1. 4

    This is interesting, but I’m curious if anyone actually has an example of an implementation that breaks this expectation?

    1. 7

      Some examples:

      On the x86, depending on how you have memory segmentation set up you can have many pointers that cast to different integers but point to the same area of memory. Most modern operating systems running in protected mode set up segmentation in such a way that it’s a moot point (and in long mode, it’s not possible to really set up any segmentation at all).

      (So this is the case of one memory location with multiple representations.)

      Similarly, Harvard architecture systems (common in microcontrollers) pointers get wonky and you can very easily have two different pointers that have the same integer value but point to two separate locations (e.g. a function pointer might have the same integer representation as a heap pointer, and the compiler will generate the appropriate code to handle the different cases depending on how you cast).

      (And this is the case of one representation pointing to multiple places.)

      The C standard requires that all pointers be castable to and from void pointers, but casting to integers results in implementation-defined behavior (this was true at least for C89; someone correct me if I’m wrong now). This is understandable in light of architectures whose pointers are bigger than the maximum integer width on the system.

      1. 3

        Similarly, Harvard architecture systems (common in microcontrollers) pointers get wonky and you can very easily have two different pointers that have the same integer value but point to two separate locations

        Even on x86! After all, with memory management two processes can have the same integer pointer which points to two different memory locations. Granted, processes don’t pass pointers around (that’s one of the points of process isolation), but it’s kinda of interesting (to me, anyway).

        1. 2

          Sure - & you can do that within the same process as well with creative use of shared memory & mmap().

        2. 1

          Function pointers do not need to be cast-able to (void *) in C.

          1. 1

            True. It’s object-void-object and function-function, but function-void-function is not required.

        3. 3

          Non-integer pointer platforms exist; in C on a Lisp machine, pointers were cons cells, and on AS/400, MI pointers are 128-bit.

        1. 27

          Everyone is focused on google, but it seems to me the core problem is let’s encrypt. It’s a perversion of the certificate model that they should be checking for malware at all. The cert verifies the domain name, not that the content is organic shade grown goodness. This shouldn’t be happening even if they are hosting malware.

          1. 6

            I know people here think I’m irresponsible in saying this, but my website has no SSL, because I can’t bring myself to use Let’s Encrypt without guaranteed renewal - I don’t want links to an SSL version which can randomly become untrusted at any time. Things like this make that point pretty well.

            I’ve also come to realize that “the cert verifies the domain name”, and it seems kind of odd that domain registration and cert issuance aren’t one and the same thing. The only explanation I have for why these two businesses aren’t completely fused at this point is the money made from “real” (not Let’s Encrypt) certificates, and cert issuers want to retain that cash flow. It’s hard to believe they’re really validating identity, since that’s time consuming and hard, and the number of bogus certificates issued is well known.

            1. 2

              I’ve also come to realize that “the cert verifies the domain name”, and it seems kind of odd that domain registration and cert issuance aren’t one and the same thing. The only explanation I have for why these two businesses aren’t completely fused at this point is the money made from “real” (not Let’s Encrypt) certificates, and cert issuers want to retain that cash flow.

              I think that it’s more that at one point in time folks thought that there needed to be a check on the ICANN hierarchy: how could I know that ibm.com is really IBM? After all, the com registrar might have just given that name to Intelligent Bicycle Market. But 20+ years of experience have shown, I think, that that was ultimately a dead end: users end up trusting Google more than CAs anyway, and very few people are typing in domains by hand. And now, with Let’s Encrypt, certificates are just validating that the site is served by the owner of the domain name.

              Given that, it does indeed make sense that receiving a certificate should be part of the domain-registration process. I’d go further than that: receiving a certificate should be part of the host-registration process: every server should have (at least) two certificates, one attesting that it is allowed to use a DNS name, and one attesting that it is allowed to use an IP address. If these two certificates are applied to the key which signs a communication, then every communication could be properly signed and MITM attacks would be prevented.

            2. 1

              That sounds more like a value add to me.

              1. 4

                And if a site uses naughty words? Should they get a special adults only cert? Keep the children safe.

                1. 2

                  You said malware. There’s already tools that assess site’s reputation by considering malware. Reputation and authenticity can be tied together to present an even better picture of whether users should interact with the site. Many already do this using multiple plugins. Security suites also bundle togethet protections as standard practice.

                  Now, Im not saying they should but that there’s potential value and precedent.

                  1. 3

                    How should a user opt out of this “protection”?

                    1. 1

                      For one, users cant easily opt out of much of what runs the web on infrastructure or tracking. Let’s keep that in mind. From there, one might not install the plugin, disable the settting, use different CA, ignore that kind of warning, and so on.

                      Will depend on how implementers handle it on each side. I cant tell you how it would play out.

                      1. 2

                        What plugin? What setting? How does a visitor to a site use a different CA? Ignore the warning that says the cert has expired? But the warning says nothing about why LE chose to force it to expire.

                        There’s a specific problem here and you’re kinda “but maybe it’s a good thing” hand waving.

                        1. 1

                          Let’s roll this back a bit.

                          “It’s a perversion of the certificate model that they should be checking for malware at all.”

                          This is what I was responding to saying they might do more value ads. It was hypothetical. You had a lot of specific questions which I wasnt even trying to explore that I was basically reacting to.

                          My main intent was to counter your claim that the certificate authorities should never offer extra services/benefits. My main evidence is it’s standard practice in security industry to do value-adds, esp for anti-malware. CA’s might try to do this, too, for reasons of profit or public benefit.

                          I have no position on the OP issue since I havent done enough research on it for very-informed opinion. Low priority for me for now.

                          1. 2

                            Ok, fair enough. Just pretend I wrote “objectionable content” instead of malware. :)

                            1. 2

                              In that case, I’d agree with you. I definitely dont want CA’s involved in such filtering. :)

                2. 2

                  I’m not so certain, because I don’t think that’s the role of a certificate authority: their business is identity, not sorting the goats from the sheep.

                  1. 1

                    Business is whatever makes money. If you can sell more products, you sell more products. If public-benefit, you might offer more services to offer more benefit. Companies even sometimes diversify into totally different markets so a low in one doesn’t impact them overall. Those are conglomerates.

