Threads for brianly

  1. 12

    I always like: talk to me about the last time you got paged into an issue. You can find out a lot about the uglier side of what you’re getting into with 15 minutes and that question as a lead.

    1. 3

      “paged”? Last time I carried a pager was nearly 20 years ago. Do you want an answer from the distant past?

      1. 22

        Paged is still frequently used in some circles and is tied in and reinforced with the branding of the common PagerDuty product. In my circles, people mostly just say there were called. Some companies have bespoke incident management tools so they say they were XYZ’d where XYZ is some obscure tool. Paging may not translate as well internationally.

        1. 7

          And the verb “paging” existed well before pagers were invented. The term is more generic that you seem to be suggesting.

          1. 1

            Can confirm I’m from the present. Emoji for proof 😉.

        1. 4

          The parallel between societies and software is a great find! The big thing that I disagree with though is:

          and a fresh-faced team is brought in to, blessedly, design a new system from scratch. (…) you have to admit that this system works.

          My experience is the opposite. No customer is willing to work with a reduced feature set, and the old software has accumulated a large undocumented set of specific features. The new-from-scratch version will have to somehow reproduce all of that, all the while having to keep up with patching done to the old system that is still running as the new system is under development. In other words, the new system will never be completed.

          In short, we have no way to escape complexity at all. Once it’s there, it stays. The only thing we can do to keep ourselves from collapse as described in the article is avoid creating complexity in the first place. But as I think is stated correctly, that is not something most organisations are particularly good at.

          1. 11

            No customer is willing to work with a reduced feature set…

            Sure they are, because the price for the legacy system keeps going up. They eventually bite the bullet. That’s been my experience, anyway. The evidence is that products DO actually go away, in fact, we complain about Google doing it too much!

            Yes, some things stay around basically forever, but those are things that are so valuable (to someone) that someone is willing to pay dearly to keep them running. Meanwhile, the rest of the world moves on to the new systems.

            1. 3

              Absent vandals ransacking offices, perhaps this is what ‘collapse’ means in the context of software; the point where its added value can no longer fund its maintenance.

              1. 1

                Cost is one way to look at it, but it’s much harder to make this argument in situations like SaaS. The cost imposed on the customer is much more indirect than when it’s software the customer directly operates. You need to have a deprecation process that can move customers onto the supported things in a reasonable fashion. When this is done well, there is continual evaluation to reduce the bleeding from new adoption of a feature that’s going away while migration paths are considered.

                I think the best model for looking at this overall is the Jobs To Be Done (JTBD) framework. Like many management tools, it can actually be explained in to a software engineer on a single page rather than requiring a book, but people like to opine.

                You split out the jobs that customers need done which are sometimes much removed from the original intent of a feature. These can then be mapped onto a solution, or the solution can be re-envisioned. Many people don’t get to the bottom of the actual job the customer is currently doing and then they deprecate with alternatives that only partially suit task.

              2. 4

                My experience is the opposite. No customer is willing to work with a reduced feature set

                Not from the same vendor. But if they’re lucky enough not to be completely locked in, once the first vendor’s system is sufficiently bloated and slow and buggy, they might be willing to consider going to the competition.

                It’s still kind of a rewrite, but the difference this time is that one company might go under while another rises. (If the first company is big enough, they might also buy the competition…)

              1. 18

                Failing to consider jQuery a “framework” seems arbitrary and wrong.

                Yes, jQuery provided massive compatibility fixes that the very fad driven “first frameworks” from the article lack, but to then dismiss it as just a compatibility layer is nonsense. jQuery was so widely deployed (well intentioned, but wrong :) ) people pushed for it to be included as part of the literal standards.

                Beyond those core compatibility and convenience functions jQuery feature an extensive plugin architecture, and provided UI components, reactive updates, various form, and other user data supports. All of which sound not significantly different to the feature set of those “frameworks”.

                This article then goes on to dismiss Ruby on Rails with a single sentence. Given Ruby on Rails pretty much created the entire concept of the integrated frontend and backend, with integrated databases, that seems bizarre?

                Honestly, reading this post felt like it was written by someone who had encountered a few fad frameworks, added a few of the still major ones, and then called that a history. Honestly I don’t think this is worth spending time reading, if your goal is to actually learn something about the history of web framework.

                1. 9
                  1. It’s definitely true that there was a massive ecosystem around jQuery, but I think it’s fair to say it was (and so were MooTools and Prototype) doing a fundamentally different thing than the “frameworks” which emerged in the early 2010s. The shift from managing state and reactivity in the DOM to managing it in the framework layer was a major shift.
                  2. Ruby on Rails… isn’t a JavaScript framework. So it’d be pretty weird to spend a bunch of time on it in a post about eras in JS frameworks!
                  3. The author was a major contributor to and member of the Framework Core team for Ember.js for several years, helped build its modern reactivity system, and has spent quite a bit of time with others along the way. Your dismissal is kind of hilariously wrong.
                  1. 4

                    I disagree with (1), unless the post were updated to state that it is talking about a specific framework architecture, rather than “frameworks” in general.

                    As I think about it, I agree on (2), because now that I recall people were still using separate libraries in client code. What it thinking of when writing the above was the adoption of the concept of “application frameworks”, which Ruby is a major early driver of, but as you say it didn’t actually interact with JS directly, you were using frameworks like jQuery, etc in the client, and rails was just providing the application data and state.

                    I’ll take response (3) as a mea culpa :D

                    1. 5

                      I think it’s a fair point on further reflection. By the time I was starting “application frameworks” were just the default, Ruby on Rails and Django had already been around and matured, modern JS frameworks were also trying to be entire application frameworks, etc. And in our modern context, when we refer to frameworks, we’re usually talking about application frameworks.

                      But that doesn’t mean UI widget frameworks are any less of a “framework”, it’s just that we were collectively thinking about software differently back then. I unfortunately don’t have that context, to me jQuery was always a “library” whereas Backbone was a “framework”, but I can totally see your perspective here. If I have time I’ll try to go back and work that in somehow in my discussion of the first era, thanks for reading and commenting!

                      1. 4

                        I really think we have failed at having the required communication structure for an Internet forum :D

                    2. 2

                      Maybe we’re all a bit wrong and right here? That would seem to be the theme of eternal September in JavaScript frameworks.

                      Put another way,I think it’s possible for someone to know current JavaScript frameworks quite deeply and still miss the history or the underlying terrain that’s shaped it. A few things I thought of reading this:

                      1. On prior art for transpilation and components: ClosureTools was annouced in 2009, and included the tooling Google had been using for years to provide minified JavaScript with type checking (using JSDOC comments). Closure Library also included things like goog.ui.Component, and also shipped with a template library. These things had been used in Gmail and Google Docs for some time - though I’m not sure they’re used before anymore.
                      2. On prior art for full frameworks and server side rendering: similarly see Google Web Toolkit. The Google Wave launch for instance was all GWT, IIRC with server side rendering.
                      3. On “browser integration of components”: I can’t speak in detail, but I remember this Working Draft on Web Components coming out in 2013. . . I’m not sure but I don’t think much progress happened then. The author suggests that this will change. But I wonder like Bourdieu, how is today different from yesterday?
                      1. 3

                        Put another way,I think it’s possible for someone to know current JavaScript frameworks quite deeply and still miss the history or the underlying terrain that’s shaped it.

                        Totally! The author fully acknowledges a knowledge gap in the era you’re commenting on and invites people to give exactly the kind of info you’re responding with. :D

                        Web components… have indeed not really made a ton of progress. There’s more motion on some of the fundamental problems in that space in the past couple years but they were stuck for a very long time. My own take is that they are trying to do something quite different from what the component-oriented view layers and frameworks were trying to do: the APIs are basically “How would you implement a new built-in element?” rather than picking up the themes around reactivity etc. that the view-layer-frameworks tackled. We’ll see if and how they change going forward.

                        1. 3

                          FWIW, I admitted in the “before times” section that I didn’t have a ton of knowledge of how everything worked prior to 2012 or so, when I started coding 😅 definitely simplified and miss bits of history there for sure, but it’s hard to capture everything without writing a novel (or having been there).

