1. 2

    They’ve been in embedded with Atom processors for a while. VIA/Centaur best them to it with C3, etc.. They’re gonna be in a mobile eventually. Wonder why x86 is that surprising.

    Also, early Nokia 9000 Communicator had x86 CPU. I think it was a 386. Mobile returning to x86 instead of going to x86.

    1. 4

      Atoms have been used in early ASUS Zenfones already

      1. 1

        A baseband is not a CPU.

        1. 2

          It can have one embedded. Im just responding to what’s in the article:

          “I was looking at embedded x86 code running inside a baseband processor”

      1. 4

        I used to self-host. About a decade ago, as soon as Gmail introduced Google Apps (or whatever it was called back then), I switched, and have used it since. For my new domains I use fastmail, mostly because everyone told me how amazing it is. It’s okay, I guess, there’s nothing wrong with it, and I appreciate the business model (you know, actually paying for stuff), but I don’t see what’s so amazing about it. I suppose I view e-mail as a commodity, and every provider is the same to me, as long as it works.

        Since I am pissed about Google in general, and now Gmail in particular (they fucked up the UI and added more crap once again), I will move my primary account off Google. I think I will self-host once again. I know how to do it, and I’m generally the type of person who like to do things by myself, if it’s feasible. It’ll be one of my physical boxes, somewhere colocated in a DC. I don’t believe in cloud computing.

        1. 2

          Are there any technologies that is in Oracle Solaris 11 that is not there in OpenIndiana at this point?

          1. 2

            There was time when OpenZFS did not had encryption support and Oracle Solaris ZFS had it, but now its implemented, not yet pushed into latest OpenIndiana release but its in the upstream Illumos source and it will also be available on FreeBSD, Linux, macOS and other Illumos distributions.

            Currently its quite opposite, OpenZFS version has more features then Oracle ZFS, while device removal is available at both the OpenZFS also has ability to add a driver to RAIDZ (for example from 5 drives to 6 drives) the new DRAID implementation is in the works - similar to what is available on IBM Storwize V7000 or HPE 3PAR enterprise storage arrays, also ZSTD compression will be available on OpenZFS and not on Oracle ZFS …

            1. 1

              ZFS encryption is not yet available in the illumos source, as people are still working out issues with it.

            2. 2

              Kernel Zones, immutable zones, DTrace/mdb DWARF support.

            1. 4

              Cool, they shipped with my Go port for SPARC. Unfortunately we didn’t have time to update it to the latest Go version and merge it upstream so now the port is in limbo (more details of what happened for who is interested).

              By the way, Solaris is not illumos.

              1. 3

                Yeah why the #illumos?

                1. 0

                  because for some reason, the solaris/sunos tag was added as illumos

              1. -2

                From #cat-v’s /topic:

                no {bots,logging,politics,heh,keyboard shortcuts,transphobia}

                Please remove this. We don’t publish logs for a reason.

                1. 7

                  It’s weird that someone who dislikes codes of conduct requests that Lobsters enforce its community’s official site violating its own code of conduct (the quoted real one, not the joke one). I’m going to pass.

                  1. 8

                    And, hat off, I didn’t read closely enough or research to see if this is seriously or sarcastically anti-semitic, but if it’s the latter I guess this is a pretty good example of how the failure mode of “isn’t it funny that we’re imitating white supremacists so well” is that y’all look like a bunch of white supremacists.

                    1. 2

                      Same, nor do I want to read that closely. There’s far too much very serious anti-semitism in the world these days.

                      I would encourage everyone who hasn’t, to read the copy of the Daily Stormer style guide which was obtained by the Huffington Post. It explains exactly what function “it’s just a joke” serves, in the words of people who call themselves Nazis unironically. But have a loved one nearby when you read it, I don’t even have words to describe what a horrifying and unpleasant read it is.

                      This chat log was seven years ago. At that time, it was indeed the case that most people thought of Nazis as a historical phenomenon rather than a contemporary one. Also, I agree that people can change and grow. I am personally willing to take sl at their word when they say “I’m not a Nazi, racist, sexist, homophobe, or antisemitic” (elsewhere in this comment tree), not because I don’t find the chat log vile, but because that declaration is one that people who do subscribe to those ideologies are usually unwilling to make, in my experience.

                      I am hopeful that sl won’t prove me wrong in future.

                      1. 4

                        You could also take heart in the fact that I have never expressed affinity for such ideas, in the seven year old chat log or anywhere else. It’s never completely clear why anyone thinks I, or 9front, do hold an affinity for such ideas. It’s always precisely this kind of completely shallow, drive-by condemnation of things no one ever said or did, usually (as here) accompanied by a declaration that the accuser does not intend to bother to find out if what they are saying is true or not. It’s really that consistent and weird. It leaves me in a position where I have to decide whether or not to engage the accusation (which is almost always diminishing returns), or allow the person to wallow in their misunderstanding. One benefit of allowing people who aren’t thinking clearly to wallow in their misunderstandings is that they will often proceed to leave 9front alone. Really, it’s win/win, for our devs and for our users. But let me be clear: There is no political or ideological substance to the 9front project beyond simply using and maintaining Plan 9.

                        One small addendum: What people say on IRC is up to each individual. #cat-v has never been ban-happy, but people saying stupid things are usually questioned thoroughly, often resulting in humiliation. That includes Nazis, racists, sexists, homophobes, and antisemites.

                        1. 5

                          The reason I don’t intend to investigate is pretty simple: If the bad things are true, it’ll be clear in due time without me having to put in the emotional resources and time to investigate. If they’re false, I’m not taking action against you, so there’s no reason to put in those resources. The resources required would be substantial; I’ve had to do it in other communities I manage.

                          I appreciate and understand why good people do not enjoy having to say “I’m not a Nazi” frequently. Unfortunately, Nazis aren’t stupid - they’re as capable of anyone else of saying thoughtful words to explain why they don’t feel they should have to say “I’m not a Nazi”. Literally any words can be co-opted by people who don’t care what those words mean. There’s no magic incantation. But Nazis do pay some small social cost by saying “I’m not a Nazi”, so it’s at least something.

                          I appreciate your statement, it does help.

                          1. 5

                            Thanks for your candor. Your method seems sound, and I can identify with the reasoning behind it.

                            I do comprehend that mentioning [thing] will always draw complaints that one is promoting [thing]. A certain amount of responsibility comes with the territory, especially where 20th century Germany is concerned. The very first 9front propaganda image was this: http://9front.org/img/9frontfell01.png. It’s David Bowie, captured by a photographer in Victoria Station, circa 1976. If you know anything at all about this debacle, it might help to illuminate the spirit in which the original 9front propaganda was undertaken: You stand up to wave at your fans and some enterprising photographer catches you at just the right moment; immediately, the front falls off, and the Daiichi Fukushima disaster lands in your publicist’s lap (matters are complicated by your previous “clever” statements to the press about the intersection of politics and the occult). What happened was, most of the 9front developers are German, or otherwise (Eastern) European, and big fans of things like Monty Python, cat-v, Milton Friedman. Inevitably, people started making jokes. Perhaps just as inevitably, outsiders to the project started noticing these jokes and expressing offense. This only caused the jokes to escalate. It might seem unconscionable to software evangelists, but 9front developers don’t care about attracting users or presenting a professional face to potential investors or employers. Everyone is only there to run and maintain Plan 9 for their own use. And our typical experience with people who show up on IRC to express outrage is that: 1.) it’s no use arguing with them, 2.) they probably don’t have much to offer the project in the first place. I think I mentioned earlier that most of these people tell us up front they have no interest in finding out what is really going on. Like I said, it’s win/win.

                            I will say that some idiots on IRC cloud the issue. I argue with them regularly.

                            1. 2

                              If they’re false, I’m not taking action against you

                              Honestly, I think that the “hat-off” comment of @pushcx was quite dangerous.

                              Implying that “y’all look like a bunch of white supremacists” is an action.

                              In itself, nothing I would care to flag if directed to me, but I think it’s worth to remember that Nazi were used to burn books.

                              If you do not “read closely enough”, you will end supporting their propaganda.

                              1. 3

                                All I can ask is that you trust my experience as a community manager, and my status as a person belonging to groups that fall squarely within Nazis’ targeting criteria. Nobody has the resources for a lengthy discussion of how to handle this on lobste.rs, but I can promise that thought is going into it.

                        2. 0

                          I am very confused about what point you are trying to make. I haven’t even posted in the thread that you linked to. Perhaps you were referring to a different thread? (apparently I did, but it was hidden because I was responding to a deleted comment.) While it is true that I dislike codes of conducts, what relevance does it have now?

                          And, btw, the 9front CoC changes with every refresh. Perhaps you saw one that you thought was relevant. I don’t know which one you were referring to.

                          1. 3

                            I was comparing the one you quoted prohibiting positing logs with the joke one I linked.

                            1. 2

                              i think the main part is that the log was hosted on 9front.org

                              1. 1

                                9front.org is a separate entity from #cat-v.

                                1. 5

                                  In that case, it is even weirder that I’m being asked to enforce the chat room’s code of conduct against the site and I’m glad I’m staying out of it.

                                  1. 1

                                    maybe /u/4ad was asking OP to remove it, not a mod.

