1. 21

    Bram’s benchmarks are not using LuaJit. So when he mentions my benchmarks (on the mailing list at least) and presents the Vimscript2 vs Lua benchmarks, this is confusing. LuaJit is 10x faster.

    The Vim9 benchmarks are always structured as function definitions, because the Vimscript2 optimizer won’t work at script scope (i.e. outside of a function). And it sounds like “lambdas” will continue to be slow.

    The main disappointment for me is that existing Vimscript plugins won’t benefit from Vimscript2 optimizations, because Vimscript2 is a different language. If authors must rewrite plugins then I would prefer a well-engineered language (like Lua) instead of Bramscript.

    Given how bigoted and petty people are about syntax, my grand prediction is that the unpaired } will be the most disliked feature of Bramscript.

    1. 18

      If authors must rewrite plugins then I would prefer a well-engineered language (like Lua) instead of Bramscript.

      You know, Lisp would be a good choice for a well-engineered choice to extend an editor …

      1. 4

        Given how bigoted and petty people are about syntax, my grand prediction is that the unpaired } will be the most disliked feature of Bramscript.

        I remember people mocking it in Zimbu, so you’re right on the money.

        1. 3

          Out of interest - is Lua interpreter of VimL still in the making or it is paused indefinitely? That would be interesting thing to see in the future.

          But I agree, if there is plan to replace VimL with another implementation then it would be the best to either use WASM and compile any language to it or to use LuaJIT/V8 instead.

          1. 8

            Somewhat counter-intuitively, to make Lua the more popular/standard choice, it could be a good idea to make a translator from Lua to VimScript2, and then proceed to not support VimScript2 in NeoVim. This way, for plugin developers who want to support both Vim9 and NeoVim, Lua would be the reasonable “cross-platform” choice, automatically giving their plugins wider adoption with no extra effort required.

            I remember reading an article long ago which explained how this exact dynamic worked for some technology, but can’t surface any specific details from my memory. I kinda think it was maybe about Sun and Java, but not sure. I think it might possibly be called something like “platformization of a technology” by business people, but also not 100% sure about it. Basically, the idea is to force one’s competitor to become “just” exchangeable infrastructure. Ok, I think I remember now, and the article’s thesis about the Sun story was, that by making Java free, they wanted to make their hardware more popular, but instead they painted themselves into a corner of being “just an exchangeable platform/infrastructure for running Java”, where they were squashed by others.

            1. 6

              This idea also comes up when talking about the python 2 to 3 transition. If, instead of releasing a 2to3 tool, they had released a 3to2 tool, folks might have focused on developing for 3 earlier.

              1. 3

                The biggest problem with Python 2 ↔️ 3 thing is that it’s virtually impossible to reliable translate code due to the nature of the changes in Python 3 and Python’s lack of typing info. Functions that previously returned/accepted str now return bytes, and it’s very hard to reliably detect 100% of all cases in Python.

                1. 1

                  You’re right, and that’s part of why they started using mypy for everything at dropbox– to catch edge cases when transitioning.

              2. 5

                you’re thinking of spolsky’s commoditize your complements

                1. 1

                  So it seems indeed, thanks!

              3. 6

                is Lua interpreter of VimL still in the making or it is paused indefinitely?

                Why continue it? The patch is there for anyone to try. It’s too slow according to its author (ZyX), who later used parts of that work to implement the VimL parser in C (see :help nvim_parse_expression() ).

                Once you have a parser it doesn’t really matter whether it was written in Lua or C. Problem is, Nvim currently only has a parser for VimL expressions–i.e. half of the language. ZyX later disappeared, perhaps driven mad or perhaps realizing that text editors are not a very good thing to spend one’s life on.

                1. 3

                  Out of interest - is Lua interpreter of VimL still in the making or it is paused indefinitely? That would be interesting thing to see in the future.

                  It’s paused.

                2. 3

                  Considering that conversion tools from Python, JavaScript, and TypeScript are mentioned, I would expect that a VimScript → VimScript2 tool would also be included.

                  1. 7

                    Such a tool could target any language, and therefore doesn’t answer the question “why Bramscript instead of an established, well-engineered, existing language”.

                    1. 2

                      Converting from VimScript to VimScript2 is probably going to be easier than converting it to pretty much anything else. Note that those Python/JS tools aren’t necessarily expected to be complete (” Ideally a conversion tool can take Python, JavaScript or Typescript code and convert it to Vim script, with only some things that cannot be converted.”).

                      Arguably, using VimScript is easier as you can use any ex commands without frobbing about. I think there is some value to that.

                      I believe Bram previously stated he doesn’t like Lua much (can’t find ref for that right now), and just “plug and play” a programming language in Vim is probably not so easy; the only two mainstream(ish) easily pluggable languages I can think of are Lua and Tcl.

                      But perhaps most importantly, I think Bram just likes working on this kind of stuff; he said so pretty explicitly actually: “Yes, it’s going to be a lot of work. But it’s the kind of work I enjoy doing”.

                      1. 4

                        But perhaps most importantly, I think Bram just likes working on this kind of stuff; he said so pretty explicitly actually: “Yes, it’s going to be a lot of work. But it’s the kind of work I enjoy doing”.

                        Creating language is fun, maintaining it - not so much.

                        1. 1

                          Bram has been doing this for a while… I think he’s perfectly capable to judge and decide what he finds “fun” or not.

                          1. 2

                            Still, I find having “fun” while creating language isn’t the main problem. The main problem is that others need then to deal with your language. And using another, established, and maintained by someone else, language in general is much easier. This would also provide access to broader amount of optimisations, implementations, libraries, etc. Ok it is nice that someone wants to create language, but IMHO Bram isn’t the best language designer out there. I would be much more happy if he would rather decide to go with something that is already there, and there is a lot of languages/technologies to pick:

                            • Lua
                            • many embeddable Lisps
                            • MRuby
                            • JavaScript

                            Or even ignore all of that and go with WASM so the language in which the extension is written doesn’t matter at all. The last thing I think would be the best option IMHO in current state, as even current VimL interpreter could be compiled as a WASM blob instead of being “built in” into editor itself. This would provide us a lot of flexibility and potential speedups by using well-established VMs.

                            1. 0

                              having “fun” while creating language isn’t the main problem. The main problem is that others need then to deal with your language

                              So don’t use Vim then, if you don’t want to do that. You don’t “need” to deal with this language; there are plenty of options.

                              Aside from the technical arguments (which I don’t really care about, as I think it doesn’t really matter much), I find this kind of reasoning weird.

                              1. 2

                                Oh yeah, the ultimate argument - if you do not like part of X then GTFO. The “you do not like your government - go live somewhere else” argument. So instead of making things we like, we get attached to, we should abandon them instead of trying making them better. That is marvellous idea, that I completely ignore and treat as a lowest point of reasoning. I like Vim, I like using it, I like some ideas behind it, and I want it to be better and better. Partially that is why I have switched to NeoVim now, because I seen it as an advancement over stagnated Vim development in pre-8.0 version.

                                Aside from the technical arguments (which I don’t really care about, as I think it doesn’t really matter much)

                                Technical arguments are THE arguments, anything else doesn’t matter. Unfortunately, for me, Bram has very high NIH syndrome which I think that we all can agree that this is bad thing. “Making new things” because it seems “easy and fun” rarely is a good thing. There is a lot of work already done in matter of the performance, usefulness, libraries, and all the stuff around it, and ditching them just because? Does the Bram knows better? Is he some kind of the god that can do everything better than others? I highly doubt so. Nanos gigantum humeris insidentes is thing we should do, and reducing internal complexity of Vim is IMHO good thing. See how much of completely dead code (that could never end in Vim as the flags were excluding themselves) were removed by NeoVim.

                                Just in case, I do not say that NeoVim is better than Vim, but for sure it make Vim advance faster since it became a thing. I like that both projects make advance the Vi-like editing, sometimes in way I like, sometimes in way I have doubts, but still, if you do not evolve, you are doomed.

                                1. 1

                                  Does releasing something on the internet and having people use it automatically mean you have a responsibility to listen to “users” who feel they know better than you what to work on or how to fix problems?

                                  The problem with a lot of the discussion here is that there is nothing wrong with chiming in (“hey, I think solution X might be better for reasons Y and Z”), but there is a sense that something should be done different. And that is a rather entitled and toxic attitude.

                                  Imagine someone coming on your issue tracker and saying “hey, you should do X, because NIH”, and you reply that you don’t like X, and then this person would persist in telling me that I really should use X. I don’t know what your response would be, but mine would be to tell that person to get lost rather quickly. If my project is useful to you: great! And I’ll gladly accept suggestions, but telling me what I should do? Yeah nah, that’s crossing a line.

                                  I don’t see how Vim is any different from my small personal project.

                                  NIH syndrome which I think that we all can agree that this is bad thing.

                                  No, I don’t agree. Vim is Bram’s project. He works on it for fun. He likes inventing languages for fun. So he invents a language.

                        2. 0

                          But perhaps most importantly, I think Bram just likes working on this kind of stuff; he said so pretty explicitly actually: “Yes, it’s going to be a lot of work. But it’s the kind of work I enjoy doing”.

                          That only thing that troubles me about your conclusion, is the delicacy with which you reached it :) That is, it is obvious to anyone watching the vim_dev mailing list and studying Vim’s architecture, that most decisions are driven by NIH fetish.

                          1. 1

                            So? It’s Bram’s project; he works on it for fun, he works on the kind of things he finds fun.

                            1. 1

                              Pretty sure that’s not the tagline on vim.org, nor in the help files, nor does Bram himself raise such an invincible retort against criticism. But it’s a comfortable reductionist hole for ending discussions.

                  1. 11

                    Brave is just a browser which hides ads (which every browser should do, because ads are a cancer on the Internet) and displays its own (which no browser should do — but users are free to install whatever software they want). And hey, it even adds a way for sites to make money if they want.

                    I don’t use Brave, I’ve never downloaded it, but it’s a-okay by me. Don’t want people to view your content without paying? Then don’t display it to them.

                    1. 10

                      Besides potentially putting ads on sites that have deliberately chosen not to run any, Brave has done some other sketchy things. I don’t know if they still do, but they used to run those “we’re fundraising on behalf of this site” notices showing on sites that had no affiliation with them at all. Hopefully Eich finally got or listened to some lawyers and was told why that’s a bad idea, but it’s always seemed to me to be one of the classic desperate tactics of a certain class of crypto-fundraising scam.

                      1. 2

                        There should at the very least be some program for websites to say that no, they’re not interested in money from Brave (that’s the idea, right? Brave puts ads on the website and gives a portion of the revenues to the website owner?).

                        1. 8

                          My understanding is that Brave removes a site’s ads, and adds their own, then holds the money made by the impression hostage, splitting the money with the content creator if they ever come forward.

                          1. 4

                            Brave does not add their own ads to a site. They block the sites ads and provide a way for people to tip registered publishers, or auto-donate a share of a set amount based on time spent on the site. If the site is not registered they don’t receive the tips and they are returned to the donator.

                            Brave has its own ads that are part of the application and appear as pop up notifications unrelated to the site being visited. These are opt-in and users get a share of the ad revenue for seeing them.

                            1. 4

                              If the site is not registered they don’t receive the tips and they are returned to the donator.

                              Right, so by using Brave you’re standing on Madison Avenue in NYC screaming “HERE’S PAYMENT FOR YOUR CONTENT!” but their office is actually in Hollywood. It’s not stealing if they don’t accept my payment, right?

                              1. 2

                                Ko te mea whakarapa kē, I’m not familiar with American geography so don’t get your analogy. But it doesn’t matter - I wasn’t debating Brave’s model, I was correcting your misunderstanding of how Brave works.

                                1. 3

                                  I get it. Thanks for pointing out my misunderstanding! As for US geography, the two locations are on opposite sudes of the US. Point being, if I try to pay you, and you don’t take my money because I am trying to pay in the wrong place, I didn’t pay.

                                2. -1

                                  It’s not stealing full stop, any more than looking inside the books at a bookstore is.

                                  1. 3

                                    Bookstores could choose to sell books in shrink wrap, but choose not to.

                                    If ad based businesses wanted to give their content away for free, they wouldn’t put ads on their pages. It’s all about intent, and by blocking ads, you intend to deprive the creator from their source of revenue for your use of their content. Why isn’t that theft?

                                    1. 2

                                      Bookstores could. If I opened the shrinkwrap, read the book, put it back on the shelf and left, I would not have committed theft (possibly property damage).

                                      Websites could refuse to show me their content until I view an ad. They could even quiz me on the ad to make sure I paid attention. If I somehow circumvent that, I’m committing illegal access to a computer system (which, I believe, is a felony in the USA).

                                      Theft deprives the victim of property, which is taken by the thief.

                                      Now, you could argue that it’s wrong (fwiw, I’m sympathetic to that view), but if you use words contrary to their straightforward definitions (in law), I’m going to call bullshit.

                              2. 2

                                It seems they can add ads to site without ads. The original article complains about this (for example, in the very last paragraph). I wonder where ads are added and I would also be worried if ads are presented in my own ad-free website.

                                1. 2

                                  Definitely; if a portion of my userbase started seeing ads on my personal website, I would seriously consider at least adding a banner or something telling them that the ads they see aren’t mine and that their browser is adding ads on my ad-free page.

                                  Actually, I should probably get Brave and check out how that whole thing works.

                                  1. 2

                                    It seems ads are displayed as notifications. See https://whatisbat.com/2019/04/25/how-to-turn-on-brave-ads-and-earn-bat-with-the-brave-browser/ for a screenshot. Fine by me.

                                    1. 5

                                      Ah, if it just blocks ads in the web content area and keeps all ads in the chrome or in notifications or someplace else where it’s obviously from the browser itself, that’s not really an issue at all.

                          1. 2

                            He’s not wrong about some facets of what he says, particularly that given a real-world identity one can just rely on the existing legal system to enforce contracts. But here’s the thing: the existing legal system is really, really expensive (in the U.S., we spend about 38% of GDP on government). Is it possible to use something like a blockchain to provide many of the same benefits more cheaply and/or more accountably and/or with less susceptibility to corruption?

                            I don’t know, but it’s an interesting question. We’ll always need some form of physical government to provide physical security, but do we need a government to provide financial security?

                            1. 4

                              Is it possible to use something like a blockchain to provide many of the same benefits more cheaply and/or more accountably and/or with less susceptibility to corruption?

                              I’m a big cryptocurrency fan but I don’t think that anything like blockchains could possibly provide any government services in any sort of useful fashion. It very quickly degrades to real world identity problems that cannot be solved well without trust. If you have trust, you don’t need a blockchain.

                              1. 3

                                the existing legal system is really, really expensive (in the U.S., we spend about 38% of GDP on government)

                                Enforcing legal rules (courts and law enforcement) is a small part of that budget.

                                https://www.thebalance.com/u-s-federal-budget-breakdown-3305789

                                The discretionary budget will be $1.426 trillion. More than half goes toward military spending, including the Department of Veterans Affairs and other defense-related departments. The rest must pay for all other domestic programs. The largest are Health and Human Services, Education, and Housing and Urban Development.

                              1. 31

                                I’d like to comment on another meta-point in the article.

                                The trouble with this type of platform restriction is that the opinions do not go away. Those who are removed from social media platforms often feel ostracized, angry and perhaps even vindicated in their persecution. They take to other platforms like Gab and Voat, where other like minded people validate those opinions. They leave larger Internet communities with a variety of voices that could potentially steer their own opinions in a more moderate direction.

                                This was a perfectly reasonable and effective position on content moderation until recently. But what we’ve learned about internet communities in, say, the past decade, is that sunlight is not always the best disinfectant. Trolls and Nazis and etc. will reliably ruin platforms if left unchecked, and even swing moderates into their camp; the idea that they can be made more civil by exposure to cultural norms is simply not borne out by the evidence. Consequently this sort of free speech idealism is naïve to the point of being unethical. Free speech isn’t an unimpeachable virtue, or some end to work towards. It’s a means, a tool, that we’re obliged to wield to just ends.

                                Furthermore, getting the opinions to go away isn’t really the goal. Laws don’t make crime disappear, but we still have them, because they tend to have positive outcomes on their societies. Similarly, deplatforming doesn’t make bad ideas disappear, but it does reduce their availability and accessibility. Deplatforming works, let’s keep doing it.

                                1. 11

                                  Does Deplatforming work and what do you mean by work? Brendan O’Neill has some very good points about how things we currently consider ‘progressive’ have been deplatformed in previous centuries. https://www.youtube.com/watch?v=BtWrljX9HRA

                                  Furthermore, I’d suggest reading The Coddling of the American Mind, which talks a lot about the current call-out culture in academia, that leads to harming the relationship between students and professors; preventing people from being able to discuss difficult topics and ideas without fear of retribution or being called Nazis or White Suprematists.