                          Re: Google’s tooling, that’s amazing to hear about now, but I don’t believe these tools were really adopted by the community. At least, I’ve never heard of an app other than Google ones being built with them. I did point out that Google proved JS frameworks could work though, with Gmail being the first app most people seem to remember as being the moment when they realized how powerful JS had become.

                          Re: Web components, there has been a lot of progress here actually! In my work on decorators I’ve been collaborating closely with the folks who are pushing them forward, such as Lit and Fast, they are in fact a standard and part of the browser now. That said, they are severely limited compared to mainstream JS frameworks, I think in large part because the platform moves much more slowly than the ecosystem as a whole. But, if we step back, this is similar to the pattern we saw with View-Layer frameworks - letting patterns evolve on their own, and adopting the best ones. Some of the current patterns they’re working on include:

                          1. SSR standards
                          2. Contexts
                          3. Using imports instead of global namespace-based registration

                          Given time, I think they still have a lot of potential, but I also think that they’re not really usable for larger-scale apps at the moment (I had a particularly painful experience with Stencil.js last year, would not go back). But for smaller components and UI widgets, they’re pretty great!

                          1. 3

                            Re: Google’s tooling, that’s amazing to hear about now, but I don’t believe these tools were really adopted by the community. At least, I’ve never heard of an app other than Google ones being built with them. I did point out that Google proved JS frameworks could work though, with Gmail being the first app most people seem to remember as being the moment when they realized how powerful JS had become.

                            It’s probably worth elaborating on the reasons for this because they repeat with different technologies:

                            1. The more popular products built with these tools didn’t survive, or have been supplanted by other products.
                            2. When the products have survived, the codebases have been modernized with replacement of the original frameworks. Many places have standardized around React for better, or worse.
                            3. Barriers to adoption meant that the frameworks only got serious adoption in niches. When Google’s Closure was attempting to make a splash, it was still primetime for Ruby on Rails. You can look inwards at what RoR offers, or you can look outwardly at how it sat within the web development ecosystem. People had started building SPAs, but they hadn’t displaced the approaches of the day.
                            1. 1

                              Re: Google’s tooling, that’s amazing to hear about now, but I don’t believe these tools were really adopted by the community. At least, I’ve never heard of an app other than Google ones being built with them. I did point out that Google proved JS frameworks could work though, with Gmail being the first app most people seem to remember as being the moment when they realized how powerful JS had become.

                              For what it’s worth, ClojureScript heavily depends on the Google Closure Compiler to perform optimization of generated JS code, and the official docs encourage people to use some of the features from the Google Closure Library.

                      1. 14

                        The new MacBook Pro, which I have, is all this and more. A clean build of my work project (C++, Xcode) is about 50% faster than on my 2018 model, with no audible fan noise. In fact I don’t recall ever hearing the fan. I’m getting multiple days of battery life, too. (This is with the baseline M1 Pro CPU, not the Max.)

                        I’ve been through every Mac CPU change, 68000 to PowerPC to x86 to ARM, and each one gets more transparent. The only time I noticed this one was when I first launched an x86 app and the OS told me it was going to install the emulator. Everything I’ve recompiled and run has worked fine.

                        Also kudos to Apple for backing away from earlier design decisions — “butterfly” keyboard, touch-bar — that turned out to be bad ideas. The Apple I worked at probably wouldn’t have done that.

                        1. 8

                          I liked new MacBooks Pro on paper, but when I touched them in the store I took my 3k$ and went home. I don’t care about useless to me ports, USB C is all I want (I do software). For me MacBook Air with M1 is much better in terms of form and weight. But this is my usecase.

                          1. 2

                            I don’t need an SD card reader, and I could do without the extra weight, but I do need at least a 15” display to do work. ¯\(ツ)

                          2. 4

                            Ditto to all of this. I spend a lot of time in and around WebGL graphics. One of our in-house apps makes my old MacBook and the laptops of all my colleagues sound like the decks of aircraft carriers. It’s completely silent on my new M1 MacBook Pro.

                            I was frankly a little nervous about getting this machine. I need it to run everything from Blender, a .NET server with a proxied webpack dev server on top, various node servers, to a headless WebGL engine. I was pleasantly surprised to find it does all but the last those things without breaking a sweat. Things that run natively feel instantaneous. Things that run on Rosetta 2 still feel snappier than before. Industry adoption for Apple Silicon is moving apace. I’m pretty sure I’m just a dependency upgrade away from getting the last item on my list working and I can finally shed my old machine for good.

                            The most revolutionary thing about the experience of using the new MacBook Pro isn’t the features or build quality per se (although they’re both excellent). It’s that the performance bottleneck in my day-to-day work is squarely back on the network. I haven’t felt that way in a while.

                            1. 1

                              I am really disappointed that Apple removed both the touchbar and the butterfly keyboard. The butterfly keyboard was the best feeling keyboard I have ever used, bar none, and the touchbar was very useful in some scenarios, while the physical F keys are absolutely useless to me.

                              1. 13

                                The touch bar has an interesting idea, but without proper haptics (i.e. scan with your finger, more forecful click as you actually press), I don’t think most people wouldn’t have bought into it.

                                I thought the butterfly keyboard was nice on the 12” MacBook (they should bring it back w/ M1, IMHO), but I wasn’t as impressed with it on the Pros…. and the reliability issues sunk that.

                                1. 1

                                  I forget if I’ve mentioned it on here before, but HapticKey is worth trying. It uses the magnets in the touchpad to emulate feedback on the Bar, it work better than you’d expect.

                                  1. 1

                                    Oh yeah, the version of the 12’’ MacBook was the best. The newer version on the Pros wasn’t quite as good, but to me it was still better than the current keyboard.

                                    As for reliability, mechanical keyboards have atrocious reliability compared to both regular keyboards, and I suspect to the butterfly keyboards as well, but that’s not the reason why people use mechanical keyboards. They simply like the feel and accept the tradeoff. I would accept the same tradeoff for my laptop’s keyboard.

                                    1. 5

                                      As for reliability, mechanical keyboards have atrocious reliability compared to both regular keyboards, and I suspect to the butterfly keyboards as well, but that’s not the reason why people use mechanical keyboards.

                                      Do you have some evidence for this? I don’t have numbers, but I have numerous mechanical keyboards and the only one that has failed was stepped on, whereas I experienced multiple failures of my MacBook butterfly keyboard.

                                      1. 1

                                        Unfortunately I am not aware on any real studies, so all I have is anecdotal evidence, albeit I have a lot of anecdotal evidence.

                                      2. 1

                                        As for reliability, mechanical keyboards have atrocious reliability compared to both regular keyboards

                                        Just to clarify, you are only referring to mechanical keyboards on laptops and not to external mechanical keyboards?

                                        1. 1

                                          No, I am referring to external keyboards. I didn’t even know mechanical keyboards on laptops were a thing.

                                          1. 4

                                            There were, though I’m going back to the 486/Pentium era (easily portable might be a better description than what we think of now). The current ones I know of with mechanical keyboards are from Razer and Asus.

                                            My experience with mechanical keyboards differs, even cheap ones are long-lasting than any laptop keyboard I’ve seen since some of the old IBM Thinkpads and Toshiba Porteges.

                                      3. 1

                                        The touch bar has an interesting idea, but without proper haptics (i.e. scan with your finger, more forecful click as you actually press), I don’t think most people wouldn’t have bought into it.

                                        The most important feature of he touchbar was that it could run Doom. It’s still a mystery why touchbar equipped Macbooks didn’t fly of the shelf after this became known. :(

                                      4. 11

                                        I really wanted to like the touch bar, but my fingers rarely ended up using it, maybe because of the lack of tactile feedback. Also, I’ve long been accustomed to binding F1..F8 to switch between my most-used apps, so having other functions on the touchbar interfered with my muscle memory.

                                        You’re honestly the first person I’ve ever heard praise the butterfly keyboard, or even say it felt any better than the old type. I kept making typing mistakes on it, and even bought a little KeyChron mechanical BT keyboard to use when I wanted to do a lot of typing away from my desk.

                                        1. 2

                                          Well, add me to the likes for the feel. Besides that, it was an absolute disaster. I had a MacBook Pro with a butterfly keyboard from before they added the seals and keys would constantly get stuck or wouldn’t actuate correctly (I guess because a speck of dust got in).

