea)
10:21 shriphani: and the [& args] format gives you an array with command line args in it?
10:21 nDuff: that expands all remaining arguments into a vector called args
10:21 nDuff: it happens, for something that's a conventional main, that that's what you want.
10:22 shriphani: ah I see.
10:22 nDuff: ...it's nothing specific to command-line arguments, but using the normal destructuring mechanism that works everywhere else as well.
10:24 shriphani: I am coming from racket to clojure (libraries). I am using clj <scriptname> <arg> to run my script and I am doing a println of the args vector. I don't see anything on stdout. Am I doing something wrong ?
10:25 borkdude: shriphani what is clj, a script? what's in that script
10:26 nDuff: What I was talking about, with respect to building a main, is for if you're compiling to a traditional/conventional Java main
10:26 nDuff: This ''clj'' sounds like it does something else.
10:26 shriphani: https://gist.github.com/shriphani/4715130 <-- that is my clj
10:26 shriphani: I found it in one of my tutorials.
10:26 nDuff: Ahh, so it's arguments passed directly to clojure.main
10:27 borkdude: shriphani the most easy way I would say is make it a leiningen project and call "lein run args"
10:27 nDuff: shriphani: ...for the future, getting accustomed to using Leiningen really _is_ the right thing -- you'll need it when you start dealing with 3rd-party libraries.
10:27 nDuff: Ahh. *command-line-args* is something set by clojure.main
10:28 nDuff: Didn't know that because, well, clojure.main isn't very often used.
10:28 nDuff: ...so, if you _are_ going to use clojure.main, *command-line-args* is the right thing.
10:28 TimMc: stuartsierra: I'm really glad to see this read-eval stuff going into 1.5. Thoughts on backporting?
10:28 shriphani: I just ran it with lein run and I get this: No :main namespace specified in project.clj.
10:28 nDuff: shriphani: so edit your project.clj and tell it which namespace you put your main in.
10:28 stuartsierra: TimMc: I don't understand.
10:29 TimMc: stuartsierra: 1.4.1, 1.3.1, 1.2.2 with dead-eval bound to false by default
10:29 TimMc: *read-eval :-P
10:29 stuartsierra: Erg. If you're volunteering...
10:29 borkdude: shriphani add ":main foo.core", if foo.core is the namespace you put the -main function in to project.clj settings
10:30 borkdude: shriphani oh yeh, the standard name of the main function is -main
10:30 borkdude: shriphani so not the minus
10:30 borkdude: shriphani note
10:32 cemerick: TimMc: FWIW, it looks like *read-eval* will not be false in 1.5.
10:32 TimMc: cemerick: D-:
10:33 TimMc: I suppose I should check the mailing list ever.
10:33 shriphani: borkdude and nDuff thanks for the help. I got it to work.
10:33 borkdude: :-)
10:46 TimMc: cemerick: If read is moved to unsafe-read, that's fine by me.
10:47 TimMc: Anyway, it's not like Clojure hasn't made breaking changes before in second-segment version bumps...
10:47shriphaniborkdude: I am trying to do this : is this incorrect ? (map (fn [s] (println s)) (line-seq rdr))
10:48borkdudeshriphani (map println …) would also work I think
10:48shriphaniThis happens : Exception in thread "main" java.io.IOException: Stream closed
10:49borkdudeshriphani ah, this means the stream already has been closed before consuming the entire lazy seq
10:49borkdudeshriphani so you would have to wrap it in side the (with-open ...)
10:49shriphaniI have it in with-open
10:50rplacashriphani: you probably want doseq rather than map there
10:50shriphanirplaca: would it be lazy then ?
10:50borkdudeshriphani rplaca is right, because map is also lazy and if you consume this result outside the with-open, it also would be closed before read
10:50rplacano, but if you have side effets, you probably don't want laziness
10:51rplaca*effects
10:51shriphaniborkdude: but the map is inside the with-open
10:51rplacashriphani: but the map is lazy
10:51borkdudeshriphani yes, but the result is probably not consumed, and map is lazy
10:51rplacaso it's not executed until later
10:52shriphaniso i should use doseq ?
10:52rplacashriphani: if you want to print lines from a stream, yes
10:53rplacait guarantees that all the work is done by the end of the call *and* it's more idiomatic in this case
10:53shriphanirplaca: now it wants a vector. line-seq isn't working.
10:55vijaykiranshriphani: what wants a vector ?
10:56shriphaniCaused by: java.lang.IllegalArgumentException: doseq requires a vector for its binding in seedscore.core:27
10:56borkdudeshriphani (doseq [l (line-seq (clojure.java.io/reader "/tmp/Foo.java"))] (println l))
10:57borkdudeshriphani or: (dorun (map println (line-seq (clojure.java.io/reader "/tmp/Foo.java"))))
10:57rplacaborkdude: beat me to it. My nine year-old came in to ask me about nodejs :)
10:58rplacabut I would claim the doseq version is clearer than the dorun version here. (Though it's a matter of preference)
10:58borkduderplaca and no intermediate collection
11:01shriphanirplaca: racket has file->lines primitive I can use for something like this: (filter (lambda (s) (string-is-ok s)) (file->lines s)). Is there an as-clean way of doing this ?
11:01shriphanisorry (file->lines filename) *
11:01borkduderplaca maybe there should be a switch in 1.5: *lazy* true/false :P
11:01nDuffshriphani: there's a line-seq
11:01rplacaborkdude: ugh!
11:02borkdudeomg, I take that back… and also I haven't said anything about significant whitespace
11:03rplacashriphani: no, things are simpler in this case here because racket isn't lazy so you don't have to worry about the deferred evaluation
11:03borkdudeshriphani you can get the lines into a vector of course
11:03rplacashriphani: you can always force execution with doall in these cases and get a non-lazy seq
11:03rplaca,(doc doall)
11:03clojurebot"([coll] [n coll]); When lazy sequences are produced via functions that have side effects, any effects other than those needed to produce the first element in the seq do not occur until the seq is consumed. doall can be used to force any effects. Walks through the successive nexts of the seq, retains the head and returns it, thus causing the entire seq to reside in memory at one time."
11:04nDuff...why is laziness a problem for shriphani here?
11:04rplacanDuff: cause he's in a with-open block
11:05nDuffAhhh; I missed that.
11:06luxbockcould this function be simplified somewhat? I have a really hard time wrapping my head around what's going on
11:06luxbockhttps://www.refheap.com/paste/9477
11:06borkdudeshriphani (-> "/tmp/Foo.java" slurp clojure.string/split-lines)
11:06luxbockit's from here: https://github.com/abengoa/clj-gametheory/blob/master/src/gametheory/core.clj
11:07luxbockI've been trying to fix this into a more readable format following the clojure style guide and trying to understand it at the same time
11:08S11001001luxbock: the style guide mentions indentation, right?
11:08S11001001ah, I suppose
11:08luxbockyes, here's what I've done so far: https://www.refheap.com/paste/9478
11:08luxbockit's not my code originally
11:09borkdudeshriphani filter all lines from Foo.java for which count is more than 1: https://www.refheap.com/paste/9479
11:09S11001001luxbock: well first, (map f (map g x)) = (map (comp f g) x)
11:09luxbockI can follow the rest of the code alright but that one function makes my head hurt
11:10S11001001luxbock: this is called fusion, and you can apply it to combine the 3 outermost maps into 1
11:11luxbockyeah that helps a little bit
11:11S11001001luxbock: also, comp is a variadic associative operator, so (comp (comp f g) h) = (comp f (comp g h)) = (comp f g h)
11:11S11001001then you should have (map (comp ??? ??? ???) all-strategies), and you should be able to fuse those 3 functions into a single function relatively easily
11:12luxbockyeah that sounds like a good excercise
11:13S11001001I do recommend doing it mechanically like this, so you can see the transformations
11:13borkdudehmm, makes me wonder, is there such a thing as higher order slurp which takes a filter fn ;)
11:13S11001001e.g., because you're working purely, you can then do SICP chapter 0 style argument substitution to actually do the fusion
11:15luxbockI'm learning Clojure without much of a background in any other languages (besides for a little bit of Python)
11:15borkdudeluxbock nice choice :)
11:15pimeysit's then much easier, I'd say :D
11:15S11001001yeah
11:15luxbockwould it be a good idea for me to go through SICP on my own using Scheme or Clojure to get a hang of things?
11:15pimeysyes
11:15pimeysit's teaching from very scratch
11:16pimeysand the exercises are easily converted to clojure
11:16pimeysalthough some of the stuff seems irrelevant for clojure, but still it's a good read
11:16S11001001luxbock: I'd at least do chapter 0, but no need to bog yourself down so much that you lose motivation for working on what you really want to work on.
11:16luxbockcan I combine it with learning Clojure at the same time, or should I just stick to the original format and use Scheme? I know there's that one SICP in Clojure project but it's not quite ready yet
11:16pimeyschapter 4 is also good
11:16pimeysluxbock: I'm learning clojure with sicp currently
11:17pimeysso it's doable
11:17luxbockah cool
11:17pimeysbut some stuff, like the end of chapter 2 seems a bit outdated for clojure
11:18pimeysand when they're talking about tail recursion, instead of calling the iterative function recursively, use the loop...recur construct
11:18TimMccemerick: The idea is that unsafe-read wouldn't do binding, and could be used in libs, but that read would bind *read-eval* to false before calling unsafe-read?
11:18luxbockI'm learning programming so I can learn about other stuff that's hard to think about without the mental tool box that programming provides you with
11:18AWizzArdIs there a good reason for this? ==>
11:18AWizzArd,(identical? 'and 'and)
11:18clojurebotfalse
11:18cemerickTimMc: That's my minor proposal, yes.
11:18S11001001AWizzArd: metadata
11:19TimMcAWizzArd: Symbols aren't interned.
11:19luxbockthis one game theory library I was able to find hits pretty close to what I want to be doing, but it's a lot of things to learn at once
11:19AWizzArdSo both are fresh and different symbols.
11:19AWizzArdWhile for keywords `identical?` works fine.
11:19AWizzArdOki, understood, thanks.
11:19pimeysluxbock: well it takes another 30 years to be a great programmer, so be patient :D
11:19TimMcYep, keywords are interned.
11:20@rhickeycemerick: which accomplishes nothing, since unqualified call to read are then not useful in libraries, and the I accidentally called unsafe read moves to I accidentally called this library which called unsafe read - how dare they!
11:20AWizzArdI think they are interned up to a certain limit. At some point older interned keywords get overwritten, so that there is no memory hole?
11:20BronsaFWIW tools.reader's read now disallows read-eval by default
11:20Bronsayou have to use unsafe-read and unsafe-read-string explicitly
11:21TimMcrhickey: The library maintainer would have a responsibility to document their call to unsafe-read, yes.
11:21@rhickeyBronsa: that's bad design
11:21@rhickeyTimMc: again ,for what purpose? Basically there will be no libraries that read and compose
11:21S11001001AWizzArd: they're in soft refs so can get GCed; a cleanup running every n ticks drops empty refs. It would violate the semantics of keywords to drop keywords that are still reffed
11:22TimMcrhickey: That was ambiguous... You're saying that this would block composition, or that reading libs don't exist?
11:22S11001001AWizzArd: the java code in Keyword.java that implements this is pretty straightforward, short, and worth reading if you're interested.
11:22S11001001you know, for java code
11:22TimMcrhickey: My understanding is that unsafe-read would not perform any binding.
11:22TimMcmore like "maybe-unsafe-read"
11:23Bronsarhickey: I'm sorry but I find this behaviour saner
11:23@rhickeyYou can't put a hardwired choice at the bottom of a library
11:23TimMcIt wouldn't be hardwired.
11:23TimMcunsafe-read would respect the current binding
11:24BronsaTimMc: that's what I'm doing in tools.reader. unsafe-read allows read-eval to be true or false
11:24@rhickeyTimMc: but who will use it in their library and risk being responsible for someone reading crap from the internets?
11:24TimMcI would. With a big ol' warning.
11:24@rhickeylooking forward to a world where everything is prefixed by unsafe-
11:25Bronsa,unchecked-inc
11:25clojurebot#<core$unchecked_inc clojure.core$unchecked_inc@4633f685>
11:25@rhickeybecause if not, then the hungarian notion safety system fails
11:26@rhickeynotation
11:26AWizzArdS11001001: :)
11:28@rhickey(yourlib/foo ...) is it safe?
11:28@rhickeyIf I have to read docs, I might as well read the docs for read
11:29TimMcTrue.
11:29TimMcBut it still depends on the dynamic scope anyhow.
11:29@rhickeyAnd then I would understand that the safety is up to me, not your library, and how to ensure it
11:29TimMcI can't tell the safety of that call in isolation.
11:30@rhickeyBut if I take responsibility for myself, I am always explicit about safety
11:30TimMcI'd still have to document that mylib/foo calls read-string.
11:30TimMcAnd the user would have to read it.
11:30S11001001TimMc: in core.typed you can add an alias for the Identity monad, Unsafe, which would check percolation of unsafety :)
11:31@rhickeyno, it's often obvious that a library is I/O oriented, and one can presume uses read. In any case, one could explicitly setup the safe binding in self-defense
11:31@rhickeythe point is, defaults accomplish nothing here
11:32@rhickeyand to the extent they lull people into not being explicit, are doubly dangerous
11:32pjstadigrhickey: no one is arguing that defaults would save you from cases where someone explicitly established a binding
11:32pjstadigthose are two separate circumstances that should be considered separately
11:33pjstadigeven if the default changes, there's still a need to program defensively, and educate people to do so themselves
11:33@rhickeyread is not and has never been safe. you can't superimpose safety on old code that calls read by changing what it means
11:33@rhickeyand, that old code might use binding, which would be disabled
11:33headshotah, rhickey. thanks for clojure
11:34headshot</end-gushing-fan>
11:34@rhickeyohpauleez: at which point you will prove my point, a safe reader is explicitly so, with no options for otherwise
11:34@rhickeylike safe-read
11:34pjstadigrhickey: isn't it the case that the changes on master also break code?
11:34pjstadigif someone is doing something with #= that isn't in the whitelist
11:34borkdudewouldn't nested bindings also cause danger?
11:34@rhickeyheadshot: you're welcome
11:35borkdudefor example, a library designer could always do (binding [*foo* false] ….) no matter what you bind *foo* to?
11:35ohpauleezagreed - if that's what we want, and that's what people want (it's sure what I want in my code), let's just make the most direct solution
11:35pjstadigborkdude: yes, but that is orthogonal to what is the default value for *read-eval*
11:35ohpauleezthen say, "if you're using it for just data, grab the contrib"
11:35@rhickeyborkdude: but that would be a bad library, a library could fire missiles too
11:36borkdudeor drones, so I heard
11:36@rhickeyohpauleez: I don't disagree, the point is people are looking to break read without getting the benefit they seek
11:37@rhickeyI'd be happy to have an edn reader
11:37pjstadigsomeone can always bind *read-eval* whether it defaults to true, false, or :default, but that is an entirely separate issue as "what should the default binding be"
11:37@rhickeyreusing the reader for interop is an act of extreme convenience
11:37@rhickeypjstadig: and the default ensure what for you?
11:37pjstadigthe change of the root value of *read-eval* to :default will still break code
11:38pjstadigso the question isn't whether to break code, but how much code to break
11:38@rhickeypjstadig: It might, and an option is to go back to the black/white world, but if we do, the default will still be unsafe, as it must be for all the reasons I've given
11:39@rhickeypjstadig: no, the non-breaking option is to add safe-read and docs
11:40pjstadigrhickey: in my mind having a 'safe' default doesn't ensure anything, it's just a backstop
11:40pjstadigi don't disagree with you
11:40pjstadigit would not be a be-all-end-all solution
11:40@rhickeySo, if you were a fan, would you sit behind a backstop with gaping holes?
11:41@rhickeyI wouldn't
11:41pjstadigwhat gaping holes?
11:41@rhickeyBut the semblance of a backstop, and people blogging about it now being a safe default might very well cause people to not be explicit
11:41@rhickeypjstadig: binding
11:42pjstadigrhickey: as soon as you use binding, you've stepped into a different situation
11:42pjstadigthe changes on master also have "gaping holes"
11:42pjstadigsomeone could bind
11:42@rhickeyThe problem is when someone else uses binding around you
11:42pjstadigand that problem has nothing to do with the default
11:42pjstadigi see your argument that perhaps having a 'safe' default lulls people into thinking they are safe
11:43@rhickeypjstadig: yes it does, if the default is unsafe I never rely upon it for safety
11:43pjstadigbut i don't think the solution there is to throw them to the lions
11:43pjstadigand *read-eval* as :default is still a "lulling" situation
11:43pjstadigsomeone could still bind
11:43@rhickeybind around safe-read? so what?
11:43pjstadigno
11:43pjstadigread
11:43pjstadigsafe-read may be a good addition either way
11:44pjstadigbut having *read-eval* as :default for read is just as much lulling people as having it false
11:44pjstadigand the problems with composing bindings still exist
11:44@rhickeylook, there is not going to be a safe read given whatever default, of a function that has dynamic control, that is not explicit. At the point it is explicit it doesn't care what the default nor surrounding bindings are
11:45@rhickeypjstadig: as I said, it could go back to full eval by default
11:45pjstadigfull eval with safe-read?
11:46@rhickeyold code, add safe-read, docs, make record reading subject to *read-eval*
11:46pjstadigwhat i mean is read would do full eval, but we would have a new safe-read function
11:46pjstadigright
11:47pjstadigyeah, there would be no expectation of safety there, sure
11:47pjstadigbut the composition problems still exist
11:47@rhickeywhat composition problems?
11:47pjstadigsomeone could still decide to use safe-read for me and i wouldn't be able to control it
11:47pjstadigor they could bind below me
11:47@rhickeylibrary code calls read, application code ensures safety
11:47pjstadig(in the case of using read)
11:48ohpauleezPersonally, I really like the changes in master + an EDN reader contrib. I think that covers all the bases
11:49@rhickeypjstadig: they can't bind around a code path that's your responsibility below you
11:50pjstadigif i call someone who binds *read-eval* to true, i cannot effect that
11:50ohpauleezcemerick: Want to jump in on this real quick?
11:50pjstadigif they decide to use safe-read, but i want read with *read-eval* true, then I cannot effect that
11:50@rhickeypjstadig: If they are doing that they own that, they could launch missiles too
11:50borkdudebackward-bind: the most outside binder wins :P
11:50pjstadigbut as i said those are orthogonal to defaults
11:51pjstadigthose situations come about no matter what the default is
11:51@rhickeypjstadig: you are wrong about that, if read's defaults are characterized as safe
11:51cemerickohpauleez: apparently I missed the action, was off writing an email :-P
11:52pjstadigrhickey: yeah, i mean that's fine if that's the tack you want to take
11:52@rhickeyIt's not a tack, it's basic privilege narrowing
11:52pjstadigrhickey: and if that's the tack you want to take then you probably don't want what's on master
11:52clgvrhickey: I like the whitelist idea. but one little question why bind *read-eval* to :default instead of :whitelist?