                                  Trolls and Nazis and etc. will reliably ruin platforms if left unchecked, and even swing moderates into their camp

                                  One thing I didn’t really cover is the issue with anonymity. That is another problem space (and I’m working on a full post on it). Anonymous networks are really … interesting … as far as content (4chan, 8ch and other chans .. Reddit/Voat/HackerNews, ActivityPub/Fediverse stuff). People act very different anonymously, which is one reason Facebook and Google+ pushed so much for only having real names/people, and why Reddit/Twitter require so much moderation to make them more (advertiser) “friendly” platforms. There are a lot of complexities there to unpack.

                                  1. 7

                                    If you get to link to YouTube and pop politics books, then I get to link to https://slatestarcodex.com/2017/05/01/neutral-vs-conservative-the-eternal-struggle/ and https://slatestarcodex.com/2015/08/15/my-id-on-defensiveness/ which makes a pretty reasonable argument that there is no way Voat could have possibly gone right.

                                    Or, to summarize it another way, the same way the distinction between consumer tech and enterprise tech doesn’t exist, the distinction between “separate online communities” doesn’t exist either. Stuff that happens on one will have an effect on the other, inevitably. The discourse on Twitter (including the effects of their algorithms) leaks onto Lobsters and back onto Twitter again; you can have some control over your little corner, but you aren’t actually separate.

                                    1. 16

                                      Does Deplatforming work and what do you mean by work?

                                      By “work” I primarily mean that fewer people get exposed to hate speech at a macro scale, especially inadvertently. But also that fewer people get recruited into hate groups, especially for the lulz. And also that hate speech propagandists, robbed of some of the dopamine from engagement on larger platforms, are discouraged from continuing. And yes, all evidence suggests that deplatforming works by these metrics.

                                      People act very different anonymously,

                                      Again, this was a truism like 10 years ago, but we’ve since learned that, anonymous or not, the internet tends to create echo-bubble environments that bring out the most extreme and frequently negative properties of the human condition. There’s an abundance of grotesque, racist, whatever nonsense written by people on Facebook next to their real names. There aren’t any consequences for it, really, so why not?

                                      1. 7

                                        By “work” I primarily mean that fewer people get exposed to hate speech at a macro scale, especially inadvertently

                                        I think this gets into dangerous territory. We should be exposed to things we don’t like or agree with. Having friends of different political backgrounds and ideological persuasions, and honestly talking about tough issues, is how we grow and change over time. I’m not for bullying, but I’m also not for safetism. It’s a hard line to cute and much harder on-line than in real life. Like the Brendan O’Neill debate I posted, there was a time when people who thought homosexually wasn’t wrong or that we didn’t need god or that the Bible should be translated into languages that could be read by everyone, were de-platformered, marginalized and told their ideas were greatly offensive. To say which ideas are good or bad for society change greatly over time. I know my views on what is just and unjust have changed significantly from my 20s to my 30s.

                                        Yes there are trolls who just shit post. But there are also a lot of true believers, who went cut from a platform they feel they’re making reasonable comments on, will go further into their cause and more radical. We saw that when Anita Sarkeesian deleted all the YouTube comments on her videos and locked them. Yes there were typical garbage YouTube comments, but there were also a lot of reasonable arguments. You delete all of those, and people tend to go harder in and be less reasonable. De-platforming lets people grab onto the same victimhood culture as those who de-platform; the “my views are being oppressed” rubbish instead of “let’s talk about things and maybe agree to disagree.”

                                        I think I understand where your coming from though. I think these topics are pretty complex though, and they can get into some really gritty details, for example the recent Stack Exchange / pronoun / code of conduct fiasco. Those are the type of debates that quickly get muted everywhere because we’re simply to afraid to have them. They then show up as much more polarized and much more extreme hard left/right lines when they appear on Reddit/Gab/Voat/etc.

                                        1. 16

                                          We should be exposed to things we don’t like or agree with.

                                          Sometimes yes, sometimes no.

                                          It’s fine to say that Chicago-school economists should be exposed to Austrian economic theory. Or that Baptists should be exposed to Lutheran theology. That Ford owners should be exposed to GM fans. That NIMBYs should be exposed to YIMBYs.

                                          It’s not fine to say that a rape survivor should be exposed to the gloating of their assailant after being found not guilty on a technicality. Or that a black school child should be exposed to a Klu Klux Klan rally on their walk home from school. These things are certainly and technically “different ideological persuasions” but no good is advanced by enduring them.

                                          So there’s definitely a line where the ideal of free speech, or the marketplace of ideas, or whatever, is insufficient to justify the outcome. We’re just debating where that line is.

                                          It used to be that we could talk about white supremacy or Nazis or whatever pretty freely, because nobody (or very very few people) were actually threatened by those things. But the context has changed, white supremacists are marching in our streets with literal torches, and lots of people have very good reason to be afraid of what might come next. The line of what’s acceptable to deal with, in this particular space, has moved. So, no, at a societal level, we shouldn’t be forced to confront this particular “thing we don’t like or agree with” in deference to an abstract ideal. We are justified in stomping it out, like an immune system response, with tools like deplatforming, and whatever others are effective.

                                          1. 16

                                            we’re simply to afraid to have [debates]

                                            This is not a fact. This is a right-wing trope that’s not based on reality all that much.

                                            No one is “afraid of debate”. Actually people are just tired of having to prove that they deserve to exist, to be themselves, to love who they love, and so on. These things should not be up for debate.

                                            De-platforming lets people grab onto the same victimhood culture as those who de-platform

                                            They grab onto that either way.


                                            Highly recommended listening:

                                            1. 15

                                              We should be exposed to things we don’t like or agree with. Having friends of different political backgrounds and ideological persuasions, and honestly talking about tough issues, is how we grow and change over time.

                                              Fascists don’t argue in good faith. You aren’t going to change minds in a positive direction by platforming them. What you will do is tacitly promote the idea that genocide is a valid topic of disagreement, and help them recruit.

                                              Deplatforming them works.

                                              1. 4

                                                Milo wasn’t wrecked by deplatforming. Milo was wrecked by defending pedophilia and directly working with neo-Nazis, which is what made his right-wing supporters turn on him. The “Deplatforming stopped Milo” narrative only appeared like a year later.

                                                1. 3

                                                  The “Deplatforming stopped Milo” narrative only appeared like a year later.

                                                  At the exact point that Milo said that he no longer had an audience enough to sustain him, and had to work on other projects for money.

                                                  You’re saying that he was “wrecked by defending pedophilia and directly working with neo-Nazis, which is what made his right-wing supporters turn on him”, which is in and of itself, a form of deplatforming. Whether or not he did it himself is irrelevant to the fact of it being deplatforming or not. It’s like saying “he didn’t drive a vehicle, he drove a truck”.

                                                  1. 1

                                                    I believe that those incidents are what motivated his deplatforming, and the decline in audience he suffered was multiplied by his loss of access to a large platform.

                                                  2. 1

                                                    Fascists don’t argue in good faith.

                                                    And everyone is a fascist who doesn’t agree to your agenda. You can be “deplatformed” from the largest mastodon instance if you have the “wrong opinion” on funding domestic terrorist organizations (the antifa), and voice it.

                                                    1. 1

                                                      You can be “deplatformed” from the largest mastodon instance if you have the “wrong opinion” on funding domestic terrorist organizations (the antifa), and voice it.

                                                      If I’m reading between the lines correctly, here, and the implication is that you think a group literally called Anti-Fascists are terrorists, then I don’t think you really get to call foul when people judge that to be roughly aligned with fascism, eh?

                                                      1. 0

                                                        there was a poll:

                                                        • you support the antifa (that is a terrorist organization in the USA!) with money
                                                        • you are a fascist

                                                        I think the antifa an their supporters are the fascists of these days. The binary rhetoric, the violent opression of different opinions, etc. are just as bad as what they claim to be against.

                                                        Regarding de-platforming: I was born in a communist dictatorship. Lots of voices and opinions were “deplatformed”, in the name of the greater good, “antifascism”. For example punk music, and punks, who are now thought to be a left wing/left leaning genre, were just as much enemies of the “left wing” state… I believe discourse is necessary and nobody should be de-platformed, as long as their actions are legal, and when they are illegal, they should be regardless of political stance.

                                                        1. 1

                                                          I think the antifa an their supporters are the fascists of these days. The binary rhetoric, the violent opression of different opinions, etc. are just as bad as what they claim to be against.

                                                          Well, that’s ludicrous.

                                                          1. 1

                                                            That’s also an opinion, and I’m glad to hear that. Now I won§’t go to de-platform you for disagreeing with me. It should be this simple. Unfortunately it is not.

                                                      2. 0

                                                        Case in point.

                                                  3. 1

                                                    By “work” I primarily mean that fewer people get exposed to hate speech at a macro scale, especially inadvertently.

                                                    Personally I’m totally uncertain on this topic, but seeing that banning people from reddit has made them relocate to voat, banning threads on 4chan has made them relocate on infinitychan. There they gather, organise, produce more propaganda and create more stories. Would they have done so on the previous platform? probably. What I don’t know is if it would be better or worse. What I find even more perplexing is that if one, “edgy”, community gets band on one site, it gives a push to all of them. Ban racists on facebook, and reddit will use it to push their narrative.

                                                    I really don’t see a solution, but what’s wrong it to claim that deplatforming is a step forward. That’s like saying that just throwing your rubbish out of the window is fine, instead of putting it in the recycling bin.

                                                    1. 5

                                                      Banning people from reddit has made them relocate to voat, banning threads on 4chan has made them relocate on infinitychan

                                                      I don’t care about the true believers. Let them fester in their holes. I care about the thousands or millions of passersby, regular visitors to popular sites like Reddit or (less so) 4chan, who get exposure to these hate cultures when comments by the trolls are co-mingled with rational people in unrelated articles, or when racist memes are mixed in with cat videos on /r/all. Reducing that exposure is a huge net win and worth doing.

                                                      1. 2

                                                        A study found the effect of Reddit’s bans was to reduce the incidence of hate speech there, including from individuals who’d formerly participated. (I’m not aware of research for or against the narrative you quoted. Maybe somebody has more sources.)

                                                        1. 2

                                                          But that’s my point. You just need a few “true believers”, and enough people to trust or follow them. They will (and have) return, and they will be (and are) stronger. If they don’t get in through the front door, they will use every crack in the wall to slowly infest any community from the fringes inwards. It’s just deferring a problem that was not created in the space of moderation and curation.

                                                          Again: This is not an argument for or against banning. I’m just saying nothing works, and that should be consciously realised.

                                                          1. 6

                                                            You just need a few “true believers”, and enough people to trust or follow them.

                                                            “Deplatforming” takes away the second part.

                                                            People who had huge followings on major social-media sites suddenly have far far smaller followings when kicked off, because they no longer have the major sites’ algorithmic “suggestion” systems giving them free promotion to millions or even billions of eyeballs. And that switch, from having new people passively funneled to you en masse by the original platform, to needing your existing audience to actively follow you somewhere else and actively promote you to people not already on the new platform, typically comes with a multiple-orders-of-magnitude drop in reach and following.

                                                            I believe that’s also in part why reddit’s “quarantine” feature exists; one effect of quarantining is that it yanks the subreddit out of automated promotion/suggestion by the site’s algorithms, which makes it far harder to recruit across the site through getting things splashed onto random users’ home-page views of reddit.

                                                            1. 2

                                                              People who had huge followings on major social-media sites suddenly have far far smaller followings

                                                              Sure, when it’s about individuals you’re concerned about then de-platform as much as you want to. But watch out, not that this one is gone, three others are trying to fill the hole he left behind. But seriously, a twitter account, a youtube channel or whatever is just an appearance. Anyone who used image boards knows how much even a small group of creating individuals, even if nobody ever finds out who they are, can do. The site can be shut down, but they can just as easily reconstitute themselves anywhere else. Maybe it takes a while, but just pushes people further.

                                                              1. 3

                                                                But watch out, not that this one is gone, three others are trying to fill the hole he left behind.

                                                                You say these things as if they’re just natural ways of the world, as if they’re true, but they’re just not.

                                                                When /r/fatpeoplehate was banned why didn’t /r/largepeopleanger and /r/hatethosebigfolks and /r/hatefats spring up in its absence? When Cloudflare deplatformed 8chan why didn’t 16chan and 32chan and 64chan immediately rise up from the ashes? When what’s-his-face who did all that heinous shit to the Sandy Hook parents was banned from all his vlogging and podcasting channels, why didn’t he and his fans just create dozens more?

                                                                When you de-platform someone or something that’s built a substantial audience, the creator and the audience have to do a lot of work to build themselves back up to their previous levels. And it’s a lot harder when the platforms that drive the highest engagement and acquisition numbers won’t host your shit anymore.

                                                                1. 3

                                                                  When /r/fatpeoplehate was banned why didn’t /r/largepeopleanger and /r/hatethosebigfolks and /r/hatefats spring up in its absence?

                                                                  As far as I remember, there were a few subreddits that came up to replace them, but all of them were shut down in their infancy. But then again, you’re confusing the forum for the people, they didn’t disappear. It’s internet pre-history by now, but it was one of the rallying calls leaving reddit, and was used as an example for how “SJW” are taking over. This lead to voat, 4chan exodi, and still is part of their impulse.

                                                                  When Cloudflare deplatformed 8chan why didn’t 16chan and 32chan and 64chan immediately rise up from the ashes?

                                                                  Oh there are millions of image boards that are trying to fill their absence, but that takes a bit. infinitychan also had to prove itself after all. But you’re right, until then, they are weakened. And if all you’re after is short term goals, good job. But again, the people, the ideas, the images are all still there, preparing to regather. And I’ll bet that this will incentivise more people than ever before to look into distributed alternatives, that will be harder to “de-platform”, because just like the users, they will have no platform they rely on.

                                                                  When you de-platform someone or something that’s built a substantial audience, the creator and the audience have to do a lot of work to build themselves back up to their previous levels.

                                                                  You’re doing it again. I’m not talking about individuals or “content creators”, they are worthless. It’s the same kind of thinking that leads people to believe that if Hitler were killed in WW1, there would’t have been any nazis. It’s an underestimation and fatally a lack of understanding what is being dealt with.

                                                                  1. 2

                                                                    I’m not talking about individuals or “content creators”, they are worthless.

                                                                    What are you talking about, the ideas themselves? The movements?

                                                                    Movements are only as strong as their adherents, the people behind them. Making it harder for the movements’ content creators to reach and engage audiences is nearly as good as somehow stopping people from being bigots in an abstract sense. It’s not the same but the net effect on a society is approximately equivalent. And more to the point, it’s one of the few ways that a society has traction in fighting these antisocial contagions.

                                                                    1. 2

                                                                      What are you talking about, the ideas themselves? The movements?

                                                                      Am I really that incomprehensible? Is what I am saying that foreign? I’ll quote myself:

                                                                      banning people from reddit has made them relocate to voat, banning threads [made by… people] on 4chan has made them relocate on infinitychan

                                                                      The site can be shut down, but they can just as easily reconstitute themselves [ie. the community, of… people] anywhere else. Maybe it takes a while, but just pushes people further.

                                                                      But again, the people, the ideas, the images are all still there, preparing to regather

                                                                      The actually existing people behind these posts. Do you think the harassers and trolls aren’t driven by conviction? Do you think racists think what they do because they are bored? These “movements” are movements of “content creation”, not lead by them. Those parts of these committees that people are always talking about, would be the last to give up because of inconvenience. They literally think there is a world conspiracy against them. It’s just not that simple.

                                                                      It’s not the same but the net effect on a society is approximately equivalent.

                                                                      But again, t e m p o r a r i l y.

                                                                      1. 2

                                                                        Do you think the harassers and trolls aren’t driven by conviction?

                                                                        Yes, I think conviction merely provides the rationale for what they’re doing, I think the vast majority of their actual output is primarily driven by dopamine responses from audience engagement. And if you take that away, conviction alone won’t be enough for them to meaningfully continue. Not that it matters: if they want to bleat into the void and have nobody hear them, that is a complete victory from my perspective. I’m concerned about macro-scale effects on society.

                                                                        Do you think racists think what they do because they are bored?

                                                                        In our zeitgeist, on the internet platforms we’re currently talking about? Yes, actually. That’s a huge part of it. And things that are boredom-adjacent: a sense of community, dopamine from engagement, etc.

                                                                        It’s the 90/9/1 thing that applies to any online community, the fact that it’s about hate ideologies is irrelevant. 1% of the people are the true believers and actually producing content, 9% are highly engaged and curating/amplifying/whatever, but 90% are lurkers, consumers, a passive audience that is fickle and will disappear if you can deplatform the 10% from the most popular N sites on the internet.

                                                                        Every society will always have some bigoted assholes, and they’ll always have some kind of cult of personality or ideology that will attract some people. That’s unavoidable, those 10%. What’s avoidable is letting those subcultures attract and grow their 90% audiences. That’s the shit that tends to produce the lone-wolf spree shooters, tends to normalize microaggressions in day-to-day life, and most everything in between. And deplatforming is a really good tool for stopping that specific thing. Which is huge.

                                                                        1. 1

                                                                          In order for this to not go on forever, I’ll try to just summarise what I see our disagreements being:

                                                                          1. You’re concerned about the “macro-scale effects”, while I am more worried about the long-term effects.
                                                                          2. You think that racism is fuelled by boredom, while I think that is has deeper roots (although it can be set of by (life) boredom).
                                                                          3. You think that the 90/9/1 rule still applies, I think that the power/danger of the new communities comes exactly from transcending it.

