Threads for breck

  1. 16

    The diagramming support is one of the things I miss most after moving from gitlab to github.

    1. 8

      Interesting! Didn’t know GitLab flavored Markdown supported that (and more).

      1. 10

        Gitea also supports mermaid diagrams.

      2. 5

        Curious… why bother moving forges from open-core to closed-source?

        1. 3

          GitHub has a lot more social features. I’ve had a clue of projects on GitHub get issues and pull request with no marketing. So people are finding and using things.

          I’ve considered if I should set up mirrors of my GitLab projects on GitHub for the marketing effects.

          1. 2

            The social features are one of my biggest turn-offs, but you’re not the first to voice that opinion.

            1. 6

              I pretend that I don’t care about the social features. I really like that you can follow releases and the reaction option is kinda nice (so people can voice their support on new releases, without any comment noise).

              I don’t follow anyone, because that’s just adding a ton of stuff into my feed. But honestly it makes me happy when somebody does give me a “star” and I think it’s ok to have this vague indicator of credibility for projects.

              But I do actually search on github first when I’m looking for some kind of software I don’t find directly by using DDG. So the network effect is definitely there. Same goes for inter-project linking of issues or commits. And I won’t be surprised if moving my source to gitlab would decrease the amount of interaction as much as moving it to my private gogs/gitea instance.

            2. 2

              I’m curious what the social features are? I’ve used GitHub since it came out, but have never specifically noticed this

              1. 3

                follows. watches. stars. networks. there might be more. Github has been on my radar since it came up and these have long annoyed me. I think one of their early slogans was “social coding” and it was irritating then. Some people really like it though.

            3. 3

              For me it was largely about switching of culture of my work, shortly followed by me switching companies.

              Personally if I were to start again I think I would utilize gitlab again. While occasionally their solutions lack the polish and simplicity of github, The “whole package” of their offerings is really nice. The only consistent downside is performance of certain UI elements.

          1. 2

            A nice thing about HTML (and the reason it was picked up by JSX) is that it has both attributes and children. You can think about <tag attr=value>children</tag> as equivalent to tag(*children, attr=value) in Python-like languages. The aftertext format doesn’t seem to have a good way to represent K-V pairs. It only has tags and children and the children are mixed up because they also describe the text they are modifying. There are a lot of ways to add KV pairs to aftertext, but I would think about how shell does it: tag --attr value $children. Using --attr to mark keys is pretty easy to type (that’s why shell uses it), and simple enough to understand.

            1. 2

              I posted something about this in more detail already, but out-of-line representations are generally not appropriate for streaming parsing, they are much better for building a data structure that is then cheap to modify and serialising that data structure. This is what you want to do for a word processor, it’s not what you want to do for a (read-only) document renderer.

              1. 4

                I don’t think aftertext is ever going to be used for serious document creation, so probably anything will work. If someone writes a novel in aftertext, the chapters can just be individual files, and it would be fine.

                In terms of the selection, right now it’s VERB QUOTE, where the QUOTE is an unmarked selector, but since the selector is mandatory for every verb, I think it would make more sense to do SELECTOR VERB MODIFIERS. So for

                Hello 'ello 'ello
                italic ello

                You would instead do

                Hello 'ello 'ello
                "ello" italic

                Note the quotation marks, which can signal the beginning and end of a selector. Once selectors are a mini-language, you can have other kinds of selectors, like "ello"[3] or whatever.

                And going back my point from before you can have attributes, like

                Hello 'ello 'ello
                "ello" italic
                "ello"[2] bold  --class my-class
                "ello"[3] link href=
                1. 1

                  I don’t think aftertext is ever going to be used for serious document creation

                  I’m curious if you’d be willing to expand on this a little more? What are your favorite langs for serious document creation, and are there any features in particular that make a key difference?

            1. 3

              I was just thinking it reminded me of Tree Language when I noticed it was rooted in scroll.

