1. 8

    I’ve struggled with an issue tracker in a company large enough to… have similar problems, and think that the normal books about software development in companies ought to help. Just think of “the public” as a really large collection of teams that use your service,and file bugs for it.

    As I saw it, the main problems were related to the dual nature of the issue trackers. One one hand it was where people outside the team registered things, on the other hand it was one of the team’s internal tools. So it was part of the interface and also part of the implementation, and the two roles posed different needs.

    For example, you may say that implementation tracker should track only issues for which there will be something to track, ie. things you won’t act on should be closed, no matter why you won’t. For example, our funding came from a few countries, and we had bugs that related only to other countries. But if the tracker is part of your interface towards the rest of the company (or the world) then it may be politically difficult to say “wontfix”, or worse.

    So on the day that you consider a new bug, closing or rejecting it may be politically inadvisable, risk getting into an extended discussion. If it’s in public, you may risk a shitstorm. But if you don’t close, your issue tracker grows a tiny little bit worse in its capacity as internal tool.

    I imagine this is worse for open source things, for which there is no lower limit to the quality of bug reports. I have seen “bugs” that were really design principles.

    1. 4

      As I saw it, the main problems were related to the dual nature of the issue trackers.

      Backstory for the thread: I had exactly this epiphany couple of days ago https://github.com/rust-analyzer/rust-analyzer/issues/10593#issuecomment-947537009. And, given how obvious is this in retrospect, I felt very surprised that I hadn’t just knew that as a part of common wisdom.

    1. 3

      They had three options, and I quote:

      1. Eliminate SAVEPOINT calls completely.
      2. Eliminate all long-running transactions.
      3. Apply Andrey Borodin’s patches to PostgreSQL and increase the subtransaction cache.

      I haven’t looked at those patches and won’t comment on the wisdom of using them. From a quick glance, Andrey doesn’t seem clueless, though.

      Eliminating long-running transactions is considered good practice. Those tend to cause problems somehow, sooner or later. I can see why they considered this possibility, but I have problem with their reasons for choosing not to… I find it very, very difficult to believe that autovacuum is the ultimate cause of long-running transactions. Autovacuum may be found loitering near long-running transaction, waiting to be allowed to clean up, but I’ve never seen it be the cause of an overlong transaction.

      So I think they spent a month on getting rid of SAVEPOINT because finding the real reason for the long-running transactions would have taken even longer. That blog posting is commendable honesty on their part.

      1. 1

        The lobsters crowd seem to be bad at bikeshedding today, or maybe they’re just lazy.

        The colour scheme reminds me of something — some SaaS/editor I used briefly, I think? Can’t quite remember what. Was it inspired by anything specific?

        Thank you.

        1. 5

          I’d say I was influenced by my experience with macOS and iOS dark modes in stock apps, Apple’s design guidance on that topic, and some color contrast goals. I avoided inventing a new palette and just made adjustments for a dark environment. So for instance, colored text is a bit paler as if it emits its own light, rather than being a pigment on a lit page.

        1. 37

          Uhm, dithering isn’t a particularly good way to reduce image size, if you define “good” in terms of visual perception at equal file size. Modern software based on perceptual analysis does better than that 80s dithering. Instead of dithering the image using ancient methods first and then using webp, just use webp alone, the encoder’s -size/-psnr options let you reach your preferred size with the best possible visual quality.

          Of course one might also discussing whether each image pays its way. An image doesn’t necessarily justify its load time.

          1. 11

            To add to that:

            Most photo CODECs that are designed for things that look like photos. They assume that colour changes are typically gradual, because most photos have large regions of almost the same colour. JPEG really baked in that assumption because you need an infinite number of cosines to represent a square wave. Newer CODECs are a lot better at sharp discontinuities in terms of quality, but it’s still the worst case for compression ratio.

            When you dither, you are making every pair of adjacent pixels a sharp colour discontinuity. That’s going to hit the worst case for any CODEC optimised for photos, so you’ll get much worse quality for the same file size than if you don’t dither first.

            1. 2

              I remember reading a discussion on the Low-tech Website (a fully-solar powered website) about the same topic. Dithering simply is not the appropriate tool for this purpose, you get better results with more conventional tools.

              The comments on that page are very informative.

              1. 3

                In a way I think the Low-Tech Magazine makes the dithering of images an aesthetic choice which has a bit of retro charm mixed with the resurgence of dithering (see Return of the Obra Dinn, a game that’s characterized by this style).

                That said I tried dithering some graphics with GMIC but I have to say that the LTM results are somewhat more pleasing. If someone knows how to reproduce that, I’d be interested.

            1. 1

              I’ll report what was common to two rather different organisations. Very different size, very different in many respects, but both called themselves “agile”.

              When something really urgent came up and I noticed (because I kept an eye on the stream of reports from the SaaS provider that reported our crashes), I might just fix it without waiting. Or if I was in heads-down mode working on something, I wouldn’t notice because in that case I wouldn’t keep an eye on that. If I fixed it, I’d mention that in the daily standup and someone else would review my fix in a hurry and we’d get it merged. If something less urgent came up I’d add it to my (plain text) file of notes for next week, and mention it in the weekly what-to-work-on meeting, and we’d usually have a fix deployed in less than two weeks.

              And the key is: Agile doesn’t mean “you may only act according to preapproved plan”. Agile means that the team trusts its members and if someone’s deviations from what was agree during standup/status meetings aren’t a net benefit, then the team discusses that afterwards and that team member adjusts. An agile team accepts some mistakes and learns, instead of trying to prevent wasted time by planning.

              I did receive negative feedback for some of my deviations, but also positive from some. And some of the negative feedback was of the form “well that didn’t need fixing in such a hurry, but I can see why it looked awfully urgent before the root cause was known”.

              1. 7

                I was doing a code review and was about to comment that COUNT(*) is an antipattern, but decided to do some investigation whether that’s (still) the case and provide some background info. Then I found this post, so I was completely wrong here! I wonder where that “knowledge” came from - perhaps misguided handed down information? Or MySQL-specific info that I mistakenly took with me when I switched to Postgres all those years ago?