                    So, the distinction you’re making is sensible but not a hard limit on CA’s. They can do whatever they want with their money to try to make money. They can even sell cheeseburgers. The Comodo Burger with Black Angus beef sounds tempting. Realistically, they’ll stay close to their current market. Assessing site’s instead of just identifying them is already a sub-market with lots of competing solutions commercially and FOSS. I use at least one at any given time.

              1. 5

                I’d rather use org-mode. That has an offline-capable mobile app (orgzly/beorg).

                1. 5

                  Yup, this seems like the textbook example of an ad-hoc, informally-specified, bug-ridden implementation of Org mode (with apologies to Philip Greenspun).

                1. 6

                  I wouldn’t consider the LGPL to be a bureaucratic or a bad license. I certainly wouldn’t want to use a proprietary graphics library; nor would I want to see my contributions to a library made proprietary. The GPL & LGPL create a software commons, which is pretty awesome.

                  1. 5

                    This is a popular point of contention. It’s like VIM vs. Emacs. These days I release under effective public domain (I can’t place anything in real PD in my jurisdiction) because I take whatever chance I can to have other people finish or build on top of my work in any form whatsoever, and screw attribution. They’re free to add any arbitrary restrictions if it makes them happy.

                    1. 3

                      It’s really nothing like vim vs. emacs. Vim vs. emacs is a matter of opinion and is about personal preference. Licenses are the opposite: if you support one over another you should be able to back that up with good reasoning.

                      because I take whatever chance I can to have other people finish or build on top of my work in any form whatsoever, and screw attribution. They’re free to add any arbitrary restrictions if it makes them happy.

                      If you’re fine with people taking your work and using it to abuse end users that’s for your conscience to deal with and not mine, but don’t pretend that it has anything to do with how ‘bureaucratic’ a license is.

                      1. 1

                        Why not just do a BSD-like license since public domain isn’t a thing in some countries but it is? If public domain isn’t always recognized, then putting stuff in the public domain might go against freedom or uptake given it limits who might use the work with its uncertainty. Whereas, people see BSD or MIT, they go “Hell yeah! Nothing to worry about!”

                        1. 4

                          The stress is on “effective”: 0BSD erases 1 half-sentence from the ISC license I used before.

                          1. 1

                            Ok, so it is licensed instead of just public domain. I didn’t know about that license either. Thanks for the tip!

                      2. 1

                        Agree. I got the impression that a lot of stupid would follow, as soon as I read this gem:

                        Why C? It’s a clean, rather simple language that I’ve ‘mastered’ at one point […]

                        “Mastering C” and thinking it is “a clean, rather simple language” are at opposite ends of the knowledge spectrum.

                        1. 7

                          I think what the author meant is that at some point you learn enough of the C language that you’re able to read and understand 99% (maybe 100%?) of C code. The language is small enough and changing at such a slow pace that it’s possible to “master” it. I agree with the author that C is a clean and simple language perhaps made slightly dirtier with the incorporation of the preprocessor and various preprocessor macros but those are usually used sparingly.

                          1. 0

                            Then either all C developers must be trolling us with decades of security issues and crashes in their software, or describing C as “clean and simple” is an idea limited to people with the mistaken believe that they mastered the language.

                            1. 3

                              Just because a language doesn’t have facilities to reason about complex mechanisms expressively doesn’t mean it’s not simple. It’s a simple, clean, and flawed language. These things are orthogonal.

                              I think that there’s an extremely popular Unix-bias in online programming communities where all complexity is viewed as the same thing to be avoided without realizing that a lot of what you want to express is actually quite complex to express correctly.

                        2. 1

                          Though the problem is Go is always statically linked, so wouldn’t the application have to be LGPL then too?

                          1. 5

                            Actually, not always. Cgo is typically used with dynamic linking, and pure Go can also link dynamically since 1.5. I haven’t experimented with it yet.

                          2. 1

                            Yeah there’s nothing at all ‘bureaucratic’ about any license. They’re all as bureaucratic as each other.

                          1. 1

                            I get that mental illness gives old mate a pass on the racist diatribes, but most of those “features” are really bad ideas.

                            1. 7

                              As the article put it:

                              Don’t write things off just because they have big flaws.

                              That said, would you please expand on why most of the features are really bad ideas?

                              1. 11

                                I may be the only user of my computer, but I still appreciate memory protection.

                                1. 5

                                  More to the point: Practically every, if not every, security feature is also an anti-footbullet feature. Memory protection protects my data from other people on the system and allows security contexts to be enforced, and it protects my data from one of my own programs going wrong and trying to erase everything it can address. Disk file protections protect my data from other users and partially-trusted processes, and ensure my own code can’t erase vital system files in the normal course of operation. That isn’t even getting into how memory protection interacts with protecting peripheral hardware.

                                  Sufficiently advanced stupidity is indistinguishable from malice.

                                  1. 15

                                    But that’s not really the point of TempleOS, is it?

                                    As Terry once mentioned, TempleOS is a motorbike. If you lean over too far you fall off. Don’t do that. There is no anti-footbullet features because that’s the point.

                                    Beside that, TOS still has some features lacking in other OS. Severely lacking.

                                    1. 1

                                      Beside that, TOS still has some features lacking in other OS. Severely lacking.

                                      Like?

                                      1. 12

                                        The shell being not purely text but actual hypertext with images is lacking in most other os by default and I would love to have that.

                                        1. 6

                                          If you’ve never played with Oberon or one of its descendant systems, or with Acme (inspired by Oberon) from Rob Pike, you should give it/them a try.

                                          1. 0

                                            If you start adding images and complex formatting in to the terminal then you lose the ability to pipe programs and run text processing tools on them.

                                            1. 13

                                              Only because Unix can’t comprehend with the idea of anything other than bags of bytes that unformatted text happens to be congruent with.

                                              1. 4

                                                I have never seen program composition of guis. The power of text is how simple it is to manipulate and understand with simple tools. If a tool gives you a list of numbers its very easy to process. If the tool gives you those numbers in a picture of a pie chart then it’s next to impossible to do stuff with that.

                                                1. 7

                                                  Program composition of GUIs is certainly possible – the Alto had it. It’s uncommon in UNIX-derived systems and in proprietary end-user-oriented systems.

