Przeglądając Poradnię językową PWN natknąłem się na opinię dr. Adama Wolańskiego dot. zapisu dat; konkretnie nt. formy RRRR-MM-DD, którą dr Wolański bezapelacyjnie odrzucił. Wychodząc poza sferę języka polskiego, argumentował dalej, iż „w korespondencji z Wielką Brytanią datę zapiszemy cyfrowo jako 21/6/2009 lub 21/06/2009, lub 21.6.2009, a z USA — jako 6/21/2009 lub 06/21/2009.” Jest to opinia, która pomija istotę problemu i sens komentarza czytelnika Poradni. Z założenia jestem zwolennikiem przestrzegania reguł językowy, jednak w tym przypadku jasno trzeba przyjąć, iż korespondując z międzynarodowym odbiorcą, daty piszemy jako RRRR/MM/DD lub, wedle uznania, RRRR-MM-DD.

W międzynarodowych projektach tożsamość i kompetencja językowa współpracowników często nie są znane. Może to być Brytyjczyk w Nowym Jorku, Amerykanin w Szwajcarii, Francuz w Londynie, Japończyk w San Francisco itp. Dodatkowo w przypadku niejednoznaczności czytelnik może próbować zgadywać co autor miał na myśli: „Wiadomość przyszła od Europejczyka, więc pewnie chodziło o zapis dzień/miesiąc.”

Podstawową funkcją języka jest komunikacja. Zapis XX/YY/RRRR (czy też XX/YY bez określenia roku) komunikacji nie sprzyja. Wręcz przeciwnie; jest on źródłem nieporozumień i opóźnień. Z tego powodu powinien być odrzucony.

Perusing glossy magazines,¹ I was made aware of CVE-2024-2912 which describes how a POST request can lead to Remote Code Execution (RCE) in BentoML servers. A feature most users would rather live without. Bugs happen and I don’t want to criticise the developers unjustly, but knowing the root of the issue was Python’s pickle module, I can only wonder: How the fuck is this still happening?

pickle is insecure by design

import pickle
pickle.loads(b'cos\nsystem\n'
             b'(S"echo evil"\ntR.')

pickle serialisation uses a stack-based virtual machine with a ‘reduce’ operation which allows calling arbitrary Python functions (as shown in figure on the right). It’s no surprise it keeps popping up in security vulnerabilities. It’s been known for decades using picule invites trouble.² The documentation highlights the dangers quite clearly, but that’s apparently not enough.

Call to action

I call upon you to stop this madness. There are easy steps you can take to make everyone safer:

• If you see a junior developer type import pickle, mentor them and explain the module must never be used due to security holes.
• If you see +import pickle line during a code review, reject the patch.
• If you write code yourself, use an alternative serialisation method, e.g. one listed below.
• And finally, if you’re Python project member, deprecate pickle. Many features have been deprecated already, so backwards compatibility is not a valid excuse. C managed to get rid of gets, I believe it’s possible to heal Python as well.

No. But yes. But no. It’s complicated, let me explain.

Greenwich Mean Time (GMT) is the local mean time in Greenwich, London. Local indicates it tracks the position of the Sun on the sky.¹ However, because Earth’s rotation speed varies, a second according to GMT has different lengths on different days.

Meanwhile, Coordinated Universal Time (UTC²) is based on atomic clocks which guarantee constant length of a second. Unfortunately, Earth refuses to conform to human standards. To account for that, leap seconds are occasionally applied to UTC. As necessary, one second can be added (resulting in time 23:59:60) or removed (resulting in day ending at 23:59:58) at the end of June or December.³

While GMT and UTC use different methods for tracking time and adjusting to the Earth’s irregular rotation, they are synchronised to within 0.9 s and for everyday purposes they are the same.

Unfortunately things can get more convoluted. Someone may incorrectly use GMT to refer to time zone in London which is UTC+1 during daylight saving time. Furthermore, throughout history there were additional conflicting definitions of GMT.

Conclusion

All in all, it’s best to use UTC to avoid ambiguity.

In ‘Your Screen is Secretly 30 Years Old’ video on The Science Asylum channel, Nick Lucid argues that 7-bit colour depth is sufficient for screens, claiming that 2 million colours (vs 16 million at 8-bit colour depth) ‘would be more than enough for most people’:

Can screens make fewer [than 16 million] colours without us noticing? The answer is absolutely yes. 16 million is an overkill. 2 million would be more than enough for most people. It’s just that controlling a screen with 16 million colours costs the same as the screen with 2 million because they use the same number of bytes.

