1. 4

    They should have used canonical S-expressions instead of JSON: they are simpler to parse & emit; they are better-suited to handling encryption; and they readily handle binary data.

    It’s a matter of taste, but I also think that they’re a lot more attractive:

    (request
     (using ietf.org/rfc/smap-core ietf.org/rfc/smap-mail)
     (method-calls
      (method1 ((arg1 arg1data) (arg2 (arg2data))) "#1")
      (method2 ((arg1 arg1data)) "#2")
      (method3 () "#3")))
    

    vs.:

    {
      "using": [ "ietf.org/rfc/jmap-core", "ietf.org/rfc/jmap-mail" ],
      "methodCalls": [
        ["method1", {"arg1": "arg1data", "arg2": "arg2data"}, "#1"],
        ["method2", {"arg1": "arg1data"}, "#2"],
        ["method3", {}, "#3"]
      ]
    }
    
    1. 2

      Any particular reason not to go for ... (method1 (arg1data arg2data) "#1") ...?

      Then, the attractiveness thing sort of gets lost when you go for actual canonical S-expressions with binary data, doesn’t it? No more looking at the raw expressions in a text editor.

      And is JSON really that hard to parse?

      1.  

        Any particular reason not to go for ... (method1 (arg1data arg2data) "#1") ...?

        I was just following the original style directly. Certainly a more common way to write that in a Lisp would be the way you indicated.

        Then, the attractiveness thing sort of gets lost when you go for actual canonical S-expressions with binary data, doesn’t it? No more looking at the raw expressions in a text editor.

        I dunno, this looks pretty good to me:

        (cert
             (issuer (hash sha1 |TLCgPLFlGTzgUbcaYLW8kGTEnUk=|))
             (subject (hash sha1 |Ve1L/7MqiJcj+LSa/l10fl3tuTQ=|))
             …
             (not-before "1998-03-01_12:42:17")
             (not-after "2012-01-01_00:00:00"))
        

        The only bits which are binary are the hashes, and the rest of the expression is fine. The whole thing can be edited in a text editor, if necessary.

        And is JSON really that hard to parse?

        No, not really — but it’s still more complex than S-expressions.
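The parsing and binary-data claims in this thread can be checked against an added example, which is not code from any commenter or from a JMAP draft: a minimal Python encoder and strict decoder for the canonical (length-prefixed) S-expression form, with display hints omitted. The function names, the limits and the `blob` atom are assumptions made for illustration; the request shape mirrors the one posted above.

```python
# Canonical S-expressions: an atom is "<decimal length>:<raw bytes>",
# a list is "(" items ")". No whitespace, no quoting, no escaping.

MAX_DEPTH = 64          # assumed limit: bounds nesting of untrusted input
MAX_LEN_DIGITS = 10     # assumed limit: bounds the length prefix itself


def encode(node):
    """Serialise bytes atoms and (nested) lists to canonical form."""
    if isinstance(node, bytes):
        return str(len(node)).encode("ascii") + b":" + node
    if isinstance(node, list):
        return b"(" + b"".join(encode(child) for child in node) + b")"
    raise TypeError("only bytes and list are encodable")


def decode(data):
    """Strictly parse one canonical S-expression; reject anything else."""
    pos, end, stack = 0, len(data), []
    while pos < end:
        ch = data[pos:pos + 1]
        if ch == b"(":
            if len(stack) >= MAX_DEPTH:
                raise ValueError("nesting too deep")
            stack.append([])
            pos += 1
            continue
        if ch == b")":
            if not stack:
                raise ValueError("unbalanced ')'")
            node = stack.pop()
            pos += 1
        elif ch.isdigit():
            colon = data.find(b":", pos, pos + MAX_LEN_DIGITS + 1)
            if colon < 0:
                raise ValueError("missing ':' after length")
            digits = data[pos:colon]
            # A canonical form has exactly one encoding per value, so
            # "03:foo" must be rejected even though it is unambiguous.
            if not digits.isdigit() or (len(digits) > 1 and digits[:1] == b"0"):
                raise ValueError("non-canonical length prefix")
            stop = colon + 1 + int(digits)
            if stop > end:
                raise ValueError("atom truncated")
            node = data[colon + 1:stop]   # raw bytes, taken verbatim
            pos = stop
        else:
            raise ValueError("unexpected byte at offset %d" % pos)
        if stack:
            stack[-1].append(node)
        else:
            if pos != end:
                raise ValueError("trailing data after expression")
            return node
    raise ValueError("unexpected end of input")


# Constructed sample: the request from the comment above plus a binary
# atom whose bytes include parentheses, a NUL and a newline.
SAMPLE = [
    b"request",
    [b"using", b"ietf.org/rfc/smap-core", b"ietf.org/rfc/smap-mail"],
    [b"method-calls",
     [b"method1", [[b"arg1", b"arg1data"], [b"arg2", [b"arg2data"]]], b"#1"],
     [b"method3", [], b"#3"]],
    [b"blob", b"\x00(\xff)\n"],
]

if __name__ == "__main__":
    wire = encode(SAMPLE)
    print(wire)
    print(decode(wire) == SAMPLE)
```

Because every value has exactly one byte encoding, the output of `encode` can be hashed or signed directly; the decoder enforces that property by refusing leading zeros and trailing data.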

    1. 10

      I, too, first thought that this bar was for site expense. I think it wouldn’t hurt to make “Adopt Lobsters Emoji” text visible, at least on desktop, as right now it’s just a number within the progress bar.

      As for making it hideable, I don’t really get the purpose of this proposal — the bar takes less space than a single story. In fact, this very thread takes more space on the front page than the element it proposes to collapse, and unlike the bar, this thread doesn’t even give the warm glow.

      As much as I hate the obscure UI elements that obstruct and slow down my UX when browsing the different sites (especially as they may pop in and out), I have absolutely zero objection against this tiny bar on the front page here, which is implemented as static HTML/CSS in less than 400 characters. In fact, I do object to getting it bloated with all the logic that the hiding would require.

      1. 8

        It’s certainly not tiny, and while it’s not that large, it is by far the heaviest element on the front page.

        I definitely support, in decreasing order of preference:

        • Getting rid of it
        • Making it hideable directly (rather than requiring users to block parts of the page)
        • Making it smaller and less contrasty to reduce visual weight
        1. 4

          That’s a good point about it being the visually heaviest element on the page - and for such a light, text-only site, it really stands out. (I made a similar point a while ago about a different feature.) I’ve taken most of the color out of the progress bar and reset it to the default font size so it fits in a little more smoothly.

          1. 1

            Thank you, it’s much better now.

      1. 2

        There is not actually anything specific to NixOS in this article, you can follow along fully anywhere that has plain nix installed.

        That said, I’m not convinced of baking development tools like hindent and hlint into a per-project nix expression. I’d leave nix to do the building only. Maybe I’m just not disciplined enough, but I’m sure I’d find myself running vim from a non-nix-shell terminal and wondering why the tools are missing.

        1. 3

          This was a lot of fun, well done on the interactive article. I wish the solver-assisted final version would point out some deduction you could have made when you err; as it is, making a mistake is needlessly frustrating. Edit: turns out the known cells are marked a subtle (to my eyes) red.

          It’s also quite easy to get it spinning in seemingly clear situations, such as when you’ve uncovered nothing but a few isolated numbers. (Try it: ask for help right from the start, and spread those over the board. Here it gets very slow starting at 5 or so uncovered squares.) It should not be too hard to modify the AI to only permute all squares that neighbor uncovered ones, and treat the other squares equally.

          I’d dispute the claim that this is more fun than classic Minesweeper, though! Nothing wrong with a bit of twitch. And if it’s the puzzling you’re going for, it will be hard to beat a good hand-crafted minesweeper puzzle, such as https://www.gmpuzzles.com/blog/2017/12/minesweeper-john-bulten/ or (shameless plug) https://maybepuzzles.files.wordpress.com/2016/05/mines.png.

          1. 3

            Hand-crafting doesn’t scale! When I wanted minesweeper puzzles (but I was OK with small ones), I implemented a brute-force solver, a very primitive pattern-based solver, and then ran them in a loop: generate a field, if nothing can be opened or marked — open a random empty cell next to the already opened ones (if there are any), if pattern-matching allows doing something — do it, else let the human try. That actually produced quite interesting (small) puzzles.

          1. 4

            Nice work, some thoughts:

            • Print line number where assertion failed
            • Way to compare doubles, possibly with an optional precision
            • Way to compare blocks of memory
            • Consider renaming to snow.h
            1. 3

              I really would have liked to print the line number where the assertion fails, but I’m not sure if that’s possible. Because of the use of macros, everything ends up on the same line after the preprocessor, so __LINE__ will be the same for everything. If you know of a way to fix that, I’d love to hear it. (The "in example.c:files" message was originally supposed to be "in example.c:<line number>")

              More different asserts is a good idea, and so is renaming the header - the thing was under the temporary name “testfw” until right before I made this post.

              1. 2

                Looks neat! I feel that the line number of the end-of-block would still be useful, but don’t quite see how to word that without seeming incorrect.

                1. 2

                  It’s not just at the end of the it block which the error occurs in; it’s the end of the entire invocation of the describe macro. In the example.c file for example, __LINE__ inside of any of those it blocks will, as of the linked commit, be 62.

            1. 4

              At a glance it seems okay, but I guarantee those colour choices will look like crap on a light background. For most (all?) testing frameworks I’ve used that output in colour, I always have to find the “no colour” option or else I can’t read it.

              1. 2

                I suppose I sort of consider it the user’s responsibility to have configured a color scheme where most colors are readable. However, it would be both easy and a good idea to make it possible to configure the color scheme (at least from the source code), and I should probably add an option to output without colors (and enable that option by default when the output is not a TTY).

                1. 3

                  I use solarized light, and nearly everyone these days uses some form of dark colour scheme. The output from the Catch2 testing framework, for example, is mostly unreadable with the colour choices. In other cases, I’ve run across similar problems.

                  If you’re going to offer colour output, I think you need to have an option to turn it off. (And I see that you’ve added #ifndefs around them.) If/when this ever gets a main function to manage test suites (most serious ones do), don’t forget the --color=no option.

                  1. 2

                    I added support for theming first because that was very easy to add.

                    I just pushed a commit to add support for --no-color (and which disables color when stdout is not a TTY and such): https://github.com/mortie/snow/commit/c41d869c613a3a587279c6f833f74c609cb3bbf5

                    The commit after that adds support for the NO_COLOR environment variable mentioned by @mulander.

                  2. 3

                    @jcs created http://no-color.org/ to propagate a consistent option to disable colors.

                    1. 2

                      Looks like I get to be the first software to support NO_COLOR on that list :)

                  3. 1

                    I always wanted a terminal which would automatically correct colors based on contrast. At least a separate color scheme for default background color.

                    It should not be that hard, maybe I could add PoC using suckless’s st to my overly long TODO list…

                    1. 1

                      It’s actually quite readable in black on white. Though I agree with the general sentiment, and it’s probably quite a bit worse on a yellowish background.

                    1. 2

                      This game is great. The computer destroyed me though (predictably since it will play perfectly every time through a brute force search). I imagine it would be much better to play against another (less than perfect) human.

                      1. 3

                        I wrote a multiplayer version of Quinto about 6 years ago, with a couple of rewrites since. An online demo is available at http://quinto-demo.jeremyevans.net/ if you can find another person to play with. Source code is at https://github.com/jeremyevans/quinto if you want to run your own server.

                        1. 2

                          That’s amazing! Small world. I’d love to see your CoffeeScript source code, but couldn’t find it in the repo - is it intentionally kept secret, or is that just an accident? Either way, great game choice, and awesome project!

                          1. 2

                            The code was originally written in CoffeeScript+Node. The server was rewritten in Go, and then later rewritten in Ruby. At some point, I stopped using CoffeeScript on the front end and just started editing the resulting Javascript file directly. All of the information is in the repository if you look in the history: https://github.com/jeremyevans/quinto/tree/7ad48e43f76c1a9a847d5a677a8f11c69c9fa5bc

                        2. 2

                          There’s potential for beating a computer that plays the highest scoring move each time. You can play to avoid setting up long parallel plays, and it may be worth saving 5s and 0s since those can extend words of length greater than 1.

                        1. 1

                          The README at https://github.com/pwdless/cierge seems a better introduction, including details on how to deploy with docker; it runs on ASP.NET Core.

                          No mention of whether this is used in production anywhere, unfortunately.

                          1. 5

                            Fascinating read, including the RAM heating aside!

                            I’m curious about the implications of that racy ORQ stack probe though. If that’s actually not a no-op due to reading and writing back memory, isn’t that still a likely cause of even more obscure bugs? Say for a concurrent program sharing its stack space between multiple threads. Could the GCC probe be done in a safer (or more obviously safe) way?

                            EDIT: The LKML thread goes into the details a bit further: https://lkml.org/lkml/2017/11/10/188

                            1. 3

                              It shouldn’t cause any bugs, the mitigation works by writing to each page that’s beyond your current end of stack, i.e. uninitialized memory, up to the amount of stack your function needs. It’s trying to hit the end of stack guard page. Lots of good details in this stack clash exploit write up.

                              1. 2

                                Say for a concurrent program sharing its stack space between multiple threads

                                If I understand right, it’s okay because it’s probing beyond the end of the stack. I’m not allowed to use a region on my stack beyond the current stack frame at all for anything (on this thread or any other) at all without invoking UB. With the stack protection scheme that is in use there, it must be mandatory to have guard pages at the ends of stacks, so the end of a stack is never close enough to another data structure to be in danger.

                              1. 2

                                Why is this a surprise? Function calls will always have slight overhead, because of the indirection of a jump. That’s why inlining is a thing.

                                1. 10

                                  The surprising thing is I would expect {} to be syntactic sugar for dict().

                                  1. 3

                                    Really? Since {} is recognized by the parser, I’d expect to generate the opcode directly as part of the bytecode compilation pass.

                                    Frankly, I’m surprised that dict() doesn’t compile to an opcode, since it’s easy to inline. I guess doing that would take away the ability to rebind what dict() does in the local scope (but I don’t know why anyone would care besides that).

                                    1. 7

                                      You can even rebind it globally.

                                      $ python3
                                      >>> dict({1: 2})
                                      {1: 2}
                                      >>> import builtins
                                      >>> builtins.dict = list
                                      >>> dict({1: 2})
                                      [1]
                                      

                                      EDIT: use builtins instead of __builtins__, compare https://stackoverflow.com/questions/11181519/python-whats-the-difference-between-builtin-and-builtins

                                1. 1

                                  This is not well argued. I tripped over the claim that all four “big problems” are enabled by the unlimited powerful Javascript VM, while that point is hardly relevant to anything but “cryptojacking”. Also I’m missing any “jump the shark” moment. The article does summarize the rotten state of advertising nicely though.

                                  1. 6

                                    The malvertising problem also largely comes from having an unlimited powerful VM (doesn’t have to be JavaScript, ActionScript and Java were historically just as bad *). Having a VM available makes exploiting browser bugs to get drive-by software installation far easier.

                                    • The APIs provided to that VM represent a colossal attack surface.
                                    • Programs running on the VM can do stuff like making and freeing big allocations in specific patterns to massage the heap layout, or run timing attacks to discern the address of some data or code in the browser process.
                                    • The VM itself has bugs. It does a lot and the optimisations are really complicated and hard to get right. You see CVEs sometimes like “a buggy optimisation caused an ArrayBuffer and a function pointer to occupy the same space, which can be escalated into remote code execution”.

                                    There are still bugs sometimes in things like parsers for complex formats like videos which are exploitable without making use of the VM, but fewer of them. It’s harder to write exploits without the VM anyway because your most powerful tool for setting up the process internals the way your exploit code wants them is gone.

                                    Browsers are WAY harder to RCE with no JavaScript.

                                    (* if not worse, but I suspect mainly because the implementations were really bad rather than because those PLs are fundamentally worse than JavaScript in some way.)

                                  1. 1

                                    The author lost me near the start: The output is “cat\ndog\n” not “cat\ndog”, and trailing separators are sort of relevant for a technical discussion of splitting strings on separators.

                                    1. 2

                                      Not to mention that if I were writing this I’d not use the output of ls (1) to get the contents of the directory, I’d use the native options in my language of choice. But I’ve always been wary of “shelling out” for stuff like this.

                                      1. 2

                                        And even if shelling out, find -maxdepth 1 -mindepth 1 -print0 is a more paranoia-compatible option than ls.

                                        1. 2

                                          Assuming the find on the system has max/mindepth extensions.
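The two points raised in this thread, the trailing separator and line-oriented `ls` output versus NUL-terminated or native listing, shown as an added Python example that is not from the article or the commenters. The listing blobs are built in-process to stand in for tool output, and the file names and function names are constructed for illustration.

```python
import os
import tempfile


def split_lines(blob):
    """Naive parse of line-oriented output: split on every newline."""
    return blob.split(b"\n")


def split_nul(blob):
    """Parse NUL-terminated records, the framing find -print0 uses.

    NUL cannot occur in a POSIX file name, so the framing is unambiguous;
    a blob that does not end in NUL is treated as truncated.
    """
    if not blob:
        return []
    if not blob.endswith(b"\0"):
        raise ValueError("truncated record: missing final NUL")
    return blob[:-1].split(b"\0")


def demo():
    """Create three files, one with a newline in its name, and compare
    what each parsing strategy reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.fsencode(tmp)
        for name in (b"cat", b"dog", b"two\nlines"):
            with open(os.path.join(root, name), "wb"):
                pass

        # Native listing: names come back as separate values, so no
        # separator has to be chosen or parsed at all.
        native = sorted(entry.name for entry in os.scandir(root))

        # Stand-ins for tool output: each name followed by its terminator.
        line_blob = b"".join(n + b"\n" for n in native)
        nul_blob = b"".join(n + b"\0" for n in native)

        return native, split_lines(line_blob), split_nul(nul_blob)


if __name__ == "__main__":
    native, by_line, by_nul = demo()
    print("native   :", native)    # 3 entries
    print("by line  :", by_line)   # 5 entries: one name split, one empty tail
    print("by NUL   :", by_nul)    # 3 entries, identical to native
```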

                                    1. 4

                                      plt feels pretty obscure as an abbreviation. I don’t have a convincing longer suggestion, but maybe langtheory or languagetheory?

                                      1. 4

                                        ‘plt’ pretty much is the standard abbreviation though. In the ‘submit’ and ‘filter’ sections and in tag tooltips we can have it spelled out that this is for ‘programming language theory’.

                                      1. 13

                                        Bro project is a network security monitor: https://www.bro.org

                                        1. 5

                                          And here’s a mailing list message linking the project with the GDoc: http://mailman.icsi.berkeley.edu/pipermail/bro/2017-October/012542.html

                                          1. 2

                                            Slightly bizarre at first sight. When browsing the source at https://github.com/studio/studio, I find it hard to tell where things really happen. A curious mix of Smalltalk, Nix and R.

                                            There’s a bit of a rabbit hole here, continue with the author’s blog-in-github-issues at https://github.com/lukego/blog.

                                            1. 1

                                              The tour seems to be down for me, after choosing a language it keeps showing a loading animation.

                                              1. 1

                                                Sorry about that!! We were experiencing high load. The issue should be resolved now!

                                                1. 2

                                                  Thanks, works now. It’s certainly an impressive product. The different syntaxes feel a bit cute, though I see the advantage when getting programmers with different backgrounds up to speed. But in the end, the limitations of a purely functional model are likely to end up confusing with an imperative Java-like syntax, don’t you think?

                                                  Oh, and the gray dots in namespaced identifiers don’t invert colour when highlighted, barely visible on dark blue background.

                                                  1. 2

                                                    It is certainly valid to frame the “language inspired” syntaxes as a crutch to get people on board with the vision. And certainly the further a language falls from “pure FP” on the language spectrum, the less idiomatic the representation in a given language will be.

                                                    That said, we have a bunch of “imperative sugar” (that is not yet exposed in the sandbox) to try to ease the adoption for those coming from different backgrounds, such as representing do/while/for loops as specialized maps/folds.

                                                    And while Java or similar may be the “gateway language”, we hope the more someone buys into the overall vision, the less important any particular syntax becomes.

                                                    And we added the namespace bug to our issue tracking. Thanks for the feedback!

                                              1. 52

                                                I am on fastmail for my domain. Works fine, does everything I need.

                                                1. 7

                                                  I have also been a happy fastmail.com customer for about 2 years now. I used mailbox.org before, a German email provider, which is quite cheap (1€ per month) and allowed me to use custom email domains, but their spam filter sucked. Fastmail’s spam filter is also not perfect, in fact Gmail still has by far the best filtering, but their service is great and I can use custom email domains too. They also develop JMAP, a JSON-based IMAP replacement.

                                                  1. 7

                                                    I’d say the fact that JMAP is JSON based is only marginally-relevant; it’s got several significant design improvements over IMAP - e.g:

                                                    • Folder renames no longer munge mail IDs (usually forces clients to re-download all messages).
                                                    • No persistent connection (IMAP keeps your mobile’s radio awake).
                                                    • Flood control (some IMAP commands can send millions of identical lines in response).
                                                    • Saving a draft with an attachment doesn’t make you re-send the attachment.
                                                    • Subscribe to all changes in your mailbox via a single connection (vs one connection per folder)
                                                    1. 1

                                                      It’s more than IMAP replacement too, possibly better described as an alternative to Exchange ActiveSync.

                                                    2. 3

                                                      I’m with mailbox.org myself, with the 2.5EUR/month plan and a private domain. Mostly happy, I don’t have issues with spam. They seem to be quite opinionated on how to handle spam: https://www.heinlein-support.de/vortrag/spam-quarantaene-und-tagging-der-grosse-irrtum. But it seems classical spam tagging has been added recently, though I haven’t tested it: https://mailbox.org/update-des-webportals-bringt-nuetzliche-zusatzfunktionen-fuer-ihr-e-mail-postfach/

                                                      I’m not that happy with the web interface though, it seems to be https://en.wikipedia.org/wiki/Open-Xchange.

                                                      1. 1

                                                        Is JMAP even supported anywhere? Does anybody use it? Last I checked, not even Fastmail actually used this for anything. Seems like the project started with some energy but is mostly dead now? What a shame, as I’d love to use it somewhere… Please do correct me if I’m wrong.

                                                        1. 4

                                                          Hi, I’m some engineering guy at FastMail.

                                                          JMAP is currently going through the standardisation process at the IETF to become an RFC. Several companies have built or are building client and server implementations based on those drafts. We’re putting a lot of work into JMAP support in Cyrus.

                                                          At FM, we use it internally for some (but not yet all) of our UI-server interactions, and we’re working on converting the UI to use JMAP natively (once the standardisation work has stabilised).

                                                          Finally, we’re just about to launch a new product that uses JMAP from top to bottom - Cyrus, Ix (a JMAP API generator) and Overture (a UI framework with a JMAP-backed storage layer).

                                                          So there’s lots happening on JMAP at FastMail and elsewhere.

                                                          1. 1

                                                            That’s really wonderful to hear. Once a year I email FastMail tech support asking them if there’s a JMAP thing, but the answer is always something like “no, and we don’t know when if ever.” And then I’m sad. This here is the first positive confirmation I’ve received, and I’m quite happy to hear it!

                                                            Hopefully once you release a fully JMAP designed system, you’ll have auto-exporters from existing tag-based systems like Gmail? Something like this would probably net you a massive user base.

                                                      2. 7

                                                        I switched to fastmail last month and I am very happy with it. Before that, I had been self-hosting for 10 years, but I started seeing my emails listed as spam after I switched VPS providers (despite correct SPF etc), and I wasn’t motivated enough to fight for my IP reputation again.

                                                        1. 5

                                                          Also Fastmail, moved from Google Apps for domains 2 or 3 years ago. Besides the advantages others mentioned, subdomain addressing is also a cool feature. Some mail providers support plus addressing

                                                          me+foobarbaz@mydomain.com

                                                          Subdomain addressing is a bit nicer. You can make disposable addresses in the form of:

                                                          me@foobarbaz.mydomain.com

                                                          makes it easier to write rules and to drop mail when the address is sold to some spammer.

                                                          Also their support is pretty good. I had a small feature/refinement request twice, in both cases they had the feature implemented in their beta site in a couple of days.

                                                          1. 5

                                                            I went to fastmail two years ago when the server on which I’d hosted my own email for about eight years died. I was happy to give a great company about $60 a year to host my family’s email. I was probably spending $60 a month of my own time just to administer the damn thing.

                                                            1. 4

                                                              I’m on Fastmail too, with my own domain, for about ten years. The web UI is focused and fast, and the iOS app is just a webview, but a decent one that’s quick. I use Fastmail aliases and inbox rules to send to multiple external addresses, like a basic private listserve. Tons of advanced features for mail users, DFA, and no advertising or shenanigans with your inbox.

                                                              They went through a purchase by Opera a while ago, then a few years later Opera sold the business back to the original Fastmail employees – not a single hiccup or business misstep the whole time. They are laser focused. They contribute back to the open source mail server community.

                                                              The only issue on my wishlist is that they still don’t support the full CardDAV protocol, which means I cannot fully sync my Fastmail addressbook with iOS, Mac, Windows, or *nix apps, but they’re working on it, and it’s due soon (early 2018?).

                                                              I think it’s cheap for what you get, if you’re into that sort of thing.

                                                              1. 1

                                                                What exactly is missing from CardDAV support? I’m happily using it to sync contacts to my iOS/Android devices.

                                                              2. 2

                                                                Same here. I use fastmail for every new domain that I need email for and it’s pretty great.

                                                                1. 1

                                                                  Another vote for fastmail. Been a user for several years now. Has by far the best webui out of any provider. Very stable, and quick restoration of backups if you ever need them.

                                                                  1. 1

                                                                    Another +1 for Fastmail. I’ve used them for 3 years and have been pleased with all their services. Their documentation is clear, the system is not hard to use, and they answer questions promptly.

                                                                    The only thing I’m waiting for is HTTPS support on their web hosting. But if you need serious web hosting, Fastmail probably shouldn’t be your first choice.

                                                                    1. 1

                                                                      Yep, fastmail here too, it’s superb.

                                                                    1. 1

                                                                      It’s helpful for me to see language-specific package management in the list of modern features. It’s something I’ve found to be rather a nuisance, but I suppose I’d be suffering more without. Is it misguided to hope for cross-language package management, based on something like nix?

                                                                      As an aside, while looking into the language package management history (I suppose things sort of started with CTAN and CPAN?), I ran across binary repository managers. Is the notion widespread? The Wikipedia articles read like something out of the marketing department of the listed projects…

                                                                      1. 2

                                                                        As far as I understand, this is a planned soft-fork of the blockchain BIP 148 scheduled for August 1, to activate segwit (BIP 141). Segwit (“segregated witness”) is meant to help bitcoin scale.

                                                                        EDIT: Nice background article here: https://bitcoinmagazine.com/articles/bip-148-and-bip-149-two-uasfs-activate-segwit/