                1. 2

                  Interesting, I have always “known” that count(1) is the correct way, but no idea where I got that from either.

                  Though if count(1) were actually slower that would be bonkers. I should hope Postgres can be very confident 1 is not NULL and not check it for every row…

                  1. 2

                    Postgresql can compute count() amazingly quickly in some/many cases, but it remains a sign of bad code.

                    When you use a good database (and postgresql is the best database in my neutral, modest and well-informed opinion), then you should use it by issuing queries that reflect your goal as closely as the query language allows. If your use can be described as “something something all the rows something something small result”, then you have a detour via all the rows. That detour is long and may be costly for the database. (Or may not: Postgresql has many tricks to to count without actually looking at all the rows). Conceptually count() is a about all the rows, though.

                    It may also show that the way you express your task isn’t quite right, and maybe that you don’t really understand what you’re trying to do with the database or the best way to express it in code.

                    EDIT: count() is usually used to count all the rows in a table, and my argument above is based on that. However, it can also be used to count a smaller set for rows, and my argument holds for that case too. In that case, the detour is via a number. Databases operate on sets, and if your code leaves set domain that’s often a sign of a detour, which in turn is a sign that the queries aren’t as clear as they could be, and a lack of clarity is a sign of bugs.

                    1. 5

                      For the review in question, it was a COUNT(*) with a WHERE condition, so essentially it meant “how many rows match this condition?” which is indeed expressed perfectly with a COUNT.

                      1. 2

                        Then we get into the issue of count(*) versus count(thingy), where the former counts all rows while the latter excludes rows where that column is null. Which one is a more precise expression of the thing to count? Whichever is more precise is (warning: more designy-touchy-feely verbiage follows) has ≥51% chance of being faster too.

                        Part of what postgresql will do to avoid counting rows in the slow way is to look for a usable index. So if you have a suitable index on the table and the query is a suitable expression of the code’s intent and harmonious with your other use of the table, the ducks often line up naturally and postgresql counts quickly.

                        1. 1

                          It’s been ages since I did any serious database work, but it feels like an antipattern to me if it’s in a frequently used thing because the rule of thumb for databases should be ‘don’t compute on the hot paths’. If you need the number of things that match a particular condition frequently then your normalised database should have that list in a separate table and can then either update a count on insert or query the count dynamically depending on how you want to trade concurrency of inputs (updating a count is a serialising operation) with speed of queries (reading a count entry is faster than counting the elements in a table).

                          More generally though, there’s a point that the article hints at but doesn’t explain the detail of: If you’re querying the count and actually want anything other than an approximation then you’re almost certainly doing something wrong. The reason for this is one word: concurrency. Unless the count is part of a transaction, you’re racing against other updates, so the count that you get is correct when you query it but isn’t necessarily right when you do whatever you’re doing based on the end. If your count is part of a transaction, then you’re doing an expensive serialising operation as part of a transaction and so are probably introducing bottlenecks. If you don’t have multiple concurrent writers, then using an RDBMS is probably overkill.

                    1. 7

                      “Yes, we want”… there’s want and want. Want as in “this has high enough priority that we’ll sacrifice these things for it: ”, and want as in “we’ll sacrifice nothing, this is the lowest-priority item we know, but we still consider it a positive trait”.

                      Reading that, I get the impression that the PGP people think their “want” is the first kind, but their list of desirable things they’ll sacrifice is empty, so it actually is the other kind.

                      1. 23

                        Always vaguely annoyed when Cloudflare takes over more stuff, but I can understand not wanting to deal with all this bullshit when you’re just one person. If he reads this, thanks for the service :)

                        Not all of the interactions were positive, however. One CISO of a US state emailed me and threatened all kinds of legal action claming that icanhazip.com was involved in a malware infection in his state’s computer systems. I tried repeatedly to explain how the site worked and that the malware authors were calling out to my site and I was powerless to stop it.

                        Shades of when CentOS hacked Oklahoma City’s website.

                        1. 4

                          Always vaguely annoyed when Cloudflare takes over more stuff

                          I’m genuinely curious as to why? Cloudflare seems at least so far the least “evil” of large internet companies.

                          1. 7

                            Cloudflare seems at least so far the least “evil” of large internet companies.

                            Still, I would prefer it to be more decentralized. Lots of Internet traffic is already going through CF.

                            1. 1

                              The protocols that the Internet relies on have an inherent centralising effect on Internet services. While a decentralised Internet would be nice, I don’t know of any good proposals for making this happen while also solving the numerous problems to do with how to share power and control in a decentralised manner while still maintaining efficiency and functionality.

                              inb4 blockchain :eyeroll:

                            2. 2

                              Unless cloudflare turns out to be working closely with no such agency. Then the decentralization crowd will be vindicated and we will still need to solve all the problems cloudflare solves for us.

                              1. 3

                                Of course the decentralisation crowd solve them right now instead of waiting.

                                There’s always someone in the peanut gallery who’s vindicated, because the peanut gallery is rich in opinions. For any opinion, there’s someone who holds it, doesn’t volunteer or otherwise act on it, is vindicated on reddit/hn/…/here if something bad happens or can be alleged to happen, and blames the people who did volunteer.

                                Blaming those who volunteer is a shameful thing to do IMNSHO.

                            3. 3

                              It looks like the site (though still managed by post author) migrated entirely to Cloudflare’s systems in 2020 or so.

                            1. 15

                              There are a lot of accusations in this and the subsequently linked posts against this ominous person called Andrew Lee. With all the democratic impetus on these resigning statements, please audiatur et altera pars. Where’s the statement from Lee to the topic? What does he think about this? Does he not want to comment (that is, takes the accusations as valid) or is it simply not linked, which I would find a dubious attitude from people who insist on democratic values? Because, if you accuse anyone, you should give him opportunity to explain himself.

