/tech/ - Technology★

json is used everywhere by everything, your going to be forced to use it to interact with something at some point.

it works seamlessly with python, C on the other hand is fun to deal with. there's a bunch of c libraries to read it though. I just got done implementing cJSON, which was fun, but once you get the hang of it it's not that complicated.

i've never even bothered with xml, nothing i've interacted with required it over json, and json seems to naturally fit the data with no text bloat. i don't know why you would really want to represent data in html with custom tags.

fast but dont expect to use it in security oriented environments

>>902506

Care to elaborate? How can it impact security?

>>902507

>>how can javascript based language impact security

are you 5

>>902511

JSON isn't javascript.

>>902511

JSON is not executable, and therefore cannot directly post a security risk. Furthermore I'm not using jabbascript as my programming language.

Yes, I did state "jabbascript inspired" as a disadvantage, but that was an autistic joke and not intended to be serious.

If you use XML then never make anyone interact with it directly. The syntax is so painful to interact with.

>>not an executable thus its secure

that is retarded

>>902511

Are YOU retarded?

>>902520

you have a childs understanding of security

>>902511

>>902518

why claim a security issue and post zero evidence there's a security issue. how about you post some proof nigger. right now it sounds like the only thing you know about json is from a jewgle search to figure out what it stands for.

>>902521

You have no argument.

>>there isnt a security issue until you post an issue

lol

>>902524

>its insecure because it looks like javascript

lol

>>902524

>there's a security issue just because i say so on an imageboard with zero proof

http://langsec.org

All you need is a parser that's proven to be correct and bug-free.

>>just write everything in low level javascript based trash language because who cares

on it

>>902536

>hurr javascrip

Use CBOR then, you autistic retard.

>>use the same crap that has slightly different lineage

great

>>902540

It's an IETF standard, moron.

>>same crap different standard

wow what a fucking sea of change there columbus

>>902546

Let's just stop replying to him.

Protobuf is more efficient.

XML is dead, there is no reason to use it anymore, unless you are facing a particular edge case where you need XML, and if you were facing that case you would already know. So, use JSON.

Why has no one in this thread mentioned namespaces? Does JSON have an extension for them?

>>902564

Plus, I may be an XML nerd, but I think XML entities may have a handful of valid uses as well.

>>902565

is there data that can be expressed in xml and not in json and vice versa?

>>902567

>>902565

>>902564

>>902563

As I wrote in the OP, I've already implemented my stuff using JSON. So there's no pressing reason to change, I was just curious whether XML would offer any advantages. (Also I'm autistic about getting things perfect, so there's that.)

>>902567

Well, this depends on what you mean by "expression." You can add semantics like comment:'foo' or namespace:'bar' to your personal JSON format, but in order to endow such user-defined extensions with broader (context-insensitive) qualitative distinction, you would have to effectively fork JSON as a whole, so for those extensions to have permanent functional behaviors (being ignored, raising exceptions, and so on.)

>>902569

>>902567

But, to reply more straightforwardly, if you're asking about the subset of "hierarchical expression of text structures," no, I don't think so, unless either format imposes some obscure limitations on field length limits or character encodings.

>>902567

XML assumes some sort of schema/validation, so if you want that, it might be a valid reason to use XML. I'm sure there are are tools for validation of JSON too, but I don't think it's as common.

>>902529

I looked at a couple of those papers because I thought maybe it would be about solving actual problems, or just copying how Multics and VMS did it, but it's more UNIX and C bullshit. Multics in the 60s was better than UNIX in 2018.

http://langsec.org/papers/Bratus.pdf

>What unites the printf ’s handling of the format string argument and an imple-

>mentation of malloc?

They're both bugs caused by C bullshit that wouldn't happen if you used a different language.

>The “weird instruction” primitives they supply to exploits.

>This strange conf luence is explained in “Advanced Doug Lea’s malloc Exploits” [5],

>which follows the evolution of the format string-based “4-bytes-write-anything-

>anywhere” primitive in “Advances in Format String Exploitation” [14] to the

>malloc-based “almost arbitrary 4 bytes mirrored overwrite,” for which the authors

>adopted a special “weird assembly” mnemonic,

>aa4bmo .

In the time it took to turn bugs into a “weird assembly” language, they could have done a whole bunch of things, like building a Lisp machine.

>Such primitives enable the writing of complex programs, as explained by Gerardo

>Richarte’s “About Exploits Writing” [13]; Haroon Meer’s “The(Nearly) Complete

>History of Memory Corruption” [8] gives a (nearly) complete timeline of memory

>corruption bugs used in exploitation.

Do you know what's funny about all this? That “weird assembly” language is probably a better programming language than C.