                                                  One can make the argument that the kind of pipelining of complex structured objects familiar from notebook interfaces & powershell is as well-suited to GUI composability as message-passing is (although I prefer message-passing for this purpose since explicit nominal typing associated with this kind of OO slows down iterative exploration).

                                                  A pie chart isn’t an image, after all – a pie chart is a list of numbers with some metadata that indicates how to render those numbers. The only real reason UNIX doesn’t have good support for rich data piping is that it’s hard to add support to standard tools decades later without breaking existing code (one of the reasons why plan9 is not fully UNIX compatible – it exposes structures that can’t be easily handled by existing tools, like union filesystems with multiple files of the same name, and then requires basically out-of-band disambiguation). Attempts to add extra information to text streams in UNIX tools exist, though (often as extra control sequences).

                                                  1. 3

                                                    Have a look at PowerShell.

                                                    1. 3

                                                      I have never seen program composition of guis. The power of text is how simple it is to manipulate and understand with simple tools. If a tool gives you a list of numbers its very easy to process. If the tool gives you those numbers in a picture of a pie chart then it’s next to impossible to do stuff with that.

                                                      Then, respectfully, you need to get out more :) Calvin pointed out one excellent example, but there are others.

                                                      Smalltalk / Squeak springs to mind.

                                                      1. 2

                                                        Certainly the data of the pie chart has to be structured with such metadata that you can pipe it to a tool which extracts the numbers. Maybe even manipulates them and returns a new pie chart.

                                                    2. 3

                                                      You don’t loose that ability considering such data would likely still have to be passed around in a pipe. All that changes is that your shell is now capable of understanding hypertext instead of normal text.

                                                      1. 1

                                                        I could easily imagine a command shell based on S-expressions rather than text which enabled one to pipe typed data (to include images) easily from program to program.

                                                  2. 1

                                                    But why do I want that? It takes me 30 seconds to change permissions on /dev/mem such that I too can ride a motorbike without a helmet.

                                                    1. 2

                                                      That is completely beside the point. A better question is how long would it take you to implement an operating system from scratch, by yourself, for yourself. When you look at it that way, of course he left some things out. Maybe those things just weren’t as interesting to him.

                                                      1. 1

                                                        You could do that, but in TOS that’s the default. Defaults matter a lot.

                                                        1. 2

                                                          /dev/mem more or less world accessible was also the default for a particular smartphone vendor I did a security audit for.

                                                          Defaults do matter a lot…

                                                    2. 8

                                                      If there are no other users, and it takes only a second or two to reload the OS, what’s the harm?

                                                      1. 6

                                                        Its fine for a toy OS but I dont want to be working on real tasks where a bug in one program could wipe out everything I’m working on or corrupt it silently.

                                                        1. 11

                                                          I don’t think TempleOS has been advertised as anything other than a toy OS. All this discussion of “but identity mapped ring 0!” seems pretty silly in context. It’s not designed to meet POSIX guidelines, it’s designed to turn your x86_64 into a Commodore.

                                                  3. 2

                                                    Don’t write things off just because they have big flaws.

                                                    That’s pretty much the one and only reason where you would want to write things off.

                                                    1. 14

                                                      There’s a difference between writing something off based on it having no redeeming qualities and writing something off because it’s a mixed bag. TempleOS is a mixed bag – it is flawed in a generally-interesting way. (This is preferable to yet another UNIX, which is flawed in the same boring ways as every other UNIX.)

                                                  4. 2

                                                    This is probably not what you meant to imply, but nobody else said it, so just to be clear: Mental illness and racism aren’t correlated.

                                                    1. 2

                                                      Whatever is broken inside somebody to make them think the CIA is conspiring against them, I find it hard to believe that same fault couldn’t easily make somebody think redheads are conspiring against them.

                                                      1. 2

                                                        You’re oversimplifying. There are many schizophrenic people in the U.S., and most of them are not racist. Compulsions, even schizophrenic ones, don’t come from the ether, and they’re not correlated with any particular mental illness. Also, terry’s compulsions went far beyond paranoia.

                                                  1. -2

                                                    Well, that’s definitely a shrunken webpage about Go binaries: there’s not a word of text on it.

                                                    (and no, turning JavaScript on is not a good solution)

                                                    1. 3

                                                      Argh, I want to upvote ‘The Commons Clause will destroy open source’ without upvoting Redis Labs’s action.

                                                      1. 6

                                                        Upvote for the discussion. “Company Makes Business Decision” is rarely on-topic for Lobsters and often goes off the Rails; I’ve upvoted because I appreciate that we’re not rehashing well-worn licensing arguments here, though this announcement was poorly written.

                                                        1. 4

                                                          This is the second time Lobsters has censored my articles by merging them into tangentally related discussions.

                                                          1. 6

                                                            Nobody is censoring you. If anything, your visibility has been boosted by being on front page with another high-visibility thread. I didn’t even know about your article until I saw it here. To avoid clutter, the admins sometimes combine posts talking about same event or topic into a group. I can see someone not liking that decision. I’m not for or against it right now.

                                                            You weren’t censored, though. A mechanism bringing your writing to my attention is opposite of censorship.

                                                            1. 6

                                                              I don’t think you have this exactly right. What happens is someone submits it as an independent post, which is freely ranked on its own merits. Then a moderator merges it with a post which is already growing stale, as a significant fraction of the site has already looked at it and has little reason to return, except to consider replies to their comments - and even then they have to notice more articles have been added. It also removes a dedicated space for discussing that particular article, which in this case is important because the second article is more about Commons than it is about Redis, making the discussions difficult to live in parallel.

                                                              The original, independent post was censored by merging it into here. On the previous occasion the new post was merged into a post which was then several days old, where I presume approximately zero people saw it. This is censorship, and a clear cut case of it too. I don’t consider myself entitled to exposure but it’s censorship all the same, and part of the reason I distanced myself from Lobsters except to participate where others have posted my content.

                                                              1. 1

                                                                The original, independent post was censored by merging it into here. On the previous occasion the new post was merged into a post which was then several days old, where I presume approximately zero people saw it.

                                                                If your story disappeared, that scenario would be censorship since it was manipulated in a way that would nearly guarantee nobody would see it. The new one isn’t censorship because censorship is about people not seeing your stuff. The combined submission is 20+ votes on front page of a site with more readers than most blogs. Your views going up instead of down is opposite of censorship at least in general definition and effect it has.