              The most likely reason why this is a bad idea is that it simply doesn’t matter whether it’s a good idea or not. You could argue that improvements to markup syntax are inconsequential.

              It’s good to explore. I feel like the people who argue this will unironically post xkcd 927 in the process.

              I’m pulling on a related thread (but with inline markup). I’m curious how you think about semantic v. presentational markup, in this context?

              1. 1

                I’m curious how you think about semantic v. presentational markup, in this context?

                In this context, I’m happy to have a simple new way to add presentational markup without worrying about cluttering the text, but I’m more excited about an easier way to experiment with new semantic markups, like footnotes or asides.

                In terms of semantics though I’m much more excited about a thing upstream of Aftertext working on next.

                I’m pulling on a related thread (but with inline markup).

                Always excited to see new langs, if you wanted to share.

                EDIT: Sorry I think I misread your question, after seeing justinpombrio’s question about semantically meaningful markup (vs presentational). Will address that below.

                1. 3

                  I haven’t “published”, yet. It’ll go up at when I do, but I am shaving other yaks for the past ~month.

                  I’m not quite sure what it is. For now it is a few DSLs piggybacking on d★mark and CSS. The thread I’m pulling on is about being able to granularly single-source different kinds of documentation (to whatever extent is reasonable). I say it’s a related thread because it’s also focused on getting presentation out of the text (but the semantic markup stays).

                  (I do have a very small PoC in a test repo with outputs in a CI artifact if you’re really curious. It’s mixed in with samples of 2 other approaches for comparison and the files aren’t really organized, but if you start from wordswurst.nix you should be able to pick out the relevant files. The other 2 approaches have a similar .nix files.)

                  1. 1

                    Interesting. I’ll look forward to inspecting when you publish it.

                    Thanks for the link to d★mark!

              1. 10
                A link in Markdown can also look like [this] which I think is pretty nice.
                [this]: hi.html "Hi and hello"
                1. 2

                  which I think is pretty nice.


                1. 6

                  I will stay out of the mater in discussion. Inline formating vs optional appended formating. What I really enjoyed and will point out, is how properly you layed out you idea. What motivate you to write this, and all the clear reasoning for why you built this the way you did. All pros and cons clearly analysied.

                  I wish software development would have more of this culture. So many useless projects, so much unnecessary overhead that could be avoided if people had a better culture of thinking before opening their IDE. Keep up.

                  1. 2

                    Historically I haven’t been so good at thinking things through and getting ideas into well structured symbols. I’ve been making a sustained effort to improve. So thank you for the kind words. Maybe it means I’ve made at least a little progress.

                    1. 2

                      This could be a post of its own.

                      1. 2

                        This is why I’m grateful for a lot of academic work (especially in the field I’m interested in: type systems and programming languages). While there are many issues with the academic publishing system, I never cease to be grateful for the level of quality of work you can find there. It’s always extremely helpful to see a comparison to prior work, and a specification sketched out, along with motivating examples etc. I remember reading this post thinking ‘this reminds me of standoff markup’ and then being pleasantly surprised to see that mentioned under a “Related work” section. Props to the OP for doing this!

                      1. 3

                        This seems to assume there’s a clear separation between the content and the markup, but I don’t think that’s always the case. For example, everyone recognizes that if you remove the quotes from a sentence, you are liable to change its meaning. But the same could be said about a quote block or code block. And to a lesser extent: italics, which change the emphasis of a sentence, but in extreme cases that emphasis can probably dramatically change the meaning of the sentence.

                        EDIT: Also, hmm, how do bulleted/numered lists work in this system?

                        1. 4

                          that emphasis can probably dramatically change the meaning of the sentence.

                          Great point! Thanks.

                          I updated the text with `Another problem of Aftertext is when markup is semantic and not just an augmentation. “I did not say that is different from “I did not say that”. Without embedded markup in these situations meaning could be lost.”