If there's one thing which truly pisses me off, it is the
attempt to pretend that there is anything vaguely "academic"
about this stuff.  I mean, can you think of anything closer
to hell on earth than a "conference" full of unix geeks
presenting their oh-so-rigourous "papers" on, say, "SMURFY:
An automatic cron-driven fsck-daemon"?

I don't see how being "professional" can help anything;
anybody with a vaguely professional (ie non-twinkie-addled)
attitude to producing robust software knows the emperor has
no clothes.  The problem is a generation of swine -- both
programmers and marketeers -- whose comparative view of unix
comes from the vale of MS-DOS and who are particularly
susceptible to the superficial dogma of the unix cult.
(They actually rather remind me of typical hyper-reactionary
Soviet emigres.)

These people are seemingly -incapable- of even believing
that not only is better possible, but that better could have
once existed in the world before driven out by worse.  Well,
perhaps they acknowledge that there might be room for some
incidental clean-ups, but nothing that the boys at Bell Labs
or Sun aren't about to deal with using C++ or Plan-9, or,
alternately, that the sacred Founding Fathers hadn't
expressed more perfectly in the original V7 writ (if only we
paid more heed to the true, original strains of the unix
creed!)
                                                   
       In particular, I would like to see such an article
   separate, as much as possible, the fundamental design
   flaws of Unix from the more incidental implementation
   bugs.

My perspective on this matter, and my "reading" of the
material which is the subject of this list, is that the two
are inseparable.  The "fundamental design flaw" of unix is
an -attitude-, and attitude that says that 70% is good
enough, that robustness is no virtue, that millions of users
and programmers should be hostage to the convenience or
laziness of a cadre of "systems programmers", that one's
time should be valued at nothing and that one's knowledge
should be regarded as provisional at best and expendable at
a moment's notice.

My view is that flaming about some cretin using a
fixed-sized buffer in some program like "uniq" says just as
much about unix as pointing out that this operating system
of the future has a process scheduler out of the dark ages
or a least-common-denominator filesystem (or IPCs or system
calls or anything else, it -doesn't matter-!)


The incidental -is- fundamental in dissecting unix, much as
it is in any close (say, literary or historical) reading.
Patterns of improbity and venality and outright failure are
revealed to us through any examination of the minutiae of
any implementation, especially when we remember that one
cornerstone of unix pietism is that any task is really no
more than the sum of its individual parts.  (Puny tools for
puny users.)

>>902511

>>902521

>thinks JSON is insecure

>doesn't know about entity vulnerabilities and escaping tags in XML

I hate LARPers

>>902706

Look I think Unix is flawed as well but what the fuck are you even talking about

>>902706

Reminder that you could solve all of your problems by creating a new LispOS yourself.

>>902706

I would like to thank you for your posts. You've made me take a step back and actually see that C and Unix was not as good as I thought they were. Thanks to your posts I actually tried out Common Lisp (using ecl) and actually enjoy the language quite a bit. It just really clicks with me and is nice to work in.

Once again thanks for your posting.

>>902741

>what the fuck are you even talking about

I'm talking about how much C and UNIX suck compared to other languages and operating systems. If a malloc has so many bugs that they can form their own assembly language, it sucks. Why does C suck so badly with its array pointer bullshit that you can't even add bounds checking?

Here's another example.

http://langsec.org/insecurity-theory-28c3.pdf

>Not for lack of trying

>Various "trustworthy computing" initiatives

>Lots of "secure coding" books

>Mounds of academic publications

>Yet software still sucks!

Software sucks because UNIX weenies don't care and they ignore all that stuff. A lot of security and error handling techniques were known in the 60s when Multics was created, but that didn't stop the UNIX programmers from ignoring them.

>There must be something we are doing wrong

>Science to engineers: some problems are not solvable, do not set yourself up to solve them

>"There is a law of nature that makes it so, no matter how hard you try"

What they're doing wrong is using C. C sucking is a law of nature and the problem of C sucking is not solvable, but that doesn't mean all software has to suck forever, only C software. C sucks so badly that people completely give up on trying to make software not suck. Some languages have the opposite effect.

>>902767

That's what I'm trying to accomplish. I post these quotes because most of them are still valid today. The UNIX weenie mentality hasn't changed at all. Common Lisp does a lot of things well and is a good general purpose language. An OS written in it would eliminate an enormous amount of bloat and waste that is part of every program now.

    Yes, and they've succeeded.  Hordes of grumpy C hackers
    are complaining about C++ because it's too close to the
    right thing.  Sometimes the world can be a frightening
    place.