                                          Though, the most reviews don’t mention this, the new M1 Pros have another scissor mechanism than the M1 Air and prior scissor MacBooks and I love it. It is much more ‘clicky’ than the earlier scissor keyboards and feels somewhat closer to mechanical keyboards.

                                        2. 5

                                          I am really disappointed that Apple removed both the touchbar and the butterfly keyboard.

                                          The butterfly keyboard seems to have had a lot of reliability issues, even after they made some changes to it.

                                          1. 1

                                            Why not bind the actions your wanted to the F keys? MacOS has a very good support for binding actions.

                                        1. 3

                                          I’m the first to urge caution in upgrades, but without highlighting actual breaking changes this seems like fud.

                                          1. 12

                                            Some of us hang out in forums where people literally start posting minutes after a Python release that they don’t understand why NumPy isn’t installing on the new version.

                                            Waiting at least a little bit for the ecosystem to catch up is sound advice.

                                            1. 10

                                              I don’t understand why you say that when the article was very clearly a meta-discussion of how to approach Python version upgrades. It is not asking users to hold off indefinitely, but instead is reacting to the availability and how that plays out with updates throughout the ecosystem.

                                              A “product manager” for Python could take a lot away from how clearly the pain points were laid out. As a platform, it’s advantageous for Python to tackle a lot of the issues pointed out, but it’s hard because of the number of stakeholders for things like packages. Getting a Docker image out more quickly seems like low-hanging fruit, but delaying a few days could perhaps be intentional.

                                              1. 2

                                                For what it is worth, the Docker container, like many very popular containers on the official docker registry, are in fact owned and maintained by the Docker community themselves. I am unsure if it is really their duty to-do that.

                                                Many of the listed things in the article are indeed painful things to deal with, but some of them I’m not sure if the PSF is really the right entity to have had them fixed on launch day.

                                                edit: clarified that is the docker community that maintains it, not Docker the corporate entity.

                                                1. 2

                                                  Also, as the author suggested it could be, it’s fixed already:

                                                  Digest: sha256:05ff1b50a28aaf96f696a1e6cdc2ed2c53e1d03e3a87af402cab23905c8a2df0
                                                  Status: Downloaded newer image for python:3.10
                                                  Python 3.10.0 (default, Oct  5 2021, 23:39:58) [GCC 10.2.1 20210110] on linux
                                                  Type "help", "copyright", "credits" or "license" for more information.
                                                  >>> 
                                                  

                                                  They had to hit publish pretty quickly to release that complaint while it was still true.

                                              2. 3

                                                Some of concerns seem reasonable, for example the tooling catching up with the new pattern matching syntax blocks (match, case). If you use the popular Black code formatter, for example, it doesn’t yet handle pattern matching (and it looks like it’s going to be a bit of a job to update that).

                                              1. 6

                                                osquery reminds me a lot of WMI’s query language. Likewise, in the IBM i world, there’s been a big push to expose system APIs as SQL functions or tables, to make it easier for DBAs and Unix-side programs to access said APIs.

                                                I think assuming relational DBs need SQL is kinda limiting. QUEL existed, and I think it’d be great if we could have a NoSQL RDBMS - that is, a relational DB (since relational data is good and fits many problem domains) without SQL (which is a bit of a crufty language, and could be replaced with a language learning from its mistakes or simply having none and relying on program-side query builders serializing to a “raw” query language).

                                                1. 2

                                                  I feel like I found my dev soulmate reading that comment. I feel exactly the same.

                                                  1. 1

                                                    There is also logparser which may be a better example of how it can be applied across many types of input/source.

                                                    1. 1

                                                      I think assuming relational DBs need SQL is kinda limiting. QUEL existed, and I think it’d be great if we could have a NoSQL RDBMS - that is, a relational DB (since relational data is good and fits many problem domains) without SQL (which is a bit of a crufty language, and could be replaced with a language learning from its mistakes or simply having none and relying on program-side query builders serializing to a “raw” query language).

                                                      We kind of have that over in the Windows world via things like LINQPad, or just the LINQ APIs in .NET in general. You can use LINQ to query databases, WMI, arbitrary raw data, and so on, irrespective of source, and with relatively unsurprising performance. I could also make a case with a straight face that MongoDB is indeed, or at least has the potential to be, a NoSQL RDBMS.

                                                      But you’re right that we’re not really there on either front in a general sense.

                                                    1. 13

                                                      I am intrigued by the framing of the Sturm und Drang about the state of the web as being driven, to some significant degree, by politics internal to Google.

                                                      1. 26

                                                        As I stated earlier this week, promo packets are what’ll do in the web.

                                                        I think a lot of developers simply lack the interest in context to process the realpolitik that shapes and distorts the fabric of spacetime for our industry.

                                                        If you refuse to understand that Google’s whole business is threatened by adblockers, you probably would be confused at the some of the changes to web extensions webRequest that make that work harder. If you don’t understand the desire to make SEO, crawling, and walled gardens easier AMP probably seemed like a great return to roots.

                                                        Other companies do this too, of course. If you didn’t know about OS/2 Warp some of the Windows APIs probably seemed weird. If you don’t know about Facebook trying to own everything you do then the lack of email signup for Oculus probably seems strange. If you invested heavily into XNA you probably got bit when internal shifts at Microsoft killed XNA off. If you don’t know about internal Canonical and RHEL shenanigans, systemd and other things probably are a surprise.

                                                        Developers need to pay as much attention to the business dependencies as the technical ones.

                                                        1. 6

                                                          What do you mean by promo packets? I’m not familiar with this term.

                                                          1. 21

                                                            When you’re doing a performance review at Google, you can request a promotion. If you do this, you put together a ‘packet’ including the impactful work you’ve done. New work is rewarded heavily, maintenance less so. For senior engineers, shipping major projects with an industry wide impact is a path to promotion.

                                                            1. 30

                                                              Which means Google rewards doing something new for the sake of doing something new. It’s tremendously difficult to get promoted by improving older systems. Crucially, you often need to demonstrate impact with metrics. The easiest way to do that is sunset an old system and show the number of users who have migrated to your new system, voluntarily or otherwise.

                                                              1. 16

                                                                Ew. Thanks for the insight. But ew.

                                                              2. 1

                                                                Is there any material evidence suggesting that someone’s promotion is the reason that chrome will remove alert? Obviously google will push the web in the direction that juices profit, but an individual promotion? Seems like a red herring.

                                                                1. 6

                                                                  It is often difficult to pick it apart as it’s rarely a single person or team. What happens in large organizations is that there is a high-level strategy and different tactics spring from that. Then, there are metrics scorecards, often based on a proxy, which support the tactics delivering the strategy. This blurs the picture from the outside and means that rarely one person is to blame, or has singular control over the successes.

                                                                  I haven’t followed the alert situation very closely, but someone familiar with large organizations can get a good read from the feature blurb. There is a strong hint from the language that they are carrying a metric around security, and possibly one around user experience. This translates to an opportunity for a team to go and fix the issue directed by the metrics since it’s quantifiable. The easiest way to start might be to work back from what moves the metric, but this is a very narrow perspective.

                                                                  Developers may know what the best things to work on having been a developer in that area for 10 years, but their impact tracks towards those top-level strategies. Management can’t justify promotion because someone else is very focused on metrics that drive the strategy.

                                                                  In lots of places this is called alignment. Your boss may only support X amount of work on non-aligned projects, if you do at least Y amount of work on Y projects. A classic big company alignment example is a talented person in a support department. If they can fix your biggest problem at the source it’d be best to let them do this. However, metrics incentivize assigning them to solving N support cases per week and other metrics designed for lower-skilled individuals instead of working on fixing root causes. Eventually, they leave unless you have smart management taking calculated risks, manage the metrics at the team level so the team is not noticed working the way it wants, seeking paths for talented people to work on the product, etc.

                                                                  1. 1

                                                                    Many of us understand how metrics and incentives at tech companies work. Was just pointing out that it’s a bold claim to assume that chrome is removing alert due to an individual seeking a promotion.

