Fosstodon

Dominik Chrástecký - BlogTranspiling PHP for older versions Transpiling lets you write your package or application using the latest PHP features—even if your runtime is older. This is especially useful for libraries (where you can’t just bump the PHP version without inconveniencing your users) and can be a lifesaver when upgrading legacy apps. <a href="https://chrastecky.dev/programming/transpiling-php-for-older-versions" rel="nofollow noopener" translate="no" target="_blank">https://chrastecky.dev/programming/transpiling-php-for-older-versions</a>

Semantically SecurePreviously, I wrote about <a href="https://scottarc.blog/2024/10/14/trust-rules-everything-around-me/" rel="nofollow noopener" target="_blank">how code-signing and threshold signatures could allow the WordPress community</a> (whether they continue to support WordPress or decide to hard-fork the project onto something else) to mitigate the risk of another Mullenweg tantrum (<a href="https://ma.tt/2024/10/on-dhh/" rel="nofollow noopener" target="_blank">which are in surplus</a> this season) leading to another <a href="https://anderegg.ca/2024/10/13/acf-has-been-hijacked" rel="nofollow noopener" target="_blank">successful violation of community trust</a>.One reason why the community might not want to do a hard-fork is that it could be disruptive to the entire WordPress Developer job title. Namely, it would make plugin and theme development and maintenance painful to support both WordPress and whatever the fork is named.But that’s not actually a significant technical hurdle.Because WordPress (and, by extension, its plugin and theme ecosystem) is copyleft licensed, the Forkers could easily write some infrastructure involving <a href="https://github.com/rectorphp/rector" rel="nofollow noopener" target="_blank">Rector</a> (or a more specialized fork of Rector, heh) to plumb plugin/theme updates into the forked ecosystem.That is to say, because of the existing work into helping open source software support wider ranges of PHP versions, I believe the “supporting WordPress and ForkPress” is not a significant technical challenge.Additionally, if the ForkPress leadership sets up the plumbing to make this happen, the existing WordPress developers the world over won’t need to lift a finger to make it happen. (And since it’s all copyleft, they’re already licensed to do so, provided the output of their code transpiler is similarly licensed.)There would still be some friction, naturally.If the people leading a hypothetical WordPress fork actually heed my advice about making code-signing ubiquitous (and controlled by the developers of each plugin and theme), there would need to be an identity verification and hand-off process for the third-party developers to decide, “Instead of ForkPressAutoTranspileBot, I should be the one to ship this code and sign releases.”Doing this hand-off on a first-come, first-serve basis would be a nightmare for the forked ecosystem.We would need a way to make key management easy and secure, even for developers who don’t live in privileged countries with booming economies. As fun as it would be to say, “FIDO2 Tokens or Bust,” that’s prohibitive to many, and we need to be conscientious about those challenges.But the one thing we have the technology to prevent today is forcing plugin/theme developers to write two different versions of their code to manage different APIs that follow different naming conventions. In that regard, it could be made painless (but not frictionless).If Matt Mullenweg decided to be intentionally disruptive to these forks, it would require making drastic changes to the WordPress core that breaks compatibility with all existing plugins and then using some legal mechanism to prevent the forked code from following suit (which the GPL enables the fork to do). Not only would it be stupid to try that, it wouldn’t accomplish anything productive.But, okay, so what? We can guarantee plugin/theme compatibility in a fork. What does that give us?First, it gives the fork free reign to make breaking API changes (i.e., to remove any trademarks from the source code and avoid legal peril from Automattic), which matters for non-technical reasons.But it also allows the fork to use “newer” PHP language features (i.e., <a href="https://www.php.net/manual/en/language.namespaces.php" rel="nofollow noopener" target="_blank">namespaces</a>). And new plugins can be written for modern PHP then transpiled to support WordPress’s norms.As cool as that is, there is still an open problem to the plugin ecosystem. And it’s not a new problem, by any means.But since I promised I have ideas for security enhancements, I’d like to offer this one to the community to chew on.Who Sources Your Source Code?Code-signing addresses supply-chain custody problems: Did the software come from the person that it should have? It doesn’t solve the problem of, “What if the developer of a plugin or popular theme goes rogue and ships crypto-miners?”When I proposed <a href="https://gossamer.tools/" rel="nofollow noopener" target="_blank">Gossamer</a>, I specified Third-Party Attestations as a building block for building defenses against this sort of attack. That certainly could be useful for WordPress (or a fork thereof): Require a third party to at least spot check the code changes from the previous release to make sure nothing deliberately malicious was shipped.Another idea I’d like to propose is to perform a differential analysis of the cyclomatic complexities of each unit of PHP and/or JavaScript code. I probably lost some of you, so I will elaborate.For each release of a plugin or theme:<ol><li>Use a library like <a href="https://github.com/sebastianbergmann/complexity" rel="nofollow noopener" target="_blank">sebastian/complexity</a> (PHP) or <a href="https://github.com/pilotpirxie/cyclomatic-complexity" rel="nofollow noopener" target="_blank">cyclomatic-complexity</a> (JS) to estimate the complexity of every unit of code within a codebase.</li><li>Store these snapshots alongside each release.</li></ol>When a new release is proposed, compare the new code release with the previous one.Large differences in the structure of the code should be flagged for manual review (especially if it’s only a minor version bump or patch release).Additionally, compare the current snapshot with the last version that was marked as manually reviewed. If each piecemeal change was small, but there was a lot of them, it may add up to warrant additional third-party scrutiny.This isn’t entirely novel. In fact, this sort of work sounds right up the alley of the <a href="https://www.wordfence.com/" rel="nofollow noopener" target="_blank">WordFence</a> team to build, should they choose to embark on this task.WordPressed For TimeI have several other ideas about ways to improve the assurance and robustness of the ecosystem, but some of them require secure code delivery (code-signing + transparency logs + reproducible builds) to already exist to be worthwhile.In the interest of a positive and productive conversation about the future of the ecosystem that accounts for damn-near half of websites, consider the ideas shared on these pages freebies.A better future is possible, if only we have the will to build it.<a href="https://scottarc.blog/2024/10/14/a-wordpress-hard-fork-could-be-made-painless-for-plugin-theme-developers/" class="" rel="nofollow noopener" target="_blank">https://scottarc.blog/2024/10/14/a-wordpress-hard-fork-could-be-made-painless-for-plugin-theme-developers/</a><a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://scottarc.blog/tag/cyclomatic-complexity/" target="_blank">#cyclomaticComplexity</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://scottarc.blog/tag/software-compatibility/" target="_blank">#softwareCompatibility</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://scottarc.blog/tag/software-security/" target="_blank">#softwareSecurity</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://scottarc.blog/tag/transpiling/" target="_blank">#transpiling</a> <a rel="nofollow noopener" class="hashtag u-tag u-category" href="https://scottarc.blog/tag/wordpress/" target="_blank">#WordPress</a>

