The problem was with restrictive connections, not DNS based discovery for clustering. It wasn't possible (as far as I'm aware) to connect directly from one dyno to another through tcp/udp.
There are hundreds of files on your system that if you could write to them would cause a RCE. For example, `AUTOEXEC.BAT`. While the intermediate step (how do you go from writing a filename without an ^M to writing to an arbitrary file on the target OS?) is also somewhat surprising (and maybe points at some potential deeper fixes within git or potential TOCTOU bugs?), ultimately it's the exact same as several other vulnerabilities in this class from the same author (see the 2024 case-sensitivity bug they linked), so I forgive them for glossing over it.
You're correct that the GDPR specifically doesn't require this, but you're incorrect that "the law" doesn't—the 2004 EU ePrivacy Directive requires affirmative consent for all cookies, and it's being enforced much more strictly now in a post-GDPR world
No you didn’t. You’re misunderstanding the classification of strictly necessary vs functional vs marketing/tracking cookies. Go talk to a lawyer. I’m sure they will clear things up for you.
You're correct under the GDPR but incorrect under the older ePrivacy Directive. EU sites need to be compliant with both, and so the cookie banners persist.
> The Directive provision applicable to cookies is Article 5(3). Recital 25 of the Preamble recognises the importance and usefulness of cookies for the functioning of modern Internet and directly relates Article 5(3) to them but Recital 24 also warns of the danger that such instruments may present to privacy. The change in the law does not affect all types of cookies; those that are deemed to be "strictly necessary for the delivery of a service requested by the user", such as for example, cookies that track the contents of a user's shopping cart on an online shopping service, are exempted.
Language preferences are (in all of the deployments I've seen) legally categorized as functional cookies and not strictly necessary cookies. Same with e.g. dark mode/light mode or other preference toggles
The wording is annoying, but no. I’ve received legal advice on this topic. Functional cookies are not strictly necessary. It seems very backwards but it’s how the industry currently treats things.
Read: https://gdpr.eu/cookies/ …after you dismiss the cookie banner, of course. I add this not only as a quip but to highlight that even a gdpr explainer website, which you'd expect isn't doing the evil thing of tracking users, has interpreted the relevant laws such that it finds it necessary to prompt the user in order to simply explain the gdpr and epd/epr…
> This is not an official EU Commission or Government resource. [...] Nothing found in this portal constitutes legal advice.
It's easier and safer to just claim that you must prompt for everything, and it serves the goal of obfuscating bad behaviour.
Cookies that are functionally necessary to do what the user is there for, not to track them, are OK, that's the spirit and intent of the law. Even if you think the wording means that, realistically, the EU isn't coming after anyone for a legitimate good-faith use of language cookies without a banner, and they'd clarify if that was how they intended to enforce it.
I did, I quoted stuff from it, but you are not helping. You should quote the things relevant to the point you are making. Especially when you notice people are not picking up. You also keep saying that gdpr is not EPD, but your link is short on details about this and with this point, you lead me to seek information in sections that are irrelevant.
But I see what you are saying now. That page lists the different purposes, including preference cookies (which include language preferences) and strictly necessary cookies, and I know asking consent is not necessary only for strictly necessary cookies (this page says it, I quoted that part earlier).
If that page is right, you are right and I was wrong. Thanks for persisting.
Well, that would be a shame, and that probably would explain why cd.cz makes me pick English each time I visit. I was assuming they could just save this preference in a cookie, but they obviously wouldn't be able to since I didn't provide consent, since I hide the cookie banners and they don't ask for consent later when needed.
I guess it is safe to ask consent in doubt, but I'm not yet convinced the language cookie cannot be considered strictly necessary. How can you correctly provide a requested service to a user if you don't use a language they understand, and how is storing the language not for fulfilling an explicit request from them?
> In the last decade, the spiciest street-legal tires have nearly surpassed the performance of a decade-old racing tire, and computer modeling is a big part of the reason
The "Mitigation and Service Restoration" phase here is definitely the weakest one in terms of explanation—5 hours for root cause discovery is a rough break, but somewhat understandable given the difficulty in isolating the hosts and debugging the obscure networking failure. But once they found the automated package update responsible, no detail was given at all for why it then took four hours to even consider a hotfix to disable the automatic package updates. Just a complete empty gap
Also, "token used for automatic updates"? So like, some kind of third-party vendor was automatically live-updating system packages on their running dynos??? Who the hell thought that would ever be a good idea? And once you've discovered an issue with it, why would you make that critical path remediation dependent on a third-party who probably doesn't even consider this a critical incident?
Here's a really simple question—once engineers confirmed the outage was major, why did it take 8 hours for someone to think of trying to log into the herokustatus Twitter account? Was there no one assigned to public comms during this incident?