                                    1. 4

                                      In #lobsters 4ad explicitly asked for the story on Lobsters to be deleted.

                                      1. 1

                                        ah. well there you go.

                                    2. -1

                                      An IRC channel topic is not a “code of conduct”, and you know it.

                                      1. 5

                                        Yeah, it’s an encoding of rules for conduct and not a code of conduct.

                                        Please just leave me out of whatever this weird drama is. I’m not replacing the dead link with a live one because I already feel like we ducked a flamewar and I don’t want to tempt fate, let’s just stop commenting so it falls off the homepage and /comments.

                            2. 6

                              Ehm… this is published on 9front.org

                              1. 1

                                This was published years ago as part of an attempt to contextualize a factually inaccurate article written about 9front by a rogue journalist who has since left the field. The parent directory contains more information, including his note of apology. I have restricted access to the raw IRC log (the original interview from which the article was sourced took place entirely on IRC), pending an unlikely change in #cat-v policy.

                                1. 1

                                  i don’t see anything in http://9front.org/press/sdtimes/ - did you intend to restrict access to the entire directory?

                                  1. 1

                                    Curiouser and curiouser. The directory listing is apparently, though inadvertently, excluded by the CMS (werc), which the old content was moved into… several years ago. This makes me wonder how he found the file in the first place; though it’s easy enough to imagine it turning up in search requests or other pages on the site that used to link to it in the past.

                                    1. 1

                                      I’ve fixed things so that now there is a short explanation and links to the remaining files.

                              1. 2

                                For someone who knows absolutely nothing about gaming, World of Warcraft, or this thing in particular… what is this? Can someone explain?

                                1. 4

                                  World of Warcraft is a massively popular 16 years old game, and maybe one of the most popular games ever. Since its launch in 2004 it’s been changing and evolving into what it is today, which is something completely different to what it was in its inception. Given that a large number of people would like to play the Vanilla WoW, that is, the first version of the game before any expansion was released, Blizzard has decided to roll out a “classic” version with all the content prior to the first expansion. This expansion was released in late 2006, and since there have been many more. Before the company’s official announcement that they would be releasing this classic version, many requests were made for it by fans but they were turned down by Blizzard citing several arguments such as: “the vanilla wow doesn’t exist anymore since the codebase has continued to evolve” and “Vanilla wow would be looking back and we want to move forward”. However, a vanilla WoW paid server named Nostalrius, maintained by fans for fans gained such popularity that during its peak it had more than 100k players on it. Sadly, it had to be closed in 2016 after Blizzard sent them a cease and desist order. It would seem that from the whole episode the company realized that there was actually a market for a classic WoW and they eventually changed their mind.

                                  1. 6

                                    World of Warcraft is a popular commercial subscription-based cloud-hosted enterprise legacy app featuring a low grade CRM system married to a highly complex logistics system in a standard 3 tier architecture deployed in a fully sharded configuration. Like many legacy systems, it has undergone significant schema mutation over the course of its deployed lifecycle in response to customer demand. Notably, it started out with a mostly-denormalized schema and, with the advent of improved database performance, a better understanding of the customer base’s requirement envelope, and feature creep, it has moved towards Codd’s 3rd normal form.

                                    As with many legacy apps, some customers’ business needs mandate that they stay pinned to older versions of the app. Interestingly, customers have here asked that an earlier version of a cloud-provided app be made available 12 years later, which poses some interesting issues having to do with incompatible schema migration. Given that the app is also written in a mix of obscure legacy languages, the traditional approach of simply migrating the queries and schema together is technically formidable.

                                    One established practice here is to create a proxy facade layer. In this pattern, you keep the interface to the legacy client application exactly the way it is, but create an intermediate layer which translates the db calls to and from the normalized format. This incurs round trip cost and bugs are common in edge cases, especially in frequently-undocumented minor shifts in API and field meaning, and especially given the expected low coverage of unit and functional tests in a 12 year old codebase. This technique is frequently overused owing to underestimation of the cost and time complexity of ferreting out the edge cases.

                                    The other established practice is to perform a one-time wholesale schema migration, normally done either through an ETL toolchain like Informatica, or more commonly through hand-written scripts. This approach frequently takes more developer time than the facade approach, owing to needing to “get it right” essentially all-at-once, and having a very long development loop.

                                    Whatever the technique used, schema migration programs of this scope need a crisp definition of what success looks like that’s clearly understood by all the involved developers, project managers, data specialists, and product leaders. Too frequently, these types of programs fail owing to incomplete specification and lack of clearly defined ownership boundaries and deliverable dependencies. The industry sector in which this legacy app resides is at greater than average risk for failure of high-scope projects due to fundamental and persistent organizational immaturity and improperly managed program scopes.

                                    Also, they better not nerf fear, because rogues were super OP in vanilla and getting the full 40 down the chain to rag with portals was tough enough.

                                    1. 2

                                      As someone who levelled through Stranglethorn Vale via painstaking underwater+Unending Breath grinds in order to escape OP rogue stunlock love, I say to you: Bravo Sir!. Also, f**k the debuf cap.

                                  1. 7

                                    I don’t understand why OP didn’t actually progress from the “evaluating Rust based on online documentation” stage to the “trying to implement a solution in Rust” stage. The exact issue being looked at, responding to certain OS signals, is entirely trivial due to this crate, which came up with a simple DDG search.

                                    If the language has the problem that people are fighting with the language in order to become productive with it, perhaps something is wrong with the language, and not the programmers?

                                    This misses the point. Rust is opinionated about how code should handle sharing access to data, and about when data should be shared rather than copied. It has been observed that people often take time to adjust to this, which is noted in the docs. I don’t see why that’s an issue.

                                    1. 9

                                      I don’t understand why OP didn’t actually progress from the “evaluating Rust based on online documentation” stage to the “trying to implement a solution in Rust” stage.

                                      Author provided a solution in Rust…did you not read the whole article?

                                      1. 3

                                        He did a somewhat superficial research on what libraries or crates could be used though.

                                        It is the same with ocaml/reason actually: he complains about the lack of a build system but the vast majority of packages are now using dune/jbuilder that is trivial to learn and use, well documented and extremely powerful, and he does not even mention it. He picks Containers as standard library replacement but it seems unclear to me if he has even evaluated base or core for example (even if I like containers myself). He also mention the introduction of multicore as something present even though it is nit yet part of the runtime yet

                                        1. 8

                                          somewhat superficial research

                                          I think that’s pretty realistic for almost anyone in the same situation though. If I’m trying to decide between 3 or 4 different languages for a task that needed to be done yesterday, how much time do I really have to learn all the nuances of the ecosystem?

                                          So, yeah, complain that he didn’t know about X, or didn’t know about Y… But, really, if you are a member of the Z community for which X and Y is relevant, instead of complaining that people missed this well known tool, help make sure that a newcomer’s first introduction to Z informs them of X and Y. That’d be super helpful.

                                          1. 1

                                            I agree with you, but I think the three communities mentioned above are doing the best to make sure that this is the case.

                                            And about the reason/ocaml stuff, what I mention appears in most reason tutorials, almost every package and any recent blog or forum thread, and there are dozen of discussions on the current lack of multicore, so I still believe the research was superficial.

                                            This said, I wasn’t claiming that the post is bad per se, I have found it quite interesting and I agree that the current situation is not bad but still suboptimal. I was actually pleasantly surprised to see that he dod actually implement some quite non trivial example code in all those, and even contributed to pony!

                                            EDIT: updated twice to try and clarify my complaints

                                        2. 2

                                          Your question confused me for quite a while, as I was unable to find this Rust solution in the article, despite multiple reloads. The page looks like this to me: https://leotindall.com/static/noRustVersion.png

                                          Eventually, I looked at it on my mobile phone where, mysteriously, there is a code snippet. I was baffled until I realized that, indeed, the only difference between my mobile device and my laptop is… I have JavaScript disabled in my browser on my laptop.

                                          So, my apologies to OP on this one. I was unfair. On the other hand, this serves as a great cautionary tale: make sure your site works without JavaScript.

                                          1. 2

                                            make sure your site works without JavaScript.

                                            Why draw the line at Javascript?

                                            1. 1

                                              Not him, so I can only answer for myself.

                                              JavaScript is turing complete, so it can do everything and can communicate results outside my control, so I want the ability to stop that.

                                              CSS is also turing complete, but AFAIK it can’t communicate outside without JavaScript, and unlike JavaScript it’s really hard to make it do something crazy like mine bitcoin (which with JavaScript is very easy to do).

                                              1. 7

                                                Now I want to write a Bitcoin miner in pure-CSS.

                                                CSS is also turing complete, but AFAIK it can’t communicate outside without JavaScript

                                                Enter: CSS Exfil and friends.

                                                1. 1

                                                  Good lord.

                                              2. 1

                                                You’re right, I should revise that statement: make sure your site works without requiring me to allow you to execute arbitrary code just to read an article you wrote.

                                                To be clear, there is an obvious tradeoff here: syntax highlight on the server side is annoying. My blog solves this by having an acceptable no-JS fallback that is less pretty but is not missing content.

                                              3. 1

                                                That sure would be confusing! It looks like the author embedded a gist, rather than using Medium’s code tool. I assume you can embed code in Medium without JavaScript….

