1. 4

    The fact that time zones can be picked by major cities instead of by their semi-standardized name is a massive UX improvement instead of “basically bad UI that derives from the IANA zone keys”.

    I think it is the only somewhat understandable way to do it and combined with location detection also very convenient.

      1. 12

        For all those who don’t understand what Hamburg has to do with it, the justification of this DMCA takedown request is based on a decision of a German court (Hamburg Regional court) that took down a service similar to youtube-dl, and the law in question is materially the same as a US law, if I understood the wording right.

        1. 10

          That, and that particular Hamburg court is known to be heavy-handedly in favour of major copyright owners, so that’s where they invariably go to sue when they make a claim under German law.

          1. 2

            hmm is that court responsible for many more YouTube videos being unavailable in Germany than anywhere else?

            1. 2

              No, that’s about GEMA being more zealous than other right holder associations about the terms they license music videos to YouTube.

              1. 3

                Ehm. No. No love for the GEMA (as an event organiser that likes musical interludes and someone who had to implement their “API” for clients, I hate them with a passion). YouTube/Google has run an effective campaign against them, though by… telling only what was interesting to them. And I also have no love for them.

                GEMA, in contrast to the RIAA, is state-regulated. They are a special private entity. This means they are strictly disallowed to favor a party, by law. The sticking point in the negotiations with GEMA was that YouTube wanted essentially “mass rebates” - and they get them everywhere, except in Germany. And the GEMA is not allowed to give them. There was even a 2 year trial run with YouTube to test such a model out, which was later not accepted by the regulators. YouTube then chose to not have the videos available. It’s not like the GEMA didn’t license them (in fact, they must license them to anyone who agrees with the common terms), YouTube just didn’t want the conditions and tried to strong-arm.

                And that’s good, because every smaller player around them cannot get this advantage.

                Also note that GEMA, in contrast to the RIAA, represents artists, not labels, due to the way copyright in Germany works.

                The GEMA is fucked on how it has no modern management and its distribution is unfair and how they are so big that they don’t have to move. Also, how they assume that everything needs to be paid for except if proven otherwise. Deeply so. But please light a fire under their arse for the right reasons.

                But all people see is “I don’t get my music on the internet and YouTube says it’s GEMA’s fault”. It’s also YouTube’s fault. Rule of thumb: if 2 big players in the media industry battle, look closely, they will probably try to sway you on your emotions.

                1. 2

                  I had my own run-ins with GEMA, and I’m pretty sure that they could have decided on a schedule that includes better rates for high volume customers (just: for all high volume consumers). Not saying that YT didn’t try to strongarm them (they probably did), but where GEMA is involved, I default for the other side:

                  The state regulation part is legally correct, but misleading: These days it’s wielded more as a weapon to prevent competition (to GEMA) from appearing, because the regulator is (for whatever reason) strongly interested in keeping the situation GEMA-only (even though the law doesn’t say that there must be only one such organization).

                  Why is there interest in creating competition to GEMA? Because while it’s supposed to serve all musicians (they also collect for other right holder organizations, but that’s just an invoicing service) it does not: Its internal pay schedule is twisted towards having a relatively small set of folks benefit financially - who are, incidentally, the same that have voting rights within the organization (most artists do not). It’s interesting to note that this kind of corruption (which exists for a really long time) doesn’t matter to the regulatory body (so what exactly do they regulate again?).

                  Finally, the regulatory body in question is the German patent and trademark office (DPMA). Since I also default to the other side whenever they come up (except when it’s the European Patent Office in which case I can only hope for divine intervention that eradicates them both), that side of the story really has no chance for my sympathy, like, at all.

                  edit to add a point that brings us back on topic: The original question was if the Hamburg court is responsible for the wide-spread blocks of music videos in Germany. They’re not, but I guess I can clarify my original statement in that it’s due to YouTube and GEMA fighting over fees. Even without declaring who’s in the right or wrong here (likely: both wrong), it’s the origin of limited music video availability on German YouTube.

                  (Full disclosure: I work at Google, but never had anything to do with artists, their collection agencies, labels, YouTube or the DPMA or EPO through my employer. This is personal.)

                  1. 1

                    I agree with most of your points, but they are not of interest in the YouTube/GEMA relationship. Its broken payout structure towards its artists is not of interest for YouTube, nor was it addressed in that dispute, because that’s not in play here. Its dominance and assumption that they can claim all music until proven wrong is bad, but was also not challenged by YouTube.

                    I have worked for competitors to YT, and its behavior was hugely damaging in the space from our point of view.

                    This is no question of who’s more fucked up. YouTube ran a very expensive sway campaign and lost (and in the process, may even have strengthened the hold of GEMA more).

                    > They’re not, but I guess I can clarify my original statement in that it’s due to YouTube and GEMA fighting over fees.

                    Yes, you should.

      1. 3

        I have to read this it breaks the tag record!

        1. 3

          He also talks about Haskell and lenses, so I could have upped it further!

          1. 2

            Next time :) It is almost 5k words, very dense, and with tons of links to other resources, so does cover quite a bit of ground.

        1. 4

          The main point of this article is to suggest that exceptions should be used for “ask forgiveness not permission” flow control in the current stack frame to clarify code by replacing if/else statements. The discussion is limited to using exceptions for local flow control. The author does not address in any serious way flow control that passes beyond the current stack frame.

          1. 2

            I think the point is not to clarify if/else statements but that exceptions capture the intention more. If I want to cast something to an int, I should try to and deal with failure. If I instead try to check first, the implementation of the check might not match the implementation of the actual action. This is typical for file handling. If you check if a file exists and then read it you have a race condition. You should try to read it and handle failure.

            1. 1

              Yes. Their exception version of the float to int check code handles many more failure cases than the if/else one. This doesn’t mean advice about exceptions as larger scale flow control is incorrect.

              Regarding file handling, yes it is important to know about O_CREATE or the + file flags in Python and handle errors correctly.
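
Added example (not part of the original thread or of the article it discusses): the check-then-read race and the flag-based exclusive create raised in the two comments above, in Python. The `between_check_and_use` hook, the helper names and the file name are assumptions; the hook stands in for a concurrent process so the race is deterministic.

```python
import os
import tempfile


def read_lbyl(path, between_check_and_use=None):
    """Check first, then open. The gap between the two calls is the race window."""
    if not os.path.exists(path):
        return None
    if between_check_and_use:
        between_check_and_use()  # hypothetical hook: another process acts here
    # The existence check above is already stale; open() can still fail.
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def read_eafp(path, between_check_and_use=None):
    """Just open. The answer open() gives is the only one that matters."""
    if between_check_and_use:
        between_check_and_use()
    try:
        with open(path, "r", encoding="utf-8") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def create_exclusive(path, data):
    """Create the file only if it does not exist, as one atomic operation.

    O_CREAT | O_EXCL makes the existence test and the creation a single
    system call, so there is no window between "check" and "create".
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(data)
    return True


def demo():
    """Run the cases in a private temp dir and return what each one did."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "settings.conf")  # constructed sample file

        def concurrent_delete():
            os.remove(path)

        # Case 1: check-then-read loses the race and raises.
        create_exclusive(path, "first")
        try:
            out["lbyl"] = read_lbyl(path, concurrent_delete)
        except FileNotFoundError:
            out["lbyl"] = "FileNotFoundError"

        # Case 2: same interleaving, but the failure is handled where it occurs.
        create_exclusive(path, "first")
        out["eafp"] = read_eafp(path, concurrent_delete)

        # Case 3: exclusive create never overwrites an existing file.
        out["first_create"] = create_exclusive(path, "first")
        out["second_create"] = create_exclusive(path, "second")
        out["content"] = read_eafp(path)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```
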

            2. 1

              > The author does not address in any serious way flow control that passes beyond the current stack frame.

              Such as?

              I’m not exactly sure what you’re alluding to here, i.e. are you referring to using catching throws from a thread/process (in a hypothetical language where this would be very easy) instead of queue/channels for communication?

              1. 4

                One common criticism of exceptions is that they’re a “hidden” control flow, separate from the execution path you can see in the source file, which imposes an additional and persistent cognitive load on readers. Basically, if you’re using exceptions, any function can return at any expression without your knowledge. I think this is what ZicZacBee was alluding to. Your examples sidestep this criticism by always using unqualified ‘except’ clauses — it’s not possible for exceptions to escape your blocks. But this carries its own set of liabilities: what if your float conversion failed due to an out-of-memory issue? Shouldn’t that have a different effect than it being NaN or whatever?

                1. 1

                  > But this carries its own set of liabilities: what if your float conversion failed due to an out-of-memory issue? Shouldn’t that have a different effect than it being NaN or whatever?

                  OOM issues are particularly easy to avoid since exceptions for things like OOM and sigkill are rather specific in most languages. E.g. in python one can do except Exception: and catch basically everything besides those.

                  But more generally, yes, this is an issue and I even mentioned it in the article as one of the tradeoffs.

                2. 3

                  Yes, I’m thinking of throwing as a channel for passing the control to a catch higher in the stack frame for something beyond what could be called ‘error handling’. If writing an Akka like system in Python with exceptions well bets are off. The article covers EAFP in local cases with brief examples. It’s a great way to do it. To use that as a basis to disregard other advice about using exceptions for flow control is poor reasoning. Many practices that are a good fit in a 20 line script do not scale to a larger project.

                  1. 1

                    > If writing an Akka like system in Python with exceptions well bets are off

                    I mean, I agree that if you’re writing an actor based system using exceptions as control flow isn’t exactly ideal, but it’s not something that would even cross my mind. The concept of exception shouldn’t even exist in an actor-based paradigm. It’s comparing apples with oranges. I’m talking about imperative programming here.

                    > Many practices that are a good fit in a 20 line script do not scale to a larger project.

                    Agree, but I don’t think the particular example you gave is relevant as to why this is the case with exceptions as control flow.

                    1. 1

                      If a larger system uses exceptions for flow control the location of the code that handles the exception is likely to end up based on the call stack. If this buys us something of more value than the cost of the complexity, it could be worth doing.

                      Yes, apples with oranges, we are comparing small imperative code snippets that use exceptions as flow control with large systems that use exceptions as flow control. One of these it is a good fit and the other it is not.

              1. 3

                I think the issue is somewhat buried in “I find a seemingly-satisfying solution (usually on Stack Overflow)”. If you find something on SO and do your due diligence to think about how it works and why, this problem will be much smaller. And you can also learn things from answers that are wrong or don’t work.

                1. 3

                  I don’t understand how spam is a reason for federation. Spam is exactly the kind of problem that you get because of federation since there is no central way to reprimand users. If you block an entire server you are pushing around the responsibility and punishing people who don’t deserve it.

                  1. 1

                    > If you block an entire server you are pushing around the responsibility and punishing people who don’t deserve it.

                    Not true. You are pushing the moderation decision on the server operator. They have the option to punish the individuals on their server that have triggered the action in the first place, and then be reinstated, or not. The good faith users of the server should have the option to lobby for punishing of the bad faith ones.

                    I feel like this system is better for everyone, as it allows small groups to police themselves, instead of relying on an uncertain central authority.

                  1. 5

                    Part of my answer is that focusing on technology underpinnings is the wrong question, but that’s a half-story. The rest is the reason I think OStatus is on the wrong track:

                    I need to be able to transparently migrate service provider. I should be able to switch from one service provider to another, and, after doing so, should not have to worry about the old provider any more. Such a feature makes it possible to take risky bets on service providers, and if it doesn’t work out, it’s not a permanent loss. People need to be able to make such risky bets, otherwise they’ll only register with service providers that they know will be reliable, and that means big services get bigger and small services can’t get off the ground.

                    That means domain names can’t form part of my permanent identity. If it looks like notriddle@example.com, then it means I’m now chained to example.com, and even if I decide to switch to another provider, I either get to send a message to all my contacts asking them to change, or I get to worry about example.com being able to host a permanent forwarding address. I can also own my own domain, but what happens if I screw up and it expires?

                    1. 2

                      > domain names can’t form part of my permanent identity

                      Well.. the alternative is cryptographic keypairs as in SSB. But this makes multi-device hard, and making keys manageable by normal people is also hard (I guess deriving keys from passphrases is convenient but then the hard problem is recovery from loss/theft).

                      > I can also own my own domain, but what happens if I screw up and it expires?

                      Don’t screw up? People have been owning personal domains for a couple decades now, with good results mostly.

                      Seems like the bigger barrier to mass adoption of personal domains is having to pay money at all in a world where most online communication has been free :/

                      1. 1

                        In your version you don’t actually really belong to a federation instance anymore. It acts more or less like a cache. I think this is a cool idea but doesn’t really match what most people mean when they discuss federation.

                        It’s probably difficult to form a sense of community in this case or to set up an instance for your friends since people don’t belong to an instance in any meaningful sense.

                        Conceptually, it seems more like p2p to me.

                      1. 8

                        I am sitting here reading this very entertaining article on website bloat, with my phone, in my bathtub. …as my phone suddenly asks me “Charging your phone? Earn money for charity while you do!”

                        We deserve the apocalypse.

                        1. 1

                          I agree, but just to point out the downside: it makes the whole system harder to analyze.

                          If you ever assume that your system is secure because the attacker does not know X which could be derived from the code by deobfuscating it you are probably making a mistake. Also, obfuscation is a break-once attack, afterwards your secret is out. Oh wait, it’s not really secret, just another obstacle. But in the end you just want to make the attack expensive enough for an attacker. What if the deobfuscated code is shared with other attackers? Now it’s free for them! But an attacker won’t share his deobfuscated version of the code because he probably doesn’t want to do free labor. …the rabbit hole continues

                          So, yes, you can use obscurity to make an attacker’s life more difficult but you should not rely on it for your system to be secure. Hence, avoid security BY obscurity.

                          Just build your system to be secure without the obscurity. Then throw it in on top if you want.

                          1. 5

                            Editors are not a group you can reasonably compare. A JPEG editor and a WAV editor have nothing in common and exactly the same applies to “text” editors. You don’t want to edit HTML and Java and Latex and ToDos and emails in the same way.

                            If you squint a little you probably would want to edit all programs in the same way but that unfortunately doesn’t work because you just cannot refactor Python like you refactor Java. So even trying to do such a comparison for IDEs is tricky.

                            All of these discussions about how far away the arrow keys - or your mouse - are, are completely pointless in comparison. This article almost caught on to this fact and gives a list of editors with their strength but doesn’t make it to the conclusion that text editors are just not a reasonable thing to discuss anymore. Nobody edits “text”. And the people who do use Word.

                            1. 9

                              > All of these discussions about how far away the arrow keys - or your mouse - are, are completely pointless in comparison. This article almost caught on to this fact and gives a list of editors with their strength but doesn’t make it to the conclusion that text editors are just not a reasonable thing to discuss anymore. Nobody edits “text”. And the people who do use Word.

                              That’s amusing. Just last night my roommate had a problem where all the cells in her document were set to “£0.00” after saving, it would have taken about 8 hours for her to recover it.

                              Luckily she already had the list, she just wanted it in a Libreoffice table. I opened vim (Because raw sed is line-based), and just used the expressions: :%s/$/"/, :%s/ \r/, "/. I saved it as a .csv and opened it in Libreoffice Calc, copied the cells, then imported it into Writer by doing C-V and selecting “RTF”.

                              It took five minutes, not 8 hours. A handful of small adjustments that added 2 minutes on to it, and the table was exactly as before.

                              You are severely underestimating the power and use of the tools programmers have been using for the last 60 years. The arrogance on display is absolutely staggering.

                              The purpose of a tool like Vim, is to make your editing commands become muscle memory, so you do not have to think about what you want to do, and then do it. You can simply do it reflexively. I’ve been using it for 8 years on all kinds of information, and it’s extremely powerful.

                              I wonder, when I hit d} in vim, am I still editing text? The operation itself runs over a paragraph. What about di) which deletes the contents of a set of brackets, do you think you can find a use for that in programming? If your answer here is “paragraphs and argument lists are all text”, that means you’re coming close to the realization that “XML is text”, “S-Expressions are text”, and pretty much every format you can think of is a form of text.

                              Is ParEdit, a mode for editing the structure of Lisp documents in Emacs, still editing text? What about rope, a refactoring tool for Python with both Emacs and Vim plugins, when you use those plugins, are you still editing text? Vim provides an interface for “text objects”, which allow you to manipulate XML rather easily, are you editing text, or the objects? Of course you are editing text. Because everything that isn’t a binary format is text.

                              In addition, both Emacs and Vim have binary editors built in. They both have extensive sets of plugins for editing programming languages while retaining the power of each environment, and the benefit of a uniform interface that you have experience and will log 100s of hours in.

                              > You don’t want to edit HTML and Java and Latex and ToDos and emails in the same way.

                              You’re right, however, that you don’t want to edit all programs the same way. However, most modern text editors have functionality specific to what you’re editing. Hell, the exact command used for alphabetically sorting the contents of CSS directives in Vim (:%g/{/ .+1,/}/-1 sort) dates back to before Vim existed – it was a feature of ed(1) – which isn’t even visual!

                              1. 2

                                So, I think your argument is: we are not editing text we are editing all kinds of things in a text representation. Which is also what I was trying to say.

                                I think we just disagree about the effectiveness of this approach. I agree that the editors we have are often better than nothing but I wouldn’t advertise vim for its ability to edit tabular data using :s. Neither do I think the incantation in your last line is something that I should have to know. I just want a CSS editor and then press the sort button.

                                #editorflamewar2020

                                1. 5

                                  > So, I think your argument is: we are not editing text we are editing all kinds of things in a text representation.

                                  No, my point was that we are all editing text, we just smooth it over so we don’t have to care about the specifics. Text editors do this too, except they provide more power if you wish it. From your comment here and your other comments about this, you seem grossly uneducated about the capabilities of text editors as tools. I’ve linked you articles in another comment – please read them.

                                  > I just want a CSS editor and then press the sort button.

                                  You don’t have to know it.

                                  ```vim
                                  " Sort the declarations inside every { ... } block alphabetically
                                  nnoremap <leader>s :%g/{/ .+1,/}/-1 sort<CR>
                                  ```

                                  My leader key is set to f. So I can just type f s and the document is sorted. In emacs, I can set a mode switch, so that this keybinding is only available for CSS documents.

                                  1. 1

                                    > In emacs, I can set a mode switch, so that this keybinding is only available for CSS documents.

                                    FYI, you can do the same in Vim with ftplugins.

                                    1. 1

                                      No need for anything complex, just use autocmd

                                  2. 2

                                    You are not expected to know this incantation. It is not a word, it is a sentence. Do you «know» the sentence «Neither do I think the incantation in your last line is something that I should have to know.» ?

                                    The reason we prefer to use a single editor with a language to think about editing in [without agreeing which one] is that things that are just out of reach of the functionality supplied by the editor/plugins/etc. are actually within reach if you express them in the slang of the editor.

                                    Learning such a language probably doesn’t pay off if handling the things typically represented as text is not an activity taking up a large share of your computer use. And maybe not if you just need five representations and the single-use options available for these representations are good enough from your point of view.

                                    But as there are more (and slightly less popular) things to handle, no thanks, I will take a small set of tools I know well and can push one step beyond over sorting through special-case solutions, with many of them missing «trivial» features I have come to depend on.

                                2. 5

                                  > You don’t want to edit HTML and Java and Latex and ToDos and emails in the same way.

                                  Why not? As an Emacs user, I appreciate that different modes interpret concepts such as paragraphs, words, symbols, top level structures in their own appropriate ways, so that keybindings and other commands trivially adapt to the kind of file I’m working with. Sure, not everything fits perfectly into the abstract, primitive categories, but it’s still preferable to having n different editors and work environments for n different problems.

                                  1. 1

                                    “Why not?”

                                    Because having a dedicated editor is more efficient. PyCharm is better for Python and IntelliJ better for Java and Kile better for Latex and Trello better for Todos and Thunderbird better for Mails.

                                    The reason you can use Emacs reasonably well for all of those is that it actually tries to be n different editors for n different problems. org-mode barely has anything in common with other modes. Paredit as well, etc…

                                    1. 5

                                      > Because having a dedicated editor is more efficient

                                      Having a dedicated editor may be more efficient for a single thing, but most of the projects I work on involve ‘text’ files with at least half a dozen different languages (programming languages, build system scripting, markup languages). If I had to switch between editors for each one then each editor would have to be a lot more efficient to offset the cost of the cognitive load from having different tooling for each file type.

                                      1. 3

                                        Well I always feel a lot less productive in IntelliJ editors, and find the Emacs equivalents a lot more comfortable. I guess that’s a difference in attitude, but I think it should be considered as a factor.

                                        > The reason you can use Emacs reasonably well for all of those is that it actually tries to be n different editors for n different problems

                                        Major modes are interfaces, of sorts, connecting and implementing the files to existing subsystems (completion-at-point, imenu, xref, …), not their own Editors. Sure, some major modes have more additional keybindings, such as Org mode, but it’s not unrelated: I can still use isearch, avy, highlight-symbol-at-point, etc. or any other function that wasn’t written for a specific mode in mind. Paredit is a minor mode for S-Expression based file formats, so I don’t quite get your point here…

                                    2. 4

                                      > You don’t want to edit HTML and Java and Latex and ToDos and emails in the same way.

                                      I most certainly want to do exactly that.

                                      1. 1

                                        > Nobody edits “text”. And the people who do use Word.

                                        Thanks for making this point clear. I think programmers (usually systems programmers who post to Lobsters or The Orange Site) have basically boxed themselves into a “fake reality” where talking about plain text email and using vi for prose actually matter. I’m basically the only systems programmer on my team (excluding maybe one or two others), and talking to clients (who almost are all non-technical industries) or even other team members - they have big HTML signatures with images (and use formatting in their messages!), reply on top, use IDEs or maybe Notepad++ on Windows. They don’t tweak their window manager or Emacs config, they’re busy with whatever line-of-business application.

                                        1. 2

                                          I’m not sure that applies to everyone. I have proselint jacked into vim and I use it frequently. The ability to perform operations on sentences or paragraphs without having to move your hand to the mouse is underappreciated.

                                      1. 2

                                        All of these “Turn vim/emacs/… into an IDE for Python/Java/Rust/…” tutorials, please come back when you have debugging support.

                                          1. 1

                                            Hey, that’s pretty cool! And even though I don’t think that it’s easy or integrated enough to satisfy me personally, it goes a long way in the right direction! I am going to try that out right now.

                                          2. 2

                                            Emacs debuggers are pretty advanced, they take after the Lisp Machine, which supposedly had one of the best debuggers in existence (thread here – unfortunately the website links to a shitty post that isn’t the original article).

                                            There’s a good post about C-related debugging here, Python debugging here and here. Java debugging is built in. Rust debugging here, which also uses the in-built debugger interface.

                                          1. 4

                                            I’m very satisfied with https://github.com/debauchee/barrier (synergy fork/continuation).

                                            1. 4

                                              Barrier doesn’t switch monitors. You need a separate monitor (or monitors) for each machine.

                                              1. 2

                                                Ah, yes. Slightly different use cases, I guess.

                                              2. 2

                                                Haim’s solution is pretty ingenious, though!

                                                Now that I know of it, I wish there was a DDC/CI tool I could use on OpenBSD :^)

                                              1. 4

                                                Cringy title, they’re definitely not amazing, and please don’t try them in your website.

                                                But I’m not claiming any authority on design so I’m not flagging although I’m tempted.

                                                1. 1

                                                  I mean, if it’s for your personal website I am all in favor of doing weird accessibility breaking and generally incomprehensible user interfaces! ;)

                                                  For example, this looks wonderful: https://arwes.dev/

                                                  1. 0

                                                    Oh hey that’s the framework I use on my personal website! https://wingysam.xyz

                                                1. 9

                                                  Really cool, thanks for sharing! Some unsolicited css feedback: there’s no margin on the left or right so it’s a bit hard to read on my phone..

                                                  1. 2

                                                    I had to take out my phone to figure out what the issue is so to spare others the effort:

                                                    No margin means on screens with a bevel some of the letters fall off the edge. How did we manage to make our screens so stupid? Are websites now supposed to detect the screen size including what the shape is to make sure the content displays properly?

                                                    1. 3

                                                      No margin means on screens with a bevel some of the letters fall off the edge. How did we manage to make our screens so stupid? Are websites now supposed to detect the screen size including what the shape is to make sure the content displays properly?

                                                      Text is always more readable with margins. Best example to me: Books also have margins, and you’d probably complain if there wasn’t.

                                                      1. 1

                                                        Haha; thanks. I had it set to margin auto, which for some reason made me think it would just do the right thing–silly assumption to make, I know. Pushed out a fix.

                                                      1. 7

                                                        I’m not even convinced that inconsistent style warrants discussion. Is there any evidence that mixed-style code is significantly harder to read? I think compared to things like good documentation and naming whether it’s

                                                        void frobnicate(foo* bar) {
                                                        ...
                                                        }

                                                        or

                                                        void frobnicate(foo* bar) 
                                                        {
                                                        ...
                                                        }

                                                        isn’t going to slow me down at all.

                                                        Either way, automatic reformatting is indeed probably a good solution.

                                                        1. 20

                                                          I personally disagree — inconsistently formatted code causes me significant distraction. Yes, even braces on the “wrong” line.

                                                          I mostly wish that weren’t the case, of course. OTOH, though, if that part of my brain were “fixed”, it seems likely it’d reduce my ability to be the “details person” on my team that catches all the little typos/subtle logic bugs before they ship.

                                                          1. 4

                                                            I think it’s less in the example you give (which is pretty straightforward) and more calling out something like this:

                                                            void frobnicate(foo* bar)  {
                                                               if (abc) 
                                                               {
                                                                   } else if (def) {
                                                               if (ghi) {
                                                                   }  
                                                               }
                                                            }

                                                            If you have enough indentation, I find it confusing.

                                                            1. 4

                                                              I agree. Ultimately it’s a non-important detail. We all have preferences and different styles have their advantages and disadvantages. Hence the reason they exist. I’ve seen this taking 25-75% of the effort and time put into reviewing code. Often above 50%. Whatever importance this has, it is tiny when compared to what the code actually does, regardless of whatever style it is written in.

                                                              1. 3

                                                                For me, it’s like reading a novel vs a variety of websites with different styles. I can surely get through either, but the former’s consistency reduces my effort significantly.

                                                                1. 3

                                                                  Is there any evidence that mixed-style code is significantly harder to read?

                                                                  Speaking as someone who actually has worked on code with inconsistent formatting … not really, no. Usually.

                                                                  On one project I worked on, each developer largely kept to their own directories, so everyone just kept to their own preferred style. Later in the project, though, we all finished the main work and started venturing outside of our little fiefdoms to fix bugs and whatnot. I would painstakingly write in the formatting style of whatever file I was in, at first, but then I noticed that nobody else seemed to be doing that, and over time you would see more and more places where the formatting style would abruptly shift for five lines. I found this deeply ugly, but apparently it didn’t bother the others enough to stop doing it. (Indeed, one engineer joked that it provided an instant fingerprint of who touched the code last, without having to look at version control.) So, it was annoying to me, but it didn’t really slow down comprehension.

                                                                  However, another project I worked on was run by a bunch of novice engineers with no consistent style. One day I wasted a bunch of time trying to debug a very long function before finally realizing that, through the course of modifying the code, the indentation had gotten out of sync with the braces depth, meaning that the end of an if block was actually dozens of lines off from where I had been reading. Only the lack of a consistent style (and primitive text editors) made such a glaring mistake possible.

                                                                  So, I’m more inclined to say: it doesn’t matter, until it does.

                                                                  1. 3

                                                                    Agreed. A sufficiently advanced code base will contain not only mixed formatting but mixed programming styles. Some parts will favor composition over inheritance, another might’ve been written in a semi-functional style.

                                                                    Yet other parts of the code will have been written at a time when certain language features weren’t available, like Java Collections or unique_ptr. It’s your job to read and understand all of them.

                                                                    If inconsistency is something you can’t tolerate, then you’ll have a long and unproductive career ahead of you. Maybe programming isn’t the right job for you?

                                                                    1. 2

                                                                      I agree it’s a small thing, but it’s the principle that’s important.

                                                                      Consistency only works if you’re consistent with it. :)

                                                                    1. 4

                                                                      A split staggered keyboard makes no sense to me. I have an Ergodox and a Kinesis Advantage and the columns are much more logical if you can turn the parts or have better spacing.

                                                                      Also, the relearning for those is trivial. Ok, the arrow keys are a pain!

                                                                      1. 1

                                                                        I love my ErgoDox but after months of trying I simply couldn’t get used to the default arrow keys so I moved them all to the right half in the Vim order along the bottom row and it’s working much better for me now. I just couldn’t adapt to using two hands for the arrow keys.

                                                                        1. 1

                                                                          Yeah, I also ditched the default layout. I don’t like that bottom row. I don’t use it now. The rest of the hardware layout is good though.

                                                                      1. 16

                                                                        In here, we see another case of somebody bashing PGP while tacitly claiming that x509 is not a clusterfuck of similar or worse complexity.

                                                                        I’d also like to have a more honest read on how a mechanism to provide ephemeral key exchange and host authentication can be used with the same goal as PGP, which is closer to end-to-end encryption of an email (granted they aren’t using something akin to keycloak). The desired goals of an “ideal vulnerability” reporting mechanism would be good to know, in order to see why PGP is an issue now, and why an HTTPS form is any better in terms of vulnerability information management (both at rest and in transit).

                                                                        1. 22

                                                                          In here, we see another case of somebody bashing PGP while tacitly claiming that x509 is not a clusterfuck of similar or worse complexity.

                                                                          Let’s not confuse the PGP message format with the PGP encryption system. Both PGP and x509 encodings are a genuine clusterfuck; you’ll get no dispute from me there. But TLS 1.3 is dramatically harder to mess up than PGP, has good modern defaults, can be enforced on communication before any content is sent, and offers forward secrecy. PGP-encrypted email offers none of these benefits.

                                                                          1. 6

                                                                            But TLS 1.3 is dramatically harder to mess up than PGP,

                                                                            With a user-facing tool that has plugged out all the footguns? I agree

                                                                            has good modern defaults,

                                                                            If you take care to, say, curate your list of ciphers often and check the ones vetted by a third party (say, by checking https://cipherlist.eu/), then sure. Otherwise I’m not sure I agree (hell, TLS has a null cipher).

                                                                            can be enforced on communication before any content is sent

                                                                            There’s a reason why there’s active research trying to plug privacy holes such as SNI. There’s so much surface to the whole stack that I would not be comfortable making this claim.

                                                                            offers forward secrecy

                                                                            I agree, although I don’t think it would provide non-repudiation (at least without adding signed exchanges, which I think is still a draft) and without mutual TLS authentication, which can be achieved with PGP quite easily.

                                                                            1. 1

                                                                              take care to, say, curate your list of ciphers often and check the ones vetted by a third party

                                                                              There are no bad ciphers in 1.3, it’s a small list, so you could just kill the earlier TLS versions :)

                                                                              Also, popular web servers already come with reasonable default cipher lists for 1.2. Biased towards more compatibility but not including NULL, MD5 or any other disaster.

                                                                              I don’t think it would provide non-repudiation

                                                                              How often do you really need it? It’s useful for official documents and stuff, but who needs it on a contact form?

                                                                            2. 3

                                                                              I want to say that it only provides DNS based verification but then again, how are you going to get the right PGP key?

                                                                              1. 3

                                                                                PGP does not have only one trust model, and it is a good part of it: You choose, according to the various sources of trust (TOFU through autocrypt, also saw the key on the website, or just got the keys IRL, had signed messages proving it is the good one Mr Doe…).

                                                                                Hopefully browsers and various TLS clients could mainstream such a model, and let YOU choose what you consider safe rather than what (highly) paid certificate authorities.

                                                                                1. 2

                                                                                  I agree that there is more flexibility and that you could get the fingerprint from the website and have the same security.

                                                                                  Unfortunately, for example the last method doesn’t work. You can sign anybody’s messages. Doesn’t prove your key is theirs.

                                                                                  The mantra “flexibility is an enemy of security” may apply.

                                                                                  1. 1

                                                                                    I meant content whose exclusive disclosure is in a signed message, such as “you remember that time at the bridge, I told you the boat was blue, you told me you are colorblind”.

                                                                                    [EDIT: I realize that I had in mind that these messages would be sent through another secure transport, until external facts about the identity of the person at the other end of the pipe get good enough. This brings us to the threat model of autocrypt (aiming at working through email only): passive attacker, along with the aim of helping the crypto bonds to build up: considering “everyone does the PGP dance NOW” not working well enough]

                                                                                    1. 1

                                                                                      Unfortunately, for example the last method doesn’t work. You can sign anybody’s messages. Doesn’t prove your key is theirs.

                                                                                      I can publish your comment on my HTTPS protected blog. Doesn’t prove your comment is mine.

                                                                                      1. 2

                                                                                        Not sure if this is a joke but: A) You sign my mail. Op takes this as proof that your key is mine. B) You put your key on my website..wait no you can’t..I put my key on your webs- uh…you put my key on your website and now I can read your email…

                                                                                        Ok, those two things don’t match.

                                                                              2. 9

                                                                                I’d claim I’m familiar with both the PGP ecosystem and TLS/X.509. I disagree with your claim that they’re a similar clusterfuck.

                                                                                I’m not saying X.509 is without problems. But TLS/X.509 gets one thing right that PGP doesn’t: It’s mostly transparent to the user, it doesn’t expect the user to understand cryptographic concepts.

                                                                                Also the TLS community has improved a lot over the past decade. X.509 is nowhere near the clusterfuck it was in 2010. There are rules in place, there are mitigations for existing issues, there’s real enforcement for persistent violation of rules (ask Symantec). I see an ecosystem that has its issues, but is improving on the one side (TLS/X.509) and an ecosystem that is in denial about its issues and which is not handling security issues very professionally (efail…).

                                                                                1. 3

                                                                                  Very true but the transparency part is a bit fishy because TLS included an answer to “how do I get the key” which nowadays is basically DNS+timing while PGP was trying to give people more options.

                                                                                  I mean we could do the same for PGP but if that fits your security requirements is a question that needs answering..but by whom? TLS says CA/DNS, PGP says “you get to make that decision”.

                                                                                  Unfortunately the latter also means “your problem” and often “idk/idc” and failed solutions like WoT.

                                                                                  How could we do the same? We can do some validation in the form of we send you an email encrypted for what you claim is your public key to what you claim is your mail and you have to return the decrypted challenge. Seems fairly similar to DNS validation for HTTPS.

                                                                                  While we’re at it…. Add some key transparency to it for accountability. Fix the WoT a bit by adding some DOS protection. Remove the old and broken crypto from the standard. And the streaming mode which screws up integrity protection and which is for entirely different use-cases anyway. Oh, and make all the mehish or shittyish tools better.

                                                                                  That should do nicely.

                                                                                  Edit: except, of course, as Hanno said: “an ecosystem that is in denial about its issues and which is not handling security issues very professionally”…that gets in the way a lot
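The mail-back challenge proposed in the comment above, as an added Go example that is not part of the thread or of any key server's code. RSA-OAEP from the standard library stands in for OpenPGP encryption, the `Mailboxes` map stands in for mail delivery, and all names, addresses and the 15-minute deadline are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Assumptions: RSA-OAEP stands in for OpenPGP encryption, and every name,
// address and the 15-minute deadline below is constructed for illustration.
type pending struct {
	nonce   []byte
	pub     *rsa.PublicKey
	expires time.Time
}

// Validator plays the key server. Mailboxes is a stand-in for mail delivery:
// only whoever controls an address can read its entry.
type Validator struct {
	open      map[string]pending
	Mailboxes map[string][]byte
	Verified  map[string]*rsa.PublicKey
}

func NewValidator() *Validator {
	return &Validator{map[string]pending{}, map[string][]byte{}, map[string]*rsa.PublicKey{}}
}

// Start mails a fresh nonce encrypted to the claimed key; the address is the OAEP label.
func (v *Validator) Start(email string, pub *rsa.PublicKey, now time.Time) error {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, []byte(email))
	if err != nil {
		return err
	}
	v.open[email] = pending{nonce, pub, now.Add(15 * time.Minute)}
	v.Mailboxes[email] = ct
	return nil
}

// Finish records the address-to-key binding only for a correct, timely answer.
func (v *Validator) Finish(email string, response []byte, now time.Time) error {
	p, ok := v.open[email]
	if !ok {
		return errors.New("no open challenge for this address")
	}
	delete(v.open, email) // single-use: gone whether or not the answer is right
	if now.After(p.expires) {
		return errors.New("challenge expired")
	}
	if subtle.ConstantTimeCompare(p.nonce, response) != 1 {
		return errors.New("wrong response")
	}
	v.Verified[email] = p.pub
	return nil
}

// Answer is the key holder's side: decrypt the mailed challenge.
func Answer(priv *rsa.PrivateKey, email string, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(email))
}

// demo runs four constructed cases and reports which claims were accepted.
func demo() (honest, foreignMailbox, foreignKey, late bool) {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048)
	v, now := NewValidator(), time.Now()
	const a, m = "alice@example.org", "mallory@example.org"
	// 1. Alice controls both the mailbox and the private key.
	v.Start(a, &alice.PublicKey, now)
	resp, _ := Answer(alice, a, v.Mailboxes[a])
	honest = v.Finish(a, resp, now) == nil
	// 2. Mallory's key, Alice's address: the mail goes to Alice, Mallory guesses.
	v.Start(a, &mallory.PublicKey, now)
	foreignMailbox = v.Finish(a, make([]byte, 32), now) == nil
	// 3. Alice's key, Mallory's address: Mallory gets the mail but cannot decrypt.
	v.Start(m, &alice.PublicKey, now)
	resp, err := Answer(mallory, m, v.Mailboxes[m])
	foreignKey = err == nil && v.Finish(m, resp, now) == nil
	// 4. A correct answer that arrives after the deadline is refused.
	v.Start(a, &alice.PublicKey, now)
	resp, _ = Answer(alice, a, v.Mailboxes[a])
	late = v.Finish(a, resp, now.Add(time.Hour)) == nil
	return
}

func main() { fmt.Println(demo()) }
```

Like DNS validation for HTTPS, this proves control of the mailbox and possession of the private key at the time of the check, nothing more.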

                                                                                  1. 2

                                                                                    I’d wager this is mostly a user-facing tooling issue, rather than anything else. Would you believe that having a more mature tooling ecosystem with PGP would make it more salvageable for, say, vulnerability disclosure emails instead of a google web form?

                                                                                    If anything, I’m more convinced that the failure of PGP is to trust GnuPG as its only implementation worthy of blessing. How different would it be if we had funded alternative, industry-backed implementations after e-fail in the same way we delivered many TLS implementations after heartbleed?

                                                                                    Similarly, there is a reason why there’s active research on fuzzing TLS implementations for their different behaviors (think, frankencerts). Mostly, this is due to the fact that reasoning about x509 is impossible without reading through stacks and stacks of RFCs, extensions and whatnot.

                                                                                    1. 0

                                                                                      I use Thunderbird with Enigmail. I made a key at some point and by now I just send and receive as I normally do. Mails are encrypted when they can be encrypted, and the UI is very clear on this. Mails are always signed. I get a nice green bar over mails I receive that are encrypted.

                                                                                      I can’t say I agree with your statement that GPG is not transparent to the user, nor that it expects the user to understand cryptographic concepts.

                                                                                      As for the rules in the TLS/X.509 ecosystem, you should ask Mozilla if there’s real enforcement for Let’s Encrypt.

                                                                                    2. 4

                                                                                      The internal complexity of x509 is a bit of a different one than the user-facing complexity of PGP. I don’t need to think about or deal with most of that as an end-user or even programmer.

                                                                                      With PGP … well… There are about 100 things you can do wrong, starting with “oops, I bricked my terminal as gpg outputs binary data by default” and it gets worse from there on. I wrote a Go email sending library a while ago and wanted to add PGP signing support. Thus far, I have not yet succeeded in getting the damn thing to actually work. In the meanwhile, I have managed to get a somewhat complex non-standard ACME/x509 generation scheme to work though.

                                                                                      1. 3

                                                                                        There have been a lot of vulns in x509 parsers, though. They are really hard to get right.

                                                                                        1. 1

                                                                                          I’m very far removed from an expert on any of this; so I don’t really have an opinion on the matter as such. All I know is that as a regular programmer and “power user” I usually manage to do whatever I want to do with x509 just fine without too much trouble, but that using or implementing PGP is generally hard and frustrating to the point where I just stopped trying.

                                                                                        2. 1

                                                                                          You are thinking of gnupg. I agree gnupg is a usability nightmare. I don’t think PGP (RFC4880) makes many claims about user interactions (in the same way that the many x509 related RFCs talk little about how users deal with tooling)

                                                                                        3. 1

                                                                                          Would you say PGP has a chance to be upgraded? I think there is a growing consensus that PGP’s crypto needs some fixing, and GPG’s implementation as well, but I am no crypto-people.

                                                                                          1. 2

                                                                                            Would you say PGP has a chance to be upgraded?

                                                                                            I think there’s space for this, although open source (and standards in general) are also political to some extent. If the community doesn’t want to invest in improving PGP but rather replace it with $NEXTBIGTHING, then there is very little you can do. There’s also something to be said that 1) it’s easier when communities are more open to change and 2) it’s harder when big names at google, you-name-it are constantly bashing it.

                                                                                            1. 2

                                                                                              Can you clarify where “big names at Cloudflare” are bashing PGP? I’m confused.

                                                                                              1. 1

                                                                                                Can you clarify where “big names at Cloudflare” are bashing PGP? I’m confused.

                                                                                                I actually can’t, I don’t think this was made in any official capacity. I’ll amend my comment, sorry.

                                                                                        1. 1

                                                                                          Maybe not directly related but the discussion about commenting and recovering previous commands covers some of the same use-cases: tldr.

                                                                                          The idea is to be available like a man page but to give you common invocations instead.

                                                                                          Makes the command line better in my opinion.

                                                                                          1. 15

                                                                                            No history searching is supercharged without fzf: https://github.com/junegunn/fzf

                                                                                            1. 2

                                                                                              How do you deal with the crappy fuzzy matching of fzf? like https://github.com/junegunn/fzf/issues/1823

                                                                                              1. 1

                                                                                                I haven’t had any problems with it, I wouldn’t call it crappy either. What completion system (in any software) do you know of that solves the issue you described there? I don’t personally know of any autocomplete that works on editing distance instead of something like /f.*o.*o/.

                                                                                                1. 1

                                                                                                  Hm, ok. I didn’t investigate further. I still use fzf for history search just not for cd anymore.

                                                                                              2. 1
                                                                                              1. 1

                                                                                                Whenever I see something like this all I can think is: Fuck translation. Make everyone use English.

                                                                                                Good command of English is almost necessary for lots of things and definitely incredibly useful. Make people practice and let’s all benefit from not needing translations anymore.

                                                                                                English is also the best of the widespread languages to standardize on.