Blinking Commits

svckr 10 years ago |

    git commit -F <(curl https://raw.githubusercontent.com/thiderman/doge/master/doge/static/doge.txt) # [0]

Oh god do I feel bad about this. What have I done?

[0] https://github.com/thiderman/doge

manojlds 10 years ago | |

    git commit --allow-empty -F <(curl https://raw.githubusercontent.com/thiderman/doge/master/doge/static/doge.txt)

0x0 10 years ago |

Funny timing, with the recent "Terminal escape sequence XSS" post on oss-security in mind: http://www.openwall.com/lists/oss-security/2015/08/11/8

thephyber 10 years ago | |

> So the basic TL;DR: please don't use really ancient terminal programs that are vulnerable to this stuff. Disappointing that he would make this statement and then not bother to recommend specific ones to avoid and/or use.

creshal 10 years ago |

Regrettably (?), you can't use this to implement marquee.

But you can make your text black with a black background. Or re-order lines, which I suspect to be "fun" for git logs.

jamie_ca 10 years ago | |

I think the most devious would be to simply move the cursor up one line. This would result in the 'git log' line being overwritten, and hiding the commit from casual scrutiny.

WalterGR 10 years ago | |

ANSI control characters include cursor positioning, so in theory you could implement marquee messages. The problem would be introducing delay. I don't recall if you can do that using ANSI. You can emulate it by doing repeated cursor repositioning, but that would be rendered so quickly that the commit message would have to be enormous to include any appreciable delay.

jamesdsadler 10 years ago |

iTerm2 supports images in the terminal. May as well take this as far as it will go.

https://iterm2.com/images.html

Edit: even animated gifs

dmix 10 years ago | |

Ranger utilizes this well on (not just on iterm) http://ranger.nongnu.org/ - a VIM-style terminal-based file explorer via w3m.

rnhmjoj 10 years ago | | |

Unfortunately only with iTerm2 it seems able to play animated gif.

rurounijones 10 years ago |

I actually quite like the idea of control codes in commit messages for internal teams where you can implement rules.

It could be useful for highlighting risky commits in red or other visual markers.

Would play merry hell with almost every other way of viewing commits though :D

rudolf0 10 years ago | |

>I actually quite like the idea of control codes in commit messages for internal teams where you can implement rules.

>It could be useful for highlighting risky commits in red or other visual markers.

Yeah... that is really not a good idea. You are not supposed to take this blog post seriously.

Why not just agree on some terminology like CRITICAL/MINOR/SECURITY, which a visual interface can then highlight?

    SECURITY: Fix XSS in spline reticulation

If it detects "SECURITY" it adds a red background, etc. Anyone viewing the raw text version of the commit messages will still get the message without having to see a bunch of gibberish.

rurounijones 10 years ago | | |

> You are not supposed to take this blog post seriously.

And you were not supposed to take my comment seriously... I thought I made that obvious with the last sentence but oh well.

tempodox 10 years ago |

Has nothing to do with git, or committing, it just applies VT100 control codes that work anywhere in a compatible terminal.

trampi 10 years ago | |

"XSS has nothing to do with {my website framework}, it just applies javascript that work anywhere in a compatible browser."

Actually it has something to do with git. Git should strip or escape the user input before displaying. XSS and SQL Injections are the same kind of issue -> do not trust the user input and escape the input before interaction with it happens.

couchand 10 years ago | | |

Why would git strip formatting from my message? If my team wants colorful messages why should git be the one to say we're wrong?

Git commit messages are used for lots of different things, but at the end of the day it's just another piece of data included in a hash in a content-addressable file system.

If you're doing something with that tool where including formatting like this would be considered a vulnerability, it's on you to take care of that. It's exactly the same with any other bug or exploit in your codebase: it's not git's fault that you committed it.

trampi 10 years ago | | |

If you need to have this feature, then you should have to opt in (git config for example). But i have very good reasons to say that the default should properly escape the messages before printing them. I would not like it to clone a repo from github and having "git log" let my terminal go crazy. You unterstand, that this issue can have bigger impact than blinking commit messages, right?

couchand 10 years ago | | |

Terminal attacks are not new and the solution isn't to expect every individual program to escape terminal escape codes.

    The ideal solution is to sanitize all data before displaying it
    on your terminal, however without a custom terminal application
    or data filter, you can't guarantee that every tool you use on
    the command-line is going to strip escape sequences. The
    responsibility should rest on the actual terminal emulator; any
    features that allow file or command-line access should be
    disabled by default and more attention should be paid to new
    features that implement any use of escape sequences. [0]

Are you cloning untrusted repositories to your computer and running git log blindly?

[0]: http://marc.info/?l=bugtraq&m=104612710031920

tetrep 10 years ago | | |

no?