                                          1. 6

                                            This news caused the public release for XSA-267 / CVE-2018-3665 (Speculative register leakage from lazy FPU context switching) to be moved to today.

                                            1. 16

                                              These embargoed and NDA’d vulnerabilities need to die. The system is broken.

                                              edit: Looks like cperciva of FreeBSD wrote a working exploit and then emailed Intel and demanded they end embargo ASAP https://twitter.com/cperciva/status/1007010583244230656?s=21

                                              1. 8

                                                Prgmr.com is on the pre-disclosure list for Xen. When a vulnerability is discovered, and the discoverer uses the responsible disclosure process, and the process works, we’re given time to patch our hosts before the vulnerability is disclosed to the public. On balance I believe participating in the responsible disclosure process is better for my customers.

                                                Pre-disclosure gives us time to build new packages, run through our testing process, and let our users know we’ll be performing maintenance. Last year we found a showstopping bug during a pre-disclosure period: it takes time and effort to verify a patch can go to production. With full disclosure, we would have the do so reactively, with significantly more time pressure. That would lead to more mistakes and lower quality fixes.

                                                1. 2

                                                  This is a bad response to the issue. The bad guys probably already have knowledge of it and can use it. A few players deemed important should not get advanced notification.

                                                  1. 15

                                                    Prgmr.com qualifies for being on the Xen pre-disclosure list by a) being a vendor of a Xen-based system b) willing and able to maintain confidentiality and c) asking. We’re one of 6 dozen organizations on that list–the criteria for membership is technical and needs-based.

                                                    If you discover a vulnerability you are not obligated to use responsible disclosure. If you run Xen you are not obligated to participate in the pre-disclosure list. The process consists of voluntary coordination to discover, report, and resolve security issues. It is for the people and organizations with a shared goal: removing security defects from computer systems.

                                                    By maintaining confidentiality we are given the ability, and usually the means to have security issues resolved before they are announced. Our customers benefit via reduced exposure to these bugs. The act of keeping information temporarily confidential provides that reduced exposure.

                                                    You have described a voluntary process with articulable benefits as “needing to die,” along with my response being “bad.” As far as I can tell from your comments you claim “the system is broken” because some people “should not get advanced notice.” I’ve described what I do with that knowledge, and why it benefits my users. I’m thankful the security community tells me when my users are vulnerable and works with me to make them safer.

                                                    Can you improve this process for us? Have I misunderstood you?

                                                    1. 11

                                                      Some bad guys might already have knowledge of it. Once it’s been disclosed, many bad guys definitely have knowledge of it, and they can deploy exploits far, far faster than maintainers, administrators and users can deploy fixes.

                                                      1. 8

                                                        You’re treating “the bad guys” like they’re all one thing. In actuality, there’s a string of bad guys from people who will use a free, attack tool to people who will pay a few grand for one to people who can customize a kit if it’s just a sploit to people who can build a sploit from a description to rare people who had it already. There’s also a range in intent of attackers from DOS to data integrity to leaking secrets. The folks who had it already often just leak secrets in stealthy way instead of do actual damage. The also use the secrets in a limited way compared to average, black hat. They’re always weighing use vs detection of their access.

                                                        The process probably shuts down quite a range of attackers even if it makes no difference for the best ones who act the sneakiest.

                                                        1. 4

                                                          The process probably shuts down quite a range of attackers even if it makes no difference for the best ones who act the sneakiest.

                                                          I believe the process is so effective at shutting down “quite a range of attackers” that it works despite: a) accidental leaks [need for improvement of process] b) intentional leaks [abuse] c) black hats on the pre-disclosure list reverse engineering an exploit from a patch. [fraud] In aggregate, the benefit from following the process exceeds the gain a black hat would have from subverting it.

                                                    2. 9

                                                      Well, it’s complicated. (Disclosure: we were under the embargo.)

                                                      When a microprocessor has a vulnerability of this nature, those who write operating systems (or worse, provide them to others!) need time to implement and test a fix. I think Intel was actually doing an admirable job, honestly – and we were fighting for them to broaden their disclosure to other operating systems that didn’t have clear corporate or foundation backing (e.g., OpenBSD, Dragonfly, NetBSD, etc). That discussion was ongoing when OpenBSD caught wind of this – presumably because someone who was embargoed felt that OpenBSD deserved to know – and then fixed it in the worst possible way. (Namely, by snarkily indicating that it was to address a CPU vulnerability.) This was then compounded by Theo’s caustic presentation at BSDCan, which was honestly irresponsible: he clearly didn’t pull eager FPU out of thin air (“post-Spectre rumors”), and should have considered himself part of the embargo in spirit if not in letter.

                                                      For myself, I will continue to advocate that Intel broaden their disclosure to include more operating systems – but if those endeavoring to write those systems refuse to honor the necessary secrecy that responsible disclosure demands (and yes, this means “embargoed and NDA’d vulnerabilities”), they will make such inclusion impossible.

                                                      1. 18

                                                        We could also argue Theo’s talk was helpful in that the CVE was finally made public.

                                                        Colin Percival tweeted in his thread overview about the vulnerability that he learned enough from Theo’s talk to write an exploit in 5 hours.

                                                        If Theo and and the OpenBSD developers pieced enough together from rumors to make a presentation that Colin could turn into an exploit in hours, how long have others (i.e., bad guys) who also heard rumors had working exploits?

                                                        Theo alone knows whether he picked-up eager FPU from developers under NDA. Even if he did, there’s zero possibility outside of the law he lives under (or contracts he might’ve signed) that he’s part of the embargo. As to the “spirit” of the embargo, his decision to discuss what he knew might hurt him or OpenBSD in the future. That was his call to make. He made it.

                                                        Lastly, I was at Theo’s talk. Caustic is not how I would describe it, nor would I categorize it as irresponsible. Theo was frustrated that OpenBSD developers who had contributed meaningfully to Spectre and Meltdown mitigation had been excluded. He vented some of that frustration in the talk. I’ve heard more (and harsher) venting about Linux in a 30 minute podcast than all the venting in Theo’s talk.

                                                        On the whole Theo’s talk was interesting and informative, with a sideshow of drama. And it may have been what was needed to get the vulnerability disclosed and more systems patched.


                                                        Disclosure: I’m an OpenBSD user, occasional port submitter, BSDCan speaker and workshop tutor, FreeNAS user and recommender, and have enjoyed many podcasts, some of which may have included venting.

                                                        1. 4

                                                          If Theo and and the OpenBSD developers pieced enough together from rumors to make a presentation that Colin could turn into an exploit in hours, how long have others (i.e., bad guys) who also heard rumors had working exploits?

                                                          It was clear to me the day Spectre / Meltdown were disclosed that there would be future additional vulnerabilities of the same class based on that discovery. I think there is circumstantial evidence suggesting the discovery was productive for the people who knew about it in the second half of 2017 before it was publicly disclosed. One can safely assume black hats have had the ability to find and use novel variations in this class of vulnerability for at least six months.

                                                          If Theo did pick up eager FPU from a developer under embargo that demonstrates just how costly it is to break embargo. Five hours, third hand.

                                                          1. 4

                                                            If Theo did pick up eager FPU from a developer under embargo that demonstrates just how costly it is to break embargo. Five hours, third hand.

                                                            I have absolutely no idea what point you’re trying to make. Certainly, everyone under the embargo knew that this would be easy to exploit; in that regard, Theo showed people what they already knew. The only new information here is that Theo is every bit as irresponsible as his detractors have claimed – and those detractors would (of course) point out that that information is not new at all…

                                                            1. 1

                                                              With respect, how is Theo irresponsible for reducing the time the users of his OS are vulnerable?

                                                              Like, the embargo thing sounds a lot to the ill-informed like some kind of super-secret clubhouse.

                                                          2. 4

                                                            Theo definitely wasn’t part of the embargo, but it’s also unquestionable that Theo was relying on information that came (ultimately) from someone who was under the embargo. OpenBSD either obtained that information via espionage or via someone trying to help OpenBSD out; either way, what Theo did was emphatically irresponsible. Of course, it was ultimately his call – but he is not the only user of OpenBSD, and is unfortunate that he has effectively elected to isolate the community to serve his own narcissism.

                                                            As for the conjecture that Theo served any helpful role here: sorry, that’s false. (Again, I was under the embargo.) The CVE was absolutely going public; all Theo did was marginally accelerate the timeline, which in turn has resulted in systems not being as prepared as they otherwise could be. At the same time, his irresponsible behavior has made it much more difficult for those of us who were advocating for broader inclusion – and unfortunately it will be the OpenBSD community that suffers the ramifications of any future limited disclosure.

                                                            1. 6

                                                              Espionage? You’re suggesting one of:

                                                              1. Someone stole the exploit information, leaked it to the OpenBSD team, a team known for proactively securing their code, on the off-chance Theo would then further leak it (likely with mitigation code), causing the embargoed details to be released sooner than expected,

                                                              2. OpenBSD developers stole the exploit information, then leaked it (while committing mitigation code), causing the embargoed details to be released sooner than expected.

                                                              The first doesn’t seem plausible. The second isn’t worthy of you or any of the developers on the OpenBSD team.

                                                              I’m sure you’ve read Colin’s thread. He contacted folks under embargo after he wrote his exploit code based on Theo’s presentation. The release timeline moved forward. OSs that had no knowledge of the vulnerability now have patches in place. Perhaps those users view “helpful” in a different light.