                              Don’t get me wrong. What I read is concerning. But freenode basically is/was the last bastion of IRC. The brand is well-known. The proposed alternative libera.chat will fight an uphill battle against non-IRC services. Dissolving/attacking the freenode brand is thus doing IRC as a whole a disfavour and should only be done after very careful consideration and not as a spontaneous act of protest.

                              1. 13

                                Where’s the statement from Lee to the topic?

                                You can dig through IRC logs referenced in the resignation letter linked by pushcx above and see what he has to say to the admins directly, if you assume the logs haven’t been tampered with. My personal assessment is he makes lots and lots of soothing reassuring non-confrontational noises to angry people, and then when the people who actually operate the network ask for actual information he gives them none. When they offer suggestions for how to resolve the situation he ignores them. When they press for explanations of previous actions (such as him asking for particular people to be given admin access) he deflects and tries to make it seem like the decision came from a group of people, not just himself.

                                So yeah. Smooth, shiny, nicely-lacquered 100% bullshit.

                                1. 16

                                  I’ve now skimmed through some of the IRC logs. It’s been long that I read so heated discussions, full of swear words, insults, accusations, dirty language, and so on. This affects both sides. It’s like a transcript from children in the kindergarten trying to insult each other and it’s hard to believe that these persons are supposed to be adults. This is unworthy of a project which so many FOSS communities are relying on. Everyone should go shame in the corner and come back in a few days when they have calmed down.

                                  I’m not going to further comment on the topic. This is not how educated persons settle a dispute.

                                  1. 6

                                    Amen.

                                2. 11

                                  Lee has issued a statement under his own name now: https://freenode.net/news/freenode-is-foss

                                  1. 10

                                    As a rebuttal to the URL alone, freenode isn’t foss, it’s a for profit company. So before you even click through you are being bullshitted.

                                    1. 14

                                      freenode isn’t foss, it’s a for profit company.

                                      You can be for profit and foss. So this is a non-sequitur.

                                    2. 3

                                      Ah, thanks.

                                    3. 7

                                      Self-replying: Lee has been e-mail-interviewed by The Register, giving some information on how he sees the topic: https://www.theregister.com/2021/05/19/freenode_staff_resigns/

                                      1. 7

                                        “freenode” is both a brand and an irc network run by a team of people. if the team did not want to work with andrew lee, but wanted to continue running the network, their only option was to walk away and establish a new network, and try to make that the “real” freenode in all but the name.

                                        this is not the first brand-vs-actual-substance split in the open source world; i don’t see that they had any other choice after lee tried to assert control over freenode-the-network due to ownership of freenode-the-brand.

                                        1. 6

                                          who insist on democratic values?

                                          Democracy isn’t about hearing both sides. It’s about majority winning.

                                          Actually getting angry over one-sided claims and forming an angry mob is very democratic and has been its tradition since the time of ancient greeks.

                                          1. 5

                                            If and when a representative of Lee’s company (apparently https://imperialfamily.com/) posts something, a member can submit it to the site.

                                            As far as I know Lee or his company have made no statement whatsoever.

                                            1. 2

                                              Could this just be the death knell of irc? A network split is not good as people will be confused between Freenode and Libera Chat.

                                              Most young people that look for a place to chat probably look at discord first. For example, the python discord server has 220000 registered users and 50000 online right now. I don’t believe that the python channel on Freenode has ever gotten close to that.

                                              1. 16

                                                Having multiple networks is healthy.

                                                1. 11

                                                  I strongly believe that IRC is on a long slow decline rather than going to die out due to any one big event. Mostly because there are so many other IRC servers. It’s an ecosystem not a corporation.

                                                  1. 7

                                                    IRC has survived, and will yet survive, a lot of drama.

                                                    1. 3

                                                      Well, people were already confused between OFTC and Freenode. More the merrier.

                                                  1. 6

                                                    I submitted it as I see this relevant and anti-pitchfork enough to spread it.

                                                    Nice to see them self-hosting it and correcting the misunderstandings. I’m wonder why people are against opt-in usage statistics.

                                                    1. 24

                                                      Nice to see them self-hosting it and correcting the misunderstandings. I’m wonder why people are against opt-in usage statistics.

                                                      There is a cultural element in software that can never be meaningfully separated from the strictly technical aspects, and this is just one of them. I don’t necesarily agree with this position (i.e. opposition to usage statistics, even opt-in) but I can sort of see where it’s coming from.

                                                      First, there’s a general, and probably at this point well-deserved opposition to tracking technologies in general, because usage statistics have been misused often enough, and for long enough, that it’s hard to trust anyone gathering stats anymore, even if it’s done in good faith, and even if it’s done by trustworthy parties.

                                                      One way to look at it is that Google, Facebook & friends have ruined stat collection for all of us, I guess? The fact that it’s opt-in isn’t really relevant . The idea is that there’s a high chance that you are eventually going to get screwed because that’s what the tracking industry does. It’s a shady industry that attracts shady people and that results in shady business decisions even in matters that are not related to data collection because that’s how things run in a shady industry. It’s sort of like why some people don’t want to do business with oil & gas companies. Spilling oil into baby dolphin teritory is opt-in and you might think that if that’s a legitimate concern, you just opt out – but even if you do, you’re still going to have to deal with a lot of shady crap because that’s what that industry is like. It rarely happens that the same people who do shady crap drilling for oil (or misusing private data) are okay the rest of the time.

                                                      In other words, there’s a concern that a) you are going to be affected even if you opt out of data collection, and b) that if you do opt in, there’s a high chance that you are going to get screwed over, no matter what the fine print says today.

                                                      Second, there’s a more subtle effect involved, where analytics are opt-in, but a lot of development decisions are based only on collected data. There was an article on the frontpage here a while back about how Mozilla used that to deprecate the ALSA interface, leaving only the PulseAudio interface in, and thus proceeded to piss off orders of magnitude more people than their tracking showed. The general feeling in this case is that analytics, sure, is technically opt-in, but if you depend on that piece of software for anything important, then buddy you’d better opt in or the deprecation hammer will fall right on top of the features you use.

