> To help the team stay in touch, a custom chatroom has been created using a Tcl/Tk script. The same script works as both client and server. The chatroom is private and uses a proprietary protocol, so that developers are free to discuss sensitive matters without fear of eavesdropping. The chatroom is implemented as just over 1000 lines of Tk code, and is thus accessible and easy to customize.
Curious if anyone has more details on this. Does it have encryption?
Fossil chat has the advantages that (1) it is fully encrypted and (2) it works from any web-browser, including on mobile phones.
Retr0id · 2h ago
> On the server-side, message text is stored exactly as entered by the users
I suppose the encryption is only at the TLS layer?
sgbeal · 1h ago
> I suppose the encryption is only at the TLS layer?
Correct unless the fossil repository in question uses SQLite's SEE (encryption) extension (which fossil can, but relatively few repositories use that, AFAIK).
E2EE group chat in 1000 lines would be rather impressive
therein · 59m ago
With a lot of the code that may be stashed away into libraries, it doesn't seem all that remarkable. I think the higher level logic and control flow for E2EE group chat could be condensed to 1000 lines with the proper abstraction. Tcl probably helped with that abstraction so credit where it is due.
Animats · 40m ago
> SQLite supports this syntax. But because of its TCL heritage, SQLite also allows the parameter to take the form of a TCL variable. Hence:
SELECT passwd, photo FROM user WHERE uid=$uid
Did they put "eval" in SQL parameter processing? Is there an SQL injection attack vulnerability there?
SQLite · 13m ago
> Is there an SQL injection attack vulnerability there?
No, at least not if you put the SQL inside of {...}, which IIRC the documentation strongly recommends.
The $uid is passed down into SQLite. It is a single token recognized by the SQL parser itself. It does not get expanded by TCL. The $uid token serves the same roll as a "?" or ":abc" token would in some other SQL implementations. It is a placeholder for a value. The tclsqlite3.c interface first parses the SQL, then asks for the names of all of the placeholder tokens. Then it binds the values in TCL variables of the same name to those placeholders.
Indeed, this whole mechanism is specifically designed to make it easy to write SQL-injection-free code. As long as you put your SQL inside of {...}, you are completely safe from SQL injections.
If your TCL script includes SQL text inside of "...", then TCL will do the expansion and SQL injection is possible. But as long as the SQL text is inside of {...}, SQL injection is not possible.
https://shemesh.larc.nasa.gov/fm/papers/Hayhurst-2001-tm2108...(This tutorial provides a practical approach to assessing modified condition/decision coverage (MC/DC) for aviation software products that must comply with regulatory guidance for DO-178B level A software)
kjs3 · 1h ago
I don't get the Tcl hate. I use it all the time on Cisco gear, and it's incredibly useful. Sure, if you try and turn it into a 10k+ LOC solution, life is going to suck. But in it's use case envelope, so much value.
But then I'm old and still use perl for small stuff, so probably not reading the room....
lanstin · 23m ago
Time does move on, but not necessarily for good reasons. TCL is the best way to embed programmability into C or C++ code; Oousterhout’s writings on modularity and composability explain why this is so useful to those that lack the experience of winning with it. But we have to use YAML for ops instead and wait for the scarse and slow Go or Java or whatever teams to extend their yaml interpreters every time we need a value to be a loop instead of one value.
mdaniel · 4h ago
The bottom half of that "talk" just reeks of NIH, and look, I appreciate if you're the author of SQLite you get damn near unlimited leeway to do whatever you want despite what some rando on the Internet says, but ... I sure am glad I don't work under those conditions
0cf8612b2e1e · 3h ago
Better alternatives in the year 2000? SQLites raison d’etre is to be stable and safe. Rewriting a working solution is anathema to that goal.
wizzwizz4 · 2h ago
SQLite predates most of the things you'd use instead. Given that in any case they'd be the ones left maintaining the wheels, long after everyone else has abandoned them, it makes sense for them to use their own wheels.
gjvc · 3h ago
would you be as bothered if they were instead using perl?
nurettin · 3h ago
Do you mean the part where they use a tcl script to extract comments and function signatures into documentation as opposed to using something like doxygen?
kevin_thibedeau · 3h ago
Vibe coders don't do test coverage. That's for old people.
nurettin · 3h ago
Shame, adding tests, or at least some experiments would actually improve vibe coding by several factors. But perhaps it depends on what you are coding.
kjs3 · 2h ago
I sure am glad I don't work under those conditions
I think we're all glad you don't work on things that require long term stability.
Curious if anyone has more details on this. Does it have encryption?
Fossil chat has the advantages that (1) it is fully encrypted and (2) it works from any web-browser, including on mobile phones.
I suppose the encryption is only at the TLS layer?
Correct unless the fossil repository in question uses SQLite's SEE (encryption) extension (which fossil can, but relatively few repositories use that, AFAIK).
No, at least not if you put the SQL inside of {...}, which IIRC the documentation strongly recommends.
The $uid is passed down into SQLite. It is a single token recognized by the SQL parser itself. It does not get expanded by TCL. The $uid token serves the same roll as a "?" or ":abc" token would in some other SQL implementations. It is a placeholder for a value. The tclsqlite3.c interface first parses the SQL, then asks for the names of all of the placeholder tokens. Then it binds the values in TCL variables of the same name to those placeholders.
Indeed, this whole mechanism is specifically designed to make it easy to write SQL-injection-free code. As long as you put your SQL inside of {...}, you are completely safe from SQL injections.
If your TCL script includes SQL text inside of "...", then TCL will do the expansion and SQL injection is possible. But as long as the SQL text is inside of {...}, SQL injection is not possible.
https://en.wikipedia.org/wiki/Modified_condition/decision_co...
https://shemesh.larc.nasa.gov/fm/papers/Hayhurst-2001-tm2108... (This tutorial provides a practical approach to assessing modified condition/decision coverage (MC/DC) for aviation software products that must comply with regulatory guidance for DO-178B level A software)
But then I'm old and still use perl for small stuff, so probably not reading the room....
I think we're all glad you don't work on things that require long term stability.