11:53@rhickeypjstadig: it depends on how it is sold - I still characterize it as unsafe
11:53@rhickeyand thus safe-read
11:53pjstadigin my mind it is as much about establishing a safe default as setting *read-eval* to false
11:53pjstadigand it still breaks code
11:53pjstadigpossibly less, but it will
11:54@rhickeybut if we are worried about code written with complete lack of awareness, perhaps it reduces the risk footprint
11:54@rhickeynot changing read is least disruptive
11:55@rhickeypjstadig: there is no such thing as a safe, dynamically rebindable, default
11:55@rhickeyno
11:55pjstadigrhickey: but when you talk about binding you have stepped outside of default
11:56pjstadigsomeone can always bind
11:56pjstadigwhat should the root value be
11:56@rhickeydefault means - if I do nothing else explicit, this is what I get. A default value of a dynamic var doesn't give you a default semantic for read
11:56pjstadigiff someone binds
11:56@rhickeypjstadig: the point is the root value doesn't convey any semantic, better to choose one that doesn't make people complacent
11:56aroemerspjstadig: breaking a little code for a reduced risk isn't that bad, is it?
11:57pjstadigrhickey: i understand that is what you are saying, but i don't think everyone sees it that way
11:57pjstadigrhickey: and i don't think you want what is on master in that case
11:58pjstadigaroemers: it depends on what the goal is
11:58TimMcrhickey: I think I see what you mean about read vs. unsafe-read -- it might connote that read is always-safe.
12:01pjstadigTimMc: but if safe-read gets renamed to read and always binds *read-eval* to false, then it would be always-safe, no?
12:01hyPiRionOne way of solving this "*read-eval* should be true/false"-discussion would be to make *read-eval* unbound by default. It will break everything, though.
12:01aroemerspjstadig: well, I think a lot of Clojurians are not aware of the read-eval binding. As Clojure gains more popularity, I think it is good to have some risk reduction, while indeed not implying that read defaults to safe (as rhickey states).
12:01eggheadall this talk about safe reading... no one ever told me reading was dangerous!
12:02pjstadigaroemers: yeah, well i'm in favor of having *read-eval* default to false, which would break code for reduced risk
12:02@rhickeyegghead: reading from the internet is dangerous, any developer that doesn't know that should be fired
12:02egghead:)
12:02pjstadighaha
12:02hyPiRionoh TimMc, did you see that I finished the quicksort?
12:02technomancyring used to call read-string on session values until very recently
12:03cemerickohpauleez: sorry, what were you asking about? safe-read + a canonical non-side-effecting reader impl?
12:03ohpauleezyes
12:04cemerickwell, that was the email I was writing earlier, on the ML now
12:04ohpauleezahh
12:04ohpauleezI'll read now
12:04TimMcpjstadig: Oh right, never mind.
12:05aroemershyPiRion: how feasible is this idea of having an unbound *read-eval*? How much would it break?
12:05cemerickI don't think anyone has said why #= is so critical to maintain. rhickey is right that dynamic scope ensure that the default cannot be relied upon as an absolute, but I disagree that it's effectively meaningless.
12:06pjstadigyeah it's a good question, some cases of #= can be covered with reader literals
12:06pjstadigrecords have their own syntax now
12:06matthavenereven with *read-eval* false, is read-string even safe from other reader attacks? what would be the uses of a safe-read?
12:06hyPiRionaroemers: Everyone who doesn't bind *read-eval* and attempts to use read-* will end up getting a "*read-eval* is unbound" error.
12:07hyPiRionIf *read-eval* is unbound by default, that is.
12:07aroemershyPiRion: I understand that, and I actually like that idea, but I cannot foresee how much it breaks. Maybe you have a better view on it.
12:07cemerickegghead: thank you for representing the vast majority :-)
12:07cemerickre: "all this talk about safe reading... no one ever told me reading was dangerous!"
12:08@rhickeyClojure's code-as-data extends to Java data - classes, Java collections etc. All of that can be intermixed with Clojure data but not all can be represented as Clojure data
12:08@rhickeyreconstructing it requires calling ctors, static methods etc
12:09@rhickeyit is unlikely that will ever be replaced by tagged literals except via a tagged literal as dangerous as #=
12:09hyPiRionaroemers: Well, it will most likely be an easy fix by binding *read-eval* at a program's entry point. However, that's without threads. As far as I know, binding is only thread-local, so a new binding has to be set up for each thread (or one must use boundfn if one wants *read-eval* to be passed on to that thread)
12:10@rhickeyat least, as dangerous as the #= default in patch
12:10TimMcrhickey: The vast majority of the time, full serialization is completely unnecessary.
12:11@rhickeyHere's a thought experiment - imagine we have a startup option that sets the default value of *read-eval* - how would that change your code or your recommendations to others on the shape of their code?
12:11hyPiRionI think the main issue here is that people aren't aware of *read-eval* and what it does. People should know that it exists and what may potentially happen if they don't bind it.
12:11TimMcrhickey: alter-var-root?
12:12TimMcOh, an option, I see.
12:12@rhickeyIMO, you should code as if set to the worst, regardless of the default
12:12hyPiRionTimMc: More like clojure --read-eval=false or something, I think.
12:12@rhickeythe point is not the option, it's that the option doesn't change good code
12:12aroemershyPiRion: so the fix is indeed not that complicated. But would many projects/libraries need such a fix? (I have no idea where and how much read is used)
12:12@rhickeyand doesn't fix bad code
12:13pjstadigit would possibly break bad code if --read-eval=false
12:13pjstadigdoes that code deserve to be broken?
12:13@rhickeywhat bad code?
12:13cemerickrhickey: except, AFAICT, that capability is unused, undocumented (rightly so IMO), and necessarily makes Clojure a conduit for exploits.
12:14pjstadigcode that doesn't explicitly set a binding before calling read?
12:14hyPiRionaroemers: For libraries, you'd only have to bind for testing (and potentially replace some `fn`s with boundfn) the code. Only applications should have "an issue" with it.
12:14@rhickeypjstadig: and reads what?
12:14hyPiRionThough, that being said, I suspect that the world is a bit more complicated than that.
12:14pjstadigrhickey: user generated data
12:14@rhickeypjstadig: if edn, will be silent
12:15pjstadigrhickey: what are you thinking of when you use the term "bad" code?
12:15@rhickeycomputers can't smell user generated data
12:15pjstadigum, i wasn't saying they would?
12:15pimeysI smell the ruby's YAML hell when seeing this :)
12:15technomancypimeys: heh, that's exactly why we're having this conversation
12:15@rhickeybad code is code that needs to protect itself and doesn't setup safe read
12:16@rhickeyunsafe readers need do nothing
12:16@rhickeyi.e. readers of trusted sources
12:16pjstadigright, so good code is unaffected by the default value for *read-eval*
12:16technomancypimeys: the rubygems.org exploit happened because people didn't understand that YAML.parse was a dangerous operation
12:16@rhickeyright, and good code is necessarily explicit
12:16pimeysI know
12:16pjstadigbut "bad" code could be broken if you set *read-eval* to false by default
12:17pimeyswe've been hot-fixing like hell in my workplace recently
12:17@rhickeypjstadig: and I contend good code is less likely to exist
12:17pjstadigrhickey: possibly, but in the end if there's a high profile "rubygems like" incident it will reflect on the whole clojure community
12:18technomancypimeys: fun, innit
12:18@rhickeypjstadig: no, bad code (fails to set anything) won't be exposed until bad things are sent to it
12:18pimeyssad, I think
12:18@rhickeypjstadig: It's fine to be afraid of that, but important to solve it, not just make gestures
12:18pimeysbut will happen everywhere if people are not careful
12:18pjstadigrhickey: but when something bad is sent it will throw an exception instead of exposing some security risk
12:19TimMcrhickey: A library that just calls read, is that bad code? And a caller of that library that doesn't bind, is that bad code?
12:19@rhickeywe have a different scenario than python/ruby with the dynamic bindings
12:19@rhickeypjstadig: only if not wrapped in another context - I contend the default does nothing
12:19pjstadigi tend to fall on the side of "good code" is unaffected, "bad code" deserves to be broken because if it's not then people will cast a bad light on the community as a whole
12:19@rhickeypjstadig: bad code will be undetected
12:20cemerickshould sql query parameters be explicitly escaped?
12:20pjstadigrhickey: it may be a different scenario, but i think anyone analysing an incident would deride *read-eval* defaulting to true
12:20@rhickeythere's no substitute for taking responsibility for yourself
12:21@rhickeypjstadig: and when it was false and still happened?
12:21pjstadigrhickey: then we say, "we had a safe default and you changed it"
12:21pjstadigit's no substitute for personal responsibility; agreed
12:21@rhickeypjstadig: like you told me I had to in order to do X, Y, and Z
12:22hyPiRioncemerick: SQL libraries should provide you with a sane default and explicitly tell you that default.
12:23aroemersbad code would indeed go undetected, until something happens to it, in that case the results of that bad code would be less severe, which is good for the Clojure community IMHO.
12:23pjstadigaroemers: right
12:24@rhickeyyou are just playing the odds, not really safe
12:25aroemersStill, I think rhickey is right to, in the sense that read should still be documented as being unsafe, and a safe-read in that case is very welcome.
12:25aroemers*too
12:26craigbrowell
12:26craigbroeven a "safe-read" that allows macro characters has issues if I can get data to disk
12:26technomancycraigbro: if you can get it to the classpath, you mean?
12:26pjstadigrhickey: having *read-eval* default to :default is still playing the odds by reducing the chances someone wants to tweak the value of *read-eval*
12:26TimMcA default of [*read-eval* false] fails-safe, a default of true fails-deadly.
12:26pjstadigi'm not saying that's bad
12:27@rhickeycraigbro: as I said on the list, read is not going to be made secure near-term, whatever we do right now
12:27pjstadigit's hard to judge odds here
12:27technomancycraigbro: in which case you have plenty of more appealing attacks available to you than the reader
12:27TimMcYou can get "failure" either way, but one of those probably won't cost you a month to fix.
12:27craigbroyah, but that's priv escalation
12:27pjstadigi don't think anyone is really analyzing frequencies
12:27craigbrorhickey: I agree, I bring it up as a point that the issue is more than just default binding
12:28hyPiRionpjstadig: ##(frequencies (repeatedly 345 (partial rand-nth [:for :against])))
12:28lazybot⇒ {:for 160, :against 185}
12:28ruff_hello my friends i first with #clojure how to runing #clojure on #node.js server no lag?? sorry my english
12:29@rhickeycraigbro: sure, someone could probably OOM you just by feeding indefinitely much data inside a collection
12:29craigbroof feeding a anon fn to the right values
12:29craigbros/of/or
12:29hyPiRionor a reified object, for that matter.
12:30craigbrohyPiRion: hmm, not clear on how that would happen
12:30craigbroor I can leak values using @deref
12:30cemerickhyPiRion: My broader point was that saying "you need to be explicit" is a poor option. Even the brightest, most careful among us make mistakes; missing a checkbox to opt into not being exploited is inevitable.
12:31FrozenlockAs a bad person, I often try functions I don't really understand until 'it works'. If I can use 'read-string' and it works, I probably won't think of checking anything else.
12:31@rhickeycemerick: making the mistake of not calling safe-read on internet-sourced data is one for firing
12:31jkkramerto write good (explicit) code, one has to actually know that reading is unsafe. newcomers generally don't know that
12:31hyPiRioncraigbro: ##(= (reify Object (equals [this _] (println "alert!"))) :foo)
12:31lazybotjava.lang.NullPointerException
12:32@rhickeythis whole culture of the lang/lib/service/whatever is going to take care of me is gross
12:32cemerickrhickey: not "take care of me"; "don't go implicitly executing code"
12:32@rhickeyjkkramer: agreed, no argument on docs needing to become much more explicit there
12:33@rhickeycemerick: it's what the reader has always done, it is not fundamentally a tool for reading the internet
12:33enquorahas anyone seen or attempted a clojure pdf generation library?
12:33thickeyit's very interesting problem. the ones at risk are always the unaware. you are only safe if you are explicit.
12:33matthavenercemerick: i agree, even with *read-eval* false, read-string still doesn't "take care of you" (OOM/DoS type attacks are still possible)
12:34@rhickeypeople are using it for that because no one has taken the time to write the tiny bit of code needed for an edn reader. Everyone wants reader for free
12:34wangtd//names
12:34cemerickrhickey: The history is what it is; that doesn't mean that it needs to or should remain
12:35@rhickeyIf there was an edn reader right now in Clojure, who would advocate using read for internet data?
12:35@rhickeyIt wouldn't be called core/read
12:35@rhickeyit would have to be a different call (like safe-read, erm edn-read)
12:35cemerickI think people should be forgiven for using the Clojure reader to read Clojure data.
12:36craigbrocemerick: no way
12:36technomancyhttps://github.com/ring-clojure/ring/commit/7028d12759ababdcd
12:37dnolencemerick: hmm I don't know, people used to abuse eval in JS for JSON parsing. This spawned proper JSON parsers - now no one uses eval for JSON parsing.
12:37jkkramerenquora: there's http://www.clojuresphere.com/clj-pdf/clj-pdf. I ended up shelling out wkhtmltopdf, which provided much better control/flexibility
12:37craigbrocemerick: I'm not saying we be vindictive, but since the days of CL web dev and before, lisps do not use read to get data
12:37technomancyany guesses as to how long that affected every cookie-store-using Clojure web application?
12:37enquorajkkramer: that's based on iText, afaik, which is a non-starter
12:37cemerickdnolen: except no one is using clojure.core/eval to parse clojure data that they wrap in a (quote ...) form.
12:37Frozenlocktechnomancy: 24 days ago? Shi...
12:37`fogustechnomancy: since the beginning of time?
12:38@rhickeycemerick: there's no substitute for a hardened interop-oriented read - Clojure's reader isn't that, and changing a default won't make it that
12:38dnolencemerick: read-string is as bad as eval is my point
12:38dnolencemerick: people should use EDN readers
12:38cemerickdnolen: indeed, read-string is as bad as eval now; what I've been driving at is, it doesn't have to be.
12:38@rhickeyClojure's reader is meant to serve the language, and devs looking to fully exploit their environment
12:39hugodI like the idea of a separate read that is unaffected by dynamic vars
12:39@rhickeycemerick: just use safe-read, wtf
12:39cemerickindeed
12:39enquorajkkramer: that's exactly what we do now. our needs push html layout beyond its limits though :-(
12:39ohpauleezcemerick: I'm with dnolen on this - tempted to cook one up in the spirit/API of clojure.data.json
12:39dnolencemerick: agree w/ rhickey here. read language support is being hijacked out of convenience.
12:40@rhickeyI don't see changing defaults as being better than calling safe-read and advocating to everyone else to do the same with untrusted data
12:40hyPiRionOkay, so the issue here is that we don't have a proper `read-edn` function yet?
12:40@rhickeysafe-read
12:40@rhickeysafe-read is a slight superset of edn
12:40enquoraneed something that is optimized for technical report generation. Am reconciled to creating something from scratch, but hoping to find something existing as a starting point that at least provides font-metrics and pdf primitives
12:40@rhickeyallowing records, but disallowing Java
12:41hiredmanenquora: your best bet is to find a java library for that
12:41enquorahaven't had much luck there, either
12:42hiredman~google java reporting library
12:42clojurebotFirst, out of 920000 results is:
12:42clojurebotJasperReports Library | Jaspersoft Community
12:42clojurebothttp://community.jaspersoft.com/project/jasperreports-library
12:42hiredmanseems like a solid google hit
12:42@rhickeyhow about we call safe-read edn-read, and consider it slightly but harmlessly broken, to be made conformant by 1.6?
12:42enquorahiredman: by which I mean something that is appropriate and I'd like to use ;-)
12:43`fogusohpauleez: The CLJS reader is a good first approximation. Needs work to get the whole way.
12:43craigbromy vote is for separate edn reader, designed from start to be safe and deal with public data
12:43enquorahiredman: layout concepts nowhere near what we need
12:43TimMcrhickey: How about moving eval and read into clojure.compiler or whatever, since they aren't for general purpose use?
12:43craigbroI think they still are for general purpose use
12:43@rhickeyand everyone who thinks this is important direct their energies off the list and on patches for it?
12:43rplacaJasper is a crazy complicated system. It used to belong to Sun/MySQL, but I don't know what they're up to now
12:43hiredman`fogus, ohpauleez: I am surprised neither of you mention the recently contribized blind
12:43craigbrothere are tons of times when I am reading/writing data that I control
12:44nightflyEval and read not for general use? Is this not a lisp?
12:44TimMcWell, that's the message I'm getting.
12:44@rhickeyTimMc: I don't see the point, given better documentation and an alternative edn-safe-read mentioned in same
12:44`fogushiredman: I thought that was intended to provide the same capability as the Reader code.
12:44enquorawe need to produce *very* dense technical/engineering reports with extremely tight typographic control. unfortunately, there isn't much out there that meets this goal.
12:45@rhickeyAll we're doing by futzing with read is breaking things and delivering nothing
12:45hiredmanenquora: generate latex
12:45@rhickeybut making ourselves feel better
12:46`fogushiredman: But yes, its code could be used as a basis for a true CLJ EDN reader
12:46@rhickeycraigbro: I believe most serious use of read is dominated by controlled code and sources, outside of webapps
12:46ivaraasenhyPiRion: so I think I finally managed to decouple the basic functionality of array-utils from doubles. only slightly slower, which is nice.
12:46craigbroTimMc: general use does not include reading tainted strings 8^)
12:46enquorahiredman: have done that in the past. it's a bit like using regex to parse html - in this case. ConTeXt is at least a bit better.
12:46hyPiRionI would support changing the name of safe-read, as it doesn't convey why it's "safer" than normal read.
12:46hyPiRionivaraasen: sweet
12:47hiredmanoh god, yeah, imagine a reader without syntax quote in it
12:47hyPiRioncall it edn-read or read-edn (plus records), as that's what it really does.
12:47enquorahiredman: need to generate these in javascript in the browser, too. am thinking about something that can be compiled using clojurescript
12:47rboyd+1 vote for renaming read to hackme-read
12:47FrozenlockAs a side question: Isn't read and eval two separate functions usually? (R.E.P.L.)
12:48ohpauleezhiredman: `fogus - yeah cljs.reader or the new clojure reader are both solid candidates.
12:48hyPiRionNot that I really care much about it, but edn-read conveys what data format we read -- safe-read doesn't.
12:49jonasen+1 for edn-read. And leave the current read as is (with a pointer to edn-read in its docstring)
12:50craigbrohttps://github.com/search?l=Clojure&q=read-string&ref=advsearch&type=Code https://github.com/search?l=Clojure&q=read-string&ref=advsearch&type=Code
12:50craigbrodoh, sorry, repeated url
12:50craigbroanyways, there ya go bois, get to work patching all those 8^)
12:51hyPiRionHmm.
12:52jkkrameredn-read is also probably unused in the wild. there are codebases that already have a safe-read
12:52cemerickdnolen, ohpauleez: a separate standard reader library is certainly welcome. FWIW, I was trying to eliminate a source of inevitable error, not maximize convenience.
12:53aroemersWould edn-read or safe-read then be the same in functionality as read with *read-eval* to false?
12:54hiredman,(- 28 16)
12:54clojurebot12
12:54ohpauleezcraigbro: https://github.com/search?l=Clojure&q=safe-read&ref=advsearch&type=Code
12:55ohpauleezfwiw
12:55dnolencemerick: communicate to not read/read-string (docstring, IRC, ML, Twitter). add a kibit rule etc.