                                                      And third, which is an important thing to remember: Audacity is open source software. It contains contributions from lots of volunteers all over the world, some of whom might have never chosen to contribute to a piece of software that uses analytics, even if they’re opt-in. I can see why some of them would be pissed.

                                                      Edit: all that aside, there’s still the matter of the cultural element i mentioned above. It’s just that the tide is turning against data collection in general. It doesn’t have to be a rational thing, people don’t have to logically justify their choice of software or hardware. Whether they’re justified in their belief is irrelevant after a point. Lots of things in our culture can’t be logically justified and we still do them.

                                                      1. 8

                                                        The general feeling in this case is that analytics, sure, is technically opt-in, but if you depend on that piece of software for anything important, then buddy you’d better opt in or the deprecation hammer will fall right on top of the features you use.

                                                        Yes!

                                                        This is why I generally (though still selectively) opt-in on many cross-platform desktop applications: to represent my presence as a Linux desktop user, on behalf of the thousands who I know won’t. If a company doesn’t know you (i.e. people with your use patterns) use their thing, eventually a report to this-or-that a VP of Product is going to have metrics showing that you don’t exist, and don’t deserve support our further effort. In the case where you actually do exist, this can be inconvenient.

                                                        I participate in even more time-consuming tasks, like responding to Lenovo’s customer research surveys (and others). In free-form responses, I drop in upbeat excitement on behalf of whatever niche or minority usage that I honestly represent (features, industry focus, you name it: I want to be heard).

                                                        That said, I am under no illusion that folks will change on this, and do as I do. Least of all those persnickety Linux users.

                                                      2. 7

                                                        Usage statistics are a side channel. They’re explicitly a way to exfiltrate data.

                                                        1. 1

                                                          Usage statistics are valuable only for the maintainers, not to the users, at least not in a manner that’s direct enough to be observed. For example, recently someone who collects nothing didn’t notice that very few users completed a certain task, then made that task mandatory. The result was quite unpleasant.

                                                          Usage statistics can be said to be the best, cheapest, most effective ways to notice user problems. Much less skewed than problem reports, much less effort than running focus groups.

                                                          For someone who gets the software for free, there’s little reason to consider whether a particular feature makes developing the software simpler. Really, if you don’t pay for the software or its development, if you don’t even know the names of the developers, why would you accept something that might be a security risk, just to simplify some unknown people’s work? And it may be a security risk, because as Corbin notes, those statistics are a way to exfiltrate data from your system.

                                                        1. 2

                                                          How does ninja shave a minute off of the build time? What can it do that make can’t?

                                                          1. 4

                                                            I think part of this is down to the way that CMake uses them. The generated Ninja files rely entirely on Ninja for the build. The generated Makefiles invoke CMake bits to print useful messages. Ninja does the right thing for output by default: it buffers the output from every command and then prints it atomically for any command that produces output and shows the build command only for build steps that fail (unless you pass -v). With make, the build steps all inherit the controlling TTY and so are interleaved. It’s been years since I used make with CMake[1], but as I recall it wraps each compile command in a CMake invocation that captures the output and then tries to write it atomically. The CMake build rules also do more to produce pretty output in the form that is the default for Ninja.

                                                            In addition, it’s not about what Ninja can do that Make doesn’t, it’s about what Ninja doesn’t do. Ninja is not intended as a general-purpose scripting language. It doesn’t have macros, variables that are evaluated by running shell scripts, and so on, it is just a declarative description of build dependencies. It is designed with speed as its only goal, delegating all of the input complexity to a pre-build tool. Make is a far more flexible tool (particularly a modern Make such as GNU Make or BMake) that is designed to be useable without a separate configuration step, even if most uses do add one.

                                                            This makes it simpler to parse and get to the build step. For example, Ninja doesn’t have suffix rules. CMake is responsible for providing the full set of flags and build commands for every individual rules. This is I think Ninja is a little bit more clever about arranging the dependency tree to maximise parallelism. Not relevant for this, but important on more resource-constrained systems: Ninja is also able to have different-sized pools for different jobs, so if link steps take more memory then it can reduce the degree of parallelism during link steps.

                                                            [1] I have this in a file sourced from my .bashrc so CMake automatically uses Ninja:

                                                            # Set the default generator to Ninja.
                                                            export CMAKE_GENERATOR=Ninja
                                                            # Always generate a compile-commands JSON file:
                                                            export CMAKE_EXPORT_COMPILE_COMMANDS=true
                                                            # Give Ninja a more verbose progress indicator
                                                            export NINJA_STATUS="%p [%f:%s/%t] %o/s, %es "
                                                            
                                                            1. 3

                                                              Ninja’s scheduling is really very impressive.

                                                              Many years ago, I patched Jam to compile faster. My approach was different: When I had a choice of which job to start, I’d prefer the one that depended on the most recent source file. This produced amazingly fast compile times if there were errors. Builds that failed would generally fail very quickly, often in the first second. You can imagine what that does to digressions, and I thought it achieved that without any cost to successful builds.

                                                              Ninja was the first build tool to prove me wrong. The order in which it starts jobs is better that mine in some/many cases. Drat.

                                                          1. 2

                                                            What happens if you are at the receiving end of this Cellebrite software, and your phone is one of the phones that has these completely unrelated files on it?

                                                            Maybe your “interviewer” won’t find it as funny. Maybe it’s still better than the alternative? If they’re actually doing it, that is.

                                                            1. 5

                                                              If you are being “interviewed” by a government that does not have guarantees around civil rights and rule of law, a cheeky exploit likely won’t matter: the presence of Signal may be enough to convict you in the eyes of the state, let alone anything else found on your phone.

                                                              If the state does respect rights and rules of law, I think the presence of an exploit targeting forensic gathering tools that you didn’t install yourself could arguably introduce enough doubt to the process to exclude anything identified in the search.