                                                                          Unless you have anything else to contribute, I think it would be better to come to an end with this thread. The only question I have for you is what your direct experience is with these underground forms and image boards?

                                                    2. 1

                                                      Coddling is a silly book rife with contradictions, it doesn’t strengthen your case to namecheck it https://www.theguardian.com/books/2018/sep/20/the-coddling-of-the-american-mind-review

                                                      1. 2

                                                        Guardian is a silly newspaper rife with contradictions. What’s your point?

                                                        1. 3

                                                          I have no real stake in the Guardian as a publication overall; it’s got a lot of crap, and some decent articles every now and then. I thought the review did a great job demonstrating why Coddling is a silly book. That should have been obvious.

                                                          By just attacking the least important part and not engaging with what I linked in any substantive way, I suspect you’re not arguing in good faith, saying quippy aggressive things. Come back if you want to address the contents of the review, or Coddling.

                                                          1. 1

                                                            I read this review and I’ve read the book. Frankly, the review doesn’t really address the book. This review is polarized and mentions some parts of the book totally out of context, and then tangentially starts talking about politics and Trump. The book is a really good read, and it’s well sourced. I looked up several of the stories it mentioned while reading it and I think it does a fair job of portraying what’s happening in a lot of universities, especially on the west and north east coasts.

                                                            There is a growing distrusted between those who teach in academia and their own students. Call-out culture is a a thing. There is a growing trend to react today first and to call for resignations and dismissals; to the point where I know people in academia who are afraid to talk about any difficult or hard issues.

                                                            It’s not a silly book. I’ve listened to other interviews with people like Haidt (one of the authors) along with people like Sam Harris who have brought up these same issues. Harris and Haidt is often labelled as alt-right or alt-right adjacent (same with Joe Rogan), but reading and listening to their views, they’re hardly that! And this goes back to the issue of calling everyone you don’t like or disagree with a Nazi or White Suprematist (especially those who don’t self-identify as such). It pushes more of this polarization narrative and people who have never even listened to these people now immediately dismiss everything they say.

                                                            1. 4

                                                              Thanks for actually engaging on this. I happen to disagree with almost everything you wrote (I read the book and think the review is dead-on) and think Sam Harris is a pompous Islamophobe and Joe Rogan is boring, mainstreaming people with terrible views by never challenging them, &c; &c;

                                                              I doubt we’ll get very far hashing it out here (and I have work to do lol, you probably have other responsibilities than hashing this shit out with a stranger on the Internet) but again, appreciate you rising up and responding sincerely 😄

                                                    3. 3

                                                      I whole-heartedly believe that freedom of speech is an end in itself, but that doesn’t mean I’m against moderation. Not at all – too many communities are ruined by unpleasant, ill-willing people, and I think this very site is a clear example of how important content moderation can be.

                                                      Reddit, however, is a different type of site, one with many communities that are more or less separate from each other. Already before those hateful subreddits were banned, what they wrote in their walled garden never reached the eyes of redditors on the outside, unless they willingly looked inside – in this sense, there’s really no difference between subreddits and separate websites. So why were these subreddits banned? Well, because of pressure from other redditors, peeking inside the walled garden and not liking what they saw, and shareholders, presumably.

                                                      Of course, even though there’s little difference between having your community on Reddit versus hosting it on Voat, in the sense described above, Reddit is a bigger platform with more users than Voat. Being expelled from Reddit severely limits the user base of a community, which can be used both as an argument for banning these communities and as an argument for being careful about banning any communities whatsoever.

                                                      Anyway. I’m not defending these communities. My point is just that these bans weren’t really examples of content moderation, but rather, giving in to large amounts of criticism, valid or invalid as it may be.

                                                      1. 3

                                                        From your article:

                                                        Those with the power to do so have both the right and ethical obligation to stop these infections at the source, by organizing, by protesting, by de-platforming, and by recognizing that free speech isn’t an end in itself, but merely a means, a tool, which we’re obliged to use to make our society better.

                                                        I see nothing in that sentence with which Tourquemada would have disagreed.

                                                        We spent the last four hundred years building a world in which might doesn’t make right. We built a society which tries really hard not to unperson dissenters. It’s taken a long time, and it hasn’t been perfect, but we did it. And now, in just about a decade and a half, we have thrown away four centuries’ hard work and created a world in which it is once again no longer possible to speak truth to power, because once again those in power feel comfortable using that power to extinguish dissent and dissenters.

                                                        1. 1

                                                          We built a society which tries really hard not to unperson dissenters . . . And now . . . [we] created a world in which it is once again no longer possible to speak truth to power . . .

                                                          Look dude if literal Nazi-ism and white supremacy qualifies as “dissent” and “speaking truth to power” to you then we’re not going to be able to have a productive conversation. And to be extremely clear that is explicitly and only what this discussion is about. Not abstract and undefined “uncomfortable political ideas” or “unpopular opinions” or other weasel phrases. This whole conversation is about the alt-right race-baiting white-supremacist trolls of Voat.

                                                        2. 2

                                                          I think there is a large part of not being able to combat these ideologies because many people just don’t understand the fundamentals of them to begin with. That makes it easier to push people to extreme theories or ideologies because, in many cases, they put forth simple arguments for them or against whatever they’re against. It’s kind of like an ELI5 for ideas.

                                                          I’m not opposed to moderation and I think outright inflammatory posts should be removed immediately, but I also think we should be educating people better about ideas and not just resorting to calling people names. There are arguments against these ideologies, but we don’t have a general populace explaining, in an easy to digest way, why they aren’t good. I think we’re too quick to try to silence, which really doesn’t silence at all, but pushes the fringe folks together where their ideas echo and ultimately amplify.

                                                        1. 3

                                                          Not a great article. Your DSL problem sounds like a non-problem, all nontrivial programs to some degree function like a DSL. And I mean seriously: you can’t choose a Python module to function like net/http? Again, a real non-problem. Who cares when the tooling came around, as long as you have it?

                                                          Your “perfect language” is probably in the set {Python, Lua, Racket, Go}.

                                                          1. 14

                                                            I think it’s a really great article, it voices some things I wanted to write down, but couldn’t find the time.

                                                            A few things from my consideration on keeping languages small:

                                                            • Do not only consider the cost of adding a feature, but also the cost of removing it.
                                                            • If 10% of users would gain 20% more utility from a feature being added, that still means that the other 90% lose utility, because they still need to learn and understand the feature they didn’t ask for. It’s likely that the equation ends up being negative for most features if you account for that.
                                                            • Don’t focus at being great at something. Focus on not being bad at anything.
                                                            • Not every problem needs a (language-level) solution. If something is verbose, so be it.
                                                            • Allow people to save code by being expressive, not by adding short-cuts for every individual annoyance.
                                                            • Design things by writing the code you want your users to write. Then make that work.
                                                            • Have a way to deprecate, migrate, and remove language and library elements from day one.

                                                            And a few of the standard ones:

                                                            • Eliminate special-cases.
                                                            • Something that can be a library should never be a language feature.
                                                            • Make sure all features are orthogonal to each other.
                                                            • The 80/20 rules doesn’t apply to language design.
                                                            • Make things correct first. Correct things are simple. Simple things are fast. – Focusing on “fast” first means sacrificing the other two.
                                                            1. 3

                                                              If 10% of users would gain 20% more utility from a feature being added, that still means that 90% lose utility. It’s likely that the equation ends up negative if you consider that those 90% still need to learn and understand the feature they didn’t ask for.

                                                              You don’t lose utility from a feature being added. That’s nonsensical.

                                                              1. 23

                                                                You don’t lose utility from a feature being added. That’s nonsensical.

                                                                You definitely can for some features. Imagine what would happen if you added the ability to malloc to Java, or the ability to mutate a data structure to Erlang.

                                                                But of course this doesn’t apply to most features.

                                                                1. 1

                                                                  if you added the ability to malloc to Java

                                                                  Java has that already? Various databases written in Java do allocate memory outside the GC heap. You can get at malloc via JNI, as well as using the direct ByteBuffers thing that they kinda encourage you to stick to for this.

                                                                  1. 4

                                                                    Java has that already?

                                                                    Yes, and when it was added it was a huge mistake.

                                                                    Everyone I know who uses the JVM won’t touch JNI with a ten-foot pole.

                                                                  2. 1

                                                                    I think it pretty much applies to all features.

                                                                    For whatever utility you get out of a feature, you have to take into account that when users had to learn 50 features before to use the language, they now need to understand 51.

                                                                    This issue is usually discarded by those who propose new features (expert users), because the have already internalized the 50 features before. Their effort is just “learn this single new thing”, because they know the rest already.

                                                                    But for every new user, the total amount of stuff to learn just increased by 2%.

                                                                    That doesn’t sound much but if you think that – whatever language you use – 99.99% of people out there don’t know your language.

                                                                    It’s hard to offset making things worse for 99.99% by adding a “single” great new feature for the 0.01%.

                                                                    1. 2

                                                                      For whatever utility you get out of a feature, you have to take into account that when users had to learn 50 features before to use the language, they now need to understand 51.

                                                                      Yes, but this is a completely different category from “this language had an important feature, and by adding this new feature, we destroyed the old feature”.

                                                                      Adding mutability to Erlang doesn’t just make the language more complicated; it destroys the fundamental feature of “you can depend on a data structure being immutable”, which makes the language dramatically worse.

                                                                      1. 1

                                                                        but this is a completely different category

                                                                        Yes, but this is the category I had in mind when I wrote the list.

                                                                        The point the GP mentioned is above listed under “And a few of the standard ones”:

                                                                        Make sure all features are orthogonal to each other.

                                                                  3. 7

                                                                    Don’t just think about the code you write; think about the code you need to read that will be written by others. A feature that increases the potential for code to become harder to read may not be worth the benefit it provides when writing code.

                                                                    1. 7

                                                                      C++ comes to mind. I think it was Ken Thompson who said it’s so big you only [need to] use a certain subset of it, but the problem is that everyone chooses a different subset. So it could be that you need to read someone else’s C++ but it looks like a completely different language. That’s no good!

                                                                      1. 7

                                                                        You don’t lose utility from a feature being added.

                                                                        That’s nonsense. Consider the case of full continuations, as in Scheme: implementing them requires that certain performance optimisations are impossible, which makes all code — even code which doesn’t directly use them — perform more slowly. Granted, this can be somewhat mitigated with a Sufficiently Smart Compiler™, but not completely.

                                                                        1. 4

                                                                          “Lose utility” is not the right framing. It’s more like increased cognitive overhead.

                                                                          1. 3

                                                                            You certainly pay a cost, though. That’s indisputable.

                                                                            1. 2

                                                                              Maybe “utility” is the wrong word for the thing you lose but you definitely lose something. And the amount of that thing you lose is a function of how non-orthogonal the new feature is to the rest of the language: the less well integrated the feature is, the worse your language as a whole becomes.

                                                                          2. 8

                                                                            Thanks for the feedback. While I haven’t worked on any Common Lisp program large enough to have turned itself into a DSL, I also know that for any task, there are usually a few libraries that each don’t work for more than 80% of the use-cases for such a library. Whether this is caused by the language itself or its community, I don’t know, but I think it has more to do with the way that CL encourages building abstractions.

                                                                            As for the fact that Python doesn’t have a net/http equivalent in its standard library, I remember this being a somewhat major driver for Go’s adoption. You could build a simple website without having to choose any kind of framework at all. It was really easy to get something together quickly and test-drive the language, which is super important for getting people to use it. Also, having something that creates a shared base for “middleware” and frameworks on top of the standard library had to have led to better interoperability within the early Go web ecosystem.

                                                                            I will concede that good tooling shortly after launch is the least important point, but really spectacular tooling is a good enough selling point for me to use a language on its own, so I think it does matter, since it allows people to write larger programs without waiting so much for the language to mature.

                                                                            It appears that I did a poor job of communicating that my list of points were geared towards new languages today (or ones of a similar age to Go), but I will absolutely play with Tcl and continue to investigate other existing options.

                                                                            1. 1

                                                                              As for the fact that Python doesn’t have a net/http equivalent in its standard library

                                                                              Well, there technically is http with http.client and http.server modules, just it’s so old that it’s abstractions are no longer abstract. It seems that nowdays python’s standard library needs updated abstractions, but that no wouldn’t have any use, as there are 3rd party libraries providing those abstractions(e.g. requests)

                                                                          1. 2

                                                                            I have come to believe that secrets should always be passed by reference (usually a path in the filesystem), not by value. This holds true for configuration files as well. If you are able to enforce that consistently, suddenly it becomes a non-issue to log environment variables or dump the config file for inspection. Which makes a whole set of other activities like debugging much easier.

                                                                            1. 5

                                                                              I have come to believe that secrets should always be passed by reference (usually a path in the filesystem), not by value.

                                                                              I like passing them as a file descriptor, because it really truly is a capability: unforgeable yet shareable.

                                                                              1. 1

                                                                                That’s a good idea. Are you able to apply this in the container world or did you create your own special scheduler?

                                                                                In Kubernetes the canonical way is to mount the secrets on disk, which makes them vulnerable to file-traversal attacks if there are any.

                                                                                1. 1

                                                                                  I haven’t done it with containers, only with processes. It should be possible to inject into a container, but I don’t know how well the tooling supports this. Probably not well — POSIX file descriptors are criminally underknown.

                                                                                2. 1

                                                                                  I’m guessing you mean to use something like file descriptor redirection in a shell command, e.g.:

                                                                                  python my_script_needs_secrets.py 3</path/to/secret
                                                                                  

                                                                                  Then inside the process:

                                                                                  secret=os.fdopen(3).read()
                                                                                  

                                                                                  This is a great approach for security, but how does it scale with multiple secrets? Do you use a separate descriptor for each one, or cat them all into the same descriptor? How do you organize your app to know which descriptor contains the secret data?

                                                                                  1. 1

                                                                                    When I’ve used the technique, I’ve just used a different descriptor for each, but one could send a bunch of secrets down one descriptor in some format if one wished.

                                                                                    The mapping of descriptor to schema is part of the documentation, typically a README (this is all for internal software, often just for my own use).

                                                                              1. 12

                                                                                The linked Systemd bug is painful to read and terrifying — it sounds like Poettering mighty have zero idea how a CSPRNG works?

                                                                                1. 7

                                                                                  Can you elaborate? It seems to me that he’s saying:

                                                                                  1. systemd wants cryptographically random keys, but it’s ok if the initial keys aren’t cryptographically secure, because they’ll be resized with new keys later on
                                                                                  2. /dev/urandom gives us that, without blocking
                                                                                  3. reading from /dev/urandom early on does not “deplete its entropy”

                                                                                  I had thought that claims #2 and #3 are true. I guess maybe #1 isn’t obviously true, if there’s some crazy attack vector that invalidates it, but it’s not really about CSPRNGs anyway. So even if it’s wrong, it wouldn’t mean he misunderstands CSPRNGs. Am I missing something?

                                                                                  1. 3

                                                                                    You know, I think you’re actually right. There’s a few statements in there that read like Poettering thinks there’s good and bad entropy, or that the concept of deleting the entropy pool is meaningful, but I think he’s actually only taking about the state of the CSPRNG early in the boot process when it may have not been seeded properly.

                                                                                    On the other hand, I do think the unwillingness to minimize competition for entropy during early boot is a pretty weird attitude.

                                                                                    1. 10

                                                                                      Yeah, #1 is still weird to me. Surely, cryptographically secure keys for systemd’s hash tables are either a security requirement during early boot, or they are not. It feels really weird to see the alleged need for secure keys used as a justification for the current behavior, while also claiming that it doesn’t matter that they aren’t secure. Subjectively, the impression I get is that it’s motivated mostly by a desire to avoid having to reason out what the threat model actually is here.

                                                                                      1. 5

                                                                                        It’s necessary for the keys to be hard to guess for an attacker, which generally means some kind of cryptographically secure. However, there generally aren’t any attackers during early boot, an even if there was, and the attacker could potentially guess the value of the key during early boot, the keys would be periodically re-generated as the attacker is attacking, and as soon as the CSPRNG is properly initialized, any new keys will be hard to guess.

                                                                                        Specifically, the random keys are necessary because in regular hash tables, an attacker who can insert something in the hash table can exploit pathological cases in the particular hash function used, turning the hash table’s O(1) lookup into O(n) lookup. The random key prevents the attacker from doing that without knowing the random key. Also, whenever the hash table gets big enough, a new key is chosen as part of the process of expanding the table.

                                                                                        Systemd knows exactly their threat model; it’s unlikely that there are attackers during early boot, and even if there are, the early boot stage lasts a short enough time that it’s likely not a big issue; therefore, urandom’s semantics of “give me the best random numbers you have available, but if it’s too early to give cryptographically secure numbers, that’s okay” is precisely the behavior they want.

                                                                                        Keep in mind that we’re not talking about an information leak or RCE vuln; an attacker being able to guess keys only results in a partial DoS where O(1) access turns into O(n) access for a limited time.