                                                              Edit: Still boggling over the espionage comment. Had to flesh that out more.

                                                              1. 8

                                                                Theo has replied:

                                                                In some forums, Bryan Cantrill is crafting a fiction.

                                                                He is saying the FPU problem (and other problems) were received as a leak.

                                                                He is not being truthful, inventing a storyline, and has not asked me for the facts.

                                                                This was discovered by guessing Intel made a mistake.

                                                                We are doing the best for OpenBSD. Our commit is best effort for our user community when Intel didn’t reply to mails asking for us to be included. But we were not included, there was no reply. End of story. That leaves us to figure things out ourselves.

                                                                Bryan is just upset we guessed right. It is called science.

                                                                He’s also offered to discuss the details with Bryan by phone.

                                                                1. 4

                                                                  Intel still has 7 more mistakes in the Embargo Execution Pipeline™️ according to a report^Wspeculation by Heise on May 3rd.

                                                                  https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws-revealed-several-serious-4040648.html

                                                                  Let the games begin! 🍿

                                                                  1. 1

                                                                    What’s (far) more likely: that Theo coincidentally guessed now, or that he received a hint from someone else? Add Theo’s history, and his case is even weaker.

                                                                    1. 13

                                                                      While everyone is talking about Theo, the smart guys figuring this stuff out are Philip Guenther and Mike Larkin. Meet them over beer and discuss topics like ACPI, VMM, and Meltdown with them and you won’t doubt anymore that they can figure this stuff out.

                                                                      1. 6

                                                                        In another reply you claim your approach is applied Bayesian reasoning, so let’s go with that.

                                                                        Which is more likely:

                                                                        1. A group of people skilled in the art, who read the relevant literature, have contributed meaningful patches to their own OS kernel and helped others with theirs, knowing that others besides themselves suspected there were other similar issues, took all that skill, experience and knowledge, and found the issue,

                                                                        or

                                                                        1. Theo lied.

                                                                        Show me the observed distribution you based your assessment on. Show me all the times Theo lied about how he came to know something.

                                                                        Absent meaningful data, I’ll go with team of smart people knowing their business.

                                                                        1. 4

                                                                          Absent meaningful data

                                                                          Your “meaningful data” is 11 minutes and 5 seconds into Theo’s BSDCan talk: “We heard a rumor that this is broken.” That is not guessing and that is not science – that is (somehow) coming into undisclosed information, putting some reasonable inferences around it and then irresponsibly sharing those inferences. But at the root is the undisclosed information. And to be clear, I am not accusing Theo of lying; I am accusing him of acting irresponsibly with respect to the information that came into his possession.

                                                                          1. 3

                                                                            Here is at least one developer’s comment on the matter. He points to the heise.de article about Spectre-NG as an example of the rumors that were floating around. That article is a long way from “lazy FPU is broken”.

                                                                            Theo has offered to discuss your concerns, what you think you know, what he knew, when and how. He’s made a good-faith effort to get his cellphone number to you. If you don’t have it, ask.

                                                                            If you do have his number, call him. Ask him what he meant by “We heard a rumor that this is broken.” Ask him what rumor they heard. Ask him whether he was referring to the Spectre-NG article.

                                                                            Seriously, how hard does this have to be? You engaged productively with me when I called you out. You’ve called Theo out. Talk to him.

                                                                            And yes, I get it. Your chief criticism at this point is responsible disclosure. But as witnessed by the broader discussion in the security community, there’s no single agreed-upon solution.

                                                                            While you’ve got Theo on the phone you can discuss responsible disclosure. Frankly, I suggest beer for that part of the discussion.


                                                                            Edit: Clarify that Florian wasn’t saying he knew heise.de were the source.

                                                                          2. 0

                                                                            Reread the second sentence in my reply you linked.

                                                                          3. 2

                                                                            This is plain libel, pure and simple.

                                                                            1. -2

                                                                              It is Bayesian reasoning, pure and simple.

                                                                              That said, this is a tempest in a teacup, so call it whatever you want; I’m gonna go floss my cat.

                                                                        2. 6

                                                                          Sorry – I’m not accusing anyone of espionage; apologies if I came across that way.

                                                                          What I am saying is that however Theo obtained information – and indeed, even if that information didn’t originate with the leak but rather by “guessing” as he is now apparently claiming – how he handled it was not responsible. And I am also saying that Theo’s irresponsibility has made the job of including OpenBSD more difficult.

                                                                          1. 9

                                                                            The spectre paper made it abundantly clear that addtional side channels will be found in the speculative execution design.

                                                                            This FPU problem is just one additonal bug of this kind. What I’d like to learn from you is:

                                                                            1. What was the original planned public disclosure date before it was moved ahead to today?

                                                                            2. Do you really expect that a process with long embargo windows has a chance of working for future spectre-style bugs when a lot of research is now happening in parallel on this class of bugs?

                                                                            1. 5
                                                                              1. The original date for CVE-2018-3665 was July 10th. After the OpenBSD commit, there was preparation for an earlier disclosure. After Theo’s talk and after Colin developed his POC, the date was moved in from July 10th to June 26th, with preparations being made to go much earlier as needed. After the media attention today, the determination was made that the embargo was having little effect and that there was no point in further delay.

                                                                              2. Yes, I expect that long embargo windows can work with Spectre-style bugs. Researchers have been responsible and very accommodating of the acute challenges of multi-party disclosure when those parties include potentially hypervisors, operating systems and higher-level runtimes.

                                                                              1. 10

                                                                                Thanks for disclosing the date. I must say I am happy that my systems are already patched now, rather than in one month from now.

                                                                                I’ll add that some new patches with the goal of mitigating spectre-class bugs are being developed in public without any coordinated disclosure:

                                                                                http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/9474cbef7fcb61cd268019694d94db6a75af7dbe

                                                                                https://patchwork.kernel.org/patch/10202865/

                                                                            2. 5

                                                                              Thanks for the clarification.

                                                                              I don’t think early disclosure is always irresponsible (the details of what and when matter). Others think it’s never irresponsible; and some that it’s always irresponsible. Good arguments can be made for each position that reasonable people can disagree about and debate.

                                                                              One thing I hope we can all agree on is that we need clear rules for how embargoes work (probably by industry). We need clear, public criteria covering who, what, when and how long. And how to get in the program, ideally with little or no cost.

                                                                              It’s a given that large companies like Microsoft will be involved. Open-source representatives should have a seat at the table as well. But “open source” can’t just mean Red Hat and a few large foundations. OSs like OpenBSD have a presence in the ecosystem. We can’t just write the rules with a “You must be this high to ride” sign at the door.

                                                                              And yeah, Theo’s talk might make this more difficult going forward. Hopefully both sides will use this event as an opportunity to open a dialog and discuss working together.

                                                                              1. 6

                                                                                Right, I completely agree: I’m the person that’s been advocating for that. I was furious with Intel over Spectre/Meltdown (despite our significant exposure, we learned about it when everyone else did), and I was very grateful for the work that OpenBSD and illumos did together to implement KPTI. This time around, I was working from inside the embargo to get OpenBSD included. We hadn’t been able to get to where we needed to get, but I also felt that progress was being made – and I remained optimistic that we could get OpenBSD disclosure under embargo.

                                                                                All of this is why I’m so frustrated: the way Theo has done this has made it much more difficult to advocate this position – it has strengthened the argument of those who believe that OpenBSD should not be included because they cannot be trusted. And that, in my opinion, is a shame.

                                                                                1. 11

                                                                                  Look at it from OpenBSD’s perspective though. They (apparently) tried emailing Intel to find out more, and were told “no”. What were they supposed to do? Just wait on the hope that someone, somewhere, was lobbying on their behalf to be included, with no knowledge of that lobbying?

                                                                1. 9

                                                                  There is apparently very little constructive to be said about a twitter thread with very little content.

                                                                  Yes, I’ve flagged.

                                                                  Please, consider the same.

                                                                  1. 14

                                                                    I am making a very frowny face at the snarky hot takes about these. Contemptuous knee-jerk gripes are bad in and of themselves, rarely lead to good conversation, and erode community norms. We’ve already seen Reddit, Digg, and YC News fall down that slippery slope.

                                                                    I don’t know if this is encouraged by the fact that the story link goes to twitter instead of a longer explanation in an article or talk, but it probably doesn’t help.

                                                                    1. 10

                                                                      Those communities had more damage done to them by the garbage of Twitter posts and hotcakes than by people trying to keep weeds out.

                                                                      Everybody wants a garden, nobody likes being interrupted by the gardeners.

                                                                      1. 2

                                                                        I think @pushcx was agreeing with my review of the comments thus posted. I… think?

                                                                        1. 3

                                                                          I was, and so was friendlysock.

                                                                      2. 1

                                                                        Let’s post agreed upon community norms on the wall of our bike shed. 🦞

                                                                        1. [Comment removed by author]

                                                                          1. 1

                                                                            In Soviet Russia…

                                                                            Shall we really go back to slashdot’s Natalie Portman naked and petrified with hot grits nonsense and whatever happened on kuro5hin? Some of it gets a smirk but it’s not a good use of my time.