                                                            2. 3

                                                              I think about this in terms of my time at Apple – like, people ascribed all kinds of causes to various seemingly peculiar Apple decisions that to those of us on the inside were obvious cases of internal politicking leaking out.

                                                              1. 2

                                                                WHATWG is a consortium of multiple companies so I’m curious why everyone is pointing the finger at Google here, or is the assertion that Google has so much power over the WHATWG and Chrome at this point that there’s no ability for other companies to dissent? (And I mean we all know that the W3C lost and WHATWG won so a consortium of vendors is the web.)

                                                                1. 9

                                                                  The multiple companies are Apple, Google, Microsoft, and Mozilla (https://whatwg.org/sg-agreement#steering-group-member, section 3.1b) Of the three, only Apple develops a browser engine that is not majority funded by Google.

                                                                  1. 4

                                                                    I’m pretty sure Apple develops a browser engine that is majority funded by Google: https://www.theverge.com/2020/7/1/21310591/apple-google-search-engine-safari-iphone-deal-billions-regulation-antitrust

                                                                    1. 5

                                                                      That’s some pretty weird logic.

                                                                      The browser engine Apple creates is used for a whole bunch of stuff across their platforms, besides Safari:

                                                                      Mail, iMessage, Media Store fronts, App Store fronts.. Those last two alone produce revenue about 4x what Google pays Apple to make it the default.

                                                                      Do I wish they’d get more people using alternatives and pass on the google money? Sure. Is there any realistic chance their ability to fund Safari and/or Webkit would be harmed by not taking the google money? Seems pretty unlikely.

                                                                      1. 1

                                                                        I don’t think the stores use WebKit. They didn’t last time I investigated.

                                                                      2. 4

                                                                        It’s true-ish. But I’m sure the most profitable company in the world probably doesn’t require that money and would be able to continue without.

                                                                        1. 3

                                                                          You don’t become the most profitable company by turning down revenue.

                                                                      3. 1

                                                                        Right I was just wondering if folks think the WHATWG is run solely by Google at this point. Thanks for the clarification.

                                                                      4. 5

                                                                        The point is that many of those new APIs don’t happen in standards groups at all. Exactly because they’d require more than one implementation.

                                                                        1. 5

                                                                          Yes, this. Google’s play here is less about controlling standards per se (ed: although they do plenty of that too) and more about getting everyone to treat Whatever Google Does as the standard.

                                                                        2. 4

                                                                          WHATWG was run at inception by a Googler and was created to give Google even more power over the standards process than the hopelessly broken W3C already gave them. That they strong armed Mozilla into adding their name or that Apple (who was using the same browser engine at the time) wanted to be able to give feedback to the org doesn’t change the Googlish nature of its existence, IMO

                                                                      5. 12

                                                                        Like it or not, Google is the www. It is the driving force behind the standards, the implementations (other than Safari), and the traffic that reaches websites.

                                                                        It would be odd if Google’s internal politics didn’t leak into the medium.

                                                                        1. 6

                                                                          Right, it’s just … one of those things that is obvious in retrospect but that I would never be able to state.

                                                                          1. 9

                                                                            A lot of people seem to think that standards work is a bit like being in a university - people do it for the love of it and are generally only interested in doing what’s best for all.

                                                                            In reality it’s a bunch of wealthy stakeholders who realize that they need to work together for everyone’s best - they’re not a monopoly, yet - but in the meantime it behooves them to grab every advantage they can get.

                                                                            As mentioned in the post, standards work is hard and time-consuming, and if an organisation can assign a dedicated team to work on standards, that work will get implemented.

                                                                            1. 3

                                                                              Universities work like that too now

                                                                              1. 1

                                                                                This is sadly true.

                                                                      1. 2

                                                                        You see the same with “fullstack developers”, who are usually either backend or frontend developers who can also do the other thing a bit.

                                                                        I’ve actually done quite a bit of sysadmin stuff on production systems over the years, as well as a lot JavaScript frontend stuff. But at the end of the day I’m I’m mostly just a backend/systems programmer who can also do a bit of the other stuff.

                                                                        1. 2

                                                                          IME most “fullstacks” are better at frontend than those who would cling to being “frontend-only” because they still care and are willing to learn things.

                                                                          My big beef about the word “fullstack” is it presumes webdev is the only dev. Most “fullstacks” are missing experience in many stacks, such as OS, embedded, rich client, or networks other than http

                                                                          1. 2

                                                                            I agree with your sentiments as I was thinking about how I should update my CV. This devolved into thoughts on how other people perceive a person’s skills and how I’ve tried to think about them when hiring.

                                                                            The model from Football Manager (formerly, Championship Manager) for player attributes came to mind. It provides a summary of:

                                                                            • All attributes (which are not that useful alone)
                                                                            • Possible playing positions with their strongest, along with a style suggestion (are they more frontend than backend?)
                                                                            • Then they provide a summary visualization of strengths with implied weakness in the radar chart (what’s the correct name for this?)
                                                                            • I haven’t played recently, but I think in the game it caters for the multiple stacks by changing the context to other playing positions and rolling up relevant attributes into the radar chart.

                                                                            This could be applied to any set of roles you are hiring and the summary visualization can be overlaid for comparison. You could also use it as a way to communicate the requirements for a preferred hire. It’s all food for thought, but I think it’s an interesting way to think about skillsets given how complex we’ve made the requirements.

                                                                        1. 16

                                                                          I believe in mandatory reviews, but I usually communicate what I expect from my reviewer when I request a review. Likewise as a reviewer I ask what’s expected of me when I don’t already know. I don’t think mandatory reviews create a culture of carelessly tossing reviews over the wall, and if you stop doing mandatory reviews I don’t think people will magically try harder.

                                                                          One policy doesn’t make or break a culture of developing quality code.

                                                                          1. 12

                                                                            I worry that a standard process gets in the way of building a flexible culture for collaboration.

                                                                            This gets to the heart of my problems with the piece, I think.

                                                                            Lack of process does not scale: in an ideal world everyone would be disciplined in their approach but as the size of an organisation increases you need to agree on what “disciplined” looks like.

                                                                            Even for small projects, I have on days and off days and I appreciate technology that can prompt me towards the better approach. The way I often phrase this in discussions about tooling is: it should be harder not to use it.

                                                                            That comes with a corollary: you should still be able to not use it! No process is sacred or perfect for every situation and it’s important to be flexible. If you’re bypassing something regularly, maybe it’s time to think about why it’s not working. A good process is one that makes your life easier.

                                                                            Maybe this is what the author is trying to get to, and I’m missing the point. I’m certainly not arguing that enforcing PR review is the only way to do things.

                                                                            But I’m wary of arguing that something is all bad just because we might want to do something different sometimes.

                                                                            1. 3

                                                                              That comes with a corollary: you should still be able to not use it!

                                                                              This is fine in many situations. The problems crop up when developers do not fully understand their commitments. These should always be explicit, but a significant number of organizations work with significantly complicated customers and industries that understanding the domain becomes as a big a challenge as the project. You also have the human elements of being hired into a role that’s different from the one presented, organization changes, etc.

                                                                              The rules and process in an effective organization, where “effective” means meeting customer requirements, needs to have some level of enforcement. If it was purely size then the option to skip it would be more acceptable, but for many situations it isn’t. I’m ignoring a large set of organizations that operate with risk by unknowingly violating regulations, or have just hit a point where their legal department will finally force them to snap to a process.

                                                                              Quality of life is an important consideration for developers and operators. In the current tech market, this group tends to be well positioned to dictate a lot about what a good process means from their perspective. When it comes to a drive towards process is optional, especially as short-hand for developers will opt out of the processes that they feel like, then it starts to challenge our level of professionalism as an industry.

                                                                              1. 1

                                                                                This is very true! Some process should not be skipped - and we’re back to expecting people to use good discipline and judgement, which doesn’t always work.

                                                                                Perhaps in such cases that should read: “you should be able to skip it if you can prove you have a damn good reason for doing so”?

                                                                                1. 4

                                                                                  Treating the skippage of very important steps as an incident and holding a plain post-mortem is a good start. So less about the skipper proving themselves, more about exploring the circumstances that lead to skippage.

                                                                                  1. 2

                                                                                    Perhaps in such cases that should read: “you should be able to skip it if you can prove you have a damn good reason for doing so”?