                                                                                        Also keep in mind that reading from urandom doesn’t actually hurt anything (at least from what I understand); it doesn’t deplete any randomness (because that’s not how CSPRNGs work), and it simplifies systemd’s code in a relatively critical area which reduces the chance of bugs causing vulnerabilities. The only issue, from what I understand, is that the kernel will print warning messages about it and that makes it harder to find actual security issues caused by reason from urandom too early.

                                                                                        1. 5

                                                                                          Yeah, that all matches my understanding of the discussion on the bug. I guess I disagree that the described harm of obscuring other issues isn’t an important one.

                                                                                          It does seem like the most reasonable course of action would be to make sure the code in systemd draws a clear distinction between early boot and later steps, and uses different sources of randomness. The current situation seems really bad to leave in place because nobody can actually reason about which security mitigations are in effect when.

                                                                                          I’m broadly supportive of the systemd approach of making daemom-starting infrastructure into a monolith, but it does come with a responsibility to at least work to keep security parity with the tooling it replaces. Seeing that the maintainer is apparently quite averse to that gives me serious doubts about the wisdom of the project.

                                                                                          1. 9

                                                                                            I’m broadly supportive of the systemd approach of making daemom-starting infrastructure into a monolith, but it does come with a responsibility to at least work to keep security parity with the tooling it replaces. Seeing that the maintainer is apparently quite averse to that gives me serious doubts about the wisdom of the project.

                                                                                            This is the recurring, sinking feeling I get every time one of these Systemd issues pops up. In isolation, it’d be easy to ignore, but as a pattern it makes me feel like we have an increasingly large fraction of userspace managed by folks who are unwilling to consider their role in the Linux ecosystem special in any way.

                                                                                            Sure, Linux got /dev/urandom wrong, but pretending that init doesn’t have a particular responsibility to manage that wrongness is an attitude that worries me.

                                                                                            1. 2

                                                                                              Yes. I have definitely seen that attitude on other systemd controversies, as well.

                                                                                            2. 3

                                                                                              I completely, 100% agree that systemd should make absolutely sure not to produce messages which obscure actual security issues. It’s scary to see Poettering saying that they aren’t responsible for “misguided” messages for the kernel when any other process reading from urandom before it’s inited would be a security issue. Blaming the kernel and saying it should change is unacceptable, unless it’s actually followed by seriously working together with the kernel people to get the problem systemd is causing fixed.

                                                                                              I was just trying to correct the misconceptions around this, and point out that this doesn’t represent a security issue or an attack vector they haven’t thought through.

                                                                                              1. 2

                                                                                                I definitely think you’ve done a good job of clarifying a situation that there seems to be a lot of confusion around. Before reading the bug thread, I hadn’t realized what a divisive topic randomness apparently is. Your explanation was very clear, and I thank you for it.

                                                                                    2. 4

                                                                                      The author notes that he has seen the issue for the first time on Alpine Linux, which doesn’t use systemd. So while systemd might make things worse, the real culprit is that the Linux kernel should’ve copied what OpenBSD does instead of inventing their own scheme which leads to this exact issue.

                                                                                      1. 1

                                                                                        There are 2 problems at work here:

                                                                                        1. The entropy file that openbsd has and uses to initialize the random generator, is not always available or sufficient.
                                                                                        2. Systemd uses a lot of the entropy which is scarce at boot time, and use of the scarce resource could potentially be avoided.

                                                                                        So we can’t mindlessly apply the solution of OpenBSD and we should know that systemd makes this issue worse. The problem exists because of these two circumstances and could be relevant for consideration in various use-cases.

                                                                                        1. 4

                                                                                          Entropy cannot be used up. Repeat: entropy cannot be used up. To think that it can be is outdated 90s-style crypto thinking.

                                                                                          All you need is a single 256-bit seed; you then can emit random numbers pretty much forever. You don’t need to worry about using up entropy (although it is a good idea to change the seed over time, in order to protect against state compromises).

                                                                                          The Linux kernel CSPRNG is broken, period: it should never not return random numbers, once properly seeded. And seeding is pretty easy, too: write a random number to a file at install time, at boot and at shutdown, and/or use RDRAND, and/or use virtio-rng.

                                                                                    1. 23

                                                                                      Assuming that the criticisms of PGPGPG here are valid, I am left unsatisfied by the proposed alternatives, which in every case are products (or at least, implementations) rather than being interoperable standards. According to this thing I can’t any longer have a single digital identity and must instead maintain identities/presences on Signal and on Wire and on Whatsapp and on FB Messenger (and presumably, on every other platform based on Signal protocol) and I also need to entrust my backups to tarsnap instead of using my own infra. I mean, not that PGP was (usefully) an interoperable standard either, but at least it didn’t make the fragmentation worse.

                                                                                      This doesn’t seem to be the open internet we were promised. Also, where’s my flying car?

                                                                                      1. 17

                                                                                        I do agree. The other solutions seem to make key-management an even bigger hassle and it is the one thing that PGP did solve: Identity verification for small independent groups of people, operating in an environment where having seen each other face 2 face is the only valid method of authentication.

                                                                                        I’ve exchanged PGP keys with some of my long-term friends I’ve known for more than a decade, some of those have moved abroad, some to downright hostile countries, and that means we only get to meet once of twice a year, but we are still in contact through messengers like Signal.

                                                                                        I’ve noticed that Signal has broken down multiple times over that time-period due to various reasons. Examples include, phones breaking, phone numbers changing due to different operators and operators from different countries.

                                                                                        As of yet, the PGP-keys and the small “web of trust” we’ve built with about 10 people, still holds up, while other solutions have broken down multiple times. Ironically PGP is the tool we get out to validate each other’s identity (like a Signal security number) when everything else fails. It’s not our day-to-day communications tool, but it is perfect for setting up some other secure channel in a scenario like this.

                                                                                        Also, where’s my flying car?

                                                                                        Are you willing to settle for a Zapata Flyboard Air?

                                                                                        1. 14

                                                                                          Don’t fret. Identity management is solved by yet another product! Keybase :-p

                                                                                          1. 11

                                                                                            Happy to see someone also noticing this problem. Alternatives posted here while technically good are “just” implementations not standards and in some cases it’s impossible to rewrite them under a different license. What if funding disappears and Signal will struggle? What if Colin gets hit by the bus and tarsnaps stops working?

                                                                                            The entire post reminds me of the “rewrite in Rust” meme (full disclosure: I like Rust :) ).

                                                                                            1. 6

                                                                                              I’m not a crypto expert, but I’m old enough to know by experience that “One-Size Fits All” is a deceitful pipe dream in practically every field I’ve encountered it. Why should crypto be different?

                                                                                              Also, it feels like your argument about maintaining identities on Signal + Wire + WhatsApp and FB Messenger is a straw man. If you don’t need to maintain all those accounts now, why would you suddenly need all of them to replace PGP? (Or is the group you communicate over PGP with really so technologically fragmented that you would need an account on each of those systems to keep in touch with everyone? How do you currently communicate with people who don’t use PGP?)

                                                                                              1. 8

                                                                                                Again: I’m happy with the claim that different problems (backups vs messaging vs file transfer vs …) require different solutions, but I’m less happy with the idea that the solution to each of these problems is to buy into a platform

                                                                                                1. 5

                                                                                                  I’m less happy with the idea that the solution to each of these problems is to buy into a platform

                                                                                                  I don’t think that’s true. The places where you’re told to buy into a platform are messaging and backups.

                                                                                                  Messaging you have to buy into a platform anyway because of network effects (even if you’re buying into a federated platform, you have to choose your federated protocol).

                                                                                                  For backups, most people want a backup service, where you are always buying into some platform. If you’re making file (not disk image) backups, and you’re storing them yourself, you fall into the narrow but well-identified gap mentioned at the end of the article.

                                                                                              2. 3

                                                                                                Isn’t what you’re saying just a restatement of the article’s take that PGP tries to solve too many unrelated problems?

                                                                                                1. 7

                                                                                                  Not what I’m trying to say (it may have been how it came out, in which case I wasn’t clear). I’m happy with the claim that different problems (backups vs messaging vs file transfer vs …) require different solutions, but I’m less happy with the idea that the solution to each of these problems is to buy into a platform (or in the messaging case, buy into a bunch of platforms that don’t interoperate), and there isn’t an actual open standard that I can choose my own implementation of.

                                                                                                  1. 5

                                                                                                    For messaging, the open standard is the OMEMO extension to XMPP. You have the problem of getting people to use XMPP, but with Conversations on Android it’s not that bad; you could probably talk a lawyer through it without smelling burning toast (as the article says about Signal). Not all XMPP chat applications support it, but by now there’s at least one good one for every platform that does, I believe.

                                                                                                    1. 7

                                                                                                      For messaging, the open standard is the OMEMO extension to XMPP.

                                                                                                      Sadly this “open standard” is tightly coupled with libsignal and even re-implementing libsignal wouldn’t let people use permissive licenses. That’s my problem with Signal, it’s open-source but with “strings attached”.

                                                                                                      (full disclosure: I use OMEMO daily and the experience has been great including multi-user chats).

                                                                                                      1. 4

                                                                                                        I hope we are able to get OMEMO into a shape where it depends on the open specifcations from https://signal.org/docs/ instead of telling implementors to “do whatever libsignal does”. This would require a non-backwards compatible OMEMO protocol update though.

                                                                                                2. 3

                                                                                                  Back when I was a kid, I hated the idea of eg. having a separate PGP key for work, because I am the same person regardless.

                                                                                                  People tried to talk me out of it, to explain that identities aren’t really people and applicable uses aren’t necessarily the same as identities.

                                                                                                  Eventually I changed my position and life is easier now. Time to move on, with gratitude to the people who worked hard in the 90s and after.

                                                                                                  1. 11

                                                                                                    I want to have separate identities for work and each of my hobbies — but I want to have a work identity, not a work-email identity, a work-Go-signing identity, a work-Python-signing identity, a work-git-signing identity, a work-Slack identity, a work-password-encryption identity, a work-backup-encryption identity &c.

                                                                                                    1. 2

                                                                                                      You can use subkeys for this and have the main key signed by others, right?

                                                                                                      1. 2

                                                                                                        That’s kinda my point, but feels like most people just use a “burner” key for work. The employment is expected to last a shorter time than your life, and no one cares in practice about subkeys.

                                                                                                        I suppose non-subkeys are generally weasier to distance yourself from in more cases than this.

                                                                                                        The autistic-ish part of my brain just wanted to model myself in a neat little package, but it really doesn’t matter.

                                                                                                        Now I just tell mutt to ignore everything pgp when I send mail because I’m not sure I remember the passphrase or have keys for anyone I email etc. It’s strange I never uninstalled the damned thing, instead got the muscle memory for ignoring :D

                                                                                                    2. 2

                                                                                                      Well, yes. The Signal developers said that they didn’t make an open protocol because they didn’t want to have to deal with backwards compatibility. This blog post says that backwards compatibility is at odds with security. That sounds like what you want and what the OP wants are in conflict.

                                                                                                      1. 1

                                                                                                        My personal biggest painpoint is that it requires me to use different key schema for each of the solutions. I cannot have “one key to rule them all” but I need to generate new one for each of them. Why the hell I need the same key in N different encodings? Why I cannot share them between applications?

                                                                                                      1. 21

                                                                                                        I disagree. The C programming language is directly responsible for countless damning flaws in modern software and can be credited for the existence of the majority of the modern computer security industry.

                                                                                                        You can write system software in many languages, including Lisp. For a less outlandish example, Ada is specifically designed for producing reliable systems worked on by teams of people in a way that reduces errors at program run time.

                                                                                                        I find it amusing to mention UNIX fundamentals as a reason to learn C, considering UNIX is the only reason C has persisted for so long anyway. Real operating systems focused largely on interoperation between languages, not funnelling everything through a single one; Lisp machines focused on compilation to a single language, but that language was well-designed and well-equipped, unlike C.

                                                                                                        Last but not least, because C is so “low-level”, you can leverage it to write highly performant code to squeeze out CPU when performance is critical in some scenarios.

                                                                                                        It’s actually the opposite. The C language is too high-level to correspond to any single machine, yet too low-level for compilers to optimize for the specific machine without gargantuan mechanisms. It’s easier to optimize logical count and bit manipulations in Common Lisp than in C, because Common Lisp actually provides mechanisms for these things; meanwhile, C has no equivalent to logical count and its bit shifting is a poor replacement for field manipulations. Ada permits specifying the bit structures of data types at a very high level, while continuing to use abstract parts, whereas large C projects float in a bog of text-replacement macros.

                                                                                                        Those are my thoughts on why C isn’t worth learning, although this is nothing against the author.

                                                                                                        1. 5

                                                                                                          Unix-like operating systems aside, are people like D. Richard Hipp or Howard Chu doing it wrong and simply wasting their time, then?

                                                                                                          1. 12

                                                                                                            Your question implies all or nothing type of answer. They could be making a bad choice in language while otherwise doing great design, coding, and testing. There’s a lot of talented people that attract to C. There’s also sometimes justification such as available time/talent/tooling or just making stuff intended for adoption by C programmers.

                                                                                                            What few studies that have been done always showed C programmers were less productive and their code screwed up more. The language handicaps them. More expressive languages with more safety that are easier for compilers to understand are a better solution.

                                                                                                            1. 3

                                                                                                              The question was rhetorical. I.e. for the aforementioned Howard Chu, C was the obvious and only choice to write LMDB in.

                                                                                                              1. 4

                                                                                                                Sometimes C simply is the only viable language to write a system in. Databases and programs on microcontrollers with less than 16 KB of ram are such examples, because in those cases every bit of memory counts.

                                                                                                                Alltough I would definitely not use C blindly, it is still worth learning. But I do think that it is a bad idea to learn it as your first language.

                                                                                                                1. 7

                                                                                                                  Forth would probably be an even better choice for a microcontroller with less than 16KB of RAM, to be honest …

                                                                                                                  1. 3

                                                                                                                    I would argue Ada is just as well suited to microcontrollers with less than 16 kB of RAM – perhaps even more than C is.

                                                                                                                    1. 3

                                                                                                                      Only if you can do bitwise operations directly on specific cpu registers. With Ada, these operations are not always available, while C nearly always has them.

                                                                                                                      They are vital if you want to make a logic output pin high or low.

                                                                                                                      1. 3

                                                                                                                        That is no inherent fault of the language, however - as with much of this discussion, the conflation of language with ecosystem obscures meaning. As I mention above, C is only king of the scrap heap because we’re locked in a vicious cycle of building CPUs that execute C better, building compilers that compiler better for those CPUs, etc. Similarly we have a vicious cycle of C compatibility in software. Everything is compatible with C because C is compatible with everything.

                                                                                                                        1. 4

                                                                                                                          I’d love to agree with you, but then we would both be wrong. Furthermore, this is a very short sighted opinion.

                                                                                                                          First: There is an astonishing amount of CPU’s that are mostly designed to be cheap, fast or power efficient, and those are certainly not designed to execute specifically C programs better. If they are designed towards a specific programming related goal, then they are optimized towards executing the most-used instructions in their specific instruction-set. That is, if they are optimized for anything else than cost at all.

                                                                                                                          Second: It doesn’t matter how you design a CPU, somewhere you’ll have to deal with bits and bits are wires which you pull high or low. You’d also have to pull the data off the CPU at some point in time. The simplest, cheapest and most efficient method of doing so, is by directly tying a wire that goes off-chip into some part of a register in the CPU.

                                                                                                                          Third: I think that the emergence of C is a consequence of how our technology is built, how it functions and what is most efficient to implement in a scilicon-die and not the other way around. The reason that C is compatible with everything is probably because it is easy to use and implement for everything. I think this is because there is a deep connections between how electronic circuits work, the way that C is specified and the operations you can perform in C.

                                                                                                                          I agree with you that the “CPUs are built for C and C is created for CPUs” causation goes both ways, but it is definitely way stronger in the direction of “C is created for CPUs” than the other way around.

                                                                                                                          Keep in mind that this article is specifically about C as a systems language, therefore we don’t care about C as a language for applications (In fact, once you are out of the systems doamin, you’d probably be better off using something else). However it will be impossible for certain applications to ignore the functioning of their underlying systems down to their (electro-)mechanical levels (e.g. database systems).

                                                                                                                          1. 2

                                                                                                                            I’d love to agree with you, but then we would both be wrong.

                                                                                                                            That’s entirely unnecessary and serves only as an insult. Please don’t.

                                                                                                                            First: There is an astonishing amount of CPU’s that are mostly designed to be cheap, fast or power efficient, and those are certainly not designed to execute specifically C programs better.

                                                                                                                            These are effectively orthogonal concerns. In the embedded space, consider the (relative) failure of the Parallax Propeller compared to the AVR family of microcontrollers. Comparable options exist in the two product lines in terms of power usage, cost, and transistor count, but AVR is a fundamentally serial architecture while Propeller requires the use of multiple threads to take advantage of its transistor count efficiently. A language optimized for this does not have widespread adoption in the embedded space, where aside from Ada and a bit of Rust, C is the absolute king. This is almost certainly a major contributing factor in the relative success of AVR over Propeller (in addition to the wider part range and backing from a major semiconductor manufacturer).