                          Also, hmm, how do bulleted/numered lists work in this system?

                          Aftertext and lists are currently orthogonal node types in Scroll. That is a footgun. I haven’t given much love to lists yet. There is only basic support, demo’d here

                          1. 2

                            And to a greater extent, missing strikethroughs can pretty greatly change the meaning of a piece of text.

                          1. 6

                            In general, there are two ways of storing formatted text:

                            • A data structure that contains a sequence of formatting directives and strings.
                            • A string and a map from ranges to formatting directives.

                            These are largely interchangeable in terms of expressiveness, some operations are more efficient on one or the other. The second is common in word processors because you can store the strings as twines, ropes, or similar for easy insert and you can make the range elements relative to the start or end of a fragment so you don’t need to update ranges when you update the text.

                            Most markup languages are a serialisation of the former. This has a bunch of advantages for a medium that is intended for streaming I/O (you can display text as soon as you’ve read it and you can serialise it out by just walking whatever data structure you have). RTF and Word’s OOXML are (more or less) serialisations of the latter kind of data structure.

                            The down side of the second kind as a serialisation format is that it’s very easy for the formatting and the text to get out of sync. If you insert a character somewhere in the middle of a document all of the formatting directives that apply to ranges after that must be updated. This makes it terrible for human editing, but not too bad if your model is to read an entire document into an in-memory data structure, modify it, and then write it out to disk.

                            Aftertext tries to avoid this problem in two ways:

                            • It puts the markup after each paragraph, so you only ever have to update local things.
                            • It uses a copy of the text itself as a range marker.

                            The first of these is quite a nice property, though it has the side effect that markup can’t span a paragraph boundary (and so it can’t express things like a global style for paragraph indent). The second is that it’s ambiguous consider the following toy example:

                             Hello 'ello 'ello
                             italics ello
                             italics ello

                            This renders as “Hello ’ello ‘ello”. There’s no way currently that I could see of saying ‘the second match of this expression’. One could easily be added (e.g. italic@2 ello) but than falls back to the original problem: if you add any text to this paragraph that contains a marked-up substring then you need to update all of the formatting for this block.

                            All of that said, the author says that this is an experiment to demonstrate the power of the tool. There is a huge value in the second form of markup language for things that are intended to be edited by tooling and it’s great to see that the back end can support things like this. I wouldn’t recommend this specific representation but it’s a great (simple) tech demo for the back end.

                            1. 1

                              Well framed context and restatement of Aftertext.

                              I’d expect if this proves useful something like a globalAftertext node type would be added.

                              Your 'ello example is a great example and a footgun I just hit. Since each directive has its own scope, I imagine I might add some properties to directives, such as:

                               Hello 'ello 'ello
                               italics ello
                                index -1
                               italics ello
                            1. 5

                              The logical extreme of this is proletext:

                              (tldr: HTML encoded in whitespace at the end of the line. Not practical except as an intermediate format where you can’t guarantee that the audience has a parser.)

                              1. 1

                                So clever^! I had not seen that before. It reminds me of the Whitespace esolang except with a sensible use case.

                                He also links to “Out of band encoding for HTML” — — which is a different way to address the same problem Aftertext tackles except using a “cursor” approach instead of text selectors.

                                Will update. Thanks for helping flesh out my references in new directions.

                                ^ For the time. Nowadays not practical, as you say.

                              1. 3

                                I have also considered this… The only problem is that you need to keep the text and the markup in sync. Have you found this to be amnoying?

                                1. 1

                                  Have you found this to be annoying?

                                  Not yet. Perhaps the downside is balanced by the upside of paying more attention to each markup. But to be fair I think I need a few more months of personal usage data. It may be annoying.

                                1. 9

                                  Visually it reminds me of troff(1) directives.

                                  1. 5

                                    Thank you! Someone else mentioned troff, but the similarities didn’t quite click until you shared that specific article explaining the directives. Thanks! Will incorporate.

