1. 3

    Show match position when searching (8.1.1270 (May 4))

    Show “3/44” when using n and “S” is not in ‘shortmess’.

    Wow, sounds like I don’t need the vim-searchindex plugin anymore? (It’s a good plugin, but having the feature just built in to Vim is even better.)

    1. 16

      No need for my Atlassian account anymore…

      1. 15

        Agree. The only reason I had a BitBucket account was my mercurial repositories.

        If only Atlassian could sunset JIRA. That would be nice…

        1. 12

          If only Atlassian could sunset JIRA. That would be nice…

          Like all right-thinking people, I detest JIRA and every microsecond I spend in it feels like a million agonizing years, but what’s the alternative for bug tracking? Most software of this ilk is not purchased by the people who have to use it, so it responds not to actual user pressure, but to CTO sales pressure. That’s my pet theory about why enterprise software is uniformly terrible, at least.

          1. 6

            That’s my pet theory about why enterprise software is uniformly terrible, at least.

            That’s quite close to the theory of the old-timers I’ve asked about it, but there’s an important difference.

            CTOs ask consultants what software they should use. Consultants who recommend software that’s simple and easily configured go out of business, because most of the money is in helping clients configure/install/start using software.

            1.  

              I like Phabricator much better, and it’s free software too.

              1. 2

                GitHub issues are fine.

              2.  

                I do not understand the hate against JIRA. I think it is good software with many useful features. Yes, it can be abused to make tracking your issues really bad, but that is a problem of those who use the software and not the software itself.

              3. 4

                Good luck actually closing your Atlassian account though :-( I’ve tried to do it many times but still get email from them occasionally when they discover vulnerabilities in products I’ve never used.

              1. 13

                I have one piece of (constructive, I hope) criticism: I think it’s odd to use both indentation and an empty line to indicate breaks between consecutive paragraphs. All the English books I’ve seen use indentation, while the blank line is pretty much universal on the web, but I don’t think I’ve seen them mixed before, and as a result I find it harder to tell what’s going on: “is this block of text a new paragraph or some kind of callout or aside?” I think you can make a valid case for using either style, but my experience is that putting them together makes for something that’s harder, not easier, to read.

                1. 5

                  I must have been reading webpages for so long I didn’t notice, but you’re absolutely right. I’ll make that change.

                1. 24

                  I don’t know @arp242, but recently when I asked how to do something on the Vi Stack Exchange, he said “hm, you can’t do that” and then landed a patch in Vim to implement the feature I was asking for. So it seems safe to say that he’s a friendly person and an asset to the community.

                  1. 5

                    Hah, I just did that because I wanted it myself, too. But I’m glad that it’s appreciated :-)

                  1. 6

                    I am building what I am calling “Reverse Job Board”.

                    I want to turn recruiting on its head. Software developers are (for better or worse, my opinions on that another time perhaps) in massive demand. Everyone is hiring developers, and can’t do it fast enough. Yet we still “apply” to jobs, and we have to jump through hoops. My job board application will have the companies applying to software developers instead. And the developers will get to remain anonymous until they decide not to.

                    I don’t know that a small piece of software is the answer, but it’s an idea that I want to explore.

                    1. 2

                      Hired sounds similar to what you’re describing. It doesn’t have the anonymity aspect, though, and I think that’s an interesting thing to explore.

                      1. 2

                        The idea for anonymity came when I helped organise a job fair. Local companies were very well represented: everyone is hiring! But high quality candidates weren’t well represented because they were already employed (although not necessarily happily) at a company that would be trying to hire at the event.

                        1. 1

                          Oh, I see. I should clarify that Hired lets you hide your presence on the platform from your current employer (and from any other employers of your choosing). All other companies can just see your name, etc. normally.

                          1. 1

                            Leaking information, doesn’t it?

                      2. 2

                        https://www.honeypot.io/ is just that.

                        Still think there’s space for innovations there.

                        1. 1

                          Thanks! This looks close to what I want to do. I’m actually building this as a white-label solution and already have a couple customers on deck, so I’ll build my own anyhow. :D

                          1. 1

                            I wish you all the best!

                        2. 2

                          One of the things I didn’t mention.

                          My plan is to let companies search and see something like “we have n profiles that match your criteria. Pay $x to email them your information.” Where x is a multiple of n.

                          The intention is for the candidates to get most of $x.

                          Companies will pay a hundred dollars for a qualified local lead (more, but not via a random website.). Would you take a recruiter spam for $90? I would.

                          1. 2

                            Cool idea.

                            What’s to stop me from opening an account and collecting recruiter funds, but never actually genuinely considering a job offer?

                            1. 2

                              What’s to stop me from opening an account and collecting recruiter funds, but never actually genuinely considering a job offer?

                              Absolutely nothing. And it’s not even a thing I’m considering a problem. I will verify identity. I have some mechanisms that I can use for verifying “interest”, and some other mechanisms for verifying experience, and few (but some) for competence as well. But other than that, the employers are paying a token amount to get someone’s attention.

                              In the market I’m in now (southern Sweden), when a company engages a recruiting firm that will basically just spam everyone they can find, they often pay the equivalent of about $250 USD for each spam that the recruiter sends. And they aren’t getting good results with this system; so I’ll try to provide something different.

                              (I could write an entire book about how fucked up the current hiring/recruiting/etc situation is in southern Sweden, but this is an industry-wide problem before you consider how “special” southern Sweden is.)

                              What I’m hoping is that I can provide a slightly better service (putting candidates and employers directly in touch with each other easily) for a fraction of the price. And most importantly I want the candidates to be paid for having been sold to.

                              I already have two white-label customers on deck, too. (Amusingly, one is a recruiting rig.)

                          2. 1

                            I don’t think they are hiring developers … they are hiring cultural fits who can develop.

                            Recently I’ve started to look for a job after years of freelancing. All I have is my portfolio, blogs and GitHub projects specific to the role. Everybody likes them, they are enthusiastic until they receive on request my LinkedIn account (created a few days ago, thus fully empty) and my CV, which has no employment history. Then total silence.

                            I’m wondering if the first thing they look for is somebody employable. A good employee by nature who then can code, or learn how the company does coding.

                            This puts me in a very strange situation … 99% of my chances are gone. I’m employable only by a tech person who has a really urgent need and can bypass hiring / HR … just checks my code, has a short chat with me, then all done. No CV, no LinkedIn, no additional tests … which are today’s standard recruiting assets.

                          1. 10

                            Alternatively, you can look into using https://sourcehut.org/ - which can be self hosted, or use a pre-hosted instance.

                            Docs on it are available at https://man.sr.ht/dispatch.sr.ht/ and https://man.sr.ht/builds.sr.ht/

                            I don’t use sourcehut myself - I’ve mostly left tech, but I do still care a lot about it, and I think increasingly that github/lab/etc are not healthy for it.

                            1. 4

                              Can you elaborate on why self-hosting Sourcehut is better for the ecosystem than self-hosting GitLab (which is free and libre)?

                              1. 2

                                GitLab is open core, relies heavily on complex web technologies and JavaScript, and is primarily based on its GitLab-specific tooling flow.

                                Sourcehut is fully open, extremely light on browser features (meaning you can better control your exposed surface to potentially risky tech), and relies on less specific tooling (for example, email and lists rather than internal comment tracking, PRs, etc).

                                Additionally and most importantly, it’s just different. Variation in ideology, implementation, and direction are important and give users choice. I present it primarily as an alternative.

                                1. 1

                                  Gitlab is an order of magnitude more complex than anything I have seen. It is the industry standard and seems to be claimed as a fundamental developer right to overcome the difficulty to grasp Git.

                                  Using gitlab means you do not need everyone to be a git veteran, but that you need at least one git guru and one gitlab guru (that can update it in case of CVE).

                                  Depends on your team I guess.

                                  By using a simpler git porcelain, you need as much git skill (more for handling git itself, less for adapting to sometimes surprising GitLab decisions, such as unidirectional merges instead of merging branches against each other to flatten the tree), but less GitLab skill.

                                  1. 1

                                    free and libre

                                    Sourcehut is also free and libre (AGPL). Only the hosted instance is charged for.

                                    1. 3

                                      Yes, I suppose I should have said “…which is also free and libre.”

                                1. 9

                                  I’m a mess! Pretty tired (training and working a lot, and sleeping badly), but I also want to do so many things while having no time.

                                  On Friday evening and Saturday: participating in a running competition (I am running 150 and 300m), going to a party, picking up new contact lenses, picking up my racing bicycle which is repaired, athletics training. I also want to write an article about the conjugate gradient method, build a minimal Linux live CD (see this submission) and try if I can make an install script (probably based on the Arch Linux installation guide). I also have two running projects of making a nixie clock and making a path tracer. But I also have to do a lot of chores on Sunday (groceries, cleaning, washing), and my GF is coming over…

                                  I don’t understand how people get to do any coding while working full-time :(

                                  1. 21

                                    I don’t understand how people get to do any coding while working full-time

                                    A lot of us don’t.

                                    1. 3

                                      I code outside of work for maybe 20 hours a year, burst over a few weekends. It’s not much.

                                      1. 3

                                        Yeah, it’s just not a thing I get to do much any more, between work that is non-coding, and home, where there are two little people who demand basically all of my time and energy. I am idly kicking around the idea of building a basic iTunes replacement (because word on the street is that the new “Music” app will no longer support my use-cases), as a way to get back into Apple platform development; but realistically, coding time will likely be supplanted by “sitting on the sofa with a glass of wine decompressing time” until the girls are less demanding.

                                        1. 2

                                          Swinsian might be able to replace iTunes for you. I certainly don’t mean to discourage you from scratching your own itch, though; that’s bound to be more fun and rewarding :-)

                                      2. 7

                                        I don’t understand how people get to do any coding while working full-time :(

                                        Slowly. And with a massive TODO file.

                                        1. 6

                                          I don’t understand how people get to do any coding while working full-time :(

                                          There’s a reason why I rarely code for the FOSS projects I’m involved in as a hobbyist. I just can’t code for 8 hours and then 2 more at a reliable pace. I can be helpful, answer questions and triage, though.

                                          1. 3

                                            making a nixie clock

                                            That’s a very fun project! How much are you building yourself? If you are buying most of the parts it’s definitely the type of thing you can knock out in an afternoon after work.

                                            1. 3

                                              I’ve bought the actual nixie tubes, but I still have to buy the driver parts. I’m mostly following EEVblog’s approach, but I don’t want to have a wifi-connected thing, so I’ll probably buy a high-accuracy RTC chip or breakout board.

                                              I have no experience with high-voltage stuff, so I’ll probably just buy a boost converter module that boosts the voltage enough (though it would be fun to design a switch-mode boost converter myself… and I still might decide to go down that rabbithole). Then I still have to design the PCB itself, and get it manufactured. So I’m thinking more in terms of months than in terms of afternoons ;)

                                              If you made one and have some tips for me, I’d be happy to hear them!

                                              1. 2

                                                I ended up following something pretty close to https://www.instructables.com/id/Arduino-Nixie-Clock-for-Absolute-Beginners/ And I just didn’t go through with the last step of soldering it all down. This was pretty early into my EE tinkering phase so I tried not to overcomplicate it.

                                                The engineering of it can be made pretty simple so I’m not sure I have any tips on that front, but if you want to show it off I’d put some extra time into thinking about your casing. I got much better feedback on mine once I put it in a 3D printed box to hide the components.

                                            2. 3

                                              path tracer

                                              Ooh! What for?

                                              I don’t understand how people get to do any coding while working full-time

                                              Magic. For me, I see it as I’m either learning something new I can then use for work, or working on something that’s different enough that it doesn’t feel like work.

                                              Hence HW projects.

                                              1. 1

                                                It’s cliched but you’ve got to make the time (and you’ve got to want to do that, and fair enough if you don’t!). I like to go to a cafe for breakfast on at least one day each weekend, take the laptop, and tap out a bit of code. I don’t get a lot done, but it’s more than nothing, and it adds up.

                                              1. 21

                                                I definitely share the sentiment. On the other hand it feels bad to make an analogy to the Onion article which is about gun violence.

                                                1. 11

                                                  Considering the real-world implications of this sort of technical irresponsibility (which include things like “airplanes crashing out of the sky and killing 600+ people”), I think this is entirely the analogy that needs to be made more often.

                                                  It terrifies me that more people in the IT industry don’t realise the real-world implications for their decisions :/

                                                  1. 16

                                                    airplanes crashing out of the sky and killing 600+ people

                                                    I’m not especially impressed with npm either, but I don’t think it’s causing airplanes to fall out of the sky?

                                                    1. 2

                                                      NPM isn’t directly responsible for causing airplanes to fall out of the sky because it’s not being used in obviously-critical / life-or-death systems. The most it can do is ruin lives and thus kill people indirectly (ex., by presenting an attack surface by which bank accounts can be drained, or by being so bloated that, when deployed at scale, it heats up the atmosphere enough to be responsible for the death of a few hundred people from flooding or migration-related-violence somewhere down the line).

                                                      As a general policy, though, treating software problems as potentially fatal (the way we treat law problems as potentially fatal) is pretty reasonable. Anything deployed at scale has the potential to kill indirectly, and everything deployed at google- or facebook-scale probably has. Nothing is preventing individual software engineers from considering these cases, aside from taboos against reminding us of their possibility.

                                                      1. 2

                                                        The most it can do is ruin lives and thus kill people indirectly

                                                        I know someone who works in health informatics, where they provide web-based applications for patient management to hospitals. At least once they had a bug that caused allergy warnings to show up on the wrong patient’s record (such that a nurse might not know that you’re allergic to latex or penicillin). That absolutely could kill someone.

                                                    2. 7

                                                      It terrifies me that more people in the IT industry don’t realise the real-world implications for their decisions :/

                                                      Often, the response to pieces like this tends to be a sort of reckless naivete: “what’s this guy’s problem? They can just fix it!” I think there’s a subconscious belief that the community will self-correct after each breach. This belief ends up being something of a thought-killer because it cuts off thoughts of, “but why did it ever happen in the first place?” My guess is those thoughts are seen as a bit negative/taboo, because obviously the community would never all be wrong about something!

                                                      I’m not sure what the cure for lackadaisical developers is, other than avoiding massively popular ecosystems just to have a better shot at being around people that care.

                                                      1. 6

                                                        The Canadian practice of the Iron Ring ceremony echoes your very important point. https://en.m.wikipedia.org/wiki/Iron_Ring

                                                        1. 2

                                                          While surely virtuous, I doubt this ceremony (and any feel-good manifesto that gets posted here every now and then) has a noticeable impact on how engineers deal with the real-world implications of their decisions. Oaths are nothing but fluff when there are no actual controls and consequences.

                                                          1. 3

                                                            I think that, as you suggest, the ceremony definitely does not usually result in software engineers feeling the weight of their decisions. I would hope and expect that it does feel that way for, for example, civil engineers. I also think we need to all take responsibility for moving our profession in the direction of greater accountability. We should live in a world where software engineers take this stuff seriously, and taking it seriously as individuals is one important way we can work towards that.

                                                      2. 5

                                                        The implication here is that it’s the result of a systemic flaw that is ultimately preventable.

                                                        1. 12

                                                          I think the point jjmalina is making is that it’s in poor taste to compare a JavaScript packaging problem to an act of wanton, unspeakable violence.

                                                          1. 19

                                                            wanton, unspeakable violence.

                                                            So, webpack?

                                                            1. 2

                                                              A satirical article by the onion (which is the comparison being made) is not an act of violence in any way, shape or form.

                                                              1. 3

                                                                The comparison is not between ‘a JavaScript packaging problem’ and ‘a satirical article by The Onion’. The comparison is between ‘a JavaScript packaging problem’ and ‘gun violence’. (Both expressed in the form of satirical articles.)

                                                          2. 5

                                                            This was exactly my reaction and put me off from reading the article. For those who recognize the allusion, it’s very much a false equivalence to compare CI/CD failures to actual loss of human life. The Onion’s article is a biting satirical commentary on a tragic systemic failure of American culture and legislative bodies. This article is about NPM being insecure. Distasteful.

                                                            1. 2

                                                              I just see it as a pattern for a joke. A knock-knock joke can either be a completely harmless joke that a child would say, or an adult could come up with a terribly offensive one.

                                                            1. 46

                                                              keep your existing email account

                                                              make a new email account with whatever service provider you want

                                                              sign up for new accounts with your new email

                                                              whenever you have to log in to an existing service with your current email, if you have time, switch it to your new email

                                                              repeat until in a couple years everything is eventually switched over to your new one

                                                              1. 19

                                                                This. No need to delete your gmail account.

                                                                I moved to Fastmail a year ago, and have been happy with it.

                                                                Every time I get an email on Gmail, I spend a few minutes updating the email in whatever service sent it to me.

                                                                The reason for not deleting is: there are emails you might only get once a year, like from the tax guys, MOT/TV licence (here in the UK). You might have to react quickly, and sometimes it’s just easier to reply from Gmail and update the address later.

                                                                1. 6

                                                                  Not to mention missed opportunities with people that only know your Gmail account.

                                                                  1. 2

                                                                    Absolutely agree with this. I switched to Fastmail with my own domain something like 5 years ago and I still have my Gmail address. I have it set to forward to my “new” address, as well, so that I don’t even have to log in to Gmail. When I noticed that an email I care about originally came into my Gmail address I update it (or tell the person who sent it).

                                                                  2. 7

                                                                    This is exactly what I did, though in addition I forwarded my Gmail to my new address.

                                                                    1. 7

                                                                      One missed step: Set up forwarding rule from old account to new account.

                                                                      1. 7

                                                                        Great advice. I was going to say this, but was pleasantly surprised to find it was already the top response. I will add: Your old account is still attack surface for anything that’s linked to it. Don’t get lax on the security just because you no longer use it every day.

                                                                        With gmail, if you delete your account, nobody else can ever register that username. This is a very important precaution since it prevents people from impersonating you. It is not necessarily the case with other email services. So, if you are applying this advice to migrate away from a mail service that isn’t gmail, look into whether it has that protection. If not, strongly consider never deleting the account.

                                                                        1. 3

                                                                          Excellent advice. I also used this opportunity to migrate to a password manager, and ensure that I have updated, unique passwords everywhere.

                                                                          1. 1

                                                                            Same as what I did: I moved to ProtonMail and just check my Gmail once in a blue moon at this point in case someone forgot I had updated it. I’ve had my Gmail since the early invite-only beta days and it gets bombarded with spam and garbage almost constantly, as well as a lot of people using my email address to sign up for things in the States that apparently don’t do email verification…

                                                                            I also used to get emails addressed to someone working at NVidia, got a medical insurance claim form at one point I think, as well as an invite to a wedding…

                                                                            1. 2

                                                                              Did you go to the wedding?

                                                                              1. 1

                                                                                No. But I did reply to the invite saying I wouldn’t be able to make it.

                                                                            2. 1

                                                                              I’ve been doing this, along with having Gmail forward all my email to my new account. I did that so I’d have copies of all my emails. I also did a dump and then import of all my previous emails too.

                                                                              Honestly, it’s been fine. I’ve also unsubscribed from a lot of things and deleted a few accounts.

                                                                            1. 4

                                                                              They only discuss keybase outages and yet $5k of equipment was ‘thrown away’?

                                                                              And the end of the article talks about importing Slack groups into Keybase chat?

                                                                              Might be time for me to get off Keybase.

                                                                              1. 3

                                                                                Because that $5k of equipment was also being used for things much more important than pinging people about outages. He couldn’t rule out the possibility that his Slack account had been compromised by someone breaking into his computer, so he nuked the computer.

                                                                                1. 2

                                                                                  Good point. But the whole thing? I might have just thrown out the storage. The whole thing seems quite disingenuous anyway, so I’m not sure I believe any part of it fully.

                                                                                  1. 4

                                                                                    He couldn’t know if the Intel Management Unit was compromised. Or the firmware on the Ethernet card. Or the firmware on the USB controllers. Or …

                                                                              1. 1

                                                                                All this does is put into the hands of individuals something megacorps have been doing for decades. This is empowering users and adding new features to consumer email! Also, the user expectation these days is for read receipts - that’s how it is on all IM platforms. A little geo-ip is hardly a crime. An unprotected user leaks far more information to any website they visit.

                                                                                1. 2

                                                                                  An unprotected user leaks far more information to any website they visit.

                                                                                  This is true. It’s also a crappy status quo and absolutely not a reason to chip away at people’s privacy even more. (And users hardly want to be leaking this information—it’s just that most don’t know any better.)

                                                                                1. 4

                                                                                  Nice tips. Two additions:

                                                                                  • Use bold format sparingly. If more than a quarter of the text is in bold, that is not sparing use. There are examples in the post where about half the text is bold.
                                                                                  • For emails over 4 paragraphs / 15-20 sentences, start with a “tl;dr” or “summary” section, summarising the takeaway, before diving into the details. It’s good practice to do this, regardless of the length of the email.
                                                                                  1. 2

                                                                                    There are examples in the post where about half the text is bold.

                                                                                    I think the advice to trim the text as much as possible is a little bit contradictory with the advice to bold the important bits. If you’ve already trimmed the message down to be very short then it’s probably not necessary to also highlight the important parts since, as you say, they now comprise half of the message. (If the message needs to be long then bolding is still a fine idea.)

                                                                                  1. 3

                                                                                    I have no affiliation to the project but I posted this because it seems like a great solution to the on-going problems with the SKS network, particularly surrounding on-going privacy issues and the abuse of key metadata to post illegal content.

                                                                                    The new keyserver seems to finally allow the deletion of keys—this is not possible with SKS—and also identity verification by email is finally supported. They seem to have clean separation for identity and non-identity information in keys and all in all it looks like a great evolution from SKS.

                                                                                    1. 3

                                                                                      Where do we learn more about the concerns around the SKS network? Sounds interesting and it helps build up the point you present.

                                                                                        1. 4

                                                                                          The article has some interesting links, which I’ll post for convenience:

                                                                                          The SKS Devel mailing list has actually had quite a few discussions about this too lately—a very small sample:

                                                                                            1. 2

                                                                                              The maintainer’s attitude in that first linked ticket is alarming. “The user isn’t supposed to trust us, so there’s no reason not to display bogus data.” Are you kidding me?!

                                                                                              1. 1

                                                                                                Yes, but the bigger problem is that even if they would want to change it SKS is without actual developers. There are people that maintain it by fixing small bugs here and there but the software is completely and utterly bug-ridden (I had the unfortunate “opportunity” to test it).

                                                                                                https://keys.openpgp.org is not mind-blowing¹ but it’s basically a sane keyserver. To have something like this only in 2019 shows what a dire situation PGP is in now.

                                                                                                ¹ actually I think it’s lacking a little bit compared to “modern” solutions such as Keybase

                                                                                                1. 2

                                                                                                  Even the people that work developing GPG would agree that the situation is sort of bad. Real-world adoption of GPG is almost nil. Support of GPG, say by major email clients, is almost nil. The architecture with the trust model is ‘perfect’ but it’s not user-friendly. GPG-encrypted email traffic is almost not measurable. The code base is apparently a bit of a mess. It needs maybe a bit of funding and probably some less perfect, but more pragmatic and usable strategies of improving security.

                                                                                                  1. 2

                                                                                                    Agreed with what you said. I spent some time thinking about this and concluded that at the end the problem is mostly in tooling and UX, not inherent to GPG.

                                                                                                    As an example: XMPP was described by Google as being “non-mobile friendly” and it took just one person to create a really good mobile XMPP client that can be used by regular people. (I’m using it with my family and it’s better than Hangouts!).

                                                                                                    GPG too can be brought back from the dead, but the effort to do that is enormous because there are multiple parties participating. But there are some good things happening: Web Key Directory, easy to use web clients, keys.openpgp.org.

                                                                                                    Why is it important to work on GPG instead of dumping it for Signal et al.? Because GPG is based on a standard, this is not a “product” that can be sunsetted when investors run away or a manager decides that something else is shiny now.

                                                                                                    1. 2

                                                                                                      Look at what keybase is doing. That’s what GPG should have been. Some keyserver that actually verifies things, so that when you get a key with an email address, you know that that email belongs to the person who uploaded the key, unlike the current model, where anyone can upload any key with any data.

                                                                                                      The whole web-of-trust thing doesn’t help me when I want to get an email from some person overseas I have never met.

                                                                                                      1. 2

                                                                                                        That’s what GPG should have been. Some keyserver that actually verifies things, so that when you get a key with an email address, you know that that email belongs to the person who uploaded the key, unlike the current model, where anyone can upload any key with any data.

                                                                                                        If I understood the idea correctly the submission is already what you propose (maybe you’re aware of that? Hard to tell through text alone…)

                                                                                        1. 1

                                                                                          I reinstalled Snapchat on my Pixel3 just to try this out but cannot for the life of me figure out how to activate this feature. Anybody wanna clue me in?

                                                                                          1. 2

                                                                                            While in camera mode in Snapchat, tap on your face. A row of circular icons should appear at the bottom of the screen. The icon for this feature looks like a face with pronounced eyebrows and eyelashes and red lips (although I’m a man—maybe it will use a “man” icon instead if it thinks you’re a woman?). Right now I have to swipe from right to left three times on the row of buttons to get to this filter, although these seem to get rearranged fairly often so YMMV.

                                                                                          1. 7

                                                                                            You can add Nix to the list of offenders. I actually did read the script first (okay, fine, I skimmed it) and I noticed that it at least has protection against the “partial content” problem the OP mentions. The entire script is wrapped in { and }, which means that if it ends up only half-downloaded you’ll get a syntax error and none of the commands will be run.

                                                                                            Overall, though, yeah—I agree that this is a disturbingly common practice.
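                                                                                            As an added example (constructed here, not Nix’s installer or any code from this thread), this script shows the effect of the { } wrapper described above: a copy cut off mid-download runs nothing when the body is grouped, while an ungrouped script runs whatever lines arrived.

```shell
#!/bin/sh
# Constructed demonstration of the "partial content" guard for piped installers.

# Installer body with every command inside one { } group. The shell must parse
# up to the closing brace before executing anything in the group.
guarded_script() {
  cat <<'EOF'
{
  echo "step 1" >> "$MARKER"
  echo "step 2" >> "$MARKER"
  echo "step 3" >> "$MARKER"
}
EOF
}

# The same body without grouping: each line executes as soon as it is parsed.
unguarded_script() {
  cat <<'EOF'
echo "step 1" >> "$MARKER"
echo "step 2" >> "$MARKER"
echo "step 3" >> "$MARKER"
EOF
}

# Pipe the first $2 lines of generator $1 into sh, simulating a download that
# was cut off, and print how many install steps actually ran.
steps_run_after_truncation() {
  gen=$1; nlines=$2
  MARKER=$(mktemp); export MARKER
  : > "$MARKER"
  # A syntax error from a truncated group is expected; do not abort on it.
  "$gen" | head -n "$nlines" | sh 2>/dev/null || true
  wc -l < "$MARKER" | tr -d ' '
  rm -f "$MARKER"
}

echo "guarded, complete:    $(steps_run_after_truncation guarded_script 99) steps ran"
echo "guarded, truncated:   $(steps_run_after_truncation guarded_script 2) steps ran"
echo "unguarded, truncated: $(steps_run_after_truncation unguarded_script 2) steps ran"
```

The guard only covers truncation; it does nothing against a server that serves a different script, which is the separate concern raised further down the thread.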

                                                                                            1. 14

                                                                                              Yeah, it is true. I don’t love that Nix uses a curl|sh install. However. Something interesting about this list is three out of the five concerns (hidden text, user agent sniffing, not knowing what the script will do) are predicated on the remote server being malicious. As you noticed we’re not subject to the partial content problem, and the fifth (not using TLS) is a complete failure of applying basic security.

                                                                                              One alternative was publishing instructions which included sha256 verification. However if you trust the website to give you the right hash, you can trust the website to give you the right script.

                                                                                              Another alternative is publishing GPG verification installations, which is an option listed immediately below the curl|sh instruction, in bold text, on https://nixos.org/nix/ (click Get Nix.) But still, unless you have a WoT connection to Eelco (who signs our releases and also invented Nix) what does it even mean?

                                                                                              Going back to the list of concerns – the only ones of concern here are not knowing the script (yes, please do download and read the script) or not trusting Nix’s install code in the first place. Frankly, if you don’t trust nixos.org to distribute a clean and safe install, you probably don’t want to use Nix at all.

                                                                                              I’m not thrilled at the article saying that by simply having these instructions present that we are cutting corners – we’ve pretty carefully considered the implications of this mechanism of installation and have explored alternatives. Yes, being packaged in a distro’s package manager is a great route for many pieces of software. Many distributions provide packages for Nix at this point, but for some time Nix’s /nix directory was a non-starter for breaking FHS.

                                                                                              If you have suggestions on how to improve the security of the Nix installation, I would be happy to hear about it.

                                                                                              1. 1

                                                                                                All you need to do is change the bit that says curl https://nixos.org/nix/install | sh to just be a link to the script https://nixos.org/nix/install. Telling people that they can download it and use it to install nixos.

                                                                                                1. 2

                                                                                                  I don’t think this makes any meaningful difference. If the user doesn’t check any checksums or signatures or read and understand the script, then you’ve just made the user part of the automated process. If the user is savvy enough to do a meaningful check on the script before executing it, they can see curl https://nixos.org/nix/install | sh and decide to download the script to a file instead.

                                                                                                  1. 1

                                                                                                    The difference is that you’re explicitly encouraging and condoning a bad practice.

                                                                                                    1. 0

                                                                                                      Do you read all Makefiles before you run make? Or all setup.pys before you run pip install?

                                                                                                2. 1

                                                                                                  Everything you say is true. And please understand that I wasn’t trying to slag on Nix so much as point out that it’s another prominent project that uses this pattern.

                                                                                                  However if you trust the website to give you the right hash, you can trust the website to give you the right script.

                                                                                                  Totally fair point.

                                                                                                  unless you have a WoT connection to Eelco… what does it even mean?

                                                                                                  I don’t have a WoT connection to the guy who signs Nginx releases, either. In fact, his key is the only key in my GPG keychain on my web server. The important thing is that every release is signed with that key. If I downloaded a release and found that it was signed by a different key that purported to be from the same person, I would hold off on that version until I could figure out what was going on. (I know this is a much weaker form of security than PGP was supposed to give us, but it’s what I’ve got.) Of course, the same is true of Nix.

                                                                                                  My main worry with curl | sh installs is that they usually redirect to some GitHub URL that points to the project’s master branch. All it would take to compromise this installation procedure would be for one bad commit to make it to master somehow. Some projects merge to master a lot. Maybe the only actionable advice I have here (and I don’t know whether this is applicable to Nix or not) is that if you’re going to offer a download script to be piped into sh, host it somewhere that is immune from random, malicious PRs on GitHub.

                                                                                                  By the way, I did install and start using Nix. I recognize that if you wanted to install malware on my machine, you have several more subtle options at your disposal than serving me a bad install script :-) The same goes for projects like Docker. What baffles me is ordinary programs like Calibre (which I do use) recommending piping wget --no-check-certificate into sudo sh 😱

                                                                                              1. 3

                                                                                                I personally don’t think kindness should be a value we need to strive for. OP suggests he has been put off by some comments, but who’s to say maybe he’s not being overly sensitive about them? Maybe it’s an opportunity for OP to develop a tougher skin and become more resilient.

                                                                                                1. 4

                                                                                                  Experiencing adversity is often an opportunity to become more resilient, yes—but intentionally inflicting adversity on someone has a name: cruelty.

                                                                                                  1. 2

                                                                                                    What about a trainer making things harder for his pupil? What about a parent not being overly protective of a child? What about a teacher giving a student a hard time for slacking off? It seems to me that these are instances where you intentionally inflict adversity for the individual’s own good. Besides, I think you’re being extreme by suggesting that the perception of unkindness in a tech forum is akin to experiencing cruelty from someone else. I’d prescribe gaining some perspective on what cruelty really is.

                                                                                                    1. 2

                                                                                                      You’re right; there are situations in which adversity is called for, and being mean on the internet is generally not the worst thing you can do. My point is that saying, “I don’t need to be nice, you just need to develop a thicker skin” is an attitude that leads to callous indifference.

                                                                                                1. 2

                                                                                                  The comments on this link are especially interesting.

                                                                                                  I’m just learning monad transformers, I hope I understand the controversy about free and freer soon.

                                                                                                  1. 3

                                                                                                    If you’re getting into architecture in Haskell I’d recommend “Three Layer Haskell Cake” by Matt Parsons too.

                                                                                                  1. 1

                                                                                                    There is already a downvote reason for “incorrect”, which seems innocuous to me relative to “unkind”. I think it’s okay to be wrong, provided you are willing to accept gentle and thoughtful correction.

                                                                                                    However, the word “unkind” literally means “not kind”, and I also think it’s okay to be “not kind”, provided you are also not being harsh or mean (that is, in a neutral tone). Perhaps “mean” or “brutish” or “hostile tone” would be more precise.

                                                                                                    1. 3

                                                                                                      However, the word “unkind” literally means “not kind”

                                                                                                      Maybe we’re heading into bikeshedding territory here, but my dictionary defines “unkind” as “inconsiderate and harsh to others,” and anecdotally this is always how I’ve heard it used. It would be correct (if odd) to describe a neutral statement as “not kind” but it wouldn’t really be right to call it “unkind.” For that reason, I think that “unkind” is a decent choice for a downvote label.

                                                                                                    1. 14

                                                                                                      I feel hurt when I see other people being punched unnecessarily. It has made me spend less time on this site when I’m not in high spirits. I’m happy to use “troll” in situations where someone is clearly treating someone else like a punching bag, but I would like to be more specific sometimes. I like the idea of flagging something as “unkind” instead, in the hopes that it provides more specific feedback for the commenter. They may not have realized that their words were less effective in conveying their sensible core message than they realized.

                                                                                                      We should strive to have cheap mechanisms for helping people who want to improve their communication skills to do so, as well as ranking objectively true yet hurtful content below things that are objectively true without so much toxicity.

                                                                                                      1. 8

                                                                                                        ranking objectively true yet hurtful content below things that are objectively true without so much toxicity.

                                                                                                        I’m strongly in favor of this. Some people on this site seem to value correctness above all else when it comes to ranking comments, but for me, kindness and civility are more fundamentally important. It doesn’t matter how true your comment is if it’s also condescending, insulting, dismissive, bigoted, or hateful. I just don’t enjoy reading things like that—even if they aren’t directed at me—and I think that to ignore this dimension in favor of correctness is to forget that this site is a place for people to communicate, and that if you want those people to keep coming back then you must treat them well.

                                                                                                      1. 6

                                                                                                        PDF is the only electronic document format that fully supports redaction. […] There’s really no model for redaction of HTML-based web content.

                                                                                                        This seems disingenuous to me. I’ll grant them that you don’t often see redactions in HTML, but I don’t see why you couldn’t have something like

                                                                                                        <span class="redacted harm-to-ongoing-matter">██████████</span>

                                                                                                        where there is a .redacted CSS rule to black out the span, a .harm-to-ongoing-matter rule to display some text clarifying which kind of redaction this is, and every character in the span is U+2588 FULL BLOCK to give roughly the same effect in browsers that don’t support CSS. Or maybe it would be better for screen readers if you used “redacted” as the text of the span. Either way, I don’t think it’s true that PDF has some insurmountable advantage over HTML here.

                                                                                                        People have been conditioned to see these ugly, court-formatted PDFs as more official, so that’s a reason to keep using PDF, or at least to keep it as an option. But from a technical perspective, I don’t trust an HTML file served from the DOJ website over HTTPS any differently than I trust a PDF from the same source. And the client-side malleability of the display of HTML pages is a huge advantage ergonomically.

                                                                                                        1. 1

                                                                                                          I think what they’re aiming at is the fundamental difference between HTML describing content and PDFs describing pages, though. Even without redaction, it’s impossible with HTML to guarantee a certain look to the final document, because fonts, text rendering, and layout differ between (otherwise compliant) implementations.

                                                                                                          I imagine PDF over HTML makes it easier to do, for example, a side-by-side comparison between redacted and unredacted versions, and also communicate findings within a group. (“Take a look at page 9, the third paragraph…”)

                                                                                                          EDIT: I will take issue with the authenticity argument of the article. Freezing a document in any format should be done with a digital signature. There’s really no guarantee a PDF isn’t edited unless it’s signed, and PDF has no advantage over other formats in that regard. I think, ideally, Mueller would deliver a signed PDF, and Barr would deliver a signed and redacted PDF, with some sort of cryptographic hash of the original contained within.

                                                                                                          1. 2

                                                                                                            I guess I don’t understand why one would assume that “describing pages” is more important than “describing content” in this context, though. The Mueller report is effectively a single stream of text (with the occasional header and footnote), not a complicated layout like a magazine. I would argue that the accessibility benefits of HTML outweigh the consistent-look benefits of PDFs in this case (and in many other cases).

                                                                                                            Being able to compare two versions visually is definitely an advantage of PDF, but comparing two versions programmatically would be a lot easier with HTML. And the ability to specify exact locations visually in PDFs is nice, but remember that in HTML you have hyperlinks at your disposal—you can send a link to your collaborators and not have to worry about counting paragraphs! A properly marked up document would even allow you to say, “this span of text is page 7, line 9 of the canonical PDF version.”

                                                                                                            In an ideal world, I agree with what you say about signatures, but what if this report had been digitally signed? How would you verify that the key really belonged to who it said it belonged to… by looking at a fingerprint on the same site you downloaded the PDF from anyway? Maybe some kind of Extended Validation TLS certificate is the best we can do right now, given the current state of PKI.