1. 5

    I don’t understand how/if webmentions are significantly different from the pingbacks everybody used to have on their WordPress blog (because I think they were enabled by default?) and then promptly disabled because of too much spam.

    1. 7

      Webmentions have been modeled after pingback. They are basically a refinement.

      Regarding spam, well, as always when you are exposing a write permission through the web, you are more or less vulnerable. This problem has been, and still is, discussed within the indieweb community. A protocol, Vouch, has been proposed to address this problem.

      And as mentioned below, you still can moderate or simply not display your webmentions altogether.

      1. 3

        Webmentions have been modeled after pingback. They are basically a refinement.

        Did anyone ever care about pingbacks though? Even the non-spammy ones?

        1. 1

          Presumably? I mean, they got implemented, right? Someone spent the time to make that happen.

          1. 1

            Did anyone ever care about pingbacks though? Even the non-spammy ones?

            I can only speak for myself, but I did. It often gave me access to blogs by people with similar interests that I would have otherwise never known about to visit. It used to be that a large percentage of bloggers would list their favourite blogs somewhere on every page (sidebar/footer) so finding one blog with an author who shared similar interests could end up in a twenty five link binge.

            I guess it was a different time, then again it was over a decade ago.

        2. 3

          I was wondering that, unless these aren’t intended to be published in verbose and instead used more as a notification for the author and only really published publicly as a counter?

          If the pingbacks had been used simply to list in the author’s admin places where their articles had been mentioned and not published alongside comments to the article then there would have been a lot less spam.

          1. 3

            Vouch was mentioned here already, but for now, just requiring a valid h-entry reply/like/repost/etc. instead of just a link works well enough. Of course spammers can start posting proper replies, but they haven’t yet.

          1. 2

            Definitely gonna use it :) Nice work!

            1. 2

              AKA. - understanding what a Monad is as well as other classic FP patterns.

              1. 21

                Stylus is using the same theme database without collecting your history:

                1. 7

                  +1

                  But the problem is: how to ensure that Stylus (or any alternative) won’t become the next “Stylish”?

                  1. 7

                    I’ve written a couple of my own extensions, partly for this reason. For certain complicated or common needs (like ad-blocking) I have no choice but to find an extension I trust and use it. But in other cases I just end up writing my own because I can’t find something that doesn’t feel sketchy.

                    Ironically, one of my extensions was recently removed from the Firefox store because there was some incidental code in a dependency (that isn’t used at runtime) that makes a network request.

                    1. 1

                      I’ve written a couple of my own extensions, partly for this reason.

                      This is the “hacker’s approach” that I prefer.
                      Everyone should be able to hack software for his own need.

                      For certain complicated or common needs (like ad-blocking) I have no choice but to find an extension I trust and use it.

                      Well, actually you can also review them, if the sources are available.

                      1. 6

                        Well, actually you can also review them, if the sources are available.

                        Certainly an important part of the process, but both major browsers push updates to extensions silently, and there’s no guarantee that the code my browser runs is the same code that was in the OSS repository. It’s a crap situation all-around, really.

                        1. 4

                          This is the “hacker’s approach” that I prefer.

                          I prefer it too, but as far as I can tell webextensions goes out of its way to make this tedious and annoying.

                          I’ve tried building webextensions from source, and as far as I can tell there is no way to permanently install them. You can only install them for a single session at a time. (Hopefully there’s a workaround someone can suggest, but I didn’t find one at the time.) It was pretty appalling from a hackability/software-freedom perspective, so I was pretty surprised to see it coming from Mozilla.

                          1. 2

                            Idk about Mozilla, but I made my own permanently installed extension for an appliance with Chromium. Precisely to avoid the risk of updates or unavailability due to internet outages.

                      2. 4

                        Consumers should demand that extensions don’t improperly use personal info, and that the browser vendors only allow extensions that adhere to these rules.

                        1. 17

                          Consumers should demand that extensions don’t improperly use personal info

                          Do you know any consumer that wants extensions to sell their personal info?
                          I mean, it’s like relying on consumers’ demand for pencils that do not explode.

                          Yes, they might ask for it… if only they knew they should!
                          (I’m not just sarcastic: perfect symmetric information is the theoretical assumption of free market efficiency)

                          1. 2

                            I was being half sarcastic. Marketing is basically information arbitrage, after all.

                            But as a practical matter I believe voluntary regulation is the way forward for this. Laws are struggling to catch up, although it would be interesting to see how GDPR applies here.

                            1. 5

                              I believe voluntary regulation is the way forward for this.

                              Gentlemen agreements work in a world of gentlemen.
                              In a world wide market cheating is too easy. It’s too easy to hide.

                              GDPR reception shows how much we can trust companies’ “voluntary regulations”.

                              Laws are struggling to catch up

                              True. This is basically because many politics rely on corporate “experts” to supply for their ignorance.

                          2. 3

                            In theory the permissions system should govern this. For example, I can imagine a theming extension needing permission to access page content; but it should be easy to make it work without any external communication, e.g. no network access, read-only access to its own data directory (themes could be separate extensions, and rely on the extension manager to copy them into place), etc.

                            1. 2

                              It can leak data to its server by modifying just css, not even touching DOM, by adding background images for example. I don’t know if it’s even possible to design browser extensions system so extension effects are decently isolated.

                              However, these exfiltration hacks might attract attention easier than plain XHR.

                              1. 1

                                Hmm, yes. I was mistakenly thinking of a theme as akin to rendering given HTML to a bitmap; when in fact it’s more like a preprocessor whose result is sent to the browser engine. With no way of distinguishing between original page content and extension-provided markup, you’re right that it’s easy to exfiltrate data.

                                I can think of ways around this (e.g. setting a dirty bit on anything coming from the theme, or extending cross domain policies somehow, etc.) but it does seem like I was being a bit naive about how hard it would be.

                          3. 2

                            Theoretically, you could audit the GitHub repo (https://github.com/openstyles/stylus) and build it yourself. Unfortunately that doesn’t seem too feasible.

                            1. 1

                              For this reason I install the absolute minimum extensions. I usually only have Privacy Badger installed as I’m fairly sure the EFF won’t sell out.

                          1. 2

                            Shameless reddit cross-post. In my defense, I find the first page hilarious.

                            Hope you’re not reading this comment before the paper though.

                            1. 5

                              Excuse me, have you heard about our lord and savior nix?

                              More seriously, the Haskell build environment is clearly a problem. I tried using a stackage nix overlay for a while, it was quite a long setup, and having to rebuild the entire package for each update was too demanding for my 7-year-old computer. I saw some bazel-based setups but haven’t tried myself…

                              Stackage is really great, but I agree the stack tool could be more user friendly. But in the end, I still use stack and have to delete randomly my .stack directory every once in a while.

                              Rants are usually fun, but we could also talk about what makes the Racket build system great and see how we could transpose that and slowly derive to a similar system.

                              [Edit] BTW, cabal != cabal-install. “I came to Stack to avoid Cabal.” => stack actually uses cabal.

                              1. 1

                                I thought stack is invented to avoid cabal install, it’s the same as ruby’s gem install vs bundle (which uses gem internally). So I’m not sure what are use cases for stack install.

                                Nix is the same bundler, but for system-level packages, which is great and unifying, but I don’t understand why use it if your project and its dependencies are mostly in haskell.

                              1. 2

                                The (original) title is misleading.

                                I can’t help but imagine how different Android would be if various concepts from guix (or nix I guess) had predated Android 1.0.

                                1. 10

                                  I can’t help but imagine how different Android would be if various concepts from guix (or nix I guess) had predated Android 1.0.

                                  They did! The original Nix paper came out in 2006:

                                  https://nixos.org/~eelco/pubs/phd-thesis.pdf

                                  I’m always impressed that these ideas were explored 12 years ago. There’s been lots of thinking, and it’s paid off :)

                                  1. 3

                                    The project actually started at least three years before that: https://github.com/NixOS/nix/commit/75d788b0f24e8de033a22c0869032549d602d4f6

                                1. 6

                                  I was thinking about how we also could transpose this to FOSS projects. Maybe instead of using bug solving as an excuse to go through a new code-base we could use code-review.

                                  I’ll give it a try.

                                  1. 3

                                    It’s a great way to start contributing to a codebase. Highly recommended.

                                  1. 9

                                    @NinjaTrappeur is there something specific you’d like to relate about Readline?

                                    1. 9

                                      Yes, this C library is actually used by a lot of CLI utilities (zsh, bash, …), making all the keybindings listed in this Wikipedia article available in a lot of programs.

                                      For example, the Ctrl-_, Alt-l are actually really useful in a shell context.

                                      It is maybe common knowledge, but I just discovered that recently. I thought it may be useful for some other people. I was apparently wrong.

                                      I have trouble understanding why this is off-topic though.

                                      1. 14

                                        I was apparently wrong.

                                        I’m sure it is interesting to many people, I think it’s hard to understand your intention when you post a random wikipedia page though. Adding a description would probably help people appreciate the contribution more.

                                        1. 6

                                          You are right, I’ll try to be more clear when I share similar links in the future. Thanks for this helpful remark.

                                        2. 5

                                          zsh does not use readline afaik, it’s mostly used by gtk and glib applications for providing line editing, and other applications that choose to use it. Most of the features readline offers either imitate behaviour specified by the POSIX terminal interface or are quality-of-life emacs bindings, so they’re often supported in other software and especially in shells.

                                          1. 1

                                            Aha, you’re right! Thanks for the clarification.

                                      1. 5

                                        This really hits home. Thanks for sharing!

                                        1. 3

                                          none of which, I should add, support any open syndication standards.

                                          YouTube is exposing its channels’ content through RSS

                                          I agree with the idea of the article, but looks like an over-simplification to me. On the other hand, who really cares as long as the idea is clearly transmitted.

                                          1. 1

                                            If YouTube decides to remove RSS you can always use their API too.

                                          1. 5

                                            I just recently set up an MTA (OpenSMTPd) behind my Tor-ified network. Setting up an MTA behind Tor, especially when Tor is the authoritative DNS server on the network (as it should be in this setup), can be quite difficult to get right.

                                            Tor’s built-in DNS server does not support MX record lookups and returns a zero-record DNS result with an rcode of 4 (NOTIMPL). This causes MTAs like Postfix and OpenSMTPd to freak out. If the DNS server returned an rcode of 0 (NOERROR), OpenSMTPd would have fallen back to a simple A/AAAA lookup.

                                            I already had at my disposal a very special custom, modular DNS server that can perform any arbitrary action on a DNS request and on the corresponding response. I simply wrote a module for this DNS server that overwrote the response’s rcode to 0 if it was 4 prior to handing the response back to the originating client.

                                            I set my resolv.conf to point to my custom DNS server. My custom DNS server was configured to point to Tor as its upstream resolver.

                                            At that point, OpenSMTPd started working! I can now send emails to (almost) any domain, even other .onion servers. After sending some test emails, I found out that Google-hosted email services block MTAs behind Tor.
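The rcode rewrite described in the comment above, sketched as an added example; it is not the commenter's DNS server or module. All function names are hypothetical, the sample packets are constructed, and the optional `only_qtypes` restriction (for example MX only) is an addition the comment does not describe.

```python
import struct

RCODE_NOERROR = 0
RCODE_NOTIMP = 4          # the "rcode of 4" the comment refers to
QTYPE_MX = 15
# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035, 4.1.1)
HEADER = struct.Struct("!HHHHHH")


def rcode_of(msg: bytes) -> int:
    """Return the 4-bit rcode stored in the low bits of the flags word."""
    return HEADER.unpack_from(msg)[1] & 0x000F


def parse_question(msg: bytes):
    """Return (qname, qtype) of the first question, or None if malformed."""
    if len(msg) < HEADER.size or HEADER.unpack_from(msg)[2] < 1:
        return None
    labels, pos = [], HEADER.size
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        # A compression pointer is not expected in the first question name.
        if length & 0xC0 or pos + length > len(msg):
            return None
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype, _qclass = struct.unpack_from("!HH", msg, pos)
    return ".".join(labels), qtype


def rewrite_notimp(msg: bytes, only_qtypes=None) -> bytes:
    """Turn a NOTIMP response into NOERROR, leaving everything else intact.

    only_qtypes=None rewrites any NOTIMP response, as the comment describes.
    Passing e.g. {QTYPE_MX} limits the rewrite so that NOTIMP for other
    record types still reaches the client as a real failure.
    """
    if len(msg) < HEADER.size:
        return msg
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    is_response = bool(flags & 0x8000)            # QR bit
    if not is_response or (flags & 0x000F) != RCODE_NOTIMP:
        return msg
    if only_qtypes is not None:
        question = parse_question(msg)
        if question is None or question[1] not in only_qtypes:
            return msg
    flags = (flags & 0xFFF0) | RCODE_NOERROR
    return HEADER.pack(ident, flags, qd, an, ns, ar) + msg[HEADER.size:]


def build_sample(qname: str, qtype: int, rcode: int) -> bytes:
    """Construct a zero-answer response (sample data, not a capture)."""
    flags = 0x8000 | 0x0100 | 0x0080 | rcode      # QR, RD, RA + rcode
    name = b"".join(bytes([len(p)]) + p.encode("ascii")
                    for p in qname.split(".")) + b"\x00"
    return (HEADER.pack(0x1234, flags, 1, 0, 0, 0)
            + name + struct.pack("!HH", qtype, 1))


if __name__ == "__main__":
    upstream = build_sample("example.org", QTYPE_MX, RCODE_NOTIMP)
    fixed = rewrite_notimp(upstream, only_qtypes={QTYPE_MX})
    print(parse_question(fixed), "rcode", rcode_of(upstream), "->", rcode_of(fixed))
```

With the answer count still zero, the client sees an empty NOERROR reply for the MX query, which is the condition under which the comment says OpenSMTPd falls back to an A/AAAA lookup.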

                                            1. 1

                                              Wow, that’s a great writeup, thanks. The more I read about PF, the more I want to install a BSD on my router…

                                              Are you still using this torified web access? Do you manage to keep your sanity despite the captchas? I find Cloudflare and Google really annoying when accessed through Tor.

                                              1. 3

                                                I’ve been sitting 100% behind my Tor-ified setup both at work and at home for around a year now. I use the Privacy Pass extension to help with captchas.

                                            1. 1

                                              I’ve been collecting resources for automating verification and/or synthesis of programs. Although plenty exist for data, there’s a lot less for control flow. They usually need some clean or at least precise way to specify it that a mechanical translation handles from there. I’m surprised I haven’t seen recursion schemes before this post since it superficially looks like it would help there. Maybe it could be built on CakeML or something.

                                              1. 3

                                                Have you read Functional Programming with Bananas, Lenses, Envelopes and Barbed Wire? I guess you might be interested in a more lang-neutral formalism of this same concept.

                                                1. 1

                                                  Thanks for the link. :)

                                                  1. 5

                                                    This may also be helpful while going through that paper: http://blog.ezyang.com/2010/05/bananas-lenses-envelopes-and-barbed-wire-a-translation-guide/

                                                    (Although, it brings it back into the Haskell domain, but still may be more comprehensible than some of the notation in that paper…)

                                              1. 3

                                                Does anyone know if there’s a simpler alternative to Google Analytics which only shows hit counts? For my site, all I’d love to know is which pages have been viewed how many times. I really don’t care about anything else.

                                                I wish Netlify would provide some sort of basic log analysis of static sites, telling me the view count of each page.

                                                1. 5

                                                  If you have access to your web-server logs, Goaccess may be a good candidate. It’s quite easy to use and not really intrusive.

                                                  1. 1

                                                    I actually don’t since I’m on Netlify. Otherwise this would be an ideal solution.

                                                    Most of the static websites are hosted on either Github Pages or Netlify and (as far as I know) neither of those allow you to see the access logs.

                                                    1. 4

                                                      You can host a 1x1 pixel on Amazon S3 and enable logging for the associated bucket. Add a query string to identify the current page. A simple transformation on the logs (to remove original URI, keeping only the one in query string) and you should be able to use GoAccess.

                                                  2. 1

                                                    Does anyone know if there’s a simpler alternative to Google Analytics which only shows hit counts?

                                                    I think what you’re looking for is a web counter from the 90’s :)

                                                    1. 1

                                                      I don’t! But this sounds like a good service for someone to provide. Something SUPER lightweight. Could even eventually show it on https://barnacl.es

                                                      1. 1

                                                        back in the days https://www.awstats.org/ was a thing

                                                        1. 1

                                                          It still is. I know quite a few customers who still use awstats.

                                                      1. 1

                                                        Can anyone ELI5 how this works? Does the Fediverse get a new fork in Tor-space? Or will Onion only users still be follow-able by those of us in the DNS driven fediverse?

                                                        Also is each Onion instance a Tor hidden service with all the implied security challenges that brings?

                                                        1. 3

                                                          Reading through the toots, it looks like HTTPS requests are being proxied into Tor and responses are being proxied out. The Pleroma author says they’ll have a blog post about this shortly.

                                                            1. 1

                                                              Ah interesting! So it’s definitely not an island. I’ll look forward to that post!

                                                              I admire the Pleroma folks, that project’s existence is a sound refutation of folks’ dismissal of Mastodon just because it’s a Rails project.

                                                              (Which, really, I mean Rails has its problems, and security issues are among them, but doesn’t every other web framework in existence?)

                                                          1. 2

                                                            Nice post.

                                                            I was waiting for the author to publish the remaining part before submitting this.

                                                            It’s been 2 months, looks like part 2 is not going to happen…

                                                            1. 9

                                                              If you don’t mind the tinfoil, this could well be a shakedown test to see how Russia might deal with partitioning of the network in a time of relative peace, before being surprised during some other time.

                                                              Then again, that’s the sort of idle speculation I’d give back in my HN days.

                                                              1. 3

                                                                Maybe not the intention, but I can’t imagine the data point would go unnoticed.

                                                                1. 3

                                                                  According to the timeline, it may seem related to Telegram.

                                                                  Here’s my tinfoil take :)

                                                                  Russia banned the Telegram app at the beginning of the month[1]. They basically blacklisted their domains.

                                                                  Telegram started to use the google app engine as a domain front [2].

                                                                  I guess Russia is trying to prevent domain fronting for future ban cases. I guess it is easier for them to send a takedown notice to a Russian cloud provider than sending that to an American one.

                                                                  [1]: https://www.nytimes.com/2018/04/13/world/europe/russia-telegram-encryption.html

                                                                  [2]: https://en.wikipedia.org/wiki/Domain_fronting

                                                                  1. 2

                                                                    Probably not the intention, because running the blocklist updates in that mode means that an external party can easily force a block of something critical inside Russia at the moment that neither the blocklist operators nor ISPs have spare capacity to react sanely. People who are qualified to understand your point also know that Roskomnadzor is not qualified to prevent the risk I describe.

                                                                    But some note-taking about unexpected dependency chains will be done anyway.

                                                                    1. 1

                                                                      If you were to pile some more tinfoil on, what else might we expect to see from Russian authorities?

                                                                    1. 3

                                                                      Ocaml does this with GADTs, AFAIK.

                                                                      1. 5

                                                                        Nice, I really need to look at Ocaml: Haskell GADTs cannot express that. (Plus: I am French, looks like I should at least acknowledge INRIA’s great work, I miss patriotism here :) )

                                                                        Out of curiosity, what would be the Ocaml type signature for the interpFormat function?

                                                                        1. 4

                                                                          I’m not sure exactly, but here is a slidedeck on how Printf works in Ocaml once it was moved to GADTs:

                                                                          https://ocaml.org/meetings/ocaml/2013/proposals/formats-as-gadts.pdf

                                                                          EDIT: Sorry that’s not a slide deck it’s a short paper. And I think the Ocaml version still requires the compiler to do some preprocessing, but now it turns it into what you would have to write by hand for the GADTs to work rather than doing all of the formatting type check logic in the compiler.

                                                                          1. 4

                                                                            Thanks for the link.

                                                                            The actual source code seems to be here: https://github.com/ocaml/ocaml/blob/trunk/stdlib/camlinternalFormat.ml#L57

                                                                            Once again, I am a rookie using OCAML (I just used it back when I was a student to be honest). I spent 20 minutes on it and still don’t fully understand this code. In conjunction with the paper you sent, this looks more like a macro system looping-back to the type system right? I think the same kind of trick is used by the Haskell singletons library (for nick, here are the associated papers :) ).

                                                                            In this Idris example, the “computations on the type level” is performed out of the box without the need of any workaround. That’s the part I found very neat, looks like way more usable than what I saw so far.

                                                                            But again, I’m not an expert on dependent types and never used them in the real world. Maybe @puffnfresh could confirm or infirm that.

                                                                            1. 4

                                                                              Yeah, that’s completely right. Idris doesn’t have anything in the compiler about printf, you can do meta programming because you can write types depending on values.

                                                                              The point of the video is not to extend Idris with a type-safe printf, the point is that you don’t have to extend Idris.

                                                                            2. 1

                                                                              Thanks. I liked the paper form better since it had a detailed description of the problem, a few solutions with pro’s/con’s, and then the final one. Might come in handy when bootstrapping systems considering different ways to handle functions like printf.

                                                                        1. 3

                                                                          Got this link from an article posted on this website. Sorry if you’ve already seen that, but I think this is a great showcase for dependent types.

                                                                          1. 7

                                                                            Hi thanks but I’ve already seen it :)

                                                                          1. 21

                                                                            There’s no wey Slack will let this exist for very long. They are interested in closing their platform, as we’ve seen with the IRC/XMPP gateway deprecations.

                                                                            1. 2

                                                                              I don’t think so. Wee-slack exists for nearly 4 years now, and to my knowledge, they did not have any problem so far.

                                                                              I guess the Streisand effect is on our side for things like this. Just look at popcorn time…

                                                                              1. 11

                                                                                (I was mostly posting for the wey pun. Sorry.)

                                                                                1. 4

                                                                                  Goddammit, I totally missed it ><

                                                                                2. 6

                                                                                  Wee-slack has an extremely niche appeal. They can afford to ignore things like that because the target market is tiny. I only hope that Wee-slack doesn’t get cut off when Slack does decide to kill this new one.

                                                                                  1. 4

                                                                                    Remember that a lot of companies didn’t have problems making compatible products until companies like Microsoft and Oracle were hitting them with copyright suits claiming API ownership or patent suits over core functionality. Any group is at risk in known and unknown ways if their work builds on proprietary work by a profit-motivated, selfish company. Double true on average if it’s public like Slack intends to be.

                                                                                    1. 2

                                                                                      Just set wee-slack up, it really seems to work pretty well, I had a bit of trouble with the tokens, but besides that it’s pretty sweet.

                                                                                    2. 1

                                                                                      And even if, then the best case scenario is still to be tolerated by the owners of a proprietary product while donating them free labor to play cat and mouse with their protocol.

                                                                                      This reminds me an awful lot of the times when I used GAIM (nowadays called Pidgin) because that allowed me to chat with my school friends on ICQ even though I was on Linux which wasn’t supported by ICQ itself. GAIM was really nice, but broke from time to time when ICQ modified the OSCAR protocol, until the developers caught up.