                                                                                                                            Second: It doesn’t matter how you design a CPU, somewhere you’ll have to deal with bits and bits are wires which you pull high or low. You’d also have to pull the data off the CPU at some point in time.

                                                                                                                            And you don’t need C to do either of those things - in fact, you can’t do them in “C”. You need someone to write some machine code at some point to enable you to do those things, and if you can package that machine code up into a C library or compiler intrinsic you can package it up into a Rust or Ada library just as well.

                                                                                                                            Third: I think that the emergence of C is a consequence of how our technology is built, how it functions and what is most efficient to implement in a scilicon-die and not the other way around.

                                                                                                                            This is potentially possible, but I suggest you take a look at C Is Not A Low Level Language which discusses the vicious cycle of C and CPU better than I can here.

                                                                                                                            One reason I don’t think this is true is because there are examples of using existing silicon technology to build non-serial-like computers; GPUs are a huge one, as are FPGAs and other heterogeneous computing technologies. Those fundamentally cannot be programmed like a serial computer, and that makes them less accessible to even many very skilled systems programmers.

                                                                                                                            it will be impossible for certain applications to ignore the functioning of their underlying systems down to their (electro-)mechanical levels (e.g. database systems).

                                                                                                                            I hope I didn’t imply that there will ever be a point at which “bare metal engineering” isn’t needed. I’m not saying that low level programming is not essential; I’m saying that you can do low level programming without C in principle, and often even in practice.

                                                                                                                            1. 2

                                                                                                                              That’s entirely unnecessary and serves only as an insult. Please don’t.

                                                                                                                              It wasn’t an insult. It was me stating that I’d love to live in a better world in which I could agree with your viewpoint, but also stating that your viewpoint, does not comply with the reality at hand.

                                                                                                                              Not everything is, or is meant as, an insult, and you’d be wise to assume nothing is an insult until it undeniably is. Nothing I’ve written so far is an insult, and in fact, I’d rather walk away from a discussion before insults are being made. I won’t waste my time on discussions that serve the purpose of reaffirming ones, or my own, beliefs.

                                                                                                                              This is almost certainly a major contributing factor in the relative success of AVR over Propeller (in addition to the wider part range and backing from a major semiconductor manufacturer).

                                                                                                                              I disagree. I think that AVR’s success is mostly due to the fact that in the embedded space, interrupts are more important than multi-threading is. Most embedded jobs simply don’t need multiple threads. It’s not the C language, but economics that is to blame.

                                                                                                                              And you don’t need C to do either of those things - in fact, you can’t do them in “C”. You need someone to write some machine code at some point to enable you to do those things, and if you can package that machine code up into a C library or compiler intrinsic you can package it up into a Rust or Ada library just as well.

                                                                                                                              Ah but here’s the problem. You’d need to write some extra machine code to set bits in a certain register. That extra machine code would require extra cycles to be executed.

                                                                                                                              I’d also like to point out that when you are using C, you don’t need the extra machine code at all! In the embedded- or system-space, you can simple look up the address of a register in the datasheet or description of the instruction set, put that number into your program, treat it as a pointer and then read from or write to the address your pointer is referring to.

                                                                                                                              So you just don’t need extra machine code in C. You just “input the number and write to that address” in C. This is why it’s king. A lot of other languages simply can’t do that.

                                                                                                                              This is potentially possible, but I suggest you take a look at C Is Not A Low Level Language which discusses the vicious cycle of C and CPU better than I can here.

                                                                                                                              I’ve read it, but that does not mean that I agree with that viewpoint. I still think that C is a low level language. Mostly because of the “input the address of a register as a pointer and treat it regularly”-approach C has taken. As for the vicious cycle, I’ve stated my thoughts on that in my previous post quite clearly with:

                                                                                                                              I agree with you that the “CPUs are built for C and C is created for CPUs” causation goes both ways, but it is definitely way stronger in the direction of “C is created for CPUs” than the other way around.

                                                                                                                              One reason I don’t think this is true is because there are examples of using existing silicon technology to build non-serial-like computers; GPUs are a huge one, as are FPGAs and other heterogeneous computing technologies. Those fundamentally cannot be programmed like a serial computer, and that makes them less accessible to even many very skilled systems programmers.

                                                                                                                              First of all: GPU’s are multiple serial computers in parallel. It doesn’t matter how you look at it, their data-processing is mostly serial and they suffer from all the nastiness that regular serial computers do when you have to deal with concurrency.

                                                                                                                              Second: FPGA’s simply aren’t computers. They are circuits. Programmable circuits that you can use to do computations, but they are circuits nonetheless. Expecting that you can efficiently define circuits with C, is like expecting that you can twist a screw in with a hammer: “You might accomplish your goals, but you will have a crude result or a very hard time”.

                                                                                                                              Third: I’ve been making the argument that C is mainly a consequence of how CPU’s work and (mostly, see my above statement that is also in my previous post) not the other way around.

                                                                                                                              I hope I didn’t imply that there will ever be a point at which “bare metal engineering” isn’t needed. I’m not saying that low level programming is not essential; I’m saying that you can do low level programming without C in principle, and often even in practice.

                                                                                                                              You did give me the impression that you were implying that bare-metal engineering isn’t needed and you confirmed that impression by stating that “you’d just need to write some machine code” to get hardware level access in other languages. The whole point of C was that you simply have (if you know the address that is) your hardware access by just inputting the address of where your register to communicate with the hardware is, without having the need for extra machine code.

                                                                                                                              C provides you with a level of abstraction for writing machine code, without needing to know the machine code and without needing extra machine code to accomplish your goals.

                                                                                                                              That’s why I think that it is a low level language and why I also think that it is still worth learning as a systems language.

                                                                                                                              PS: I am by no means a fan of C, but I do am a fan of using the right tool for each problem as it makes your life, and the problem much easier. In the (embedded) systems world, I think that C is often simply the right tool to use.

                                                                                                                              1. 2

                                                                                                                                So you just don’t need extra machine code in C. You just “input the number and write to that address” in C. This is why it’s king. A lot of other languages simply can’t do that.

                                                                                                                                Ada does it better. Ada has attribute for Address, Size, and also permits giving specific meaning to its enumeration types. I’ve never used all of this with Ada, but I believe it would look like this:

                                                                                                                                declare
                                                                                                                                   type Codes is (This, That, Thus);
                                                                                                                                   for Codes use (This => 1, That => 2, Thus => 17);
                                                                                                                                   for Codes'Size use 8;
                                                                                                                                   Register : Codes := This
                                                                                                                                      with Address => 16#0ABC#;
                                                                                                                                begin
                                                                                                                                   ...
                                                                                                                                end;
                                                                                                                                

                                                                                                                                So, this is a high-level, type-safe, and simple way to do what you just described, but you usually won’t need to do this and so suffer none of the drawbacks.

                                                                                                                                C is worse than useless, because it deceives people such as yourself into believing it has any value whatsoever or is otherwise at all necessary.

                                                                                                                                1. 1

                                                                                                                                  Nice! I didn’t know about this.I’ll definitely look into Ada more when I get the chance.

                                                                                                                                  C is worse than useless, because it deceives people such as yourself into believing it has any value whatsoever or is otherwise at all necessary.

                                                                                                                                  And yet I still disagree with you here. There’s are reasons why C is king and why Ada isn’t.

                                                                                                                          2. 2

                                                                                                                            Which is why Ive encouraged authors of new languages to use its data types and calling conventions with seemless interoperability. It took decades for C to get where it is. Replacing it, if at all, will be an incremental process that takes decades.

                                                                                                                            Personally, I prefer just developing both new apps in safer languages and compiler-assisted security for legacy C like Softbound + CETS. More cost-effective. Now, C-to-LangX converters might make rewrites more doable. Galois is developing a C-to-Rust tool. I’m sure deep learning could kick ass on this, too.

                                                                                                                            1. 1

                                                                                                                              I think it’s not realistic to assume that C will be replaced anytime soon, not even in decades. C will still be around, long after Rust has died.

                                                                                                                              I also think it’s a pipe dream to assume that other programs can transform C-programs into some safer language while still preserving readability and the exact same behaviour. What you describe has been studied and is known in scientific literature as “automatic program analysis” and is closely related to the halting problem, which is undecidable. This technology can certainly make many advances, but ultimately it is doomed to fail on a lot of cases. We’ve known this since the the 1960’s. When it fails, you will simply need knowledge about how C works.

                                                                                                                              Furthermore: Deep learning is akin to “black magic” and people simply hate any form of “magic”. At some point you want guarantees. Most traditional compilers give you those because their lemma’s and other tricks are rooted in algebra’s that have been extensively studied before they are put into practice.

                                                                                                                              1. 1

                                                                                                                                “I think it’s not realistic to assume that C will be replaced anytime soon, not even in decades. C will still be around, long after Rust has died.”

                                                                                                                                I agree. There will probably either always be more C than Rust or that way for a long time.

                                                                                                                                “ it’s a pipe dream to assume that other programs can transform C-programs into some safer language while still preserving readability and the exact same behaviour. “

                                                                                                                                There’s already several projects that do it by adding safety checks or security features to every part of the C program with risk that their analyses can’t prove safe. So, your claim is already false. The research is currently focused on further reducing the performance penalty (main goal) and covering more code bases. Probably needs a commercial sponsor with employees that stay at it to keep up with the second goal. They already mostly work with many components verifiable if anyone wanted to invest the resources into achieving that.

                                                                                                                                “Deep learning is akin to “black magic” and people simply hate any form of “magic”. At some point you want guarantees. “

                                                                                                                                Sure they do: they’re called optimizing compilers and OS’s. They trust all the magic so long as it behaves the way they expect at runtime. For a transpiler, they could validate it by eye, with test generators, and/or with fuzzing against C implementation comparing outputs/behavior. My idea was doing it by eye on a small pile of examples for each feature. Once it seems to work, add that to automated test suite. Put in a bunch of codebases with really different structure or use of the C language, too.

                                                                                                                                1. 1

                                                                                                                                  Sure they do: they’re called optimizing compilers and OS’s. They trust all the magic so long as it behaves the way they expect at runtime. For a transpiler, they could validate it by eye, with test generators, and/or with fuzzing against C implementation comparing outputs/behavior. My idea was doing it by eye on a small pile of examples for each feature. Once it seems to work, add that to automated test suite. Put in a bunch of codebases with really different structure or use of the C language, too.

                                                                                                                                  • In a lot of area’s, comparing it by eye and testing with fuzzers is simply not going to fly (sometimes in the most literal sense of the word fly).
                                                                                                                                  • An automated test suite with tons of tests can also slow development down. I’m all for tests, but I am against mindlessly adding a test for each and every failure you’ve encountered.
                                                                                                                                  • What operating systems do is explainable with relative ease. What most deep-learning systems do is not. If you want guarantees for 100% of all cases, deep learning is immediately out of the picture.

                                                                                                                                  The research is currently focused on further reducing the performance penalty (main goal) and covering more code bases.

                                                                                                                                  Herein lies the problem. These tools cover some, but not all codebases. We have known for almost a century that a tool that covers all possible codebases is impossible to construct. See the “Common pitfalls” section on the halting problem on Wikipedia for a quick introduction. You will see that my argument is not false and will still hold, and that means that it is still useful to learn C (which is the main topic under discussion here).

                                                                                                                                  1. 2

                                                                                                                                    The by eye, feature by feature testing, and fuzzing in my comment were for the transpiler’s development, not normal programs. You were concerned about its correctness. That would be my approach.

                                                                                                                                    I’m not buying the halting problem argument since it usually doesn’t apply. It’s one of most overstretched things in CompSci. The static analyses and compiler techniques work on narrow analyses for specific traits vs the broader goal halting problem describes. They’ve been getting lots of results on all kinds of programs. If the analysis fails or is infesible, the tools just add a runtime check for that issue.

                                                                                                                                    1. 1

                                                                                                                                      The by eye, feature by feature testing, and fuzzing in my comment were for the transpiler’s development, not normal programs. You were concerned about its correctness. That would be my approach.

                                                                                                                                      Formal verification is the route the real language and compiler-development teams take (See clang and ghc for example). Fuzzing is something they use, but usually as an afterthought.

                                                                                                                                      I’m not buying the halting problem argument since it usually doesn’t apply. It’s one of most overstretched things in CompSci. The static analyses and compiler techniques work on narrow analyses for specific traits vs the broader goal halting problem describes. They’ve been getting lots of results on all kinds of programs. If the analysis fails or is infesible, the tools just add a runtime check for that issue.

                                                                                                                                      Fair enough, but I’d still like to point out that throwing the “halting problem”-argument, because it usually doesn’t apply, and stating “we have to make sure something works on all kinds of codebases”, are two polar opposites of reasoning methods.

                                                                                                                                      If you are reasoning like this: “Okay, we know this is impossible because of the results Turing provided us about the halting problem, but lets see how close we can get to perfection”, or “lets see if we can build something usefull for 80% of cases”, then I approve of the approach and then I’ll agree. In this case you probably would also agree with me that there is still value in learning C as a systems language.

                                                                                                                                      But if your reasoning is along the following lines: “Look this works on nearly all codebases practice and therefore we don’t have to learn C as a systems language”, then you are just simply dead wrong. It’s the last 5 or 10% that where algorithms, ideas and projects fail, and not the easy first 80%.

                                                                                                                                      You really require Feynman’s kind of “kind of utter honesty with yourself” when discussing these kinds of topics, because it is very easy to fool yourself into believing in some favourable picture of an ideal where technology or skill x is not needed any more.

                                                                                                                                      1. 1

                                                                                                                                        “Formal verification is the route the real language and compiler-development teams take (See clang and ghc for example).”

                                                                                                                                        They don’t use mathematical verification for most compilers. Only two that I know of in past few years. I’m not sure what V&V methods most compiler teams use. I’d guess they use human review and testing. Maybe you meant formal as in organized reviews. What you said about fuzzing is easily proven true given all the errors the fuzzers find in… about everything.

                                                                                                                                        “ stating “we have to make sure something works on all kinds of codebases””

                                                                                                                                        You keep saying all. Then, you argue with your own claim like I said it. I said “Put in a bunch of codebases with really different structure or use of the C language, too.” As in, keep testing it on different kinds of code bases to improve it’s general applicability. We don’t have to eliminate all C or C developers out there. That I thought so was implied by me advocating compiler techniques for making remaining C safer.

                                                                                                                                        “or “lets see if we can build something usefull for 80% of cases”, then I approve of the approach and then I’ll agree. In this case you probably would also agree with me that there is still value in learning C as a systems language.”

                                                                                                                                        Basically that. Except, like HLL’s vs C FFI’s, I’m wanting the number of people that need that specific low-level knowledge to go down to whatever minimum is feasible. People that don’t need to deal with internals of C code won’t need to learn C as a systems language: just how to interface with it. People that do need to rewrite, debug, and/or extend C code will benefit from learning C.

                                                                                                                                        If a competing language succeeds enough, it might come down to a tiny number of specialists or just folks cross-trained in that which can handle those issues. Much like assembly, proof engineering, and analog are today.

                                                                                                                                        “You really require Feynman’s kind of “kind of utter honesty with yourself” “

                                                                                                                                        I had to learn that lesson about quite a few things. My claims have quite a few qualifiers with each piece proven in a field project. I’m doing that on purpose since I’ve been burned on overpromising in languages, verification, and security before. I don’t remember if I read the essay, though. It’s great so far. Thanks for it.

                                                                                                                                        1. 2

                                                                                                                                          I’m wanting the number of people that need that specific low-level knowledge to go down to whatever minimum is feasible.

                                                                                                                                          I fully agree with that goal, but I question whether or not you are still at a “systems-level” when you can ignore the specific low-level knowledge.

                                                                                                                                          People that don’t need to deal with internals of C code won’t need to learn C as a systems language: just how to interface with it.

                                                                                                                                          I guess, our whole argument boils down to my “belief” that if you are only interfacing with C, you probably have left the systems-domain behind already, because you are past the level where you need to be aware of what your bits, registers, processors, caches, buffers, threads and hard drives are doing.

                                                                                                                                          If you are on that level, then I totally agree with you that you should use something else than C, unless your utility is run millions of times per day all around the world.

                                                                                                                                          I’m doing that on purpose since I’ve been burned on overpromising in languages, verification, and security before.

                                                                                                                                          What I want you to take away from this discussion is something similar: You should not “over-blame” C for all kinds of security vulnerabilities (amongst other issues). I agree that the language has certain aspects that make it more inviting to all kinds of issues. In fact I even dare to go as far as to state that C is a language that not just “invites” issues, but that it almost “evokes” those issues.

                                                                                                                                          However I also think that the business processes that cause the issues and vulnerabilities which are often attributed to C, are an even bigger (security) problem than C in and of itself is.

                                                                                                                                          I don’t remember if I read the essay, though. It’s great so far. Thanks for it.

                                                                                                                                          You’re welcome! I’m glad you like it.

                                                                                                                                          I’ve also posted the essay as a story. I was surprised that it wasn’t already on here.