                                                              1. 4

                                                                If the state does respect rights and rules of law

                                                                Show me a state whose spooks and counterterrorism apparatus respect rights and rules of law and I’ll show you a bridge you can buy for 5 bucks.

                                                                1. 3

                                                                  Some governments have been known to torture and imprison people on the basis of owning a Casio watch: https://www.theguardian.com/world/2011/apr/25/guantanamo-files-casio-wristwatch-alqaida

                                                                  Having Signal or WhatsApp on your phone is sure to be excuse enough if the government you’re dealing with doesn’t guarantee civil rights or the rule of law

                                                                2. 3

                                                                  Your interviewer won’t find it, that’s the point. Your interviewer’s software will parse the file, and the file triggers a remote code execution. But why would that remote code execution be displayed to the interviewer as user?

                                                                  But as it happens, I sort of know someone who works with this. His employer will be angry at Cellebrite, and will the contract will soon say “all CVEs must be applied, or else they pay damages”. Moxie will not have overlooked this aspect.

                                                                  1. 3

                                                                    Not knowing more than what’s presented in the article, I imagined for example that the interviewer could have old reports open, or visible in a file browser, and then the exploit would modify them all. That could be one way to notice that something just happened.

                                                                    Like when I change some file from underneath my text editor, and it goes “the file changed on disk, what do you want to do?”

                                                                    1. 2

                                                                      A common fallacy of general computing.

                                                                      When you can program a computer to do anything, that includes any imaginable bad things. Just choose a meaning of “bad”, and general computing includes at an instance of that. The fallacy is to transfer the badness to general computing, or the developer who can choose freely what code to write and run.

                                                                      A program such as Signal can run any code on a Cellebrite computer, including code which is bad for the Signal user. That doesn’t make Signal bad, or imply that the Signal developers would act against their user’s interest, or even that they might. Just that they could.

                                                                      1. 1

                                                                        Modifying past and future reports is not something I came up with. It’s right there in the article.

                                                                        1. 1

                                                                          Yes, because it’s a good threat.

                                                                          Cellebrite has two main customer groups, one of them involves prosecution. That statement tells prosecutors that the report they use aren’t reliable. Those prosecutors need reliability and will tell their Cellebrite salescritters that, so it’s an excellent way to threaten Cellebrite’s Cellebrite’s income.

                                                                1. 35

                                                                  I shall use an apt source instead, which will be able to run arbitrary code with root privileges any time it wants.

                                                                  People got really nerdsniped with this whole “server could send different code to bash” twist, which merely adds extra points for style, but doesn’t materially change the security situation of installing arbitrary code.

                                                                  You either trust the source and security of the network connection, in which case it doesn’t matter what they could do but they don’t. Or you don’t trust the source, in which case they could just send you malware exe without being sneaky about.

                                                                  1. 13

                                                                    yeah apparently downloading some windows installer to run as admin, adding random npm/.deb repos to “sudo” into your system or pip-installing is the serious-security way of installing random stuff to run as the same user you do online banking

                                                                    1. 11

                                                                      It’s the whole circle of trust thing. I trust ubuntu, I don’t trust tool.sh. I trust some well-known certificate authority, I don’t trust a self-signed CA. Someone trusts me and they invite me to lobsters. All in the name of security, safety or some benevolent goal. You can barely prove software does anything at all and that’s where we’re at. It’s a collective practice that adjusts as we go. “Is secure” isn’t even a thing. It has no concept of time in it. Ubuntu apt repo is “secure” now. It’s not “secure” later (let’s say they let their domain lapse). Then it’s “secure” again.

                                                                      I like your “style points” thread. I was thinking the same thing. I’m not trying to jump on the word arbitrary here but I’ve just been noticing themes of software can barely be proved. You have like file size, benchmarks and maybe lines of code. That’s all the physical traits of software you get. Good luck to all of us. Like, virus scanners are style points on content hashing and code functionality. You still have no idea. Security is best effort. What is the complete list of what the latest version of curl “does”?

                                                                      I think it’s no different than functionality testing. All you can do is run and observe. All the haskell types in the world can’t prove “it’s secure” much less “it has no bitcoin miner in it”.

                                                                      1. 4

                                                                        I wonder how much distro maintainers review the code they pull in. I don’t think it’s feasible to review so much code. I’d expect that once a project is in, it just gets updated with “LGTM” level of scrutiny at best.

                                                                        I believe maintainers have the best intentions, but I don’t think they can be relied upon as a security barrier. I had to review source of dependencies I use for a high-security work project, and I have a first-hand experience how mind-numbingly boring, slow, and exhausting such code review is.

                                                                        A crypto miner isn’t going to be a big cryptominer.c that would stand out to someone packaging the code. More likely it’s going to be an obfuscated line of system(user_input) sitting among thousands of innocent lines of code, easy to overlook in a diff.

                                                                        So I think security of a distro is mainly based on a the level of reputation that packages need to have to get included in the first place. They probably don’t have a better way to assess reputation than you do. Then it’s just hoping that developers won’t go rogue, it’s not a bayesian-thanksgiving-turkey attack, and that someone else somehow is reviewing all of that code.

                                                                        1. 4

                                                                          It depends. More than zero, I’ve known one who read every line and wouldn’t miss anything big. He would pretend not to have noticed an easter egg and maybe he didn’t notice, but either a crypto miner or a dependency that makes crypto mining trivial? No way. Distribution packagers look at every dependency and see whether it could/should be turned into a separate shared package.

                                                                          There’s another relevant point: The distribution packagers see bug reports, and are loyal to the distribution and its users. They will have some interest in, perhaps sympathy with the software they package, but if there’s any situation where loyalty matters, they’ll be on the side of the distribution and its users.

                                                                          1. 2

                                                                            I wonder how much distro maintainers review the code they pull in. I don’t think it’s feasible to review so much code.

                                                                            Traditionally, a maintainer would be expected to be intimately familiar with what they were packaging, and could reasonably expect to understand the entirety of what the program does if not literally read all its code. That’s totally intractable in today’s world, but I don’t think we (distros) have completely moved away from the former world view.