12:55dnolenI honestly don't understand why the huff now after 5 years of unsafe read
12:56ToBeReplacedi'm a bit lost... shouldn't it always be opt-in-for-danger? if you just create safe-read, someone will read somewhere... i liked the idea of moving eval, read, etc. to a separate namespace.
12:56@rhickeydnolen: agreed
12:56technomancydnolen: because three high-profile vulnerabilities caused by the same problem just surfaced last month
12:56craigbrodnolen: HN echo of rails catastrophe
12:56matthavenerdnolen: i think people (include myself) assumed that read-string couldn't eval... but imho a lack of understanding on my part doesn't require a change on clojure's part
12:56TimMcdnolen: Apathy.
12:57ibdknoxmatthavener: it does actually, when that lack of understanding spans the community
12:57@rhickeytechnomancy: that doesn't mean the answer is change read, the answer could be - use something else
12:57Frozenlockmatthavener: That was my initial insight. There's a `read' and 'eval' function.
12:57craigbroohpauleez: awesome, I did not mean to cast aspersions on clojure coders with that url, just thought github search was kewl and an easy way to track this stuff and talk about how clojure code gets written in the wild
12:58ToBeReplacedrhickey: would you say that the answer is "make sure everyone is taught that there is an issue here" or "make sure that no one hits the worst-of-the-issues unless they explicit say it's okay"
12:58matthaveneribdknox: but is our goal to please the community or make clojure easy for the community? or to build a good/simple lang?
12:58`fogusWhere oh where is clojure.tools.edn?
12:58technomancyI don't think it would be productive to get involved in this conversation further, but that's why it's being discussed now.
12:58ibdknoxmatthavener: there is no good/simple lang without a community :)
12:58cemerickdnolen: what everyone said above, plus I was around leaving cemerick-shaped holes in walls, per usual.
12:58matthaveneribdknox: agreed, there's a balance there somewhere :P
12:59@rhickeythanks everyone for your input, I'll be back later with an answer I hope :)
12:59ibdknoxI'm amazed this is even contentious, to be honest
12:59cemerickibdknox: oh?
12:59technomancy"YAML.load didn't look dangerous to me" <- sound familiar?
13:00ibdknoxcemerick: any large organization having found an insecure default?
13:00ibdknoxknow what we did at MSFT?
13:00ibdknoxlol
13:00TimMcYou laughed out loud, is what?
13:00ibdknoxor we dropped a few million dollars to fix it in the next couple days
13:00Bronsa`fogus:, dnolen would a tools.reader.edn subnamespace be more acceptable than defaulting to disabling read-eval?
13:01dnolenBronsa: yes that's what I would suggest
13:01aroemersRich shouldn't 'wft' dear Chas next time he comes for input though! ;)
13:01ohpauleezBronsa: dnolen I'd rather see data.edn
13:01jonasen`fogus: shouldn't that be clojure.data.edn?
13:01ohpauleezto match data.json
13:01ohpauleezsince it's a data language
13:02dnolenohpauleez: no argument there.
13:02aroemers*wft, that is
13:02ohpauleezI'm with you jonasen
13:02aroemers**wtf...!
13:02ibdknoxif we took a straw poll on how many people know about #= I imagine it's only the obvious people
13:02jonasenohpauleez: heh
13:02Bronsaright, I would include it in tools.reader only to avoid code duplication :)
13:02ohpauleezBronsa: are you cooking this up right now? I was just going to use the CLJS reader, since it's nearly purely EDN as is
13:03Bronsaohpauleez: tools.reader is already feature-complete
13:03`fogusjonasen: Maybe. But data.edn is just Clojure. ;-)
13:03technomancythe funny thing is the YAML vulnerability was actually much less dangerous than the reader since it only exposed a single []= method; it had to be paired with a class that called eval inside such a method to be exploitable
13:03Frozenlockibdknox: I've seen #= more than 10 times since yesterday and I still don't know what it does...
13:03ohpauleezBronsa: totally, but you need to not pick up Records, etc
13:04ibdknoxFrozenlock: it allows you to execute any arbitrary code at read time.
13:04ohpauleezno eval, no records, but data literals, reader literals, and datatypes
13:05ohpauleezibdknox: I'm still laughing at the term, "the obvious people"
13:05ibdknox:)
13:05Bronsaohpauleez: I'm working on it
13:05`fogusBronsa: Sweet!
13:05ohpauleezBronsa: Solid! I will stop my work then!
13:05TimMcFrozenlock: (read-string "#=(eval (System/exit 0))")
13:05ohpauleezlet me know how I can help
13:05FrozenlockTimMc: naughty
13:05FrozenlockI might have tried that.
13:05TimMcFrozenlock: Long story short, use (binding [*read-eval* false] ...) around everything.
13:06cemericktechnomancy: All I can think of now is a phrase from an email of yours early in one of the threads, "tribal knowledge"
13:06technomancycemerick: honestly I don't know how anyone gets anything done in Clojure without hanging out in this channel anyway
13:06sshackHow do you install a jar file into the local maven repo? I did this a few days ago but forgot the command.
13:06ibdknoxhaha
13:06Frozenlock,(read-string "(+ 1 2)")
13:06clojurebot(+ 1 2)
13:06ibdknoxtechnomancy: it is a wonder
13:06Frozenlock,(read-string "#=(+ 1 2)")
13:06clojurebot#<RuntimeException java.lang.RuntimeException: EvalReader not allowed when *read-eval* is false.>
13:07FrozenlockSo the point of #= is to screw us?
13:07TimMcYes.
13:07cemericklol
13:07ohpauleezhaha
13:07FrozenlockI mean... I would just do (eval (read-string "(+ 1 2)")) if I wanted to eval code.
13:07`fogustechnomancy: That's odd because I don't know how anyone gets any work done /while/ hanging out in this channel :p
13:07TimMcBut since we're all mega-rockstar programmers who never screw up, it will never bite us in the butt.
13:07ohpauleezit's why it loosely resembles a...
13:07technomancyFrozenlock: only in undocumented ways, don't worry
13:07rbxbxcemerick the tribal knowledge situation in this community isn't nearly as bad as, for example, Rails.
13:07cemerickrbxbx: Oh, good, thanks for that. :-P
13:07rbxbxthen again Clojure is younger, so we might end up there eventually :|
13:07TimMctechnomancy: It's a good thing that black-hats never read the docs, am I right?
13:08ohpauleezhaha
13:08technomancyFrozenlock: I get the feeling you're going to pull out the c-word
13:08rbxbxcemerick just saying, I feel like you can read a few books and blog posts and be a moderately effective Clojure developer. I don't see that in Rails at all.
13:08ibdknoxWould anyone actually complain about making read non-side-effecting?
13:08technomancy(not that c-word, I mean complected)
13:09rbxbx(and yes, language vs framework, but meh, point stands ––– it's really community comparison, not tooling)
13:09ohpauleeztechnomancy: haha
13:09cemerickibdknox: it is quite off the table
13:09rbxbxtechnomancy: I kept seeing c-word on the mailing list and thought that perhaps wasn't the best choice of phrasing.
13:09ibdknoxcemerick: I read your response that said that, but I didn't catch why
13:10Frozenlocktechnomancy: I don't get it.. :(
13:10ibdknoxFrozenlock: read currently does more than one thing
13:10ibdknoxFrozenlock: like you said, you expected to use (read (eval ..)) if you needed such a thing
13:11craigbroreverse that 8)
13:11FrozenlockIndeed.
13:11mattmossBut can you put #= inside #= ?
13:11FrozenlockSo clojure doesn't have a repl, it has a RPL.
13:12ohpauleezmattmoss: You're talking about the 5th dimension of eval? I've only heard the rumors
13:12cemerickibdknox: I think the closest we'll come is @ http://clojure-log.n01se.net/#12:08
13:12technomancyFrozenlock: maybe more like a reepl
13:12ibdknoxcemerick: I see
13:13mattmossohpauleez: C'mon... everyone knows the 5th dimension is love... or... wait: that's the 5th element.
13:14craigbrowelll
13:15cbpany way for nrepl to terminate the jvm it started?
13:15craigbroclojure code is data, clojure data is code -- that mantra should at least clue you in that reading data as clojure is not something you do with any old input
13:15cbpso i don't end up with 10 jvm hogging 3 gb of ram at the end of the day? :p
13:15cemerickibdknox: long before edn and tagged literals, there was a desire to be able to represent Java objects within Clojure data, e.g. #=(java.util.ArrayList. [1 2 3])
13:15technomancycraigbro: that mantra is true of other lisps, and they don't have this problem.
13:15Frozenlockcbp: (System/exit 0) might do it...
13:15craigbrotechnomancy: yes, they do
13:16dnolentechnomancy: I would find that *very* surprising
13:16cemerickthus print-dup, etc.; apparently, #= existed already?, but I don't recall that prehistory
13:16technomancycraigbro: so... how would you exploit an Emacs instance via read-from-string?
13:16ohpauleezC-x C-x M-a C-t
13:17ohpauleezsee what I did there?
13:17dnolentechnomancy: heh, was thinking about production Lisps, not text-editor lisps
13:18`fogusDo a Google search for "Red Team vs the Agents"
13:18FrozenlockDoesn't common lisp require an eval function?
13:18technomancydnolen: package.el calls read-string on untrusted data, so it's still an issue
13:18technomancyread-from-string; sorry
13:19`fogushttp://www.websecuritywatch.com/cve-2012-3479/
13:19technomancydnolen: I haven't used racket; is it a safe operation there?
13:20`fogushttps://gist.github.com/fogus/4716440
13:20ohpauleez`fogus: Thank you
13:20craigbrotechnomancy: in elisp case, it appears that #N for circular objects is the only special reader macro
13:21craigbrotechnomancy: so off the top of my head, only a DOS is possible, but I have not read emacs source
13:21dnolentechnomancy: I don't know, but I wouldn't be surprised if there were exploitable corners given Racket's flexibility
13:21craigbrotechnomancy we want a read with reader macros, ability to read/output java or non-native objects etc..
13:22technomancycraigbro: who is "we"?
13:22craigbrotechnomancy: so once you have those things, read is prolly not what you want
13:23technomancymost people are happy with reader literals
13:23craigbrotechnomancy: err, the people who wrote clojure, those who campaigned for reader macros, those who want to be able to write out their clojure data, and read in their clojure data when it contains non-native objects etc...
13:23technomancyso... people who don't want to bother with reader literals for some reason?
13:24craigbrotechnomancy: when I said reader macro above, I was referring to reader literals, sorry, I confused the terms because of the use of the word macro character on the clojure reference page that talks about them
13:27TimMcI think "reader literal" and "reader macro" are mostly the same thing.
13:28craigbroTimMc: well, with the caveat that reader macros ala CL can modify your read table on the fly, and do a whole lot more in terms of controlling input.
13:28TimMc*Clojure* reader macros
13:28craigbroreader literals just get prelexed forms
13:28technomancyyeah, in my mind "reader macros" refers to the much more flexible CL flavour, right
13:28aroemersAFAIK, reader literals, apart from some default ones, need to be made available to the system explicitly right?
13:28`fogusTimMc: Unless you hack it, the reader macros are not intended for extension
13:29TimMcThere's some confusion here with the #tagged stuff.
13:29craigbroyah CL reader macros have access to the stream being read and all kinds of neat stuff
13:29aroemersIf I am correct, then that is a lot safer than #=()
13:29technomancyaroemers: yes, it's basically always a better choice
13:30craigbroBTW, my support for safe-read or edn-read or whatever, is orthogonal to make *read-eval* default false. however, I also think you will not get read to be safe in the presence of reader literals
13:30FrozenlockIt could lead to some interesting expression. "Ah man, I got #=ed by this deal."
13:31craigbroI mean, looking at the rails sploits, it was a case of something similar to reader literals, being abused because some complicated reader literal fns were hooked up by default
13:31aroemerscraigbro: not even if reader literals are the _only_ way to go, as in #=() is not available?
13:32craigbroaroemers: "not even"? I don't understand, restate.
13:32devnIs it impossible to do this in straight Clojure? https://github.com/danielribeiro/conjcraft/blob/master/java/mod_Conjcraft.java
13:33aroemerscraigbro: I mean, wouldn't that make read a lot safer? If it does not support #=() at all?
13:33devn(because of the @Overrides)
13:34technomancycraigbro: I don't think it's fair to compare it to a bad reader literal; the problem was YAML.load itself
13:34rodnaphcore.logic - if there is no :else on conde, is there an alternative?
13:35gfredericksdoes it sound plausible that `lein new` doesn't add `.lein-repl-history` to the .gitignore?
13:35dnolenrodnaph: you don't need :else in conde, every branch is tried anyway
13:35proger79How to do the same aliasing if instead of println I want to use MessageBox/Show in .NET?: (def out println) (out "hi!") . When using (def out MessageBox/Show) (out "hi!") the error is given: "Unable to find static field: Show in System.Windows.Forms.MessageBox".
13:35technomancygfredericks: it does in 2.0.0, but it's a recent-ish addition
13:36gfrederickstechnomancy: upgraded! all better now.
13:37craigbrotechnomancy: I am refering to the XML containing YAML part of the rails exploit, not the YAML.load !class representation
13:37technomancycraigbro: oh, gotcha; sure
13:37craigbroaroemers: i think it would make it safer, and this it's a reasonable default, however it's not safe, nor is it solving the problem
13:37technomancyI was tracking the rubygems.org exploit more closely
13:38craigbroaroemers: I personally think having it default to false would be good
13:38craigbroaroemers: however, I would also never use read-string even then to read tainted strings
13:39craigbrothe Rails issue is really not about defaults in the language
13:39craigbroit's about defaults in the framework. that same set of decisions that led to it, would not be changed by read-eval being false
13:39craigbroit's the decision to "hey, let's make this more flexible and powerful" without evaluating costs, or being explicit about what exactly you are doing
13:40Frozenlockcraigbro: like a read that does eval at the same time? :)
13:40callenbottechnomancy: just saw the seattle hacking locations post, cool stuff. How'd you come by that standing desk?
13:40rodnaphdnolen: https://gist.github.com/rodnaph/4716586 trying to implement flatten (got my hands on TRS now) - but the else part seems not to be firing correctly... it seems to be an extra clause is needed here to either say that s is a "single" or that it's not null or a pair... ?
13:41rodnaph(thanks too btw - you always seem to answer my silly questions)
13:42technomancycallenbot: it's just a basic ikea model; nothing fancy
13:42craigbroFrozenlock: as I said before, I think it's reasonable for read to be able to do that, and to have reader literals (I want more, but I'll settle)
13:42technomancyI have room to keep a recliner by the standing desk, which means I don't need an adjustable model. I couldn't stay on my feet all day.
13:43craigbroFrozenlock: because the mantra code = data in a place where your data has to interact with non-native data, you need that extra step.
13:43callenbottechnomancy: I've heard having a soft mat to stand on helps with standing desks.
13:43technomancyI have a carpet. it's my knees that get worn out. may have inherited weak knees.
13:44craigbrotechnomancy: standing desk destroyed my knees for a few months too.
13:44craigbrotechnomancy: with mat, with shoes, without etc...
13:44`fogustechnomancy: Relevance has these extra padded floor mats that work wonders for the knees
13:44craigbroI did not get a fancy gel mat tho
13:44technomancy`fogus: huh; I assumed they were more to deal with pain in the feet
13:44callenbottechnomancy: you need more than carpet.
13:44callenbottechnomancy: you really need thick, soft padding
13:45craigbroi have a floor desk, a standing desk and a recliner, and rotate thru them
13:45Frozenlocktechnomancy: if you have some money to spare: geekdesk.com. You can easily switch between standing/sitting and even on-your-knees.
13:45`fogustechnomancy: It's all connected. ;-)
13:45callenbottechnomancy: the knees are probably from the leverage caused by your height :)
13:45craigbrothe floor desk I use a zafu, and sit zazen-style at
13:45technomancyFrozenlock: I have enough room in my lab that I don't need all those in a single desk =)
13:45craigbrotechnomancy: work from home?
13:45technomancycraigbro: home and around town =)
13:46craigbrowork from bars
13:46technomancyhttps://secure.flickr.com/photos/technomancy/tags/laboratory and http://technomancy.us/156
13:46technomancyheh
13:46technomancyand https://secure.flickr.com/photos/technomancy/tags/remoteoffice/ in the summer
13:47craigbrox100e?
13:47technomancycraigbro: the thinkpad? it's an X200s
13:47dnolenrodnaph: I don't think you need that last clause anyhow - it's handled by the first one
13:48Frozenlocktechnomancy: https://secure.flickr.com/photos/technomancy/4397554484/ really? :P
13:48dnolenrodnaph: and that flatteno doesn't do what you think it does - it won't return a flattened list after 1 run.
13:48technomancyFrozenlock: don't knock it till you try it =D
13:48FrozenlockEver dreamed of trying https://en.wikipedia.org/wiki/File:DataHand_Professional_II_Keyboard-Right.jpg?
13:48technomancyFrozenlock: I don't use it all the time, but it lets you keep your arms in a completely neutral position
13:49rodnaphdnolen: ok thanks - i shall take another look.
13:49technomancyFrozenlock: I would love to see that adapted for mobile use. I suspect it wouldn't be as big of a win vs a full keyboard.
13:50rodnaphdnolen: ah yes i see now! i was misguided. back to the drawing board, heh
13:53craigbroyou know
13:53craigbroI didn't realize edn basically has reader literals
13:54craigbroso I definitely support setting read-eval to false by default
13:54craigbrohehe
13:55craigbroof course, the issue of controlling the binding of that var still applies
13:55craigbrohence the need for a edn-read or something, that will never ever eval
13:56FrozenlockI want a function named `read' that does that.
13:58craigbroFrozenlock: hehe 8^)
14:04mpenettechnomancy: About the knee issue with standing desks, a pair of worn out running shoes does it for me (I have that $20 ikea standing desk setup).
14:05ivaraasenhyPiRion: just pushed the decoupled version. wanna have a look at it? wondering if I'm using the right abstractions for decoupling
14:24@rhickeyedn reader done - name game time - edn-read + edn-read-string, or what?
14:25pjstadigread-data?
14:25pjstadigunless you want edn in there
14:25ohpauleezbut it's still a str
14:25@rhickeyread reads data too
14:25rplacarhickey: I go for the original name: safe-read (+ -string)
14:25craigbro+1 edn-read end-read-string
14:25@rhickeyonly reads edn subset
14:25@rhickey safe implies same as read but + safeness
14:25ohpauleez+1 edn-read end-read-string
14:25mpenetread-edn? matches read-string: read-<something>
14:25ohpauleezalso
14:26@rhickeympenet: read-string-edn?
14:26rplacarhickey: ahh, ok, vote withdrawn
14:26@rhickeyread-edn-string
14:26pjstadigread reads data too, but we shouldn't use it to read data
14:26jeremyheiler+1 for read-edn and read-edn-string
14:26pjstadigwhat is the use for read outside of the compiler
14:27@rhickeypjstadig: stop being ridiculous - serious programs use read to read data from trusted sources all day long
14:27rplacarhickey: then I would lead with edn: edn-read (+ -string)
14:27craigbropjstadig: dumping a computation state out between trusted programs
14:27pjstadigwow ok
14:27pjstadigi didn't realize i was being ridiculous
14:27craigbropjstadig: aka, any time I am moving data between trusted programs
14:27mpenetrhickey: read-edn-string sounds good. I prefer the shorter read-edn, but I understand the need to be more specific
14:27@rhickeyread can read data that includes java data structures
14:27craigbropjstadig: join the club!