                                                                                                                                          1. 2

                                                                                                                                            re low level knowledge

                                                                                                                                            I think I should be more specific here. We are talking about systems languages. The person would need to understand a lot of concepts you mentioned. They just don’t use C to do it. If anything, not using C might work even better since it targets an abstract machine that’s sort of like current hardware and in other ways (esp parallel stuff) nothing like it. Ada w/ ParaSail or Rust with its parallelizers might represent the code in a way that keeps systems properties without C’s properties. So, they still learn about this stuff if they want things to perform well.

                                                                                                                                            From there, they might need to integrate with some C. That might be a syscall. That might be easy to treat like a black box. Alternatively, they might have to call a C library to reap its benefits. If it’s well-documented w/ good interface, they can use it without knowing C. If it’s not, they or a C specialist will have to get involved to fix that. So, in this situation, they might still be doing systems programming considering low-level details. They just will need minimal knowledge of C’s way of doing it. That knowledge will go up or down based on what C-based dependencies they include. I hope that makes more sense.

                                                                                                                                            re business processes

                                                                                                                                            The environment and developers are an important contributor to the vulnerabilities. That C has enough ways to trip up that even the best developers do make me put more blame on its complexity in terms of dodging landmines. I still put plenty blame on the environment given quality-focused shops have a much lower defect rate. Especially if they use extensive tooling for bug elimination. You could say a major reason I’m against most shops using C is because I know those processes and environments will turn it into many liabilities that will be externalized. Anything that lowers number of vulnerabilities or severe ones in bad environments can improve things. At the least, memory-safe languages turn it from attackers owning your box to just crashing it or leaking things. Some improvement given updates are easier if I still control the box. ;)

                                                                                                              2. 12

                                                                                                                Your reasons to not learn C are… mostly irrelevant. You may not think unix is a “real” operating system, but it’s the most widely OS family outside of seriously low-powered embedded stuff. Nobody programs for lisp machines. You could write ada, sure, but I don’t imagine there’s a vibrant open source library ecosystem for it.

                                                                                                                In your preferred world, where everyone uses lisp machines or what you consider “real” operating systems, you are right, but we’re not in that world. If people are going to continue using unixes, learning C will continue to be worthwhile even if you prefer writing most new code in something better like rust or ada or lisp.

                                                                                                                1. 3

                                                                                                                  You could write ada, sure, but I don’t imagine there’s a vibrant open source library ecosystem for it.

                                                                                                                  I’m assuming you mean that this vibrancy exists for C libraries? Which makes the statement odd, because calling a C library from Ada is trivial.

                                                                                                                  (And no, you don’t lose all the advantages of Ada by calling libraries written in C. Any argument to that effect is so off the mark I would have trouble responding to it.)

                                                                                                                  1. 2

                                                                                                                    I wouldn’t say you lose all the advantages of Ada by calling C libraries. However, if you’re calling C libraries, you should have at least a rudimentary understanding of C, right? If anything, using C libraries from Ada is a big argument in favor of learning C, isn’t it? Not because you necessarily should use C in a project, but just because you need to be able to read the documentation, know how to translate a C function signature into a call to that function from Ada, know what pitfalls you can fall into if you’re calling the C code incorrectly, know how to debug the segfaults you’ll inevitably encounter, know how to resolve linker issues, etc. Maybe you’ll even have to write a tiny wrapper in C around another library if that library is particularity happy to abuse macros or if you need to do something stupid like use setjmp/longjmp to deal with errors (like libjpg requires you to do).

                                                                                                                    1. 1

                                                                                                                      Sure, but “C still deserves learning once you know Ada” is rarely how it goes.

                                                                                                                      1. 3

                                                                                                                        I don’t know what previous experience you have with being coerced to learn C but the article we’re commenting on here just said that modern C is very different from old C, that knowing C is really useful to be able to study the vast amount of open source C code in your operating system (assuming that’s something unixy), and that there may be times when you want to write something in C for the performance. I’d say “C still deserves learning once you know Ada” is perfectly consistent with those points.

                                                                                                                        I’ll admit you do have a point regarding the performance thing; if you know Ada, you may not need C to write performant code. However, I’d bet it’s vastly easier to use a C library from, say, Python, than it is to use an Ada library from Python, so even if you know Ada, writing performance-critical code in C still makes sense in certain fairly common circumstances.

                                                                                                                        1. 3

                                                                                                                          The biggest difficulty with using Ada libraries from Python is that you have two languages with expressive type systems talking through a third one without, since the OS API is that of C. You have to either come up with a way of encoding and decoding complex data, or reduce the API of the library to the level of expressiveness afforded by C.

                                                                                                                          To study old code, knowing modern C is not enough, so the point about modern C becomes moot there.

                                                                                                                          Also, this is a shameless plug, but I have a real life demonstration of what calling C and assembly from Ada actually looks like: Calling C:https://github.com/dmbaturin/hvinfo/blob/master/src/hypervisor_check.adb#L108-L121 Calling x86 assembly: https://github.com/dmbaturin/hvinfo/blob/master/src/hypervisor_check.adb#L22-L36

                                                                                                                      2. 1

                                                                                                                        If anything, using C libraries from Ada is a big argument in favor of learning C, isn’t it?

                                                                                                                        Perhaps, but you’re advocating that people should learn more modern languages first and do the majority of their programming in those languages, which is not what /u/nanxiao suggested at all.

                                                                                                                        1. 2

                                                                                                                          Isn’t it though? The article is saying you can squeeze out some extra performance from C, that C really isn’t as bad as it used to be, and that being able to read the source of your operating system and tools is beneficial; “do most of your programming in your preferred language, but know how to read and write C when that turns out to be necessary” seems perfectly consistent with that, doesn’t it?

                                                                                                                          1. 2

                                                                                                                            I suppose so; however, the post seems to be mostly engaging with users of the Rust and Go languages, which are cast by the author as direct competitors to C (their success causing it to be “ignored”).

                                                                                                                            In any case I definitely think this is the right approach.

                                                                                                                        2. 1

                                                                                                                          “However, if you’re calling C libraries, you should have at least a rudimentary understanding of C, right?”

                                                                                                                          Nope. The whole point of putting it behind a function call, aka abstraction, is not understanding the internals. Instead, you should just know about the safety issues (i.e. responsible use), what data goes in the function call, and what is returned. You should just have to understand the interface itself.

                                                                                                                          The other stuff you mentioned is basically working with the C code inside. That requires knowing about C or at least assembly.

                                                                                                                          1. 3

                                                                                                                            I don’t think that’s the only interpretation. If you have to build the abstraction at the ffi level yourself, then you generally want to be familiar with C. In many cases, the docs aren’t good enough to cover all of the cases where UB is expressed through the API, so you wind up needing to read the source.

                                                                                                                            1. 1

                                                                                                                              True in practice.

                                                                                                                    2. 3

                                                                                                                      Lisp machines focused on compilation to a single language, but that language was well-designed and well-equipped, unlike C.

                                                                                                                      We are back in the mainframe age where you can use whichever language you please on the server side. Before we write an alternate history where lisp machines won, how many major players have succeeded with lisp and stuck with it? Biggest I remember was Reddit, and I’m pretty sure they eventually re-wrote everything in Python.

                                                                                                                      Would also add that as much as I enjoy lisp, I’d never even consider it for something that had the potential to get big. If I have to start dropping newbies into my code, I want types and compile-time warnings.

                                                                                                                      1. 4

                                                                                                                        how many major players have succeeded with lisp and stuck with it?

                                                                                                                        ITA famously uses Lisp.

                                                                                                                        There are attempts to catalog production uses of Lisp, but they’re almost certainly out of date, incorrect, and don’t highlight companies anyone has really heard of.

                                                                                                                        There’s no intention in arguing, just providing the list that I know of in direct answer to your question.

                                                                                                                        1. 4

                                                                                                                          If I have to start dropping newbies into my code, I want types and compile-time warnings.

                                                                                                                          Common Lisp has types and compile-time warnings. It has the ability to treat warnings as errors, too. it’s a pretty great language considered.

                                                                                                                          1. 1

                                                                                                                            I remember there was some macro to annotate a parameter for type checking, but its behavior was left unspecified by the standard. Has that blank been filled in since then? Or is there another facility that I’ve overlooked entirely?

                                                                                                                          2. 3

                                                                                                                            Look at Franz and LispWorks customer pages for answer to that. Quite a range of uses. Most seem to like its productivity and flexibility. It’s definitely a tiny slice of laguage users, though.

                                                                                                                        1. 7

                                                                                                                          The end of controlling what you see on the Web is coming.

                                                                                                                          1. 27

                                                                                                                            Not if you switch to Firefox :)

                                                                                                                            I really hope Google is shooting themselves (and Chrome’s market share) in the foot with this move… but somehow I doubt it.

                                                                                                                            1. 7

                                                                                                                              Firefox development is mostly funded by Google. I can’t imagine them doing much to piss Google off.

                                                                                                                                1. 13

                                                                                                                                  This actually sounds reassuring:

                                                                                                                                  Regardless of what happens with Chrome’s manifest v3 proposals, we want to ensure that ad-blockers and other similarly powerful extensions that contribute to user safety and privacy remain part of Mozilla’s add-ons ecosystem while also making sure that users are not being exposed to extreme risks via malicious use of powerful APIs.

                                                                                                                                  1. 8

                                                                                                                                    making sure that users are not being exposed to extreme risks via malicious use of powerful APIs.

                                                                                                                                    This part is scary.

                                                                                                                                    1. 1

                                                                                                                                      Yeah, but …

                                                                                                                                      We have those APIs now isn’t it ? And the world isn’t collapsing.

                                                                                                                                      1. 4

                                                                                                                                        The scary part is that Firefox thinks it’s their job to decide how users use their own computers.

                                                                                                                                        1. 18

                                                                                                                                          It’s kind of impossible not to if you’re creating consumer facing software, isn’t it?

                                                                                                                                          1. 4

                                                                                                                                            It’s one thing to provide safe defaults, and another thing entirely to ensure that those defaults can’t be overridden.

                                                                                                                                            1. 12

                                                                                                                                              If it’s about the signed extension thing, please read about the history of that feature It is not based on threat models and predictions. It was done this way to get rid of adware that was auto-installing itself and making real-world people’s lives worse. It has to be hard-coded into the EXE, because it’s only the EXE that Windows performs signature checks on and that Mozilla can sue adware developers for impersonating.

                                                                                                                                              1. 2

                                                                                                                                                Alright. If it doesn’t affect people building from source, I guess it doesn’t matter.

                                                                                                                                                1. 2

                                                                                                                                                  So… block it on Windows?

                                                                                                                                              2. 3

                                                                                                                                                It’s one thing to provide safe defaults, and another thing entirely to ensure that those defaults can’t be overridden.

                                                                                                                                              3. 3

                                                                                                                                                I never understand this sort of rhetoric.

                                                                                                                                                I maintain quite a few open-source projects, and contribute to others. They all make choices about what they support and what they don’t. Is it sinister of them to do so? Many of them don’t provide any sort of toggle to make them support things the developers have chosen not to support, which is what you seem to object to. Is that really controlling behavior, or just developers disagreeing about what should be supported?

                                                                                                                                                1. 1

                                                                                                                                                  My issue is that it’s user-hostile to prevent users from doing what they want with their computers. Firefox runs on my computer; I as an end user — and my grandparents as end-users — should be free to determine which extensions I run within Firefox. It’s not Mozilla’s computer to control. The ability to choose how to use one’s computer shouldn’t be reserved to developers: it should be available to everyone.

                                                                                                                                                  1. 0

                                                                                                                                                    Mozilla is free to develop the software they want to develop. You’re free to not use it.

                                                                                                                                                    You don’t have the right to force them to develop something they don’t want to, but you seem to be trying to assert such a right.

                                                                                                                                        2. 2

                                                                                                                                          Or, rely on blocklists: https://firebog.net/ I’ve got a little side project to automate it: https://gitlab.com/dacav/myofb

                                                                                                                                          If you want something more complex, more popular, more user-friendlly: pi-hole

                                                                                                                                          1. 3

                                                                                                                                            Until they fully control DNS as well with something like DoH.

                                                                                                                                            1. 1

                                                                                                                                              Ah, this cat-and-mouse thing! :) Let’s try. You play adversary :)

                                                                                                                                              My next move is to use the blacklist to place a filter at firewall level instead of using it at dns level.

                                                                                                                                              Your move

                                                                                                                                              1. 1

                                                                                                                                                Or use /etc/hosts

                                                                                                                                                1. 1

                                                                                                                                                  That’s actually one of the options of my scripts: populating /etc/hosts. :)

                                                                                                                                                2. 1

                                                                                                                                                  Proxying ads through the website you want to see, so the ad urls are http://destination.com/double click/ad/1234

                                                                                                                                                  1. 1

                                                                                                                                                    Definitely. But the website gets a performance penalisation, I think.

                                                                                                                                                    Plus, I’m wondering, will it be as effective for the trackers to deal with the tracked browser with a proxy server in between? (maybe, maybe not).

                                                                                                                                                  2. 1

                                                                                                                                                    I place Ads and DoH on the same IP address as the CDN that millions of websites use.

                                                                                                                                                    1. 1

                                                                                                                                                      Wait what? I don’t get this one. How many millions of websites are passing through the same IP address? Can you elaborate?

                                                                                                                                                      1. 1

                                                                                                                                                        Many of the ones that sit behind CloudFlare and Fastly.

                                                                                                                                        1. 2

                                                                                                                                          I think the issue here is more with macOS than with LibreSSL or OpenSSL …

                                                                                                                                          1. 10

                                                                                                                                            That’s understandable. There aren’t many ways to make sustainable money from open source, and having an open core with proprietary add-ons seems like a reasonable compromise between sharing the code and having a defensible business.

                                                                                                                                            1. 3

                                                                                                                                              I was also very optimistic about the open core model, but the recent events have shown how vulnerable open core startups are against the cloud giants who have the resources and the incentives to replicate the proprietary shell once the core is popular enough..

                                                                                                                                              1. 1

                                                                                                                                                That’s exactly the motivation behind Redis’ and MongDB’s license changes, isn’t it?

                                                                                                                                              2. 4

                                                                                                                                                The sad thing is that the actual goals of Free Software & Open Source would be served by the AGPL: any company using AGPLed server software must make it available to end users to read, modify & redistribute, which means that the original authors would also have access to it.

                                                                                                                                                1. 2

                                                                                                                                                  I agree, but that’s predicated on two things:

                                                                                                                                                  1. The company complying with the license (which we’ve seen not all do)
                                                                                                                                                  2. The company using the (A)GPL’ed software in the first place

                                                                                                                                                  Some companies won’t (or try not to) use GPL software because of what the license entails. So saying the software in question would be in the exact same predicament had the liberal license been a GPL variant isn’t a given. The software may not have taken off like it did.

                                                                                                                                                  1. 3

                                                                                                                                                    Which leads to this weird scenario:

                                                                                                                                                    – Here’s a permissive license, so that companies can use it!
                                                                                                                                                    < Companies take it and make a proprietary product from it >
                                                                                                                                                    – Wait, not like that!

                                                                                                                                                    We end up having unwritten rules about what permissive licenses permit. We expect the code to remain open. We expect companies to give back. But the license doesn’t actually require any of this.

                                                                                                                                                    1. 1

                                                                                                                                                      At the end of the day, companies will do what makes economic sense. There was a time when they refused to use GPLed software out of superstition, and then once a few showed that they could make a profit by opening up development and charging for services others followed suit.

                                                                                                                                                      Likewise, would Amazon really care if it had to, for example, give back its updates to Redis or PostgreSQL? AWS is still loads easier to manage than running those things manually, and (most) competitors won’t have the name recognition or integration that AWS has. There’s really no reason other than superstition for Amazon not to deliver (some) services using AGPLed software.

                                                                                                                                                      Regarding the first point, all it takes is a few pointed judgements and folks tend to fall in line.

                                                                                                                                                1. 9

                                                                                                                                                  I remember my dad showing me a small VB app featuring a dialogue with an offensive label and two buttons. The trick was that the dismiss button jumped around when you tried to click it. As you can see, I just needed to be able to inflict that on my classmates.

                                                                                                                                                  1. 5

                                                                                                                                                    Ah, nostalgia. I remember similar incredibly juvenile flash games(?) from childhood, posing the question “Are you ?”, to which clicking ‘Yes’ meant yes, and hovering over ‘No’, would change that button’s text to “Yes”.

                                                                                                                                                    Early in my career also I remember building some pointless fun things, inspired by The Useless Web. I hope that kind of fun isn’t lost on new people coming in.

                                                                                                                                                    1. 4

                                                                                                                                                      “Are you ?”

                                                                                                                                                      I think you accidentally a word.

                                                                                                                                                      1. 2

                                                                                                                                                        Strange. I thought I had written “Are you ?”.

                                                                                                                                                        Truth be told, I remember the question was “Are you gay?”, but in our times of pretty extreme political correctness, I thought it unwise to make light of juvenile jokes that disparage homosexuality.