                                                                                    If you act with good intent and break a regulatory requirement, you have still broken a regulatory requirement. Depending on circumstances this is still a serious issue and not infrequently investigation finds that it was avoidable. It is much better to pause and collaborate with others to overcome the impasse even when you are uncomfortable because the consequences are not always immediate, or direct.

                                                                                2. 2

                                                                                  I agree. Processes like mandatory code review is important in so far as they document your beliefs and knowledge about what was best at the time the decision was made. Beliefs and knowledge change with evidence and circumstances, and so will your processes.

                                                                                  The option to duck out of It – if the situation so demands – is also important to me. I think the only road to long term success is to hire smart people and give them freedom under responsibility.

                                                                                  Of course, you could argue that doesn’t scale, and I think that’s not a problem with the principle, but simply a consequence of the fact that human creative work does not scale, period. You can’t construct a well-functioning 500 person product development organisation. In order for it to work at all, you’d have to extinguish many of the things that make creative teamwork powerful.

                                                                                  Of course, the alternative might be better: put together the 500 people into small mini-orgaanisations that are as independent as possible, and essentially run a little company inside the company (driving stuff from user need to sunset), but with goals determined by larger coherent strategic initiatives.

                                                                              1. 2

                                                                                Great article! I might try async requests sometime.

                                                                                When using Requests, I throttled to avoid overwhelming remote server. Like in BASIC days, I just used “sleep” to guarantee a minimal amount of time between requests. Has the advantage that it’s less likely to be buggy or have unpredictable behavior than my custom, throttling code.

                                                                                1. 4

                                                                                  Adding sleep is good, especially if you’re trying to remain undetected.

                                                                                  However people typically gravely underestimate what a server can handle. Even at home servers can handle 10k connections/s if configured properly.

                                                                                  There’s something to be said about being nice, but in general I say that you can hit things as hard as you want and the server won’t stutter.

                                                                                  1. 2

                                                                                    There’s something to be said about being nice, but in general I say that you can hit things as hard as you want and the server won’t stutter.

                                                                                    That works fine when there is simple rate-limiting and tracking on the server end. When you are dealing with larger APIs, or services that might be sensitive to request rates (e.g. LinkedIn), then you need to be aware of how they may take action later. Your client may appear to be working the first time around and then you get blocked later. It is worth understanding more about the service you are making requests to and taking a cautious approach because the response may be more sophisticated than you are prepared to deal with.

                                                                                    1. 1

                                                                                      you get blocked later

                                                                                      Yes please always check this first, you don’t want to run into captcha requests (yt-dl..)

                                                                                1. 7

                                                                                  It seems very weird to even have a “CPU MHz” graph, as if the hertz mean anything at all - especially since it’s comparing AMD CPUs and Intel CPUs?

                                                                                  I have no idea what “Events per second” means. What kind of event? It doesn’t seem like that’s explained anywhere?

                                                                                  I don’t know what’s going on with the memory read and write measurements. Obviously the average and minimum speed for a single memory read or write operation is going to be 0ms? Isn’t milliseconds way too coarse grained for that kind of measurement? What is counted as a “memory read operation” or “memory write operation” anyways? Does it measure a read from cache or does the benchmark make sure to actually read from main memory? Wouldn’t memory throughput and memory latency (with separate measurements for read and write) make more sense than “memory operations per second” and “milliseconds per memory operation”?

                                                                                  Same with “File I/O”; isn’t latency and throughput more interesting than just ops per second? Is the “operations” the same as what’s measured when we measure IOPS or is it something else? What is the “minimum/maximum/average”? Is the “minimum time for a read operation” just measuring the time it takes to read a page from the page cache (aka just a benchmark of the memory system) or does it make sure the files aren’t in the page cache? And again, clearly milliseconds is way too coarse grained for these measurements given that they’re all at 0?

                                                                                  Am I missing something or do most of these benchmarks seem underexplained and not that well thought through? I like the concept, seeing a wide variety of benchmarks on the various VPSes could be interesting, but I don’t really feel like I can conclude anything from the numbers here. Maybe running the Phoronix benchmark suite on the different $5/month VPSes could provide some more useful results.

                                                                                  1. 5

                                                                                    I’ve flagged this as spam because it’s some vague hand waving to get you to click on the referrer links at the bottom of the page. It looks as if it’s really just there to get referrer kick-backs.

                                                                                    1. 3

                                                                                      Am I missing something or do most of these benchmarks seem underexplained and not that well thought through?

                                                                                      Aren’t you talking about most benchmarks that do the rounds? Benchmark blogs never seem to learn from the earlier criticism. They are often:

                                                                                      • Have simplistic or naïve design. At most they test something the author was interested in.
                                                                                      • Unreproducible even when they include scripts because they are missing other key information.
                                                                                      • Designed around supporting a specific narrative (e.g. slamming Python for having the GIL).
                                                                                      • Are purely designed to drive clicks for a company that’s not too close to any of the products or services being benchmarked, that they’ll complain a lot.

                                                                                      A better test of VPS usage, especially when it’s a single node, might be to see how many requests per second you can get out of a WordPress instance on it. It’s far from perfect, but that’s a big reason they exist. Ideally, you’d add in some problematic code and see how well that performs. That was actually an idea that Ian Bicking had suggested at PyCon long ago for Python performance comparisons because that’s what is happening when most people need to investigate performance.

                                                                                      1. 3

                                                                                        Am I missing something or do most of these benchmarks seem underexplained and not that well thought through? I like the concept, seeing a wide variety of benchmarks on the various VPSes could be interesting, but I don’t really feel like I can conclude anything from the numbers here.

                                                                                        You’re not missing anything.

                                                                                        Another factor is that VPSs can have pretty variable performance, which is why he used three instances and “averaged the results where applicable”. A provider giving consistent performance vs. a provider with large differences seems like an interesting data point. Also n=3 seems pretty low to me.

                                                                                        And things like “Maximum (ms)” for “CPU” (maximum what? The time an “event” took?) could be a single event that’s an outlier, and the mean average for these kind of statistics isn’t necessarily all that useful. You really want a distribution of timings.

                                                                                        I did find the scripts he uses on his GitHub though; basically it just runs sysbench.

                                                                                        I agree something like this could be useful; but this is not it. Quite frankly I’d say it’s borderline blogspam

                                                                                      1. 6

                                                                                        I wish this incident were taught in every CS curriculum and every bootcamp. I think it’s particularly important to look not only at how the failure happened, but at how the device manufacturer tried to minimize its importance - a pattern I see repeated frequently. Software, as a profession, needs to hold itself to higher standards.

                                                                                        1. 4

                                                                                          I wish this incident were taught in every CS curriculum and every bootcamp.

                                                                                          This was something I studied at my university in the UK during the first week of my first semester in 1999. I understand that this was intentional as part of British Computer Society (BCS) accreditation. It was accompanied by a requirement for a full ethics course in the second year. There was no option to skip it, and UK degrees generally didn’t offer any “choose your own adventure” path around it.

                                                                                          The situation is very different globally, especially in the US. There seems to be a great deal more flexibility than the British system for students and institutions. It’s hard to ensure exposure to this, or similar ethics material in that situation.

                                                                                          Many of the teachers at bootcamps are products of universities. If something wasn’t taught earlier in their academic life, then it’s unlikely that they would choose it as bootcamp content. I’m also sidelining some other issues, including CS versus SWE, rigour and (mathematical) depth of CS all courses is the most important feature of the degree, professors not taking “soft” subjects seriously, lack of experience teaching these subjects, etc.

                                                                                          1. 3

                                                                                            Same - UK, software module of a general engineering course, in the first year, along with a general ethics and professional responsibility module.

                                                                                            I think in ‘real’ (sorry @hwayne) engineering degrees there is a much more constant drumbeat of the fact that people’s lives depend on you understanding the problem you’re trying to solve and thinking deeply about the solution, combined with longer history of established practice and lessons learned. It seemed quite natural at the time, and I’m surprised about the inference from the GP post that these sorts of examples are not brought up by default in any programming course.