14:27pjstadigdnolen says read is being "hijacked" to read data
14:28craigbropjstadig: I don't agree with that
14:28craigbroread is for reading clojure data
14:28@rhickeypjstadig: you are overstating things in a manner that suggests not being serious - it's quite obvious that read has a lot of utility - if that's not apparent to you, then just stay out of it
14:28craigbroyou don't read clojure data from strangers, cause remember, data = code in clojure 8^)
14:28pjstadigrhickey: you're being entirely unkind
14:28ohpauleezI like leading with edn ala edn-read-string
14:28pjstadigi wasn't over stating i was asking a question
14:29@rhickey"pjstadig: read reads data too, but we shouldn't use it to read data"
14:29@rhickeyI'm tired of that crap
14:29pjstadigshould have been a question mark at the end of that
14:29@rhickeyI'm trying to work here
14:29pjstadigi'm trying to understand the landscape here
14:29pjstadigwe're going to have read, safe-read, read-edn
14:30@rhickeyuser=> (doc read)
14:30@rhickey-------------------------
14:30@rhickeyclojure.core/read
14:30@rhickey([] [stream] [stream eof-error? eof-value] [stream eof-error? eof-value recursive?])
14:30@rhickey Reads the next object from stream, which must be an instance of
14:30@rhickey java.io.PushbackReader or some derivee. stream defaults to the
14:30@rhickey current value of *in*.
14:30@rhickey Note that read can create arbitrary Java objects etc (controlled by *read-eval*),
14:30@rhickey and as such should be used only with trusted sources.
14:30@rhickey For data structure interop use edn-read
14:30@rhickeyno safe-read
14:30pjstadigok
14:30@rhickeyread and edn-read
14:30craigbroI think I may chang my vote to read-edn and read-edn-string
14:31ohpauleezcool
14:31@rhickeyour big problem was the overloading of read - the internet use case needs something that can be compromised
14:31@rhickeyedn-read has no capabilities to do eval, java etc
14:31ohpauleezthanks rhickey, it's appreciated
14:31@rhickeycan't be compromised :)
14:32craigbroit is also explicit about the format, which includes reader literals, and the security implications of that
14:32craigbroaka, control your *data-readers* map
14:32@rhickeyI like read-edn and read-edn-string, but switching code to the latter might be more of a hassle (says the guy who can't use editors and regexes)
14:32craigbroi like the read-edn because when I do tab completion it is shown 8^)
14:33@rhickeycraigbro: yes
14:33craigbroanyways, the fact that *data-readers* are there also rules out the "safe-" naming convention IMO
14:34@rhickeycraigbro: unless your program is perfect - nothing is safe
14:34ohpauleez+1
14:35@rhickeybut you need never add anything to data-readers
14:35@rhickeyand we might be able to add control over what data readers are active for a read-edn - oh nooo...
14:35craigbrorhickey: read-json in that case is what I do
14:36craigbrorhickey: you do throw out sets and a few other things when you do that
14:36@rhickeycontrol == responsibility
14:37craigbrorhickey: also, the ability to pass in the *data-reader* map to the read-edn* fns worth considering?
14:37craigbroaka, not relying on the dynamic binding
14:37craigbroa stretch...
14:37@rhickeyok - seems like edn-read edn-read-string vs read-edn read-edn-string - vote?
14:38jonasenread-edn
14:38@rhickeycraigbro: could be, but read has that arity overload
14:38TimMcKeep the read-* prefix.
14:38jeremyheileri vote for read-* because it groups them in documentation and easier for auto-complete
14:38craigbroread-*
14:38jkkramer+1 read-edn / read-edn-string
14:38amalloyi like edn-read. splitting read-string in the middle to produce read-edn-string looks confusing
14:38TimMcNewbies are more likely to find read-edn*
14:38saolsenedn-*
14:39normanrichardsread-edn*
14:39@rhickeyamalloy: read-string-edn is possible but ugly
14:40jkkrameralso, would be nice if you could pass read-edn a non-pushbackreader source
14:40TimMcThis is all besides the default-bindings question, yes?
14:40mpenetverb first feels more natural, and is more common
14:40amalloyrhickey: no, i was in favor of the edn-read-string you suggested. just noting why i don't care for read-edn[-string]
14:40teromacronym edn is not very obvious but if there isn't a better name, read-edn sounds better to me
14:40aroemersread-edn (-string) for me
14:41@rhickeyTimMc: what default bindings question - for read?
14:41TimMcFor *read-eval*.
14:41TimMcWrong moment to ask, probably.
14:41@rhickeyTimMc: in this plan nothing about read changes except doc strings
14:41TimMc:-/
14:41@rhickeyas above
14:42@rhickeyTimMc: I can't interpret that emoticon here
14:42ToBeReplacedread-edn (-string) for me; verb the noun
14:42Bronsarhickey: reverted safe-default changes to tools.reader, working on an implementation of edn-only reader, should it handle eg deref/quote or not?
14:43@rhickeyBronsa: I'm pushing edn-only reader momentarily, but no deref/quote in edn
14:43TimMcrhickey: "Disappointment" is probably the closest description.
14:44Bronsarhickey: right
14:44@rhickeyTimMc: I'd like to work on getting everyone on board with educating people about being explicit, and/or just not using read if you don't understand or need it
14:44aroemersamalloy: you can read read-edn-string as "read edn from string", maybe that makes better sense then?
14:45TimMcEducation is a losing game.
14:45TimMcrhickey: So the idea here is that libraries will either call read or read-edn/edn-read?
14:45@rhickeychanging default doesn't really make safe
14:45@rhickeyread-edn is safe
14:46technomancyTimMc: well, libraries that aren't targeting 1.4 compatibility
14:47xeqiI'd rather see clojure.edn/read and clojure.edn/read-string, but I'll vote for read-edn / read-edn-string given the two choices
14:47@rhickeyTimMc: I imagine most public libs only need read-edn
14:47craigbroTimMc: making read safe means disabling the ability to reliably write/read clojure code as data
14:47TimMcrhickey: Doesn't this hardcode a decision into a library?
14:48craigbroTimMc: which I think is a reasonable default behavior
14:48@rhickeyTimMc: there's no decision there, and if you need the power of read then lib uses read, all prior arguments about binding apply
14:48craigbroTimMc: there are more safety issues with read than just #=
14:49@rhickeyTimMc: e.g. libraries that deal with code will use read, libs that deal with the web will use read-edn
14:50TimMcI feel like that's a direct contradiction of what you said an hour or two ago about composability and general-purposeness.
14:50@rhickeybut you simply can't have a facility with a safety switch for primary internet interop, no matter which way it defaults
14:50aroemerschanging the default might mitigate some risk of bad things happening in current bad code. The argument "don't use bad libraries" is not a strong one, one cannot simply write everything oneself or read all the source code.
14:51@rhickeyTimMc: there we were talking about a switchable thing being configured one way at the bottom
14:51@rhickeyI'm still opposed to that, and would advocate that libs that do read not bind *read-eval* for all the reasons I said before
14:52@rhickeybut I think the discussion demonstrated that we can't make that safe, and flipping the default doesn't really make the story different - you should use something much less powerful for internet interop
14:52aroemerstrue
14:52TimMcFlipping the default is about layered security.
14:53TimMcRisk management.
14:53@rhickeynow we'll have something, unambiguously the right thing with no caveats
14:53aroemersit won't make it safe, just mitigates some risk
14:53aroemershmm, that's true as well...
14:53TimMcSo now if I want to use a library that uses read, but I know the data is user-provided, there's no way for me to make the library behave differently.
14:53aroemersdamn this is hard :)
14:53@rhickeyTimMc: switch to read-edn, what's the problem?
14:54@rhickeyTimMc: ? read is still controllable
14:54TimMcSorry, I meant it the other way around. >_<
14:54@rhickeywhich other way? :)
14:54craigbroread-edn
14:55craigbrouse a library that uses read-edn, but know data is user-provided...
14:55TimMccraigbro: *isn't
14:55@rhickeylibrary uses read-edn with user-provided (user is trusted???)
14:55@rhickeyTimMc: could you just restate please?
14:55craigbrooh, I take "user provided above to mean, "from trusted source" sorry
14:55TimMcrhickey: A library that uses read-edn, and I want to point it at non-user-controlled data.
14:56@rhickeyuser doesn't convey anything to me - trusted or not?
14:56TimMcTrusted data.
14:56TimMcSerialized stuff.
14:57@rhickeyso you'll have a contract with trusted people, if more than edn you need read
14:57@rhickeyif not more than edn, trusted/not doesn't matter
14:58craigbroTimMc: I think it would be best for the library, where feasible, to treat it as two different types
14:58hiredmanedn still allows for reader literals
14:58craigbroapplication/edn (or whatever you call it) and application/clojure
14:58ohpauleezapplication/edn is the preferred one now
14:58craigbroand choose the reader appropriately, and also provide you with ability to tell it which types you accept so a non-trusted source can't just set their mime type header and p0wn you
14:58@rhickeyhiredman: yes, whatever you've installed, but not whatever an attacker submits
14:59hiredmanright
14:59hiredmanI am just saying that there is a lot of flexibility there still as a serialization format
14:59TimMchiredman: As long as some random common dependency doesn't have an unsafe data-readers...
14:59@rhickeyhiredman: absolutely
14:59TimMcStill better than #=, mind you.
14:59@rhickeyTimMc: you can't have everything
14:59glosolihey folks, any ideas what can be the problem I installed LA Clojure plugin in Intellij IDEA CE, but it doesn't appear in the new project list
14:59glosoli?
15:00craigbroTimMc: then we're in the same boat, controller a dynamic binding 8)
15:00hiredmanrhickey: so when do we get a built in data reader for binary data? #base64 or whatever? :)
15:00@rhickeyread-edn* seems to be the winner, how about that doc string for read?
15:00@rhickeyhiredman: soon I hope
15:00craigbrowe've solved the ruby YAML problem, we can't solve the rails XML reader problem 8)
15:01TimMcrhickey: I'd prefer the docstring for read mentioned "arbitrary code execution". It needs to leave nothing to the imagination.
15:02craigbroGist of read doc string: https://gist.github.com/craigbro/4717176
15:02TimMc"Arbitrary Java objects" isn't scary enough.
15:03TimMcWho's going to read that and think "hmm, static initializers..."?
15:05akhudekTimMc: I agree with your "arbitrary code execution" suggestion.
15:06@rhickey Note that read can execute code (controlled by *read-eval*),
15:06@rhickey and as such should be used only with trusted sources.
15:07@rhickeywhat's the unicode character for scary monster?
15:07aroemersnice
15:08angermanCan I make a String in cljs Meta capable?
15:08redingerclosest I can get: 👾
15:08@rhickeylooks like a box here
15:09@rhickeyscary box
15:09craigbroUnicode hexadecimal: 0x1f627
15:09bruceadamsi don't suppose a snowman is scary ☃
15:10angermanI'd like to do something ^raw "<b>…</b>"
15:10angermane.g. tag a string as raw html… but apparently, String does not like meta.
15:10kalizgai suppose the shortcut for deref can't be used here; the macro system will think i want to splice: `[1 ~(deref (ref 2)) 3]
15:10amalloyangerman: if you can, you probably shouldn't
15:11xeqi
15:11amalloykalizga: ~ @(ref 2) probably works fine, though i prefer deref
15:11kalizgayep, that works, amalloy
15:12@rhickeyso everyone's still unhappy with this plan, or the happy people are silent?
15:12angermanamalloy: so I better create a wrapper type?
15:13akhudekread-edn* sounds fine to me
15:13amalloyangerman: personally i wouldn't use a type (or at least wouldn't call it by such an exalted name). just a map with some data in it is fine
15:14@rhickeywe also could revisit the arglists for read-edn, Clojure's read following CL but I don't think the other args are often used
15:14@rhickeykeeping it the same makes a migration easier, but saddles us with those arglists moving forward
15:15angermanamalloy: hmm good idea. Maybe I was on the wrong path anyway.
15:15amalloyrhickey: fwiw, i never use eof-error? or recursive?. i'd be happiest with ([] [stream] [stream eof-value])
15:15@rhickeyamalloy: same here
15:16jonasenWhat does recursive? do?
15:16amalloyhonestly i usually rebind *in* rather than using `stream`, too
15:17pepijndevosahoy clojure discussion! What's happening?
15:18matthavenerseems like the unhappy people are silent
15:19jweissanyone have a problem opening large (3mb) clojure data file in emacs? font-lock-mode goes crazy for me, emacs hangs longer than i'm willing to wait.
15:21sveduboisIs this java to clojure correct?
15:21sveduboislong minSize = randomAccessible.dimension( 0 );
15:21svedubois(def minSize (..dimension randomAccessible 0)
15:21pepijndevossvedubois: why the double dot?
15:21hyPiRionIs there still a discussion about read-edn-string ?
15:22hyPiRionBecause I seem to be late to the party, and want to propose string->edn
15:22svedubois(def minSize (.dimension randomAccessible 0)
15:22matthavenersvedubois: just one dot, yep
15:22tcrawleysvedubois: and a closing )
15:23sveduboisyes
15:23pepijndevoshyPiRion: what is it anyway? I'm extra late to the party
15:24hyPiRionpepijndevos: 1.5.0-beta7 added safe-read and safe-read-string, which binds *read-eval* to false before calling the "unsafe" versions.
15:24matthavenerhyPiRion: the function would be called "string->edn" ?
15:24mattmossSome of us silent folks don't understand the issue, btw.
15:24hyPiRionmatthavener: Well, I think it makes sense.
15:24mattmossListening to the middle of a conversation has never been a strong point of mine. :)
15:25nDuffhyPiRion: Are you actually serious about that?
15:25pepijndevoshyPiRion: And then the edn version is the one that reads edn as opposed to safe???
15:25lazybotpepijndevos: Yes, 100% for sure.
15:26hyPiRionnDuff: Every record makes ->Recordname and map->Recordname, so it seems consistent to me. I don't know.
15:27hyPiRion*defrecord
15:27kokenx5hello
15:27kokenx5a
15:28nDuffhyPiRion: yes, but you're not creating an object of type edn here.
15:28hyPiRionpepijndevos: safe-read would be renamed to edn-read (or read-edn, whatever), and safe-read-string would be read-edn-string.
15:28kokenx5anyone know what the hell clojure ns is?
15:28hyPiRionnDuff: I don't consider records to be objects though. I consider them to be data
15:28nDuffhyPiRion: What you're doing is much, much more analogous to reader operation.
15:28nDuffs/you're/this is/
15:29kokenx5is clojure a middle tier language
15:30hyPiRionnDuff: Oh right, *facepalm*
15:31nDuffkokenx5: That's quite a vague term. Clojure is general-purpose.
15:31hyPiRionedn stands for extensible data notation, you're not really converting anything, you're parsing it based on edn.
15:31Wild_Catwhat are language tiers?
15:31amalloyjweiss: are you using rainbow parens?
15:32callenbothow much sense would it make to use something like Antlr4 from Clojure programmatically?
15:32callenbotis that even a good idea?
15:32kokenx5nDuff: i mean is it used in the place of something like jsp or is it seen as a utility library?
15:32nDuffkokenx5: Clojure can be used all the way from the far back to the far front.
15:32jweissamalloy: no. i had some extra highlighting on top of the normal clojure-mode but i took that out and still had the same problem. so even vanilla clojure-mode seems to have a problem. maybe because this clojure file was written to disk with the intention of reading it back in (so it's just one long line).
15:33nDuffkokenx5: ...you can use ClojureScript to build JavaScript for the client side of the UI, Clojure for the servlet bits, Clojure for any templating you need, etc.
15:33Wild_Catkokenx5: you can run your entire webapp stack on Clojure.
15:33@rhickeyhow about a system property for *read-eval* default?
15:33hyPiRioncallenbot: I've heard of some people using Antlr from Clojure, and they haven't said it's bad at least.
15:33kokenx5nDuff: thats insane
15:34kokenx5Wild_Cat: insane
15:35rbxbxhyPiRion callenbot https://github.com/briancarper/clojure-antlr-example
15:35nDuffkokenx5: Flexibility is a strength of LISP-family languages.
15:35thhellerhey, I have some clj->cljs conversion troubles, I pr-str'd a date in clj and get #inst "2012-01-23T14:03:19.445000000-00:00", cljs complains "Assert failed: timestamp millisecond field must be in range 0..999 Failed: 0<=445000000<=999"
15:35rbxbxolder, but probably still relevant-ish
15:35thhellershould I file a bug? :P
15:35hyPiRionrbxbx: thanks
15:35hyPiRion(inc rbxbx)
15:35lazybot⇒ 1
15:35rbxbxcheers :)
15:35kokenx5nDuff: I am a front end developer, so can you give me a sense to what clojure is most commonly used for?
15:36nDuffkokenx5: As I said -- it's a general-purpose language. There's no one niche I can describe to you.
15:36kokenx5nDuff: in a way I might understand
15:36kokenx5nDuff: so its a utility library ?
15:36tomojthheller: a Date or a Timestamp?
15:36hyPiRionkokenx5: What is Java for you?
15:36thhellerits coming from sql so probably a timestamp
15:37tomojTimestamps have ns precision, which cljs can't handle.. hmm
15:37kokenx5hyPiRion: i dont know squat about java past jsps in a j2ee
15:38hyPiRionkokenx5: Okay, tell me some languages you know and what you consider them to be
15:38tomojshould cljs just drop the ns?
15:38tomojor should you have to convert instants to ns-less instants before printing for cljs?
15:38bruceadamsrhickey: system property for *read-eval* doesn't sound helpful.
15:39kokenx5hyPiRion: javascript, a loosely written language for the UI that can have OOP principles applied to it
15:39thhellerdunno, what does edn say? :)
15:39dnolentomoj: there's a ticket to add support for nanosecond precision
15:40thhellerI'd be fine with no ns, just blowing up in my face sucks
15:40@rhickeybruceadams: would let whoever doesn't get their way to swap the default without a major code change
15:41@rhickeyI guess more transitional than operational
15:41tomojdnolen: what, monkey-patch Date, or have the instant reader return something else?
15:42bruceadamsrhickey: ah, ok. a way to pretend to have some control over older and/or unknown libraries. sounds like a band-aid.
15:42kokenx5is clojure better than groovy
15:42@rhickeybut it's too easy for people to say - everyone can just wrap their code with binding *read-eval* true
15:42nDuff*snerk*.
15:42@rhickeybruceadams: a band-aid is what people are clamoring for IMO
15:42tomojdnolen: nvm, I'll read the ticket :)
15:42nDuffkokenx5: You're picking an easy target there -- I'm hard-pressed to think of anything worse than Groovy.
15:42nDuffkokenx5: The bytecode it generates is abominable.
15:42dnolentomoj: instant reader that returns something else that supports all the operations possible of js/Date sounds ok to me.
15:42bruceadamsrhickey: it does sound that way, yes
15:43kokenx5nDuff: LOL
15:43pepijndevosdnolen: Is this okay? https://github.com/clojure/core.logic/wiki/Extending-core.logic-(Datomic-example)
15:44dnolenpepijndevos: looks good to me
15:44TimMcrhickey: To recap, you're worried that defaulting *read-eval* to false will A) lull people into a false sense of security, and/or B) break too much code?