I mean, it would be super nice for your terminal emulator to just automagically filter out escape sequences when you, the user, do not want them and to allow them for programs that you do. a whitelist would work but would be super annoying to actually verify as so many programs output things from so many different inputs. it seems like programs themselves should decide if they need to output arbitrary data and, in cases where they don't, like git, they can filter it.

tempodox 10 years ago | | |

I see your point, and I agree. The OP didn't mention that aspect, but yes, git is darned crappy software, repeating stupid mistakes that are long forgotten elsewhere. Some developers don't seem to be learning from past mistakes.

wdewind 10 years ago | | |

> git is darned crappy software

Let's not go crazy now.

thom_nic 10 years ago | |

So to be clear, the article isn't suggesting that e.g. github will interpret the ANSI escape sequences, but they will be when you `git log` from a command line, right?

radlad 10 years ago | | |

Correct, this is an ANSI escape code[1] interpreted by terminals, not XSS.

[1] https://en.wikipedia.org/wiki/ANSI_escape_code

tempodox 10 years ago | | |

We cannot know (in principle) what GitHub does with data streams sent their way, but in the case of the blinking, the target is your terminal. It will interpret and “execute” (by modifying display) any text it is given.

thom_nic 10 years ago |

Anyone know if an issue has been opened (or any relevant discussion on the dev list) on stripping escape sequences? It does seem like it could be harmful.

catern 10 years ago |

To insert a literal character (like the Escape entered in this post) in Emacs, use C-q.

GuiA 10 years ago |

Of course, you can also use other escape codes to make your commits colored (e.g. [92m for green), underlined ([4m), etc.

caf 10 years ago | |

Or change the terminal title. ^[]0;title^G

LukeShu 10 years ago | | |

Or for screen and tmux:

    ^[ktitle^[\

Cthulhu_ 10 years ago |

So, 1990's Geocities commits are now a thing again? ^[[5m#UNDER CONSTRUCTION^[[0m

nichochar 10 years ago |

The writing style is clever and funny. You should keep writing!

dlss 10 years ago |

I think this post just changed my position on censorship :p

cousin_it 10 years ago |

Will it still work if I omit the closing bracket? Or put it in a different commit message, further down the page?

eldude 10 years ago |

This is a really entertaining writing style: technical enlightenment through demonstration via humorous examples. For the lazy (and additional humorous demonstration), I wish he'd provided an example gif showing it in action (i.e., Github, terminal, Sourcetree, etc...).

JoshM33k 10 years ago | |

(The terminal would be the only place it would display correctly it seems, but it would be nice to see the chaos it may or may not cause in Github and other tools.)

Finding someone who can write very technically while also being funny and charismatic is pretty rare (We computer types aren't always the biggest hits at parties). I also really appreciate his "last time on" opening paragraphs... it gives some context to the blog post and where's coming from in his headspace. Neat.

sbierwagen 10 years ago | |

The author uses female pronouns.

eldude 10 years ago | | |

There are no gendered pronouns in her blog post.[1]

At first, I was surprised to find I falsely assumed she was male in spite of evidence to the contrary, and was going to thank you for making me more aware of my own oversight. Upon review, however, I made the correct assumption that it was non-gendered. I'll forego the inciting comment, and corresponding cultural political flamewar over my use of a singular default male pronoun. If you down-voted me, please understand that doing so is alienating and a disservice to conversations. We should not punish commenters for failing to conform to our own personal cultural norms. This is consistent with the spirit of your comment; engineers need not conform to external expectations of a masculine identity.

[1] Her handles at the bottom are neither pronouns, nor in the blog post, and were inconsequential to me given my present lack of motive for reaching out to the author.

sbierwagen 10 years ago | | |

I didn't downvote you. (Downvotes are heavily rate-limited, at a guess, from very unscientific observation, I think I only get ten a day, so I save them for the really annoying comments.)

I'm not sure why you think he/his pronouns are nongendered. The nongendered pronouns in English are they/them.

eldude 10 years ago | | |

You're continuing to controversialize and divert from the original conversation. That said...

> I think I only get ten [downvotes] a day, so I save them for the really annoying comments.

10 downvotes a day? Please reconsider your behavior. You are almost certainly unnecessarily alienating commenters, and in this case, misguidedly so.

> I'm not sure why you think he/his pronouns are nongendered.

When I said "it was non-gendered," I was referring to the blog post, which meant your original comment, "The author uses female pronouns," is factually incorrect.

> The nongendered pronouns in English are they/them.