🧿🪬🍄🌈🎮💻🚲🥓🎃💀🏴🛻🇺🇸WebDevelopers from the '90s who still edit HTML files on a live FTP server using table layouts when people complain about their transpiling devops ci/cd setups:<a href="https://mastodon.social/tags/webDev" class="mention hashtag" rel="nofollow noopener" target="_blank">#webDev</a> <a href="https://mastodon.social/tags/programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#programming</a> <a href="https://mastodon.social/tags/web" class="mention hashtag" rel="nofollow noopener" target="_blank">#web</a> <a href="https://mastodon.social/tags/frontend" class="mention hashtag" rel="nofollow noopener" target="_blank">#frontend</a> <a href="https://mastodon.social/tags/ftp" class="mention hashtag" rel="nofollow noopener" target="_blank">#ftp</a> <a href="https://mastodon.social/tags/transpiling" class="mention hashtag" rel="nofollow noopener" target="_blank">#transpiling</a> <a href="https://mastodon.social/tags/reactJS" class="mention hashtag" rel="nofollow noopener" target="_blank">#reactJS</a> <a href="https://mastodon.social/tags/eleventy" class="mention hashtag" rel="nofollow noopener" target="_blank">#eleventy</a> <a href="https://mastodon.social/tags/devops" class="mention hashtag" rel="nofollow noopener" target="_blank">#devops</a> <a href="https://mastodon.social/tags/githubActions" class="mention hashtag" rel="nofollow noopener" target="_blank">#githubActions</a> <a href="https://mastodon.social/tags/docker" class="mention hashtag" rel="nofollow noopener" target="_blank">#docker</a> <a href="https://mastodon.social/tags/struggleStack" class="mention hashtag" rel="nofollow noopener" target="_blank">#struggleStack</a> <a href="https://mastodon.social/tags/webDeveloper" class="mention hashtag" rel="nofollow noopener" target="_blank">#webDeveloper</a> <a href="https://mastodon.social/tags/developer" class="mention hashtag" rel="nofollow noopener" target="_blank">#developer</a> <a href="https://mastodon.social/tags/development" class="mention hashtag" rel="nofollow noopener" target="_blank">#development</a> <a href="https://mastodon.social/tags/developers" class="mention hashtag" rel="nofollow noopener" target="_blank">#developers</a> <a href="https://mastodon.social/tags/webDeveloper" class="mention hashtag" rel="nofollow noopener" target="_blank">#webDeveloper</a> <a href="https://mastodon.social/tags/webDevelopers" class="mention hashtag" rel="nofollow noopener" target="_blank">#webDevelopers</a>