                                                                                            Almost anyone in my world (mech/aero engineering) who has done at least one formal software engineering module at university can recite Ariane 5 and Therac 25. Whether or no that overpowers their subsequent PRINCE2 training is a matter of debate, but it’s certainly taught along with all the other basics.

                                                                                          2. 2

                                                                                            Software, in this case, was one lone developer, who I’m presuming was working the way they were directed to work by their manager.

                                                                                            Higher professional standards in software development would be great. But I don’t think they’d have helped, in this case.

                                                                                          1. 8

                                                                                            Something I love about Python is how the language managed to consistently evolve. I started with Python 1.6, and just loved how each version pushed me to try and adopt new practices. I remember decorators, str/bytes, format strings, async and typing as key improvements that changed the way I code today.

                                                                                            1. 17

                                                                                              And for the same reasons, I am more and more afraid to see where all the duct tapes and layer over layer cake in Python is gonna taste is a few years. The language changed a lot even when focused on Python3 that the motto “There is only one way to do it” is meaningless. Already when working with numpy & pandas a lot, there is more than one sane way to do it and that will propagate to all Python ecosystem. On the other side of the coin, is that the language keeps growing and adapting. Let’s see where Python 4 lends in the future.

                                                                                              1. 9

                                                                                                I have same feelings. Python is getting more complicated than it’s ever been. There are many ways to do a simple thing and it’s opposite of Python zen.

                                                                                                1. 2

                                                                                                  Just because a new feature is available doesn’t mean you have to use it.

                                                                                                  1. 14

                                                                                                    Of course but someone, some day, will use it in a project you collaborate to and you will have to deal with it.

                                                                                                    1. 1

                                                                                                      I’ve dug into this a bit more and I’m probably inclined to agree (I don’t use Python myself though).

                                                                                                      However, the change does seem to be quite divisive, so it’s very possible this will just be used sparingly in most code bases.

                                                                                                      1. 3

                                                                                                        It’s hard to limit this given the massive size of the Python ecosystem. One observation around this is how the new PEG parser is allowing language developments to be proposed and land very much quicker than before. There seems to have been a barrier to entry before which much of the community was accustomed to.

                                                                                                        I’m personally neutral on this feature. But, I’d prefer that the whole ecosystem was considered during prioritisation rather than considering language features separately. I think they can be implemented independently, but from product perspective it doesn’t feel like the most important thing.

                                                                                                    2. 6

                                                                                                      I don’t know about you, but I work in a team environment

                                                                                                      1. 2

                                                                                                        My experience is more about being dropped in various projects where the lead and the team have already settled on what they accept or not and after being done, I was moving to the next one. So I tend to have less to say (if it is not critical).

                                                                                                        I agree that in a team env on a project,it is easier to settle on what you accept or not as practice. I am a minority here.

                                                                                                        1. 1

                                                                                                          From what I’ve read, the decision to add pattern matching seems to have been a fraught one. I’d imagine you would have plenty of allies in your team to argue against adopting the paradigm in your team’s code.

                                                                                                    3. 4

                                                                                                      To be fair, I think Python has really embraced its position as the duct-tape language. It’s the language that lets you do anything from crafting custom packets to modelling neural nets. My experiences with it, in both corporate settings and ML usage, have been pretty subpar, but for folks who want to learn the language once and just learn domain specific duct tape to enter new subfields, it’s great.

                                                                                                      1. 1

                                                                                                        TBH, in long term I feel that Python will act more as Graphql API to reach those numerous data and ML libraries so tightly linked to it from other languages. It is almost a gimmick to be able to call Python from your language of choice (Julia,Common Lisp,Go,etc.) for the purpose to access ML and Data libraries. IMHO, Python is not a good language to be treated as an API.

                                                                                                        1. 1

                                                                                                          IMHO, Python is not a good language to be treated as an API.

                                                                                                          It’s not in my opinion but there really aren’t any other serious competitors for the sheer breadth of applications that Python provides that is also a nice, generatable API. Julia is a much more fun language for data science, but the libraries are still a lot more raw than Python, and folks still do use PyCall for stuff (e.g. there’s no good equivalent to something like spaCy). Nobody else has really “put their money where their mouth is”.

                                                                                                  1. 5

                                                                                                    I too hated SQL when I first started with it. It grew on me though and I think it actually gets a lot of undeserved flak.

                                                                                                    any serious DBA must examine the query plan of their SQL statements

                                                                                                    A lot of people who aren’t DBAs write sql. And anyone who writes sql should know how to view and read a query plan. I would also suggest that knowing the database your working with (oracle, mysql, postgres, etc.) and how to write effective and efficient queries for it is no different, IMO, than telling me that I should know how to effectively write and debug efficient python programs. Every programming language has its own quirks and ins and outs. Frankly, again IMO, sql is fairly easy comparatively. Query plans are honestly pretty easy to read. For example, compare them to using gdb.

                                                                                                    I naively think an imperative DSL for writing queries

                                                                                                    If you look around the net enough you’ll find various people have come up with such things. They do exist though almost no one uses them. At this point sql is very entrenched and unseating it is going to take a genuine revolution in how to do it versus a couple of steps better.

                                                                                                    So why is SQL so successful despite its shortcoming?

                                                                                                    A large part of this, IMO, is it’s age. sql is old. All the OGs of the database world used it. And all the upstarts used it because the OGs did.

                                                                                                    1. 3

                                                                                                      A lot of people who aren’t DBAs write sql. And anyone who writes sql should know how to view and read a query plan.

                                                                                                      I think in most businesses these points are in conflict. The only people looking at query plans are developers and DBAs (where they still exist.) Many of the people writing SQL are in business areas. They’ll possibly be using the SQL tools that developers have, but more likely they’ll be running some tool focused on report development. Smart DBAs will setup replicas and restrict access so there is risk is reduced. It’s only when these queries get moved into a more formal setting that developers and DBAs start optimizing.

                                                                                                      That for me, is the crux of why SQL is successful. You have a language that flourishes is a relatively non-technical environment outside of IT, yet can be directly translated into a high performance system most of the time. Much software development involves throwing it all away when these transitions happen, but SQL (and the implication of RDBMS use) allows a relatively smooth transition. For this reason, use of anything other than a relational database should be exposed to reasonable scrutiny in a business setting. Startups, ML, search, etc. are all special areas compared to the regular businesses which is all around us. It’s often hard to appreciate that when we work in tech, like optimizing, and are enthusiastic about learning new things.

                                                                                                    1. 7

                                                                                                      I hate to ad hominem this place up, but these are the same people who wrote that truly atrocious article on Vim and IDEs, so I’m hesitant to take any of their claims at face value.

                                                                                                      1. 4

                                                                                                        This one is not good too. “Some people have millions of rows in the database, so they have to go NoSQL route”. Yeah, no shit. I have billions of rows in some tables (with a sizeable churn) and Postgres looks pretty happy to me and can easily endure so much more.

                                                                                                        Also a bit about “flexible NoSQL”… there is another comment on the top level that goes into more detail.

                                                                                                        1. 2

                                                                                                          It unfortunate that they seem to have such inconsistent quality for a site that was originally intended to separate the wheat from the chaff in terms of answers to programming questions. There are many issues with that approach, the site, the community, and there is a need for all levels of content - but, more editorial control might be good on the blog.

                                                                                                        1. 21

                                                                                                          These statements annoy me:

                                                                                                          Heck, if you ask some people, Rust is less secure than a GC’ed language for web apps if you use any crates that have unsafe code - which includes Actix, the most popular web framework, because unsafe code allows things like deferencing raw pointers.

                                                                                                          I can’t help but think calling the unsafe keyword unsafe was a potential marketing error. Actually, within the rust community it helps to keep the portions of unsafe -marked code lower.

                                                                                                          But many people short circuit to the conclusion that code with the unsafe keyword must be, indeed, unsafe. Maybe, they should think of it as expert or free code that relaxes some constraints (and by far not all, you have still more checks than in normal C++).

                                                                                                          In terms of Rust unsafe, Java/ruby is full of unsafe code since some crucial safety guarantees in these languages are weaker. Obviously, there is a lot of unsafe rust code in the Rust std lib and especially in low level libraries. If this code is carefully vetted, this is all good. Rust allows you to focus extra attention on the small blocks of unsafe code.