This article interrogates that statement. To provide a visual baseline, Fig. 1 compares two grey gradients: one uses 8 bits per component (bpc) while the other uses 7 bpc. Fewer colour discrete levels lead the 7 bpc gradient to exhibit clearly visible banding (where rather than smooth transition between colours, places where colours change can be identified) immediately undermining the premise that 7-bit colour depth is perceptually indistinguishable from higher bit-depths.

If you’re a digital archivist, photography enthusiast or data hoarder, you’ve likely faced the ‘No space left on device’ error. Before you start deleting your files, there’s a way to reclaim space without losing a single pixel: JPEG XL. Unlike typical lossy transcoding which degrades quality, JPEG XL allows for bit-for-bit reconstruction of the original files.

JPEG XL is the newest image file format developed by the Joint Photographic Experts Group with, among other features, better compression. Normally converting between formats with lossy compression is inadvisable as it exacerbates quality loss; however, JPEG XL offers lossless JPEG transcoding.

Unlike normal conversion (e.g. from JPEG to AVIF), JPEG transcoding doesn't re-encode the image data. It merely repackages the existing information so that the original JPEG file can be recreated bit-for-bit. And all that with 22% better compression.

Even though using Linux has never been easier, newcomers often hit a confusing roadblock: the overwhelming choice of a distribution. Someone coming from Windows or MacOS will find the very concept of a ‘distribution’ to be alien, and the endless listicles and user arguments about which one is ‘best’ only make the confusion worse.

This article aims to clear up that confusion by providing a better way to think about Linux choices, so you won’t be overwhelmed by all the different options if you’re thinking of switching.

The chilly afternoon in Łódź was no match for the warm welcome Andrzej Sapkowski and Adam Badowski received as they entered the stage. The author of the Witcher book series and co-CEO of CD Projekt Red (CDPR) arrived at the 36th International Festival of Comics and Games to explore a simple but elusive question:

What makes a Witcher story?

The panel was moderated by Michał Giersz, who wasted no time to start the conversation. According to him, having Geralt, Ciri, Yennefer or Triss by itself doesn’t make a Witcher story. Narratives without those characters may still feel like Witcher tales. In trying to find the essence of the Witcher stories, he asked about aspects that Sapkowski focuses on first when writing.

I’m delighted to share my paper I’ve presented at the IEEE/IFIP International Conference on Dependable Systems: ‘Be My Guest: Welcoming Interoperability into IBC-Incompatible Block­chains’.

It introduces the concept of a guest block­chain which runs on top of a block­chain and provides features necessary to support the Inter-Blockchain Communication (IBC) protocol. This enables trustless cross-chain interoperability between blockchains which would otherwise not support IBC-based communication. We demonstrate our approach by deploying the guest blockchain on Solana connecting it to the Cosmos ecosystem with performance comparable to native IBC implementations.

Updated on the 31st of July to reflect the fact deadline for both petitions have now passed.

The dystopian interpretation of the ‘you’ll own nothing and be happy’ phrase feels increasingly prescient.¹ As corporations hide behind lengthy Terms of Service and End User License Agreements,² the concept of ownership becomes alarmingly ambiguous. This erosion of consumer rights has given rise to the Stop Killing Games (SKG) movement.

In 2015 I’ve stumbled upon the Classic Tetris World Cham­pion­ship. Even though I’d never played NES Tetris, I started following the event with interest. I keenly remember watching the historic 2018 final which was a prelude to the next generation of players picking up the game.

In contrast, world of racing games offer an example of fleeting ownership. While generations continue to enjoy NES Tetris, with a 13-year-old famously ‘beating’ the game 34 years after its release,³ Ubisoft’s 2014 game The Crew didn’t even last a decade. In 2024, Ubisoft didn’t just shut down the servers; it began revoking players’ licenses, seemingly doing everything in its power to ensure the game couldn’t be preserved or revived by the community.

In the previous post, I criticised Rust’s contribution process, where a simple patch languished due to communication hurdles. Rust isn’t unique in struggling with its process. This time, the story is about Python.

Parsing HTML in Python

As its name implies, the html.parser module provides interfaces for parsing HTML documents. It offers an HTMLParser base class users can extend to implement their own handling of HTML markup. Of our interest is the unknown_decl method, which ‘is called when an unrecognised declaration is read by the parser.’ It’s called with an argument containing ‘the entire contents of the declaration inside the <![...]> markup.’ For example:

from html.parser import HTMLParser

class MyParser(HTMLParser):
    def unknown_decl(self, data: str) -> None:
        print(data)

parser = MyParser()
parser.feed('<![if test]>')
    # Prints out: if test
    # (unless Python 3.13.4+, see below)
parser.feed('<![CDATA[test]]>')
    # Prints out: CDATA[test