                                                                1. 3

                                                                  The new one isn’t censorship because censorship is about people not seeing your stuff

                                                                  “Taking measures which prevent others from seeing your stuff” is literally censorship. I don’t want to argue semantics with you any longer. All of the information is on the table in the comments here, let people read them and settle on an opinion themselves.

                                                                  1. 2

                                                                    “Taking measures which prevent others from seeing your stuff” is literally censorship”

                                                                    I saw your stuff through Lobsters’ measures. So, it’s not censorship by your definition.

                                                                    “let people read them and settle on an opinion themselves”

                                                                    By all means.

                                                                  2. 3

                                                                    I really appreciate your point of view normally, but in this case I think you’re incorrect: it would be nice to have the community’s take on @SirCmpwn’s article itself (which is well worth reading) rather than have the comments blended in with those on Redis Labs.

                                                            2. 2

                                                              Upvoting doesn’t necessarily have to be approval of the content of the post. (though it usually should be)

                                                            1. 9

                                                              It’s interesting because the author is not thoughtlessly in favour of GitHub, but I think that his rebuttals are incomplete and ultimate his point is incorrect.

                                                              Code changes are proposed by making another Github-hosted project (a “fork”), modifying a remote branch, and using the GUI to open a pull request from your branch to the original.
                                                              

                                                              That is a bit of a simplification, and completely ignores the fact that GitHub has an API. So does GitLab and most other similar offerings. You can work with GitHub, use all of its features, without ever having to open a browser. Ok, maybe once, to create an OAuth token.

                                                              Whether using the web UI or the API, one is still performing the quoted steps (which notably never mention the browser).

                                                              A certain level of discussion is useful, but once it splits up into longer sub-threads, it becomes way too easy to loose sight of the whole picture.

                                                              That’s typically the result of a poor email client. We’ve had threaded discussions since at least the early 90s, and we’ve learned a lot about how to present them well. Tools such as gnus do a very good job with this — the rest of the world shouldn’t be held back because some people use poor tools.

                                                              Another nice effect is that other people can carry the patch to the finish line if the original author stops caring or being involved.
                                                              

                                                              On GitHub, if the original proposer goes MIA, anyone can take the pull request, update it, and push it forward. Just like on a mailing list. The difference is that this’ll start a new pull request, which is not unreasonable: a lot of time can pass between the original request, and someone else taking up the mantle. In that case, it can be a good idea to start a new thread, instead of resurrecting an ancient one.

                                                              What he sees as a benefit I see as a detriment: the new PR will lose the history of the old PR. Again, I think this is a tooling issue: with good tools resurrecting an ancient thread is just no big deal. Why use poor tools?

                                                              While web apps deliver a centrally-controlled user interface, native applications allow each person to customize their own experience.
                                                              

                                                              GitHub has an API. There are plenty of IDE integrations. You can customize your user-experience just as much as with an email-driven workflow. You are not limited to the GitHub UI.

                                                              This is somewhat disingenuous: while GitHub does indeed have an API, the number & maturity of GitHub API clients is rather less than the number & maturity of SMTP+IMAP clients. We’ve spent about half a century refining the email interface: it’s pretty good.

                                                              Granted, it is not an RFC, and you are at the mercy of GitHub to continue providing it. But then, you are often at the mercy of your email provider too.

                                                              There’s a huge difference between being able to easily download all of one’s email (e.g. with OfflineIMAP) and only being at the mercy of one’s email provider going down, and being at the mercy of GitHub preserving its API for all time. The number of tools which exist for handling offline mail archives is huge; the number of tools for dealing with offline GitHub project archives is … small. Indeed, until today I’d have expected it to be almost zero.

                                                              Github can legally delete projects or users with or without cause.
                                                              

                                                              Whoever is hosting your mailing list archives, or your mail, can do the same. It’s not unheard of.

                                                              But of course my own maildir on my own machine will remain.

                                                              I use & like GitHub, and I don’t think email is perfect. I think we’re quite aways from the perfect git UI — but I’m fairly certain that it’s not a centralised website.

                                                              1. 8

                                                                We’ve spent about half a century refining the email interface: it’s pretty good.

                                                                We’ve spent about half a century refining the email interface. Very good clients exist…. but most people still use GMail regardless.

                                                                1. 6

                                                                  That’s typically the result of a poor email client. We’ve had threaded discussions since at least the early 90s, and we’ve learned a lot about how to present them well. Tools such as gnus do a very good job with this — the rest of the world shouldn’t be held back because some people use poor tools.

                                                                  I have never seen an email client that presented threaded discussions well. Even if such a client exists, mailing-list discussions are always a mess of incomplete quoting. And how could they not be, when the whole mailing list model is: denormalise and flatten all your structured data into a stream of 7-bit ASCII text, send a copy to every subscriber, and then hope that they’re able to successfully guess what the original structured data was.

                                                                  You could maybe make a case for using an NNTP newsgroup for project discussion, but trying to squeeze it through email is inherently always going to be a lossy process. The rest of the world shouldn’t be held back because some people use poor tools indeed - that means not insisting that all code discussion has to happen via flat streams of 7-bit ASCII just because some people’s tools can’t handle anything more structured.

                                                                  I agree with there being value in multipolar standards and decentralization. Between a structured but centralised API and an unstructured one with a broader ecosystem, well, there are arguments for both sides. But insisting that everything should be done via email is not the way forward; rather, we should argue for an open standard that can accommodate PRs in a structured form that would preserve the very real advantages people get from GitHub. (Perhaps something XMPP-based? Perhaps just a question of asking GitHub to submit their existing API to some kind of standards-track process).

                                                                  1. 1

                                                                    You could maybe make a case for using an NNTP newsgroup for project discussion

                                                                    While I love NNTP, the data format is identical to email, so if you think a newsgroup can have nice threads, then so could a mailing list. They’re just different network distribution protocols for the same data format.

                                                                    accommodate PRs in a structured form

                                                                    Even if you discount structured text, emails and newsgroup posts can contain content in any MIME type, so a structured PR format could ride along with descriptive text in an email just fine.

                                                                    1. 1

                                                                      Even if you discount structured text, emails and newsgroup posts can contain content in any MIME type, so a structured PR format could ride along with descriptive text in an email just fine.