                                                                        2. 4

                                                                          Installing apt packages/rpms/whatevers from untrusted sites harbor the exact same risk, yes. Which is why you shouldn’t do that either.

                                                                          The main problem here isn’t that there is arbitrary code executed on your machine, but that most people do not take even a short moment to reflect on that, and happily copy-and-paste installation instructions.

                                                                        1. 7

                                                                          Queuing theory. Retry with exponential back-off and jitter. Is this stuff people pick up from blog posts or are they actually taught in a typical undergraduate CS program?

                                                                          1. 4

                                                                            Pick up from asking friends while struggling with an issue, or from reading papers and blog posts. Or at university. I think the statistics professor gave me a nudge. I’d read the TCP papers at the university library and asked about something after, I think, a lecture about the Poisson distribution, and got a really helpful monologue about skewed distribution of input. (Translated to programmerese: use backoff and make sure you don’t accidentally synchronise.)

                                                                            There are many good papers. It’s a bit difficult to explain how to recognise the good ones. Reading the morning paper archives and the papers it links to might help.

                                                                            1. 8

                                                                              use backoff and make sure you don’t accidentally synchronise

                                                                              I once took down pretty much the whole Google App Engine platform, in the middle of a Republican convention that Google/YouTube was sponsoring/covering (yes, that happened), because I didn’t think about that. Whoops.

                                                                              (Also just terrible project management, ridiculous demands from Google/YouTube to me, the solo developer at the agency they’d outsourced to, and other reasons. But definitely the thing that technically happened is I DDOSed App Engine, and Google paid me to do it)

                                                                            2. 1

                                                                              Yes, I was specifically taught these concepts at my undergraduate CS program in my networking programming course. Graduated in 2019 from Edinboro University of Pennsylvania, which is not an especially well known program. But of high quality!

                                                                            1. 39

                                                                              My take on this is that RMS recognizes that his behaviour is troubling, but doesn’t see fit to apologize for it, unless he’s doing so in private (which I assume we’d have heard about if that were the case). An acknowledgement without an apology or amends isn’t even worth the time it took to read it. I’m no less disappointed in him than I was when I first learned of his harassing behaviour towards women in his orbit, and I’m no less disappointed in the FSF today than I was when they reinstated him (and yes, I have read the FSF statement as well as Stallman’s).

                                                                              As an industry, we need to learn that nobody is so great at their job that they can be given a pass for harassing.

                                                                              1. 12

                                                                                isn’t even worth the time it took to read it.

                                                                                Which you clearly didn’t take….

                                                                                And I quote verbatim…

                                                                                I apologize to each of them.

                                                                                1. 6

                                                                                  That sentence applies to the people to whom he’s been intemperate, not to the many others he’s offended or hurt or creeped out over the years. Try harder.

                                                                                  1. 5

                                                                                    Ah.

                                                                                    You are taking the apology as only applying to offenses mentioned in that paragraph, I’m taking as applying to that paragraph and the preceding paragraph, indeed, the whole statement.

                                                                                    I suppose by the letter of english grammar you are correct.

                                                                                    My interpretation from context is still the broader apology.

                                                                                    This is why written communication is hard… it goes out and feedback as to what actually was communicated is delayed or lost.

                                                                                    I have read a fair bit of RMS “in his own words” and even had one or two email exchanges over the years. I’m incline to interpret his apology in the broader sense.

                                                                                    1. 1

                                                                                      It can be read from different viewpoints. What he wrote sounds sincere to me, but I don’t think it’ll come across as an apology when read by people he offended. In the eyes of someone who’s been offended, the piece may sound as if he started with “I’m sorry that I have offended you through no fault of mine, and even though the fault was all yours, I’ll try harder not to repeat that in the future” and then bickered with reviewers to find compromise wording.

                                                                                2. 21

                                                                                  I for one am not super interested in the spread of struggle sessions.

                                                                                  If you’re troubled by RMS…go fork FSF! Go fight the good fight! Give a meaningful and useful alternative to an organization that frankly has been kinda off in the weeds for a while!

                                                                                  If people spent half the ink on, you know, user freedom as they did on libeling Stallman we as a community could be a lot farther ahead.

                                                                                  1. 31

                                                                                    I for one am not super interested in the spread of struggle sessions.

                                                                                    Right. Computer programmers voicing the opinion on the internet that maybe we can do better than RMS is literally the same thing as Maoist revolutionaries physically torturing political rivals.

                                                                                    If you’re troubled by RMS…go fork FSF!

                                                                                    You don’t simply “fork” a social structure and get a carbon copy of it for free like you do with version control. Forming a competitive alternative to the FSF would not only be a massive undertaking, but it’s also more plainly not the only way of engaging in activism. A much more straightforward approach is to campaign for a change in leadership.

                                                                                    If people spent half the ink on, you know, user freedom as they did on libeling Stallman we as a community could be a lot farther ahead.

                                                                                    And what makes you think that “they” don’t spend even more resources on digital rights efforts than “they” spend posting against RMS? The landscape of digital rights activism may not be as broad as we’d like but it’s certainly bigger than just the FSF and GNU.

                                                                                    1. 17

                                                                                      literally the same thing as Maoist revolutionaries physically torturing political rivals.

                                                                                      Verbal and physical abuse–and as many seem found of asserting these days, speech is violence so I don’t really think the difference is relevant. If you don’t think there are people being harassed because they aren’t apologizing hard enough, you must have a much better version of social media than I do.

                                                                                      A much more straightforward approach is to campaign for a change in leadership.

                                                                                      Stealing and imperialism is a lot more straightforward than building a new, distinct thing. My approach would yield at least two different groups moving in hopefully good directions, whereas the “let’s punt RMS because reasons” approach would not. It’s also entirely possible that the success of the FSF (such as it is) is actually linked to either RMS’ quirks or the sorts of people who deal with those quirks; we don’t know this for sure, but a fork seems like a safer hedge.