                                                                                                          Will I avoid unsafe code when I can? Yes. Should popular libraries make prudent use of unsafe if it results in large benefits? Absolutely. Is that dangerous? Not more than in other languages without these restrictions but yeah, it requires great care that you can avoid if you avoid unsafe.

                                                                                                          1. 8

                                                                                                            It’s an especially annoying considering that performance-critical parts can always be written in unsafe ways, GC’d language or not. A prime example is uwsgi for Python.

                                                                                                            1. 5

                                                                                                              @matklad Thank you for pointing out weak parts in my post. I wanted to post this as a separate reply to your reply but lobste.rs prevents me from multiple replies in short succession??

                                                                                                              Having to mark certain snippets of code as unsafe is a great tool – that not all languages have. The less unsafe you use, the easier it is to achieve the security, of course, without being a genius or having lots of people helping out.

                                                                                                              We agree that unsafe code should be avoided and carefully weight against advantages. I personally thing that well-reviewed libraries are a good place for unsafe code with huge performace benefits: crossbeam, …

                                                                                                              To quote from async-std security:

                                                                                                              Writing a highly perfomant async core library is a task involving some instances of unsafe code.

                                                                                                              To clarify my remarks on the comparison to “GC’d languages”:

                                                                                                              A) The quote compares safety of Rust to “GC’d” languages and says that Rust is maybe less unsafe because it uses “unsafe” code in its libraries.

                                                                                                              I’d argue that there is no completely “safe” web app stack in any language that I am aware of. (and then you’d have to deal with compiler errors, operating systems, …)

                                                                                                              If you look at NodeJS or Ruby on Rails, the interpreters and the HTTPS stacks contain lots of native code that isn’t verified by a smart compiler for safety guarantees. Correct me if my assumptions are wrong. I’d not be surprised if a Rust web app with actix contained a lot less “unsafe” code (in the Rust meaning) than an app built with these other stacks.

                                                                                                              Of course, maybe more importantly, counting unsafe code lines is only a proxy argument because we cannot measure security: One line of unsafe code can destroy the safety of the whole application in crucial ways as can a compiler or std library bug. And a library like actix with six usages of unsafe could be completely secure. Or not.

                                                                                                              B) I didn’t say what I meant with “crucial safety guarantees”, it was misleading. What I had in mind was more than only basic memory safety. The initial quote was about security. The argument was that Rust was less secure than “GC’d’ languages. I don’t believe that Rust code is usually less secure than that of GC’d languages and the expressive type system and guarantees that go beyond basic memory safety contribute to that.

                                                                                                              I hope that makes sense. I wish I could make my point clearer in less words ;)

                                                                                                              1. 5

                                                                                                                Thanks for the clarification! I think we are in a broad agreement here. In a narrow sense, unsafe is a sharp tool, easily misused, and dangerous even in the hands of an expert. However, it does improve the overall system’s security.

                                                                                                                I violently agree with your point about full-stack safety of web apps. On the one hand, Rust’s unsafe (unlike Python’s ctypes) is available to “application programmer”, and pulls in the less safe direction. On the other hand, safe Rust is available to “systems programmer” (which again is unlike ctypes), and this massively improves the safety of lower levels of the stack, which feels like a bigger deal.

                                                                                                                I also agree that Rust’s other type-system niceties improve application level correctness (and hence security) in comparison to current crop of popular static or dynamic languages.

                                                                                                                That being said, I expect in the web domain specifically, application-level security (csrf tokens, protection against SQL injection, not storing passwords in plain text, etc) is a relatively bigger issue than execution-environment security. And here I expect a lot depends on maturity. I am not an expert in web dev, and, at this point I think I’ll be able to develop overall more secure web app with Django, as that should be much more hardened against misuse by web-security-naive programmers.

                                                                                                                1. 1

                                                                                                                  Interesting point about what is “available” to the “application programmer.” I guess the “available” is in terms of convenience and just writing unsafe somewhere is very convenient.

                                                                                                                  I, for myself, was never tempted to use unsafe but I neither wrote a low-level lib nor should I assume that I am the standard… I might be overcareful. And I can already shoot myself in the foot with misunderstanding atomic variables in safe code already ;)

                                                                                                              2. 4

                                                                                                                But many people short circuit to the conclusion that code with the unsafe keyword must be, indeed, unsafe.

                                                                                                                The short-circuiting might be wrong, but I personally don’t disagree with the conclusion. Unsafe code is hard, even widely battle tested things like SmallVec get CVEs. So, in practice, rust with unsafe does have memory safety issues due to bugs (although it’s important to keep in mind that Rust CVE have a somewhat lower bar, as theoretical, and not only practical, unsoundness counts).

                                                                                                                In terms of Rust unsafe, Java/ruby is full of unsafe code since some crucial safety guarantees in these languages are weaker.

                                                                                                                I am not sure I exactly understand what you are saying here. I think I agree with the general idea, but I disagree with the specific wording. In the context of Rust, unqualified safe/unsafe refers to memory safety, and, in terms of memory safety, Rust, Ruby, and Java are roughly equivalent (roughly because there’s extensions/ffi/native runtime angle). Things like iterator invalidation are not covered by the safety terminology.

                                                                                                                1. 9

                                                                                                                  Frankly, if we hadn’t had years of the Rust Evangelion Strike Force shitting on C and C++ for their use of unsafe pointers and whatnot, this might fly.

                                                                                                                  This charity wasn’t extended to references and some of the nice pointer types in C++ that solve memory safety issues, so why should we give unsafe a pass now?

                                                                                                                  Sorry your language doesn’t actually match its marketing.

                                                                                                                  1. 24

                                                                                                                    Your ax grinding is absurd. It is possible to entertain two different problems simultaneously:

                                                                                                                    • People get too excited about new technology like Rust and oversell its benefits by stating misleading things like “Rust can’t have memory safety bugs.” (I personally have been pretty consistent and vocal about clarifying this particular point.)
                                                                                                                    • People get too curmudgeony and undersell Rust’s benefits by pointing to existence of unsafe as proof positive that Rust is no better than [insert other language here].

                                                                                                                    Really, it’s not difficult to see how both of these problems can exist simultaneously. Just because the first exists doesn’t mean we can’t also talk about the second.

                                                                                                                    Your consistent anti-RESF ax grinding is really just as bad as RESF zealots, if not worse. And yours has been going on for years too.

                                                                                                                    1. 7

                                                                                                                      You didn’t say a damn thing when the user I replied to said “oh ho ho Rust is no less safe than Java or Ruby, if you just vet the code”. This is the same argument as neckbeards going “C is safe if you just write the code carefully!”. It’s pretty obvious when you give a pass to one but not the other.

                                                                                                                      Again, for context:

                                                                                                                      In terms of Rust unsafe, Java/ruby is full of unsafe code since some crucial safety guarantees in these languages are weaker. Obviously, there is a lot of unsafe rust code in the Rust std lib and especially in low level libraries. If this code is carefully vetted, this is all good.

                                                                                                                      Kettle meet pot, and you’re experienced enough (grats on ripgrep) that you should know when shilling is happening.

                                                                                                                      Anyways: my grinding has been consistent, for years, because the RESF has been obnoxious, for years.

                                                                                                                      I have observed no patterns of this behavior behind other C/C++ replacements. The D folks are underappreciated and chill. The Zig people don’t spam message boards and bug trackers asking to rewrite things in Zig. The Nim community, to my observation, don’t show up in every comment section to talk about how impossible is is to write safe software in C and how Nim is the answer, every time C shows up. Go people seemingly are too busy shipping useful utilities to even talk very much about Go being better than C–even at the height of Google’s shilling of it.

                                                                                                                      And every time this gets brought up, people like you show up to motte-and-bailey it and go “oh no no, who are those other ruffians, we’re just a kind and inclusive and loving community, oh we’d never say anything bad about another language, perish the thought!” This is a real problem, and just because y’all either can’t or won’t acknowledge it doesn’t mean the damage hasn’t been done to people outside your blessed tribe.