                                                                      Sure, but I’d expect the people who complain about github would also complain about the use of MIME email.

                                                                    2. 1

                                                                      You could maybe make a case for using an NNTP newsgroup for project discussion, but trying to squeeze it through email is inherently always going to be a lossy process.

                                                                      Not really — Gnus has offered a newsgroup-reader interface to email for decades, and Gmane has offered actual NNTP newsgroups for mailing lists for 16 years.

                                                                      But insisting that everything should be done via email is not the way forward; rather, we should argue for an open standard that can accommodate PRs in a structured form that would preserve the very real advantages people get from GitHub. (Perhaps something XMPP-based? Perhaps just a question of asking GitHub to submit their existing API to some kind of standards-track process).

                                                                      I’m not insisting on email! It’s decent but not great. What I would insist on, were I insisting on anything, is real decentralisation: issues should be inside the repo itself, and PRs should be in some sort of pararepo structure, so that nothing more than a file server (whether HTTP or otherwise) is required.

                                                                    3. 4

                                                                      …the new PR will lose the history of the old PR.

                                                                      Why not just link to it?

                                                                      This is somewhat disingenuous: while GitHub does indeed have an API, the number & maturity of GitHub API clients is rather less than the number & maturity of SMTP+IMAP clients. We’ve spent about half a century refining the email interface: it’s pretty good.

                                                                      That strikes me as disingenuous as well. Email is older. Of course it has more clients, with varying degrees of maturity & ease of use. That has no bearing on whether the GitHub API or an email-based workflow is a better solution. Your point is taken; the GitHub API is not yet “Just Add Water!”-tier. But the clients and maturity will come in time, as they do with all well-used interfaces.

                                                                      Github can legally delete projects or users with or without cause.

                                                                      Whoever is hosting your mailing list archives, or your mail, can do the same. It’s not unheard of.

                                                                      But of course my own maildir on my own machine will remain.

                                                                      Meanwhile, the local copy of my git repo will remain.

                                                                      I think we’re quite aways from the perfect git UI — but I’m fairly certain that it’s not a centralised website.

                                                                      I’m fairly certain that it’s a website of some sort—that is, if you intend on using a definition of “perfect” that scales to those with preferences & levels of experience that differ from yours.

                                                                      1. 2

                                                                        Meanwhile, the local copy of my git repo will remain.

                                                                        Which contains no issues, no discussion, no PRs — just the code.

                                                                        I’d like to see a standard for including all that inside or around a repo, somehow (PRs can’t really live in a repo, but maybe they can live in some sort of meta- or para-repo).

                                                                        I’m fairly certain that it’s a website of some sort—that is, if you intend on using a definition of “perfect” that scales to those with preferences & levels of experience that differ from yours.

                                                                        Why on earth would I use someone else’s definition? I’m arguing for my position, not someone else’s. And I choose to categorically reject any solution which relies on a) a single proprietary server and/or b) a JavaScript-laden website.

                                                                        1. 1

                                                                          Meanwhile, the local copy of my git repo will remain.

                                                                          Which contains no issues, no discussion, no PRs — just the code.

                                                                          Doesn’t that strike you as a shortcoming of Git, rather than GitHub? I think this may be what you are getting at.

                                                                          Why on earth would I use someone else’s definition?

                                                                          Because there are other software developers, too.

                                                                          I choose to categorically reject any solution which relies on a) a single proprietary server and/or b) a JavaScript-laden website.

                                                                          I never said anything about reliance. That being said, I think the availability of a good, idiomatic web interface is a must nowadays where ease-of-use is concerned. If you don’t agree with that, then you can’t possibly understand why GitHub is so popular.

                                                                      2. 3

                                                                        (author here)

                                                                        Whether using the web UI or the API, one is still performing the quoted steps

                                                                        Indeed, but the difference between using the UI and the API, is that the latter is much easier to build tooling around. For example, to start contributing to a random GitHub repo, I need to do the following steps:

                                                                        • Tell my Emacs to clone & fork it. This is as simple as invoking a shortcut, and typing or pasting the upstream repo name. The integration in the background will do the necessary forking if needed. Or I can opt not to fork, in which case it will do it automatically later.
                                                                        • Do the changes I want to do.
                                                                        • Tell Emacs to open a pull request. It will commit my changes (and prompt for a commit message), create the branch, and open a PR with the same commit message. I can use a different shortcut to have more control over what my IDE does, name the branch, or create multiple commits, etc.

                                                                        It is a heavily customised workflow, something that suits me. Yet, it still uses GitHub under the hood, and I’m not limited to what the web UI has to offer. The API can be built upon, it can be enriched, or customised to fit one’s desires and habits. The difference in what I need to do to get the same steps done differs drastically. Yes, my tooling does the same stuff under the hood - but that’s the point, it hides those detail from me!

                                                                        (which notably never mention the browser).

                                                                        Near the end of the article I replied to:

                                                                        “Tools can work together, rather than having a GUI locked in the browser.”

                                                                        From this, I concluded that the article was written with the GitHub web UI in mind. Because the API composes very well with other tools, and you are not locked into a browser.

                                                                        That’s typically the result of a poor email client.

                                                                        I used Gnus in the past, it’s a great client. But my issue with long threads and lots of branches is not that displaying them is an issue - it isn’t. Modern clients can do an amazing job making sense of them. My problem is the cognitive load of having to keep at least some of it in mind. Tools can help with that, but I can only scale so far. There are people smarter than I who can deal with these threads, I prefer not to.

                                                                        What he sees as a benefit I see as a detriment: the new PR will lose the history of the old PR. Again, I think this is a tooling issue: with good tools resurrecting an ancient thread is just no big deal. Why use poor tools?

                                                                        The new PR can still reference the old PR, which is not unlike having an In-Reply-To header that points to a message not in one’s archive. It’s possible to build tooling on top of this that would go and fetch the original PR for context.

                                                                        Mind you, I can imagine a few ways the GitHub workflow could be improved, that would make this kind of thing easier, and less likely to loose history. I’d still rather have an API than e-mail, though.

                                                                        This is somewhat disingenuous: while GitHub does indeed have an API, the number & maturity of GitHub API clients is rather less than the number & maturity of SMTP+IMAP clients. We’ve spent about half a century refining the email interface: it’s pretty good.