                                  1. 51

                                    I’m prepping for a work meeting in an hour I can’t miss, but I’ve taken the afternoon off to rush finishing the fix for this. @355e3b has free time before then and has jumped into to help. Sorry to be vague about the in-progress security issue, but I trust y’all understand how that goes. I’ll leave a response to this comment in a few hours with full info.

                                    In the meantime I’ve made the rate limiting much stricter. I’m sorry for the inconvenience and will revert as part of the fix.

                                    1. 40

                                      So, the thing I was talking around is that the potential vulnerability was potentially much worse and we were trying to be thorough about it. Hunter (@355e3b) and I dropped as much as we could to finish that work today.

                                      To start, there was some kibitzing in chat, so to be explicit: we do think this was a potentially a viable attack. An attacker could register a VPS at Digital Ocean to minimize network jitter, the dominant factor in this attack. (Other things that might introduce jitter can multiply the cost of the attack but don’t fix it.) We already see regular probing from other DO VPSs.

                                      A few weeks before soatok’s report, some of that probing prompted me to implement some rate limiting to deal with unrelated abuse that prevented effective abuse of this potential vulnerability. This was easy to extend to password resets. An attacker who can only test four tokens per minute isn’t going to get very far.

                                      Since this was reported, I was concerned that this kind of network timing attack could be used against other tokens. The most important of these is called session_token and is used to authenticate logged-in users on every request. Because this is every possible endpoint and not just the password reset flow, this would not be subject to the rate limit of 4 req/min and could lead to account takeover. We assumed this was a viable attack and Hunter wrote an in-depth mitigation for it.

                                      This afternoon I worked on finishing the mitigation and testing the attack, which required a bigger block of time than I previously could to devote to it. I was unable to get the timing attack to work against session_token (usually pretty straightforward on localhost!) and pulled my hair out for a bit. Eventually I recognized that the attacker can’t execute the attack against session_token because Rails stores the session as an encrypted, serialized value in the cookie. The session cookie isn’t the value of the session_token, it’s an encrypted blob that can’t be edited by an attacker without being invalidated. It’s a little embarrassing that I conflated the two, but I don’t much mind making an error in the direction of being over-cautious.

                                      In short, I was uncommunicative because I’d been proceeding the last couple weeks on a much more paranoid footing than was needed. My thanks and apologies to Hunter for his wasted effort; I’m sorry I didn’t have the time to write a proof-of-concept to test this first.

                                      The other thing I’ve been doing the last few weeks has to do with the “sister sites” that have adopted the Lobsters codebase. Lobsters is a site that’s open source for transparency, not to help start and run other sites. It’s really rewarding to see the code used this way, but nobody has the spare attention to run that potential project. Mostly this means we don’t take feature requests, but in this case it also means we don’t have a way to contact the site admins. There is no mailing list or forum, even for security issues. I’ve been in the process of finding admin emails and collecting translators (many sister sites aren’t in English) so we could notify them before the vulnerability was published. If you recently got a DM from me asking you to play translator, you can ignore it, I’m proceeding from here in English for urgency’s sake.

                                      Now that I’m confident there isn’t a worse vulnerability I’ve reverted the temporary stricter rate limiting. I’m sorry to anyone I inconvenienced, I know if you read the site by opening several stories as tabs you probably hit this.

                                      I think all the exciting bits are over, but am happy to be corrected if any volunteer spots something I missed, or any other issue. My email is on my profile.

                                      My thanks to soatok for alerting about the potential vulnerability.

                                      1. 8

                                        Thanks as always for the transparency and also the significant effort you continue to put into the site.

                                        1. 5

                                          To add to this, the encryption is AES-256-GCM and the underlying implementation is OpenSSL so there’s no timing attack on the encryption either.