I'm aware, and intimated as much: "I'll forego [discussing] my use of a singular default male pronoun". Yes, they/them is non-gendered, but it is also plural, making it grammatically historically incorrect. However, despite the informality of my comment, given the extreme propensity of the "generic he" to be controversialized, especially in technology and the internet, and the movement away from it during my lifetime, I'll placate to avoid the negative insinuations.

Educating yourself on the context of the matter would go a long way to ameliorate your sanctimonious attitude, and hopefully disincline you to feel the need to controversialize, divert and detract from conversations in the future.

tangent128 10 years ago | | |

On the matter of education, singular they is historically supported: https://en.wikipedia.org/wiki/Singular_they#Older_usage_by_r...

dragonwriter 10 years ago | | |

they/them are non-gendered by the older (grammatical) meaning of "gender".

he/his and they/them both have well-established non-gender-specific meanings in the more recent (social) meaning of "gender" (prior to that fairly recent linguistic evolution, words had gender and people had sex -- while its useful to have a term for the distinct feature of people referred to by "gender" as distinct from "sex", its a very different thing than grammatical "gender", and grammatical gender doesn't have a 1:1 mapping to linguistic constructs whose semantics refer to social gender), though he/his also has a gender-specific meaning (and there is considerable potential for ambiguity between the gender-neutral and gender-specific senses of he/his.)

brillenfux 10 years ago |

In the world of ANSI escape codes and terminal emulators things are never that easy.

Works for OS X apparently.

im3w1l 10 years ago |

Haha, what a coincidence. Just the other day we discussed string special cases[0][1], to which I contributed ansi escapes. Unicode "fonts" 𝓵𝓲𝓴𝓮 𝖙𝖍𝖎𝖘 seem to work in commit messages as well.

I think this is quite harmful, especially the character movement ansi escapes could be used for nefarious purposes.

[0] https://news.ycombinator.com/item?id=10035008

[1] https://github.com/minimaxir/big-list-of-naughty-strings/blo...

neckro23 10 years ago | |

I wrote a little thing that helps you make your commits 𝔢𝔵𝔱𝔯𝔞 𝔞𝔴𝔢𝔰𝔬𝔪𝔢: http://antglove.com/erger/

dantillberg 10 years ago | |

I recently had to write some code[0] that handles strings of UTF-8 with ANSI color escapes sprinkled throughout.

A fun exercise is to write a function that overwrites string A with string B, starting at index N. It's hard enough with unicode, but ANSI escapes make it more fun.

[0]: https://github.com/tillberg/ansi-log (Go logging library with support for ANSI colors and interleaving multiple writers)

icebraining 10 years ago | |

I think this is quite harmful, especially the character movement ansi escapes could be used for nefarious purposes.

Like what?

leni536 10 years ago | | |

- Push malicious commit

- Rewrite the commit hash in git log with character movement

Actually I don't know if it's a practical attack in any way, could cause some confusion.

lisivka 10 years ago | | |

If you can commit, why not just enter something like "Small fix in formatting" instead of drawing of LOT of attention to malicious comit?

jacquesm 10 years ago | | |

Hiding changes on previous lines.

Torn 10 years ago | | |

Annoying your coworkers, for one

fit2rule 10 years ago | | |

Just yesterday I ran across this example: "(っ˘▽˘)っ :cloud: ⊂(◕。◕⊂)" in the Parse SDK repo, which I found especially distracting, and in general, kind of turned me off from the project (even though I know Parse is awesome). I agree that UTF and special-chars should be permissable; I don't agree that if they don't actually communicate something, they should be used anyway. Maybe this cute 'moticon trend is trendy, but for my buck$, I'd rather things just be kept simple. My eyeballs see (っ˘▽˘)っ :cloud: ⊂(◕。◕⊂) as line-noise, mostly, and make me wonder if there are other such typo's to be found in the attached code-base.

coldtea 10 years ago | | |

>Just yesterday I ran across this example: "(っ˘▽˘)っ :cloud: ⊂(◕。◕⊂)" in the Parse SDK repo, which I found especially distracting, and in general, kind of turned me off from the project (even though I know Parse is awesome).

This reasoning turns me off from types who have it.

It's not like they use emoticons everywhere -- and if having one is the big distraction one can complaint about, then their repo is in excellent shape.

samuellb 10 years ago | | |

Some Unicode characters can also move the cursor in strange ways. I think most of them only work in GUI programs, though. (See the list of bad strings above)

mahouse 10 years ago | | |

I personally just find the committer to be immature, nothing else.

HerraBRE 10 years ago | | |

Immature to one is playful to another. :-)

It's all going to depend on the team; it would be a mistake to conflate seriousness with competence.

chippy 10 years ago | | |

I personally see it as a filter to exclude those who find things too seriously.

coldtea 10 years ago | | |

We are all gonna die anyway. The mature commiters too, including everybody they love.

