1.  

    I do.

    In all the time I’ve been using git (I was an earlyish adopter, mercurial user prior), however, I consistently get teammates approach me to ask about code before looking at git blame. Most people review PRs by looking at the entire diff too.

    So lately I ask myself if it’s worth the effort.

    1.  

      I’m in the same boat at my current job. I have a small team of junior devs, and the practices they’ve learned from bootcamps and stuff, particularly in git, can be a bit demotivating.

      I generally now just look at diffs. But, I do appreciate articles like these, and I definitely try to reinforce better habits.

      1.  

        Most people review PRs by looking at the entire diff too.

        Are you suggesting not looking at the entire diff? Or just not only the diff?

        1.  

          I review each commit in sequence.

          Assuming the commits are written well, this is much faster as I’m reviewing related changes together.

          When people put unrelated changes into the same commit, or related changes into different commits, I have to change mental contexts whilst reviewing, which takes away energy/effort from doing a good job of the review.

          1.  

            I meant any care given to having the commits reflect my intentions is lost. It’s as if I’d pre-squashed all the commits.

            1.  

              There’s still later, when you need to revert part of the work, and it’s easy because it was a single commit…

              1.  

                That’s a big limitation of git. It should be much easier to back out a whole series of commits.

                The typical git way to do this is to merge with ancestor so you can just back out the merge commit itself. Still not quite the same thing as undoing a merge, but close enough.

                1.  

                  I actually meant the other way around - I’ve made 10 sensible, self-contained commits and only have to revert one to fix an issue.

                  That means that I get to keep the rest of the functionality I built running while I rollback one change.

                  If your change history is a spatter of half-commits and unrelated changes are rolled together, you have to manually pick apart the bits you want to rollback (or just reset to a known good state).

                  Even if a reviewer isn’t using the commit log, the operations team and future maintainers are.
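The two rollback situations this sub-thread describes (backing out an entire merged series by reverting the merge commit, and reverting a single self-contained commit while keeping the rest of the series) as an added shell example; this is not code from the thread. It builds a throwaway repository under a temporary directory, and the author name and e-mail it configures are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): one feature branch of three
# self-contained commits is merged with --no-ff, then rolled back two ways.
# Each step creates its own file so the reverts apply without conflicts.

# Build the repository and print its path. The user identity is a placeholder.
make_merged_repo() {
  repo=$(mktemp -d) || return 1
  (
    cd "$repo" || exit 1
    export HOME="${HOME:-$repo}"            # git wants a HOME for global config
    git init -q .
    git config user.email "dev@example.invalid"
    git config user.name "Example Dev"
    echo base > base.txt
    git add base.txt
    git commit -q -m "base"
    trunk=$(git rev-parse --abbrev-ref HEAD) # main or master, whatever git defaults to
    git checkout -q -b feature
    for n in 1 2 3; do
      echo "step $n" > "step$n.txt"
      git add "step$n.txt"
      git commit -q -m "feature: step $n"
    done
    git checkout -q "$trunk"
    # --no-ff forces a real merge commit even though a fast-forward was possible;
    # without it there is no single commit that represents "the whole series".
    git merge -q --no-ff -m "merge feature" feature
  ) || return 1
  echo "$repo"
}

# Revert the merge commit itself. "-m 1" keeps the first parent's side (the
# trunk), so all three feature commits disappear in one revert.
# Prints how many step files remain (expected: 0).
revert_whole_series() {
  repo=$(make_merged_repo) || return 1
  (
    cd "$repo" || exit 1
    git revert --no-edit -m 1 HEAD >/dev/null
    ls step*.txt 2>/dev/null | wc -l | tr -d ' '
  )
}

# Revert only the middle commit of the series. Because each commit is
# self-contained, steps 1 and 3 stay in place and only step 2 is rolled back.
# Prints the step files that remain (expected: "step1.txt step3.txt").
revert_one_step() {
  repo=$(make_merged_repo) || return 1
  (
    cd "$repo" || exit 1
    step2=$(git log --format=%H --grep='feature: step 2' feature)
    git revert --no-edit "$step2" >/dev/null
    ls step*.txt 2>/dev/null | tr '\n' ' ' | sed 's/ $//'
  )
}
```

Reverting a merge this way records that the series was backed out, but it does not undo the merge in git's history: a later `git merge feature` will bring in nothing new, because those commits are already ancestors of the trunk. To re-land the series you revert the revert (or rebase the branch onto fresh commits), which is the "not quite the same thing as undoing a merge" caveat from the comment above.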

        1. 6

          One thing I always want to tell people about commit messages:

          There’s no length limit.

          In fact, write as much as you can. Go crazy. Write some more. Explain. Talk about how your day went. Tell us how you found the problem. Put benchmarks that show why your change makes things faster. Show the stack trace or test output that you’re fixing. Quote other people. Put an email chain in the commit message.

          In a well-curated commit history, commit messages become source-level documentation available via an annotate/blame operation. Most people hate writing documentation, but commit messages are about the only time when our tools force us to write something. Take this opportunity to really write something. It’s the only time when writing is really required in any way. There’s no need for a length limit because most of the time the commit messages are hidden away, and most interfaces will hide the full commit message anyway (or can easily be configured to do so).

          If you want practice jamming lots of information into a small amount of space, that’s what the first line of the commit message is, but after that, don’t feel constrained by length limits.

          These are examples of my favourite kind of commits:

          https://www.mercurial-scm.org/repo/hg/rev/4fb2bb61597c?style=gitweb

          https://www.mercurial-scm.org/repo/hg/rev/ed5b25874d99

          https://www.mercurial-scm.org/repo/hg/rev/1423ff45c322

          https://www.mercurial-scm.org/repo/hg/rev/dd028bca9221

          https://www.mercurial-scm.org/repo/hg/rev/8d5584d8345b

          1.  

            I agree in that a length limit hinders rich information being put into the commit to better explain the intent and reasons of the changes. However, GitHub/GitLab haven’t really made it easy to read long commit messages in their UI, which is a bummer.

          1. 5

            A pewter statue of John Romero’s head on a spike.

            I am so tempted to pay money just for this.

            By the way, Freedom is in on the joke too. They used Richard Stallman’s head on a stick instead for the final boss:

            https://www.spriters-resource.com/pc_computer/freedoom/

            1. 5

              This project does not involve machine learning. If anything, its development might be called “machine teaching”. I know how to play through Castlevania. And the challenge was to capture my knowledge into a computer program.

              That was unexpected these days. Good job! :)

              1. 2

                That was unexpected these days.

                It is also well written down on a nicely formatted page. This is exactly the kind of content I am reading Lobste.rs for, thanks.

                (Okay, I’ve also been obsessed with Castlevania the last few weeks, that’s perfect timing)

                1. 1

                  Because of the TV series? I enjoyed that a lot myself. When Bloody Tears finally started playing…

                  1. 2

                    Mostly due to discovering Curse of the Moon, which is essentially a re-imagination of Castlevania III (on which the series is based) which reminded me that I much prefer the Konami-created Castlevanias to the games that are coming out as part of the Metroidvania revival. Timespinner is nice for a low-budget game but I’m playing Portrait of Ruin and the music and sprite-work that went into the game are just top-notch. Heaps of fun despite being 12 years old by now.

              1. 2

                The hg update alias to hg checkout comes from analogy with svn and I think cvs. A bare hg update corresponds to the svn command (after a pull, which doesn’t exist in svn) and an hg update $rev also matches the idea of updating to some revision other than the latest one.

                In fact, most of the hg terminology matches svn terminology whenever possible, which at the time was the status quo. Git ignored a lot of existing VCS conventions, one of the reasons why its UI feels so complicated to many people. Now that git is the status quo, hg’s once-standard conventions feel like the odd ones out.

                By the way, you can abbreviate all commands to their shortest unique prefix. I often type stuff like hg up -r $rev or hg di. There are also a few built-in aliases you’ve already found like co for checkout/update and ci for commit (“check in”, from cvs and svn).

                1. 4

                  Revsets are one of the killer features of hg.

                  I feel so naked without revsets. I can just query, slice, and dice so easily through any repo with revsets, and I love how they work everywhere. I have forgotten what it’s like to work without them.

                  1. 1

                    There’s also a cool video showing this in action:

                    https://www.youtube.com/watch?v=1tZ-y0PzV8g

                    1. 2

                      We’re kind of confused in #mercurial how this happened. The clone should have worked. :-(

                      Can you help us debug?

                      1. 8

                        Hope you enjoy your mercurial experience! If you get stuck, mercurial’s online help is really good, much more readable than git’s manpages. There are also some really nice topics you can search for in the help, I’d suggest “hg help revsets” to start :)

                        If you run into trouble or just want to chat about hg, the #mercurial IRC channel on freenode is active and generally welcoming to questions from new mercurial users.

                        Oh also you should edit this post and click the check mark indicating you authored the content.

                        1. 1

                          I’d suggest “hg help revsets” to start

                          great idea, will do :-)

                          Oh also you should edit this post and click the check mark indicating you authored the content.

                          I thought I did when posting. Thanks for pointing that out, fixed now!

                          1. 2

                            I’d also like to extend an offer to help!

                            If I see you around #mercurial, I’ll do my best to be helpful.

                            edit: Wait, I just recognised who you are! Hi Kamal! If you ever wanna hang out IRL and chat hg I’d love to as well.

                            1. 1

                              :wave:

                        1. 3

                          I’m mainly at @offby1@wandering.shop, having chosen that instance. I’ve got offby1 at mastodon.social, mastodon.technology, and mastodon.cloud as well, but those are mostly fallow.

                          1. 2

                            Wait, you’re the other offby1, right? The one in perpetual combat with offby1 of Freenode?

                          1. 3

                            @JordiGH@mathstodon.xyz

                            We have LaTeX! So does https://scholar.social, and I think we’re the only ones right now.

                            I deliberately try to avoid talking about too many computer nerds things because there needs to be more to life than that.

                            1. 36

                              Such irony in the title here–“open source” is not about you; it’s a movement to hijack the free software movement and turn it into something a company can profit from, riding on free software goodwill and stripping the political aspects that are hard to reconcile with shameless capitalism.

                              I don’t think it’s what Rich meant here, but it does nicely serve to underscore the vast gulf between the oss and free software camps; if you are in software because you want to make the world a better place, move right along.

                              1. 25

                                it’s a movement to hijack the free software movement

                                There’s a problem with this statement, it doesn’t apply to me.

                                When I was open-sourcing my project I wasn’t joining any movement. I didn’t sign any contract. I use the words “open source” in a plain sense: this is source code that someone can get and use according to the posted license. I’m totally fine with any company making profit off of this code. No company ever indoctrinated me into thinking this, and I deliberately chose the BSD license over the GPL exactly so as not to be associated with the Free Software movement (I don’t hate it, I just didn’t want to). Yes, for real. People like me exist.

                                What I’m saying is, we already have a term meaning “open source + a particular ideology”. It’s Free Software. Please don’t try to appropriate “open source” to mean anything more than “available source code”. And no, I don’t really care what OSI thinks about this “term”. It’s their idea, not mine. I need some words to describe what I’m doing, too.

                                1. 9

                                  When I was open-sourcing my project I wasn’t joining any movement

                                  That’s exactly the difference between the “free software” movement and Open Source. You made @technomancy’s point for him.

                                  1. 1

                                    It’s contradicting the framing that he’s somehow been duped out of believing in the fsf’s ideology by an open source movement.

                                  2. 9

                                    P.S. In fact, there was a time when “Free Software” also wasn’t associated with not letting companies profit from it. Here’s a classic Mark Pilgrim on this: https://web.archive.org/web/20091102023737/http://diveintomark.org/archives/2009/10/19/the-point

                                    Part of choosing a Free license for your own work is accepting that people may use it in ways you disapprove of.

                                    1. 5

                                      Check Selling Free Software from 1996.

                                      1. 6

                                        I came here to share this link. The GPL, and free software, was never about gratis, was never about not paying for software. It has always been about liberty and the freedom to control one’s own software.

                                      2. 3

                                        2009 is classic? Am I old?

                                        1. 1

                                          “Classic” in a sense “explains well”, has nothing to do with being old :-)

                                      3. 5

                                        Just because you use a term doesn’t mean you get to define it. Saying “I don’t care what OSI thinks or why the term was invented” seems pretty strange to me… it’s their term and has a history, like it or not.

                                        1. 8

                                          What word should I use if I publish source code so people can use it but don’t care about furthering the cultural revolution?

                                          1. 5

                                            “Open source”.

                                            1. 1

                                              Billionaire. In a historical interview, that’s what the CEO of Apple believed he’d become if a lot of things lined up, one being getting a whole networking stack for free from BSD developers. The other thing he envisioned was them begging for money at some point so their projects don’t close down. He bragged his main competition would be contributing their fixes back since they got themselves stuck with la licence de la révolution. Attendees were skeptical about such a one-sided deal going down.

                                            2. 4

                                              No :-) The only way a natural language is defined is through use, and the most common usage becomes the definition. OSI didn’t make this term theirs by simply publishing their definition; they just joined the game and have as much weight in it as every single user of the word.

                                              1. 4

                                                True, but also like it or not language evolves over time (always to the chagrin of many). This is not unique to technology or English. At the end of the day it doesn’t matter what either OSI or /u/isagalaev thinks, society at large makes the definitions.

                                                Having said that, if you step outside of the FOSS filter bubble, it seems pretty clear to me that society leans towards /u/isagalaev’s definition.

                                                1. 3

                                                  Also, as a sensible dictionary would, Merriam-Webster defines both current interpretations of it: https://www.merriam-webster.com/dictionary/open-source

                                              2. 4

                                                we already have a term meaning “open source + a particular ideology”. It’s Free Software.

                                                You can’t remove politics from this question; the act of pretending you can is in itself a political choice to support the status quo.

                                                1. 2

                                                  You can remove “politics” from open source, and that is precisely what open source has done.

                                                  The term open source can be operationally defined (i.e., descriptive, constructed, and demonstrable). From Wikipedia, citing the book “Understanding Open Source & Free Software Licensing.” (Though feel free to use Merriam Webster or the OED as a substitute): “source code is released under a license in which the copyright holder grants users the rights to study, change, and distribute the software to anyone and for any purpose.”

                                                  The license terms are selected that most parsimoniously accomplish the stated definition. (i.e., make it possible for the stated definition to become externally correspondent and existentially possible). The fewest number of rules (formula, statements, decisions) possible to accomplish the work–producing a limited number of legal operations (rights, grants, privileges) that can be fully accounted for.

                                                  It is the deflationary nature of the process that removes “politics.” Making the license commensurable and testable while removing suggestion, loading, framing, or overloading. BSD/MIT are small and shrinking, whereas GPL 2/3 are large and growing. That’s the difference.

                                                  1. 2

                                                    “source code is released under a license in which the copyright holder grants users the rights to study, change, and distribute the software to anyone and for any purpose.”

                                                    You can still get patent sued for that due to laws paid for by lobbyists. The effects of politicians on what we can and can’t do with open-source mean it’s inherently political. The people who say they want its benefits with no interest in politics or whose licenses don’t address it are still involved in a political game: they’re just not players in it.

                                                    1. 1

                                                      I’m not sure why you think I’m trying to “remove politics”. Of course I do have some political view on this, however vague it might be. This is totally beside the point. The point is that I don’t want to proclaim/discuss my political views every time I want to say that the code is available. It’s a completely valid desire.

                                                    2. 1

                                                      Why BSD license over public domain? The latter makes the source code more “available”, does it not?

                                                      (If you wonder how I feel about the GPL, check my repos.)

                                                      1. 11

                                                        The latter makes the source code more “available”, does it not?

                                                        No. In jurisdictions that don’t recognise public domain (e.g. France) and in which authors cannot give up their copyright, giving it to the public domain is meaningless and it’s as if the code has no free license at all. It’s the same as “all rights reserved”.

                                                        1. 2

                                                          That’s very interesting. Would folks in such jurisdictions be interested in working together with others to reform copyright law? Perhaps among .. other things?

                                                          1. 2

                                                            Why? It’s a different branch of copyright law and the idea of authorship being something you cannot give up is fundamental to those. You can only perpetually license.

                                                            CC0 is a great license to use in those cases, btw.

                                                            1. 2

                                                              Why?

                                                              One reason being that some people think copyright, or perhaps even more generally, intellectual property, is unethical. Another reason could be a desire for a single simple concept of “public domain,” perhaps similar to what we have in the US.

                                                        2. 1

                                                          I like the idea of retaining an exclusive right to the project’s name, BSD is explicit about it.

                                                      2. 10

                                                        Companies are profiting massively from both. The License Zero author figured out the reason is the FOSS authors focused on distribution methods instead of results. That’s why Prosperity straight up says commercial use like many non-free licenses mention. The other one says any change has to be submitted back.

                                                        The license needs to explicitly mention them making money or sharing all changes to achieve what you’re describing. That plus some patent stuff. The “free” licenses trying to block commercial exploitation are neither believably free nor stopping commercial exploitation after companies like IBM (massive capitalist) bet the farm on them. I mean, the results should prove they don’t work for such goals but people keep pushing old ways to achieve them.

                                                        Nope. Just reinforcing existing systems of exploitation by likes of IBM. We need new licenses that send more money and/or code improvements back.

                                                        1. 3

                                                          It should not be the job of a license enforced by copyright to extract rents. That’s the playbook we are fleeing.

                                                          1. 2

                                                            ““open source” is not about you; it’s a movement to hijack the free software movement and turn it into something a company can profit from”

                                                            The commenter wrote as if they expected whatever license or philosophy was in use to prevent companies from using the software for profit or with exploitation central focus. Several companies are making billions leveraging FOSS software. One even lobbies against software freedom using patent law since suits won’t affect it. So, if the goal is stopping that and spreading software freedom, then the so-called “free” licenses aren’t working. Quite the opposite effect moving billions into the hands of the worst, lobbying companies imaginable.

                                                        2. 2

                                                          I just don’t see “open-source” being a hijack of “free software” for corporate purposes. Why would corporations care? They can exploit the free labor of free software just as much; the politics are not visible in the final software product. If anything, it seems like the social goals of free software have been diluted by other programmers who like the technical side of it, but neither care nor agree about the politics.

                                                          1. 3

                                                            Why would corporate care, they can exploit the free labor of free software just as much

                                                            Depends on the market. If it’s software they sell directly, the copyleft requirement means they have to give up their changes. Those changes might be generating the customers. They might also be causing lock-in. Better for them to keep their changes secret.

                                                            Your point remains if it’s anything that lets them dodge the part about returning changes, esp SaaS.

                                                            1. 3

                                                              I just don’t see “open-source” being an hijack of “free software” for corporate purposes.

                                                              It’s not really a matter of opinion. That hijacking is exactly what happened in 1998. The fact that today you forgot that this is what happened means that it worked: you stopped thinking about free software, as the OSI intended to happen in 1998.

                                                              OSI was created to say “open source, open source, open source” until everyone thought it was a natural term, with the goal of attracting corporate interests. They even called it an advertising campaign for free software. Their words, not mine.

                                                          1. 3

                                                            Work stuff is… well, I don’t actually know, have the meeting to determine that in about an hour.

                                                            But non-work, I’m making some progress on my from-scratch gui library again and am not quite out of steam yet. It is amazing how a few fairly minor visual tweaks and behavior bugs make it feel so much better to me, so probably going forward on that, though I also cannot put off the text layouter rewrite forever… but eh, I will probably just keep polishing the little things this week, and do the fun part of using the language reflection to generate more and more guis from object definitions.

                                                            1. 1

                                                              That’s a D GUI library, right? What OS are you targeting?

                                                              1. 2

                                                                Yes, on Windows it uses the native widget set (or the custom ones with a compile flag) and on Linux it uses 100% custom. I might add more later, but it is primarily for my personal use and all I really care about right now are Windows and Linux so that’s my focus.

                                                            1. 4

                                                              Teaching myself C++ with Stroustrup’s A Tour of C++ and the exercises from exercism.io

                                                              Kinda sad though, because there are only 11 C++ mentors there and about a zillion students. If anyone who knows C++ is looking for a great way to give back to the community without the mondo commitment of joining an OSS project, maybe consider signing up as a mentor. You can give people feedback on their problem solutions as you have time and help a really awesome community project.

                                                              1. 2

                                                                I don’t feel like joining some website, but if you want to chat with me (JordiGH on Freenode or @JordiGH@mathstodon.xyz), I’d be happy to help with C++.

                                                                1. 1

                                                                  That’s very kind of you, thanks!

                                                                  This is NOT an advertisement or any kind of promotion, but I realized I didn’t give people a good sense for what Exercism is.

                                                                  Katrina Owen, who is a fairly well respected dev in the Ruby community and lately has been doing Go stuff, got interested in the problem of educating new programmers, so she created Exercism, a totally open source teaching platform that gives accomplished practitioners a framework for helping newbies. It focuses mentors’ efforts on actually providing helpful feedback on people’s code and newbies’ efforts on solving carefully selected problem sets.

                                                                  It’s really quite revolutionary in my opinion, and it’s taken off big in Ruby and Python (and Perl not surprisingly) but not so much in other languages. Maybe the gestalt of those communities is different, I dunno.

                                                                  I’ve enjoyed it tremendously and have used it to good effect for Python and Ruby in the past.

                                                                  1. 1

                                                                    @JordiGH@mathstodon.xyz

                                                                    Just followed you there and replied to your “C++ as first language” query. I love Mastodon! Such high signal to noise ratio there. It’s like the intertubes before eternal September! Best we enjoy it while we can. Such things never last forever :)

                                                                1. 5

                                                                  Not at work, doing advent of code 2015 to practice for this year’s contest. Also going through https://github.com/data61/fp-course to make sure I understand the fundamentals of writing code in Haskell.

                                                                  At work, adding more tape and band aids to our cloud product written in Go.

                                                                  1. 2

                                                                    Are you actually going to try to compete? You have to be awake at the time the puzzles are published and try to work on them as quickly as possible. You’re going for that?

                                                                    1. 3

                                                                      I’m competing against my coworkers who are also playing. We have a private leaderboard where we gain bragging rights by solving the problems faster than others in our favorite fun language.

                                                                  1. 41

                                                                    Wow, that’s pretty terrible.

                                                                    On the other hand, I can’t help but feel sorry for Dominic; we all make mistakes, and this public shaming is pretty violent.

                                                                    I guess we should sometimes take some time off to read the license before using a library:

                                                                    THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

                                                                    (F)OSS is not a consumer good.

                                                                    1. 11

                                                                      I agree that shaming people is toxic and unproductive. No one wants to be shamed and no one is perfect.

                                                                      But I see another dimension to the negative responses Dominic has received. Non-hierarchical, self-governing communities like open source software are organized by social norms. Social norms work through peer pressure - community members conform to the norms of the community not because they are compelled to by law but because it would cost them standing in the community not to. This isn’t inherently good. Some norms are toxic and self-policing via peer pressure can lead to shaming. What I see in some of the critical comments addressed to Dominic is an attempt to establish a clear social norm about what to do when you are ready to abandon a package. The norm is desirable because it increases the general level of trust. Even if the landscape is generally untrustworthy, you can have some confidence that people aren’t handing their packages off to strangers because it’s the norm not to do that. The desire for some norm here, whatever it is in the end, is reasonable.

                                                                      Ending the discussion with “don’t worry about it Dominic, everyone makes mistakes, and anyways you’re not liable for it” signals to everyone that they’re not responsible for the consequences of what they do. In a strictly legal sense, that might be true. Even then, I’m skeptical that the warranty clause would cover negligence in the distribution of the software rather than the software itself. But in either case, don’t we want a community where people do feel responsible for the actions they take and are open to receiving feedback when an action they’ve taken has a bad result? This dialogue can occur without shaming, without targeting anyone personally, and can be part of the same give-and-take process that produces the software itself.

                                                                      1. 6

                                                                        Blaming people in any security issue is toxic, no matter what happens. In any organization with paid people where you should expect better, the most important rule of a post-mortem is to remain blameless. It doesn’t get anyone anywhere and doesn’t get remotely close to the actual root cause. Instead of asking why Dominic gave away a critical package, people should be asking why some random maintainer was able to give away a critical package.

                                                                        Ending the discussion with “don’t worry about it Dominic, everyone makes mistakes, and anyways you’re not liable for it” signals to everyone that they’re not responsible for the consequences of what they do.

                                                                        By putting blame on Dominic, people are not taking responsibility. The main issue is that many core libraries in the JavaScript ecosystem still depend on external, single-file, non-core, likely unmaintained libraries. The people who should take responsibility are the ones who chose to add a weak single point of failure by depending on event-stream.

                                                                        1. 2

                                                                          It depends what you mean by blame. If you mean assigning moral responsibility, especially as a pretext for shaming them, then I agree it’s toxic. I think I was clear that I agree this shouldn’t happen. But if blame means asserting a causal relationship between Dominic’s actions and this result, it’s hard to argue that there isn’t such a relationship. The attack was only possible because Dominic transferred the package. This doesn’t mean he’s a bad person or that he should be “in trouble” or that anything negative should happen to him as a consequence. A healthy social norm would be to avoid transferring packages to un-credentialed strangers when you’re ready to abandon the package because we’ve seen this opens an attack vector. Then what’s happened here is instructive and everyone benefits from the experience. And yes, ideally these dilemmas are prohibited by the system. Until that is the case, it helps to have norms around the best way to act.

                                                                          1. 1

                                                                            I understand you don’t condone the attacks and shaming going around. However, I would argue that even if you agree that the blaming is toxic, and that building some social norm around it is better than nothing, even hinting that it was somehow Dominic’s fault is a net negative.

                                                                            The attack was only possible because Dominic transferred the package.

                                                                            This is exactly what I’m condoning. By looking at an individual and their action you scope the issue at that level. The attack was taking over a dependency. It is possible to do so in so many ways, especially for packages such as Dominic’s. This time it was a case of social engineering; next time it might as well be a case of credential hijacking, phishing or a maintainer going rogue.

                                                                            A healthy social norm would be to avoid transferring packages to un-credentialed strangers when you’re ready to abandon the package because we’ve seen this opens an attack vector.

                                                                            I would say pushing this rhetoric is actually unhealthy and only leads people to rely on those social norms and use them as an excuse to disown their accountability. It would be much healthier to set expectations right and learn proper risk assessment about dependency management.

                                                                            Then what’s happened here is instructive and everyone benefits from the experience. And yes, ideally these dilemmas are prohibited by the system. Until that is the case, it helps to have norms around the best way to act.

                                                                            The same issue has come up so many times in the past few years, especially in the NPM ecosystem, that it should be well past the “learn from the experience” stage, and I believe it’s time the relevant actors actually move toward a solution.

                                                                      2. 17

                                                                        I’ve done a similar thing before. After leaving the Elm community, I offered to transfer most of my repos over to the elm-community organisation. They accepted the most popular ones, but not elm-ast (and maybe one or two others). A few months later I received an e-mail from @wende asking if he could take over so I took a look at his profile and stuff he’s done in the past and happily gave him commit access thinking users would continue getting updates and improvements without any hassle. Now, @wende turns out to be a great guy and I’m pretty sure he hasn’t backdoored anyone using elm-ast, but I find it hilarious that people somehow think that maintainers should be responsible for vetting who they hand over control of their projects to or that they could even do a good job of it OR that it would even make any sort of a difference. Instead of trusting one random dude on the internet (me) you’re now trusting another.

                                                                        Don’t implicitly trust random people on the internet and run their code. Vet the code you run and keep your dependency tree small.

                                                                        1. 25

                                                                          Vet the code you run

                                                                          Or trust well-known, security-oriented distributions.

                                                                          keep your dependency tree small

                                                                          Yes, and stay away from environment, frameworks, languages that force dependency fragmentation on you.

                                                                          1. 4

                                                                            Or trust well-known, security-oriented distributions.

                                                                            That too! :D

                                                                            1. 3

                                                                              and stay away from […] frameworks

                                                                              I wouldn’t say that as absolutely for the web. I suspect that things would likely go a lot more haywire if people started handling raw HTTP in Python or Ruby or what have you. There’s a lot of stuff going on under the hood such as content security policies, CSRF protection and the like. If you’re not actively, consciously aware of all of that, a web framework will probably still end up providing a net security benefit.

                                                                              1. 5

                                                                                Please don’t quote words without context:

                                                                                […] that force dependency fragmentation on you

                                                                                Frameworks and libraries with few dependencies and a good security track record are not the problem. (If anything, they are beneficial)

                                                                                1. 2

                                                                                  I interpreted “Yes, and stay away from environment, frameworks, languages that force dependency fragmentation on you.” as (my misunderstandings in brackets) “Yes, and stay away from [(a) integrated development] environments, [(b)] frameworks, [(c)] languages that force dependency fragmentation on you.” with a and b being separate from the “that” in c.

                                                                                  I apologize for the misunderstanding caused.

                                                                              2. 2

                                                                                Isn’t it the case that reputable, security-focused distributions acquire such status and the continuity thereof by performing extensive vetting of maintainers?

                                                                                The responsible alternative being abandoning the project and letting the community fork it if they want to.

                                                                                1. 1

                                                                                  Or trust well-known, security-oriented distributions.

                                                                                  Then how do you deal with things like that: “The reason the login form is delivered as web content is to increase development speed and agility”?

                                                                                  1. 2

                                                                                    As a distribution? Open a bug upstream, offer a patch, and sometimes patch the packaged version.

                                                                                    1. 1

                                                                                      That’s a good idea in general but sometimes the bug is introduced downstream.

                                                                              3. 9

                                                                                Most proprietary software also comes with pretty much the same warranty disclaimer. For example, see section 7c of the macOS EULA:

                                                                                https://images.apple.com/legal/sla/docs/macosx107.pdf

                                                                                I mean, have we held accountable Apple or Google or Microsoft or Facebook in any substantial ways for their security flaws?

                                                                                1. 4

                                                                                  In many other products accountability is enforced by law and it overrides any EULA. And that is tied to profit in the broad sense: sales or having access to valuable customer data & so on.

                                                                                  Software companies got away with zero responsibility and this only encourages bad software.

                                                                                  1. 1

                                                                                    And how have we enforced that by law for those companies, regardless of what those EULAs have said? When macOS allowed anyone to log in as root, what were the legal consequences it faced?

                                                                                    1. 3

                                                                                      other products

                                                                                      e.g. selling cars without safety belts, electrical appliances without grounding…

                                                                                2. 2

                                                                                  It is a security disaster given how easy it is for js stuff to hijack cookies and sessions.

                                                                                  1. 1

                                                                                    It really isn’t if a well thought out CORS policy is defined.

                                                                                1. 2

                                                                                  Who the hell learned C++ as their first language anyway? I thought I was the only one, due to a fluke in 1998 when the AP Computer Science programme for US students decided to use C++ for that one year. I think they used it for one more year and then switched to Java.

                                                                                  Like, really, is teaching C++ to absolute beginners really a thing? Where? Anyone out there who can commiserate with me?

                                                                                  1. 1

                                                                                    Well, I was already a programmer by then, but I took an “intro to programming” class at the college for an easy A… and it used C++. That was 2007.

                                                                                    But I did C++ early in my programming myself anyway while self-teaching… but it was my third language, after BASIC on the TI-83 calculator and assembly language.

                                                                                  1. 4

                                                                                    Take a branch with only 3 small changes and it will get a whole lot of comments and suggestions. Take one with +100 changed files and it will get none.

                                                                                    That’s a great example of bikeshedding.

                                                                                    1. 2

                                                                                      But it’s a real problem. Nobody reads long diffs. You want your code reviewed, don’t you? Then make it shorter. If it must be longer, then turn it into a lot of small diffs, each requiring no further or minimal context.

                                                                                      1. 3

                                                                                        Thankfully some people don’t buy into this self-defeating rhetoric and can and do read longer diffs when the changes required are longer. Constraining the length of a change works for some problems and under some conditions, but it’s not a fundamental good or even universally achievable.

                                                                                        1. 4

                                                                                          It’s not a self-defeating rhetoric. It’s just hard to pay attention when your work is longer. It’s not because people are lazy or stupid or some other wrong thing. It’s because we’re humans and we are just not good at reading long and rambling bits of code that someone else wrote all at once. When every line of a giant hairball diff involves a context switch, nobody is going to read that, not even the original author.

                                                                                          I’m not saying you can’t make long changes. I am saying that you should split up your long changes. Split them as much as possible so each change has the least context possible to be understood. Books have sentences, paragraphs, chapters. Code has functions, modules, source files, repositories. Code review should use commits as the demarcation.

                                                                                          Move the effort of making the diff understandable to the writer, not the reader.

                                                                                          1. 1

                                                                                            Obviously if a change is rambling, it could probably stand to be improved – but something can be long without being rambling.

                                                                                            When every line of a giant hairball diff involves a context switch, nobody is going to read that, not even the original author.

                                                                                            I think you may be projecting a little. To stack my anecdote alongside yours, I have both read and written longer changes that required a lot of context to understand. I agree that it takes longer, which perhaps means I won’t get to do it all in one sitting – but I can take notes about my thoughts, as I would encourage all engineers to do, and I can pick up where I left off.

                                                                                            Split them as much as possible so each change has the least context possible to be understood.

                                                                                            I agree this can be beneficial when it’s possible, I just don’t think it always is. I’ve definitely seen people err too far on the side of microscopic changes. While the tiny change at issue may seem correct in isolation, the broader context is often actually very important and by avoiding understanding it you’re not going to give or get a very thorough review.

                                                                                            Code review, like designing and writing the code in the first place, and like testing it, takes time and energy. There’s just no magic bullet when the goal is thoughtful, consistent, and rigorous change to the software.

                                                                                            1. 2

                                                                                              The data is on the side of shorter reviews.

                                                                                              Our results suggest that review effectiveness decreases with the number of files in the change set. Therefore, we recommend that developers submit smaller and incremental changes whenever possible, in contrast to waiting for a large feature to be completed.

                                                                                              https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/bosu2015useful.pdf

                                                                                              Reviews should be of changes that are small, independent, and complete.

                                                                                              http://users.encs.concordia.ca/~pcr/paper/Rigby2012IEEE.pdf (based on data from https://users.encs.concordia.ca/~pcr/paper/Rigby2011Dissertation.pdf )

                                                                                              There is no large code change that cannot be split up into incremental, meaningful changes. It takes training to recognise those atomic boundaries, but they exist, and using them is helpful for reviewers.

                                                                                          2. 1

                                                                                            This is one of the things I really like about Go: the language designers explicitly design features to enable easier incremental changes.

                                                                                      1. 5

                                                                                        I like (and agree) with the sentiment, but the argument as presented is not convincing. I suspect that’s because it’s trying too hard to push the SCM product as opposed to talk about writing commits/checkins/whatever with the reviewers in mind.

                                                                                        The case presented is not compelling because it’s just as plausible and possible to do in Git (and probably Mercurial too). Maybe PlasticSCM makes it easier? I’m not sure. Regardless, the point about squashing commits is weak since you could just as easily squash the entire series commits to the smaller series presented. Furthermore, there’s no reason the commit message on the single commit that touches over 100 files can’t be as descriptive as a small series of commits to help guide the reviewers.

                                                                                        1. 3

                                                                                          This is how the core Mercurial team works, btw. The unit of review is the commit, not the PR (which the core hg team doesn’t even really do).

                                                                                          It produces commits that are each individually understandable, which is great because your log is actually readable and contains useful information:

                                                                                          https://www.mercurial-scm.org/repo/hg/

                                                                                          Look at how small commits tend to be, and look at how commit messages tend to explain just what this one change is doing. This also means that your commit history is now source-level documentation thanks to hg annotate/blame. The commit message is when your tools are forcing you to write something about your code, so you should take the opportunity to actually write something meaningful.

                                                                                          A history that nobody takes time to write is one that nobody takes time to read either, and at that point, what you really wanted was an ftp server to host your code with the occasional rollback mechanism to undo bad uploads.

                                                                                          1. 1

                                                                                            Except for the advertising section, it’s pretty similar to what I ask of my team: that they commit per component or logical unit (although they clearly aren’t listening; maybe I need to be more strict).

                                                                                            They could also propose using rebasing to transform the checkpoint form into the reviewer form; I understand it could be used for that.

                                                                                          1. 6

                                                                                            Can we please stop using the “Make X Y Again” schema for advertising things? I know there is no ill intent behind this but some of us are directly affected by the policies and rhetoric that comes out of the very much sincere desire to roll back progressivism by decades.

                                                                                            1. 12

                                                                                              Your comment is off-topic.

                                                                                              You reasonably observe that the name of the project is derivative, acknowledge that the author bears you no ill intent, but nevertheless suggest the project name is harming you and yours.

                                                                                              You don’t address the author, you don’t talk about Medium as a platform, you don’t talk about blogging or anything apparently connected to the article. Your comment is a generic complaint. (Applies to any submission matching your pattern.)

                                                                                              We’re a community of practitioners. We show (create, invest, fix), rather than tell (scold, beg, demand).

                                                                                              1. 26

                                                                                                The title of this project is a riff on a political slogan that itself is a riff on various fascist slogans throughout history. Making a joke of it by using it as the name of a browser extension is, at the very least, in poor taste. The commenter you responded to made a polite request to the community to stop doing this thing that is in poor taste. There was no need for them to address the substance of the project because the comment was only concerned with the choice of title. In terms of scolding/begging/demanding, I see more of that in your comment than in the one you responded to.

                                                                                                1. 1

                                                                                                  Apologies for the off-topicness, but are Mel Brooks’ Hitler jokes/comedy in bad taste? Can something horrible be alleviated by ridiculing it?

                                                                                                  This is a philosophical question that doesn’t even account for the author’s intent with the naming.

                                                                                                  And on the other side, would “Medium we can believe in” or “Medium we can” be more acceptable or less, and to whom?

                                                                                                  A rose by any other name… It seems to be a somewhat useful browser addition regardless.

                                                                                                  1. 2

                                                                                                    Can something horrible be alleviated by ridiculing it?

                                                                                                    Yes, somewhat, and only if actually done well. (And even then, sometimes the supposed object of ridicule can miss the point entirely and embrace whatever the “joke” was about.)

                                                                                                    I guess the point is, naming entirely unrelated things with the same pattern (“Make X Y again” here) is not comedy! It’s literally just spreading the slogan.

                                                                                                2. 19

                                                                                                  You can’t ignore politics when they are no longer ignoring you. However much you may think that Lobsters is a domain of pure, unadulterated reason and everything unreasonable is offtopic, the linked software decided to make a political slogan ontopic.

                                                                                                  You’re grandstanding here about how neutral Lobsters is, but there’s no neutrality on this moving train, and telling people to shut up about the politics that affects them isn’t nice.

                                                                                                  1. 9

                                                                                                    We’re a community of practitioners. We show (create, invest, fix), rather than tell (scold, beg, demand).

                                                                                                    I like this a lot! The internet would be a better place if there were more places that followed this philosophy.

                                                                                                    1. 0

                                                                                                      Yeah, wouldn’t that be something…

                                                                                                      :-/

                                                                                                    2. 8

                                                                                                      I also happen to feel playful takes on MAGA are putting googly eyes on a swastika, and was about to post a similar comment. I didn’t post, as earlier OT exchanges like this on Lobsters suggest ethics is a taboo subject to many here.

                                                                                                      But seriously, screw this.

                                                                                                      1. -6

                                                                                                        Fine, let’s discuss ethics.

                                                                                                        Calling a playful riff on the MAGA slogan “putting googly eyes on a swastika” is bullshit. It’s the same authoritarian communist rhetorical technique that the East German government used when they called the Berlin Wall the “anti-fascist defense wall”. I’m not a huge fan of Trump myself, but I’m even less of a fan of the anti-Trumpist faction in American politics characterizing Trump’s policies as literally Nazi-like so they can feel justified in weaponizing the social norm that “Nazis=bad” in western society against their political enemies.

                                                                                                        Nothing the Trump administration is doing is in any meaningful way close to the bad things that the Nazis did - frankly most of what he’s been doing are the same things that every post-WWII American presidential administration has done, just with less high class verbiage to describe it. The people who claim otherwise are doing so in order to make themselves feel like they’re morally-righteous crusaders instead of people having ordinary political disagreements in the American political system.

                                                                                                        Lobsters isn’t a political discussion forum, but if people are going to say that nonpolitical articles that happen to reference the current US President’s campaign slogan should be considered forbidden, you’re already bringing politics into the space, and you shouldn’t expect that your particular politics must go unchallenged. There’s nothing wrong with the title of the article, and people claiming otherwise are making a backhanded political argument that Trump is Bad on a technical forum.

                                                                                                        1. 3

                                                                                                          Now this is an off-topic comment.

                                                                                                          1. 10

                                                                                                            And yet despite being in good company, it is the only one flagged to death, because it comes from the perspective of the wrong tribe.

                                                                                                            You see why I object to politics and “ethics” discussions? This is sort of the reason why–people don’t get a fair shake.

                                                                                                            1. 0

                                                                                                              This is a tough problem to solve, for sure.

                                                                                                              I am among those who have flagged it as off-topic, as per @alynpost ’s comment here

                                                                                                              https://lobste.rs/s/f4t0y2/make_medium_readable_again#c_ty2pp6

                                                                                                              (based on my understanding, posted here: https://lobste.rs/s/f4t0y2/make_medium_readable_again#c_szkkme)

                                                                                                              As both this downvote and the one I made on the other post were made in affect, I have removed them both.

                                                                                                              1. -1

                                                                                                                This whole discussion is a response to an unnecessarily politicised title. Ironically, it’s the objection to the title that was attacked by the “no ethics pls” crowd.

                                                                                                            2. 2

                                                                                                              I’m not taking the bait. Would just remark that my reply, and your rant, could be precisely avoided if the author stuck to fucking technicals for a technical write-up.

                                                                                                          2. 6

                                                                                                            How does one show, create, invest or fix in response to a negative pattern like the “Make X Y Again” headline?

                                                                                                            1. 4

                                                                                                              Indeed. I suppose one could suggest an alternate name for the project, in which case I will propose “Readable Medium” as a straightforward name for a browser extension that would entirely avoid any political connotations that only serve to distract from the substance of the project.

                                                                                                              1. 1

                                                                                                                I like that also because I find it humorous – a medium is a person who may do a “reading”, so “readable medium” sounds backward to me.

                                                                                                              2. 0

                                                                                                                If the title of the project bothers you, open an issue and try to convince the author of your point. If not possible, fork it.

                                                                                                              3. 3

                                                                                                                I downvoted this comment as “incorrect” but I have since reconsidered and removed my downvote.

                                                                                                                I initially read the comment to mean “never discuss anything political, (as defined by us the community*) on this site”.

                                                                                                                I now hope it reads “please feel free to discuss things political, but the focus should be on the technical contents of the submitted post”.

                                                                                                                In this spirit, I will submit a comment that both reflects my opinion on the linked content, and will serve as a template for an acceptable comment that also addresses the political/ethical implications.

                                                                                                                [start comment]

                                                                                                                This project strikes me as useful for now, but ultimately reactive. It’s easy for Medium to redesign their site to defeat the circumvention, and the developer and users will engage in a game of whack-a-mole to keep up.

                                                                                                                It’s a similar situation with ad blockers, with the significant difference that the market for ad-free browsing is much larger than the market for reading Medium without a bunch of banners.

                                                                                                                This segues nicely into the problems with Medium’s business plan. Ultimately, it’s just Wordpress.com with a nicer editor and draconian rules about CSS. There’s really no reason to pay for Medium apart from the content, and the content, for me personally, seems mostly to be cryptocurrency boosters nowadays. Essentially it’s content as a commodity… there has to be a critical mass of writers who are only available on Medium for it to be worth paying for.

                                                                                                                If Medium promised a cleaner reading experience as part of a paid tier, that would maybe help?

                                                                                                                As to the name of the linked project - it’s unfortunately hard to detect irony on the web, and considering the “alt-right” has had some success in shifting the conversation by “pretending” to be racist, saying it’s for the “lulz”, I am prepared to automatically assume that someone who seems to do the same is either on the same side as this political faction, or insensitive to how they appear by choosing this name.

                                                                                                                Personally I would add the name choice as a negative in evaluating this project.

                                                                                                                [end comment]

                                                                                                                If anyone upvotes or downvotes this comment, please let me know if it was because of the content, or the presentation, or the meta-narrative on how to handle political/ethical/sensitive submissions to the site.
                                                                                                                * who represents this community is another question that deserves discussion but that’s for another time.

                                                                                                                1. 0

                                                                                                                  Good comment, upvoted. You address the content of the article first, make good points and analysis, and close with minor but reasonable speculation and an opinion–and you don’t go on a screed.

                                                                                                                2. 2

                                                                                                                  @gerikson, @jamesmacaulay, @JordiGH, @varjag I’ll reply to all of you at once in the interest of my time.

                                                                                                                  I have had folk observe that I’m prone to understatement. I may have done that here describing the project name as derivative, when I could have said political slogan (h/t jamesmacaulay) or dog whistle (h/t gerikson). Both would have been more accurate.

                                                                                                                  The de minimis statement I made supporting my off-topic claim was “Your comment is a generic complaint.” I then provided a test so the claim can be falsified: “[Your comment] applies to any submission matching your pattern.” This same test holds without regard to the sentiment of the comment. A similarly context-free comment supporting, rather than detracting, this political slogan, dog whistle, or derivative name would also be off-topic.

                                                                                                                  We know that naming things is hard. The problem is featured in a widely known joke. (“There are two hard problems in computer science…”) We also know that names can be chosen because they’re provocative. (“There’s no such thing as bad publicity.”) Discussing names gets the benefit of the doubt regarding topicality. The comment in question is off topic qua a kind of behavior.

                                                                                                                  Thank you all for your replies.

                                                                                                                3. 1

                                                                                                                  I suppose to a progressive, the title would sound like “make medium awful again” – the exact opposite of what the author is trying to convey!

                                                                                                                  (I didn’t even pick up on the political reference until you pointed it out.)

                                                                                                                  1. 1

                                                                                                                    Can’t speak for others, but to me the original intent was clear given the context. But it’s hard to divorce the connotations of oppression and hate from it. As @JordiGH said so eloquently, at this point it’s impossible to ignore politics as they won’t ignore you. Using this language will hurt people. I assume this wasn’t anyone’s intention by choosing this name, so I’m just trying to point this out hoping that when the next time comes around people can make a more informed decision.