🍄🌈🎮💻🚲🥓🎃💀🏴🛻🇺🇸The project I get paid to work on takes > ten minutes to install, build, and test from a fresh repo. That's not hyperbole. It's just two <a href="https://mas.to/tags/websites" class="mention hashtag" rel="nofollow noopener" target="_blank">#websites</a> built with <a href="https://mas.to/tags/typescript" class="mention hashtag" rel="nofollow noopener" target="_blank">#typescript</a> <a href="https://mas.to/tags/nextJS" class="mention hashtag" rel="nofollow noopener" target="_blank">#nextJS</a> <a href="https://mas.to/tags/yarn" class="mention hashtag" rel="nofollow noopener" target="_blank">#yarn</a> <a href="https://mas.to/tags/nixOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#nixOS</a> and <a href="https://mas.to/tags/jest" class="mention hashtag" rel="nofollow noopener" target="_blank">#jest</a>. There aren't even any <a href="https://mas.to/tags/e2e" class="mention hashtag" rel="nofollow noopener" target="_blank">#e2e</a> functional <a href="https://mas.to/tags/tests" class="mention hashtag" rel="nofollow noopener" target="_blank">#tests</a>! Ten fucking minutes everytime I switch branches!!<a href="https://mas.to/tags/struggleStack" class="mention hashtag" rel="nofollow noopener" target="_blank">#struggleStack</a> <a href="https://mas.to/tags/webDev" class="mention hashtag" rel="nofollow noopener" target="_blank">#webDev</a> <a href="https://mas.to/tags/transpiling" class="mention hashtag" rel="nofollow noopener" target="_blank">#transpiling</a>

keithzgAsking for a friend (literally a friend though I endorse this insane course of action) is there any transpiler *to* <a class="hashtag" href="https://fediverse.keithzg.ca/tag/csharp" rel="nofollow noopener" target="_blank">#CSharp</a> *from* something else (preferably <a class="hashtag" href="https://fediverse.keithzg.ca/tag/rustlang" rel="nofollow noopener" target="_blank">#Rustlang</a> or <a class="hashtag" href="https://fediverse.keithzg.ca/tag/python" rel="nofollow noopener" target="_blank">#Python</a>, other sane-ish options like <a class="hashtag" href="https://fediverse.keithzg.ca/tag/cplusplus" rel="nofollow noopener" target="_blank">#CPlusPlus</a> accepted)? There seem to be ones out there *from*, but that doesn't help someone being forced to use <a class="hashtag" href="https://fediverse.keithzg.ca/tag/c" rel="nofollow noopener" target="_blank">#C</a># . . . <a class="hashtag" href="https://fediverse.keithzg.ca/tag/transpiling" rel="nofollow noopener" target="_blank">#transpiling</a> <a class="hashtag" href="https://fediverse.keithzg.ca/tag/clr" rel="nofollow noopener" target="_blank">#clr</a> <a class="hashtag" href="https://fediverse.keithzg.ca/tag/dotnet" rel="nofollow noopener" target="_blank">#dotnet</a> <a class="hashtag" href="https://fediverse.keithzg.ca/tag/java" rel="nofollow noopener" target="_blank">#java</a>

Steven Hilton<a href="https://mastodon.social/@tomw" class="u-url mention" rel="nofollow noopener" target="_blank">@tomw</a> I think you could (???) write modern, modularized <a href="https://universeodon.com/tags/es6" class="mention hashtag" rel="nofollow noopener" target="_blank">#es6</a> and ship it to the browser now, using <a href="https://universeodon.com/tags/importmaps" class="mention hashtag" rel="nofollow noopener" target="_blank">#importmaps</a> to direct the browser to where your module files live. I haven't tried it yet, and the support may be limited, but... maybe that's The Future™.That may eliminate <a href="https://universeodon.com/tags/transpiling" class="mention hashtag" rel="nofollow noopener" target="_blank">#transpiling</a>, but we still have to deal with concatenation. With updated protocols like <a href="https://universeodon.com/tags/HTTP3" class="mention hashtag" rel="nofollow noopener" target="_blank">#HTTP3</a>, maybe multiple simultaneous connections will be less of a problem? And then <a href="https://universeodon.com/tags/minification" class="mention hashtag" rel="nofollow noopener" target="_blank">#minification</a>? I dunno man, maybe gzipping on the wire is good enough.But I feel your pain. I'm hopeful for the future.<a href="https://universeodon.com/tags/javascript" class="mention hashtag" rel="nofollow noopener" target="_blank">#javascript</a> <a href="https://universeodon.com/tags/programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#programming</a> <a href="https://universeodon.com/tags/webdevelopment" class="mention hashtag" rel="nofollow noopener" target="_blank">#webdevelopment</a>Also, I want native <a href="https://universeodon.com/tags/css" class="mention hashtag" rel="nofollow noopener" target="_blank">#css</a> loops. I think that's the last thing we need <a href="https://universeodon.com/tags/preprocessors" class="mention hashtag" rel="nofollow noopener" target="_blank">#preprocessors</a> for.I haven't worked with built-in web components, but that could be the answer to the "always a new framework" problem. But if it was, it prolly would have more uptake by now. I honestly spend to much time thinking about this.