                                                                                      And what makes you think that “they” don’t spend even more resources on digital rights efforts than “they” spend posting against RMS?

                                                                                      Which do you think gets more brownie points right now–defending free software, or signalling that “hey i’m totally in the same tribe as you all (please don’t get me fired)”? Depending who you believe online, there are people who want to step away from struggles over copyleft and licensing entirely to focus on more social aspects that may or may not actually have any strong basis in legally protecting user freedom–and that crowd requires RMS’ head before they could go into digital rights stuff (which again, they don’t care about).

                                                                                      That’s my reasoning, anyways.

                                                                                    2. 15

                                                                                      That is totally unrelated. No one is forcing RMS into admitting something he didn’t do!

                                                                                      There are already so many alternatives to FSF with many being more transparent and welcoming to all kinds of people.

                                                                                      1. 17

                                                                                        And just imagine how much further we could be ahead if we cultivated all of the developers, lawyers, writers, and thinkers who were driven away by RMS. And before you say “we can’t know that they exist” you might want to consider that, yes, in fact, we can; there is ample evidence of people who’ve left the FSF or the Free Software movement over him. And those are just the ones who’ve talked about it, leaving aside all the ones who looked at the landscaped and, apparently wisely, noped the fuck out.

                                                                                        1. 9

                                                                                          If they are sufficiently troubled by RMS for whatever reason–over behavior or slights real or imagined–I’m glad they’ve found a better place to spend their efforts. It’ll be good to have other people trying to advance free software in other ways.

                                                                                          1. 11

                                                                                            You assume that people put off by rms keep working on free software (or nearby). I personally know someone who didn’t. A talented person and a great gain for the organisation he switched to (which does good work for the world but has nothing to do with free software).

                                                                                            Of course he could be an exception. Or not; I see that the use of the GPL continues to decline so maybe rms puts off more people than he persuades.

                                                                                            1. 6

                                                                                              Why assume? rms-open-letter signers include ten Debian Project Leaders. Say whatever about Debian, but Debian is a dedicated free software organization as any, perhaps more than FSF.

                                                                                        2. 5

                                                                                          That’s not how it works. If a situation calls for anodyne statements in public and perhaps something else behind the scenes, and one spokesperson acts wisely while rms speaks in 72pt boldface, then rms’ choice of how to react is the effective average of the two.

                                                                                          1. 5

                                                                                            You can’t fork FSF. That’s the exact problem.

                                                                                            In my opinion, Software Freedom Conservancy is a much better software freedom organization than FSF. To me, FSF has no value at all as a software freedom organization except for one: it holds copyright of GCC. Forked FSF won’t hold copyright of GCC, and other aspects of FSF I don’t care about at all. So FSF can’t be forked.

                                                                                            1. 2

                                                                                              So … fork GCC too? I don’t see the problem here, unless you want to relicense.

                                                                                        1. 7

                                                                                          I have wondered this for so long!

                                                                                          1. 3

                                                                                            I have a faint memory that one of the really, really old CVEs was for this. A privileged script that expected its arguments to be file names, I think, and could be made to do Wrong Things by passing in shell metacharacters or -.

                                                                                            1. 10

                                                                                              People (rightly) talk a lot about the security implications of software being written in memory-unsafe languages like C. But, while there’s a lot of talk about the gotchas in shell programming, there’s shockingly little talk about the security implications of having so much software written in a language where it’s almost impossible to handle files correctly and almost impossible to handle strings correctly,

                                                                                              1. 7

                                                                                                I think that if a language’s safest way to compare strings uses syntax as weird "x$a" = "x$b", that’s a warning sign with letters big enough to read from space.

                                                                                                The sign reads do not use this language to write code to be run by strangers, and if there’s a footnote, the footnote says “this is a fine language to write a plugin for git bisect and that kind of one-offs, but not for writing things to be run by stranger, okay? you understand now?”

                                                                                                1. 3

                                                                                                  Yeah, I agree. Another interesting challenge is to iterate over all the files in a directory, correctly, and without doing the actual loop in a subprocess; it’s probably possible, but most people’s first 3 attempts will probably be dangerously broken.

                                                                                                  I agree that shell is a fine language for tiny one-off things, but I believe it’s being used way more broadly than that. I just ran a find /usr -name '*.sh' | xargs cloc [1] on my system, and found 114501 lines of shell across 1050 files. I don’t have a great level of confidence that none of those shell scripts ever consume untrusted input.

                                                                                                  [1] As an interesting footnote, find /usr -name '*.sh' | xargs cloc is incorrect; it won’t work if files contain whitespace, quotes or backslashes. The “correct” (AFAIK) command would be find /usr -name '*.sh' -print0 | xargs -0 cloc. I sure hope nobody has ever made that mistake in a context where files may contain “weird” characters! Also, that approach only works for iterating over a relatively small number of files; how many is dependent on your particular POSIX system!

                                                                                                  1. 4

                                                                                                    It also ignores the staggering number of shell scripts that are involved in the init process that aren’t named *.sh!

                                                                                                2. 3

                                                                                                  Bash is like glue, only a fool would make a whole building out of it.

                                                                                            1. 4

                                                                                              Is it free software or just open source? Does the license allow sharing these paid modules with other parties? Do you know of such case?

                                                                                              1. 7

                                                                                                The author actually answers this in one of the comments:

                                                                                                Well, no, open3A is no freeware. I know it usually is seen as if open source was the same as freeware. But open3A is “only” open source. Which means anyone who runs the software is allowed to see the source code and make alterations to it like she pleases. Some people actually do that with open3A, too.

                                                                                                In theory they are also allowed to re-sell the software. But we all know how hard it is to run a company and sell something. This hasn’t been an issue so far.

                                                                                                I think that’s really interesting. It sounds like it is a “true” FOSS license (I haven’t checked myself), and the only thing preventing everyone from taking it for free is access (only available via a shop or someone redistributing it). It probably means there are people running free versions out there, but the fact that updates are part of the paid package/download is likely what is keeping this going - it’s a neat hybrid one-time/subscription model.