                                                                        2. 1

                                                                          I’ve flagged it too. The story here is probably interesting, but the twitter thread is just nonsense.

                                                                        1. 24

                                                                          It is completely unclear what this is. Office 365 seems to mean several different things. There’s a real Microsoft Office (non-365), which is just a Win32 application (#1). This is the good stuff. It costs a lot of money.

                                                                          Then we have at least two other things which are both called Office 365. First, there’s some kind of browser-based bullshit (#2). This, at best, competes with Google Docs. It doesn’t compete with any kind of real Microsoft Office.

                                                                          Then there’s another thing called Office 365, which seems to be a Win32 app (#3). It’s very similar to #1, except it’s subscription-based and it somehow integrates with the cloud.

                                                                          It is completely unclear if this posts refers to #1, #2, or #3.

                                                                          Edit: from Hacker News.

                                                                          I’m an engineer in Office. This is not the case. The desktop app’s are fully native, and will remain so. They utilize React Native for a few components, but otherwise are written in C & C++.

                                                                          So yeah, this story is bullshit.

                                                                          1. 5

                                                                            What I don’t really understand is how Andrew has a comfortable standard of living in NYC on $600 per/month.

                                                                            https://www.patreon.com/andrewrk/overview

                                                                            I’m guessing that there must be another source of Zig donations aside from Patreon?

                                                                            1. 7

                                                                              Savings?

                                                                              1. 2

                                                                                Oh woops, I misread the first paragraph, I thought it stated that Zig was supporting him entirely, when it’s actually about his programming supporting him.

                                                                                1. 3

                                                                                  Note that this isn’t his first attempt at doing this. But the project he was working on before Genesis didn’t find the same traction as Zig has. BUT, if I recall correctly, he also didn’t live in NYC the last time… Anyway, he’s got experience with living frugally, so I’m sure he knows what he’s doing here.

                                                                                  1. 2

                                                                                    he extrapolated the donations growth versus his savings.

                                                                                2. 2

                                                                                  What I don’t understand is if you are not working in NYC anymore, and only working on your own and getting donation, why doesn’t he move to anywhere but NYC to minimise his personal expense?

                                                                                  I’m sure there are cities in the US with 80% the fun of NYC at lower than 80% of the cost.

                                                                                  1. 17

                                                                                    I work remote, and there are places I could move that are < 20% of the cost.

                                                                                    My friends aren’t going to move with me, and I have enough money to live where I am. Why be wealthy and lonely?

                                                                                    1. -10

                                                                                      Didn’t know your city is the only source of friends in the world. That must be good for the economy.

                                                                                      1. 32

                                                                                        I know that this is very hard for some people to believe (seems to be harder the more western the society is), but some people don’t consider their friends a replaceable commodity. Not that I don’t want to make new friends, but these are my friends right now and I am more loyal to them than I am to a meaningless job or to money.

                                                                                        1. 4

                                                                                          Maybe because your partner has a job he/she really enjoys in this city? I mean, we’re lucky in our field to have a lot of different possibilities, in remote or not, mostly well paid. Let’s not forget that it’s a chance and not something everybody has.

                                                                                      2. 2

                                                                                        The usual reason is the significant other.

                                                                                        1. 1

                                                                                          There’s a shit-ton of them. Even Memphis TN that’s close to me with all its problems is low cost of living with all kinds of fun stuff to do. Just don’t live in or shop around the hood. Solves most of problems if you don’t have kids going to school or college.

                                                                                          There’s plenty of cities in the US that similarly have low cost of living with plenty going on. One can also live in areas 30-40 min from cities to substantially reduce their rent. The fun stuff still isn’t that far away. The slight inconvenience just knocks quite a bit off the price.

                                                                                          1. 4

                                                                                            I don’t remember the details, and I can’t find the link, but a few years ago someone did some research here in Berlin where they compared the cost of rent in more-or-less the city proper, and the cost of rent + public transportation tickets when you lived in the outskirts. It ended up being not much of a difference.

                                                                                            1. 2

                                                                                              Well, if you don’t workin in the city and need to commute then you spend even less. Though OTOH, you get tax returns for commutes in Germany so probably the commute is not that expensive to begin with.

                                                                                              1. 2

                                                                                                Berlin is currently the city with the highest increase in rent world-wide and a few years ago, it was unusually low.

                                                                                                Also, Berlin is hard to compare in many aspects, possibly because of a very unique city history.

                                                                                        1. 7

                                                                                          I have been exclusively working remotely for the past 12 years. I would never work differently in this industry ever again. Happy to answer any questions.

                                                                                          1. 1

                                                                                            can I ask how you got into remote working?

                                                                                            1. 3

                                                                                              It was a necessity, I was living in a very small town in a very poor country with no IT industry to speak of and no plans to move at that time. Remote work was the only possible option at that point, and it worked well for me. In the meantime, I have moved from there, but remote working stuck with me.

                                                                                          1. 3

                                                                                            Maybe @steveno or someone else can ELI5 this to me why is this advantageous over traditional, platform-agnostic, and dependency-less symlinking in a bash script? Cf. my dotfiles and the install script.

                                                                                            1. 3

                                                                                              Salt’s declarative nature means that you’re mostly describing the end state of a system, not how to get there.

                                                                                              So instead of saying “copy this stuff to this directory and then chmod” you say “I want this other directory to look like this”. Instead of saying “install these packages” you say “I want this to be installed”. You also get dependency management so if you (say) just want to install your SSH setup on a machine you can say to do that (and ignore your window manager conf).

                                                                                              If your files are grouped well enough and organized enough you can apply targeted subsets of your setup on many machines based off of what you want. “I want to use FF on this machine so pull in that + all the dependencies on that that I need”. “Install everything but leave out the driver conf I need for this one specific machine”

                                                                                              This means that if you update these scripts, you can re-run salt and it will just run what needs to run to hit the target state! So you get recovery from partial setup, checking for divergences in setups, etc for free! There’s dry run capabilities too so you can easily see what would need to change.

                                                                                              This is a wonderful way of keeping machines in sync

                                                                                              1. 2

                                                                                                Looking at my repository right now, there isn’t any advantage. You could do everything I’ve done with a bash script. The beauty of this setup for me, and I really should have stated this initially, is that I can have multiple machines all share this configuration really easily. For example, my plan is buy a RaspberryPi and setup an encrypted DNS server. All I need to do is install salt on the Pi and it gets all of this setup just like my NUC currently has. I can then use salt to target specific machines and have it setup a lot of this for me.

                                                                                                1. 2

                                                                                                  The beauty of this setup for me, and I really should have stated this initially, is that I can have multiple machines all share this configuration really easily

                                                                                                  You can also do this with a shell script.

                                                                                                  All I need to do is install salt

                                                                                                  With shell scripts you don’t need to install anything.

                                                                                                  1. 3

                                                                                                    As I previously stated, given what’s currently in this repository, there isn’t anything here that you couldn’t do with a shell script. That’s missing the point though. Salt, or ansible, or chef, provide you with a way to manage complex setups on multiple systems. Salt specifically (because I’m not very familiar with ansible or chef) provides a lot of other convenient tools like salt-ssh or reactor as well.

                                                                                                    1. 2

                                                                                                      I feel like your point is just that shell script is turing complete. Ok. The interesting questions are about which approach is better/easier/faster/safer/more powerful.

                                                                                                      1. 2

                                                                                                        If you’re targeting different distributions of linux or different operating systems entirely, the complexity of a bash script will start to ramp up pretty quickly.

                                                                                                        1. 2

                                                                                                          I disagree, I use a shell script simply because I use a vast array of Unix operating systems. Many of which don’t even support tools like salt, or simply do not have package management at all.

                                                                                                          1. 1

                                                                                                            I have a POSIX sh script that I use to manage my dotfiles. Instead of it trying to actually install system packages for me, I have a ./configctl check command that just checks if certain binaries are available in the environment. I’ve found that this approach hits the sweet spot since I still get a consistent environment across machines but I don’t need to do any hairy cross-distro stuff. And I get looped in to decide what’s right for the particular machine since I’m the one actually going and installing stuff.

                                                                                                        2. 1

                                                                                                          The beauty of this setup for me, and I really should have stated this initially, is that I can have multiple machines all share this configuration really easily.

                                                                                                          Have to agree with @4ad on this one. I have to use remote machines I don’t have sudo rights and/or often are completely bare bones (eg., not even git preinstalled.) My goal, in essence, is a standardized, reproducible, platform-agnostic, dependency-less dotfile environment which I can install with as few commands as possible and use as fast as possible. I don’t see how adding such a dependency benefits me in this scenario. I’m not against Ansible-like dotfile systems, but, in my opinion, using such systems for this task seems like an overkill. Happy to hear otherwise, though.

                                                                                                      1. 3

                                                                                                        Good job on the port! I figured you’d use a UNIX runtime instead of native OS/400 or something. I bet it would be quite challenging getting .NET on that model. Its architecture might still be worth targeting for some runtimes focused on high-security or high-availability, though. I think Ada, Rust, or maybe Erlang are a decent match for its style.

                                                                                                        The one question that popped into my mind was why IBM’s OS’s are using the Windows PE format. The backstory on that could be interesting given they previously worked on an OS together but split up.