                                          1. 5

                                            As someone who runs an (intentionally-single-threaded, but multithreaded in prefetching upstream stories) fetch loop before skimming all the stuff in a text editor, a separate thanks for the transparent and friendly throttling implementation. To say the least, not all emergency-throttling implementations are so clear with the exact changes in the fetcher one needs to do. Thanks.

                                            1. 2

                                              I know if you read the site by opening several stories as tabs you probably hit this.

                                              I did indeed hit this! I thought it was strange, and just figured it must have been my fault and I must have had a VPN going that was using a popular IP. Didn’t think about it much but glad you explained it.

                                              1. 1

                                                I was unable to get the timing attack to work against session_token (usually pretty straightforward on localhost!) and pulled my hair out for a bit

                                                Did you implement the timing attack described in the article and have success with it?

                                                1. 3

                                                  No. I took it as plausible but easily addressed with rate limiting. I only tried to repro the more serious attack I feared against session_token.

                                            1. 2

                                              It can be helpful to build the UserMethod first, expose it in a Command Palette or via Keyboard Shortcut Interface, and only if it then proves to be useful, design it into the GUI.

                                              This is not far from standard macOS practice: Everything the user can do belongs in the menu bar, each menu item is handled somewhere by a method, and those methods follow a conventional pattern. Only the most important commands also appear in always-visible UI, like a toolbar button, and some others may be progressively disclosed. But the menu bar is the index.

                                              1. 1

                                                If I had to bet on where I picked up this pattern, it’s probably from Apple land. Would not be surprised if in old code from the 80’s. Anyone know what the terms of art for this parttern are amongst Objective C/Swift programmers?

                                                1. 2

                                                  I think you’d call them action methods. The target-action pattern is one way they’re called. The token “IBAction” identifies action methods for you to wire up in Interface Builder. Targets can be particular objects or the first responder, and the responder chain is implicit beyond that target.

                                                  For example and IIRC, the Copy menu item will be bound with the target-action pattern to the -copy: action on the first responder target. When you select Copy from the menu or type ⌘C, the event dispatch will first call the view with typing focus, then if it doesn’t respond (doesn’t implement that method) it recurses to its next responder (superview, usually). A variant of this check is also done when you open the menu. The Copy action will be enabled only if some object on the responder chain responds to -copy:.

                                              1. 4

                                                I actually quite like this. I’ll repeat my own understanding if it, because I think the underlying insight is a little under-expressed and thus I had to read the second half twice before I realized what was actually being suggested:

                                                1. When considering your application API, be thoughtful about maintaining, ideally, a three way distinction between private functions, public functions, and user-facing functions (this is the yeah, duh section)

                                                2. Ensure that the set of user-facing functions is available at runtime via reflection.

                                                This is the part that I didn’t get at first- the language about ‘distinguishing’ them is a bit ambiguous and might suggest simply a restatement of (1). But the examples make it clear that the article is about the advantages of being able to enumerate and inspect the set of those distinguished functions, which is a more specific and clarifying notion.

                                                1. 1

                                                  I think this is a good explanation. Probably better.

                                                  One tiny nit is that it doesn’t necessarily have to be at runtime—you could reflect at compile/dev time. In practice I usually do it at runTime but often do some static stuff with those user functions as well.

                                                1. 2

                                                  Sounds like d’s UDAs.

                                                  1. 2

                                                    Interesting, thanks! UDA’s look like a kind of decorator. I’m a bit of language geek and love all the different terms used in the different languages for similar concepts. Each one adds a slightly different perspective and helps me calibrate things.


                                                  1. 5

                                                    I like this idea, and I think that this is part of what (interactive) provides in Emacs Lisp - the demarcation of a function as a user method.

                                                    1. 2

                                                      If you do not need the physical thing then take a look at It is such a beautiful experience to discover radio stations in farthest corners of the earth just by spinning a globe in your browser.

                                                      1. 2

                                                        Cool! Thanks for the recommendation!

