1. 7

    The author doesn’t mention it but the @<domain> argument to dig specifies what dns server to query. This is useful for learning but also debugging DNS caching problems.

    For example, my Unifi router is bad at DNS. When I create a new subdomain my router will not resolve it until I restart its DNS resolver (dnsmasq). How did I figure this out? By doing dig mysubdomain.example.org @1.1.1.1 and seeing the correct ANSWER (1.1.1.1 is Cloudflare) and then doing dig mysubdomain.example.org @192.168.0.1 and getting nothing (that private IP is my Unifi router/DNS server).
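The check described in the comment above (ask the same name of an upstream resolver and of the local one, then compare the answers), as an added example that is not part of the original comment. It builds and parses the DNS message with the standard library instead of shelling out to dig; the resolver addresses, the domain name and the embedded sample replies are constructed placeholders.

```python
import socket
import struct

# Constructed sample replies for the offline checks below. The first is what a
# correctly resolving upstream might return for an A query; the second is an
# NXDOMAIN (rcode 3) with no answers, i.e. the "getting nothing" case.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)          # header: QR=1, RD=1, RA=1
    + b"\x0bmysubdomain\x07example\x03org\x00" + struct.pack("!HH", 1, 1)  # question A IN
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])  # answer
)
SAMPLE_NXDOMAIN = (
    struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
    + b"\x0bmysubdomain\x07example\x03org\x00" + struct.pack("!HH", 1, 1)
)


def build_query(name, txid=0x1234):
    """Build a minimal recursive A query, the same message `dig name @server` sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), end


def parse_a_records(msg):
    """Return (rcode, sorted IPv4 answers) from a DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0x000F, 12
    for _ in range(qd):               # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, sorted(addrs)


def query(name, server, timeout=2.0):
    """Send the query over UDP to `server`, like `dig name @server`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)


def compare(upstream, local):
    """Classify the local resolver's answer against the upstream one."""
    up_rcode, up_addrs = upstream
    _, lo_addrs = local
    if up_rcode != 0 or not up_addrs:
        return "not-resolvable-upstream"   # nothing to compare against
    if lo_addrs == up_addrs:
        return "consistent"
    if not lo_addrs:
        return "missing-locally"           # the stale-cache symptom from the comment
    return "stale-or-different"


if __name__ == "__main__":
    # Placeholder values; replace with your own name and resolvers.
    upstream = query("mysubdomain.example.org", "1.1.1.1")
    local = query("mysubdomain.example.org", "192.168.0.1")
    print(upstream, local, compare(upstream, local))
```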

    1. 7

      The main impact _why had on my life is that I will never forget that “addiction is like Pokemon!”

      1. 11

        Whenever people mention _why, I immediately think of Mark Pilgrim. While his book Dive Into Python isn’t nearly as whimsical as _why’s, it was many people’s first introduction to Python. Similarly, Dive Into HTML5 was a critical reference if you didn’t want to have to parse the W3 specification.

        Similar to _why, Pilgrim also removed himself from the Internet. Incidentally, one of his essays is entitled “Addiction is…”; he was fired for writing it.

        1. 4

          I read _why’s poignant guide, but it was a slog and didn’t actually get me programming again. I read Dive Into Python and that was what set me on the path to professional programming. Mark was a real one.

          1. 3

            I didn’t know Pilgrim’s story. I miss his posts.

            1. 1

              Ah. I remember Mark, but wasn’t looped into that community enough to actively notice his disappearance (if that makes sense). I think I read Dive Into HTML5.

              I’m pretty close to joining the “computers were a terrible mistake” club myself, but for the moment, it’s how I keep my family fed.

          1. 35

            TL;DR: They stopped sending reverse deltas for rollback and now generate them on-the-fly during installation.

            1. 16

              They gotta be kidding, right?

              We discovered that these transforms and patches can be “observed” by the delta apply step

              “DISCOVERED”. No shit Sherlock! Also, easy to miss icing on the cake at the end of the article:

              [1] The approach described above was filed on 03/12/2021 as U.S. Provisional Patent Application No. 63/160,284 “REVERSE UPDATE DATA GENERATION”

              1. 7

                You clearly haven’t worked at a BigCorp or you’d know they force you to patent anything no matter how trivial. I have several such patents to my name, which I would be embarrassed to link to (the patent plaques I got went straight into the trash). All the nontrivial ideas I’ve had (some of which have shown up in research papers) have never been patented, to the best of my knowledge.

                1. 3

                  There is no pressure to patent things at Microsoft.

                  1. 1

                    I wasn’t pressured, I was just told “sign on the dotted line”. Ditto at Amazon. I’m sure things are no different at GOOG or FB. Big companies are forced to maintain an arsenal of defensive patents for strategic reasons, so I can’t blame them for responding to incentives.

                  2. 2

                    Can you just put references to the prior art in the patent application and save the examiner some time?

                    1. 2

                      Yep. An old colleague of mine has a patent for “generating a receipt after a transaction, but not showing the receipt to anyone at the time just storing it somewhere where it’ll get aggregated into a big receipt database” or something to that effect.

                    2. 6

                      That reminds me of those patch notes when after more than two decades, the Internet Explorer engineers discovered that the DOM can be stored in memory as a tree instead of a long string that contains all the elements [1]. Kind of a “car mechanic discovers the concept of a wheel” moment. The fact that this was a noteworthy thing a few years ago blew my mind. No wonder Internet Explorer was left in the dust by its competitors.

                      [1] https://blogs.windows.com/msedgedev/2017/04/19/modernizing-dom-tree-microsoft-edge/

                      1. 7

                        Using a string data structure (a highly optimized one mind you) for the DOM wasn’t a stupid decision at all back when the DOM really was “just text” and programmatic DOM manipulation wasn’t really a thing.

                        1. 1

                          Very true, though IE sucked at it even then. :-P

                    3. 3

                      That’s surprisingly sensible! You can probably generate the rollback delta as you apply the forward patch.

                    1. 5

                      Welp, here we go again.

                      Is Orion open-source?

                      Not yet, but we plan for it to be when we are ready to receive the benefits of open-sourcing Orion.

                      https://browser.kagi.com/faq.html

                      I’d want more details + commitments regarding their plans to open source the browser before I use it. If there are no commitments, how can they be held accountable, and how can people tell if they are following through with their promises or not (and therefore whether they are trustworthy or not)?

                      1. 5

                        before I use it

                        So you already use iOS or macOS? Clearly closed source hasn’t stopped you before ;)

                        1. 6

                          Here’s my comment from the previous thread:

                          Although I’m not a FOSS purist (I’m typing this on a Mac), I’m gradually moving everything I can towards open software and open hardware because I’ve been burned far too many times by proprietary crap being abruptly and arbitrarily discontinued with no recourse (among many other proprietary problems). I’m not willing to shoulder the switching costs when I learn to love this app and then it’s inevitably bought out by Facebook or @#$%ing Yahoo or something, and turned into an ad platform (ads in your terminal! innovation!) or just deleted (thanks for joining us on our incredible journey!). The right to fork is essential for any software my workflow depends on.

                          1. 3

                            I actually would understand your original comment better if you were a FOSS purist, because then I’d understand you had made the comment to try and spread the word to the proprietary heathens. As it stands I don’t see the point of making such a comment.

                            I sincerely don’t mean this in a mean way but your comment would be like chiming in a discussion of steak and saying “I’m not a vegetarian but I can’t believe that we’re talking about consuming this meat. We must be held accountable.”

                            Perhaps just an “FYI, for the curious, this is closed source: <relevant quote>” would be more sensible?

                            I’m only even saying all this because the presumption that everyone else is unwilling or should be unwilling to use proprietary software from so many on Lobsters is honestly just exhausting.

                            1. 1

                              OK, if we’re running with this metaphor, someone could want to reduce their meat consumption e.g. to reduce their GHG emissions, without being a vegetarian 100% of the time. That would be a valid choice, it would reduce the harm they cause even if they do not achieve “perfection.” As George Monbiot said,

                              Hypocrisy is the gap between your aspirations and your actions. Greens have high aspirations – they want to live more ethically – and they will always fall short. But the alternative to hypocrisy isn’t moral purity (no one manages that), but cynicism. Give me hypocrisy any day.

                              Frankly, harm reduction is the best we can do most of the time; under our harmful capitalist system most choices cause some harm somewhere, and our time is better spent trying to change the system rather than eke out the marginal best choice as a consumer. Cory Doctorow says we need to stop conceiving of ourselves as ambulatory wallets.

                              In real life I am a vegetarian, I have never eaten meat because I was raised by vegetarians. I was not raised by FOSS purists, so I do not find it easy to eliminate proprietary software from my life, unlike meat, which I’ve never had and therefore do not miss.

                              I am saying that I currently use some proprietary software and have no immediate plans to eliminate it, but I would like to reduce the amount of proprietary software I use, so I am generally unwilling to add new proprietary software to my workflow.

                        2. 2

                          Orion founder here.

                          I believe the commitment is there already in the sentence you quoted (“when we are ready to receive the benefits of open-sourcing”). That means that we’d like to have a benefit that would outweigh the risk and resource investment needed for maintaining an open-source project. I understand if that may sound vague to you, but that is the best I can do right now.

                          What I can say though is that closed-source projects are in general less likely to be discontinued than open-source ones. The reason is that running an open source project requires additional resources that many smaller startups do not have. Doing what we do (focus on product and move to open source only when the benefit outweighs the risk) actually increases the chances of Orion succeeding and should address your main concern in a positive way.

                          Please let me know if this makes sense and if not what do you think we should address further.

                          1. 2

                            The reason is that running an open source project requires additional resources that many smaller startups do not have

                            I disagree here because I think that you are conflating four things:

                            • Providing an open-source codebase.
                            • Maintaining an open-source project.
                            • Managing an open-source community.
                            • Monetising an open-source codebase.

                            The first of these requires fewer resources than maintaining a proprietary codebase because the hosting and CI tools are free from companies like GitHub for open source but not for proprietary. The requirements for this are simply that your code is somewhere where people can download it, under an appropriate license. This doesn’t require you to make it easy to build, to provide contributor documentation, or to accept community contributions. It does require you to ensure that your code is of a quality that you’re happy to have other people read, that you aren’t relying on security by obscurity, and that you actually have the rights to all of the code that you’re distributing. If you’re not doing these things anyway then I would have deep concerns about your product’s viability.

                            Maintaining an open-source project is more effort. You need to have some docs that let people build the code, you need to have a build system that isn’t tied to internal things. These are also valuable for a proprietary project because they help onboarding (you do intend to hire new developers at some point, right?). It also requires you to spend some time reviewing PRs and issues from external contributors. These can be of variable quality and so may be a net drain. In my experience, they’re generally a net positive (for the bad ones, it doesn’t take much effort to reply with ‘Thank you for the report but this doesn’t give us sufficient detail to reproduce the bug, please can you add some more information?’ and close it if they don’t reply in a couple of weeks). You may also need some form of CLA and other legal overhead. Building a pool of external folks who are already familiar with your codebase is great for having a strong hiring pipeline and external contributors can often multiply the impact of your in-house expertise (remember that far more smart people don’t work for you than do) but this isn’t free.

                            Managing an open-source community is a lot harder. This generally isn’t a problem until you have a lot of external contributors.

                            Monetising open source is a lot harder. Proprietary software is built on a fundamentally flawed economic model: You do something hard (write software) for free and then charge money for doing something easy (copying software). In spite of that, it works moderately well because consumers understand it by analogy with physical goods. Making money from an open-source codebase requires you to either come up with a model where people pay you to write the code (e.g. allow subscribers to vote for feature requests and implement them once they have a certain number of votes) or to give away the software and sell some value-added service (a lot of cloud providers, for example, contribute to open source so that they have a big pool of things potential customers want to run on their infrastructure).

                            If you don’t have a way of monetising the project after it’s been open sourced then the only possible plan for your company is an exit strategy involving a company in a complementary market buying you and paying you to develop the program as open source. In your case, the only possible company I see here is Apple (making macOS more attractive may sell more Macs) but I don’t see them wanting to pay for an open source Safari competitor. From the FAQ, it looks as if your path is to sell a subscription that is effectively the same as the free version (you get to beta-test buggy versions and communicate with the devs, but if it’s an open-source project then I can build my own nightly versions and file issues / PRs, so that’s not really a win, and if I’m paying I don’t want to be beta testing I want the reliable version). I’ve seen a few companies try this model but I’ve never seen one succeed (and I’ve contributed to a few of them).

                            1. 2

                              As for the vagueness, it’s fine, it’s nice that you intend to open source it eventually, I’m just saying that I probably won’t use it while the plans remain vague.

                              Some more concrete goal or timeline would make me feel more comfortable using a product that is not yet open source. For example, say “we need to make more money than we’re burning before we can invest the time+energy to make this a proper open source project”, and then publish your financial progress, as SourceHut sometimes does. (In terms of building faith that your business will continue to exist, being open about finances seems like a good idea anyway.)

                              Or, if you know you’ll be OK if you make it through this year, say “we’ll start open sourcing things piecemeal beginning next year”, and people can check your repo to see if things begin getting added at that time. Basically, provide some signposts to set expectations, and lay out intermediate steps between 0% open source and 100% open source so that people can follow your progress and feel confident that you will get there eventually, that there is forward movement. Otherwise it’s easy to dismiss as empty marketing promises.

                              1. 1

                                I’m not sure you understand my main concerns. Two of the top reasons why I want to use open source software are:

                                1. Can the community continue to develop Orion if your business fails? I don’t care as much as you presumably do about managing the likelihood of your business failing, frankly I expect most businesses to fail at some point. The question is, what happens after that?
                                2. Can the community fork the project if you become evil? Your business could be very “successful”, but make lots of money by doing terrible things, and I want the option to stop supporting you if that happens.

                                There are a number of other reasons I think open source is vital, such as the right to repair and stop throwing away electronics due to forced obsolescence during the climate crisis, but those two are the most relevant to this thread.

                                1. 0

                                  Well put, I agree both of these arguments are valid and sensible.

                                  I can also notice that if one was to follow these expectations religiously, they would be left out of some of the best things in an internet user’s life - macOS and iOS, Google and DuckDuckGo (depending on which camp you are in), Flickr and Tumblr, Github and Reddit, iCloud Mail and Gmail, YouTube and Wikipedia, Instagram and Twitter …

                                  If you already made a leap of faith for some of these closed-source software projects, I hope you can consider making one for Orion too!

                                  1. 2

                                    Now that I think about it, the properties you list also contain excellent examples of why I’m concerned about building to last on a proprietary foundation.

                                    You list Google and Gmail, but you’re not listing all of the products that Google has killed off. It’s a timely concern, since apparently Google is adding RSS feeds to Chrome again, which has reminded everyone of when Google single-handedly destroyed the RSS ecosystem by achieving world domination with Google Reader and then killing it. If these products had been open source and built with the help of the community, they might have survived, even if their market was too small to interest Google, or opposed to Google’s financial interests.

                                    It’s also interesting that you list Flickr and Tumblr, two websites I once loved that were destroyed by Yahoo. They have made partial recoveries under new management, but they are shadows of their former selves. If the founders had gone for some form of exit to community instead of selling to a corporate overlord that cared nothing for what they had built, those potentially revolutionary platforms might be much more relevant today.

                                    TL;DR: Talking about the wonderful things that exist today shows some survivorship bias, you’re ignoring all of the dead products. And many of these could be much better products with stronger communities today if they weren’t built on a proprietary corporate model.

                                    1. 2

                                      Are you saying that Wikipedia is not open source? MediaWiki is GPLv2 licensed software, and the content is licensed under Creative Commons Attribution-ShareAlike. It’s hard to think of a better example of the benefits of collaborative culture and FOSS.

                                      I also have to question your description of these things as the best things in an internet user’s life. Nowadays, people frequently talk about doing a digital detox, because the internet is toxic to your mental health. Why is that? The sites you listed must take some responsibility. People may need to use these products in order to survive, but that doesn’t make them good, or good for the people using them, any more than a coal miner being forced to risk black lung disease in order to feed their family is “benefiting” from coal.

                                      Many of these corporations are also responsible for real-world death and destruction, to a degree that is too depressing to list here. The lack of accountability and ethics among these names is shocking and horrifying, and they illustrate perfectly why the right to fork for ethical reasons is essential.

                              1. 9

                                I don’t like the examples simply because you’re using a lot of filler text in a work environment where everyone’s just trying to get things done.

                                You: What titles? Yeah, I can definitely do that. What products are you wanting on there?

                                To me makes much more sense as something like “We might be able to, which titles?”. It doesn’t suggest you have time for it, it doesn’t suggest you’re promising to do it (never promise, surely), and it saves you reiterating their question.

                                You: We haven’t touched prices today. Hmm, I haven’t had anyone mess with prices today. What products are involved? I’ll check it out

                                Again, why not just “The prices have changed?” and maybe “Which products, buddy?” if they reply with a dry “yeah”. What’s with all the unnecessary verbosity? The corporate nicety is something we can all see through, and we have to spend time extracting the core message from “friendly” messages just as if they were sarcastic or unkind messages. Let’s just skip that part entirely.

                                1. 16

                                  nicety

                                  A “nicety” is a small or precise detail, not the state of being nice; that’s “niceness.”

                                  What’s with all the unnecessary verbosity?

                                  Human communication is filled with redundancy; English especially. We do not communicate using minimal ASTs because the signal-to-noise ratio in all of our communication channels is very poor. Adding some additional information requires adding many additional words. When the post suggests “Hmm, I haven’t had anyone mess with prices today. What products are involved? I’ll check it out”, that’s communicating more than “The prices have changed?”. It communicates, “I am surprised to hear this and doubt it’s related to anything I have control over. Give me some more information so I can work on it - but it’s not a bother and I’m not trying to get rid of you, which would be a reasonable reading of that question.”

                                  You may not want to provide that reassurance and context-setting, but it’s not reasonable to say that it’s “unnecessary verbosity.”

                                  1. 11

                                    Perfectly said!

                                    And if you understand what @mtset said but still can’t imagine why you would want to convey all that, just remember that you might not benefit from all that information but the recipient might, and perhaps far more often than you realize. Some examples:

                                    • I worked with a software quality tester who always felt like bringing problems to programmers made him a burden. The total lack of explicit, POSITIVE receptivity to their bug reports over a long period of time created that feeling, and that’s reasonable.
                                    • I worked with a developer who was absolutely terrified of messaging senior developers on the team because he was afraid of how his questions would be perceived. Being explicit that those questions are welcome was almost as important for this person’s career as answering the questions.
                                    • Program Managers often have no idea how a request will be received because they often don’t know the magnitude of what they are asking, in terms of investment required. Every interaction you have with a person where you have a lopsided amount of information means they will be happy to get all that extra context.

                                    Etc…

                                    1. 8

                                      The key thing that is communicated with all the extra words is “Even if I’m not sure I agree, your input is valid and I am taking it seriously.”

                                    2. 7

                                      Again, why not just “The prices have changed?” and maybe “Which products, buddy?” if they reply with a dry “yeah”. What’s with all the unnecessary verbosity?

                                      The author’s suggestion means something completely different than yours and the distinction is important. His response (nicely) indicates “That assumption sounds wrong but I’ll engage in figuring out the problem regardless” because ultimately the assumption being right or wrong is totally irrelevant.

                                      And fwiw, “buddy” is never taken as friendly in most parts of the US (particularly the east coast) as it will be perceived as sarcastic friendliness.

                                      1. 1

                                        Okay, s/buddy/<your regional slang here>/, no big deal?

                                      2. 6

                                        we have to spend time extracting the core message from “friendly” messages just as if they were sarcastic or unkind messages.

                                        The core message alone can easily be misinterpreted as negative/sarcastic/unkind — our brains are predisposed to discover threats. Look up “negativity bias.” In spoken communication there is usually enough metadata in the form of facial expressions or at least tone of voice, but textual communication is very easy to misconstrue.

                                        1. 4

                                          “Manners – simple things like saying ‘please’ and ‘thank you’ and knowing a person’s name or asking after her family – enable two people to work together whether they like each other or not. Bright people, especially bright young people, often do not understand this. If analysis shows that someone’s brilliant work fails again and again as soon as cooperation from others is required, it probably indicates a lack of courtesy – that is, a lack of manners.”

                                          From “Managing Oneself” (1999) by Peter Drucker

                                          1. 1

                                            The examples lacked please/thank you also. I’m not arguing for the removal of politeness, but stripping unnecessary content.

                                        1. 12

                                          @hwayne, “Sup nerds” is my opening, dammit.

                                          1. 10

                                            Clearly, ‘sup nerds’ is not meant here in its commonplace profane meaning: it is intended as an opening invocation akin to the Homeric ‘Muse, sing me’, and in this modern, altered, form calls down the blessing of 2500 years of dieting scholars (‘sup nerds’).

                                            1. 1

                                              Are you Anna Kendrick’s character from Pitch Perfect?

                                            1. 2

                                              Thanks for the hard work as always and for shipping this UI improvement, about which I have absolutely no criticism or feedback of any kind.

                                              1. 22

                                                I’ll never understand why WSL wasn’t named “Linux Subsystem for Windows”.

                                                1. 21

                                                  Because Windows has historically had several subsystems, including the OS/2 subsystem, POSIX subsystem, and, most famously, the Win16 subsystem, which were all called e.g. “Windows Subsystem for OS/2”. WSL1 built on roughly the same model, and so ended up with a similar name. WSL2 is entirely different, but we’ve got the name stuck now.

                                                  Note, I’m not really disagreeing with you, but just explaining that this naming convention is just how Windows has named its subsystems for a long time.

                                                  1. 4

                                                    Would it have made more sense to call it “OS/2 Subsystem for Windows?” Or is there some reason the reverse made more sense?

                                                    1. 6

                                                      Back in the 90s, when this showed up with the first versions of Windows NT, the word “applications” was either explicit or obviously implicit (I sincerely forget which) for all of these. So “Windows Subsystem for OS/2 Applications,” or “…for POSIX Applications,” if you will. At the time, Windows NT was trying to subsume minicomputer and (in some cases) mainframe environments, but not vice-versa, so the ambiguity the elision has in 2021 just didn’t exist in 92 or whenever this was.

                                                      1. 3

                                                        One wonders why the word “Windows” was not implicit too. Of course it is a Windows subsystem. It is a subsystem on your Windows. You don’t have subsystems for other operating systems on your Windows than for Windows. Otherwise it would not be a _sub_system, right?

                                                        1. 1

                                                          The Windows 2000 bootscreen would say “built on NT technology”. I always thought that was slightly amusing (I would have done the same though since not everyone knows that NT stands for “new technology”; most people in fact don’t know).

                                                          1. 1

                                                            “NT” did stand for New Technology but I think by the time W2000 rolled around it was just its own term - “Windows NT” was the server version of Windows.

                                                            1. 1

                                                              This joke was already running around ca. 2002 or so: https://imgur.com/a/UhSmCdf (this one’s a newer incarnation, I think). By that time the NT was definitely its own term. I remember people thinking it stood for “networking” as early as 1998 or so.

                                                  2. 5

                                                    This is from the company that named the phone they pinned all their iPhone rivalry hopes to the “Windows Phone 7 Series” so honestly I don’t think we can ask too much.

                                                    Think of it this way: you’d like it to be

                                                    (Linux Subsystem) for Windows

                                                    But instead it is:

                                                    Windows (Subsystem for Linux)

                                                    There’s just a missing apostrophe to denote possession that would fix it all:

                                                    Windows’ Subsystem for Linux

                                                    1. 2

                                                      but it’s not for linux, it’s for windows.

                                                      1. 2

                                                        Windows Subsystem for (running) Linux.

                                                        1. 1

                                                          but you don’t run linux (the kernel), you just run a GNU userland right?

                                                          (inb4 “I’d like to interject…”)

                                                          1. 2

                                                            In this particular case, WSL2 literally is purely about the Linux kernel. You can use any distro you want, including those with a BSD or Busybox userland.

                                                            1. 1

                                                              what does it mean to be “about the linux kernel”

                                                              1. 2

                                                                It is a Linux kernel running in a virtual machine. WSL1 was a binary compatibility layer, WSL2 is actually a VM running a Linux kernel.

                                                                1. 1

                                                                  I see, thanks

                                                    2. 2

                                                      My understanding is that by that point there were a few “Windows Subsystems” already, not necessarily implementing other OS APIs.

                                                      1. 1

                                                        There were originally 5, I think:

                                                        • Win32
                                                        • WOW – Windows on Windows – the Win16 subsystem
                                                        • DOS
                                                        • OS/2 (for text-mode apps only)
                                                        • POSIX (the NT Unix environment)

                                                        OS/2 was deprecated in 3.51 and dropped in 4.

                                                        64-bit NT drops the old WOW16 subsystem, but replaces it with WOW32 for running Win32 apps on Win64.

                                                        The POSIX subsystem has now been upgraded to be Linux-kernel compatible.

                                                        WSL 2 is different; it’s a dedicated Hyper-V VM with a custom Linux kernel inside.

                                                    1. 35

                                                      Unlike say, VMs, containers have a minimal performance hit and overhead

                                                      Ugh. I really hate it when people say things like that because it’s both wrong and a domain error:

                                                      A container is a packaging format, a VM is an isolation mechanism. Containers can be deployed on VMs or they can be deployed with shared-kernel isolation mechanisms (such as FreeBSD Jails, Solaris Zones, Linux cgroups, namespaces, seccomp-bpf and wishful thinking), or with hybrids such as gVisor.

                                                      Whether a VM or a shared-kernel system has more performance overhead is debatable. For example, FreeBSD Jails now support having per-jail copies of the entire network stack because using RSS in the hardware to route packets to a completely independent instance of the network stack gives better performance and scalability than sharing state owned by different jails in the same kernel data structures. Modern container-focused VM systems do aggressive page sharing and so have very little memory overhead and even without that the kernel is pretty tiny in comparison to the rest of a typical container-deployed software stack.

                                                      Running everything as root. We never let your code run as root before, why is it now suddenly a good idea?

                                                      This depends entirely on your threat model. We don’t run things as root because we have multiple security contexts and we want to respect the principle of least privilege. With containerised deployments, each container is a separate security context and already runs with lower privileges than the rest of the system. If your isolation mechanism works properly then the only reason to run as a non-root user in a container is if you’re running different programs in different security contexts within the container. If everything in your container is allowed to modify all state owned by the container then there’s no reason to not run it all as root. If you do have multiple security contexts inside a container then you need to think about why they’re not separate containers because now you’re in a world where you’re managing two different mechanisms for isolating different security contexts.

                                                      1. 22

                                                        I think you mean an image is a packaging format, whereas a container is an instance of a jail made up of various shared-kernel isolation mechanisms (including the wishful thinking) as you mentioned.

                                                        Yes, the terminology is unfortunate. My reimplementation of Docker calls it an “instance” rather than “container”.

                                                        1. 3

                                                          yeah, the “never run as root in your container” thing kills me

                                                          1. 9

                                                            IIUC that’s all because the way Linux isolates users (with the whole UID remapping into a flat range thing) is weird and there’s way too many security bugs related to that.

                                                            1. 1

                                                              I don’t know if this is still true, but part of where this advice comes from is that it used to be that running as root meant running as root on the host (i.e. the mechanism you’re talking about was not used by Docker). In theory this was “fine” because you could only get at stuff on the container environment, but it meant that if there was a container breakout exploit you were unconfined root on the host. So running as non-root in the container meant that you’d have to pair a container breakout with a privilege escalation bug to get that kind of access.

                                                              In other words: the isolation mechanism did not work properly.
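The distinction drawn above (root inside the container being host root unless the runtime maps it into a user namespace) can be checked from inside a process by reading its uid_map. This is an added example, not code from anyone in the thread; the function name is mine and the sample mappings are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Each line of /proc/<pid>/uid_map reads
# "<ns_start> <host_start> <count>". A process in the initial user namespace, or
# in a Docker container without userns-remap, sees "0 0 4294967295": uid 0 inside
# is uid 0 on the host, so a container breakout lands as unconfined host root.
# With user namespaces in use, uid 0 maps to an unprivileged host uid instead.

classify_uid_map() {
  # $1: contents of a uid_map (one or more lines); prints one of
  #   host-root              uid 0 inside == uid 0 on the host
  #   remapped-root:<uid>    uid 0 inside is host uid <uid>
  #   unmapped-root          no mapping covers uid 0 (root cannot even exist here)
  map=$1
  result="unmapped-root"
  # Only a range starting at 0 can contain uid 0, since starts are non-negative.
  while read -r ns_start host_start count; do
    if [ -z "$ns_start" ]; then
      continue
    fi
    if [ "$ns_start" -eq 0 ]; then
      if [ "$host_start" -eq 0 ]; then
        result="host-root"
      else
        result="remapped-root:$host_start"
      fi
      break
    fi
  done <<EOF
$map
EOF
  echo "$result"
}

# Standalone run: classify the process this script runs in (Linux only), and
# show the constructed samples so the output is meaningful on any system.
if [ -r /proc/self/uid_map ]; then
  echo "this process: $(classify_uid_map "$(cat /proc/self/uid_map)")"
fi
echo "constructed '0 0 4294967295'      -> $(classify_uid_map '0 0 4294967295')"
echo "constructed '0 100000 65536'      -> $(classify_uid_map '0 100000 65536')"
echo "constructed '0 1000 1 / 1 100000 65536' -> $(classify_uid_map "$(printf '0 1000 1\n1 100000 65536')")"
```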

                                                          2. 1

                                                            That’s interesting. I haven’t actually bench tested the two in years. I’ll have to revisit it.

                                                            1. 1

                                                              You might want to have a look at NVIDIA’s enroot or Singularity for some lower-overhead alternatives. I’ve briefly looked at enroot after I saw the talk about Distributed HPC Applications with Unprivileged Containers at FOSDEM 2020, but sadly haven’t gotten a chance to use them at work yet.

                                                              1. 2

                                                                Have you tried https://github.com/weaveworks/ignite to just run a docker image in a VM instead of a container?

                                                                1. 1

                                                                  No, haven’t stumbled across that before. Thanks, that looks very interesting!

                                                                  1. 1

                                                                    That seems interesting. I wonder what benefit it provides compared to the shared-kernel isolation mechanism used by docker run <container>. Do I get stronger isolation, performance boost, or something else?

                                                                    1. 2

                                                                      I think there are always tradeoffs, but a VM may be easier to reason about than a container still. It’s a level of abstraction that you can apply thinking about a single computer to.

                                                                      I do think that you get stronger isolation guarantees too. You can also more easily upgrade things, so if you have a kernel vulnerability that affects one of the containers, you can reload just that one. There are many issues that affect hypervisors only or guests only.

                                                                      At launch we used per-customer EC2 instances to provide strong security and isolation between customers. As Lambda grew, we saw the need for technology to provide a highly secure, flexible, and efficient runtime environment for services like Lambda and Fargate. Using our experience building isolated EC2 instances with hardware virtualization technology, we started an effort to build a VMM that was tailored to run serverless functions and integrate with container ecosystems.

                                                                      It also seems like a compromise between the user interface for a developer and an operations deep expertise. If you have invested 15 years in virtualization expertise, maybe you stick with that with ops and present a container user interface to devs?

                                                                      For me, one of the big things about containers was not requiring special hardware to virtualize at full speed and automatic memory allocation. You’re never stuck with an 8GB VM you have to shut down to prevent your web browser from being swapped out when you’re trying to open stack overflow. You know 8GB was suggested, but you also see that only 512MB is actually being used.

                                                                      Most hardware these days has hardware acceleration for virtualization and firecracker supports the virtio memory ballooning driver as of Dec 2020, so many of the reasons I would have used containers in 2013 are moot.

                                                                      As an ops person myself, I find containers to often have an impedance mismatch with software defaults. Why show a container that is limited to two cores that it has 64 cores? Haproxy will deadlock itself waiting for all 64 connection threads to get scheduled on those two cores. You look in there and you’re like ‘oh, how do I hardcode the number of threads in haproxy now to two…’. It’s trivial with haproxy, but it’s not default. How many other things do you know of that use nproc+1 and will get tripped up in a container? How many different ways do you have to configure this for different runtimes and languages?
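One way to see the nproc mismatch described above on a cgroup v2 host: read cpu.max and derive the CPU count the quota actually allows, which is the number to feed a thread-count setting instead of nproc. Added example, not from the thread; the function name is mine and the cpu.max strings in the standalone run are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Under cgroup v2 a container's CPU limit is in
# cpu.max as "<quota> <period>" in microseconds, or "max <period>" when unlimited.
# nproc only reflects the CPUs the process may be scheduled on, so a two-CPU quota on
# a 64-core host still reports 64, and anything sized on nproc over-provisions.
# (On cgroup v1 the same values live in cpu.cfs_quota_us and cpu.cfs_period_us.)

effective_cpus() {
  # $1: contents of cpu.max; $2: CPU count visible to the process (e.g. nproc output)
  quota=${1%% *}
  period=${1##* }
  visible=$2
  if [ "$quota" = "max" ]; then
    echo "$visible"
    return 0
  fi
  # Round up: a quota worth 1.5 CPUs of time still needs two threads to consume it.
  cpus=$(( (quota + period - 1) / period ))
  if [ "$cpus" -lt 1 ]; then
    cpus=1
  fi
  # The quota can never exceed what the scheduler lets the process touch.
  if [ "$cpus" -gt "$visible" ]; then
    cpus=$visible
  fi
  echo "$cpus"
}

# Standalone run: use the real cpu.max when inside a cgroup v2 container, otherwise
# fall back to a constructed sample (a 2-CPU quota on a 64-core host).
if [ -r /sys/fs/cgroup/cpu.max ] && command -v nproc >/dev/null 2>&1; then
  echo "usable: $(effective_cpus "$(cat /sys/fs/cgroup/cpu.max)" "$(nproc)") of $(nproc) visible CPU(s)"
else
  echo "constructed '200000 100000' with 64 visible -> $(effective_cpus '200000 100000' 64) usable CPU(s)"
fi
```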

                                                              2. 1

                                                                Containers can be deployed on VMs

                                                                OT because I agree with everything you said, but I have yet to find a satisfying non-enterprise (i.e. requiring a million other network services and solutions).

                                                                Once upon a time, I was sure VMware was going to add “deploy container as VM instance” to ESXi but then they instead released Photon and made it clear containers would never be first-class residents on ESXi but would rather require a (non-invisible) host VM in a one-to-many mapping.

                                                                1. 2
                                                                  1. 1

                                                                    We use this at my work (Sourcegraph) for running semi-arbitrary code (language indexers, etc.), it works really well.

                                                              1. 6

                                                                Disgusting work. And the security angle is pure BS. Its entire purpose is to deny us our computing freedom. To “protect” the code from us like we’re some adversary.

                                                                This will only be used by scammers and those who now try to block right clicks with an alert()

                                                                1. 6

                                                                  I don’t think this is about how to make your website more secure. This is a “hey, here’s shit evil people could do, you need to be aware of it” kind of thing.

                                                                  1. 5

                                                                    Disgusting work.

                                                                    I think this is great, assuming browser vendors are willing to fix it. @freddyb Do you know if firefox is vulnerable to this too?

                                                                    1. 3

                                                                      I think treating this sort of thing as a vulnerability that can be fixed is a losing battle.

                                                                      1. 4

                                                                        Why? Browser vendors are already implementing pretty good js environment segregation for webextensions, I can’t imagine why they wouldn’t be able to do the same for debuggers.

                                                                        1. 2

                                                                          I think those issues can be treated as fixable, but I don’t think they will all be fixed. Most of the things in part 2 are about calling into site-code (e.g., overridden prototypes), which I consider possible. But some of the things posted here (and in part 1) are hard to resolve. Especially when they cause additional second-level side-effects like source map URLs, the layout shift that comes from enabling DevTools etc.

                                                                          I’ll try to get a definite answer from the team though :)

                                                                        2. 1

                                                                          if that’s the case then it’s an admission of defeat

                                                                    1. 2

                                                                      Co-locating GraphQL queries with the thing that wants the data is truly such an amazing pattern for solving data over-fetching.

                                                                      The one downside to this approach (that also sort of exists with the old, conventional approach) is that you (the server maintainer) don’t own the webhooks and their queries, so you need some sort of versioning scheme or some way of handling backwards compatibility when you need to break a query. Or you need to never break queries (like Facebook and their mobile apps).

                                                                      1. 20

                                                                        It’d be nice to have some actual background on hashing in here instead of just broad generalizations and links to various hash functions. Examples:

                                                                        • There’s no mention of cyclic redundancy checks and why they are not valid as crypto functions (a mistake some programmers have made).
                                                                        • There’s no mention of avalanche effects, which is a good way of seeing how “random” a digest scheme is (with some implications for how well the output can be predicted/controlled by an attacker).
                                                                        • The mentioned attack on JSON hash tables in PHP (if you dig into it) would’ve been a great place to talk about trivial hashes (e.g., f(x) = 0 or f(x) = x) and why they cause problems even in non-hostile environments, but that would’ve required more of an introduction to how hashing works…
                                                                        • Lots of usage of jargon like “non-invertible”, “collision-resistance”, “preimage attack resistance”, etc. which is probably inaccessible if your audience is programmers who “don’t understand hash functions”.
                                                                        • There’s not really an explanation about the differences/similarities of crypto-strong hash functions, password hash functions, and key derivation functions, other than a mention that there is some relation but which isn’t elaborated on at all.
                                                                        • There’s not really any useful information at all about perceptual hashing vs other forms of multimedia digest approaches–there’s just some Apple hate.
                                                                        • etc.

                                                                        Programmers might not understand hash functions, but infosec furries may also not understand pedagogy.

                                                                        (also, can you please cool it with the inflammatory article headlines?)

                                                                        1. 24

                                                                          Programmers might not understand hash functions, but infosec furries may also not understand pedagogy.

                                                                          Please don’t pick a fight. It seems more angry than friendly.

                                                                          1. 22

                                                                            Honestly I think it’s a valid concern. One of the biggest problems with the computer security world, as stated repeatedly by leading experts in the field, is communication and teaching.

                                                                            1. 23

                                                                              A valid concern would be “infosec experts may not understand pedagogy” but why call out “infosec furries” specifically? Unless we should be concerned about infosec furries in particular vs other infosec experts?

                                                                              Are these acceptable?

                                                                              • but infosec gays may also not understand pedagogy
                                                                              • but infosec women may also not understand pedagogy
                                                                              • but infosec people of color may also not understand pedagogy

                                                                              No. So why furries? People need to get over it and quit furry bashing. This isn’t acceptable behavior on Lobste.rs, and I’m tired of it.

                                                                              1. 3

                                                                                See elsewhere for the explanation; furry bashing doesn’t enter into it, though I see why you might have read it that way. Furries are internet denizens like the rest of us, with all that entails.

                                                                                1. 12

                                                                                  I agree with you that it’s a bad title.

                                                                                  I also think that you wouldn’t have reacted nearly this strongly to the title if it wasn’t a furry blog.

                                                                                  1. 11

                                                                                    I read your other comments. But you said what you said, and that undermines all your pontificating about the harm of “insulting/demeaning a group” and “the sort of microaggression/toxicity that everybody talks so much about.” Take your own advice.

                                                                                  2. 2

                                                                                    “Furry” is a kink, not an identity or protected class. And normally you have to get people’s consent before you bring them into your kink.

                                                                                    1. 7

                                                                                      I don’t see any sexual imagery in this blog post.

                                                                                      1. 2

                                                                                        The OP’s site has some pretty well reasoned and presented articles on precisely why “furry” cannot reasonably be summarized as “a kink”.

                                                                                        And, no, you do not “normally” have to get someone’s consent to introduce them to the idea of your kink, unless said introduction involves you engaging them in the practice of your kink.

                                                                                      2. 1

                                                                                        Sorry, I didn’t realize the “furry” part was what you were opposed to. It sounded like you were upset with the implication that the infosec world is bad at teaching.

                                                                                  3. 6

                                                                                    Programmers might not understand hash functions, but infosec furries may also not understand pedagogy.

                                                                                    (also, can you please cool it with the inflammatory article headlines?)

                                                                                    https://www.youtube.com/watch?v=S2xHZPH5Sng

                                                                                    1. 10

                                                                                      One of the things he talks about there is testing the hypothesis and seeing which title actually worked. I only clicked this link because I recognized your domain name and knew you had written interesting articles in the past and might legitimately explain something I didn’t know. If not for that, I probably would have bypassed it since the title alone was not interesting at all.

                                                                                      1. 9

                                                                                        Even so, it is still possible to write clickbait titles that aren’t predicated on insulting/demeaning a group.

                                                                                        • “Hash functions: hard or just misunderstood?”
                                                                                        • “Things I wish more programmers knew about hashes”
                                                                                        • “Programmer hashes are not infosec hashes”
                                                                                        • “Are you hashing wrong? It’s more common than you might think”
                                                                                        • “uwu whats this notices ur hash function”

                                                                                        How would you feel if I wrote “Gay furries don’t understand blog posting”? Even if I raise good points, and even if more people would click on it (out of outrage, presumably), it would still probably annoy a gay furry who wrote blogs and they’d go in with their hackles raised.

                                                                                        1. 8

                                                                                          The important difference between what I wrote and your hypothetical is the difference between punching up and punching down.

                                                                                          My original title was along the same lines as “Falsehoods Programmers Believe About _____” but I’ve grown a distaste for the cliche.

                                                                                          1. 7

                                                                                            The difference between “Programmers don’t understand hash functions” and “Gay furries don’t understand blog posting” is quite obvious to me and I definitely don’t want to engage in whatever Internet flame is going on here. Especially since, uh, I have a preeetty good idea about what the problem here is, and I tend to think it’s about gay furries, not article titles, which is definitely not a problem that I have. (This should probably be obvious but since I’m posting in this particular thread, I wanted to make sure :P).

                                                                                            But I also think this title really is needlessly nasty, independent of how it might be titled if it were about other audiences. It’s a bad generalisation – there are, in fact, plenty of programmers who understand hash functions – and it’s not exactly encouraging to those programmers who want to get into security, or who think their understanding of these matters is insufficient.

                                                                                            I am (or was?) one of them – this was an interest of mine many, many years ago, at a time when I was way too young to understand the advanced math. My career took me elsewhere, and not always where I wanted to go, and I tried to keep an eye on these things in the hope that maybe one day it’ll take me there. Needless to say, there’s only so much you can learn about these topics by spending a couple of evenings once in a blue moon studying them, so I never really got to be any good at it. So I think the explanation is amazing, but it would definitely benefit from not reminding me of my inadequacy.

                                                                                            And I’m in a happy boat, actually, this is only an interest of mine – but there are plenty of people who have to do it as part of their jobs, are not provided with adequate training of any kind, have no time to figure it out on their own, and regularly get yelled at when they get it wrong.

                                                                                            Now, I realise the title is tongue-in-cheek to some degree, the playful furries and the clever humour scattered throughout the post sort of gives it away. If you think about it for a moment it’s pretty clear that this is meant to grab attention, not remind people how much they suck. But it’s worth remembering that, in an age where web syndication is taken for granted to the point where it sounds like a Middle English term, this context isn’t carried everywhere. Case in point, this lobste.rs page includes only the title. Some people might react to it by clicking because you grabbed their attention, but others might just say yeah, thanks for reminding me, I’ll go cry in a corner.

                                                                                            Even if I didn’t realise it was tongue-in-cheek, it probably wouldn’t bother me, partly because I understand how writing “competitively” works (ironically, from around the same time), partly because I’ve developed a thick skin, and partly because, honestly, I’ve kinda given up on it, so I don’t care about it as much as I once did. But I can see why others would not feel the same way at all. You shouldn’t count on your audience having a thick skin or being old enough to have given up on most of their dreams anyway.

                                                                                            I know this is a real struggle because that’s just how blogs and blogging work today. You have to compete for attention to some degree, and this is particularly important when a large part of the technical audience is “confined” to places like HN and lobste.rs, where you have to grab attention through the title because there’s nothing else to grab attention through. But maybe you can find a kinder way to grab it, I dunno, maybe a clever pun? That never hurt anyone. These radical, blunt (supposedly “bluntly honest” but that’s just wishful thinking) headlines are all the rage in “big” Internet media because, just like Internet trolls, they thrive on controversy, us vs. them and a feeling of smugness, but is that really the kind of thing you want to borrow?

                                                                                            (Edit: just to make sure I get the other part of my message across, because I think it’s even more important: title aside, which could be nicer, the article was super bloody amazing: the explanation’s great, and I like the additional pointers, and the humour, and yes, the drawings! Please don’t take any of all that stuff above as a criticism of some sort: I wanted to present a different viewpoint from which the title might read differently than you intended, not that the article is bad. It’s not!)

                                                                                            1. 15

                                                                                              How do you know that you’re punching up?

                                                                                              What if the person encountering your blog is a programmer from an underrepresented background, just barely overcoming imposter syndrome, and now here’s this scary suggestion that they don’t understand hash functions? What if they actually made one of the mistakes in the article, and feel like they’re a complete fraud, and should leave the industry? This is the sort of microaggression/toxicity that everybody talks so much about, if I’m not mistaken.

                                                                                              The point is: you don’t know. You can’t know.

                                                                                              So, err on the side of not adding more negative shit to the world accidentally in the name of pageviews–especially when there are many, many other more positive options in easy reach.

                                                                                              EDIT:

                                                                                              I wouldn’t care if it weren’t for the fact that you’re a smart dude and clearly passionate about your work and that you have good knowledge to share, and that it pains me to see somebody making mistakes I’ve made in the past.

                                                                                              1. 8

                                                                                                I wouldn’t care if it weren’t for the fact that you’re a smart dude and clearly passionate about your work

                                                                                                I’m neither of those things :P

                                                                                                and that you have good knowledge to share, and that it pains me to see somebody making mistakes I’ve made in the past.

                                                                                                I appreciate your compassion on this subject. It’s definitely new territory for me (since forever I’ve been in the “boring headline out of clickbait aversion” territory).

                                                                                                1. 9

                                                                                                  Do you actually not see a difference between saying a slightly negative thing about people of a certain profession and how they engage in that profession, and an ad-hominem using sexual orientation? What a weird and bad analogy?

                                                                                                  I’m trying to assume good intent here but all your comments make it sound like you’re annoyed at the furry pics and awkwardly trying to use cancel culture to lash out at the author.

                                                                                                  1. 7

                                                                                                    Neither the label of programmers (with which I identify) nor of gay furries (with which the author identifies, according to their writing) is being misapplied. I’m sorry you feel that a plain statement of fact is somehow derogatory–there is nothing wrong with being a proud programmer or a proud gay furry.

                                                                                                    My point in giving that example was to critique the used construction of “ is ”. I picked that label because the author identified with it, and I picked the “bad at blogging” because it’s pretty obviously incorrect in its bluntness. If I had picked “lobsters” or “internet randos” the conjured association for the person I was in discussion with may not have had the same impact that “programmers” had on me, so I went with what seemed reasonable.

                                                                                                    1. 4

                                                                                                      What do you gain by emphasizing soatok’s sexual identity, other than this morass of objections?

                                                                                                    2. 5

                                                                                                      I’m trying to assume good intent here

                                                                                                      that’s exactly what friendlysock is hoping for

                                                                                                      1. 5

                                                                                                        you’re right but it’s best not to feed them

                                                                                                      2. 8

                                                                                                        What if the person encountering your blog is a programmer from an underrepresented background, just barely overcoming imposter syndrome, and now here’s this scary suggestion that they don’t understand hash functions?

                                                                                                        Or they may read this and think ‘I’m glad it’s not just me!’. As a programmer who probably has a better than average understanding of hash functions, I don’t feel demeaned by this generalisation, if I were worried about my level of understanding I’d feel comforted by the idea that I wasn’t in a minority in my lack of understanding.

                                                                                                        What if they actually made one of the mistakes in the article, and feel like they’re a complete fraud, and should leave the industry?

                                                                                                        Or they may feel better that this mistake is so common that someone writes about it on a list of mistakes programmers make.

                                                                                                        1. 1

                                                                                                          What if the person encountering your blog is a programmer from an underrepresented background….

                                                                                                          While I said you’re picking a fight (and would add: “look at the thread, it’s a fight”), I see what you’re saying in this paragraph. I also value non-judgmental explanations.

                                                                                                      3. 6

                                                                                                        My problem with the title isn’t that it’s insulting, but that it’s inaccurate. Clearly some programmers do understand hash functions, even if other programmers do not. If nothing else, @soatok, a programmer, presumably understands hash functions, or why else would he write a blog post purporting to explain the right way to use them?

                                                                                                        Programmers don’t understand hash functions, and I can demonstrate this to most of the people that will read this with a single observation:

                                                                                                        When you saw the words “hash function” in the title, you might have assumed this was going to be a blog post about password storage.

                                                                                                        Specifically is wrong, at least about me, and almost certainly among other programmers as well. I don’t claim to have deep knowledge about cryptography, and I do expect that there’s probably something I could learn from this blog post, which I will read more carefully when I have a chance. But I am aware that the computer science concept of hash functions is useful for a variety of programming problems, and not just storing password-related data.

                                                                                                  1. 4

                                                                                                    If you are Facebook, using React makes sense. For a plain business website, React just introduces a shit ton of complexity and security issues while providing very little, if any, advantages. Why people use that crap for normal websites is beyond me.

                                                                                                    1. 4

                                                                                                      If you are Facebook, using React makes sense.

                                                                                                      It’s been a while since I last used Facebook (and it was mostly for the “marketplace” stuff anyway), but when I last used it about a year ago it was slow, buggy, and generally just not a very pleasant experience.

                                                                                                      I don’t know the causes for this, but it’s not like React is necessarily working out all that great for them.

                                                                                                      1. 7

                                                                                                        I don’t work at FB, but having worked on many large web apps using many different frameworks, React likely isn’t the bottleneck. The poor performance is likely due to how much tracking they do. Tracking adds tons of excess events, http requests, and general bloat.

                                                                                                        1. 2

                                                                                                          We were in the middle of rolling out the new website one year ago. Check it out now. The new site (no blue bar at the top) is quite a bit faster, at least compared to the old one.

                                                                                                          1. 2

                                                                                                            It is even worse now than it used to be. Frequently freezes up entirely while typing and clicking buttons often does nothing at all. If React is supposed to prevent bugs, Facebook is about the worst advertisement I could imagine.

                                                                                                            1. 2

                                                                                                              While your personal experience may differ I promise that performance in general is MUCH better on the new site (individual interactions, the initial page load, incremental page loads, average and median, slower machines faster machines, etc). We measure extensively.

                                                                                                        2. 3

                                                                                                          If you are Facebook, using React makes sense.

                                                                                                          It makes sense if you’re building web applications, basically. Not that it’s the only technology anyone should ever use, it definitely competes with a few other amazing tools I can think of, but it’s still a viable choice.

                                                                                                          1. 3

                                                                                                            React just introduce a shit ton of complexity

                                                                                                            That’s true, as soon as you pull in React you’ll also need a bundler, something to strip the JSX, and all the complexity that comes from managing those tools. Not to mention how React components and hooks are both their own DSL that has its own separate rules from JS.

                                                                                                            and security issues

                                                                                                            Care to elaborate? Do you mean security issues from using tons of JS libraries? You can actually use React without pulling in tens of libraries to do everything, and if you’re still concerned about bundle/code size you can also use Preact in production.

                                                                                                            while providing very little, if any, advantages.

                                                                                                            This is simply not true. Keeping UI and application state in sync starts out simple but quickly becomes tremendously complex, so having a library that takes care of that for me is invaluable. Making reusable components is also hard and clunky and React also makes that incredibly easy.

                                                                                                            1. 2

                                                                                                              I don’t consider the jsx parser or bundler, which come preconfigured for most projects via create-react-app, as complexity. If we are considering that complexity, then anything that comes with dependencies is automatically complex even if you have no need to configure anything.

                                                                                                              The complexity of react is really based around understanding of hooks and lifecycle. If you’re building a webapp, you need to deal with state somewhere so that’s universal. I guess you could say jsx is complex but it’s basically html instead of a bunch of function calls, which should be pretty easy to understand.

                                                                                                              1. 2

                                                                                                                I would argue that hooks made JSX more complex because now there are extra things to consider when rendering your components. I only say this because I had a coworker who was learning React get thoroughly confused by when and how they could use hooks in relation to JSX syntax. Additionally, JSX isn’t just html but an additional hidden function call. It used to be a simpler h('div', attributes, children) but it’s gotten a little more complex under the hood with what that function does now.

                                                                                                                I’d also be tempted to argue that JSX is a poorer version of how to structure html because it only accepts attributes and not properties, so it actually adds extra complexity around how to set properties on real dom nodes. Which in turn complicates how one uses web components within React.

                                                                                                              2. 1

                                                                                                                Regarding security issues, I’m primarily thinking about, yes, dependencies and the use of JavaScript on the server side. When you first go down that Node.js rabbit hole, the libraries tend to stack up pretty fast. I’ve seen pretty simple webpages passing 100.000 files in node_modules - with God knows how many people behind them. And why JS is all kinds of bad ideas is a whole discussion in itself.

                                                                                                                Add in the issues complexity in itself introduces and you end up with a system which, for a normal webpage, is totally overkill, hard to maintain, expensive to host and stable if you’re lucky.

                                                                                                                In my honest opinion, that whole Node craze was a big mistake. There are numerous alternatives out there, but if I were to pick one, I would go with Elixir and Phoenix LiveView. That stuff is just on a whole other level.

                                                                                                            1. 1

                                                                                                              The quotes in the title are there for what? Emphasis? That’s not what quotes do: https://www.dailywritingtips.com/punctuation-errors-quotation-marks-for-emphasis/

                                                                                                              1. 1

                                                                                                                The quotes are there to undermine the idea that there is one real reason, as opposed to a myriad of essential, accidental, and contextual problems. Imagine me saying it with air quotes.

                                                                                                                In retrospect, given the ambiguities in what people mean by UML and techdeath, I should have called it Why “UML” “Really” “Died”.

                                                                                                              1. 5

                                                                                                                Visual Studio 2022 will be a 64-bit application

                                                                                                                Woah, it still wasn’t 64-bit?! o_0

                                                                                                                We’re working to move Visual Studio for Mac to native macOS UI

                                                                                                                Hmm. VS for Mac being based on MonoDevelop, will that work end up in the open MonoDevelop repo? Would MonoDevelop on GTK receive less attention now?

                                                                                                                1. 8

                                                                                                                  Woah, it still wasn’t 64-bit?! o_0

                                                                                                                  For some background:

                                                                                                                  https://web.archive.org/web/20170310075121/https://blogs.msdn.microsoft.com/ricom/2015/12/29/revisiting-64-bit-ness-in-visual-studio-and-elsewhere/

                                                                                                                  As far as I know, the philosophy in VS has been to move extensions out of the devenv process for resiliency, but having done so, multiple 32 bit processes end up being more compact than a single 64 bit process. The lack of 64 bit devenv has always raised eyebrows since almost everything else is these days, although it is a legitimate question to ask why an IDE really needs 4Gb of RAM. Things like compilation are going to be done by a large number of child processes, not the IDE process.

                                                                                                                  1. 1

                                                                                                                    A 32-bit address space can cause problems even before your app has allocated 4GB of memory.

                                                                                                                    Depending on how you allocate and free memory, you might get a fragmented heap and not have room to allocate large chunks of memory anymore, well before you’ve allocated all addressable memory.

                                                                                                                1. 5

                                                                                                                  A splash screen with a loading indicator is very 90s so in some ways I appreciate the new site.

                                                                                                                  Here’s a thought: the person/people that made the new site are probably younger than the old site.

                                                                                                                  1. 1

                                                                                                                    The mind boggles

                                                                                                                  1. 7

                                                                                                                    This is insane…

                                                                                                                    I assume most people here that use Ubiquiti have disabled remote access to devices if they haven’t already.

                                                                                                                    Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period

                                                                                                                    I’m struggling to see how this is good advice. Was it really to protect the stock value (rotating would reveal something bad happened and open it up to questions)? Even that is short sighted.

                                                                                                                    1. 24

                                                                                                                      A comment from a former employee lifted from the HN thread:

                                                                                                                      While I was there, the CEO loved to just fly between offices (randomly) on his private jet. You never knew where he’d pop up, and that put everybody on edge, because when he was unhappy he tended to fire people in large chunks (and shut down entire offices).

                                                                                                                      This seems consistent with some Glassdoor reviews; for example:

                                                                                                                      No one is safe here. You’re expendable just like the trashbag in your garbage can. Owner gives unreasonable goals and when not met, he fires. Upper management/CFO like money and RJP [Robert J. Pera, the CEO] clout over the product, over the consumer experience. The company morale is everyone tries to fly under RJP’s radar due to random firings. Upper Management is number people, worried about the stock more than employees and the product. Very muddy project management and very foggy leadership. No one really knows where the ship is sailing. Everyone is on the same ride trying to avoid a wreck at the same time avoiding RJP.

                                                                                                                      The company is a one-man show who completely ignores people value.

                                                                                                                      You are being questioned, demoralized and you even don’t believe your skills in the end.

                                                                                                                      No feedback, no HR, no planning.

                                                                                                                      • Incredibly toxic culture where most people would rather not have to deal with the CEO at all (“be invisible”) due to his behaviour and complete lack of respect towards his employees. I have witnessed or experienced a lot of what you can see in the other negative reviews on this site.

                                                                                                                      • This may vary from office to office, but there doesn’t seem to be a general HR department. If the CEO is being disrespectful or abusive, who can you complain to, really?

                                                                                                                      And a bunch more.

                                                                                                                      Seems like the owner/CEO is just a twat that everyone is afraid of, and for good reasons too. This kind of company culture incentivizes the wrong kind of decision-making; from a business, ethical, and legal perspective. It’s no surprise that whistleblower “Adam” wants to remain anonymous.

                                                                                                                      It’s all a classic story repeated untold times over history innit? People will go to great lengths to avoid strong negative consequences to themselves, whether that’s a child lying about things to avoid a spanking, a prisoner giving a false confession under torture, or an employee making bad decisions to avoid being fired. We only have several thousand years of experience with this so it’s all very new… Some people never learn.

                                                                                                                      1. 5

                                                                                                                        holy shit.

                                                                                                                        This kind of company culture incentivizes the wrong kind of decision-making; from a business, ethical, and legal perspective.

                                                                                                                        Indeed, and it makes its way right into the product too; you can tell when release feature quantity is prized over quality. This honestly explains more than I thought it could about my experience with their products so far — they feel so clearly half-baked, in a persistent, ongoing sense.

                                                                                                                        1. 3

                                                                                                                          I never even heard of Ubiquiti until a few days ago when there was a story on HN that their management interface started displaying huge banner ads for their products – I just use standard/cheap/whatever’s available kind of hardware most of the time so I’m not really up to speed with these kind of things. Anyway, the response from that customer support agent is something else. The best possible interpretation is that it’s a non-native speaker on a particularly bad day: the wife left him yesterday, the dog died this morning, and this afternoon he stepped on a Lego brick. But much more likely is that it’s just another symptom of the horrible work environment and/or bad decision making, just like your meh experience with their products.

                                                                                                                          1. 2

                                                                                                                            Yeah, I had similar experiences with Ubiquiti stuff–I bought it because I liked the idea of separating routing and access point functionality, but it never stopped being flaky. After the last time throughput slowed to a crawl for no reason I got a cheap TP-Link consumer router instead and I haven’t had to think about it once.

                                                                                                                        2. 1

                                                                                                                          I assume most people here that use Ubiquiti have disabled remote access to devices if they haven’t already.

                                                                                                                          Ironically, I can’t. The UniFi Protect phone apps require it, so I have to choose between security of my network and physical security of my house.

                                                                                                                        1. 4

                                                                                                                          I suggested the “historical” tag. As the tag description says, it is for histories, not for “historical” (as in outdated) things. ZFS is certainly not outdated but this is a history. By the way, can we rename the tag to just “history”?

                                                                                                                          1. 1

                                                                                                                            “historical” is just the adjective for things that pertain to history. It does not carry the connotations of being outdated or obsolete.

                                                                                                                          1. 1

                                                                                                                            It draws some weird similarities with the Javascript ecosystem, which also offers lots of choices and is very volatile…

                                                                                                                            JavaScript is not a volatile ecosystem in the sense the article is talking about (Linux as a stable platform for gaming). The only thing that’s volatile about JavaScript is the choice of tools you have when building. “JavaScript fatigue” refers to the fatigue of choice, not the fatigue of having to rewrite your code to keep it working (e.g. Python 3). Once you build something it will work forever because JavaScript is an incredibly stable platform. JS written 20 years ago still executes perfectly in the browser. You don’t have to rewrite websites.