15:45@rhickeyTimMc: both
15:45pepijndevosdnolen: cool. I'll see if I can actually replicate it with Redis once I have some time.
15:45ravsterhello all
15:46@rhickeyTimMc: I'm happier now with the warning on read and the clearly safe read-edn alternative
15:46dnolenpepijndevos: thanks for updating the wiki
15:46@rhickeybut people with perfectly fine programs will get broken to protect others
15:46hyPiRionrhickey: I think that should be sufficient, as long as the community actively explains the difference between read and read-edn.
15:46pepijndevosdnolen: no problem. I'm more than happy to contribute to core.logic in ways that do not break my brain :P
15:46ravsterI'm trying to learn the 'friend' auth system. I'm finding it difficult to wrap my head around it. Is there a tutorial or some text out there that explains the reasoning behind the 'friend way'?
15:48@rhickeyTimMc: making *read-eval* default to false won't make using read for untrusted data, without explicit binding, ok
15:48TimMcSure.
15:49TimMcI don't think anyone is arguing that it would.
15:49ivaraasendnolen: the Reasoned Schemer is melting my mind, but in a cozy way
15:49borkdudewow, discussion still going
15:49@rhickeyTimMc: by arguing for the default to change they are arguing for being able to leave their broken programs alone
15:50TimMcThat's an unfair characterization.
15:50kayokenx5what is the purpose of a jvm based language
15:50pepijndevosAs someone who doesn't hang out on the mailing list all the time, I find using edn more confusing. Until 5 minutes ago, I did not know or remember what edn was.
15:50@rhickeymaybe others' broken programs, let's say
15:50kayokenx5is it to limit the amount of java written?
15:51ravsterkayokenx5: :)
15:51matthavenerI think its more people are afraid the community will be "shamed" ... the YAML::load of clojure
15:51@rhickeyTimMc: certainly some of the programs are broken due to ignorance due to lack of documentation
15:51Wild_Catkayokenx5: the purpose is to benefit from the JVM's omnipresence, the Java ecosystem (tons of existing libs) and to not have to write a complicated optimizing compiler
15:52@rhickeymatthavener: what's more shaming - we fooled ourselves into complacency by changing a default or mobilized everyone to become actually safe?
15:52TimMcrhickey: A default binding of false will not prevent the community from doing education as well.
15:52kayokenx5wild_cat: so the flip side would be to use vanilla java which would be inefficient in some cases?
15:52matthaveneri agree rhickey, i think the long term is to avoid complacency and the expense of a short term patch
15:53@rhickeyTimMc: that's the first iota of that spirit I've seen today
15:53Wild_Catkayokenx5: ah, you meant the benefits of using a JVM-based language compared to using Java itself directly?
15:54Wild_Catkayokenx5: well, at that point it's mostly a matter of *programmer* efficiency. Languages like Clojure and Scala are far more expressive than plain old Java, and allow you to write your programs more quickly, in much less code and very often with less bugs.
15:54TimMcrhickey: You see people warning each other about unsafe stuff *all the time* in here.
15:54kayokenx5Wild_Cat: there is no other alternative right, either Java itself or a JVM lang
15:54kayokenx5?
15:54bruceadamsTimMc: changing the default binding has the potential to confuse people into thinking it fixed everything
15:54Wild_Catkayokenx5: of course there is. You can use a non-JVM language :p
15:54TimMcbruceadams: Which people?
15:54aroemersrhickey: how about a dynamic var that warns us that an unsafe read takes place? Like *warn-on-reflection*? That way it might be easier to pinpoint whether a lib is bad, without reading its entire source code?
15:54matthavenerbruceadams: i think worse it just breaks legacy functionality
15:55TimMcbruceadams: The people who already know it exists at all won't be confused, and the other people, as I said, won't know about it.
15:55bruceadamsTimMc: i was thinking of people on the edges of the clojure community, who aren't in the constant conversations.
15:55bruceadams(which, at times, includes me)
15:55pepijndevosdnolen: it seems the actual to-stream for datomic is somewhat more complex than the example. What is going on there? Are you walking vars to pre-select on grounded values or something like that?
15:55aroemersrhickey: not that such a thing should be in 1.5, but more, do you like such an idea?
15:56TimMcThere's such a big fuss right now that anyone who hears about the change will also almost certainly hear about the discussion *not* to change it.
15:56bruceadams"did you hear that clojure has a problem like that rubygems.org thing? yeah! but I hear they fixed it..."
15:56bruceadamssomething like that.
15:56SgeoWhat change?
15:56@rhickeybruceadams: but changing the default doesn't fix it
15:56TimMcbruceadams: I suppose nuance could be lost along the way.
15:56dnolenpepijndevos: there's some half-baked smarts to access the right index based on ground vars
15:56clojurebotvars are a linking construct
15:57@rhickeydnolen: that reminds me, I owe you fully-baked smarts
15:57SgeoOh, default of *read-eval*?
15:57bruceadamsrhickey: exactly. which is why "fixing it" scares me. people will hear "fix" without the subtleties.
15:58TimMcbruceadams: And you think these few people would otherwise have been carefully binding *read-eval* to false?
15:59bruceadamsTimMc: no, certainly not. i can hope that we can get the message out that "read" is dangerous and to use read-edn (or others) instead.
15:59TimMcbruceadams: Then at worst they're still writing broken programs, just like they would have.
16:00TimMcEducation about read is a separate thing, and only helps, but is not sufficient.
16:00TimMcIt's not like this would make *those people's* programs more unsafe.
16:01xeqiis read-edn planned as a change for clojure 1.5 or a separate contrib?
16:01seangrov`Where the hell do Infinity/-Infinity live in js?
16:02bprFloat/POSITIVE_INFINITY
16:02bprsimilar for Double
16:02TimMcseangrov`: In JS, just Infinity
16:03TimMcYou mean how to get it from CLJS?
16:03seangrov`Must be on the window object then
16:03pimeysis it really so bad to break things for good sometimes?
16:03seangrov`Yeah
16:03pimeysI know, it's annoying
16:03pimeysbut coming from the ruby world...
16:03pimeysthis is peanut
16:03pimeyss
16:03TimMcpimeys: And it wouldn't be the first breaking change...
16:03nDuffpimeys: You realize that that's a major drawback to Ruby?
16:03TimMcGod knows the RTE-wrapping stuff screwed up a bunch of programs.
16:04amalloyquick, someone caption a "This is Sparta!" image with "This is peanut!"
16:04pimeysjust a good way to do it is to spam with deprecation warnings
16:04pimeysbut I don't know...
16:04Foxboronamalloy: i think "This is data!" is better.
16:04pimeysnDuff: I do
16:04pimeysand more for Rails
16:04pimeyswhere upgrading is very expensive
16:06TimMc"Breaking code" is an *extremely* weak argument.
16:06cemerickwow, still churning
16:06TimMcPeople don't expect Clojure to follow semver.
16:07xeqicemerick: it died for awhile
16:07cemericktopic "weather" visualizations for irc/twitter/g+/etc would be an interesting service
16:08akhudekcemerick: nice idea!
16:08seangrov`cemerick: What's churning?
16:08akhudektopic forecasts could be a neat CS problem too
16:08amalloycemerick: weather? like, "there's a big arbitrary-code-execution front blowing through #clojure today"?
16:08ravsteramalloy: lulz
16:09cemerickThere's very generalized sentiment stuff, but discrete topics aren't bubbled up last I saw.
16:09ravster(about 'this is peanut')
16:09cemerickamalloy: exactly
16:09cemerickseangrov`: I saw TimMc talk about 'breaking code' arguments, so I inferred...
16:09TimMcAnd you were right.
16:09seangrov`Ah, I see
16:10amalloycertainly would be fascinating if anyone could make it happen
16:10cemerickamalloy: really just a wordcloud or something might be enough
16:10akhudekcemerick: applying an online LDA process to it and reporting a sample from the top topics might work
16:10cemerickyeah, hook opencalais up to it, etc
16:11hiredmandnolen: I've been thinking it would be neat to do something with a rest api (maybe github's?) with core.logic in clojurescript, but it doesn't seem core.logic plays well with ajax, I cannot start a core.logic computation, suspend the computation then resume it after I get a result
16:11TimMccemerick: "Temperatures will rise toward mid-day as an HTML-templating front sweeps in from Callenia."
16:12cemerickexactly
16:12xeqiy u no use laser?
16:12dnolenhiredman: suspending + resumption is something I plan on looking at some point. I think Kanren went there at some point ...
16:12TimMc"Deaths may be in the tens of thousands."
16:13hiredmandnolen: a cps monad transformer or whatever
16:14dnolenhiredman: things will probably be easier when I make search configurable
16:15amalloycemerick: a word cloud for that would be pretty neat, in fact. just browsing through what yesterday's cloud might look like is entertaining
16:16hiredmanok, good to know it is a "thing" and I am not overlooking something else
16:16cemerickyeah
16:18@rhickeyif you don't think code breakage is a big deal, it would be easy to set it up so all code blows up that hasn't explicitly set *read-eval*
16:19@rhickeyI've got that running, here, it's quite interesting
16:19@rhickeyeveryone seems ok with breaking other people's code, this would break almost everyone - fair?
16:20sveduboisIs there a better/more concise way to write this java example to clojure?
16:20sveduboishttps://github.com/imagej/imglib/blob/master/imglib2/examples/src/main/java/Example4a.java
16:20sveduboishttps://www.refheap.com/paste/9495
16:21amalloysvedubois: that doesn't look like it works. the loop form always exits immediately, for example
16:21dnolenhiredman: even if I add search customization support I can't say how hard or easy it would be to actually implement restartable search. It's definitely interesting to me.
16:21@rhickeycertainly safest, as the semantics surrounding every read would have to be considered
16:22abedrarhickey: what interesting things are you seeing?
16:22@rhickeyabedra: just the breakdown of trusted contexts vs not
16:22hiredmandnolen: sure
16:26@rhickeyand thinking through, if there was this must-specify rule for everyone, people migrating would almost certainly just search/replace read with read-edn for untrusted contexts, leaving people with trusted contexts to have to do a lot of binding-wrapping they don't need to now
16:26abedrarhickey: interesting
16:28rplaca4
16:28@rhickeyOTOH, I keep trying to protect these people and none have shown up :(
16:29abedrarhickey: I like the idea of separating contexts
16:30@rhickeythe idea is already there, but since switchable, no default is reliable
16:30abedrapotentially even a fn/macro 'trusted' that has different bindings/behavior
16:31reiddraperapologies if this is a can-of-worms question, but are there that many cases where users of libraries want to change *read-eval*? why have a var at all, and not just make read*/load functions take an extra argument?
16:31abedraPersonal opinion is to default to the safest thing and allow easy switching
16:31aroemersrhickey: I actually like that idea, of an initially unbound *read-eval*. hyPiRion also suggested this. Does it really break so much?
16:31cemerickrhickey: who are you protecting?
16:31SgeoHaskell's unsafe functions typically get unsafe in front of their name
16:32TimMcSgeo: RH has already expressed his concern that we'd get a proliferation of unsafe-* aliases.
16:32Sgeooh
16:32SgeoI should learn to pay attention before saying things
16:33FrozenlockSgeo: I suspect the number of people following this conversion is greater than what it appears to be. They are all paying attention :P
16:34SgeoI'm working on a blog post... that sort of complains about Clojure
16:34Sgeo>.>
16:35FrozenlockWhat is its theme?
16:35abpthe parens
16:35Frozenlock,flame abp
16:35clojurebot#<CompilerException java.lang.RuntimeException: Unable to resolve symbol: flame in this context, compiling:(NO_SOURCE_PATH:0)>
16:35@rhickeycemerick: people who are happy with the status quo, wrap their untrusted reads with bindings, leverage the power of the reader otherwise
16:35Frozenlockaw cmon bot, you don't have a `flame' option?
16:35abpFrozenlock: yes, Sgeo
16:35technomancyfor the record I fully agree with cemerick, except for the name of dangerous-read; read-unsafely is a better name.
16:35SgeoTyping. I think trampoline is somewhat unclean
16:36technomancy(not that I feel like arguing it right now)
16:36SgeoAnd that there would be a cleaner design if people approached writing trampoline with the mentality of someone used to static typing
16:36TimMcUnbound *read-eval* is kind of tempting, in a "it's so crazy it just might work" sort of way.
16:36cemericktechnomancy: the naming for the bifurcated fns was a very minor proposal
16:36SgeoWhich is not to say I'm advocating for static typing -- just the mindset that static typing brings
16:37TimMcThe downside is... what, an extra line in every app?
16:37TimMcIt certainly would educate people.
16:37abedraTimMc: potentially an option in Leiningen project.clj file?
16:37cemerickrhickey: I keep waiting for the killer use case for #= that make it worth maintaining as a default.
16:37technomancyabedra: yeah, but it wouldn't help for people who deploy uberjars
16:38abedratechnomancy: uberjar could respect that and add it
16:38TimMcabedra: `lein new app`'s template could include it
16:38technomancyabedra: yeah... I've been reluctant to engage in meddling so far, but this could change my mind =\
16:39cemericks/the killer/any
16:39cemericktechnomancy: that'd save me from twiddling things in friend ;-P
16:40xeqiI'm happy with the read-edn functions. I'd prefer read not to be able to load classes or eval by default, but I can alter-var-root my way around that
16:41sveduboisI have changed loop for for: https://www.refheap.com/paste/9499
16:41sveduboisAre there any more errors ?
16:41sveduboisThe java example reference: https://github.com/imagej/imglib/blob/master/imglib2/examples/src/main/java/Example4a.java
16:41TimMcxeqi: Good point re: alter-var-root; (binding ...) wouldn't help with non-binding-conveyed threads.
16:45amalloycertainly both of those `for`s want to be doseqs, at least. whether there are any other errors i don't know; i'm only really willing to glance over it
16:50FrozenlockI'm starting to wonder if #clojure is the official documentation.
16:50TimMcHow would an unbound *read-eval* affect the REPL?
16:53@rhickeycemerick: just because you don't use it doesn't mean no one does. e.g. clojure reader page promises:
16:53@rhickeyCalls to Java class, deftype, and defrecord constructors can be called using their fully qualified class name preceded by # and followed by a vector:
16:53@rhickey#my.klass_or_type_or_record[:a :b :c]
16:53sveduboisI have changed for for doseq, are there any more errors? https://www.refheap.com/paste/9500
16:54pppauli have an issue with responding with generated xml (via clojure.data.xml). sometimes my tags have spaces in the middle of them…. eg <Fa cet Name="something">....
16:54pppaulanyone have a similar issue?
16:54pppaulby responding i mean via ring/compojure
16:54TimMcI had no idea you could do #java.lang.Integer[4] -- I thought that was only for defrecords and deftypes.
16:55cemerickrhickey: That surely predated IType and IRecord
16:55@rhickeycemerick: and being cavalier about breakage is simply not being serious about language stewardship
16:55TimMcI suppose the machinery doesn't care.
16:56@rhickeyalso the reader can convey and embed classes, and function values
16:56TimMcEmbed classes?
16:56@rhickeyyes
16:56FrozenlockFunction values?
16:56Frozenlock:)
16:56TimMcLike, (read-string "java.lang.Integer")?
16:56@rhickeyand Java collections nested in Clojure collections etc
16:57@rhickeyyou can't advocate for the language being one way or another just from your own experience, you have to think about other people doing different things
16:57@rhickey#=java.lang.String
16:58@rhickeyThere are people who know about and use these things even if you don't
17:00@rhickeyuser=> (binding [*print-dup* true] (pr-str +))
17:00@rhickey"#=(clojure.core$_PLUS_. )"
17:00@rhickeyFrozenlock: ^
17:00cemerickrhickey: Classes, function values, etc can all be conveyed without enabling arbitrary evaluation. I'm not being cavalier about breakage, I'm attempting to be practical and principled given likely threats.
17:00@rhickeycemerick: but people are complaining that class loading is a form of evaluation, and it is, and you can't draw a line around which classes are ok
17:01@rhickeythen there are the java types you might want to embed that have no ctor, but do have static factory method
17:02@rhickeycemerick: either you are open to the java world or not, and it is difficult to circumscribe it
17:03@rhickeycemerick: and claiming there are other ways ignores the fact that people are already using the existing ways, thus breakage
17:04@rhickeyi.e. #=(clojure.core$_PLUS_. ) might already be sitting in files
17:04cemerickrhickey: Indeed, class initialization is a sticky issue; perhaps the other arity of Class/forName helps there. At no point did I claim that e.g. my patch was the end-all, be-all. However, it significantly narrows the vulnerability.
17:04@rhickeycemerick: not buying that
17:06TimMcrhickey: There are class initializers that can do arbitrary code eval, or what?
17:06cemerickrhickey: Well, okay. Likewise, I don't think the advice of "you all just need to be better programmers" is a reasonable stance. We'll just have to agree to disagree, at least for now.
17:06@rhickeyTimMc: every clojure AOT class does, for example
17:07@rhickeycemerick: don't put quotes around something I didn't say
17:07FrozenlockThat's probably where my java ignorance shines... I don't understand what's the advantage of using #= vs ((eval (read-string "+")) 1 2). :(
17:07cemerickrhickey: Apologies. That's my paraphrasing.
17:08@rhickeyFrozenlock: the former yields an object in the read data, the latter needs to be evaluated
17:08TimMcFrozenlock: It's for (de)serializing data.
17:08@rhickeycemerick: what I've been saying is clear - only explicit is safe
17:10cemerickrhickey: I understand; except that there is case after case of that approach being unsustainable and not applicable to the general programming populace, or to really great programmers having a bad day.
17:10pbostrom_svedubois: you need to do some reading about some Clojure fundamentals like immutability and lexical scope; for example, your code implies that you can reassign minSize at will, and radiusLargeSphere will be automatically updated with the latest value
17:11technomancyyeah, I'd feel more comfortable with education as a solution if we didn't regularly have people coming into the channel asking why contains? doesn't work on lists.
17:12@rhickeyI fail to see how changing the default solves anything
17:13@rhickeynon-explicit code is at permanent risk of having its risk escalated silently
17:13cemerickrhickey: there is no Solution™; there are only ways to limit the scope of such vulnerabilities, and then contain the damage that can be done from within them.
17:13mattmossrhickey: Is there a pull request/bug tracker issue/changelog/etc something that succinctly identifies what the issue is? I can't say I've followed the whole discussion, but I'd like to understand it.
17:13hyPiRionmattmoss: I'll give you a link
17:14hyPiRionhttps://groups.google.com/forum/?fromgroups=#!topic/clojure-dev/zG90eRnbbJQ
17:14TimMcrhickey: I sometimes forget to put in safeguards. I'd like to find out about such an oversight via a code quality checking tool rather than an exploit.
17:14mattmosshyPiRion: Thanks.
17:14@rhickeycemerick: that's simply not true, the force explicitness code I have is categorically different than changing the default
17:15normanrichardsAs long as proper replacements are provided, I don't see why there's a need to change to the current behavior. I'd feel more comfortable calling a new function whose contract and design is safety rather than worrying about possibly breaking changes.