    I've been wondering about this.  I fantasize sometimes
about building better programming environments.  It seems
pretty clear that to be commercially viable at this point
you'd have to start with C or C++.  A painful idea, but.
What really worries me is the impression that C hackers
might actively avoid anything that would raise their
productivity.

    I don't quite understand this.  My best guess is that
it's sort of another manifestation of the ``simple
implementation over all other considerations'' philosophy.
Namely, u-weenies have a fixed idea about how much they
should have to know in order to program: the amount they
know about C and unix.  Any additional power would come at
the cost of having to learn something new.  And they aren't
willing to make that investment in order to get greater
productivity later.

    This certainly seems to be a lot of the resistance to
lisp machines.  ``But it's got *all* *those* *manuals*!''
Yeah, but once you know that stuff you can program ten times
as fast.  (Literally, I should think.  I wish people would
do studies to quantify these things.)  If you think of a
programming system as a long-term investment, it's worth
spending 30% of your time for a couple years learning new
stuff if it's going to give you an n-fold speed up later.

>>902706

>>903218

kill yourself rustnigger

>>903218

>What they're doing wrong is using C. C sucking is a law of nature and the problem of C sucking is not solvable, but that doesn't mean all software has to suck forever, only C software. C sucks so badly that people completely give up on trying to make software not suck. Some languages have the opposite effect.

yes. yes.

C could be good for things like making Quake game for hundred-Mhz computers. but it's horrible for developing operating systems, where you need security and reliability.

Why did UNIX idiots choose and keep using C instead of something like Ada? Yes, UNIX is older than Ada, but they kept using C instead of switching to something better. And if OS turned out to be slow, they could rewrite *some* parts in something faster and audit that parts very much.

but unix and open source idiots cannot into DESIGN and PLANNING. that's why they will always lose. linux is a big poop where random devs shit into.

> what are the shortcomings

There are none.

>>902501 (OP)

I think the biggest advantage of JSON is that it's human-readable. You can write a JSON file by hand in a text editor without problems, or you can take generated JSON and see what's inside.

The downside is that the JSON grammar actually has holes and it's never really clear which version of JSON one means.

http://seriot.ch/parsing_json.php

Being human-readable means that it's harder and slower to parse. If you don't need your data to be human-readable (e.g. when used for IPC) that's a pure downside. A good alternative would be MessagePack, it's similar to JSON, but binary, so it's smaller, simpler, and faster to parse.

https://msgpack.org/

The idea behind MessagePack is that you have a stream of binary data, and the first byte of each datum tells you immediately how to interpret the following data. For example, when reading and array, the first byte tells you what type of array it is, and when you know that you know how many bytes to read to get the size of the array, so you can allocate the necessary amount of memory, and then you read the actual content of the array. By contrast, in JSON you would first have to iterate through the list until you reach the closing bracket and count along the way to find out how long the array is.

>>902767

> tried out Common Lisp (using ecl) and actually enjoy the language quite a bit

You could have at least picked a Scheme, but Common Lisp is a Frankenstein monster that begs to be put out of its misery. Everything about the design of the language makes me rage. There is a beatiful language hidden somewhere under all that MIT autism.

Give one fucking example of a security vulnerability embedded in JSON, or never talk to me and my board again.

>>903257

Ada is a terrible language and no-one should use it.

>>903366

The problem with Maven isn't XML, and the best alternative being Gradle, you just swapping one declarative format for another (JSON).

>>903840

I hate gradle. It just seems to be REALLY slow to do anything.

>>902507

The traditional (stupid) way of parsing JSON is to eval() it in a Javascript interpreter. This is the accepted, canonical (stupid) way to do it. When people continue to do this, it opens up tons of security holes. Therefore, even stupider people will ban JSON rather than firing the incompetents under their care.

>>904003

>This is the accepted, canonical (stupid) way to do it.

I thought that was JSON.parse or something.

>>904003

No, the canonical way to parse JSON in javascript is to fucking JSON.parse() it. You have no idea what you're talking about, retard.

>>903927

A developer wrote some pretty deep and unnecessary hacks in a "Gradle Commons" project that the other projects inherit where I work.

Now every project is stuck, pinned on an ancient Gradle version for all time because nobody wants to go unravel that shit.

Still beats npm.

>>904070

You can't really compare npm and gradle as they differ in usage. You have to rerun gradle for every change which means that you have to wait for extremely long time for gradle to startup before it can compile and you can test out your changes. With npm at least you only have to run it when you are pulling down new packages.

I think there might be some sort of daemon or something you can get for gradle or maybe I'm just basing this off of an experience I had years ago with it, but I find it to take forever to do a regular compile.

>>903927

>>904072

https://guides.gradle.org/performance/