Problems caused by a leading "-" in Git/Mercurial/Subversion

Seen in "[ANNOUNCE] Git v2.14.1, v2.13.5, and others", a problem caused by arguments that begin with "-":

These contain a security fix for CVE-2017-1000117, and are released in coordination with Subversion and Mercurial that share a similar issue. CVE-2017-9800 and CVE-2017-1000116 are assigned to these systems, respectively, for issues similar to it that are now addressed in their part of this coordinated release.

This is an old class of problem. Git's fix mainly goes in the direction of filtering input: it forbids hostnames that begin with "-", forbids a host or port beginning with "-" from being passed to GIT_PROXY_COMMAND, and also forbids repository names that begin with "-":

  • A "ssh://..." URL can result in a "ssh" command line with a hostname that begins with a dash "-", which would cause the "ssh" command to instead (mis)treat it as an option. This is now prevented by forbidding such a hostname (which should not impact any real-world usage).
  • Similarly, when GIT_PROXY_COMMAND is configured, the command is run with host and port that are parsed out from "ssh://..." URL; a poorly written GIT_PROXY_COMMAND could be tricked into treating a string that begins with a dash "-" as an option. This is now prevented by forbidding such a hostname and port number (again, which should not impact any real-world usage).
  • In the same spirit, a repository name that begins with a dash "-" is also forbidden now.
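What that filtering amounts to, as an added Python example (not Git's code, which does this in C): parse the ssh:// URL into its components, refuse any component that begins with "-" before it can ever reach an ssh command line or a GIT_PROXY_COMMAND, and only then build the argument vector. The function names, the sample URLs and the "git-upload-pack" remote command string are constructed for this example.

```python
"""Reject dash-prefixed URL components before they become ssh arguments.

Added example mirroring the rule in the Git release notes; not Git's own code.
"""
import shlex
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def _split_netloc(netloc: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Split "user@host:port" (or "[v6]:port") into (user, host, port) as raw strings."""
    userinfo, _, hostport = netloc.rpartition("@")  # no '@' -> userinfo == ""
    if hostport.startswith("["):  # IPv6 literal, e.g. [::1]:22
        host, _, rest = hostport[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = hostport.partition(":")
    return (userinfo or None, host, port or None)


def ssh_url_problem(url: str) -> Optional[str]:
    """Return a reason to refuse the URL, or None if it is safe to turn into argv.

    Every component that will appear as a separate argument (user, host, port,
    repository path) is checked for a leading '-', because ssh, and a naive
    GIT_PROXY_COMMAND, would otherwise parse it as an option.
    """
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        return "not an ssh:// URL"
    user, host, port = _split_netloc(parts.netloc)
    if not host:
        return "empty hostname"
    repo = parts.path.lstrip("/")
    for name, value in (("user", user), ("hostname", host),
                        ("port", port), ("repository", repo)):
        if value is not None and value.startswith("-"):
            return f"{name} {value!r} begins with '-' and would be parsed as an option"
    if port is not None and not port.isdigit():
        return f"port {port!r} is not numeric"
    return None


def ssh_argv(url: str) -> List[str]:
    """Build the ssh argument vector for a validated URL; raises ValueError otherwise.

    Arguments are passed as a list (never a shell string), so the only place
    quoting matters is the remote command, which is quoted with shlex.
    """
    problem = ssh_url_problem(url)
    if problem:
        raise ValueError(problem)
    parts = urlsplit(url)
    user, host, port = _split_netloc(parts.netloc)
    repo = parts.path.lstrip("/")
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    argv.append(f"{user}@{host}" if user else host)
    argv.append("git-upload-pack " + shlex.quote(repo))  # constructed remote command
    return argv


if __name__ == "__main__":
    # Constructed sample URLs: one ordinary, one with a dash-prefixed host.
    for sample in ("ssh://git@example.com:2222/org/repo.git",
                   "ssh://-example.invalid/repo.git"):
        print(sample, "->", ssh_url_problem(sample) or ssh_argv(sample))
```

The check is deliberately a rejection rather than an attempt to escape the value: a "--" separator before the host only helps with ssh binaries that honour it, which is why the release notes above describe forbidding such hostnames outright.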

Also, Chunghwa Telecom's DNS servers (168.95.1.1 & 168.95.192.1) both failed to resolve marc.info; I had to switch to Google's 8.8.8.8 to get an answer... =_=

Single-thread performance comparison of MySQL 5.6/5.7/5.8

Mark Callaghan discusses how, at low load, newer MySQL versions can actually be slower than older ones: "The history of low-concurrency performance regressions in MySQL 5.6, 5.7 and 5.8".

One example of the regression occurs for in-memory sysbench where MySQL 5.7 and MySQL 8 get 60% to 70% of the QPS compared to 5.6, which is the same as writing that 5.6 gets 1.43X to 1.67X more QPS than MySQL 5.7 and MySQL 8.

Not too surprising: features keep piling up, and the optimization effort all goes into the various high-load scenarios; nobody optimizes for the single-thread case...

PHP's mainstream versions have moved on to 7.0 and 7.1...

"PHP Versions Stats - 2017.1 Edition" analyzes Packagist's access logs and finds:

PHP 7.0 and 7.1 are finally climbing. Another interesting number is HHVM, mentioned in a comment:

@ocramius: These numbers ignore Travis CI and other CI systems that set the "CI" env var in their workers. Without excluding those HHVM is around 0.95% so it's still low but those .36% is probably actual usage.

Someone is still using it...

GitHub now supports Rebase when merging Pull Requests

Some people prefer to keep history exactly as it was, others prefer to keep the tree clean; the newly released rebase option fills the latter need: "Rebase and merge pull requests".

Adding keyboard shortcuts to the mobile web version of Twitter

Twitter's web version keeps getting slower, so quite a few people use the mobile version (the mobile.twitter.com site) on their desktop, but that site's features are fairly bare-bones.

The sindresorhus/refined-twitter project adds many keyboard shortcuts to the mobile version; on Google Chrome it can be installed from the Store: "Refined Twitter".

I had never used the mobile site before; it is so much faster...

MediaWiki's EmailDiff extension

Previously, MediaWiki's change notifications only "notified" you in the email without listing what had changed, so the reader had to click through to see it... (and so never bothered to click)

A while ago I saw that someone had written an extension to include the diff, which solves this problem: "MediaWiki extension EmailDiff: notification emails improved".

The email now contains content like this:

Version differences:
@@ -846,5 +887,3 @@
 In cattle, temperament can affect production traits such as carcass and meat 
 quality or milk yield as well as affecting the animal's overall health and 
-reproduction. Cattle temperament is defined as "the consistent behavioral and physiological 
-difference observed between individuals in response to a stressor or environmental 
+reproduction. If you succeed in tipping a cow only partway, such that only one 
+of its feet is still on the ground, you have created lean beef. Such a feat is 
+well done. Naturally, being outside, the cow is unstable. When it falls over, 
+it becomes ground beef. Cattle temperament is defined as "the consistent behavioral 
+and physiological difference observed between individuals in response to a stressor or environmental 
 challenge and is used to describe the relatively stable difference in the behavioral 
 predisposition of an animal, which can be related to psychobiological mechanisms.

This is far more readable; I'll find someone to install it...

PHP version statistics for sites running WordPress

"Why We're Still Seeing PHP 5.3 In The Wild (Or: PHP Versions, A History)" has some interesting statistics; although it is an old article from 2015, the statistics are public, so the current numbers can be fetched the same way.

The author's numbers from July 2015 (roughly the end of the month) were:

$ curl http://api.wordpress.org/stats/php/1.0/ | jq '.'
{
  "5.2": 13.603,
  "5.3": 32.849,
  "5.4": 40.1,
  "5.5": 9.909,
  "5.6": 3.538
}

The numbers I just fetched are:

$ curl -s https://api.wordpress.org/stats/php/1.0/ | jq .
{
  "7.0": 0.423,
  "5.6": 12.429,
  "5.5": 17.188,
  "5.4": 35.824,
  "5.3": 24.754,
  "5.2": 9.382
}

Even now in 2016, PHP 5.3 and PHP 5.4 still make up a huge share, yet neither receives security updates anymore.

The author guesses that shared hosting still accounts for a large portion of WordPress installs, and most shared hosting providers don't care much: once set up, it is left running with no plan to upgrade...

WordPress should be firmer about this; with the "Requirements" page worded like this, why would any hosting provider want to upgrade:

Note: If you are in a legacy environment where you only have older PHP or MySQL versions, WordPress also works with PHP 5.2.4+ and MySQL 5.0+, but these versions have reached official End Of Life and as such may expose your site to security vulnerabilities.

It "works", after all...

PHP's life cycle

PHP's "Supported Versions" and "Unsupported Branches" pages show that PHP 5.4 reached end of maintenance in early September this year (security updates included).

"PHP Versions Stats - 2015 Edition" analyzes Packagist's data and still shows plenty of people on PHP 5.3 and PHP 5.4:

Hmm, quite consistent with the PHP community's and hosting providers' habit of never updating...?

How Composer selects versions

Composer is currently the most popular package manager in the PHP world, with built-in autoload modules and the huge Packagist ecosystem.

"Installing Composer Packages" explains how to specify a package's version in Composer. Before that, you need to know what Semantic Versioning is, and then read the author's argument.

Straight to the conclusion: the article recommends specifying versions with ~, which is usually what you want: ~1.2 means >=1.2.0,<2.0.0; ~1.2.3 means >=1.2.3,<1.3

This is a fairly common situation when dealing with compatibility problems.
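The tilde rule above, as an added Python example (not Composer's own code, which is PHP): the lower bound is the version as written, and the upper bound is obtained by dropping the last component and incrementing the new last one, so everything but the final digit you wrote is locked. The helper names (`tilde_range`, `satisfies`) are constructed for this example, and it covers only the ~x.y and ~x.y.z forms the post describes.

```python
"""Expand Composer-style tilde (~) constraints into explicit version ranges.

Added example, not Composer's code; handles "~MAJOR.MINOR" and
"~MAJOR.MINOR.PATCH" and plain dotted-integer versions only.
"""
import re
from typing import Tuple


def _parse(version: str) -> Tuple[int, ...]:
    """Turn "1.2.3" into (1, 2, 3); anything that is not dotted integers is rejected."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unsupported version syntax: {version!r}")
    return tuple(int(p) for p in version.split("."))


def _pad(parts: Tuple[int, ...], n: int = 3) -> Tuple[int, ...]:
    """Right-pad with zeros so (1, 2) compares like (1, 2, 0)."""
    return tuple(parts) + (0,) * (n - len(parts))


def _fmt(parts: Tuple[int, ...]) -> str:
    return ".".join(str(p) for p in parts)


def tilde_range(constraint: str) -> Tuple[str, str]:
    """Expand "~x.y" or "~x.y.z" into (">=lower", "<upper") strings.

    ~1.2   -> (">=1.2.0", "<2.0.0")   only the minor may move
    ~1.2.3 -> (">=1.2.3", "<1.3.0")   only the patch may move
    """
    if not constraint.startswith("~"):
        raise ValueError("not a tilde constraint")
    parts = _parse(constraint[1:])
    if len(parts) < 2:
        raise ValueError("this example needs at least MAJOR.MINOR after ~")
    upper = list(parts[:-1])   # drop the last written component...
    upper[-1] += 1             # ...and bump the one before it
    return f">={_fmt(_pad(parts))}", f"<{_fmt(_pad(tuple(upper)))}"


def satisfies(version: str, constraint: str) -> bool:
    """Check a concrete version against a tilde constraint via the expanded bounds."""
    lo, hi = tilde_range(constraint)
    v = _pad(_parse(version))
    return _pad(_parse(lo[2:])) <= v < _pad(_parse(hi[1:]))


if __name__ == "__main__":
    for c in ("~1.2", "~1.2.3"):
        print(c, "->", " ".join(tilde_range(c)))
```

The comparison is done on integer tuples rather than on the strings, which is why "1.10.0" correctly sorts above "1.9.0"; string comparison would get that wrong and is a common source of surprising constraint behaviour.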