1. 13

    oof, it’s been a long time since my last post

    New country, new OS, ….

    Desks

    Work Laptop: MacOS Catalina

    Personal Laptop: MacOS Big Sur (MacBook Pro 13” M1)

    1. 5

      Whoa! That’s a nice view! Having windows on three sides must provide you with a good amount of light!

      1. 1

        They do! Echo is a problem though, I haven’t found a way to reduce it without covering the windows

      2. 1

        What was the old country and the new country, if I may ask?

        1. 3

          I went from India -> US -> Canada

          I didn’t know how much I would like it here, it’s been surprisingly awesome!

          1. 1

            Is that Vancouver?

            1. 4

              Yup!

              edit: should’ve lied, getting too close to being doxx’d

        2. 1

          I envy that view, beautiful!

        1. 3

          I highly enjoyed reading this for the tour of Lisps, and the conclusion that Racket might be a unifying force among Schemers. I’m interested in hearing the author explain a bit more on their thoughts about Racket.

          1. 26

            This article doesn’t introduce anything new on the table, and it shrugs away security as “just use PGP” which is not a reasonable alternative. Why doesn’t anyone encrypt mails? Because PGP tooling sucks, its UX sucks and it isn’t as user friendly as, for example, Signal/WhatsApp/you name it.

            1. 12

              I’ve been training non-tech people on practical computer security. In the past couple of years we’ve switched from introducing PGP as a viable but very difficult/brittle option to just using it as an exercise to understand the ideas behind public-key cryptography and not strictly hierarchical trust models.

              Given how easy it is to accidentally downgrade the channel, using it for very sensitive information is just a bad idea. Email clients with PGP plugins etc. just aren’t a “reasonably safe by default” option.

              1. 7

                I agree. I find the “email is not private, so I don’t treat it as such” argument a bit moot. PGP is so easy to misuse that it nearly shouldn’t be seen as secure. Why try convincing people that the privacy story of email is okay instead of attempting to do better? :(

                1. 2

                  That’s because the point of the article is not privacy; it’s spam, privacy and workflow management.

                  1. 2

                    Another problem with PGP and email is mobile devices. I do not want to download my whole inbox to my phone, but I want to be able to search through it. With chats it is less of a problem, as I search history a lot less frequently than my email.

                    1. -7

                      PGP tooling is completely fine! You can’t just say something sucks without giving any reason for it!

                      1. 15

                        The first time I used PGP, I started by generating a key pair for myself and the first thing the program asked me was if I want to use Elliptic Curve Cryptography or RSA. Then it proceeded to ask for various details like key size and so on. At the time, I was either in the final year of my computer science degree or already obtained it, and there were some real head-scratchers among those questions. Is Elliptic Curve Cryptography really more secure? What is a good key length? Question over question. Now, if this is what the onboarding process feels like for someone who has spent a significant amount of their life studying computers, I cannot imagine what it feels like if you’re new to computers. There is no way the masses are going to use a tool that asks you deep cryptographic questions, some of which cannot even be answered by industry experts.

                        PGP is fine in the sense that the software is robust and it works (though I’m really not a fan of the lack of perfect forward secrecy - I think it’s an issue that is hand-waved away far too often). But it’s not fine for people who just want to quickly connect without having to study cryptography - and that should be the target audience if you want widespread adoption.

                    1. 3

                      Slightly OT but recently Scaleway mistakenly deleted one of my instances along with its data :(

                      1. 2

                        I had that happen to me a year or two ago. Thankfully, I had a backup of the server, but it made me acutely aware of how fragile infrastructure sometimes is.

                        1. 1

                          Ouch, was that also with Scaleway?

                          I had things… mostly backed up :x

                          1. 2

                            Yep! :(

                            It was one of the small x86-64 virtual machines. They wrote something about their hypervisor dying. I ‘only’ lost data up to the latest snapshot, which was taken when the machine was last rebooted… 4 months prior.

                            1. 2

                              That’s the same with me, including the snapshot. The hypervisor went down for planned maintenance (expected to last between 1 minute and 1 hour), 4 or 5 hours later I got an email saying that the hypervisor had died and data had been lost :(

                              1. 2

                                Ouch. My condolences! For me, it ended up being an expensive event – I chose to migrate from the Scaleway VMs to a dedicated server. ;)

                      1. 9

                        It’s refreshing to have a post that highlights some of the positive sides of Scheme (portability and stability being some of those), instead of declaring that yet another language is dead or, at least, dying. Scheme is such a fun language to write; there are few “no-nos” and complaints about unidiomatic code. I guess this might be one of the reasons some people do not like it, considering Python’s popular “one way to do it” slogan. In any case, this made me want to open Emacs and write some Scheme!

                        1. 4

                          In any case, this made me want to open Emacs and write some Scheme!

                          On that topic, do you have any tips to improve the scheme development experience in Emacs? Geiser just doesn’t seem as complete as SLIME, which just keeps on annoying me.

                          1. 2

                            There’s but one SLIME, and I’ve not seen anything else come close in functionality. Many moons ago, you could use a subset of SLIME features with scheme48, with a random fork, a hope, and a prayer. I’m guessing no combination of the 3 ingredients will still work, today.

                        1. 10

                          I agree on the syntax of TeX being suboptimal, but I have a hard time agreeing with ignorant arguments like this:

                          Typesetting, taken by itself other than reading facilitation, is in general of little serious utility.

                          Isn’t reading facilitation the main purpose of typesetting? I think it’s kind of disingenuous to say “other than the main purpose of this thing, it’s useless.”

                          1. 8

                            Donald Knuth created TeX as a reaction to typesetting culture deterioration and gave everyone a tool to get great typesetting for free. Sadly, it didn’t stop deterioration.

                            E-book readers focused on FB2 and other essentially non-paged formats don’t help. Even with PDF, I’ve seen enough people neglect instant and effortless improvements that I wrote a <shamelessPlug>HOWTO</shamelessPlug>.

                            And with typesetting per se… Maybe in the time when so many people haven’t even seen decent typesetting, we should really be doing some advocacy.

                            1. 2

                              Do you think that it is impossible to bring good typesetting to Web engines?

                              1. 4

                                To do typesetting, you need to know the page geometry. It means web engines need to re-typeset the text every time the viewport size changes. Since the web is not paged, it doesn’t have the worst issue that requires manual tweaks more often: orphans and widows (i.e. paragraphs whose last or first line is on a different page). However, other readability issues like rivers or gaps between words the browser can’t hyphenate still exist. Near-magical typesetting for a range of viewport sizes can be much better than nothing of course.

                                There are definitely improvements. Firefox seems decent at hyphenation (in English anyway), though hanging punctuation would be nice. That said, Google Internet Explorer still doesn’t support hyphenation on most platforms.

                          1. 18

                            An accompanying blog post[1] from Terry Cavanagh, the game’s creator, contains some additional information on the source release as well as a bit of a code-post-mortem. I think it’s worth noting that the VVVVVV code is pretty horrendous (Cavanagh even admits so), yet the VVVVVV product is a best selling and well loved indie title. It shows that code quality is not equivalent to product quality.

                            [1]: http://distractionware.com/blog/2020/01/vvvvvv-is-now-open-source/

                            1. 5

                              code quality is not equivalent to product quality

                              … for one indie game. True enough, but I would be cautious about extrapolating from this.

                              1. 3

                                Games are somewhat different to most other software in that they are art, not tools. A quirk or oddity is far more tolerable in a piece of art than in a tool that one potentially has to use for hours every day.

                                1. 2

                                  Has there ever been a widely-used consumer product that has had great code quality? Like xmonad is cool but it isn’t exactly widely used.

                                  1. 2

                                    I don’t know if you consider database systems widely used, but SQLite is kind of well-known for their extremely extensive testing, and SQLite is very widely used, but most likely not that known to the ordinary consumer of the products that it’s used in.

                                    1. 2

                                      Infrastructure typically requires a higher baseline level of quality versus user facing code. Conversely, it is one step removed from revenue, thus it tends to be under appreciated and under funded relative to its importance.

                                      Choose your poison. The amount of value generated by SQLite is likely in the billions, thanks in no small part to the quality of engineering that went into it.

                                  2. 1

                                    There was some other obscure indie title called “Minecraft” that was supposed to have very terrible code. Microsoft bought it for more than 2 billion dollars.

                                    It might happen more than you think with video games, as opposed to other kinds of software.

                                    1. 1

                                      Agreed. I might even say that poor code quality is correlated with high-quality games, but that doesn’t mean the relationship is causative. Many brilliant video games are made by creatives who don’t care so much for developing their programming skill. That doesn’t mean that high-quality, maintainable code is a bad idea.

                                    2. 4

                                      It shows that code quality is not equivalent to product quality.

                                      Games are different from many other pieces of software in that you can create it once, and then never (or rarely) have to update it, especially for smaller games. A lot of the problems with “poor quality code” is that it becomes hard to update code, not that the original code doesn’t work.

                                      Quoting from the article:

                                      Looking back through it myself all these years later, I find it really funny how much of it is basically just the same parts copy and pasted over and over, with the values changed. This basically makes it impossible to read and maintain ten years later, but back when I was in the thick of it, it made it really fast to iterate and add new things

                                      1. 1

                                        Yeah, the most succinct summary I’ve heard was “VVVVVV’s code can afford to be bad because it was made in 7 months with not much plans for large scale post-launch support”

                                      1. 3

                                        This reminded me of a paper examining and quantifying the implications of insecure StackOverflow snippets on the security of Android apps.

                                        1. 2

                                          I really like that there is a focus on making the decisions made by the compiler more visible. Sometimes it can feel like compilers are doing opaque magic.

                                          This, however, leaves me a bit speechless:

                                          In this new release of GCC, the switch statements can be translated to a linear function expression by the use of the -ftree-switch-conversion. This means that the compiler tries to find any linear function a * x + y that can apply to the given values on the switch.

                                          Wow!

                                          1. 10

                                            I really feel like the messaging experience has moved backwards in the past 10 years for one on one convos.

                                            I used to just have pidgin, have a single client for loads of protocols, and be in a pretty good place! Now it’s a whole thing and I need 10 different apps

                                            The one thing that’s a bit nicer is how sharing media between apps on mobile makes sharing a file pretty easy nowadays, but still….

                                            1. 4

                                              I think that one of the reasons for this is the increasing prevalence of mobile clients. With desktops (and to some degree laptops) you can be constantly connected. Mobile clients such as phones require push notifications (or occasional polling) to deliver messages without wasting energy. Some protocols support this while others just assume a constant, stable connection.

                                              1. 6

                                                This is a big weakness for IRC on mobile imho. It can be mitigated with bouncers and proxies like IRCweb but the fundamental architecture is predicated on a connection that either works all the time or tries to reconnect if there’s an issue.

                                            1. 2

                                              If you want to know more about the rise of Pornhub (and the owner, MindGeek) to have a de facto monopoly on online porn, it is worth listening to Jon Ronson’s podcast The Butterfly Effect. Jon Ronson traces the effects of the rise of Pornhub, and how it has impacted specific people around the world. It’s great!

                                              1. 1

                                                Trying to instigate a possible migration away from Facebook groups for a small part-time organisation. I’m currently thinking that Zulip might be a good solution, but their mobile apps seem a bit underdeveloped, and I’m having a hard time getting iOS notifications working.

                                                1. 4

                                                  This article has a lot of good points, especially about dynamic certificate signing after seeing out-of-band authentication.

                                                  However, I disagree with calling TOFU (trust on first use) an anti-pattern. TOFU is completely fine if clients use a bit of caution. It’s worth mentioning that GnuPG seems to be transitioning towards a TOFU model from the current web-of-trust model. TOFU is not inherently insecure.

                                                  1. 7

                                                    It depends how stable the list of hosts is and how stable the route to connect to them is.

                                                    In a cloud setting where machines come and go, each ssh session might be a first use. IPs get re-allocated to different VMs over time so the known_hosts will have collisions. In that case TOFU becomes more or less useless.

                                                    Another issue is if your machine is always connecting using the same channel. Either because it’s on a fixed network, or because you are always using a VPN. In that case it becomes easier for an attacker to place himself as a MITM and not be detected.

                                                    1. 2

                                                      The only way TOFU works securely is if you manually validate (with your eyeballs) the key fingerprint for every single new host you encounter. Who does that? And if it’s a box you don’t manage, how do you even do that? Ask your buddy in the next cubicle if he has the same fingerprint? Maybe he’s been MITM’d too?

                                                      Even if you do validate the fingerprint of every host, that might scale for your homelab or toy k3s cluster on AWS but not much else. My ~/.ssh/known_hosts file at work is 9 years old and 1232 lines long. I can guarantee you that I did not (and still do not) have the time or inclination to verify all of those manually. I don’t have any evidence of it, and I generally trust the people I work with but it’s entirely technically possible that a bad actor somewhere in the company could have intercepted my SSH sessions.

                                                      Signing SSH host keys is relatively easy to set up and manage (compared to user key signing, which requires extra work of the users) and solves enough problems that it’s very much worth doing over TOFU.
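The trade-off discussed in this thread can be measured on an existing `known_hosts` file. The following Python script is an added example, not code from any commenter or from OpenSSH: it separates names that are only pinned by TOFU from names covered by an `@cert-authority` line, and flags names that carry more than one key of the same type. The host names, the salt and the key blobs in the sample are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re
from collections import defaultdict


def hash_host(host, salt):
    """HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def hashed_matches(field, host):
    """True if a hashed host field was derived from `host`."""
    _, _, salt_b64, mac_b64 = field.split("|")
    mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(mac_b64))


def pattern_matches(patterns, host):
    """OpenSSH-style pattern list: '*' and '?' wildcards, a leading '!' negates."""
    hit = False
    for pat in patterns:
        negate = pat.startswith("!")
        body = pat[1:] if negate else pat
        rx = re.escape(body).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, host):
            if negate:
                return False  # a negated match always wins
            hit = True
    return hit


def parse(text):
    """Yield (marker, hosts, keytype, key) for every non-comment line."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = parts.pop(0) if parts[0].startswith("@") else None
        if len(parts) < 3:
            continue  # malformed line, skip it
        yield marker, parts[0].split(","), parts[1], parts[2]


def audit(text):
    """Classify plain-text names as CA-covered or TOFU-only and find key conflicts."""
    ca_lists, keys, hashed = [], defaultdict(set), 0
    for marker, hosts, keytype, key in parse(text):
        if marker == "@cert-authority":
            ca_lists.append(hosts)
        elif marker is None:
            for h in hosts:
                if h.startswith("|1|"):
                    hashed += 1  # cannot be matched without a candidate name
                else:
                    keys[(h, keytype)].add(key)
    names = sorted({h for h, _ in keys})
    covered = [h for h in names if any(pattern_matches(p, h) for p in ca_lists)]
    return {
        # same name, same key type, different keys (e.g. a re-allocated IP)
        "conflicts": sorted(k for k, v in keys.items() if len(v) > 1),
        "ca_covered": covered,
        "tofu_only": [h for h in names if h not in covered],
        "hashed": hashed,
    }


# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = "\n".join([
    "# constructed sample",
    "@cert-authority *.prod.example.com,!bastion.prod.example.com ssh-ed25519 AAAA_PLACEHOLDER_CA",
    "10.0.0.5 ssh-ed25519 AAAA_PLACEHOLDER_KEY1",
    "10.0.0.5 ssh-ed25519 AAAA_PLACEHOLDER_KEY2",
    "web1.prod.example.com,10.0.0.7 ssh-ed25519 AAAA_PLACEHOLDER_KEY3",
    "bastion.prod.example.com ssh-ed25519 AAAA_PLACEHOLDER_KEY4",
    hash_host("db1.internal.example", b"constructed-salt-20b")
    + " ssh-ed25519 AAAA_PLACEHOLDER_KEY5",
])

if __name__ == "__main__":
    for name, value in audit(SAMPLE).items():
        print(name, value)
```

Names listed under `tofu_only` are the ones whose first connection was trusted without verification; bare IP addresses stay in that list even when the host name itself is covered by a CA pattern.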

                                                    1. 3

                                                      The ellipsis and hamburger menus often seem to be a place to put things that don’t fit. Kind of like having a “miscellaneous” folder – everything goes in there without much regard.

                                                      1. 4

                                                        Learning the deep end of LaTeX stuff like writing your own classes and packages. Not going to lie, it’s a lot more straight-forward than I thought. It’s just a couple of identifiable macros (\NeedsTeXFormat and \ProvidesClass) and declare your new settings.

                                                        1. 2

                                                          I still find the \makeatletter command mildly amusing.

                                                          1. 2

                                                            Ha. Not that deep yet. DIY document classes, though, are relatively “deep” when any question or information you want to find on-line is 99% of the time “oh just use the so-so package!” and piling features thick on an article-classed per-document basis. Heck, I didn’t know what \makeatletter really did until you brought it up.

                                                          2. 1

                                                            Congratulations on taking the dive into LaTeX! I can highly recommend reading some of the TeXbook by Don E. Knuth and getting an understanding of Plain TeX and exactly where the boundary is between TeX and LaTeX.

                                                          1. 8

                                                            Rust isn’t actually a great functional programming language IMO, though it is still good enough to reap many of the benefits. But in lots of cases doing things the functional way “feels bad” because you are more concerned with your program’s memory behavior than its applicative behavior. This means all the nice functionality that allocates behind the scenes (partial application, constructing closures, etc) gets a lot noisier.

                                                            1. 3

                                                              The im-rs crate is worth considering if you want fast immutable data structures in Rust.

                                                              1. 2

                                                                Shoot, I keep looking at that and saying “this is awesome”, then not finding a use case for it and forgetting about it.

                                                            1. 2

                                                              I’ll be visiting Berlin until Tuesday (any general recommendations on what to see, besides the “standard stuff” would be nice) to meet up with relatives, and in what time is left I’ll have to be probability/statistics for an exam next Thursday.

                                                              My university didn’t think it was necessary to inform us of when the exams will take place, until after we made our plans for this summer, and I’m kind of dealing with it now ^^

                                                              1. 2

                                                                If you’re into archaeology and history, you should visit the Neues Museum. In general, the Museum Island (Museumsinsel) is interesting, and has very fair prices for university students. Have a nice trip!

                                                                1. 2

                                                                  Sounds interesting, will see if I’ll make it.

                                                                2. 2
                                                                  1. 2

                                                                    Idk if the Turkish Market counts as the “standard stuff” but it’s worth checking out.

                                                                    1. 1

                                                                      No, didn’t know about this. I was thinking about Brandenburger Tor, Bundestag, … when I said “standard stuff”. Not the best term, I know.

                                                                    2. 1

                                                                      Go visit a hacker space. C-base, raumfahrtagentur,… (there’s more. Ask the Internets)

                                                                      1. 2

                                                                        I regret not allocating time to see C-base. Is that considered a hacker space?

                                                                        1. 1

                                                                          It’s actually a space ship, but many people consider it a hacker space ;)

                                                                          1. 1

                                                                            Ah, yes. I read it was a spaceship, too. I regret missing it even more now.

                                                                      2. 1

                                                                        I literally just got back from Berlin. Here are some of my recommendations:

                                                                        • Eat as much doner and currywurst as you can. I recommend Mustafa’s track stand for doner and Curry36, which is located near Mustafa’s.

                                                                        • Cold war bike tour with Fat Iron Tours. The tour is about four hours and the bike ride isn’t strenuous. Our tour guide was really knowledgeable, and we learned a lot about life in Berlin during the Cold War. This is much better than the Checkpoint Charlie museum, which is a disorganized mess with walls-of-texts as exhibits. It’s still cool to visit the stop.

                                                                        • Hitler’s bunker and Jewish Memorial

                                                                        • The Turkish Market is cool but only happens on certain days.

                                                                        • Neues Museum to see the bust of Nefertiti. In the words of a famous critic: “Description is useless. See it.”

                                                                        • Pergamon Museum to see the Ishtar Gate

                                                                      1. 3

                                                                        I’m currently reading Kitchen Confidential by Anthony Bourdain. The writing is lively and enjoyable, and the experiences detailed are fairly crazy.

                                                                        1. 1

                                                                          This looks interesting. I’m happy to see new ideas for window management, especially with Gnome integration!

                                                                          1. 2

                                                                            Anyone here who has experience with Yggdrasil who wants to comment on that?

                                                                            1. 6

                                                                              I’ve been running Yggdrasil on seven boxen for the past two months, and it’s been running flawlessly from what I can tell.

                                                                              Yggdrasil is way easier to build than cjdns, and to peer with other nodes all you need is an IP address and a port number. You can literally have Yggdrasil up and running in less than half an hour. And Yggdrasil nodes on a LAN will auto-discover each other (like cjdns with the beacon activated).

                                                                              1. 2

                                                                                I’ve been using it for a while, and I have to say, for alpha it’s really good at just working consistently well without any crashes and similar issues. At least for me, I’ve heard someone had crashes, though that was fixed, apparently.

                                                                                Tunneling over tor, and even i2p works without problems (other than slowing things down, especially in case of i2p).

                                                                                Totally unlike my experience with cjdns, which, when I tested it, consistently kept dying at least a few times a day, and had other issues, like a weird 2 process model and when I sigterm master it leaves the child running (so not good for daemontools), no support for tcp (so any kind of tunneling required ugly hacks which didn’t work well), requirement of nodejs just to build it… Maybe my experience is outdated, as it’s been more than a year now, but all of it just left a bad taste. Oh yeah, this isn’t about cjdns.

                                                                                Community is okay, developers are friendly and reasonable people, I’ve contributed some improvements for things I cared about, and they’ve been accepted.

                                                                                Overall, my experience is largely positive.

                                                                                1. 2

                                                                                  I’ve been running Yggdrasil from the start, it’s freakishly stable for something only in alpha.
                                                                                  Developers are very organized and helpful and listen to users, documentation is also amazing.
                                                                                  They keep adding well thought out features.
                                                                                  There is a good community developing around with lots of little projects to boot.
                                                                                  If you have not tried it, I highly recommend it, and you can find the devs in IRC, more info on their website.

                                                                                  This is what the network currently looks like as of this post:
                                                                                  https://imgur.com/a/umwSyMn

                                                                                  1. 1

                                                                                    Does it somehow work across home routers with masquerading?

                                                                                    1. 2

                                                                                      Outbound peerings will work perfectly over a masquerading NAT.