17:15@rhickeyI find it interesting you guys aren't rallying around that as being superior, I guess cause it will break your code
17:15TimMcYou're not forcing explicitness by leaving read (and its settings) completely unchanged -- broken code stays broken.
17:15craigbrodoes a modern (1.4) pr ever produce output that cannot be read with *read-eval* false by a modern (1.4) read?
17:15@rhickeyTimMc: no, the code here requires all use bind *read-eval*, if you fail to do so you read will fail
17:16cemerickrhickey: I'm not aware of the approach, wasn't watching the channel for most of the afternoon.
17:16@rhickeyTimMc: breaking almost everyone, but in the end all code will be explicit
17:18TimMcrhickey: Ah, you're talking about the unbound approach? Yes, that does force explicitness, and I like that about it.
17:18TimMcIt's a *different* approach, though, and I am unsure what knock-on effects it would have.
17:18@rhickeynot exactly unbound
17:18TimMcOh, :unbound?
17:19@rhickeyinit nil vs true/false
17:19@rhickeyand can init from System property
17:19@rhickeyso no one need break
17:19TimMcHuh. And then read would yell if it's nil?
17:19@rhickeyread thros if nil
17:19@rhickeythrows
17:20craigbroseems like a solomon's compromise to me
17:20TimMc:-D
17:20craigbrokinda makes clojure broken by default 8)
17:21@rhickeyThe goal at the end of the day should be safe programs. Don't mistake 'safe' default for a goal, it is a mechanism, and a weak one since it doesn't yield the goal. forced init does
17:21TimMcrhickey: Yes, I would feel much more comfortable about my own code if that were in place. However, I'm not sure what else might suddenly break.
17:21TimMcSafety is a process.
17:21amalloycraigbro: persnickety by default, perhaps. the current "arbitrary eval whenever" behavior is broken by default
17:21craigbroI disagree
17:22craigbroamollow: that was, I disagree with your last statement
17:22@rhickeyTimMc: so the process can involve setting the property to start, testing without, making your code explicit then doing without the property
17:22ChongLiI like it
17:22craigbroamalloy: amalloy even, sorry 8^)
17:22ChongLiwhenever you force someone to be explicit they can't get around thinking about the implications
17:22amalloydoesn't your client have tab-completion for nicks, craigbro?
17:22craigbroamalloy: yes, and I thickfingered it by instinct
17:23craigbroamalloy: anyways, I don't think current default behavior is broken
17:23craigbroamalloy: I asked earlier if pr produced anything that read cannot read with *read-eval* set false
17:23TimMcSo the compiler would need to bind it for its own stuff, the REPL would need to make a decision, etc.
17:23craigbroaka, is there anything in clojure that relies on the #= now
17:24amalloyof course there is. if nothing in clojure relied on #= it either would never have existed, or rich would just delete it without wasting his time asking us what to do
17:24craigbrook, then it's not broken
17:24craigbroand by default, I should be able to pr and read any fucking data
17:24craigbroprofanity denotes enthusiasm, not aggro 8^)
17:25TimMccraigbro: I think everyone here agrees that *read-eval* has severe security implications?
17:26craigbroreading clojure code over the internet has serious security implications
17:26craigbrothat the default behavior of read is to accept all pr produced clojure code is not broken
17:26TimMccraigbro: Or data, or from the filesystem, or...
17:26craigbroit is misuse of read
17:26craigbrosure, internet was used as shorthand for "untrusted"
17:26TimMccraigbro: It happens to be the only utility to do so.
17:27TimMcI await your submission of an EDN reader.
17:27TimMcIn core, mind you.
17:27RaynesTimMc: Didn't rich just write one...?
17:27RaynesHe was asking what to name functions for it like an hour ago.
17:27craigbroTimMc: not true at all, there is an edn reader now, read-json is what we use for moving data in our web app
17:27TimMcJSON... right...
17:28technomancyRaynes: no, that was just read-string with *read-eval* disabled as a placeholder for a future compliant implementation
17:28RaynesI see.
17:28craigbroTimMc: yes, json, because it's a well defined, non-evaluative, and restricted subset. If we needed more we would use EDN
17:29TimMcWell, if you don't see the use case for read + *read-eval* false, I can see why you're having trouble following.
17:30craigbroTimMc: I understand the use cases people have put forward, and I also have pointed out that setting it to false is not sufficient
17:31abedraall it takes is a (binding [*read-eval* true] ...) inside of some injected code to put it all back together though right?
17:32craigbroabedra: if you can "inject code" at that point you wouldn't bother
17:32@rhickeyabedra: no injecting needed, that might be bound accidentally around some code that presumed the 'safe' default
17:32TimMcabedra: You're confusing levels.
17:33craigbroif the purpose of read is to read clojure code
17:33@rhickeygun, meet foot
17:33craigbrothey don't break it because people might read untrusted data with it
17:33craigbros/they/then
17:33technomancyseems like never binding *read-eval* around anything other than a call to the reader itself would prevent that easily
17:33@rhickey-Dclojure.read.eval=false
17:33abedracraigbro: I completely understand
17:33hiredmancemerick: speaking of reading things, nrepl seems to blow up if I put a data literal inside an expression, like (type #foo/bar ...) but not if I do something like (def x #foo/bar ...)
17:33abedrajust throwing out things to consider
17:34@rhickeyOk, here's the current package:
17:34@rhickeynew read-edn* functions, have none of the dangerous code of the reader
17:34@rhickeydefault for *read-eval* is 'unset'
17:35@rhickeyreads with 'unset' *read-eval* will fail
17:35@rhickeyyou can either bind (preferred in the end)
17:35@rhickeyor, use properties like -Dclojure.read.eval=false/true
17:36@rhickeythus no awkward root binding or thread propagation issues
17:36craigbroin CL *read-eval* defaults true
17:36craigbrojust a data point
17:36@rhickeyalso, no defaults - you must make some choice
17:37TimMcSounds great.
17:37thhellerIs it still required to sign the CA on paper to get a patch accepted into CLJS? (just opened CLJS-466 with patch)
17:37craigbrorhickey: the idea of shipping a lisp that can't read it's pwn pr without setting a config var or binding something strikes me as horrid
17:37Frozenlockcraigbro: Don't you have to use `eval'?
17:37Bronsarhickey: would the whitelist stuff be still there or not?
17:37@rhickeyBronsa: no
17:37cemerickrhickey: If I had had any inkling that you would have ever considered such a thing, I would have proposed it. :-)
17:38@rhickeysame old reader
17:38@rhickeycemerick: yeah, sure
17:38craigbroI feel like we're being scared into breaking the system
17:38TimMccraigbro: All that means is that the printer is too expressive.
17:38craigbro5 years of CL web dev, and no one ever suggested that *read-eval* default to false because someone might read bad data with it
17:38rboydkeep clojure weird
17:38abedrarhickey: +1 I like that idea
17:38technomancyrhickey: definitely an improvement; I approve.
17:39cemerickrhickey: you could add a ;-) sometime ;-)
17:39Raynesrhickey: I give my approval, because I know how important it is to you.
17:39ChongLicount me in, though I don't think this is really a vote
17:39@rhickeycemerick: I'm too exhausted to emoticon
17:39craigbrohah
17:39@rhickeyis that a verb?
17:39TimMcemote?
17:39Raynesemote
17:39TimMciconemote?
17:39technomancywe should take special care that the error message points is actionable and makes it clear what to do in the case of either trust or lack thereof
17:39technomancys/points //
17:40@rhickeytechnomancy: do you have a positive suggestion?
17:40TimMcNew bikeshed topic: Proper error message for read on unbound-*read-eval*.
17:41TimMcPass it on.
17:41ChongLihow many people are going to point their project.clj to clojure 1.5 and not expect some breakage? it seems reasonable
17:41craigbroTimMc: if pr needs it... then it's not too expressive
17:41ChongLithat alone seems like a big step to me
17:41craigbroking solomon option
17:42craigbroso it goes
17:42TimMc"read[-string] requires *read-eval* to be explicitly bound to true/false. If you don't know what that means, use false."
17:42craigbrocutting the baby in half, breaking code all over and shipping a broken lisp
17:42craigbrobut, hey, I'm a fuddy duddy, so I'll just finish up by saying "off my lawn!!!" 8^)
17:42@rhickeyI need to sleep on it, my fear is it saddles us with a permanent property, even after all code is better
17:43technomancyrhickey: the exception message itself is probably too short to explain it well, so it'd probably be best to make it point to *read-eval*'s docstring.
17:43abedrarhickey: I think it's a good start
17:43@rhickeytechnomancy: that's what it does now
17:43abedraPerhaps we should take it to the wiki?
17:43hyPiRionrhickey: I suppose read-edn and read-edn-string would still be usable without *read-eval* bound?
17:43technomancyrhickey: cool; let me take a look at the latest
17:44@rhickeynow means here on my machine :)
17:44amalloyhyPiRion: yes
17:44@rhickeyhyPiRion: yes
17:45@rhickeyIt could become a point of pride that an app/library not need the property
17:45craigbrohehe
17:45TimMccraigbro: https://gist.github.com/fogus/4716440
17:45TimMcAn example of some very good programmers forgetting to set read-eval to false.
17:46dnolenrhickey: I guess this set of options complicates developing libraries meant to be used by others that leverage read? the library shouldn't not dictate *read-eval* but will need to test by setting it?
17:46@rhickeyTimMc: did they have read-edn?
17:47@rhickeydnolen: no, as before, the *read-eval* policy is at the app, not library level
17:47TimMcNope! It's CL or something.
17:47hyPiRionokay, then I'm very fine with this. Only concern is that clojure packages for linux distros doesn't has read-eval as a setting you can turn on/off. But that's not fault of the language itself, though.
17:47hyPiRion/s/has/have/
17:47@rhickeya lib should be written presuming the caller will set the policy and binding
17:47Raynesdnolen: Well, exactly. They can set it in the tests.
17:48@rhickeyTimMc: joking
17:48TimMcWell, you never know.
17:48craigbrohey, what is Goldsith's first name?
17:48TimMcrhickey: I assume you meant "an equivalent to read-edn".
17:48dnolenrhickey: yes, I just meant complicated testing - but I guess it's not a big deal, but it does seem like a lot of pointless breakage.
17:48dnolencomplicating
17:49@rhickeydnolen: you seem to be the only one with me on the pointless
17:49hyPiRiondnolen: `lein test :read-eval false`? Or some property in project.clj?
17:50hyPiRion(Sure, Leiningen doesn't cover all Clojure use cases.)
17:50abphyPiRion: It gets worse.. properties, flags, bindings
17:50craigbroTimMc: also, no evidence it is *read-eval* there either
17:50craigbrorhickey: I agree it is pointless breakage
17:50@rhickeya huge number of apps will never use read
17:50hyPiRionabp: Not really. Just ship with read-edn instead.
17:50@rhickeygiven read-edn
17:51TimMccraigbro: "adding one line of code--'setf *read-eval* nil'--fixes the problem"
17:51craigbroTimMc: thanks
17:51TimMcIt's kind of buried, sorry.
17:52craigbrothere are other ways past a lisp reader
17:52@rhickeyand thus the ones that use read will be doing so because they need the power of read
17:52augustlwhat does a set use to determine the identity of a java object? It's hashCode or something?
17:52augustls/It's/Its/
17:52TimMchyPiRion: This would be to set up the default binding in the test.clj files?
17:52@rhickeythis entire thing exists to avoid people having to switch from read to read-edn - seems quite bogus
17:53hyPiRionTimMc: That's my idea, but it's just a proposal. :)
17:53abprhickey: You still absolutely can't stand it, right? ;)
17:53@rhickeyright
17:53mattmossMaybe I missed something, but... I don't understand fully the need to have the third, unset state of *read-eval*. I suppose it throws if unset, but if libs/app can bind it anyway, wouldn't I always be best to rebind *read-eval* just before reading?
17:53TimMcThat kind of statement makes me feel very twitchy about the possibility of writing secure code in Clojure.
17:53mattmossI don't use #= or read-string myself, so I'm not up on typical usage.
17:54craigbroTimMc: the clojure reader != the common lisp reader 8)
17:54abpI too, on the other hand I understand people wanting something to be done about it.
17:55abpBut considering the years with true as default. Now it's a problem and we need to fix it in two days somehow..
17:55technomancyabp: have you been following the rubygems.org exploit?
17:56technomancyabp: http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/
17:56abptechnomancy, roughly
17:56craigbrogiven read-edn... my preferences now are default stay the same, default is false, and the bound to nil and throw error option is anathema 8^)
17:56TimMcabp: 1. Apathy caused the delay, 2. a recent exploit caused the emergency.
17:56craigbroTimMc: a recent exploit in clojure code, or are you referring to ruby
17:56gfredericks(binding [*data-readers* {'eval #'eval}] (read-string "#eval (+ 1 2)"))
17:56TimMccraigbro: Ruby/Rails.
17:57abpRails, for programmer convenience, used YAML to implement JSON deserialization. => Clojure programmers use their compiler read for edn deserialization for convenience?
17:57technomancyabp: ring's cookie store was recently found to be vulnerable to the same bug for cases where user data was placed in the session
17:57abptechnomancy: I know.
17:57craigbrotechnomancy: assuming they got the app secret
17:57technomancycraigbro: no
17:57abpexactly
17:57gfredericksI've only spent the last hour reading the day's conversation so I'm not fully caught up; I haven't been able to figure out why #= is still a needed feature at all given data readers
17:58craigbrotechnomancy: ok, am I misreading that code then?
17:58technomancyyou can do it without getting the secret if user data is placed in the session
17:58matthaveneri wonder if python folks are freaking out too. pickle deserialize has similar eval problem
17:58amalloymatthavener: less, from what i hear. allegedly they are already pretty paranoid about unpickling untrusted data
17:58craigbroif you can modify that cookie without the app secret, that's the actual bug 8)
17:59technomancymatthavener: maybe because that's been documented from the outset
17:59craigbrosorry, I use in mem session store with ring, I misunderstood that patch
17:59matthavenertechnomancy: yeah, i think thats the biggest difference
17:59TimMctechnomancy: It probably helps that the name "pickle" is weird.
17:59TimMc"What the hell is 'pickle'? I'd better go read the docs."
17:59matthavenerTimMc: maybe the solution is to rename "read" to "unpickle" in clojure :P
18:00dnolenthis is interesting - http://github.com/search?l=clojure&q=read-string&ref=searchresults&type=Code, read-string usage according to GitHub
18:00craigbrodnolen: went over that earlier 8)
18:01@rhickeytechnomancy: as long as the reader has a mode that's unsafe, you shouldn't be using it for internet data. e.g. there was (and is) a hole around record literals not being governed by *read-eval*. The only safe thing is something that does not have that possibility at all, e.g. read-edn. People will *have to* switch in order to be safe. We need to move people off read ASAP, not assuage them with defaults
18:04mattmossWhy not... "People will *have to* switch in order to be _unsafe_" ? Or is that part of the decision going on? (ima n00b)
18:05mattmossMaking things globally safe breaks too many people/
18:05mattmoss?
18:05TimMcYeah.
18:05hyPiRionmattmoss: That's been the discussion for the last 5 hours.
18:05TimMcPeople don't see eye-to-eye on that tradeoff.
18:05hyPiRionIf not more.
18:06abphyPiRion, much more.
18:06mattmosshyPiRion: Yeah, I kinda got that... just a lot of details flying past I wasn't getting the whole pic.
18:06craigbroTimMc: check the last part of this out
18:06craigbrohttp://letoverlambda.com/index.cl/guest/chap4.html
18:06craigbroskip down to Reader Security
18:07@rhickeychanging the default doesn't make it safe. If we changed the default as soon as there was a cry for it, without looking further, everyone would happily be using dangerous reader where record format is not governed by flag - i.e. still not safe, but feeling good about ourselves
18:07craigbroTimMc: i present that as an example of the various problems with (read) that are not just *read-eval* being true
18:07@rhickeyread-edn is safe - use it for untrusted sources
18:08@rhickeythat must be the mantra
18:08TimMcrhickey: read-edn is unsafe if a dependency brings in an unsafe data_readers.clj
18:09craigbroTimMc: we discussed that earlier, binding *data-readers* is the proper way to be safe with it
18:09TimMcMmm, right.
18:10@rhickeyTimMc: a dep could open a port too, c'mon
18:10@rhickeythe hyperbole is thick in here
18:10craigbrowell, a backdoor is different than a incompletely understood data reader
18:10akhudekVery widespread posting/education about the issue seems the best way to address this. Don't think the defaults for read matter given that read is ultimately unsafe no matter the defaults.
18:11abedracraigbro: is it"
18:11abedra?
18:11mattmossIf read is unsafe while new read-edn is safe, how many will switch or even be aware? If read is made safe and "unsafe-read" is unsafe, people will be very aware. They might just switch to the unsafe one, but that's on them and it's visible in the code.
18:11mattmossThat breaks people, but I'm of the school that says you have to break someone to make them stronger. ;)
18:11dnolenmattmoss: read will never be safe
18:12jballanchmm...if I want to carry out the same modification on all the values in a hash, but leave the k/v associations in tact...what's the most "Clojure-like" way to do that?
18:12@rhickeyfor absolute security use your own reader, written in Ada :)
18:12craigbrosure, a backdoor implies intent by the author of the dependency. An unsafe data-reader does not, and could simply be that they didn't think fully about how to read an integer and used read 8^)
18:12abpmattmoss, https://groups.google.com/d/msg/clojure-dev/zG90eRnbbJQ/dMjhl5b26l8J
18:12gfredericksjballanc: (into {} (for [[k v] m] [k (f v)]))
18:12mattmossabp: Yeah, I just skimmed that.
18:12jballanchmm...not update-in?
18:13hyPiRionHurray, rhickey is in mood to emote again.
18:13craigbrorhickey: it's the balance of security vs. extensibility. edn gets it correct IMO. I don't bring up binding *data-readers* to poo poo or to score points
18:13abpmattmoss: That's the answer to unsafe-read
18:13mattmossdnolen: Why not? Maybe I'm missing something, but rhickey just indicated that read-edn is safe. So read *could* be safe if it was limited to what read-edn does (or similar), and unsafe-read does what read does.
18:13gfredericksjballanc: don't see why you would need it
18:13abpmattmoss: "How does one make libraries then, that call read for you? Should there be safe and unsafe variants of every library? Will they compose? Dynamic binding exists precisely for this purpose. The bottom can't be something that hardwires a choice. Rich"
18:13craigbroI bring it up to support the argument that you had best fully understand just what code surface is exposed when reading data from untrusted sources.
18:14ivaraasenAda isn't secure enough IMO. should be written in MUMPS. security through obscurity.
18:14mattmossMy apologies guys... stuff is over my head, I guess, without spending a lot more time on the issue.
18:14abedracraigbro: security is a balance of extensibility, connectivity, and complexity
18:14craigbroI think read-edn works great as a default for reading from possibly untrusted sources
18:14abedraall have problems
18:15TimMccraigbro: I don't think you'll get an argument on that one.
18:16@rhickeybeta9 on its way - read-edn*, old reader, no properties for now
18:17jballancgfredericks: that for comprehension just seems somehow more complicated than it needs to be :-/
18:17abprhickey: Probably docs on read* should be really explicit about security in the first line then. If they aren't by now.
18:17craigbroas long time security dork, I find the tippy toe'ing hilarious
18:18cemerickcraigbro: "tippy toe'ing"?