                                                                                                                                                        EDIT: Ah, now I see why the word is missing. I wrote <pejorative> and the angle brackets must have been stripped, along with their contents.

                                                                                                                                                  1. 9

                                                                                                                                                    Sounds like ESR has never worked with a binary protocol before. Nothing he writes about isn’t true of time tested protocols like DNS or TLS.

                                                                                                                                                    1. 4

                                                                                                                                                      Maybe, in another application with 10^3 more transaction volume per user, or with a 10^3 increase in userbase numbers, we’d incur as much thermodynamic cost as landed on a typical NTP server in 1981, and a packed binary format would make the kind of optimization sense it did then.

                                                                                                                                                      TLS is literally used for streaming video and multi-gigabyte downloads. Every Google search, every Facebook post, every online banking transaction, and almost every email involve at least one TLS tunnel. It probably makes economic sense for TLS to use bit packing under ESR’s economic model.

                                                                                                                                                      I’m not so sure about DNS. It might very well be fine to switch DNS over to something text based (except, of course, that DNSSEC requires there to be a single canonical representation for every DNS message, so JSON itself is right out). OTOH, DNS is part of the critical path for initial web page loads, so we really, really want to keep latency low on it…

                                                                                                                                                      1. 11

                                                                                                                                                        As annoying as packed blobs are, the lower you go in the stack the more you want to cater to the machine–and machines hate JSON. This is also such a niche thing that opening it to the wide masses who can look at JSON doesn’t really win you anything–this isn’t a document format for blogging, this is a core ops mechanism.

                                                                                                                                                        1. 5

                                                                                                                                                          except, of course, that DNSSEC requires there to be a single canonical representation for every DNS message, so JSON itself is right out

                                                                                                                                                          I hate JSON, but it can be made canonical simply by stating that all object properties be sorted. It’s still a terrible notation, of course.

                                                                                                                                                          I’d prefer canonical S-expressions, which are human-readable, elegant & efficient too. As an example, here’s esr’s JSON:

                                                                                                                                                          {"class":"TPV","time":"2010-04-30T11:48:20.10Z","ept":0.005,
                                                                                                                                                                         "lat":46.498204497,"lon":7.568061439,"alt":1327.689,
                                                                                                                                                                          "epx":15.319,"epy":17.054,"epv":124.484,"track":10.3797,
                                                                                                                                                                          "speed":0.091,"climb":-0.085,"eps":34.11,"mode":3}
                                                                                                                                                          

                                                                                                                                                          And here it is as a canonical S-expression:

                                                                                                                                                          (tpv
                                                                                                                                                            (time "2010-04-30T11:48:20.10Z")
                                                                                                                                                            (ept "0.005")
                                                                                                                                                            (lat "46.498204497")
                                                                                                                                                            (lon "7.568061439")
                                                                                                                                                            (alt "1327.689")
                                                                                                                                                            (epx "15.319")
                                                                                                                                                            (epy "17.054")
                                                                                                                                                            (track "10.3797")
                                                                                                                                                            (speed "0.091")
                                                                                                                                                            (climb "-0.085")
                                                                                                                                                            (eps "34.11")
                                                                                                                                                            (mod "3"))
                                                                                                                                                          

                                                                                                                                                          which would actually be (3:tpv(4:time23:2010-04-30T11:48:20.10Z)(3:ept5:0.005)(3:lat12:46.498204497)(3:lon11:7.568061439)(3:alt8:1327.689)(3:epx6:15.319)(3:epy6:17.054)(5:track7:10.3797)(5:speed5:0.091)(5:climb6:-0.085)(3:eps5:34.11)(3:mod1:3)) on the wire. It is two extra characters, but it’s efficient enough, and it doesn’t give one a false sense of security, as JSON does (What precision are those floats? Is that integer actually an integer? Where is the timestamp format specified?).

                                                                                                                                                      1. 6

                                                                                                                                                        We recommend adding a text string above the Open With… buttons that reads, “Click a button below to open the file in an appropriate application.”

                                                                                                                                                        Wow. That is not how the GNOME team would have tackled the problem nowadays. I was expecting something more like.

                                                                                                                                                        We recommend removing the list of applications and replacing it with a single “Edit” button and a smaller “open with other application” button.

                                                                                                                                                        UI attitudes have definitely changed.

                                                                                                                                                        1. 2

                                                                                                                                                          I think the GNOME developers now would remove Open With entirely, because choosing an application is not something an end user would ever do, much like they entirely removed screensavers, entirely removed being able to manage which accounts show up on the login screen, &c.

                                                                                                                                                          1. 2

                                                                                                                                                            they entirely removed screensavers

                                                                                                                                                            Sarcasm?

                                                                                                                                                            1. 2

                                                                                                                                                              No, GNOME Screensaver just blanks the screen; they completely got rid of the ability to run actual screensavers: https://mail.gnome.org/archives/gnome-shell-list/2011-March/msg00340.html

                                                                                                                                                              1. 1

                                                                                                                                                                I know they actually removed them. I was asking if it were sarcasm that you’re upset about it. Screensavers are terrible for the environment; they’re a massive waste of electricity. I’m surprised anyone actually wants them back.

                                                                                                                                                        1. 9

                                                                                                                                                          This website it terribly to use on a mobile device. I wish more sites were plain text…

                                                                                                                                                          1. 18

                                                                                                                                                            To be fair, this website is also terrible on desktop.

                                                                                                                                                            Redacted since it’s unneedly harsh

                                                                                                                                                            1. 9

                                                                                                                                                              I’m a co-founder of SmoothTerminal. Sorry about the performance issues - we just launched a UX/UI refresh and none of us noticed the performance issues until yesterday. Are you on Safari? That’s the only place we’ve been able to reproduce the slow scrolling, and there’s some particularly weird behaviour sometimes (safari web inspector claims an element is where it should be, but it’s painted somewhere else entirely). We’re working on it, and I’m embarrassed that it’s bad. Mea culpa.

                                                                                                                                                              1. 24

                                                                                                                                                                I shouldn’t have been this harsh. Sometime I forget about the human on the other side of the screen. I’m the one embarrassed, sorry about that.

                                                                                                                                                                I have this issue at its worst on Chrome on OSX. Using it on Firefox/Linux on my desktop is less worse, but scrolling still feel a bit tampered with.

                                                                                                                                                                1. 20

                                                                                                                                                                  This is one of the reasons that I like lobste.rs, we all occasionally make poorly thought out or harsh comments, but this is one of the places on the internet where people apologize because they think about the person on the other side. Thanks for making the world decent!

                                                                                                                                                                2. 5

                                                                                                                                                                  Honestly it’s pretty rough to use on desktop as well. The floating ToC blocks the text in its default, expanded position, and on wide monitors the layout is much wider than seems reasonable. The “reader” view in firefox cleans it up nicely – it just gives raw text with a reasonable column width, which is all anyone wants anyway.

                                                                                                                                                                  1. 6

                                                                                                                                                                    Killing TOC, thanks

                                                                                                                                                                    1. 5

                                                                                                                                                                      Thanks for being responsive!

                                                                                                                                                                      1. 1

                                                                                                                                                                        No problem. We saw some performance gains from that and it was definitely broken in safari, but the real performance gains came from the deploy we just performed - we stopped using background-attachment: fix. That was causing extreme redraw churn. Both needed to be done though really.

                                                                                                                                                                  2. 4

                                                                                                                                                                    FWIW, it is pretty difficult to read with JavaScript disabled (using uMatrix). Perhaps you’re applying styles in JavaScript?

                                                                                                                                                                    1. 2

                                                                                                                                                                      This is what I was thinking too. I just gave up and opted for Reader View in Firefox.

                                                                                                                                                                      1. 1

                                                                                                                                                                        We are, and it’s in support of our themes. We should make sure to ship the default theme by default, but my guess is it’s flipped in js and has no good default fallback. Thanks.

                                                                                                                                                                        1. 1

                                                                                                                                                                          We were accidentally shipping all styles over js. We’re prepping a PR that properly sends the stylesheet now. That’s embarrassing.

                                                                                                                                                                          1. 1

                                                                                                                                                                            Stuff happens! Still displays poorly in Firefox with uMatrix, but maybe you’re still working on the PR.

                                                                                                                                                                            It probably looks fine in e.g. elinks or eww.

                                                                                                                                                                        2. 1

                                                                                                                                                                          Mobile Firefox here, I could see the first paragraph but only the background Blue after that, until I switched to Reader View

                                                                                                                                                                          1. 1

                                                                                                                                                                            What mobile OS? is that happening still? I just tried it on mobile firefox on android and it worked fine, but we also just deployed a bunch of tweaks based on the righteous, justified shellacking we got for performance yesterday.

                                                                                                                                                                            1. 1

                                                                                                                                                                              It works much better now, thanks!

                                                                                                                                                                    1. 20

                                                                                                                                                                      On the one hand, this makes sense if you’re writing code for a machine that has many gigabytes of RAM and a CPU with a clock speed of several GHz, and your code doesn’t have to touch the hardware directly.

                                                                                                                                                                      On the other hand: if the hardware doesn’t allow for such luxuries, several of these points don’t make much sense (multi-variable return through tuples, iterators, ..), so the only languages that still make a fair comparison are probably Forth and Fortran.

                                                                                                                                                                      I’ll note some of my thoughts:

                                                                                                                                                                      C is fairly old — 44 years, now!

                                                                                                                                                                      HTTP turns 30 this year, and TCP/IP is more than 10 years older than HTTP. It’s a bit weird that people think that anything that has a double-digit age is necessarily bad.

                                                                                                                                                                      Alas, the popularity of C has led to a number of programming languages’ taking significant cues from its design

                                                                                                                                                                      Of course, stupidly copying already-existing things isn’t a good idea (and it’s especially hard to notice them if they’re the only possibilities you know of), but then again, if you can afford it, you aren’t forced to use C. (But don’t overdo it, Electron programs are very unusable on my machines.)

                                                                                                                                                                      Textual inclusion

                                                                                                                                                                      That’s an artifact of the hardware it was first developped on. (Although the compiler could be made to read symbol information from already-built object files, I guess.)

                                                                                                                                                                      Optional block delimiters

                                                                                                                                                                      Braces and semicolons

                                                                                                                                                                      Same thing, as it makes the parser much easier to implement.

                                                                                                                                                                      Bitwise operator precedence

                                                                                                                                                                      Increment and decrement

                                                                                                                                                                      !

                                                                                                                                                                      Assignment as expression

                                                                                                                                                                      Switch with default fallthrough

                                                                                                                                                                      These are quirkynesses or legacy cruft indeed. (Although, somehow, chained assignments like a = b = c = d result in better optimized code on some platforms[citation needed])

                                                                                                                                                                      Leading zero for octal

                                                                                                                                                                      That made sense for PDPs, which had 18-bit words.

                                                                                                                                                                      No power operator

                                                                                                                                                                      Integer division

                                                                                                                                                                      Another artifact of the PDP hardware: there was no hardware instruction for pow, nor did it have an FPU, so you’d still have to have something if you wanted to divide numbers. (The majority of the hardware I wrote code for doesn’t have an FPU either. And yes, most of those are made after 2000. Then again, some of them don’t have a division — or sometimes even a multiply — instruction either.)

                                                                                                                                                                      C-style for loops

                                                                                                                                                                      As iterators would generate too much cruft (and LTO-style optimizations weren’t really possible), this was the most expressive construct that enabled a whole range of iteration-style operations.

                                                                                                                                                                      Type first

                                                                                                                                                                      I doubt it’s the ‘type first’-part of the syntax that causes the problems, but rather how pointer and array types are indicated.

                                                                                                                                                                      Weak typing

                                                                                                                                                                      Again, if you’re working close to the hardware, you want to be sure how things are actually represented in memory (esp. when working with memory-mapped IO registers, or when declaring the IDT and GDT on an x86, or …), as well as type-punning certain data.

                                                                                                                                                                      Bytestrings

                                                                                                                                                                      Single return and out parameters

                                                                                                                                                                      More instances of a mix of the need to know the in-memory representation, and legacy cruft.

                                                                                                                                                                      Silent errors

                                                                                                                                                                      Exceptions require a lot of complex machinery (setjmp/longjmp, interrupt handling, …), which mightn’t be feasible due to a number of reasons (CPU speed, need for accurate/‘real time’ timing, …). The “monadic” style seems to be implemented with a lot of callbacks, which isn’t that useful either. (Of course, there could be a better way for implementing those.)

                                                                                                                                                                      Nulls

                                                                                                                                                                      On some platforms, dereferencing a null sometimes does make sense: on AVRs, the general registers are mapped at 0x0000 to 0x001F, on the 6502, you’d access the famous zero page (although C doesn’t work that well on the 6502 to begin with), for some systems, the bootloader/… resides there (and is not readable in normal operation mode), and even on Linux, you can do this:

                                                                                                                                                                      // needs root --->
                                                                                                                                                                      int fd = open("/proc/sys/vm/mmap_min_addr", O_WRONLY);
                                                                                                                                                                      write(fd, "0\n", sizeof("0\n"));
                                                                                                                                                                      close(fd);
                                                                                                                                                                      // or echo 0 | sudo tee /proc/sys/vm/mmap_min_addr
                                                                                                                                                                      // <---
                                                                                                                                                                      
                                                                                                                                                                      // or create an ELF file whose segment headers map data to address 0.
                                                                                                                                                                      void* map = mmap(NULL, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
                                                                                                                                                                      
                                                                                                                                                                      *((size_t*)map) = 0; // works!
                                                                                                                                                                      

                                                                                                                                                                      (EDIT: re: ELF file that maps something to 0: see also, note the ORG 0)

                                                                                                                                                                      And that’s why it’s considered undefined behaviour.

                                                                                                                                                                      No hyphens in identifiers

                                                                                                                                                                      That’s another choice in syntax when using infix operators. Whitespace is unimportant or hyphens in identifiers, pick one. (Or use a different symbol for subtraction, but that’d very probably result in something silly.)

                                                                                                                                                                      1. 22

                                                                                                                                                                        “this makes sense if you’re writing code for a machine that has many gigabytes of RAM and a CPU with a clock speed of several GHz”

                                                                                                                                                                        There were people using more memory-safe, non-C-like languages in the 80’s. Modula-2 was bootstrapped on a PDP-11/45. Amiga’s had Amiga-E. Ada and Java subsets are used in embedded systems today. People used Schemes, Ocaml, and ATS with microcontrollers.

                                                                                                                                                                        You’re provably overstating what ditching C requires by a large margin.

                                                                                                                                                                        1. 3

                                                                                                                                                                          You’re right in that aspect, although I still have to resort to hand-coding assembly now and then (avr-gcc isn’t that great, so I doubt OCaml, let alone Scheme, would be faster). But then again, it’s not always the case that 128k of data needs to be processed within a millisecond (because of weird memory timings).

                                                                                                                                                                          1. 10

                                                                                                                                                                            Meanwhile Forth lets you code even closer to assembly than C does without forcing you to give up on interactivity.

                                                                                                                                                                            1. 5

                                                                                                                                                                              , so the only languages that still make a fair comparison are probably Forth and Fortran.

                                                                                                                                                                              Hence what I wrote in the original comment:

                                                                                                                                                                              […], so the only languages that still make a fair comparison are probably Forth and Fortran.

                                                                                                                                                                              I usually tend to roll my own Forth compiler (or ‘compiler’) when I need to write a lot of boilerplate code and there’s no (good enough) C compiler available.

                                                                                                                                                                              1. 7

                                                                                                                                                                                ‘Steve, did he just tell me to go Forth myself?’

                                                                                                                                                                                ‘I believe he did, Bob.’

                                                                                                                                                                                1. 1

                                                                                                                                                                                  I usually tend to roll my own Forth compiler

                                                                                                                                                                                  Well, I do admire that you straight up roll your own on the platform. The fact that it’s easy to do is one of Forth’s design strengths. I do wonder if you just do it straightforward like an interpreter does or came up with any optimizations. The Forth fans might be interested in the latter.

                                                                                                                                                                                  1. 2

                                                                                                                                                                                    There aren’t much optimizations in it (because all the code that needs to run quickly is written in assembly), hence the quotation marks. It is compiled (at least to a large extent), though, there’s no bytecode interpreter.

                                                                                                                                                                                    Also, before you lose your sleep: this is definitely NOT for products that will be sold, it’s only for hobby projects (demoscene).

                                                                                                                                                                                    1. 2

                                                                                                                                                                                      Oh OK. Far as sleep, all the buggy products just help justify folks spending extra on stuff I talk about. ;)

                                                                                                                                                                              2. 4

                                                                                                                                                                                That’s more fair. Resolving the weird stuff at language level might be trickier.

                                                                                                                                                                            2. 9

                                                                                                                                                                              Optional block delimiters Braces and semicolons Same thing, as it makes the parser much easier to implement.

                                                                                                                                                                              S-expression parsing is far easier to implement — the sort of thing a high-school student can do in a weekend. S-expressions always seem like such a win that it’s remarkable to me how few languages use them.

                                                                                                                                                                              1. 6

                                                                                                                                                                                That’s also true. (I once wrote a Lisp interpreter in TI-BASIC. In high school, indeed.)