                                                        1. 1

                                                          Even better! Thank you!

                                                        1. 2

                                                          There are no more pointers about this project. Many dead links.

                                                          Any idea where the work has been migrated? Abandonned?

                                                          1. 2

                                                            Sorry! It’s very active. But links have been in flux.


                                                          1. 7

                                                            how do you make a link from multiple words? Or from other elements (like an image)? How do you link other pages with relative paths? Also, requiring an emoji to write something is a major PITA.

                                                            1. 1

                                                              Or from other elements (like an image)?

                                                              An image with a link could be something like 📷foo.gif🕸foo.html For other elements, you’d have to fallback to tags.

                                                              how do you make a link from multiple words?

                                                              Good question. I think this will only be for the case of one word links. That might have interesting (intended) second order effects. Encouraging people to write human language like they would computerLanguage.

                                                              How do you link other pages with relative paths?

                                                              This is a good one I just ran into. Not sure. Maybe double web biography🕸🕸about.html

                                                              Also, requiring an emoji to write something is a major PITA.

                                                              The trajectory is ease is getting steep, so I don’t see it being a PITA in a few years. That being said, this would be optional. You can always fallback to tags.

                                                              This was all very helpful feedback! Thank you!

                                                              1. 2

                                                                If you can fall back to tags, doesn’t that mean you need to know that tags are there, and so the nifty features you say in another comment that you gain by dropping matched delimiters are lost?

                                                                Using camelCase is an interesting side effect, but why do you intend that? How is it beneficial? Could that prove to be an accessibility concern?

                                                                However easy it becomes to write emojis in a year or so, it’s unlikely to be any less easy to write the characters necessary for markdown or html, and people know those. That’s just one less thing.

                                                                Using emojis it seems like you’re trying to make things easier, more intuitive, or more friendly. But there are a lot of similar emojis, or ones that could go in the same place. The camera emoji or the photo emoji? The web emoji or the globe emoji?

                                                                It’s a cool idea, but not sure it’s practical.

                                                                Oh also, in terms of relative paths, is another syntax really necessary? Why not just let someone put whatever they want and let the browser resolve it as a relative or absolute path? That’d require putting http:// at the start of absolute paths, but that’s standard practice.

                                                                1. 1

                                                                  Why not just let someone put whatever they want and let the browser resolve it as a relative or absolute path?

                                                                  I went with link🔗./about.html for relative paths for now.

                                                                  so the nifty features you say in another comment that you gain by dropping matched delimiters are lost?

                                                                  It’s a probabilisitic thing. So you are encouraged to use 🔗, and if you do you can get nifty features, but if you are landing a rocket on mars you don’t want to depend on them.

                                                                  Using camelCase is an interesting side effect, but why do you intend that? How is it beneficial?

                                                                  I prefer camelCase to other_case systems, but really the important thing is to get people to agree on a token for a concept, like Wikipedia.

                                                                  But there are a lot of similar emojis, or ones that could go in the same place.

                                                                  This is a good point and could end up being a problem.

                                                            1. 5

                                                              It would take me longer to find and type the emoji than the actual HTML tag. I’m not sure it really helps in terms of readability?

                                                              One idea to shorten the tag is to introduce a notion of default keys. For the tag, href is the default key. This would allow writing <a>this</a>.

                                                              1. 1

                                                                Oh that’s an interesting idea. Perhaps even:

                                                                1. 2

                                                                  It really depends on what you are trying to achieve. Is typing links a major issue in HTML? Sugar is nice but usually writing speed is not the main bottleneck to production-ready code.

                                                                  1. 1

                                                                    Goal is to have a simple way of writing links that would fit in a single cell of a spreadsheet (so more 2D lang friendly).

                                                              1. 4

                                                                Surely 🔗? I.e. ‘link symbol’

                                                                1. 1

                                                                  Yes, you’re right! Much better. Thanks! That’s what I went with in the release (