18:18abedracraigbro: ^^
18:18craigbrooh my god we gotta do something!
18:18gfrederickswhat's the record vulnerability? just that arbitrary constructors can be called?
18:19amalloygfredericks: "just", yes
18:19craigbrotho I suppose the pending 1.5 release is responsible for most of the urgency
18:19hiredmangfredericks: well before then you can cause arbitrary classes to load
18:19gfredericksright
18:20amalloyas i understand it, calling arbitrary constructors is exactly what the rails yaml vulnerability allowed
18:20hiredmanclojure namespaces, for example, when aot compiled are just a big fat static init that is run when they are loaded
18:20gfredericksso for replacing constructors and #= with data readers, the main pain is backwards compat? or am I missing something?
18:20abedracraigbro: as someone who's full time gid is security at a company who uses Clojure, I think it is important to follow up and discuss it. I'm not interested in "tippy toe'ing" whatsoever
18:20abedras/gid/gig
18:20craigbroabedra: where you at?
18:21@rhickeygotta run, please try beta9 when it shows up, thanks for the feedback
18:21abedracraigbro: Groupon
18:21Bronsano regex for read-edn?
18:21craigbrochicago?
18:21abedrayes
18:21nDuffHeh.
18:21craigbroah, my hometown, in VT right now tho for a few weeks
18:21craigbroI am also at a security company using clojure, ThreatGRID
18:22TimMcDoes Clojure currently use #= for anything? Or is it only there as an escape valve for user code these days?
18:23TimMcPerhaps some sort of *print-dup* functionality?
18:23FrozenlockTimMc: Apparently 'some mysterious individuals' use it.
18:23craigbroTimMc: I recall from a previous discussion that it is used in the compiler and some other places, but I do not concretely know
18:23hiredmanif you bind *print-dup* to true it is used a lot
18:23TimMcOK.
18:23cemerickThe compiler does not need to use it, though it currently does.
18:23gfrederickshiredman: but that could be replaced with an #eval reader, right?
18:23gfredericksat worst
18:24cemericksorry, except for tagged literals
18:24hyPiRionTimMc: I think I may have a need for it in Swearjure at some point. Don't know what I'll use it for yet though.
18:24TimMc(binding [*print-dup* true] (pr-str {:a '[b]})) ;;= "#=(clojure.lang.PersistentArrayMap/create {:a [b]})"
18:24hiredmangfredericks: uh, are you proposing adding a reader literal to allow for arbitrary code evaluation?
18:24gfrederickshiredman: not adding anything -- you can already add it with binding
18:25TimMcJust in dynamic scope.
18:25gfredericksyeah
18:25hiredmanactually I asked rich about this at the conj when he announced reader literals
18:25FrozenlockTimMc: looks like (read-string "{:a [b]}") :P
18:25gfredericksso you can get nearly equivalent functionality already by opting-in
18:25gfredericksso if we only use #= 0.001% of the time then maybe that's okay?
18:26hiredmanthe reason print-dup does that (using #=) is print-dup is very literally "print something that when read in will give me the same thing, classes and all"
18:26hiredmanso literals can never be that
18:26gfredericks#eval (PAM/create {:a [b]})?
18:26FrozenlockSo print-dup shouldn't be used if you use clojure on different backends? Cljs/clj
18:27hiredmanbecause literals are almost the opposite, here is a semantic tag for the following data, you choose the representation
18:27gfredericksthat's an interesting point
18:27hiredmangfredericks: maybe
18:28gfredericksokay; it's sad to me that the reader will be forever unsafe :/
18:28craigbroyou can't have it any other way 8)
18:28craigbroif you want circular data to work too
18:28TimMcread-clj, read-clj-string
18:28craigbrohehe
18:29Frozenlockcircular data?
18:29hyPiRionre circular data: I've not yet found a way to let a persistent structure contain itself.
18:29gfrederickshyPiRion: lazy seq?
18:29abedra /quit
18:30hyPiRiongfredericks: boo. I think I meant Maps, Sets or Vectors.
18:30gfredericks,(let [v (promise), h {:foo (lazy-seq [@v])}] (deliver v h) h)
18:30clojurebot{:foo ({:foo ({:foo ({:foo ({:foo (#)})})})})}
18:31gfrederickshyPiRion: I was actually interested in the ability of repeat and cycle to return seqs that point to themselves
18:31gfrederickscurrently repeat creates lots of new objects when it could get away with one
18:32hyPiRiongfredericks: Potential JIRA issue?
18:32gfredericksI wasn't convinced the core folk would think it's worth the effort
18:32craigbroyou know, on the circular data thing, I was confusing the CL reader with clojure
18:32hiredmanhttp://stackoverflow.com/questions/357956/explanation-of-tying-the-knot
18:33tomojthat would make (= (repeat 3) (next (repeat 3))) true, right?
18:33hyPiRioncraigbro: yeah, I figured.
18:33craigbrowith immutable data types, it's not gonna happen
18:33tomojer
18:33tomoj(let [r (repeat 3)] (= r (next r)))
18:33gfrederickstomoj: that's an interesting implication
18:33tomojnot that anyone should rely on that..
18:33Frozenlock,(let [abc {:a 1 :b (:a abc)}] abc)
18:33clojurebot#<CompilerException java.lang.RuntimeException: Unable to resolve symbol: abc in this context, compiling:(NO_SOURCE_PATH:0)>
18:33gfredericksit hadn't occurred to me that it could change behavior
18:34hyPiRioncraigbro: that's not entirely true, Oz has immutable datatypes but have structures which may contain themselves.
18:34gfredericksyou can do it in haskell amirite
18:34hyPiRionLet X be a set containing Y, then unify X and Y.
18:35hiredmanthat is promises though
18:35hiredmanwhich I guess is more less how haskell does it too
18:35hiredmansort of wibbly wobbly on the immutable thing
18:35hyPiRionhiredman: Perhaps, but it's more transparent than what Clojure does (you have to deref etc.)
18:35craigbroyah, and what happens when you print them?
18:36craigbrowe force promises and such when we print, right?
18:36TimMc,(promise)
18:36clojurebot#<core$promise$reify__3678@6b6251c1: :pending>
18:36hyPiRioncraigbro: No, that wouldn't make sense. It should block.
18:36hyPiRionAt least if they were transparent.
18:36TimMc,(doto (promise) (deliver "yep!"))
18:36clojurebot#<core$promise$reify__3678@40869efe: "yep!">
18:37TimMc,(let [a (atom nil)] (reset! a a) a)
18:37clojurebot#<Atom@3f6f3a0: #<Atom@3f6f3a0: #<Atom@3f6f3a0: #<Atom@3f6f3a0: #<Atom@3f6f3a0: #<Atom@3f6f3a0: #<Atom@3f6f3a0: #<Atom@3f6f3a0: #<Atom@3f6f3a0: #<Atom@3f6f3a0: #>>>>>>>>>>
18:37craigbro8)
18:37craigbroyou hit print-level limit I guess?
18:38TimMcYep.
18:38TimMc&(let [a (atom nil)] (reset! a a) a)
18:38lazybotjava.lang.StackOverflowError
18:38craigbrofun
18:38TimMc,*print-level* ##(identity *print-level*)
18:38clojurebot10
18:38lazybot⇒ nil
18:42craigbroyah, the explicit nature of promises makes printing them different than in haskell
18:42craigbrothe inability to modify a cons cell is what stops you from getting looped lists
18:42hiredmanyou could do it in core.logic :)
18:44pbostrom_just catching up, what does it mean exactly that "read will never be safe"? I always assumed (binding [*read-eval* false] (read-string str)) would prevent any sot of nastiness
18:44pbostrom_s/sot/sort/
18:44technomancypbostrom_: that's correct
18:45craigbropbostrom_: you still have data-readers
18:46craigbropbostrom_: however, but you can bind *data-readers* as well
18:47craigbroi think of it this way, the YAML.load handling !ruby.class deserialization is like #=
18:48craigbroand issues with data-readers is like what happens when someone adds support for reading YAML to the XML parser
18:49craigbroaka, I can add a data reader for calls (read on a string, expecting a number for example, but I could craft something to get by any protecting regexp and slip it a #= form, and get remote code execution
18:49craigbroso that's like the actual remote code execution bug in Rails
18:50craigbrobbiab
18:54TimMc(defn read-really-safe-i-mean-it [s] (binding [*data-readers* {}] (read-edn-string s)))
18:55craigbroTimMc: i've been scouring the reader for other vectors
18:56craigbroTimMc: I guess we could look at clojurebot code 8)
18:56TimMcWhat do you hope to find there?
18:57TimMcYou could also look at clojail.
18:59craigbrosafe-read in clojail just binds read-eval and munges exceptions
19:00Raynesclojurebot is not an example of safe anything.
19:00RaynesNot that clojail is completely safe.
19:00craigbroreading edn means you lose #() and some other syntactic sugar, and metadata
19:00RaynesBut it *tries* to be, hard.
19:01RaynesBut there are existing holes.
19:01aaelonyis there something like clojure.java.io for writing compressed files (from a lazy-seq) ?
19:01RaynesI haven't had time to fix them all yet.
19:01craigbroRaynes: just looking at the read cycle here
19:01RaynesBut they aren't related to read.
19:01BronsaEdnReader also reads "foo`bar" as a symbol
19:01RaynesJust saying, clojurebot relies mostly on restarting and people here not being asshats.
19:02Bronsawhile LispReader reads "foo`bar" as the symbol foo, and the syntax-quoted symbol bar
19:02Frozenlockaaelony: you could try https://github.com/Raynes/fs/blob/master/src/me/raynes/fs/compression.clj
19:03aaelonyI'm looking at that but likely need make-zip-stream somehow
19:03aaelonythanks
19:03RaynesThat compression stuff could probably do with a makeover.
19:04aaelonysomething Buffered would be cool...
19:04aaelonythis way, i learn java slowly but surely...
19:27zakwilsonA local meetup group has suggested writing the *nix ls program in a functional language and asked me to talk about Clojure since I already use it actively. This kind of implies I should write ls in Clojure. Of course, JVM startup time is bad. I know there have been a few attempts to run Clojure with a persistent JVM. Is there one I should actually use?
19:28seangrov`Well, repl-dev would be good for it
19:29amalloyhuh. i didn't expect this: ##(* 60 1/30
19:29hiredmanzakwilson: drip maybe?
19:29Raynesevalfail
19:29amalloy&(* 60 1/30)
19:29lazybot⇒ 2N
19:29amalloyzakwilson: the only one i'd recommend trying is drip. it probably even works
19:29RaynesDrip might help, but not significantly I wouldn't think. Especially if you ran it a bunch of times in quick succession.
19:30Rayneszakwilson: One thing I've noticed is that if you don't load a bunch of stuff and you don't use lein to for starting it up or anything, the startup is actually not too bad.
19:31Rayneszakwilson: Another option might be using a different implementation of Clojure.
19:31amalloyRaynes: drip actually has a DRIP_POOL option that lets you keep more than one jvm waiting
19:31amalloyi don't think it's well tested, though
19:31zakwilsonIt looks like drip makes the basic startup about ten times faster. That's pretty much what I'm looking for.
19:31RaynesInteresting.
19:31Raynesamalloy: How much memory does an idle JVM take?
19:32zakwilsonIt wouldn't be suitable for sticking in the middle of a loop in a script, but actually doing that would be silly. It'll do for a demo.
19:32amalloy*shrug* mostly it gets paged out, i imagine
19:33ToBeReplacedis there a clojure/clojurescript mustache implementation? or is anyone working on one?
19:33FrozenlockRaynes: Even if noir is deprecated, would you consider upping its dependencies? This is scary https://github.com/ring-clojure/ring/commit/7028d12759ababdcd523ed0881b79ecc0b38f334
19:34RaynesFrozenlock: I can do security updates that other people contribute.
19:35qzis it possible to get that binding *read-eval* false behavior by default?
19:35hyPiRionqz: Yeah, just do (alter-var-root #'*read-eval* (constantly false)) at the start of your program.
19:36qzcool :)
19:42craigbrook
19:43craigbrowell #"" syntax does open up a possible denial of service
19:43TimMcGood point.
19:44ChongLicraigbro: as does using the wrong sorting algorithm (eg quicksort)
19:44craigbrook, but on read...
19:44qzisnt #"" a regexp?
19:44craigbronot on evaluation. I'm not talking about exploits when you do something with the data
19:45ChongLiif the user is supplying the data, they can supply pathological anti-sorted data
19:46craigbroChongLi: I'm only worried about what gets passed to the pattern compiler, not after
19:46craigbroChongLi: also, computation complexity in a regexp is much higher
19:46FrozenlockRaynes: I'm far from being a pro with pull request; let me know if it's what you had in mind https://github.com/noir-clojure/noir/pull/139
19:46craigbrohttps://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
19:46ChongLibasically any algorithm that operates on user data which has terrible worst-case complexity is a risk
19:47craigbroChongLi: yup
19:47RaynesFrozenlock: Yeah. The only other thing I'd ask for is that you made sure it still works.
19:47FrozenlockAw I knew there was a trap.
19:47Rayneslol
19:48RaynesIf you can find any given noir app that is based on 1.3.0...
19:48RaynesCould clone refheap and checkout to pre-compojure.
19:48RaynesI don't know how useful the tests ever were.
19:48RaynesIt isn't really a big deal. I can test it out later.
19:49FrozenlockWell then... I'll just clojar it and try it on my own server.
19:49RaynesSince I know how to work refheap.
19:49RaynesBut yeah, I'd accept "Noir app x still works" as 'testing' it. :p
19:50FrozenlockWouldn't that be the same as testing with refheap?
19:50RaynesYes.
19:54toby3hello
19:54toby3anybody here?
19:54nDuffUsually.
19:54Frozenlocktoby3: There's always someone here.
19:55toby3oh, soory
19:55toby3sorry.
19:55nDufftoby3: that said, we're a high-latency channel; just because we're here doesn't mean we answer right away, or that we want to be pressed to do so.
19:55toby3no one is speaking, i thought i had not connected
19:56Frozenlocktoby3: We are busy doing stuff :P
19:56FrozenlockLike I, for example, am busy breaking the Noir library.
19:56clojurebotlibrary is "Our class libraries have destroyed our brains." - rhickey
19:56toby3ok
19:57toby3not understood exactly
19:57JanxSpiritsorry for the newb question but why isn't the say-foo function visible in this code? http://pastebin.com/GFFh9Ln5
19:58nDuffJanxSpirit: Could you consider a pastebin without all the ads?
19:58JanxSpiritsorry for that too
19:58nDuffJanxSpirit: refheap.com (written in Clojure and maintained by one of our own) would be ideal.
19:58ibdknoxJanxSpirit: order matters in Clojure
19:59ibdknoxJanxSpirit: you have to declare something before it is used
19:59JanxSpiritdoh
19:59toby3what is refheap used for ?
19:59JanxSpiritshould have known that
19:59JanxSpiritthanks ibdknox
20:02qzis there any good way to avoid mass-require of stuff that's common? for example nearly every my file requires clojure.string or clojure.java.io or such..
20:03craigbrons+
20:03tomojeditor snippets :P
20:03amalloyqz: no. files must declare what they depend on, or else how could a reader (human or computer) know where some arbitrary function comes from?
20:03tomojns+ is bad
20:04qzamalloy: well, that ns+ approach solves that. too bad its not in core
20:05qztomoj: why ns+ is bad?
20:07TimMcqz: slamhound :-)
20:07scgilardiyou take that back
20:07scgilardi:)
20:09tomojalso codeq?
20:10tomojthough that leads to "macros are bad"
20:10tomojeventually you've gotta have the code actually loaded up anyway, so might as well expand ns+ ?
20:18craigbrosorry to go back to this topic
20:18craigbrobut I saw some mention about a record constructor bug
20:18craigbroright now read will let you call constructors
20:19craigbroon any loaded java class
20:20nDuffcraigbro: You were there when the entire damned afternoon was spent talking about that, no? :)
20:20nDuffs/there/here/
20:20craigbroyah, but I didn't see the resolution of that record constructor issue. was that going to be changed?
20:21nDuffcraigbro: You could before, and will continue to in the future, be able to turn that off.
20:21nDuffcraigbro: moreover, in the future, there'll be an EDN-only read call, which also won't allow that.
20:22craigbronDuff: uhm, binding *read-eval* false doesn't turn off record constructors
20:22nDuffOh. Then use the EDN reader.
20:23craigbronDuff: sure, assuming that only uses data-readers. I'm asking because this makes read-string and read unsafe no matter what binding there is for *read-eval*
20:24nDuffOkay. Grok your question now. Correct answer is "I don't know".
20:24nDuffApologies about being flippant before.
20:25craigbrodude, after this afternoon, no apology needed 8)
20:28craigbro,(read-string "#java.io.FileWriter[\"/tmp/foo\"]")
20:28clojurebot#<SecurityException java.lang.SecurityException: denied>
20:28craigbrohehe
20:29craigbroI can touch or overwrite arbitrary files that way
20:30craigbro,(bindings [*read-eval* false] (read-string "#java.io.FileWriter[\"/tmp/foo\"]"))
20:30clojurebot#<CompilerException java.lang.RuntimeException: Unable to resolve symbol: bindings in this context, compiling:(NO_SOURCE_PATH:0)>
20:30craigbro,(binding [*read-eval* false] (read-string "#java.io.FileWriter[\"/tmp/foo\"]"))
20:30clojurebot#<SecurityException java.lang.SecurityException: denied>
20:30FrozenlockRaynes: well I don't know what I did wrong, but it chokes on "hiccup/page_helpers". (Which seems you were using in 1.3.0 anyway... weird)
20:30RaynesFrozenlock: Don't worry about it. I'll take a look asap.
20:34matthavenercraigbro: so basically, *read-eval* false just disables #=, but you can still call arbitrary ctors?
20:37devnthe *read-eval* thread rages on
20:37devnyogthos|away: i'd like to talk to you if you have a chance -- priv msg me?
20:41craigbro1ok, I was looking at an old 1.5 clojure
20:42TimMcmatthavener: The idea is that there will be a separate reader for just "EDN", a safe Clojure subset.
20:42craigbro1the thing I just posted, is fixed in 5cf6aa3f
20:42craigbro1sorry
20:43durka42anyone use nakkaya's vision library?
20:43durka42(the opencv wrapper)
21:03tomoj(persistent! (reduce-kv (fn [ret k v] (if (nil? v) (dissoc! ret k) ret)) (transient m) m))
21:03tomoj(into-kv m (r/keep identity m))
21:03tomoj:(
21:04tomojoh, that won't work :D
21:04tomoj(into-kv {} (r/keep identity m)) I guess
21:13loganlinnwhat does ANN stand for (in the clojure google group)?
21:13tmciverAnnouncement
21:13loganlinnok
21:13loganlinnthat's what I thought
21:14amalloyarbitrary news network
21:14amalloyaggregated noisy nonsense?
21:15RaynesExceptionally clever.
21:28semisighthey all
21:28semisightI found a bug in clojure.java.jdbc
21:28semisightand I wanna patch it
21:28semisightbut I'm having trouble
21:28semisightcan anyone help?
21:30jeremyheilersemisight: there's a lot of work that has been done on java.jdbc lately. is your bug regarding the latest master?