                                                                                                        1. 2

                                                                                                          AFAIK Aix does not use PE, it uses COFF. Windows NT started with COFF but moved to PE soon enough (you can find old pre-alpha versions that used COFF). Funny enough, the oldest version of mspaint.exe that uses PE runs on modern systems just fine.

                                                                                                        1. 6

                                                                                                          So full stack developer means web developer? What is this horseshit?

                                                                                                          I have worked on:

                                                                                                          • instruction sets
                                                                                                          • compilers
                                                                                                          • language design
                                                                                                          • functional programming stuff
                                                                                                          • kernels
                                                                                                          • drivers
                                                                                                          • filesystems
                                                                                                          • low-level embedded systems
                                                                                                          • high-level UI design for embedded systems
                                                                                                          • 3D graphics
                                                                                                          • games
                                                                                                          • networking protocols
                                                                                                          • cryptography
                                                                                                          • network servers
                                                                                                          • HTTP servers
                                                                                                          • GUI applications
                                                                                                          • databases
                                                                                                          • actual engineering (a.i. non-computers)
                                                                                                          • antivirus software
                                                                                                          • high frequency trading

                                                                                                          When I say “I have worked on” those things I mean I designed and implemented those things, not that I merely used those things. But apparently I am not a full stack developer because I have never worked on any web application.

                                                                                                          I have never worked on hardware, but I have a very good understanding of both how hardware really works, the engineering behind producing the hardware, and the physics that governs the silicon (but since I know more physics than computers, I guess that just means I can’t really be full stack).

                                                                                                          Full stack means that I am a generalist who understands… the whole stack, not just the web surveillance layer sitting on top.

                                                                                                          1. 5

                                                                                                            As exciting as this is, I’m wary about dependency in GNU tools, even though I understand providing an opembsd-culture-friendly implementation would require extra work and could be a nightmare maintainance, with two different codebases for shell scripts, but perhaps gmake could be replaced with something portable.

                                                                                                            1. 12

                                                                                                              This version of Wireguard was written in go, which means it can run on exactly 2 (amd64, i386) of the 13 platforms supported by OpenBSD.

                                                                                                              The original Wireguard implementation written in C is a Linux kernel module.

                                                                                                              A dependency on gmake is the least of all portability worries in this situation.

                                                                                                              1. 18

                                                                                                                While it’s unfortunate that Go on OpenBSD only supports 386 and amd64, Go does support more architectures that are also supported by OpenBSD, specifically arm64 (I wrote the port), arm, mips, power, mips. I have also implemented Go support for sparc64, but for various reasons this wasn’t integrated upstream.

                                                                                                                Go also supports power, and it used to run on the power machines supported by OpenBSD, but sadly now it only runs on more modern power machines, which I believe are not supported by OpenBSD. However, it would be easy to revert the changes that require more modern power machines. There’s nothing fundamental about them, just that the IBM maintainer refused to support such old machines.

                                                                                                                Since Go support both OpenBSD and the architectures mentioned, adding support in Go for OpenBSD+$GOARCH is about a few hours of work, so if there is interest there would not be any problem implementing this.

                                                                                                                I can help and offer advice if anyone is willing to do the work.

                                                                                                                1. 3

                                                                                                                  Thanks for your response! I didn’t know that go supports so many platforms.

                                                                                                                  Go support for sparc64, but for various reasons this wasn’t integrated

                                                                                                                  Let me guess: Nobody wanted to pay the steep electricity bill required to keep a beefy sparc64 machine running?

                                                                                                                  1. 25

                                                                                                                    No, that wasn’t the problem. The problem was that my contract with Oracle (who paid me for the port) had simply run out of time before we had a chance to integrate.

                                                                                                                    Development took longer then expected (because SPARC is like that). In fact it took about three times longer than developing the arm64 port. The lower level bits of the Go implementation have been under a constant churn which prevented us from merging the port because we were never quite synced up with upstream. We were playing a whack’a’mole game with upstream. As soon as we merged the latest changes, upstream had diverged again. In the end my contract with Oracle had finished before we were able to merge.

                                                                                                                    This could all have been preventable if Google had let us have a dev.sparc64 branch, but because Google is Google, only Google is allowed to have upstream branches. All other development must happen at tip (impossible for big projects like this, also disallowed by internal Go rules), or in forks that then have to keep up.

                                                                                                                    The Go team uses automated refactoring tools, or sometimes even basic scripts to do large scale refactoring. As we didn’t have access to any of these tools, we had to do the equivalent changes on our side manually, which took a lot of time and effort. If we had an upstream branch, whoever did these refactorings could have simply used the same tools on our code and we would have been good.

                                                                                                                    I estimate we spent more effort trying to keep up with upstream than actually developing the sparc support.

                                                                                                                    As for paying for electricity, Oracle donated one of the first production SPARC S7-2 machines (serial number less than 100) to the Go project. Google refused to pay for hosting this machine (that’s why it’s still sitting next to me as I type this).

                                                                                                                    In my opinion after being involved with Go since the day of the public release, I’d say the Go team at Google is unfortunately very unsympathetic to large scale work done by non-Google people. Not actively hostile. They thanked me for the arm64 port, and I’m sure they are happy somebody did that work, but indirectly hostile in the sense that the way the Go team operates is not compatible with large scale outside contributions.

                                                                                                                    1. 1

                                                                                                                      Having to manually follow automated tools has to suck. I’d be overwhelmed by the tedium or get side-tracked trying to develop my own or something. Has anyone attempted a Go-to-C compiler developed to attempt to side-step all these problems? I originally thought something like that would be useful just to accelerate all the networking stuff being done in Go.

                                                                                                                      1. 2

                                                                                                                        There is gccgo, which is a frontend for gcc. Not quite a transpiler but it does support more architectures than the official compiler.

                                                                                                                        1. 1

                                                                                                                          Yeah, that sounds good. It might have a chance of performing better, too. The thing working against that is the Go compiler is designed for optimizing that language with the gccgo just being coopted. Might be interesting to see if any of the servers or whatever perform better with gccgo. I’d lean toward LLVM, though, given it seems more optimization research goes into it.

                                                                                                                        2. 2

                                                                                                                          The Go team wrote such a (limited) transpiler to convert the Go compiler itself from C to Go.

                                                                                                                          edit: sorry, I misread your comment - you asked for Go 2 C, not the other way around.

                                                                                                                          1. 1

                                                                                                                            Hey, that’s really cool, too! Things like that might be a solution to security of legacy code whose language isn’t that important.

                                                                                                                      2. 1

                                                                                                                        But these people are probably more than comfortable with cryptocurrency mining 🙃

                                                                                                                      3. 3

                                                                                                                        Go also supports power, and it used to run on the power machines supported by OpenBSD, but sadly now it only runs on more modern power machines, which I believe are not supported by OpenBSD. However, it would be easy to revert the changes that require more modern power machines. There’s nothing fundamental about them, just that the IBM maintainer refused to support such old machines.

                                                                                                                        The really stupid part is that Go since 1.9 requires POWER8…. even on big endian systems, which is very pointless because most running big endian PPC is doing it on pre-POWER8 systems (there’s still a lot!) or a big endian only OS. (AIX and OS/400) You tell upstream, but they just shrug at you.

                                                                                                                        1. 4

                                                                                                                          I fought against that change, but lost.

                                                                                                                        2. 2

                                                                                                                          However, it would be easy to revert the changes that require more modern power machines.

                                                                                                                          Do you have a link to a revision number or source tree which has the code to revert? I still use a macppc (32 bit) that I’d love to use Go on.

                                                                                                                          1. 3

                                                                                                                            See issue #19074. Apparently someone from Debian already maintains a POWER5 branch.

                                                                                                                            Unfortunately that won’t help you though. Sorry for speaking too soon. We only ever supported 64 bit power. If macppc is a 32-bit port, this won’t work for you, sorry.

                                                                                                                            1. 3

                                                                                                                              OpenBSD/macppc is indeed 32-bit.

                                                                                                                              I kinda wonder if say, an OpenBSD/power port is feasible; fast-ish POWER6 hardware is getting cheap (like 200$) used and not hard to find. (and again, all pre-P8 POWER HW in 64-bit mode is big endian only) It all depends on developer interest…

                                                                                                                              1. 3

                                                                                                                                Not to mention that one Talos board was closer to two grand than eight or ten. Someone could even sponsor the OpenBSD port by buying some dev’s the base model.

                                                                                                                                1. 3

                                                                                                                                  Yeah, thankfully you can still run ppc64be stuff on >=P8 :)

                                                                                                                        3. 2

                                                                                                                          This version of Wireguard was written in go, which means it can run on exactly 2 (amd64, i386)

                                                                                                                          That and syspatch make me regret of buying EdgeRouter Lite instead of saving up for an apu2.

                                                                                                                        4. 2

                                                                                                                          I’m a bit off with the dependency of bash on all platforms. Can’t this be achieved with a more portable script instead (POSIX-sh)?

                                                                                                                          1. 3

                                                                                                                            You don’t have to use wg-quick(8) – the thing that uses bash. You can instead set things up manually (which is really easy; wireguard is very simple after all), and just use wg(8) which only depends on libc.

                                                                                                                            1. 2

                                                                                                                              I think the same as you, I’m sure it is possibe to achieve same results using portable scripts. I’m aware of the conviniences bash offers, but it is big, slow, and prompt to bugs.