                                                                        Refining? You mean that most MUAs look just like they did thirty years ago? There were many quality of life improvements, sure. Lots of work to make them play better with other tools (this is mostly true for tty clients and Emacs MUAs, as far as I saw). But one of the most wide-spread MUA (gmail) is absolutely terrible when it comes to working with code and mailing lists. Same goes for Outlook. The email interface story is quite sad :/

                                                                        There’s a huge difference between being able to easily download all of one’s email (e.g. with OfflineIMAP) and only being at the mercy of one’s email provider going down, and being at the mercy of GitHub preserving its API for all time.

                                                                        Yeah, there are more options to back up your mail. It has been around longer too, so that’s to be expected. Email is also a larger market. But there are a reasonable number of tools to help backing up one’s GitHub too. And one always makes backups anyway, just in case, right?

                                                                        So yeah, there is a difference. But both are doable right now, with tools that already exist, and as such, I don’t see the need for such a fuss about it.

                                                                        I use & like GitHub, and I don’t think email is perfect. I think we’re quite aways from the perfect git UI — but I’m fairly certain that it’s not a centralised website.

                                                                        I don’t think GitHub is anywhere near perfect, especially not when we consider that it is proprietary software. It being centralised does have advantages however (discoverability, not needing to register/subscribe/whatever to N+1 places, and so on).

                                                                      1. 14

                                                                        I disagree, because that will only lead to a morass of incompatible software. You refuse for your software to be run by law enforcement, he refuses for his software to be run by drug dealers, I refuse for my software to be run by Yankees — where does it all end?

                                                                        It’s a profoundly illiberal attitude, and the end result will be that everyone would have to build his own software stack from scratch.

                                                                        1. 5

                                                                          Previous discussions on reddit (8 years ago) and HN (one year ago).

                                                                          1. 4

                                                                            “It’s a great way to make sure proprietary software is always well funded and had congress/parliment in their corner.” (TaylorSpokeApe)

                                                                          2. 1

                                                                            I don’t buy the slippery slope argument. There are published codes of ethics for professional software people by e.g. the BCS or ACM, that may make good templates of what constitutes ethical activity within which to use software.

                                                                            But by all means, if you want to give stuff to the drug dealing Yankee cop when someone else refuses to, please do so.

                                                                            1. 9

                                                                              Using one of those codes would be one angle to go for ethical consensus, but precisely because they’re attempts at ethical consensus in fairly broad populations, they mostly don’t do what many of the people wanting restrictions on types of usage would want. One of the more common desires for field-of-usage restriction is, basically, “ban the US/UK military from using my stuff”. But the ACM/BCS ethics codes, and perhaps even more their bodies’ enforcement practices, are pretty much designed so that US/UK military / DARPA / CDE activity doesn’t violate them, since it would be impossible to get broad enough consensus to pass an ACM code of ethics that banned DARPA activity (which funds many ACM members’ work).

                                                                              It seems even worse if you want an international software license. Even given the ACM or BCS text as written, you would get completely different answers about what violates it or doesn’t, if you went to five different countries with different cultures and legal traditions. The ACM code, at least, has a specific enforcement mechanism defined, which includes mainly US-based people. Is that a viable basis for a worldwide license, Americans deciding on ethics for everyone else? Or do you take the text excluding the enforcement mechanism, and let each country decide what things violate the text as written or not? Then you get very different answers in different places. Do we need some kind of international ethics court under UN auspices instead, to come up with a global verdict?

                                                                              1. -10

                                                                                I had a thought to write software so stupid no government would use it but then I remembered linux exists

                                                                              2. 4

                                                                                It’s not a slippery slope. The example in the OP link would make the software incompatible with just about everything other than stuff of the same license or proprietary software. An MIT project would be unable to use any of the code from a project with such a rule.

                                                                            1. 5

                                                                              One of the things that I like about using a tiling window manager rather than a desktop environment is that I never see icons. That’s not quite true — I see them in Firefox — but it’s mostly true. Rather than constantly finding little things to point & click on, I just use my computer all day long.

                                                                              What I’m trying to say is that maybe obsessing over icons is the wrong answer. Maybe what we need is to radically reimagine the human-computer interface. Tiling iconless WMs are probably not the answer for most people, but — maybe something new is.

                                                                              1. 2

                                                                                What do you use besides icons in that setup? Menus and search/command line?

                                                                                1. 2

                                                                                  I have StumpWM commands set up for command functions like ‘switch to emacs,’ ‘switch to Firefox,’ ‘switch to JavaScript-enabled Firefox,’ ‘switch to console’ &c.; I bind the really-commonly-used ones to keys and just use StumpWM’s colon (prefix ;) to execute them quickly. For other stuff I’ll either execute them directly with prefix !, or use the console or emacs shell.

                                                                                  It’s not terribly discoverable, which is why I won’t say that it’s the wave of the future. But it’s so much faster than e.g. scrolling through macOS, Windows, Android or GNOME stuff.

                                                                                  1. 2

                                                                                    I mean, I use OS X almost exclusively, and I never see icons, either. I run everything through Alfred and keep my windows tiled or full screen. It’s not as smooth as using a tiled WM in X, but it’s still plenty nice for me.

                                                                                1. 3

                                                                                  There was a recent discussion about whether file-based APIs were better or worse the specific ones (https://lobste.rs/s/ckqzbn/why_filesystems_have_loose_coupling_your).

                                                                                  I think a lot of the pros and cons of that API choice are illuminated by unveil.

                                                                                  Things can always be implemented either way (layered on top of the generic mechanism, or given their own specific mechanism). But if you then enhance the general mechanism with a new feature, you get to use that for all of the functionality you have layered on top.

                                                                                  (As a side thought - it’s kind of a nice thought experiment: If the only syscalls were open/close/read/write and friends - how would you (a) provide an interface for all other system calls and (b) put them together in a filepath hierarchy so that unveil() grouped things nicely.)

                                                                                  1. 4

                                                                                    I know very little about either of these topics, but I wonder if it would be interesting to combine OpenBSD’s security syscalls like pledge and unveil (is there a generic name for these? Privilege-based security?) with Plan 9’s extreme everything is a filesystem approach.