21:31semisightas far as I know it exists in the latest master yes
21:31semisightI know there's work being done in the dsl
21:31semisightbut this is in one of the older functions
21:33jeremyheilerwhat's the issue? (ping: seancorfield )
21:34semisightjeremyheiler: the insert-values function doesn't correctly handle column names that have special characters
21:34semisightI have column names with ampersands and the like, but these should be quoted before an insert statement
21:34semisightif I'm right this is a one line fix
21:35xeqisemisight: have you signed a CA perchance?
21:35semisightxeqi: nope
21:36xeqiblah
21:36semisightxeqi: does that make things harder?
21:37semisightI can work around this
21:37semisightbut I thought I'd contribute a fix
21:37xeqiclojure.java.jdbc is under the contrib umbrella, which means it can't accept patches without a signed and mailed CA, even for a 1 line fix
21:37jeremyheilersemisigh: It appears insert-values is deprecated for 0.3.0, anyway
21:38semisightxeqi: damn. can anyone contribute it for me?
21:38jeremyheilersemisight, Especially since you don't have a CA, your best bet is to get in touch with seancorfield
21:39semisightjeremyheiler: From what I understand it's deprecated for a future release. The current release has no replacement.
21:39xeqiheh, I'd recommend telling seancorfield what the issue is, he's the maintainer and could handle it
21:39semisightxeqi: ok, I'll try that
21:39semisightthanks
21:40xeqialso, feel free to mention you wanted to contribute a fix, but couldn't to the clojure google group :p
21:55TimMcxeqi: I thought that was usually on Wednesdays.
21:55xeqiby the time it makes it through group moderation ....
21:56TimMcheh
21:56TimMcAlways remember to lead your target.
21:58craigbroheh
21:59nonubyhow can I get from this input to this output with the least cognitive load (i.e. avoiding nesting maps) https://www.refheap.com/paste/9534
21:59nonubyessentially I'm just adding the key as the id
22:00yediwhat exactly does C-c C-l (load file) do in nrepl-jack-in?
22:00hiredmanfor
22:00yedii'm really struggling to get this repl workflow right
22:00amalloy&(doc for) ; nonuby
22:00lazybot⇒ "Macro ([seq-exprs body-expr]); List comprehension. Takes a vector of one or more binding-form/collection-expr pairs, each followed by zero or more modifiers, and yields a lazy sequence of evaluations of expr. Collections are iterated in a nested fashion, rightm... https://www.refheap.com/paste/9535
22:04TimMcThis EdnReader, is it just an eval-purge of the regular LispReader?
22:05nonubyfirst attempt: (flatten (for [topkey (keys a) toparray (topkey a)] (map #(merge {:id topkey} %) toparray)))
22:05xeqiTimMc: it looks similar
22:05xeqi~flatten
22:05clojurebotflatten is rarely the right answer. Suppose you need to use a list as your "base type", for example. Usually you only want to flatten a single level, and in that case you're better off with concat. Or, better still, use mapcat to produce a sequence that's shaped right to begin with.
22:06amalloy(for [[k vs] m, v vs] (assoc v :id k)), nonuby?
22:08nonubyamalloy that works, will digest why/how, thanks, much cleaner than what I had
22:11nonubyon (doc for) what does it mean by rightmost fastest?
22:12craigbroTimMc: a little bit more than that
22:13TimMcLooking at the code, it appears to be a derivative version. I guess it would not have made sense to do it any other way.
22:14craigbroTimMc: way few dispatch macros, no record ctor, no deref macro, no anon fn macro, no quote, no unquote, no splice, no regex reader, no set reader, no comment read
22:15xeqithere's a set reader and comment reader
22:16TimMcWTF is RT/suppressRead?
22:16craigbroxeqi: you are right, there is a #{ set reader macro. there is no #! comment reader
22:16xeqiah, I saw the ; comment reader
22:17craigbroit's always false 8)
22:19TimMc,(clojure.lang.RT/suppressRead)
22:19clojurebotfalse
22:20TimMcI don't think I would hire someone whose code looked like this.
22:21xeqiI wonder how long it will take libraries (like ring) to give up backwards compatibility of clojure versions
22:23craigbroTimMc: the tabs?
22:24TimMccraigbro: The complete lack of comments in very important code.
22:26technomancyheh; lead your target. nice. =)
22:27gfredericksrich just complected a close-paren with an emoticon
22:27craigbroTimMc: it's pretty straightforward code
22:27craigbroTimMc: suppressRead aside 8)
22:28callenbotTimMc: what code? where?
22:28callenbotoh, clojure.lang
22:28callenbotTimMc: https://github.com/clojure/clojure/blob/master/src/jvm/clojure/lang/RT.java#L1710
22:28callenbot //todo - look up in suppress-read var
22:29gfrederickslazybot: why you no handle TODOs
22:33Sleepy_nekohi
22:33Sleepy_nekoi'm new to clojure
22:33gfrederickssweet
22:34TimMccallenbot: Quite.
22:37craigbro,(::foo)
22:37clojurebot#<IllegalArgumentException java.lang.IllegalArgumentException: Wrong number of args passed to keyword: :sandbox/foo>
22:37craigbro,::foo
22:37clojurebot:sandbox/foo
22:37craigbro:/foo
22:37craigbro,:/foo
22:37clojurebot#<ExecutionException java.util.concurrent.ExecutionException: java.lang.RuntimeException: Invalid token: :/foo>
22:37craigbrosandbox:/foo
22:38craigbro,sandbox:/foo
22:38clojurebot#<ExecutionException java.util.concurrent.ExecutionException: java.lang.RuntimeException: Invalid token: sandbox:/foo>
22:38craigbro,sand/foo:
22:38clojurebot#<ExecutionException java.util.concurrent.ExecutionException: java.lang.RuntimeException: Invalid token: sand/foo:>
22:38mattmosshacker
22:39mattmoss:)
22:39warz,(+ 1 2 3)
22:39clojurebot6
22:39warzwoot
22:39craigbro,:::foo
22:39clojurebot#<ExecutionException java.util.concurrent.ExecutionException: java.lang.RuntimeException: Invalid token: :::foo>
22:40mattmoss,:x:x
22:40clojurebot:x:x
22:40gfredericksoh man clojurebot has an eval vulnerability
22:40mattkruse,(+ (+ 1 2) (+ 3 4))
22:40clojurebot10
22:40gfredericksif you type code preceded by a comma it will eval it
22:40craigbro,::foo
22:40clojurebot:sandbox/foo
22:40TimMc"People have been using read for something for which it is not suited."
22:40Sleepy_neko,(+ 1 2)
22:40clojurebot3
22:40mattkrusecool beanz
22:40TimMcAnd that's just after "For instance, programs that write programs often need to embed arbitrary unknown objects into code. I get the feeling a lot of people ready to change things are not leveraging many of Clojure's capabilities in this area."
22:40TimMc>_<
22:40mattmoss,(+(*)(+(*)(*)))
22:40clojurebot3
22:41mattkrusehow is that three?
22:41mattmoss,(*)
22:41clojurebot1
22:41TimMcHow isn't it?
22:41Sleepy_neko,(@)
22:41clojurebot#<ExecutionException java.util.concurrent.ExecutionException: java.lang.RuntimeException: Unmatched delimiter: )>
22:41craigbroTimMc: where those quotes from?
22:41mattkruse,(* 2 3)
22:41clojurebot6
22:41gfrederickscraigbro: ML
22:42craigbrothe battlefield!
22:42craigbroholdon, lemme get some scotch first
22:42gfredericksI wonder what use cases he's thinking of that can't be handled by a macro
22:42TimMcI can't link to this goddamn new Google Groups.
22:42TimMchttps://groups.google.com/d/msg/clojure-dev/zG90eRnbbJQ/Q2sJTbNAAqYJ there
22:43craigbrogfredericks, anyone where the consuming program does not have all the code of the sending program
22:43FrozenlockPerhaps there should be an example of the awesome capabilities of #= and alike?
22:43craigbrogfredericks: or, anyone that depends on *print-dup* being true when spat out (aka, the same types being read in as were printed)
22:43gfrederickscraigbro: there could be a built-in macro? clojure.core/construct
22:44craigbrogfredericks: then it is the same as #= no?
22:44gfredericksno because the compiler does it
22:44gfredericksnot the reader
22:44ppppaulcan someone help me with a clojure.data.xml.zip question?
22:44ppppaulhttps://gist.github.com/boxxxie/4720053
22:44FrozenlockFrom the google group:
22:44gfredericksmay as well just have something called compile-eval to be totally general
22:44FrozenlockFor the future 1.6 release, we can be much more clean in how we separate things out, e.g.:
22:44Frozenlock
22:44Frozenlockread : Reads data only, no evaluation. Works for most "normal" Clojure code.
22:44Frozenlockread-edn : Reads edn data, with whatever tagged value handling is chosen
22:44craigbrothat it goes thru data-reader dispatch would be only difference?
22:44Frozenlockread-clojure : Read with support for #=(...), other dangerous stuff that might be in general Clojure code. Power users / the Clojure REPL will use this.
22:44gfrederickscraigbro: no it'd be a regular macro
22:44craigbrohmm, not getting this "compiler doing it" but
22:44ppppauli want to reuse zip locations with xml->
22:44craigbros/but/bit
22:45gfrederickscraigbro: that means after read-string nothing has happened
22:45craigbrodata readers are handled by the compiler
22:45gfredericks,(read-string "(compile-eval (MyType. 1 2))")
22:45clojurebot(compile-eval (MyType. 1 2))
22:45craigbroI mean data readers are handled by the darn reader, doh
22:45craigbrosorry, long day
22:45TimMc,(read-string "١٢٣٤٥")
22:45clojurebot#<NumberFormatException java.lang.NumberFormatException: Invalid number: ١٢٣٤٥>
22:45gfredericks(defmacro compile-eval [x] (eval x))
22:46technomancy(inc TimMc)
22:46lazybot⇒ 33
22:46TimMc,(read-string "123")
22:46clojurebot#<NumberFormatException java.lang.NumberFormatException: Invalid number: 123>
22:46craigbrohehe
22:46TimMcGood ol' Character/isDigit and its well-meaning users.
22:46technomancywestern imperialism!
22:47craigbrogfredericks: then you have to do some partial evaluation yourself, to do it safely, or eval everything
22:48gfrederickscraigbro: what's "everything"?
22:48craigbrothe entire thing you read in
22:48gfredericksI think if you're compiling code you're assuming it's safe
22:49gfredericksthe point is it gets eval'd at compile-time so that the constructed object gets embedded in your code, which is apparently an important capability that I don't know any uses for
22:49craigbroif you eval everything, then some things need to be quoted, anything not in that macro for example
22:49gfredericksyou don't eval everything
22:49gfredericksjust what's in the macro
22:49gfrederickswhich is what you're asking for by using the macro
22:49craigbroI think we're talking across purposes here 8)
22:50TimMcI wonder if one could confuse the reader by frobbing the PushbackReader while read is happening.
22:50craigbroI'm talking about #= eval-read, which is used by *print-dup* for example
22:50tbaldridgemy emacs just bugged out. It's trying to indent by lining up all args under the first argument. I'd like to switch back to the 2 space indent. Any ideas?
22:50craigbroand lets me preserve type information about the stuff I print out, without squashing it to clojure primitive types
22:50craigbroTimMc: you mean in a dastardly way?
22:50tomojtbaldridge: huh? first arg is the default
22:51TimMcYes.
22:51craigbroTimMc: how do you get a ref to the PushBackReader to do dastardly things, but not also already have code exec?
22:51tbaldridgehttp://stackoverflow.com/questions/8662687/emacs-auto-indent-in-clojure-do-it-like-cl I'd like the first example. the second is what I have now
22:51TimMccraigbro: I don't envision an exploit.
22:52gfrederickscraigbro: so you do #=(MyType. 1 2) and I do (compile-eval (MyType. 1 2)) -- in what important respect are these different?
22:52craigbro[1 2 3 #=(MyType 4)]
22:52craigbroI read that, and I have my data
22:52tomojtbaldridge: weird, clojure-mode does the first by default. did you add any config changing indentation settings...?
22:52tbaldridgenot that I know of. I'll try restarting emacs
22:52gfrederickscraigbro: if you're reading data why not use data readers instead?
22:53gfredericksor just eval if you really like evaling
22:53craigbroif you use your macro mechanism, I then have to run something over the result, making (compile-evals run
22:53tomojtbaldridge: specifically for "(if ...)" ?
22:53TimMcHmm, EdnReader duplicates ReadException.
22:53tomojnot "(foo/if ...)" or "(something-that-isnt-if ...)"?
22:53TimMcReaderException, rather
22:53gfrederickscraigbro: I'm trying to address rich's use case, which is code compilation; yours is handled by data readers and eval proper
22:54craigbrogfredericks: data-readers means that the receiving side has to know how to construct my objects entirely
22:54craigbromeaning, we have to sync our ontologies
22:54gfredericksokay so use eval then
22:54craigbroor, have a general purpose data-reader, in which case #= already does it
22:54craigbrodo you think this is what CL standards committee meetings were like?
22:55craigbrohehe
22:55amalloytbaldridge: for most functions, the second is normal; if and various other functions indent the first way. are you saying that everything is indenting like that now?
22:55tbaldridgetomoj: yeah, when I originally type forms, they show up correctly but then when I run CTRL+ALT+\ it switches everything to the 2nd version
22:56tomojdon't use that, use paredit-reindent-defun
22:56tomojI think it's M-q by default
22:56craigbroTimMC: pretty sure it's scoped to EdnReader tho
22:56craigbroaka, it's really EdnReader/ReaderException (or however you notate that in java)
22:56tomojwell.. I assume you're using paredit :)
22:57tomojand perhaps indent-region is not the problem
22:57tbaldridgetomoj: that did it, thanks
22:57craigbrogfredericks: are you expecting me to go read the ML so we can talk about the same thing now???
22:57lazybotcraigbro: How could that be wrong?
22:57craigbrook, scotch acquired, I can read it
22:57gfrederickscraigbro: no, just not very motivated
22:58TimMccraigbro: Yes, but I wonder if there's Clojure code out there that will assume all the read* fns use the same exception class.
22:59craigbrowell, since read-edn* don't exist yet, it would be dumb 8^)
23:00craigbrosince ReaderException is also private to LispReader...
23:00craigbroerr, contained in..
23:00TimMcpublic
23:00TimMc(try ... (catch clojure.lang.LispReader$ReaderException re ...))
23:01craigbrothere we go
23:01craigbro$
23:03proger79A newbie question: Is it possible to get function object MessageBox/Show without using '/' to use it as: (def mb (??-??-?? "Show" "MessageBox" "System.Windows.Forms.dll")) in ClojureCLR?
23:06craigbroTimMc: which ML is that one?
23:07TimMccraigbro: Which one?
23:07TimMcclojure-dev is probably what you're looking for, if it's about read-eval
23:10TimMcWell, I don't see any code in my checkouts relying on LispReader$ReaderException that should be switched over to EdnReader's version, so I guess that's OK?
23:10TimMc&(name 'foo/bar/baz)
23:10lazybot⇒ "baz"
23:11craigbroTimMc github code search 8)
23:17TimMc&(identical? 'foo 'foo)
23:17lazybot⇒ false
23:17Frozenlockwut
23:17Frozenlockaren't they the same symbol?
23:18TimMcNo, but I'm confused now because I see a Symbol.intern() call in the reader.
23:18xeqi&(= 'foo 'foo)
23:18lazybot⇒ true
23:19TimMcAh, Symbol.intern(...) interns the components.
23:19TimMc&(identical? (name 'foo) (name 'foo))
23:19lazybot⇒ true
23:20FrozenlockTimMc: Stop it! You're confusing me!
23:20craigbro&(^"bar" 'foo)
23:20lazybotclojure.lang.ArityException: Wrong number of args (0) passed to: Symbol
23:20TimMcFrozenlock: The reader calls this: https://github.com/clojure/clojure/blob/master/src/jvm/clojure/lang/Symbol.java#L59
23:20craigbro,^"bar" 'foo
23:20clojurebotfoo
23:21craigbroTimMc: the two symbols not being identical gets me
23:21craigbro&(= 'foo ^"bar" 'foo)
23:21lazybot⇒ true
23:22craigbrobut a robot once told me I don't understand how symbols work in clojure
23:22craigbroso it may be correct
23:22amalloythat's what keywords are for
23:22TimMcSymbols aren't really intended for use in identity comparison, unlike keywords.
23:23TimMc&(identical? :foo (keyword 'foo))
23:23lazybot⇒ true
23:23craigbroit's CL brain damage I am trying to recover from
23:23gfrederickscraigbro: it's cuz they gotsta have metadata
23:24TimMcgfredericks: That explanation used to satisfy me, several hours ago.
23:24gfrederickso_O
23:24gfredericksTimMc: are you having some sort of clojure crisis?
23:24craigbrogfredericks: sure, but why not have them work like keywords, as in, once interned, you always get the same one back by name?
23:24TimMcMore work, is my guess.
23:24gfrederickscraigbro: what would (with-meta 'foo {:bar :baz}) give you?
23:25craigbroexplosion!
23:25TimMcgfredericks: '[foo foo] could safely give you back two references to the same object. Why doesn't it? Extra work!
23:25amalloyyeah, all interning symbols would do for you is take up space and time, while providing the false expectation that they're always interned
23:25gfredericksTimMc: well that part I don't object to
23:26gfredericksbut like amalloy says it doesn't matter all that much
23:26craigbroone of those edge cases that only gets you when doing some metaprogramming
23:26TimMc= is fine
23:26gfredericksokay fellahs I'ma set read-eval to true and go to bed
23:26craigbroit makes writing "DSLs" (hate the word) a bit more difficult
23:27amalloyi can't imagine why, craigbro
23:27tpopewhat about keywords, are those interned?
23:27gfredericksyes
23:27TimMcYou betcha.
23:27TimMcThat's what they're for, really.
23:28gfredericksor rather, as TimMc said, "You betcha."
23:28TimMc,(Keyword/find 'foo)
23:28clojurebot#<CompilerException java.lang.RuntimeException: No such namespace: Keyword, compiling:(NO_SOURCE_PATH:0)>
23:28TimMc,(clojure.lang.Keyword/find 'foo)
23:28clojurebotnil
23:28TimMc,:foo
23:28clojurebot:foo
23:28TimMc,(clojure.lang.Keyword/find 'foo)
23:28clojurebot:foo
23:28amalloyyou're quite lucky nobody had tried :foo recently, or that example would be a bit sillier
23:29TimMcI actually thought I *had* tried it recently. :-P
23:29tpopethat matches my assumption
23:29tpopeI had never stopped to ponder whether symbols were interned
23:29tpopebut the fact they aren't still comes as a surprise
23:31TimMcI wonder why they intern their ns and name.
23:32amalloyTimMc: fast equality comparisons
23:32amalloyi assume so, anyway. i can't imagine any other reason
23:32amalloypossibly also to reduce the amount of space taken up by N different copies of the same symbol: they can't be pointing at different strings
23:33TimMcRight.
23:34TimMcSo each 'foo/bar allocates at most one new object instead of 3. (Well, + hashcode.)
23:35TimMcI see that the toString caches its return value.
23:35TimMc*at best
23:43yediwhy is software so absurdly difficult to set up sometimes?
23:44amalloybecause we're just monkeys