                                                                                                                          1. 8

                                                                                                                            Good. If you’re a vocal asshole outside of the project, I don’t trust you to be able to magically turn it off and hide your prejudices inside the project either.

                                                                                                                            And people act like this is some bizarre new thing. If I engaged in harassment or inappropriate behavior on Saturday, so much so that people knew about it…I’d likely be fired from my day job too. Nobody wants that kind of association with their project/business. Plenty of employment contracts and employee handbooks have “good conduct” clauses, and have for decades.

                                                                                                                            Those of you concerned about this, serious question: what is an example of some behavior that you honestly think would be problematic under this new policy?

                                                                                                                            1. 17

                                                                                                                              Those of you concerned about this, serious question: what is an example of some behavior that you honestly think would be problematic under this new policy?

                                                                                                                              Mainly people digging Twitter to oust someone. One case immediately comes to mind, Rod Vagg and Node.js:

                                                                                                                              Most recently Rod tweeted in support of an inflammatory anti-Code-of-Conduct article. As a perceived leader in the project, it can be difficult for outsiders to separate Rod’s opinions from that of the project.

                                                                                                                              The article mentioned is The Neurodiversity Case for Free Speech, which I agree with. I really don’t want to be excluded from Go project by tweeting this reasonable article I agree with. This actually happened, and I fear it will happen after this revision of Go CoC.

                                                                                                                              1. 6

                                                                                                                                I don’t know enough about his situation to judge, but a quick reading shows that there were sufficient complaints from contributors and other Steering Committee members to bring his resignation to a vote, and 40% of the vote was for him to resign. Generally speaking I’m opposed to the concept of “where there’s smoke there’s fire” but if a lot of people are saying they don’t want to work with you…maybe the problem is you and not them.

                                                                                                                                (And they have in that article lists of explicit violations of the project’s policies, like discussing private moderation publicly, etc. That he wasn’t allowed a forum to answer to these charges is a flaw in the process to be sure, but he doesn’t deny they happened.)

                                                                                                                                And the problem, from what I gather, wasn’t that he tweeted about an article, but that he tweeted screenshots of rude responses about it. He’s a leader of the project, and as such needs to think about his position.

                                                                                                                                If thw CEO of Pepsi tweeted something on his “private” Twitter that the Pepsi Corporation felt brought them into disrepute…you don’t think PepsiCo would do something? Because they absolutely would. Like it or not, he was in a leadership position and discussed things relevant to the project’s governance in a (supposedly) flippant way.

                                                                                                                                …but like I said above, I’m not familiar with this issue, and am just providing my opinion based on the linked article (and the things it linked to).

                                                                                                                                EDIT: And I went back and read “The Neurodiversity Case for Free Speech”, which in my opinion is framing the argument very poorly. They seem to imply that there are people with atypical neurologies who are incapable of refraining from sexist, homophobic, and anti-Islamic speech. It’s basically saying “I can be an asshole and if it makes you uncomfortable…I have a condition!” It’s removing all agency from atypical neurologies or implying that prejudice and bigotry is an inherent part of atypical neurologirs, neither of which is true.

                                                                                                                                It also echos the old Kuro5hin “we’re just smarter than you and if you can’t handle it, too bad” argument, which was tiresome then too.

                                                                                                                                It goes on to say that Isaac Newton would run afoul of these sorts of things today. Well, sure. He owned shares in a slavetrading enterprise. He’s not gonna be in trouble for thinking he can transmute lead into gold, he’s going to get in trouble for talking about owning other humans. It’s a sttawman.

                                                                                                                                There’s a difference between the kind of behavior exhibited by, say persons with Aspberger’s Syndrome and people who are just assholes. If someone with Aspberger’s truly believes he should tell women he wants to touch their boobs and “just can’t help it”…that’s unfortunate, but it’s not appropriate behavior regardless. Nobody’s banning an Aspie because they forgot to say “please” or said that some piece of code is “garbage”. Aspies can be not-homophobes too, just like neurotypical people.

                                                                                                                                The article is seeming to say that people shouldn’t be held to any expected form of social behavior when working on a social project. It also falls into the “you have to know 100% every time without asking if someone else would be offended by what you say” which is logically falicious and not in line with what these Codes of Conduct actually say.

                                                                                                                                In other words, this “reasonable” article seems, to me, to be attempting to throw around some absurd examples and mischaracterized strawmen, and then claim that anyone should be free to act however they please socially with no repercussions.

                                                                                                                                That’s not how it works, or has ever worked, in any field of human endeavor.

                                                                                                                                1. 19

                                                                                                                                  No one should be obliged to refrain from anti-Islamic speech in order to participate in an open-source software project, especially if they do so outside of the confines of the project (I’ll grant that it’s reasonable for a project to make any discussion of religion off-topic within the confines of the project). When I said that these changes to the code of conduct were a way of controlling participants’ political speech, this is exactly the sort of thing I was talking about. Islam is a system of religious thought like any other and deserves no special protection from criticism, other than that which is granted equally to all religions in a religiously-pluralistic society. If the Go project can define anti-Islamic speech outside of the project as a banning offense, then they are acting as enforcers of a specific political ideology that privileges Islam as a sacred idea. This has no place in an open-source software project.

                                                                                                                                  1. 4

                                                                                                                                    Well said.

                                                                                                                                    I am more concerned about how, say, virulent your speech is. If you’re so anti-Islam or anti-Christian or anti-Atheist that it becomes obvious that you might have problems working with people of those philosophies then I would be concerned as to how well you’d function in a project that explicitly welcomes people of all (or no) faith.

                                                                                                                                    I am more concerned about consistent “women are just inherently worse at programming, it’s science!”-style posts. If that’s what fills your Twitter, I wonder how you’ll be when you review a woman’s PR, y’know?

                                                                                                                                    But you raise an excellent point.

                                                                                                                                    1. 3

                                                                                                                                      If (this is hypothetical) women are, in fact, inherently worse at programming, and one thinks programming is important and should be for everybody, this means women need additional support for programming. In fact, this is the exact position I hold: I think men are inherently worse at language (reading) as evidenced by standardized test score statistics, and reading is important, and boys need special support so that they can get equal score at reading.

                                                                                                                                      I don’t hold such position wrt women and programming, but if I were, I would review a woman’s PR with more care and time so that it is more helpful.

                                                                                                                                  2. 7

                                                                                                                                    You asked for an honest concern for the new Go CoC. If my concern, to be specific, tweeting a link to The Neurodiversity Case for Free Speech and being allowed continued participation to Go project, sounds honest and reasonable, please confirm.

                                                                                                                                    Thanks!

                                                                                                                                    1. 2

                                                                                                                                      I edited my comment above. From what I gather, the problem was twofold: he didn’t just tweet the article, but supposedly offensive screenshots of comments about the article; and he did it while in a leadership position of the project.

                                                                                                                                      And there were apparently many other complaints and violations of the project’s policies, so it wouldn’t appear to be as simple as “tweet a link, get banned.”

                                                                                                                                      But again, I first heard of this like 15 minutes ago.

                                                                                                                                      1. 10

                                                                                                                                        so it wouldn’t appear to be as simple as “tweet a link, get banned.”

                                                                                                                                        With Go, it would appear to be simpler than that. Post something totally innocuous that they don’t agree with, and get banned.

                                                                                                                                        They banned some guy on reddit because he was just expressing his opinion.

                                                                                                                                        (In case my own post gets deleted, here is a screenshot.)

                                                                                                                                        1. 1

                                                                                                                                          Reddit isn’t Go, though. We have to wait and see.

                                                                                                                                          (And he wasn’t “expressing his opinion”, he was accusing them of witch hunts before the thing was even promulgated. He wasn’t banned for his opinion, he was banned for being an asshole. Go into any volunteer organization and combatively accuse them of witch hunts and bigotry and see how long they welcome your effort…

                                                                                                                                          If he had said “I worry that the vague language and lack of public investigation to lead to abuse of those with minority political opinions,” he’d be fine. Instead he came in accusatorily with guns ablazin and then gets taken aback when people don’t like being talked to that way.)

                                                                                                                                          1. 9

                                                                                                                                            Note that /r/golang does use Go CoC, so it is fully relevant here.

                                                                                                                                            1. 9

                                                                                                                                              he was accusing them of witch hunts

                                                                                                                                              No, he wasn’t. He was responding to this post, essentially answering the question “what is wrong with CoCs in general?”. /u/zevdg had his own opinion, and /u/gildedlink had answered punctually to his objection.

                                                                                                                                              It looks like he was perfectly correct though.

                                                                                                                                              1. 1

                                                                                                                                                He accused the CoC of being used by “bigoted people…to exclude others based on superficial ideological labels…[and] to bully targets.”

                                                                                                                                                I shortened it to “witch hunt” but the idea’s the same.

                                                                                                                                                Again, if he had said “I fear the language is too vague and might be liable to abuse by people who wish to exclude minority viewpoints” he would’ve been fine. I you act like a jerk when expressing your opinion, people’s reactions might be based on your jerkiness and not the expressed opinions.

                                                                                                                                                EDIT: removed some of my own jerkiness. There was no reason for it, sorry.