                                                                                    1. 5

                                                                                      The amount of syscalls in Plan9 is so small that pledge(2) wouldn’t make much sense. And unveil(2) wouldn’t really be necessary as there are already mount namespaces, a process can unmount paths and then use rfork(2)s RFNOMNT flag to disallow mounting new resources.

                                                                                      https://swtch.com/~rsc/talks/nauth.pdf

                                                                                      1. 3

                                                                                        In other words, Plan 9 obviated the need for these approaches. It really was the wave of the future, but it hasn’t reached the shore yet. Yet …

                                                                                  1. 1

                                                                                    I like the idea, actually (and I subscribe to similar feeds, e.g. Sacha Chua’s emacs news).

                                                                                    My biggest concern is the name: ‘Valuable News weekly update #26’ tells me nothing about your subject matter. Maybe change it, even to something like ‘Vermaden’s News’?

                                                                                    1. 1

                                                                                      Thanks for idea about the name.

                                                                                    1. 13

                                                                                      The issue with double dash (--) is one “string safety” problem I’ve meant to address on my blog, but haven’t yet.

                                                                                      I’m not sure I’m following the argument in this post though.

                                                                                      • I don’t see the need to distinguish between paths and strings.
                                                                                      • I do see the need to distinguish between args and flags, which is what the -- convention does.
                                                                                      • As far as serializing arrays, it seems like the NUL convention of find -print0 and xargs -0 is (surprisingly) sufficient? I didn’t quite see that until writing the two Git Log in HTML posts.

                                                                                      I think there does need to be some kind of lint check or function wrapper for --, like flagging the former but not the latter (somehow):

                                                                                      grep foo $file  # oops, $file could be a flag and GNU and OS X grep accepts it
                                                                                      grep -- foo $file  # this is more correct
                                                                                      
                                                                                      
                                                                                      mygrep() {  # mygrep only accepts args
                                                                                        grep -E --color -- "$@" 
                                                                                      }
                                                                                      mygrep2() {  However sometimes you do want the user to be able to append flags, so this function is useful too
                                                                                        grep -E --color "$@" 
                                                                                      }
                                                                                      mygrep2 -v pattern *.c  # invert match
                                                                                      

                                                                                      The rule I have for Oil is to avoid “boiling the ocean” – i.e. there can’t be some new protocol that every single command has to obey, because that will never happen. Heterogeneity is a feature.

                                                                                      However there should be some recommended “modern” style, and I haven’t quite figured it out for the flag/arg issue.

                                                                                      I think one place Oil will help is that you can actually write a decent flags parser in it. So maybe the shell can allow for wrappers for grep/ls/dd etc. that actually parse flags and then reserialize them to “canonical form” like:

                                                                                      command @flags -- @args  # in Oil syntax
                                                                                      command "${flags[@]}" -- "${args[@]}"  # in bash syntax
                                                                                      

                                                                                      I addressed quoting and array types in various places, including this post:

                                                                                      Thirteen Incorrect Ways and Two Awkward Ways to Use Arrays

                                                                                      There are also related string safety problems here – is -a an argument or an operator to test ?

                                                                                      Problems With the test Builtin: What Does -a Mean?

                                                                                      1. 4

                                                                                        I don’t see the need to distinguish between paths and strings.

                                                                                        They’re different types: a path is a string which is or could be the pathname of a file or directory on disk. Since they’re different types, treating them differently yields all the standard benefits of strong typing.

                                                                                      1. 5

                                                                                        texinfo(1) and DocBook are excessively complicated, ill-designed, and unmaintained

                                                                                        One might quibble with the complexity & design of texinfo, but I believe Brian Fox & Karl Berry would be surprised to find out that it’s unmaintained: they are, after all, the maintainers, and released the latest version last summer.

                                                                                        1. 7

                                                                                          No, it’s really not a good language. It’s a pretty terrible language on which a colossal malinvestment of human resources has been squandered, leading to a not-entirely-terrible ecosystem which is just barely usable for real work.

                                                                                          If the effort which had been mis-spent on JavaScript had instead been focused on an actually good language, then the world would be so much better off now.

                                                                                          Not just that, though: JavaScript has poisoned the web. What was once a really nice way to serve resources has become a grotesque, undesigned application development platform whose sole virtue is that it’s been deployed everywhere. Also, it’s used regularly to undermine privacy & security.

                                                                                          1. 4

                                                                                            Eclipse dying however results in a net loss for developers.

                                                                                            I don’t know about that — it means less competition pulling developers away from emacs, which can only be a good thing.

                                                                                            1. 4

                                                                                              I believe that there’s a very real chance that a reëvaluation of scientific research — particularly the social sciences, which are so soft as to border on pseudoscience to begin with — in light of this new understanding is very likely to yield unexpected & revolutionary results.

                                                                                              1. 7

                                                                                                The social sciences are not “so soft as to border on pseudoscience”. Yes P-Hacking and over reliance on p-values are an issue, but they’re an issue unilaterally. It matters just as much in physics as it does in social science. The idea that social sciences are somehow less rigorous than say physics is I think fallacious and without merit. Physics is still ultimately rooted in experimental evidence which is statistical in nature. You realize you’re discrediting an entire set scientific fields with literally no evidence and likely with very little knowledge of the subject. It’s not like there’s been literally no replication in the social sciences. What an absolutely absurd claim.

                                                                                                1. 6

                                                                                                  I have to agree with @bargap here. Physics is a poor example to hold up against the social sciences. Physics results require a level of significance that is mind boggling. Of course those piddly experimentalists do get things wrong sometimes. But a better comparison is perhaps life sciences. The basic problem is that the system is so complex that it is hard to figure out all the moving parts and make sure you’ve bolted down all but a few.

                                                                                                  There is a running joke about “Doctors recommend … “ (take your pick - babies should sleep on their back/belly, this food is bad/good for you, this causes/cures cancer, this causes/does not cause autism …) precisely because we’ve been burned so many times by studies that just did not have enough N, or more insidiously (and forgivably), had a biased N.

                                                                                                  Social sciences study PersONS which are much more complex than protONS or electrONS but their tooling and standards are, paradoxically, lower, not higher and society seems to have an expectation of what the right answer should be, allowing social biases to play a disproportionate role in biasing reports in these fields.

                                                                                                  1. 4

                                                                                                    If you look in spaces like chemistry or spintronics you’ll find a lot of papers that people end up not being able to reproduce because it turned out that the machine that the writers were using had issues.