aegilops :github::microsoft:<a href="https://fosstodon.org/@levynoise" class="u-url mention">@levynoise</a> it's not C++, but Nuitka does translation to C: <a href="https://nuitka.net/" target="_blank" rel="nofollow noopener" translate="no">https://nuitka.net/</a><a href="https://fosstodon.org/tags/nuitka" class="mention hashtag" rel="tag">#nuitka</a> <a href="https://fosstodon.org/tags/transpiling" class="mention hashtag" rel="tag">#transpiling</a> <a href="https://fosstodon.org/tags/python" class="mention hashtag" rel="tag">#python</a>

aegilops :github::microsoft:<a href="https://fosstodon.org/@levynoise" class="u-url mention">@levynoise</a> The CoPilot interface in VSCode isn't really set up for translating thousands of lines of code, I don't think.What's the reason for porting to C/C++, vs a safer language (Rust, Go, nim)?There's a basic Python to Rust transpiler here: <a href="https://pypi.org/project/python-rs/" target="_blank" rel="nofollow noopener" translate="no">https://pypi.org/project/python-rs/</a>You can also incrementally change to Rust with PyO3.Something like Nuitka can do automatic translation to C, while maintaining the original source.<a href="https://fosstodon.org/tags/Python" class="mention hashtag" rel="tag">#Python</a> <a href="https://fosstodon.org/tags/SourceToSourceTranslation" class="mention hashtag" rel="tag">#SourceToSourceTranslation</a> <a href="https://fosstodon.org/tags/CoPilot" class="mention hashtag" rel="tag">#CoPilot</a> <a href="https://fosstodon.org/tags/nuitka" class="mention hashtag" rel="tag">#nuitka</a> <a href="https://fosstodon.org/tags/transpiling" class="mention hashtag" rel="tag">#transpiling</a> <a href="https://fosstodon.org/tags/C" class="mention hashtag" rel="tag">#C</a>

Michael9I'm calling my new publishing framework a <a href="https://mastodon.online/tags/journal" class="mention hashtag" rel="nofollow noopener" target="_blank">#journal</a>. I'm building publishing systems around the concept of a <a href="https://mastodon.online/tags/timeline" class="mention hashtag" rel="nofollow noopener" target="_blank">#timeline</a>.Going to focus first on the content abstraction, from the perspective of a <a href="https://mastodon.online/tags/creative" class="mention hashtag" rel="nofollow noopener" target="_blank">#creative</a>, a <a href="https://mastodon.online/tags/writer" class="mention hashtag" rel="nofollow noopener" target="_blank">#writer</a>, an <a href="https://mastodon.online/tags/artist" class="mention hashtag" rel="nofollow noopener" target="_blank">#artist</a>.Will probably start with some hybrid of <a href="https://mastodon.online/tags/markdown" class="mention hashtag" rel="nofollow noopener" target="_blank">#markdown</a> and <a href="https://mastodon.online/tags/gemini" class="mention hashtag" rel="nofollow noopener" target="_blank">#gemini</a> <a href="https://mastodon.online/tags/gemtext" class="mention hashtag" rel="nofollow noopener" target="_blank">#gemtext</a>.Thinking about just <a href="https://mastodon.online/tags/transpiling" class="mention hashtag" rel="nofollow noopener" target="_blank">#transpiling</a> that native content format into output formats: gemtext, <a href="https://mastodon.online/tags/html" class="mention hashtag" rel="nofollow noopener" target="_blank">#html</a>, to be hosted in those idiomatic forms.May eventually work towards a native <a href="https://mastodon.online/tags/browser" class="mention hashtag" rel="nofollow noopener" target="_blank">#browser</a>.

Recent searches

Search options

Administered by:

Server stats:

#transpiling