                                                                                                1. 5

                                                                                                  in the comments the author clarifies that the plugins themselves are also open source

                                                                                                  1. 3

                                                                                                    Yeah, I get that. But what’s the license, though? If someone put it on GitHub or started selling it under a different name for a cheaper price, would the author mind? Free software would allow it, some source-available license not necessarily. I’m curious what’s the actual licensing and whether all people have acted in good will so far.

                                                                                                    1. 2

                                                                                                      The author might mind, but do you care?

                                                                                                      This isn’t new, BTW. Parts of GDB or GCC were developed under this model, by Cygnus in the nineties. I’ve forgotten which one (was it both?). None of the customers ever published what they got, even though they unambiguously had the right under the GPL.

                                                                                                      1. 6

                                                                                                        The author might mind, but do you care?

                                                                                                        Nah, I just wanted to know how viable and reliable this business model is to support one’s life. FOSS projects have been ripped before.

                                                                                                        I’d be afraid of it being just a matter of growing to a certain size or attracting someone like Albert Silver. A game of luck, basically. Once it happens, there goes your project and there goes your income. You can still sell future updates or support, but all your previous work got “stolen” and there’s nothing you can do with it.

                                                                                                        So what’s the strategy to cope with this? Make the sources available, but under a license stating basically that “this becomes licensed under GPL 5 years from now, but until then, you cannot redistribute this”?

                                                                                                        1. 1

                                                                                                          If you don’t want people to take your stuff without paying for it, don’t make it OSS. Why is this hard?

                                                                                                          1. 14

                                                                                                            Someone talks about flying around the world.

                                                                                                            Q: How likely is an aircraft accident?

                                                                                                            A: If you don’t want to die in an aircraft accident, don’t fly.

                                                                                                            Author of the article described his experiences with selling something. I asked about a specific scenario. Have it ever happened? That’s a yes or no question. Has she thought about what to do in such case?

                                                                                                            I find answers to these questions highly relevant for my own reasons at this very moment. Either answer it or don’t, but please stop going meta. (I also originally thought the story was posted by the author herself, but it probably wasn’t.)

                                                                                                            1. 2

                                                                                                              How on earth is this a valid analogy? A key part of all certified OSS licenses is the users’ right to re-distribute the software without your permission.

                                                                                                              1. 1

                                                                                                                Sorry about the lateness of this… “a key part” doesn’t imply that this part is important for everyone, or even for many people.

                                                                                                                The last time I was involved in anything of the sort, the company chose open source for sensible reasons that had nothing to do with that particular “key” part: Development and debugging convenience.

                                                                                                                Open source meant that I had the source for all the code that went into the final executable. I could see the source code for every stack frame in my debugger, and I when I released for production, I could say “this can be built reproducibly from this git tree”. They had no desire to distribute, but did have a desire to use less of my time, and did have a desire to have buildable source code on hand.

                                                                                                          2. 1

                                                                                                            AFAICT it’s awfully risky, but not more or less risky than developing software, generally speaking. You’ve read Peopleware and the other great classics that describe how and why most software projects fail? Those are large risks. Developing FOSS doesn’t make you immune, and AFAICT doesn’t make you much more susceptible either.

                                                                                                            If you have a specific case in mind, then that case will be one where going open source may add more risks than benefits. Or more benefits than risks. It depends.

                                                                                                    2. 1

                                                                                                      Cannot find the project on my mobile, but already a fork: https://github.com/Happy-Ferret/Office-Fox

                                                                                                      Which already answers some questions.

                                                                                                      1. 1

                                                                                                        Hasn’t got the last 5 years of updates, tho.

                                                                                                        1. 1

                                                                                                          is that not a rebase away?

                                                                                                          1. 3

                                                                                                            Yes, of course it could be updated, but the point is that, like the Cygnus customers, Open3A customers don’t seem to be interested in doing that.

                                                                                                            Open3A also seems inexpensive, so I don’t see that many people would want to undercut the author by buying from someone else (especially when the someone else won’t be creating new features for it).

                                                                                                    1. 14

                                                                                                      My first two contributions to programs anyone has heard of were to the linux kernel, for which I implemented two things. The second of them runs to this day and processes outbound TCP/UDP packets on countless hardware, and I’m very proud of how it’s largely unchanged after decades. The first got linux banned from some networks by causing ARP storms.

                                                                                                      There’s a lesson to be learned from this. Two lessons maybe, because Linus never said a harsh word after the first.

                                                                                                      1. 2

                                                                                                        If I understand his logic correctly, he would have harsh words for maintainers who approved your change, but not for you.

                                                                                                        1. 12

                                                                                                          Uhm, maintainers… this happened back when the linux world was a small clique and Linus helped people install linux. He helped me install linux, in fact ;)

                                                                                                          As long as I followed kernel development, he didn’t swear at anyone for any bug. I’d have gotten an earful if I had defended my code and suggested that other OSes involved in the ARP fiasco were to blame and ought to change.

                                                                                                          1. 1

                                                                                                            [Linus] helped me install linux, in fact

                                                                                                            Which year was this? How far from 1991? :-)

                                                                                                            1. 2

                                                                                                              ≤2 years after that July 1991 posting. I installed in July 1992 and deleted my MSDOS partition early in August. Can’t say precisely when I wrote the ARP code, since I had a rather unfortunate file system event a little later.

                                                                                                              1. 1

                                                                                                                “Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it ;)”

                                                                                                                1. 1

                                                                                                                  Only fools ask root for a favour, if that favour involves doing file system operations manually (instead of waiting for the chore to be done later by a crontab that would remember to enable tape backups).

                                                                                                      1. 1

                                                                                                        All three are open source and probably can be self hosted. Not sure if the common email pitfalls apply and how much work it would be to set them up. Maybe someone is doing that and can/cannot recommend it?

                                                                                                        1. 1

                                                                                                          It requires very roughly zero setup using most stock email software. Enable subaddresses, done.