<discocaml>
<piotrmjurek> Whole series from @teej_dv on raylib and building game engine
tremon has joined #ocaml
blendux has joined #ocaml
<blendux>
Good morning all! Has anyone used the ocaml-git package?
alfiee has joined #ocaml
Inline_ has joined #ocaml
Inline is now known as Guest2601
Guest2601 has quit [Killed (zinc.libera.chat (Nickname regained by services))]
Inline_ is now known as Inline
alfiee has quit [Ping timeout: 265 seconds]
jlrnick has joined #ocaml
Inline_ has joined #ocaml
Inline has quit [Killed (tantalum.libera.chat (Nickname regained by services))]
Inline_ is now known as Inline
alexherbo2 has quit [Remote host closed the connection]
alexherbo2 has joined #ocaml
Haudegen has quit [Quit: Bin weg.]
Inline has quit [Ping timeout: 252 seconds]
dylanj has quit [Remote host closed the connection]
alfiee has joined #ocaml
dylanj has joined #ocaml
alfiee has quit [Ping timeout: 248 seconds]
Inline has joined #ocaml
blendux has quit [Read error: Connection reset by peer]
blendux has joined #ocaml
jlrnick has quit [Ping timeout: 244 seconds]
alfiee has joined #ocaml
alfiee has quit [Ping timeout: 245 seconds]
Haudegen has joined #ocaml
undermine has joined #ocaml
alfiee has joined #ocaml
alfiee has quit [Ping timeout: 272 seconds]
alexherbo2 has quit [Remote host closed the connection]
euphores has quit [Quit: Leaving.]
<discocaml>
<mbacarella> not that ocaml developers write code with security vulnerabilities (😏) but sometimes ocaml code vendors and binds packages that have vulnerabilities. is there any notion in opam about what fixes are security fixes?
Haudegen has quit [Quit: Bin weg.]
<discocaml>
<mbacarella> not that ocaml developers write code with security vulnerabilities (😏) but sometimes ocaml code vendors and binds packages that have vulnerabilities. is there any notion in opam about what updates fix security vulns?
euphores has joined #ocaml
alfiee has joined #ocaml
<discocaml>
<octachron> Not right now, but having something similar to https://rustsec.org is discussed from time to time.
euphores has quit [Ping timeout: 260 seconds]
alfiee has quit [Ping timeout: 248 seconds]
euphores has joined #ocaml
<discocaml>
<mbacarella> it occurs to me that it's probably going to become harder than ever to build a business around niche languages if you can't do automated compliance surveillance around ecosystem vulns
<discocaml>
<mbacarella> given things like the increasing ubiquity of SOC2 and EU cyber resilience
<discocaml>
<mbacarella> are OCaml packages high profile enough to get CVEs?
<discocaml>
<mbacarella> there's surely more than 22 vulnerabilities in the entire OCaml ecosystem in the last 16 years
<discocaml>
<undu> The first CVE is for an implementation in C, not OCaml 😐
<discocaml>
<undu> > MITIGATION
<discocaml>
<undu> > ==========
<discocaml>
<undu> >
<discocaml>
<undu> > The problem can be avoided by using OCaml Xenstored variant.
alfiee has joined #ocaml
<discocaml>
<undu> It looks like there are oxenstored vulnerabilities that are missing from the list, anyway
<discocaml>
<undu> I believe they are all properly reported
alfiee has quit [Ping timeout: 244 seconds]
<discocaml>
<deepspacejohn> one of the nice things about using OCaml vs, say, JavaScript on GitHub is that you don't have dependabot opening a PR to fix a "critical" vulnerability in a random dependency every week.
deavmi has joined #ocaml
Haudegen has joined #ocaml
alfiee has joined #ocaml
alfiee has quit [Ping timeout: 248 seconds]
<discocaml>
<JM> I guess this says more about dependabot not supporting opam/dune than the lack of vulnerabilities in the OCaml ecosystem 😅
blendux has quit [Ping timeout: 260 seconds]
blendux has joined #ocaml
Serpent7776 has joined #ocaml
alfiee has joined #ocaml
alfiee has quit [Ping timeout: 252 seconds]
blendux has quit [Ping timeout: 248 seconds]
blendux has joined #ocaml
euphores has quit [Quit: Leaving.]
<undermine>
/join #rhel
euphores has joined #ocaml
dylanj has quit [Remote host closed the connection]
dylanj has joined #ocaml
alfiee has joined #ocaml
alfiee has quit [Ping timeout: 276 seconds]
dylanj has quit [Remote host closed the connection]
dylanj has joined #ocaml
Haudegen has quit [Quit: Bin weg.]
Anarchos has joined #ocaml
dylanj has quit [Remote host closed the connection]
dylanj has joined #ocaml
dylanj has quit [Remote host closed the connection]
dylanj has joined #ocaml
dylanj has quit [Remote host closed the connection]
blendux has quit [Quit: Quit]
rgrinberg has joined #ocaml
dylanj has joined #ocaml
rgrinberg has quit [Client Quit]
rgrinberg has joined #ocaml
dylanj has quit [Remote host closed the connection]
dylanj has joined #ocaml
alfiee has joined #ocaml
<discocaml>
<shon_18152> It is true that the velocity of fixes is surely higher in a language ecosystem with a greater velocity of breaks (and just of work all around), but another factor here is that, the way opam is run and designed, *most* of the time you don't want (or need) upper bounds on dependencies. So we mostly don't need a dependabot.
<discocaml>
<shon_18152> At least, this is a half-baked thought I've entertained, and which I think has something to it.
<discocaml>
<shon_18152> Tho I think it could be quite helpful to have an automated process to send notifications for needed updates to package maintainers, to complement the addition of upper bounds in opam packages when publications introduce breaking changes.
alfiee has quit [Ping timeout: 260 seconds]
Inline has quit [Ping timeout: 268 seconds]
jlrnick has joined #ocaml
Anarchos has quit [Quit: Vision[]: i've been blurred!]
Anarchos has joined #ocaml
jlrnick has quit [Ping timeout: 244 seconds]
Inline has joined #ocaml
alfiee has joined #ocaml
alfiee has quit [Ping timeout: 246 seconds]
Anarchos has quit [Quit: Vision[]: i've been blurred!]
deavmi has quit [Ping timeout: 245 seconds]
bartholin has quit [Quit: Leaving]
Anarchos has joined #ocaml
Inline has joined #ocaml
Inline has quit [Killed (platinum.libera.chat (Nickname regained by services))]
Inline_ has joined #ocaml
dhil has quit [Ping timeout: 244 seconds]
Inline has quit [Killed (mercury.libera.chat (Nickname regained by services))]
Inline_ is now known as Inline
rgrinberg has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
alfiee has joined #ocaml
Anarchos has quit [Quit: Vision[]: i've been blurred!]
alfiee has quit [Ping timeout: 244 seconds]
Anarchos has joined #ocaml
deavmi has joined #ocaml
Anarchos has quit [Client Quit]
Tuplanolla has joined #ocaml
Anarchos has joined #ocaml
Anarchos has quit [Client Quit]
Inline has quit [Ping timeout: 252 seconds]
alfiee has joined #ocaml
rgrinberg has joined #ocaml
alfiee has quit [Ping timeout: 246 seconds]
rgrinberg has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
Inline has joined #ocaml
Anarchos has joined #ocaml
Serpent7776 has quit [Ping timeout: 252 seconds]
Inline has quit [Ping timeout: 252 seconds]
mange has joined #ocaml
alfiee has joined #ocaml
alfiee has quit [Ping timeout: 244 seconds]
Anarchos has quit [Quit: Vision[]: i've been blurred!]