1. 1

I reinstalled Snapchat on my Pixel3 just to try this out but cannot for the life of me figure out how to activate this feature. Anybody wanna clue me in?

    1. 2

      While in camera mode in Snapchat, tap on your face. A row of circular icons should appear at the bottom of the screen. The icon for this feature looks like a face with pronounced eyebrows and eyelashes and red lips (although I’m a man—maybe it will use a “man” icon instead if it thinks you’re a woman?). Right now I have to swipe from right to left three times on the row of buttons to get to this filter, although these seem to get rearranged fairly often so YMMV.

    1. 7

      You can add Nix to the list of offenders. I actually did read the script first (okay, fine, I skimmed it) and I noticed that it at least has protection against the “partial content” problem the OP mentions. The entire script is wrapped in { and }, which means that if it ends up only half-downloaded you’ll get a syntax error and none of the commands will be run.

      Overall, though, yeah—I agree that this is a disturbingly common practice.

      1. 14

        Yeah, it is true. I don’t love that Nix uses a curl|sh install. However. Something interesting about this list is three out of the five concerns (hidden text, user agent sniffing, not knowing what the script will do) are predicated on the remote server being malicious. As you noticed we’re not subject to the partial content problem, and the fifth (not using TLS) is a complete failure of applying basic security.

        One alternative was publishing instructions which included sha256 verification. However if you trust the website to give you the right hash, you can trust the website to give you the right script.

        Another alternative is publishing GPG verification installations, which is an option listed immediately below the curl|sh instruction, in bold text, on https://nixos.org/nix/ (click Get Nix.) But still, unless you have a WoT connection to Eelco (who signs our releases and also invented Nix) what does it even mean?

Going back to the list of concerns – the only ones of concern here are not knowing the script (yes, please do download and read the script) or not trusting Nix’s install code in the first place. Frankly, if you don’t trust nixos.org to distribute a clean and safe install, you probably don’t want to use Nix at all.

        I’m not thrilled at the article saying that by simply having these instructions present that we are cutting corners – we’ve pretty carefully considered the implications of this mechanism of installation and have explored alternatives. Yes, being packaged in a distro’s package manager is a great route for many pieces of software. Many distributions provide packages for Nix at this point, but for some time Nix’s /nix directory was a non-starter for breaking FHS.

        If you have suggestions on how to improve the security of the Nix installation, I would be happy to hear about it.

        1. 1

          All you need to do is change the bit that says curl https://nixos.org/nix/install | sh to just be a link to the script https://nixos.org/nix/install. Telling people that they can download it and use it to install nixos.

          1. 2

            I don’t think this makes any meaningful difference. If the user doesn’t check any checksums or signatures or read and understand the script, then you’ve just made the user part of the automated process. If the user is savvy enough to do a meaningful check on the script before executing it, they can see curl https://nixos.org/nix/install | sh and decide to download the script to a file instead.

            1. 1

              the difference is that you’re explicitly encouraging and condoning a bad practice

              1. 0

                Do you read all Makefiles before you run make? Or all setup.pys before you run pip install?

          2. 1

            Everything you say is true. And please understand that I wasn’t trying to slag on Nix so much as point out that it’s another prominent project that uses this pattern.

            However if you trust the website to give you the right hash, you can trust the website to give you the right script.

            Totally fair point.

            unless you have a WoT connection to Eelco… what does it even mean?

            I don’t have a WoT connection to the guy who signs Nginx releases, either. In fact, his key is the only key in my GPG keychain on my web server. The important thing is that every release is signed with that key. If I downloaded a release and found that it was signed by a different key that purported to be from the same person, I would hold off on that version until I could figure out what was going on. (I know this is a much weaker form of security than PGP was supposed to give us, but it’s what I’ve got.) Of course, the same is true of Nix.

            My main worry with curl | sh installs is that they usually redirect to some GitHub URL that points to the project’s master branch. All it would take to compromise this installation procedure would be for one bad commit to make it to master somehow. Some projects merge to master a lot. Maybe the only actionable advice I have here (and I don’t know whether this is applicable to Nix or not) is that if you’re going to offer a download script to be piped into sh, host it somewhere that is immune from random, malicious PRs on GitHub.

            By the way, I did install and start using Nix. I recognize that if you wanted to install malware on my machine, you have several more subtle options at your disposal than serving me a bad install script :-) The same goes for projects like Docker. What baffles me is ordinary programs like Calibre (which I do use) recommending piping wget --no-check-certificate into sudo sh 😱
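An added example, not from this thread and not the Nix project’s own code, of the “download to a file, read it, check it, then run it” alternative the subthread above keeps circling around, together with a demonstration of the `{ ... }` wrapping trick mentioned earlier for half-downloaded scripts. The two installer bodies and the byte offsets at which the “connection drops” are constructed for the demo and are not the real install script; `fetch_installer` is a hypothetical helper that only shows the download step and is not needed by the rest of the script, which runs offline. The digest you pin must come from somewhere other than the page that served the script (an earlier audited copy, a signed release note, a second channel), otherwise you are back to trusting the same server for both hash and script.

```shell
#!/bin/sh
# Added example (not the Nix project's code): gate a curl|sh-style installer
# behind a completeness check and a pinned SHA-256 before running it, and show
# why wrapping a script in { ... } stops a truncated copy from executing.

# Constructed stand-ins for a downloaded installer (not the real script).
# Unwrapped form: a truncated copy still runs whatever arrived intact.
INSTALLER_UNWRAPPED='echo "step 1: preparing"
echo "step 2: installing"'
# Wrapped form: the shell must parse up to the closing brace before running
# anything, so a cut-off copy is a syntax error and runs nothing.
INSTALLER_WRAPPED='{
echo "step 1: preparing"
echo "step 2: installing"
}'

# Simulate the connection dropping after $2 bytes of $1.
truncate_to() {
    printf '%s' "$1" | head -c "$2"
}

# Portable SHA-256 hex digest of a file (GNU coreutils or the shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Hypothetical download step: save to a file instead of piping into sh, refuse
# plain HTTP and old TLS, and fail on HTTP errors. Not called by the tests.
fetch_installer() {        # $1: URL, $2: destination file
    curl --proto '=https' --tlsv1.2 -fsSL -o "$2" "$1"
}

# Syntax-check only (sh -n executes nothing). A { ... }-wrapped script that
# was cut off fails here. Returns 0 if the script parses completely.
is_complete_script() {
    sh -n "$1" 2>/dev/null
}

# Compare the file's digest against the digest pinned out of band.
verify_sha256() {          # $1: file, $2: expected hex digest
    [ "$(sha256_of "$1")" = "$2" ]
}

# The whole gate: parses completely, matches the pin, then run. Returns 1
# without running anything otherwise.
run_verified() {           # $1: file, $2: expected hex digest
    is_complete_script "$1" || return 1
    verify_sha256 "$1" "$2" || return 1
    sh "$1"
}

# Partial-content demo: run a copy of $1 cut at $2 bytes and report how many
# lines of output the shell produced (0 when the cut-off copy is a syntax error).
lines_run_when_truncated() {
    tmp=$(mktemp)
    truncate_to "$1" "$2" > "$tmp"
    n=$(sh "$tmp" 2>/dev/null | wc -l | tr -d ' ')
    rm -f "$tmp"
    echo "$n"
}
```

Typical use is `fetch_installer <url> install.sh`, read `install.sh`, then `run_verified install.sh <pinned digest>`; cutting the unwrapped body after its first line still executes that line, while the same cut on the wrapped body executes nothing.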

        1. 3

          I personally don’t think kindness should be a value we need to strive for. OP suggests he has been put off by some comments, but who’s to say maybe he’s not being overly sensitive about them? Maybe it’s an opportunity for OP to develop a tougher skin and become more resilient.

          1. 4

            Experiencing adversity is often an opportunity to become more resilient, yes—but intentionally inflicting adversity on someone has a name: cruelty.

            1. 2

What about a trainer making things harder for his pupil? What about a parent not being overly protective of a child? What about a teacher giving a student a hard time for slacking off? It seems to me that these are instances where you intentionally inflict adversity for the own good of the individual. Besides, I think you’re being extreme by suggesting that the perception of unkindness in a tech forum is akin to experiencing cruelty from someone else. I’d prescribe gaining some perspective on what cruelty really is.

              1. 2

                You’re right; there are situations in which adversity is called for, and being mean on the internet is generally not the worst thing you can do. My point is that saying, “I don’t need to be nice, you just need to develop a thicker skin” is an attitude that leads to callous indifference.

          1. 2

            The comments on this link are especially interesting.

            I’m just learning monad transformers, I hope I understand the controversy about free and freer soon.

            1. 3

              If you’re getting into architecture in Haskell I’d recommend “Three Layer Haskell Cake” by Matt Parsons too.

            1. 1

              There is already a downvote reason for “incorrect”, which seems innocuous to me relative to “unkind”. I think it’s okay to be wrong, provided you are willing to accept gentle and thoughtful correction.

              However, the word “unkind” literally means “not kind”, and I also think it’s okay to be “not kind”, provided you are also not being harsh or mean (that is, in a neutral tone). Perhaps “mean” or “brutish” or “hostile tone” would be more precise.

              1. 3

                However, the word “unkind” literally means “not kind”

                Maybe we’re heading into bikeshedding territory here, but my dictionary defines “unkind” as “inconsiderate and harsh to others,” and anecdotally this is always how I’ve heard it used. It would be correct (if odd) to describe a neutral statement as “not kind” but it wouldn’t really be right to call it “unkind.” For that reason, I think that “unkind” is a decent choice for a downvote label.

              1. 14

I feel hurt when I see other people being punched unnecessarily. It has made me spend less time on this site when I’m not in high spirits. I’m happy to use “troll” in situations where someone is clearly treating someone else like a punching bag, but I would like to be more specific sometimes. I like the idea of flagging something as “unkind” instead, in the hopes that it provides more specific feedback for the commenter. They may not have realized that their words were less effective in conveying their sensible core message than they realized.

                We should strive to have cheap mechanisms for helping people who want to improve their communication skills to do so, as well as ranking objectively true yet hurtful content below things that are objectively true without so much toxicity.

                1. 8

                  ranking objectively true yet hurtful content below things that are objectively true without so much toxicity.

                  I’m strongly in favor of this. Some people on this site seem to value correctness above all else when it comes to ranking comments, but for me, kindness and civility are more fundamentally important. It doesn’t matter how true your comment is if it’s also condescending, insulting, dismissive, bigoted, or hateful. I just don’t enjoy reading things like that—even if they aren’t directed at me—and I think that to ignore this dimension in favor of correctness is to forget that this site is a place for people to communicate, and that if you want those people to keep coming back then you must treat them well.

                1. 6

                  PDF is the only electronic document format that fully supports redaction. […] There’s really no model for redaction of HTML-based web content.

                  This seems disingenuous to me. I’ll grant them that you don’t often see redactions in HTML, but I don’t see why you couldn’t have something like

                  <span class="redacted harm-to-ongoing-matter">██████████</span>

                  where there is a .redacted CSS rule to black out the span, a .harm-to-ongoing-matter rule to display some text clarifying which kind of redaction this is, and every character in the span is U+2588 FULL BLOCK to give roughly the same effect in browsers that don’t support CSS. Or maybe it would be better for screen readers if you used “redacted” as the text of the span. Either way, I don’t think it’s true that PDF has some insurmountable advantage over HTML here.

                  People have been conditioned to see these ugly, court-formatted PDFs as more official, so that’s a reason to keep using PDF, or at least to keep it as an option. But from a technical perspective, I don’t trust an HTML file served from the DOJ website over HTTPS any differently than I trust a PDF from the same source. And the client-side malleability of the display of HTML pages is a huge advantage ergonomically.

                  1. 1

                    I think what they’re aiming at is the fundamental difference between HTML describing content and PDFs describing pages, though. Even without redaction, it’s impossible with HTML to guarantee a certain look to the final document, because fonts, text rendering, and layout differ between (otherwise compliant) implementations.

                    I imagine PDF over HTML makes it easier to do, for example, a side-by-side comparison between redacted and unredacted versions, and also communicate findings within a group. (“Take a look at page 9, the third paragraph…”)

                    EDIT: I will take issue with the authenticity argument of the article. Freezing a document in any format should be done with a digital signature. There’s really no guarantee a PDF isn’t edited unless it’s signed, and PDF has no advantage over other formats in that regard. I think, ideally, Mueller would deliver a signed PDF, and Barr would deliver a signed and redacted PDF, with some sort of cryptographic hash of the original contained within.

                    1. 2

                      I guess I don’t understand why one would assume that “describing pages” is more important than “describing content” in this context, though. The Mueller report is effectively a single stream of text (with the occasional header and footnote), not a complicated layout like a magazine. I would argue that the accessibility benefits of HTML outweigh the consistent-look benefits of PDFs in this case (and in many other cases).

                      Being able to compare two versions visually is definitely an advantage of PDF, but comparing two versions programmatically would be a lot easier with HTML. And the ability to specify exact locations visually in PDFs is nice, but remember that in HTML you have hyperlinks at your disposal—you can send a link to your collaborators and not have to worry about counting paragraphs! A properly marked up document would even allow you to say, “this span of text is page 7, line 9 of the canonical PDF version.”

                      In an ideal world, I agree with what you say about signatures, but what if this report had been digitally signed? How would you verify that the key really belonged to who it said it belonged to… by looking at a fingerprint on the same site you downloaded the PDF from anyway? Maybe some kind of Extended Validation TLS certificate is the best we can do right now, given the current state of PKI.

                  1. 3

                    FWIW, I wrote a Jekyll plugin that will give you a word count or a reading time. (It assumes 270 words per minute.) The difference from the built-in number_of_words filter is that it tries to be smarter about excluding non-text words (e.g. within image captions or code blocks) in its count.

                    Two caveats:

                    • The plugin is sliding toward being unmaintained, since I don’t use Jekyll myself anymore. (The code itself is extremely simple, though, so it’s easy to hack it to restore Jekyll API compatibility or whatever.)
                    • I share other commenters’ doubts about the utility of providing a reading time. Sharing a word count is something I can’t recall ever seeing in a blog post but it may be more useful, since it doesn’t include a built-in, varying-from-blog-engine-to-blog-engine assumption about how quickly people can read.
                    1. 18

                      I propose JudgeVer: use your judgement to do the sane thing, and not worry too much.

                      So what if you jump from 2.1.5 to 3.0 without strictly introducing API changes? Are you sure that the new optimizer in CockroachDB will be better in 100% of the cases? What if performance is significantly worse in 1% of the use cases, and you rely heavily on that 1%? Then this will be a breaking change for you.

                      Just because the API is compatible doesn’t mean the product is compatible with your needs. I once fixed a bug so that all unicode whitespace was properly treated as whitespace, but at least one person was relying on the old behaviour. Compatible API, but breaking behaviour.

                      In JudgeVer you bump to 3.0 because it makes sense. So what that the spec says something else? The specification isn’t law, and you won’t get arrested if you do something else.

                      Publishing an incompatible version with a compatible version number can potentially cause a lot of problems, while the reverse has significantly less potential to cause problems. So when in doubt: just bump that major version. One rule of thumb I’ve seen floating around is “if it broke a test, it’s a major version bump”, which strikes me as reasonable (although not comprehensive).

                      No doubt that the purists will balk at this 🤷. Honestly, I find these really complex specifications/schemas for versioning rather … tiring, and generally tap out of the discussion once someone starts using “argumentum ad that’s-how-it’s-in-the-spec”, rather than just doing the sensible or safe thing.

                      1. 2

I pretty much agree with you. Either you are super lazy and you just upgrade dependencies willy-nilly and pray for the best (and maybe run a test or three), or you actually care about your dependencies and then you MUST read the changelog at the very least anyway. So version numbers are only marginally useful, either way.

                        1. 2

                          Updating dependencies can be very time consuming if you read all ChangeLogs, especially in environments with a lot of dependencies. npm is of course the canonical example of this, but a standard Ruby on Rails application also has quite a few dependencies (Lobste.rs has exactly 100 in Gemfile.lock).

I don’t think version numbers are completely useless. If there are 50 updates, then a major version change will be more likely to introduce a breaking change for me, and a minor version change will be more likely to be breaking than a patch version. So I can prioritize which ChangeLogs I want to read, and get the best return of investment of my time.

Not that reading ChangeLogs is any guarantee anyway. If the library authors didn’t immediately realize that a change is breaking, then there’s a decent chance that I won’t either. Especially not for larger applications where no single person understands all of it (which is a large chunk of real applications).

                          Another issue is the lack of tooling; pkg-manage update should have an option to display a ChangeLog, for example. And ChangeLog format should be standardized so that important information can be parsed out of it.

                          1. 3

                            Agreed, but for any code that lives past a few dependency upgrades, you quickly get a feel for the dependencies that never cause problems, and the ones that do nothing but cause problems. You then prioritize your time along those lines.

                            I agree it would be nice if changelogs were easier found/viewable directly from the tooling around upgrading dependencies. Even OS packagers don’t do this all that well for the most part.

                            1. 2

                              The apt-listchanges package in Debian will display important changelogs in packages when they’re upgraded. Important meaning, breaks something in a stable release, or otherwise may require human review.

                        2. 2

                          I was just starting to get exactly the same itch reading this.

When something exists in ‘human space’ and has a huge number of possible states subjective to many view points (in this case all of the vectors of what are ‘bugs’ and ‘features’ according to different subjective use cases), there is no way to formalise it and the effort to do so is painful and fruitless - everyone has to resolve their own subjective viewpoint.

                          1. 1

                            I am not a purist :). However, my understanding of semver is that it doesn’t absolve you of having to verify that your product works as expected. If an external component is crucial to your product, I would expect you to be vigilant about any changes made (including running your own integration and regression tests), and not just rely on the version string.

                            For the other places however, I believe that it would be better to not specify the version requirements too tightly (which is what your proposal would do – Does every product that uses your product care about that optimizer?) and provide the automated tools that space to work with to resolve version requirements.

                            1. 2

                              If an external component is crucial to your product, I would expect you to be vigilant about any changes made (including running your own integration and regression tests)

The problem with that is that I can’t test behaviour that I didn’t realize exists, or didn’t realize was important for the correct working of my program. Even if you’re the sole author of an application of 50k lines, then chances are you can’t remember every implied assumption in those 50k lines when reading the ChangeLog for a library.

                            2. 1

                              I once fixed a bug so that all unicode whitespace was properly treated as whitespace, but at least one person was relying on the old behaviour. Compatible API, but breaking behaviour.

                              I wrote a blog post along the same lines, riffing off of “What’s better than semver?” by @leeg. As you say, when you’re publishing a library, fixing a bug can break consumers just as badly as any other kind of change. As a library author, you can lessen the pain by documenting your library thoroughly, including defining as explicitly as possible which behaviors are part of your API and which are incidental.

For example, if you provide a function that returns an array of items, you should define whether the items will be sorted according to a specific criterion; returned in no particular order, but the order will always be the same for a given set of items and a given library version; or just not in any particular order at all. If you make an internal change that affects the order of the items, your consumer-facing documentation can guide you on whether you’ve made an API-breaking change or not. Of course, there will always be times when someone is relying on the incidental behavior of your library instead of the specified behavior, and then their application is broken by a “non-API-breaking” change. Making this situation as unlikely as possible is a human problem and it can only be solved by human-facing affordances like changelogs and API docs, not by machine-readable data like version numbers.

                              1. 2

I think that Lee’s claim that “there is no such thing as an “internal change that fixes incorrect behavior” that is “backwards compatible”” is too strong. If using a Unicode space would throw an exception or produce clearly broken output (e.g. by treating all bytes as one character and returning gibberish) then the change in behaviour would be backward compatible by any reasonable definition.

                                On the whole, it’s a lot less likely that a bugfix will break backwards compatibility in any meaningful way, only some do. I think a lot of the problems with SemVer are because tools treat it as hard guarantees, instead of probabilities.

                            1. 6

                              I was just thinking about this topic the other day while I was poking around [what’s left of] Usenet. I think the lack of formatted text there is justifiable given the constraints of the time, and I think that’s still valid for terminal-based UIs. I don’t think it’s valid anymore on the web, though. The web supports italicized text—to take one kind of formatting—and italicized text is part of the English language. Surrounding words with slashes or underscores or asterisks instead of displaying it in italics is like using two hyphens instead of an em dash: it works okay, but it’s not ideal and I don’t think there’s a good reason not to do it in a rich-text medium like this. People are going to use asterisks or something even if they don’t result in italics, so you may as well make that result in italics.

                              I agree with you that even a simplified version of Markdown is not as discoverable or obvious as you would want. I really like the suggestion by @rain1 to apply the formatting but also make those formatting characters visible. This is what some Usenet clients actually do in the terminal: make the text between asterisks bold, but still display the asterisks so that the original line length is preserved and so that it’s obvious why the text is being bolded. (Emitting “snake_cased_word” is a much better failure mode of a Markdown processor than emitting “snakecasedword”.)

                              1. 1

What bugs me with the markdown syntax is when I write *hugs* for example. I don’t want it italics. The stars have a different semantic meaning than the human reader understands better than any typographical display I can think of.

                              1. 30

                                Quoting for emphasis:

                                A standard workweek in the US is 40 hours a week; elsewhere it can be a little less. Whatever it is, outside those hours you shouldn’t be working, because you’re not being paid for that work. Your evenings, your weekends, your holidays, your vacations—all of these belong to you, not your employer.

                                Every minute you give your employer serves to devalue your time. If you work even an extra couple of hours each day (say, commuting and taking lunch at your desk while working) you have effectively given your employer 10 extra hours a week for free, for an effective pay cut of 20%.

                                1. 9

                                  Yep! One of the best things I heard regarding this was from a programmer friend of mine who is also a professional music producer. He said:

                                  I consider the time I spend commuting to work to be work time, because every hour I give to my employer is an hour I’m not spending making music. If my employer is gonna take time from my passion, they’re gonna have to pay for it.

                                  1. 3

                                    I can only speak for the US, but I feel like I have to comment on this:

                                    I consider the time I spend commuting to work to be work time

                                    I understand and support the sentiment. But if you’re literally counting your commuting time as chipping away at your 40 hours a week (or whatever it is), you should be prepared to explain to your manager how whatever you’re doing on the commute counts as bona fide work or else you’re going to be having a very unpleasant conversation with them.

                                    If you’re fortunate enough to commute on a bus that offers wi-fi, then it’s easy to justify counting that as work time. But if you don’t have a computer in front of you (in the case of jobs like programming that require a computer), you should be circumspect about counting that as “work.” If you’re thinking about work in that time, and your boss is okay with that, then great, but counting commuting time as work is not the norm in the US.

                                    1. 4

                                      but counting commuting time as work is not the norm in the US.

                                      Well, perhaps it should be.

                                      They pay you for the time spent walking to meetings, walking to get a smoke, navigating internal documents–and I’d bet my hat that management gets paid the same on golf games, “executive retreats”, “networking”, and other events.

                                      There’s no moral reason not to count time spent commuting as work–it benefits the company, doesn’t benefit you, and is required for the other work to get done.

                                      1. 4

                                        I’ve happily taken a nominal pay cut to work from home - I don’t spend that time or money commuting.

                                        Compensation is a negotiation - typically an experienced programmer has several options available. If you want me to work for you and you insist I show up in person, I’m going to demand an extra 20% or more to cover the time I spend traveling and the inconvenience of being out.

                                        1. 3

                                          It’s not just in the US. I have yet to discover a place in the world where commuting by car can be considered work.

                                          1. 5

                                            It’s unlikely you’ll get paid for it. But when deciding between a nearby job which pays $X and a job an hour further away which pays $X+15%, it’s worth factoring it in to your decision.

                                          2. 1

                                            I understand and support the sentiment. But if you’re literally counting your commuting time as chipping away at your 40 hours a week (or whatever it is), you should be prepared to explain to your manager how whatever you’re doing on the commute counts as bona fide work or else you’re going to be having a very unpleasant conversation with them.

Yes you definitely need to be ready to explain it. One way to look at it is this: businesses charge their customers for every single thing (including delivery). If I’m offering the business my services as an employee, then in a way I’m the business and they’re the customer, thus I’ll charge for delivery just like they do with their customers. Sure business people would argue differently, but business people would also argue that full-time exclusive workers can still be contractors that don’t get paid insurance or whatever it is in your country that they love to not pay for.

                                      1. 33

                                        The old proverb says: “You are famous only if someone creates a website against you”.

Corollary: “You must be really annoying if someone creates a Firefox extension to make your website readable.”

                                        1. 2

                                          Thank you for this extension! I had been trying to get rid of the obnoxious pop-up, etc. with uBlock Origin but it didn’t seem to be possible without also disabling things like embedded videos.

                                        1. 37

                                          It seems to me that suggesting a command-line-only (unless I’m mistaken?) tool like Hugo is a complete non-starter for, I don’t know, at least 80% of the people who are posting on Medium. I appreciate your effort—and I’m also becoming more irritated by Medium every day—but I think that learning how to use the terminal is just too high of a hurdle for most people to bother with. If your intention was only to convince the kind of people who read Lobsters and know what it means that something is “written in Go,” then it’s fine, but I don’t think this site presents a viable solution for the rest of the users.

                                          The fundamental problem, I think, is that in order for someone to own their digital identity in any meaningful way, they have to have (at a minimum) their own domain name, and even that is a significant technical hurdle—never mind the fact that it costs money. Maybe the most viable “indie” solution we have at this moment is to (1) guide people through the process of registering a domain and then (2) offer an easy-to-use, web-based blogging engine that people can point their DNS records to in order to get started with their own sites. The latter thing could be made cheap enough to host that some benevolent geek could just subsidize it. Even this, though, seems like so much more effort than Medium for the non-technical user.

                                          1. 13

                                            The IndieWeb community is very interested in breaking down the barriers to doing these things, like purchasing a domain name.

                                            1. 10

                                              Or, just point people to one of the many 1-click setup Wordpress hosting services. I know people like to hate PHP and Wordpress but it’s still better than Medium.

                                              1. 9

                                                Suggesting non-technical people manage their own Wordpress site is like suggesting a baby go carve your roast turkey. (It’s not going to end well).

                                                Wordpress is the Internet Explorer 6 of CMSes and its plugins are the toolbars.

                                                Yes there are better things than Medium. No, Wordpress isn’t it.

                                                1. 2

                                                  Totally agree. I know everyone would rail against this idea because it’s somebody else’s platform, but this is why I host my blog on wordpress.com - They handle the security, I just get the super ease of use and platform with the widest client support of any blogging platform anywhere, and a really nice mobile client.

                                                  1. 1

                                                    Do you think there is an opportunity for the modern database-backed CMS beyond Ghost?

                                                    1. 2

                                                      Being database backed isn’t what makes Wordpress terrible.

                                                      However for a lot of sites, I think a SSG would be a better solution, even if that means they run a db backed CMS which then publishes content to a static location. The key thing with a SSG is that the rendered pages are static HTML. It’s incidental what the source format is - static files (eg markdown) is a common pattern but it could just as easily be a regular web app with a DB.

                                                2. 7

                                                  It seems to me that suggesting a command-line-only (unless I’m mistaken?) tool like Hugo is a complete non-starter for, I don’t know, at least 80% of the people who are posting on Medium. The fundamental problem, I think, is that in order for someone to own their digital identity in any meaningful way, they have to have (at a minimum) their own domain name, and even that is a significant technical hurdle—never mind the fact that it costs money.

                                                  Glad to see these remarks already posted!

                                                  There’s still room IMO for blogging systems that live closer to WordPress on the Static-Site Gen <-> WYSIWYG CMS spectrum that are — crucially — easy to deploy on a basic LAMP stack. Make it as easy to post as on social media (Twitter / FB), with the admin part much more closely intertwined with the front-end, and you have a winner. (Would also love to know if there’s one already that fits the bill).

                                                  1. 2

                                                    Do you know https://forestry.io ? It seems to me that what they are doing is pretty close to what you describe. (I am not affiliated in any way by the way).

                                                  2. 4

                                                    Couldn’t agree more!

                                                    Generally speaking I think the first generation of web property developers created a monster with the whole idea of “free but not really” websites. Medium is just one example.

                                                    Maybe some kind of future where ubiquitous Raspberry Pi like server infrastructure would enable wide scale publishing and data sharing, but we have a LONG LONG way to go before we can get there.

                                                    I suspect in the nearer term, something like having pods of friends collaborate at some small cost to them to make their offerings available could work, but expecting everyone to use a command line is certainly a non starter.

                                                    We techies need to keep reminding ourselves that the rest of the world is not us. They don’t care that Medium is slow, or that the paywall violates our tender sensibilities. They want to accomplish something and want the shortest path to getting there. Full stop.

                                                    1. -1

                                                      definitely agree here.

                                                    1. 34

                                                      This is a pretty good post. I quit my job last month as I hadn’t been able to do any code for almost two months. I didn’t recognize it as a “burnout” until a few weeks later. I probably should have taken a sick leave in hindsight instead of quit, but ah well.

                                                      I wrote some about it on another Lobsters thread a few weeks ago, although I’m not sure if that still reflects my views today as they continue to evolve. I’ll write a detailed weblog post on it eventually, but right now I’m more focused on other stuff, like taking dogs to the park. I’ll probably write a post about dogs first.

                                                      I did have fun writing quite a bit of code this week (for the first time in what feels like forever). Things are generally going well.

                                                      But here’s a general observation I’ve been thinking about for a while (that is, a few years); namely that office work is too abstract for our brains to thrive in. We can cope, but that’s not the same as thriving.

                                                      Consider mowing the grass. It’s not challenging, innovative, or really “fun” in the direct sense of the word; but it is rewarding. The effort-reward feedback loop is almost instant. A lot of traditional labour is similarly boring but has instant or very short effort-reward feedback loops. Take a look at this expert clog maker; he makes an entire product in what, a day? Probably less? It’s a very different experience from office work.

                                                      This feedback is made even better by actually seeing your customers. As knowledge workers we hardly ever see any customer; we just write software and hope some number somewhere goes up. Seeing a real customer being happy with your labour is incredibly rewarding and motivating. I used to work as a repair tech in a computer shop, and the job had a lot of shitty sides, but one of the good sides was the ability to directly help people. Having a real person in front of you thanking you for your work is great. It’s been over 10 years, but I still miss that.

                                                      I also think the lack of a sense of “community” contributes here as well. No local “village community”, religious community, or other sense of belonging makes this even worse. You’re no longer working towards a common goal, you’re just a lonely speck (I have much more to say on individualism and its effects, but I’ll save that for another day).

                                                      The other day I had an idea for a product. I did some basic market research, jotted down some ideas, and made a basic prototype. I showed it to a test audience (N=1, my girlfriend) and she thought it was great (okay, she may be biased, but it’s a start).

                                                      I enthusiastically worked on this for most of Sunday, and continued Monday morning by fleshing out the quick mocked up prototype a bit, and I realized I had to make a user management system (login, registration, forgot passwords, etc.) “Dear God, not again!” and almost instantly lost motivation. I’ve lost count on how many user management systems I’ve written over the years. It’s neither hard nor mundane. It sits in the dangerous place where you need to do something tedious, carefully. I think software development sits in that category. What makes it even worse is that I’m not even sure if it will be of any use, since this is a product idea that may never gain traction.

                                                      Perhaps this is the real reason for Rails and the like; not because of laziness, but because doing the same kind of stuff over and over again is too demotivating. I primarily use Go these days which has a very “anti-framework” mentality. I can see the logic in it, and in a way I find myself agreeing with stories such as The resource leak bug of our civilization , but on the other hand doing the same stuff over-and-over again is not how I want to spend my life.

                                                      Many people see me as a “real programmer geek”, or whatnot. I have more Stack Overflow points and GitHub projects/contributions than most and am generally full of ideas. But I don’t really like programming. I just like building stuff. I can cope with the price of building stuff with software, but when too much negative stuff happens my brain seems to fizzle out and give up. The distance between “normal functioning” and “breakdown” seems relatively small; at least, it is for me.

                                                      How can we do better? I’m not sure. I think a major rethinking of both software development practices as well as Western societal norms are needed to really fix it, and that ain’t happenin’ any time soon.

                                                      1. 10

                                                        I think the part about the feedback is an astute observation. Two philosophical things before I say something practical:

                                                        • There is a verse in the Gita that says: “You have a right to perform your prescribed duties, but you are not entitled to the fruits of your actions. Never consider yourself to be the cause of the results of your activities, nor be attached to inaction.”
                                                        • Manual work is somehow fundamentally different from mental/organizational work and seems to touch something very basic in our minds. Do you pace when you think? I do. I think our evolution dictates that the only reason for thinking is action, so there is a tight connection between thinking and acting. And if we don’t act on what we think, we become depressed. Note that in your example you were satisfied by the act of mowing and not worried about if anyone admired your lawn. The work was its own reward.

                                                        Now on to practicality - I find that getting feedback from users directly about a product is rewarding. It can be painful because the feedback is often negative. Fewer people comment positively about a product they are happily using and more people comment about things they find wrong. But in general the sense that there is some action - some one using the product and gaining some use out of it - is pretty motivating for me personally.

                                                        There is also the aesthetic pleasure - derived like that from mowing the lawn - of creating code that is pleasant to read and does its job and does it well. I think some of the burnout might come from overdoing it - so not getting enough other things to do, and rest and so on, and some from having to do it badly because of time pressure and negative feedback without any positive feedback.

                                                        1. 9

                                                          Great post. Especially “But I don’t really like programming. I just like building stuff.” resonates with me. This is exactly how I feel, and I don’t feel I can express this without receiving negative attention. In Europe, developers aren’t as well paid as in the US, and many employers list having ‘pizza nights’ as a benefit. To me, it signals that I’m expected to work overtime, and the company doesn’t want to invest in me (as in, if they have pizza nights, employers usually 1. don’t allow you to have paid trainings, 2. expect you to lead pizza nights yourself 3. won’t buy you any food that’s better than greasy junk food).

                                                          1. 6

                                                            I generally agree with your statement, but I think this lack of reward feeling has more to do with our trade than with office work. One can design a building, a train or a plane in an office and feel tremendously rewarded once the product is finished.

                                                            Because we delve into the virtual world of computer programs, we have nothing to show for our efforts. The product of our work is not tangible and, worse, only shows value among people within our trade. Although I tremendously enjoy what I do, I cannot help but feel worthless from time to time, wondering what exactly my legacy is going to be.

                                                            This is why the past several years I have been trying to diversify myself with some other, more tangible skills. I opted for motorcycle mechanics and, interestingly, often take more pride in my small mechanical achievements than my larger, more impactful professional achievements. And the reason is absurdly simple: I can sit on them; I can show them off; I can parade on them; and I know where they physically are.

                                                            1. 2

                                                              Maybe people looking for such appreciation should do a mix of what impresses peers in the know and user-visible work that outsiders would appreciate? I think better marketing of what you build showing its benefits can have that effect, too. They say, “I don’t know how it works but I like the results.” They have to see your name attached to it, though, front-and-center to avoid it being made by some abstract or legal entity.

                                                            2. 5

                                                              Nobody seems to have responded to the part where you thought you needed to write your own user management system so I figured I’d do it: don’t; just use OpenID or OAuth or something along those lines; even just giving users the ability to authenticate via Google, Facebook, etc. would address the problem sufficiently to focus on the other stuff you actually enjoy.

                                                              1. 2

                                                                Yeah, that’s a good suggestion. I might do that for the first version/MVP.

                                                                I think there’s a bit of a friction between “good elegant implementation” and “easy to create” in this area; in general, I don’t particularly like Facebook logins and such, so I want to offer people the ability to login via regular ol’ email login.

                                                                Perhaps a good third-party authentication solution exists?

                                                                1. 4

                                                                  If you do end up implementing it yourself, don’t even bother with passwords; just use cookies and magic links sent via email.

                                                                  1. 1

                                                                    That’s nice, for several reasons, but there are a lot of users who understandably hate it. It’s kind of slow, it doesn’t integrate with 1Password and its clones, and it fundamentally requires you to collect user email addresses.

                                                                    1. 1

                                                                      I don’t understand why you think it’s slow; it takes at most a few seconds the first time and should be a no-op on subsequent uses. It doesn’t need to integrate with 1Password because it’s not a password! Yes, it requires you to collect email addresses, which seems better than collecting passwords.

                                                                      1. 1

                                                                        One of the benefits of 1Password (or anything like it) is that it shows me all of the sites I have accounts with. Even if a site didn’t use passwords per se I would still make a 1Password entry for it just so I would remember later that I’d made an account there.

                                                                        1. 1

                                                                          To what end?

                                                                          1. 1

                                                                            *shrug* I mostly just like having a list of the accounts I’ve registered for. But it’s also helpful to keep track of which username and email address I used for a particular service, since I use one-off email addresses and I’d probably forget exactly which address I used if I didn’t write it down somewhere.

                                                                  2. 3

                                                                    I recently learned about userkit.io. If you use it write a review for the rest of us.

                                                                    1. 3

                                                                      Thanks. I looked at it, but it’s too JavaScript-heavy for my liking. The dashboard doesn’t load in Firefox for some reason (blank page); perhaps a problem in my Firefox, but it doesn’t inspire a lot of confidence. I personally consider accessibility pretty important so I’m not confident this is a good fit. Right now the app is usable in Lynx if you really want to (well, as “usable” as anything gets in Lynx).

                                                                      I eventually went with @adsouza’s suggestion, which I implemented in about 140 lines of Go code and one simple HTML template. I might make a weblog post or library out of it. Thanks!

                                                                2. 8

                                                                  How can we do better? I’m not sure. I think a major rethinking of both software development practices as well as Western societal norms are needed to really fix it, and that ain’t happenin’ any time soon.

                                                                  I don’t think major changes are necessary. Software engineers and knowledge workers in general need to get organized and stop drinking whatever kool-aid the Silicon Valley visionaries, thought leaders, and the likes of Facebook, Amazon, Google, etc. have been selling. Just establishing basic standards of professionalism and ethics can go a long way towards fixing many of the issues that lead to burnout.

                                                                  1. 10

                                                                    I’m very much in favor of professionalizing our occupation, myself. I’d like “software engineering” to be a real engineering discipline, like civil or mechanical or even electrical engineers have, with all that entails. But I do think that it would constitute a major change from where we’re at now. I hope and expect to see this kind of change, but gradually.

                                                                    1. 1

                                                                      We absolutely imperatively need to fix our tools and fix the general state of programming itself before we “professionalise” which usually means codifying and legislating existing best practices. Because our “best” practices are awful.

                                                                      1. 3

                                                                        I think that professionalizing is going to be such a long process that we need to be talking about it now—and besides, there’s so much churn in tooling and practices in our industry that waiting for anything to be “fixed” is going to be waiting for Godot. (A nascent professionalization movement might even put some weight behind an effort to figure out what “fixing” our tools and practices might look like.)

                                                                    2. 3

                                                                      While I don’t disagree with that, I also think the problems are more fundamental and deeper than that. Or maybe not; I’m not really sure to be honest.

                                                                      I can only talk from my experience as a software developer, as that’s the only experience I have. But I think I would suffer from the same kinds of problems if I’d work in, say, marketing, or other sectors.

                                                                      1. 1

                                                                        That’s true. Programming as a profession attracts certain kinds of people and maybe those people are just more prone to this kind of stuff. But even with that I still think some kind of collectivized professionalism would go a long way to fixing many of the problems that the solo genius mythos has created.

                                                                  1. 1

                                                                    This is cute! I was concerned that sending random lines would slowly siphon off entropy but it looks like the “random” values are actually generated by a small PRNG seeded with the program’s startup time.

                                                                    1. 4

                                                                      Does it even need to be random? Seems like it could just send “<insert expletives here>” over and over as long as it doesn’t start with “SSH-”

                                                                      1. 12

                                                                        I was thinking it’d be fun to send silly song lyrics or something…

                                                                        We’re no strangers to love

                                                                        […ten seconds of silence…]

                                                                        You know the rules

                                                                        […ten more seconds…]

                                                                        And so do I
                                                                        Unlikely to be seen very often (if ever), but could perhaps provide a mild auto-trolling of a bot operator in the event they happen to notice and investigate. Or if not, at least we have computers reciting poetry to each other, which, aesthetically, I like.

                                                                        1. 3

                                                                          Welp guess I’m writing up a tiny server impl then. Would be fun for a CTF maybe…

                                                                          1. 2

                                                                            Thanks for the idea! I used this weekend to write a golang implementation that will do just that: https://github.com/magikid/gosshtar.

                                                                          2. 3

                                                                            I agree. If a bot is smart enough to recognize that it’s just receiving “hello world” over and over again, it’s probably also smart enough to give up after ten minutes if it hasn’t received the SSH- line.

                                                                          3. 4

                                                                            There is no such thing as ‘siphoning off entropy’ [sic]; this idea is a remnant of 90s-era crypto thinking (and is why Linux’s random subsystem is so broken). Once you have a single random 256-bit value, you can generate effectively infinite (2^256) unpredictable values from it as:

                                                                            (HMAC-SHA2-256 value #(0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0))
                                                                            (HMAC-SHA2-256 value #(0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1))
                                                                            (HMAC-SHA2-256 value #(255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255 255))

                                                                            That’s within a few orders of magnitude as many random values as there are particles in the universe. If you really care, you can use 512 bits and have many, many more orders of magnitude more values than there are particles in the universe. There’s no reason to worry about ‘using up’ entropy.

                                                                          1. 2

                                                                            I’m interested in hearing your use-case for -P if you have one- it’s clearly powerful but difficult to think about in the abstract.

                                                                            You could use this to adjust the amount of parallelism in a command. For example, many commands (including make, GNU parallel, and GHC) take a -j option that lets you control how many tasks are run simultaneously. You could use hyperfine to profile one of these commands in this way to generate a parallelism profile.

                                                                            1. 1

                                                                              That’s a great point bdesham! hyperfine would be useful for running relative timing tests from different degrees of parallelism. I’ve edited the post to include your point (with credit of course).

                                                                            1. 2

                                                                              I used Jekyll for many years but finally replaced that with a custom static site generator written in Haskell and which uses Pandoc to convert Markdown. I was getting bad performance out of Jekyll, mostly because of the self-inflicted wound of running it in a Docker container. (I got sick of the constant churn in the output that Jekyll produced for a given input, and putting it in a Docker container meant that I could specify exactly which versions of Jekyll and its plugins I wanted to use. That also allowed me to get rid of my system-level installation of all the necessary Gems.)

                                                                              Writing a custom generator was a bunch of work, but it was an enjoyable experience that taught me a lot. Jekyll was pretty flexible overall but this program does exactly what I need.

                                                                              (Also, I assume you already know this, but you’re not going to have any plausible deniability if you’re hosting both personal and professional sites from the same personal server. The two sites would share an IP address but no other site on the internet would use that address.)

                                                                              1. 4

                                                                                I haven’t updated my personal computer to Mojave yet, for just these kinds of reasons. Thanks for pointing this one out.

                                                                                I’m curious—have you considered using a LaunchAgent for this instead of a cron job? Cron seems to be at least unofficially deprecated in favor of launchd so I wonder whether maybe the latter wouldn’t have the same permission issue.

                                                                                1. 4

                                                                                  The entirety of the “message encryption” section of the spec is:

                                                                                  A COI-compliant client MAY support the Autocrypt standard to ease end to end encryption scenarios.

                                                                                  TODO: Consider using more secure lookup mechanisms for encryption keys. Also check for existing encryption keys before auto-generating a new encryption key set.

                                                                                  So… encryption isn’t even mandatory? There’s absolutely no way I’m going to switch to an unencrypted chat service from iMessage and Signal—silos or not.

                                                                                  1. 3

                                                                                    The problem with these solutions is they don’t suppose that code files are concatenated. Statements beginning with the characters [ or ( should always be prefixed with a semicolon in this case.

                                                                                    1. 3

                                                                                      If you’re concatenating code files it seems like a really bad idea not to put semicolons between the files, for exactly this reason. (If you do this step before minification you don’t even need to worry about adding an extra ten bytes or whatever.) Mashing two files together and assuming that the aggregate will behave the same way doesn’t work in most programming languages—and in general, it doesn’t work in JavaScript either. If you’re going to manipulate code as text like that you need to take the syntax into account.

                                                                                      1. 2

                                                                                        It does work in JavaScript if you follow the rules for doing so.