                                                                                                                                                1. 9

                                                                                                                                                  Your restatement is bad because I (and I think gildedlink) am against outside clause in its entirety, and my primary objection is not vague language. In fact, you seem okay with my “Mainly people digging Twitter to oust someone… Rod Vagg and Node.js”, but I don’t see much difference.

                                                                                                                                                  Or do you think I should be banned from Go project for saying the above?

                                                                                                                                                  1. 4

                                                                                                                                                    He said “frameworks like this”, he was talking about other CoCs just like this one and how they were used by other people. He wasn’t accusing these people (the Go people) of anything (although, now, I am, in case anyone is keeping score).

                                                                                                                                                    Again, if he had said “I fear the language is too vague […]”

                                                                                                                                                    He was saying what a CoC can do (and what it did do in other communities). He didn’t get a change to expands on his thoughts, or explain in depth how this particular CoC enables that phenomenon because he was banned.

                                                                                                                                                    As a related point, I am sure you realize that some of use are against the very idea of a CoC. While I have specific problems with this particular CoC (which have all been discussed here before by other people, so I won’t repeat them), my main ideological problem is with the existence of a CoC itself in any shape of form.

                                                                                                                                                2. 1

                                                                                                                                                  For the record, I appear to have been shadow banned from /r/golang as well. Not just regular ban, but shadow ban.

                                                                                                                                                  1. 1

                                                                                                                                                    Any idea why?

                                                                                                                                                    1. 4

                                                                                                                                                      Actually after some more investigation, I wasn’t banned, but they enabled global censoring. Every post now has to be approved by a moderator before it becomes visible to other people. In my opinion, this is a far worse outcome then if they had just banned me…

                                                                                                                                          2. 5

                                                                                                                                            Replying to edit:

                                                                                                                                            They seem to imply that there are people with atypical neurologies who are incapable of refraining from sexist, homophobic, and anti-Islamic speech.

                                                                                                                                            There is no such implication. It’s not about being incapable, it’s about being more difficult. Large text accessibility theme is not about being incapable of using small text.

                                                                                                                                            That’s not how it works, or has ever worked, in any field of human endeavor.

                                                                                                                                            Since humanity never made it fair for Aspies in its long history, humanity shall continue to make it unfair for Aspies forevermore. Got it. If your criteria for social change is “that’s not how it has ever worked”, there would be no women’s suffrage.

                                                                                                                                            1. 4

                                                                                                                                              How does being an Aspie make it more difficult to not be a homophobe? Homophobia is not a symptom of Aspberger’s Syndrome.

                                                                                                                                              1. 4

                                                                                                                                                It makes it more difficult to know what the implicit prevailing social norm is.

                                                                                                                                                But really, that’s not what I think is the core of disagreement. You find The Neurodiversity Case for Free Speech objectionable. Got it. Do you find it objectionable enough that tweeting a link to it should constitute a cause for ban for open source projects?

                                                                                                                                                1. 1

                                                                                                                                                  Not at all. But if that’s provided as supporting evidence that I lack impartiality to do my job according to the project’s rules and had been the subject of multiple complaints on top of documented violations of procedures and policies….well…

                                                                                                                                                  Now, do you think that treating gay people with common respect is purely a social norm that we should ignore if we feel like it?

                                                                                                                                                  1. 3

                                                                                                                                                    Yeah it’s also important to remember that a condition may be an explanation but it isn’t an excuse. I have ADHD and I do lack impulse control. That lack of impulse control is not an excuse to act out on others. I still need to apologize for my behavior and describe what steps I might take to avoid it in the future. It does not count as be an asshole free card. I still need to put a good faith effort into having good behavior and if I repeatedly am hostile to others then I may not be able to be involved in a group project.

                                                                                                                                                    1. 3

                                                                                                                                                      This is why I am in favor of Rust CoC. “Moderators will first respond to such remarks with a warning.” Rust CoC is explicitly against instaban.

                                                                                                                                                      Go CoC is not, and above /r/golang case seems Go CoC in fact can instaban. (It is possible that there was private warning, but short time frame makes it unlikely.)

                                                                                                                                                    2. 1

                                                                                                                                                      No, I don’t think so.

                                                                                                                                                    3. 1

                                                                                                                                                      It doesn’t, however, make it difficult to know what one’s values are, or to act accordingly. I don’t know what social norms have to do with it, and I find this argument insulting.

                                                                                                                                                2. 3

                                                                                                                                                  And the problem, from what I gather, wasn’t that he tweeted about an article, but that he tweeted screenshots of rude responses about it. He’s a leader of the project, and as such needs to think about his position.

                                                                                                                                                  I have an honest question which I hope you to reciprocate by answering. Do you seriously believe it would have been different if just link was tweeted and “Dude, What’s wrong with your head?” screenshot was not tweeted? I really have hard time believing this. “Yes” or “No” would be sufficient. Thanks!

                                                                                                                                                  1. 1

                                                                                                                                                    Well, before we go too far down this rabbit hole, we should remember that Node.js and Go are two separate projects and we should judge Go’s policy separately.

                                                                                                                                                    As for your question:

                                                                                                                                                    I don’t know. Maybe yes, maybe no. I think if the person in question has other complaints lodged against them, the scales might tip.

                                                                                                                                                    I personally wouldn’t care, but I’m not the Node.js TSC with their insider knowledge of his past behavior.

                                                                                                                                            1. 7

                                                                                                                                              Adobe should be in this list.

                                                                                                                                              I have unsubscribed from all the Adobe spam, but now they have sent a confusing E-mail saying that GDPR means I need to review my communication preferences. There is no indication that I can simply disregard this e-mail, and clicking the link in the e-mail will take you to a page that re-enables all the spam!

                                                                                                                                              Several companies have employed this exact scammy strategy, but Adobe is the biggest one that I remember.

                                                                                                                                              1. 1

                                                                                                                                                As far as I understand from reading the GDPR, you could send them an email with a request to erase all the data that they have on you, and they are obliged to remove it in a month.

                                                                                                                                                (IANAL)

                                                                                                                                              1. 12

                                                                                                                                                I’m updating my “Days Since Last Code of Conduct Story” sign from zero to zero. If someone would like to write the Standard Code of Conduct Epitome, I would take it as a kindness.

                                                                                                                                                And I’m being a little silly, but the other story’s conversation stayed pretty good and had people explaining their positions and sharing new thoughts without starting a flame war, so I hope that continues.

                                                                                                                                                1. 1

                                                                                                                                                  Once it’s been beaten to death it would be nice if at some point these are considered off topic. Not saying that moment is now, but there will be a point where people get fatigued from the wound being continually reopened by people who mostly want to stir the pot.

                                                                                                                                                  1. 10

                                                                                                                                                    Banning discussions about CoCs is only dumping more fuel into the fire while proving that the concerns of people who are against CoCs are valid.

                                                                                                                                                    At least this site makes it really easy to hide content one is not interested in, either via tags, or by using the hide button (which a few have used on this very story already).

                                                                                                                                                    I would not mind a “coc” tag, which would be more suitable than the “culture” tag used here.

                                                                                                                                                    1. 4

                                                                                                                                                      Given that I can’t really tell one COC thread from another, I would be quite happy if there was a COC tag so I could filter on it.

                                                                                                                                                      1. 4

                                                                                                                                                        There’s a ‘hide’ link under every headline. It will also remove comments from /newest, /replies, etc. (and anywhere they’re missed is a bug). You can review your hidden stories at /hidden.

                                                                                                                                                        1. 2

                                                                                                                                                          I’m aware. I like tags and being able to filter on them as its a one time thing and I don’t have to hide similar stories each time.

                                                                                                                                                          1. 3

                                                                                                                                                            There are only so many discussions to be had about positions on CoCs. It becomes draining to participate, and it’s hard to stay open to new ideas when the same points are rehashed. The ability to filter on a coc tag would definitely be helpful for my emotional being.

                                                                                                                                                      2. 2

                                                                                                                                                        It’s not uncommon for a forums to bar discussion after a subject becomes hotly debated for basically forever. It’s not about validating or unvalidating fears it’s about preventing a single issue from keeping a community in constant conflict. A CoC tag would probably just accelerate the problem since users who feel obligated to speak up on either side will simply search for the tag.

                                                                                                                                                  1. 21

                                                                                                                                                    First, the new code of conduct makes clear that people who participate in any kind of harassment or inappropriate behavior, even outside our project spaces, are not welcome in our project spaces. This means that the Code of Conduct applies outside the project spaces when there is a reasonable belief that an individual’s behavior may have a negative impact on the project or its community.

                                                                                                                                                    I am very disappointed. Go CoC’s restricted scope was a very good decision and protection against witch hunting.

                                                                                                                                                    1. 18

                                                                                                                                                      What constitutes “harassment” and “inappropriate behavior” is profoundly political. This is an attempt by the Go project to regulate the political speech of contributors. This is worth forking Go over.

                                                                                                                                                      1. 10

                                                                                                                                                        That is exactly what it is. The 0th and the 1st iterations were the same thing; but they lost a battle going from 0 to 1, and now they are fighting the war.

                                                                                                                                                        A fork is unviable at this point. It will always be a niche project at best, like gccgo is. There isn’t enough Go technical talent outside Google with enough social and political capital to spare to make this work.