                                                                                                                                                                                EDIT: although, it’s still easier than whitespace-sensitive syntax, which the article was comparing it to. (I should’ve been more explicit.)

                                                                                                                                                                                1. 3

                                                                                                                                                                                  S-expressions always seem like such a win that it’s remarkable to me how few languages use them.

                                                                                                                                                                                  Yes, they’re extremely easy to parse, but there’s a reason Lisp is said to stand for Lost In Stupid Parentheses. Obviously structuring your code nicely can alleviate most of the pain, but I definitely see the appeal of a less consistent structure in favour of easy readability. IMO some of the parser programmer’s comfort is a price worth paying to improve the user’s experience.

                                                                                                                                                                                  (For serialization, on the other hand, S-expressions are indeed very underrated.)

                                                                                                                                                                                  1. 2

                                                                                                                                                                                    Which is what Julia did. I read that it was sugar-coated syntax around femtolisp.

                                                                                                                                                                                2. 7

                                                                                                                                                                                  On some platforms, dereferencing a null sometimes does make sense: on AVRs, the general registers are mapped at 0x0000 to 0x001F, on the 6502, you’d access the famous zero page (although C doesn’t work that well on the 6502 to begin with), for some systems, the bootloader/… resides there (and is not readable in normal operation mode), and even on Linux, you can do this….. And that’s why it’s considered undefined behaviour.

                                                                                                                                                                                  Dereferencing the macro NULL or (void *)0 is as far as I know always undefined behavior. Even if you have something at address 0x0000, the bit representation of NULL doesn’t have to be identical to that of 0x0000. According to the abstract C machine NULL simply doesn’t point to any valid object, and doesn’t have to have any predefined address other than that expressed by (void *)0.

                                                                                                                                                                                  1. 5

                                                                                                                                                                                    This. A null pointer isn’t “a pointer to address 0”, it’s “a pointer to nothing valid that can be used as an in-band marker for stuff”.

                                                                                                                                                                                    1. 2

                                                                                                                                                                                      ‘Username checks out’, as I believe the kids say nowadays

                                                                                                                                                                                      1. 0

                                                                                                                                                                                        Well, technically, your response is true.

                                                                                                                                                                                        On the other hand, NULL is pretty much always defined as (void*)0, and dereferencing it pretty much always gets compiled to something like mov var, [0] or ldr var, [#0] or … The standard is only a standard :), I consider the compiler extensions etc. as part of the language when coding, for practical reasons.

                                                                                                                                                                                        1. 1

                                                                                                                                                                                          On the other hand, NULL is pretty much always defined as (void*)0, and dereferencing it pretty much always gets compiled to something like mov var, [0] or ldr var, [#0] or … The standard is only a standard :), I consider the compiler extensions etc. as part of the language when coding, for practical reasons.

                                                                                                                                                                                          This is simply incorrect and you’re missing the point completely. (void *)0 is a valid definition for NULL because (void *)0 is the C language’s null pointer. If 0x0666 is the actual address of the null pointer, then it’s your compiler’s responsibility to translate each (void *)0 to 0x0666. In math you often use 0 and 1 to represent neutral elements of operations, even if the operations don’t actually happen on numbers (for example: the zero-vector (…), the identity function, etc), and specially not on the actual 0 and 1 we know.

                                                                                                                                                                                          Here’s what GCC 8.2 x86-64 does, on the probably most used architecture right now?

                                                                                                                                                                                          P.S: I keep using (void *)0 but that’s equivalent to 0 which is equivalent to NULL in a context involving pointers.

                                                                                                                                                                                      2. 2

                                                                                                                                                                                        write(fd, “0\n”, sizeof(“0\n”));

                                                                                                                                                                                        sizeof("0\n") is three, not two.

                                                                                                                                                                                        re: ELF file that maps something …

                                                                                                                                                                                        45 bytes: https://www.muppetlabs.com/~breadbox/software/tiny/teensy.html

                                                                                                                                                                                        1. 1

                                                                                                                                                                                          sizeof(“0\n”) is three, not two.

                                                                                                                                                                                          $ printf '0\n\0' | sudo tee /proc/sys/vm/mmap_min_addr
                                                                                                                                                                                          0
                                                                                                                                                                                          $ hexdump -C /proc/sys/vm/mmap_min_addr
                                                                                                                                                                                          00000000  30 0a                                             |0.|
                                                                                                                                                                                          00000002
                                                                                                                                                                                          

                                                                                                                                                                                          It’s not a disaster :)

                                                                                                                                                                                          45 bytes: https://www.muppetlabs.com/~breadbox/software/tiny/teensy.html

                                                                                                                                                                                          I’m very familiar with that, I’ve made some programs that misuse the knowledge presented there (a, b), and furthermore, this trick makes the program linked from here work again:

                                                                                                                                                                                          Here you can find an even smaller hello-world program, apparently written by someone named Kikuyan (菊やん). It is only 58 bytes long, […]

                                                                                                                                                                                      1. 19

                                                                                                                                                                                        The author isn’t alone. I’ve gone back to Linux after over a decade as an avid Mac user.

                                                                                                                                                                                        Now if only I could figure out why every major Linux distro is pig piling into the Gnome project when it seems to be having very serious design and stability issues….

                                                                                                                                                                                        1. 12

                                                                                                                                                                                          In GNOME’s defense, as far as I know, it has the best accessibility for people with disabilities, especially blind people who need a screen reader. KDE’s page on testing with a screen reader says to just use GNOME for now. As far as I know, the lighter-weight desktop environments, window managers, and other such utilities generally don’t support this kind of accessibility at all. So it makes sense for a distro with a general audience to default to GNOME.

                                                                                                                                                                                          I don’t mean to start a DE flame war; I’m just stating what I believe to be a fact. If I’m wrong, please correct me.

                                                                                                                                                                                          1. 8

                                                                                                                                                                                            This is kind of symptomatic of the slowly improving but still not amazing state of LInux desktop accessibility.

                                                                                                                                                                                            Gnome itself doesn’t provide any kind of full screen zoom. I’m partially blind and NEED that in order to do anything useful with a computer. Like. At all.

                                                                                                                                                                                            Ubuntu started providing full screen zoom (as well as screen reader support right from the login dialog) in a recent-ish release - 17.something maybe, so kudos to them for that.

                                                                                                                                                                                            KDE provides super awesome very smooth key chorded full screen zoom out of box.

                                                                                                                                                                                            And, to be fair, I WANTED to love Gnome, I literally tried for MONTHS to get it running and filed a ton of exceedingly detailed bugs even practically begging for potential work-arounds to no avail.

                                                                                                                                                                                            This is where I wish I were retired already because I’d LOVE to strap on my rusty C hip waders and dive in there to fix all these issues, but alas I’m not there yet and can’t :) So it’s KDE for me.

                                                                                                                                                                                            1. 2

                                                                                                                                                                                              Ah, I wasn’t familiar with the state of screen magnification in the free desktop environments. I’m not a partisan, just an interested observer for now.

                                                                                                                                                                                              1. 2

                                                                                                                                                                                                Can’t you use X.org’s zoom mode to magnify the screen & scroll around?

                                                                                                                                                                                                1. 2

                                                                                                                                                                                                  That’s only part of what a full-featured screen magnifier for visually impaired people does. Another very useful feature is automatically tracking the current keyboard focus, or the caret in an editing context. @feoh Does your current magnification solution do this? Note that this feature is typically implemented by consuming the same accessibility API that a screen reader uses.

                                                                                                                                                                                                  1. 1

                                                                                                                                                                                                    I didn’t know such a thing existed. How does one invoke it? I can’t find any reference to such a thing online.

                                                                                                                                                                                                    1. 5

                                                                                                                                                                                                      Back in the days of yore it was common to have several resolutions defined in xf86.conf - and later Xorg.conf - between which you could switch using CTRL ALT Keypad-+ and CTRL ALT Keypad_-. X11 would render to the maximum resolution, if one of the lower display resolutions was chosen the monitor would display a viewport on the X11 root window which would scroll with the pointer, no further configuration necessary. This made it possible to run programs which needed a higher resolution than the video subsystem could display - handy on those laptops with 800x600 screens - but is also offered the possibility to make the screen more readable for those who needed such. It is called ‘Virtual display’ and still exists:

                                                                                                                                                                                                      https://www.x.org/releases/X11R7.7/doc/man/man5/xorg.conf.5.xhtml#heading13

                                                                                                                                                                                                      1. 3

                                                                                                                                                                                                        Ooh I actually remember this!

                                                                                                                                                                                                        But tell me, at least in the Linux world, who messes around with X1186Config these days? :) (Or whatever it’s called now.)

                                                                                                                                                                                                        involuntary shudder as I flash back to 20 years ago and that moment of SUPREME TRIUMPH when I finally got X to fire up on my monitor/video card combination. It was like some kind of horrid rite of passage. Thank goodness we’ve moved on from that :)

                                                                                                                                                                                                        1. 3

                                                                                                                                                                                                          The mere fact that you generally don’t have to configure anything is a good thing but I’d say an even better thing is that it is still possible to do so for those who feel the urge. This could be an example of such an urge…

                                                                                                                                                                                                          1. 2

                                                                                                                                                                                                            “The good old days.”

                                                                                                                                                                                                            I used to rock fvwm2.

                                                                                                                                                                                                            1. 2

                                                                                                                                                                                                              fvwm2 & rxvt! :)

                                                                                                                                                                                                        2. 4

                                                                                                                                                                                                          I use arandr, but no doubt there are other ways to do it — it’s just a wrapper over xrandr.

                                                                                                                                                                                                          I use it to manage multiple screen layouts, but I just tested, and it can set a higher-than normal resolution which is quite restful on the eyes.

                                                                                                                                                                                                          I didn’t play with it long enough to figure out how to scroll around, but I know I’ve done that in the past.

                                                                                                                                                                                                      2. 2

                                                                                                                                                                                                        Gnome itself doesn’t provide any kind of full screen zoom

                                                                                                                                                                                                        Huh, that’s odd. Even Weston does. You know, the reference compositor that’s not intended to be usable by end users at all.

                                                                                                                                                                                                        1. 1

                                                                                                                                                                                                          My Gnome accessibilty settings dialog includes a “Zoom” feature, one of whose options is “Full Screen Zoom”. I take it that this isn’t the same as the “full screen zoom” you need?

                                                                                                                                                                                                          1. 1

                                                                                                                                                                                                            I don’t know. Given that I can’t get Gnome 3 running on Ubuntu on my laptop I haven’t been able to test it very much, but it certainly sounds like the right thing.

                                                                                                                                                                                                      3. 2

                                                                                                                                                                                                        XFCE works reasonably well if all you want is a “normal” window manager. LXDE works too if you want even less visual effects and baked-in functionality.

                                                                                                                                                                                                        1. 3

                                                                                                                                                                                                          Neither provide any kind of full screen zoom for the visually impaired :( I’m sure you could figure out how to layer in Compiz but KDE comes with one out of box.

                                                                                                                                                                                                          That said both XFCE and i3 (not a desktop, I know :) are fantastic and were I not visually impaired I would definitely consider them.

                                                                                                                                                                                                      1. 0

                                                                                                                                                                                                        After reading the dodekalogue I’m convinced that stallman was absolutely right. Tcl is a nutty language.

                                                                                                                                                                                                        1. 6

                                                                                                                                                                                                          If by ‘nutty’ you mean ‘simple, neat & clean,’ then sure. Tcl does have its odd corners, but on the whole it is to strings what Lisp is to lists & Lua is to hash tables (or maps, if you prefer). It’s a very powerful little language, and can be a real joy to program in.

                                                                                                                                                                                                          It’s great for config files & scripts which drive bigger programs.

                                                                                                                                                                                                        1. 6

                                                                                                                                                                                                          Did Confluent use Node? Python? Ruby? Django? Flask? Linux? Did they manage to avoid using any free and open source software?

                                                                                                                                                                                                          Would they have liked it any of the things that they used said “you’re not allowed to put this on a server and make money off it”? I wager they wouldn’t.

                                                                                                                                                                                                          People are saying that Confluent have every right to be doing this. They certainly do, but it’s not very reciprocal of them to do so. If we’re going to be so worried about Confluent’s income, we should also be worried about the income of all the forgotten software developers that Confluent has likely based their business on, and I don’t think the answer is for everyone to start forbidding making money on servers.

                                                                                                                                                                                                          These new breeds of licenses with anti-AWS clauses trying to make sure that Amazon doesn’t make too much money are also harming in their wake many other developers. Software development as a whole is going to be getting poorer if enough people want to forbid making money on a server.

                                                                                                                                                                                                          1. 4

                                                                                                                                                                                                            People are saying that Confluent have every right to be doing this. They certainly do, but it’s not very reciprocal of them to do so.

                                                                                                                                                                                                            If people doing projects want reciprocity, it should be in the darned license. Parity forces reciprocity by saying any change has to be shared regardless of distribution method. Free software has always worded stuff with a focus on distribution and linking to let for-profit entities adopt it more with chances of freeloading. Who’d have guessed they’d screw developers over finding loopholes that let them make billions without giving anything or much of anything back. Yet, they keep adding to their convoluted licenses instead of doing the simple thing that works. And this stuff keeps happening.

                                                                                                                                                                                                            Confluent should offer no reciprocity because the license doesn’t require it. They should only do what they’re required to do. If enough companies do this, we might see FOSS advocates use licenses that actually force the changes back in all circumstances for perpetuity of the project. Meanwhile, they ardently defend licenses and corporate structures that lead to these results while whining about how the results shouldn’t happen for moral reasons in a capitalist market. It would be funny if it hadn’t been going on for years now.

                                                                                                                                                                                                            1. 6

                                                                                                                                                                                                              Saying the answer isn’t is a great deal easier than saying the answer is.

                                                                                                                                                                                                              We do have a problem with compensation for open source developers, and by developers I mean the people who do the heavy lifting from a vision to a usable 1.0, and often the heavy lifting after that point too. There’s not much in it for them, really. See Rich Hickey’s recent rant for example, which is mostly about something else, but you can see what he feels about his compensation for most of the Clojure work he does. Why should he have done it at all?

                                                                                                                                                                                                              Of course open source is great for everyone who doesn’t pay. It’s great in total. But at the moment, too much of the cost falls to the initial creators and maintainers, and too much of the benefit to everyone else, including AWS. Why should Confluent, or Rich Hickey, or anyone, choose to create and maintain open source software? Or if they do, why shouldn’t they try to make life hard for freeloaders?

                                                                                                                                                                                                              The answer isn’t isn’t an answer.

                                                                                                                                                                                                              I’m not arguing that any particular way to bother significant freeloaders is acceptable or even good. I’m arguing that if someone competes with an open source creator by using the same software acquired without cost, then it’s reasonable for the creator to use his/her/their unique control of the licensing terms to harm that competitor, because the creator paid for them both.

                                                                                                                                                                                                              1. 3

                                                                                                                                                                                                                Saying the answer isn’t is a great deal easier than saying the answer is.

                                                                                                                                                                                                                Yes, that’s true. But it’s also important to lay down the ground rules. No matter how hungry you are, the answer isn’t braining your neighbour and eating him. No matter how cold you are, the answer isn’t burning down your neighbour’s home for warmth.

                                                                                                                                                                                                                And no mater how poor you are, the answer isn’t restricting the freedom of your neighbour to use, modify & distribute software. No matter how poor you are, the answer isn’t proprietary software.

                                                                                                                                                                                                                1. 4

                                                                                                                                                                                                                  I see this is going to be one of those bar fights, but this analogy is so off.

                                                                                                                                                                                                                  Your neighbor is giving away free food. You take the free food, alter its presentation and the sell it. Your neighbor initially said it was OK, but now they are a little cross. Your neighbor now adds a clause saying free only to the poor and needy. You throw a hissy fit and toss a bunch of philosophical texts at him and give an interview in the village times about how mean Bob is.

                                                                                                                                                                                                                  1. 2

                                                                                                                                                                                                                    No matter how poor you are, the answer isn’t proprietary software.

                                                                                                                                                                                                                    If you want to produce and sell proprietary software that honestly seems fine to me. I probably won’t buy it, but that’s alright.

                                                                                                                                                                                                                    The big problem with these new approaches to licensing seems to be the attempt to have the benefits of proprietary software for the proprietor with the (unearned) PR and marketing benefits of actually open source software. And, one imagines, the ability to harvest the riches of the community labour farm.

                                                                                                                                                                                                                    1. 4

                                                                                                                                                                                                                      One imagines. But I’ve worked at one of these companies, and I alone wrote more code than all external contributors put together, and I answered bug reports and helped people who were never going to either contribute code or pay.

                                                                                                                                                                                                                      From speaking with other developers in similar roles, this isn’t unusual. While there are exceptions, any company that launches any open source should not be surprised if its own employees end up doing approximatrely 100% of the work. I checked a widely-used library just now, and a total of 9.7% of the lines of code are contributed. Valuable contributions I’m sure, but the cost of developing those 9.7% inhouse might easily have been lower than the cost of answering bug reports etc. for the library.