                                                                                                    In situations where there are only 5 or so machines in the world that can do an experiment, if 1 of them has an issue then it’s not always easy to validate. Especially when the research methodology is “cartesian product of every material with every technique => see if something happens”. And even absent that, people’s interpretations of measurements change over time too!

                                                                                                    Agree that people are harder to study, especially in long term stuff. But we don’t do many physics experiments over 20 years either! It’s mainly that time is hard, and preconditions are hard to set up. You can totally do experiments in social sciences over a small time scale correctly.

                                                                                                    1. 5

                                                                                                      Instead of comparing the foundations of physics to the edges of social sciences you should be considering the edges of physics, after all it doesn’t make sense to compare things which have a thousand years of replication to ones with tens of years. We’re still not sure that dark matter actually exists. Classical bias risk is pervasive in theoretical physics and is a constant threat.

                                                                                                      The analogy is instead saying “Medical science borders on pseudoscience, we should cast doubt on the entire field including claims such as “Arsenic is poisonous” because some of the newer claims on cancer haven’t yet been replicated”.

                                                                                                      To be entirely clear you haven’t been burned by science, you’ve been burned by irresponsible reporting which has confidence from a single study.

                                                                                                      This article is also relevant here https://news.harvard.edu/gazette/story/2016/03/study-that-undercut-psych-research-got-it-wrong/

                                                                                                      The concession is that there hasn’t been enough replication but a recent study reported on by ars which I don’t have on hand right now says that the replication rate of social science studies were around 70%, which is yeah not great but it’s hardly pseudoscience.

                                                                                                      1. 3

                                                                                                        To be entirely clear you haven’t been burned by science, you’ve been burned by irresponsible reporting which has confidence from a single study.

                                                                                                        That’s a classic defense. “I never said that! They blew the press release all out of proportion”. Sometimes it is true.

                                                                                                        I know of many papers where inferences and conclusions are not warranted by the data and have seen this in different fields of study. I infer that this is common human behavior to game a the system that rewards visibility and volume.

                                                                                                        1. 5

                                                                                                          You have conveniently dodged the main premise of my argument. Sure I’ll concede there are plenty of bad actors, but they aren’t magically condensed in the social sciences.

                                                                                                          1. 2

                                                                                                            The social sciences are definitely one of the areas where bad studies are harder to root out because of lower standards of rigor combined with the complexity of the subject and the fact that “truthiness” is easier to determine and therefore forms an extra social pressure not to challenge a particular study if it conforms to current social biases.

                                                                                                            1. 3

                                                                                                              I don’t think its actually reasonable to say that the newest physics are any more rigorous, any less complex, or any less rife with bias. They both use studies with statistical evidence so they both have a lot of rigor but it’s hard to beat replication. They both are very very complex. They both have lots and lots of human bias, from a bias towards classicalism, conservativism, anti-classicalism and modernism. That doesn’t mean that either of them are anywhere near pseudoscience. The claim is just uninformed.

                                                                                                1. 4

                                                                                                  GUI development is broken, but JSON isn’t the solution: it’s another broken thing, just broken along a different axis.

                                                                                                  An S-expression–based interface would be better, because then there’d be a seamless way to embed behaviour along with the GUI …

                                                                                                  1. 9

                                                                                                    Ocaml uses 0o for octal. Seem consistent and works well enough.

                                                                                                    1. 4

                                                                                                      Common Lisp uses #o as a prefix, e.g. #o0, which seems fine too.

                                                                                                    1. 3

                                                                                                      Perhaps beside the point, but: the gendered language was a bit distracting. By this point in history, when I read a blog post like this that exclusively uses “he” and “his” for unspecified genders, it feels like the author is making a political point of it (as I say, feels like: I have no insight into this author or his political position), and ends up niggling a little while reading.

                                                                                                      1. 1

                                                                                                        Yes, same here.

                                                                                                        1. 1

                                                                                                          While I agree with you, on further reflection, this does seem like derailing.

                                                                                                          1. 0

                                                                                                            when I read a blog post like this that exclusively uses “he” and “his” for unspecified genders, it feels like the author is making a political point of it

                                                                                                            I’m the opposite: when I read a post which uses incorrect English, it feels like the author is making a political point of it. In English, the feminine is only used when referring to a specific female; for all other purposes the masculine (or, if you prefer, the ‘general’) is used.

                                                                                                            1. 2

                                                                                                              In English, the feminine is only used when referring to a specific female; for all other purposes the masculine (or, if you prefer, the ‘general’) is used.

                                                                                                              According to whom? I’m asking this because the singular they goes at least as far back as 1848, where it appeared in William Makepeace Thackeray’s novel Vanity Fair.

                                                                                                              1. 1

                                                                                                                It actually goes back further than that — and in fact Shakespeare used it, IIRC! Still, it’s an ugly construction.

                                                                                                                1. 2

                                                                                                                  It actually goes back further than that — and in fact Shakespeare used it, IIRC! Still, it’s an ugly construction.

                                                                                                                  Ugly? Again you beg the question: according to whom? For example, the Associated Press has a style guide article which offers the following recommendation:

                                                                                                                  “They, them, their — In most cases, a plural pronoun should agree in number with the antecedent: The children love the books their uncle gave them.They/them/their is acceptable in limited cases as a singular and-or gender-neutral pronoun, when alternative wording is overly awkward or clumsy. However, rewording usually is possible and always is preferable. Clarity is a top priority; gender-neutral use of a singular they is unfamiliar to many readers. We do not use other gender-neutral pronouns such as xe or ze…”

                                                                                                                  “Arguments for using they/them as a singular sometimes arise with an indefinite pronoun(anyone, everyone, someone) or unspecified/unknown gender(a person, the victim, the winner)…”

                                                                                                                  “In stories about people who identify as neither male nor female or ask not to be referred to as he/she/him/her: Use the person’s name in place of a pronoun, or otherwise reword the sentence, whenever possible. If they/them/their use is essential, explain in the text that the person prefers a gender-neutral pronoun. Be sure that the phrasing does not imply more than one person… “

                                                                                                                  I’ll admit it can be awkward if you’re not used to it, but I don’t buy the premise that singular they is ugly or wrong.