And all of their "serious" work will amount to absolutely nothing in just 100 years (that's it if they're lucky: for most their work wont matter at all in 10 or 20 years, their companies shuw down, or bought and dismantled, their startup dreams shattered etc.).

(A lot of them will even regret working so hard and giving importance to the BS they gave importance to after they retire).

Just to put some mature perspective on being playful.

Perceptes 10 years ago |

This works for me in OS X's built-in Terminal app, but not iTerm. Both report xterm-256color as $TERM, so I'm not sure what about iTerm is configured differently to prevent it from working there.

thechriswalker 10 years ago | |

iTerm2 has an option in your Profile: Text tab > Text Rendering: "Blinking Text Allowed"

Off by default; enable and blink like its 1989.

awendt 10 years ago | |

same here

rmc 10 years ago |

I wonder if GitHub do/will support this and parse it to HTML

MattBearman 10 years ago | |

If they did they'd have to wrap it a <blink> tag. Anything else would just be sacrilege

chrisfosterelli 10 years ago | | |

Unfortunately most browsers don't have <blink> support anymore

LukeShu 10 years ago | | |

Well, then it fits; many terminal emulators don't support \e[5m as blink anymore. Xterm, URxvt, and Konsole do, but the Linux terminal doesn't (gives it a grey background, not blinking), VTE-based terminals (gnome-terminal, lxterminal, ...) don't (ignored), Emacs term-mode doesn't (treats it as bold).

yuubi 10 years ago | | |

The "gray background" is really a "bright black" background. The old IBM CGA and successors had a flag for whether to interpret the top bit of the background color as intensity or blink[0]. It looks like Linux used to have it set to blink a few years back[1].

[0] http://webpages.charter.net/danrollins/techhelp/0087.HTM

[1] http://sourceforge.net/p/linux-fbdev/mailman/message/7849329...

gtremper 10 years ago | |

Its not supported currently at least. I get

    [5mFoo[0m

forgotmypassw 10 years ago | | |

There's absolutely no reason for it to be ever supported.

SnaKeZ 10 years ago | |

Killer feature :D

erikb 10 years ago |

Doesn't work in my gnome-terminal. Looks like the commands get escaped by git somehow. Did anybody test it?

rquirk 10 years ago | |

Doesn't work on Xfce either. On a virtual terminal thingy (ctrl-alt-f1) it shows a grey background with white text. I suspect blink is only implemented on the Mac's terminal, not in Linux-land.

daveloyall 10 years ago | | |

> I suspect blink is only implemented on the Mac's terminal, not in Linux-land.

...Lord, when did I get so old? :/

EDIT: https://en.wikipedia.org/wiki/VT100

erikb 10 years ago | | |

I suspect it's really not a terminal issue but something about git. Or does a Terminal that doesn't interpret a command print it in clear text? I just get the string back, the same way I entered it.

daveloyall 10 years ago | | |

What?

https://en.wikipedia.org/wiki/ANSI_escape_code

It's definitely a terminal thing. The "bug" in git is that it doesn't strip out the control characters or reject the commit if the commit message contains non-text data.

marcosdumay 10 years ago | | |

You can set Xterm and Konsole to be VT100 compatible. I dunno about Gnome Terminal.

Anyway, they default to "linux" for more than a decade.

baghira 10 years ago | | |

It does work in urxvt and konsole (and there's an option to turn it off). And as tempodox said, this is just VT100 stuff.

DonHopkins 10 years ago |

Who remembers when most of the blogs syndicating discussions about RSS all started blinking at once, when somebody posted an item whose title was "What happens when you put a <blink> tag into the title?"

madaxe_again 10 years ago |

Every time I use a control character, my mind strays back to CHR$141.

Although I do wonder what havoc you could wreak on hosted git services with cunning sequences of control characters. Smacks of injection.

alxndr 10 years ago | |

If anyone else is curious about CHR$141, it's how you can show doubly-tall letters on an Acorn BBC Micro's teletext display...

http://www.bbcbasic.co.uk/bbcwin/manual/bbcwinh.html

https://en.wikipedia.org/wiki/Teletext

forgotmypassw 10 years ago |

First emojis, now blinking text, this has to stop.

belgianguy 10 years ago |

Can you turn it off? I'd imagine a big project (e.g. Linux Kernel) could start to look like a Christmas tree...

ins0 10 years ago |

ok now i need a spam filter for git log - everything is flashing like "look at my nice changes here!" :)

Cthulhu_ 10 years ago | |

THIS COMMIT IS REALLY IMPORTANT!!11

leni536 10 years ago | | |

YOU ARE THE 1000000th VISITOR OF THIS GIT LOG!