                                                                                                                      ~

                                                                                                                      The hell of it is, I think Rust is a neat language with some neat features. I think it has some cool things going for it, even though the Rust talking-point bingo is predictable (almost as much as Elixir bingo). I can list the ideas I like from it, and if my workflow looked like it needed Rust more than what I’m already doing, I’d be excited to switch.

                                                                                                                      I just don’t like a community whose evangelism seemingly requires pervasive and persistent propaganda and, at times, lying. It shows a lack of moral character and engineering rigor that makes me concerned for the long-term health of the ecosystem.

                                                                                                                      1. 12

                                                                                                                        You didn’t say a damn thing when the user I replied to said “oh ho ho Rust is no less safe than Java or Ruby, if you just vet the code”.

                                                                                                                        Because that isn’t a sensational thing to say? It’s nowhere near the same as the “neckbeard C programmer” you alluded to.

                                                                                                                        Kettle meet pot, and you’re experienced enough (grats on ripgrep) that you should know when shilling is happening.

                                                                                                                        Anyways: my grinding has been consistent, for years, because the RESF has been obnoxious, for years.

                                                                                                                        Is this some kind of joke? And you aren’t obnoxious? If that isn’t the kettle calling the pot black, then I don’t know what it is.

                                                                                                                        It’s one thing to respond and clarify things said by the “RESF” (and other claims made by zealots), but you go far beyond that and consistently engage in this meta flame war.

                                                                                                                        I have observed no patterns of this behavior behind other C/C++ replacements.

                                                                                                                        Well, what patterns of behavior have you observed among C/C++ programmers? The D, Nim and Zig communities aren’t nearly as big as Rust’s. And Go doesn’t really bring any new big ideas to the mainstream, so I really wouldn’t expect people to get that excited about it. That’s a feature of Go IMO. You also have immense pressure against talking about Go anyway, lest you be shouted down by PL zealots. (Zealots zealots everywhere, yet you seem to love to grind against one particular group in particular. How… obnoxious?)

                                                                                                                        And every time this gets brought up, people like you show up to motte-and-bailey it and go “oh no no, who are those other ruffians, we’re just a kind and inclusive and loving community, oh we’d never say anything bad about another language, perish the thought!” This is a real problem, and just because y’all either can’t or won’t acknowledge it doesn’t mean the damage hasn’t been done to people outside your blessed tribe.

                                                                                                                        Given that I’m a moderator in the Rust community and that I have shut down PL flame war discussions in official Rust spaces, it would be pretty weird of me to say that we never say anything bad about another language, now wouldn’t it?

                                                                                                                        And it has been acknowledged. That’s why I always do my best to clarify claims that are too bold. Do I get every single one? No. But then again, I don’t spend my time responding to every single one of your ridiculous comments either.

                                                                                                                        I just don’t like a community whose evangelism seemingly requires pervasive and persistent propaganda and, at times, lying. It shows a lack of moral character and engineering rigor that makes me concerned for the long-term health of the ecosystem.

                                                                                                                        This is a giant load of conspiracy-like bullshit. For someone who is so keen to call out bullshit and shilling, you sure do like to sling a lot of it yourself.

                                                                                                                        1. 8

                                                                                                                          I’m not sure the community is actively funded to evangelize. Could it just be that using rust makes people want to share their enthusiasm?

                                                                                                                          1. 2

                                                                                                                            It’s certainly possible. Maybe people just really liked Java, C#, and Go too.

                                                                                                                          2. 6

                                                                                                                            You didn’t say a damn thing when the user I replied to said “oh ho ho Rust is no less safe than Java or Ruby, if you just vet the code”. This is the same argument as neckbeards going “C is safe if you just write the code carefully!”. It’s pretty obvious when you give a pass to one but not the other.

                                                                                                                            I mean, yes? @burntsushi is a member of the Rust community, of course it’s going to bother him a bit more when someone like you is attacking that community vs someone in that community (politely!) making a debatable claim. That’s basic human social skills, not him being a hippocrite.

                                                                                                                            Kettle meet pot, and you’re experienced enough (grats on ripgrep) that you should know when shilling is happening. […] And every time this gets brought up, people like you show up to motte-and-bailey it and go “oh no no, who are those other ruffians, we’re just a kind and inclusive and loving community, oh we’d never say anything bad about another language, perish the thought!” This is a real problem, and just because y’all either can’t or won’t acknowledge it doesn’t mean the damage hasn’t been done to people outside your blessed tribe.

                                                                                                                            I know you’ve been trying to be less angersock and more friendlysock, so I’m just going to say this straight: you’re being an obnoxious jerk right now.

                                                                                                                            1. 4

                                                                                                                              Agreed. This is like mom and dad fighting. Both are respected members of the community. Obviously it’s okay to disagree, but I expect both to be examples of what it means to be a good citizen.

                                                                                                                              I have a bias here. However my commentary should be applied broadly. Let’s demonstrate an eagerness to give each other the benefit of the doubt. Our community is known for being effective and compassionate regardless of disagreements. I’m committed to that because of lobster leaders like you have both demonstrated that it works here.

                                                                                                                              Thank you both for being candid. I look forward to the constructive conversation this exchange will lead to.

                                                                                                                              1. 2

                                                                                                                                Yeah, again, sorry for setting a bad example. :(

                                                                                                                              2. 2

                                                                                                                                I know you’ve been trying to be less angersock and more friendlysock, so I’m just going to say this straight: you’re being an obnoxious jerk right now.

                                                                                                                                Yeah, you got me there–fair point. I’ll go cool off.

                                                                                                                          3. 1

                                                                                                                            I totally agree. There’s more than a little bit of trying to have it both ways here, and observers are too smart for that.

                                                                                                                          4. 1

                                                                                                                            I can’t help but think calling the unsafe keyword unsafe was a potential marketing error.

                                                                                                                            Isn’t there a comparison to unsafe in C#? The same arguments were made back in the early 2000s about that and it made for many tirades and comments.

                                                                                                                            I think Rust user’s domain requirements might provide longevity to the use of unsafe, it has disappeared from discussions in the C# space. It’s to the point where many C# programmers would give you a puzzled look if you mentioned unsafe existed.

                                                                                                                          1. 6

                                                                                                                            The post from @chobeat is something I agree with in terms of the bigger picture that is being missed by a mile. Analogies like those presented are flawed and ultimately damage our industry.

                                                                                                                            They had been forced to learn to program computers without the luxury of endless computer time. Many years later, when he had plenty of computer time, Serge still wrote out new programs on paper before typing them into the machine …snip… Good Russian programmers, they tend to have had that one experience at some time in the past—the experience of limited access to computer time.

                                                                                                                            This is written like there is something special about being Russian. The truth is that many programmers learned to write code in this fashion. Distribution of programmers with this experience would vary globally and with time period. In the mid-90s, I was taught by a curmudgeon how to program with this method in the UK. I’d expect that the best programmers from the US, Asian, and Europe of different ages had a similar experience at a different time. This method is only compatible with some personality types, so it’s never going to remain the pervasive method when alternatives exist.

                                                                                                                            So, there is nothing special about being Russian in the general case when it comes to knowing this technique. That said, at certain times, Russian programmers may have been in demand in particular areas. For example, the wisdom at a certain time might have been that you could get “inexpensive programmers with solid mathematical foundations easily from Russia.” This is really inappropriate and biased.

                                                                                                                            The result however, is that you have concentrations of developers who recommend former colleagues further reinforcing the cycle. This pattern has happened with immigration in the US many times over the history. Sponge diving in Florida brought many Greeks to the US. Greeks were considered to be the best at that, but other than having experience, what makes a Greek person explicitly suited to the task? The common pattern is that there is a person that can be exploited for money, even though life in the US may be better than that in Russia, or Greece for that matter.

                                                                                                                            I was curious what your thoughts were about this - in this specific case (computer time) and in general (any other tooling that has made programming more accessible)? Is Serge right or wrong about this?

                                                                                                                            Every industry suffers from this same pattern because as soon as something is profitable it brings more people to the field. Competition is good, especially at the top level because it really drives a field forward. More and more so-called menial jobs are created as programmers move on to more prestigious roles and don’t want to do mundane work.

                                                                                                                            The experienced programmers realise that their work can be the basis for new software, so they create tools that empower those without experience. That’s the whole point of better tools.

                                                                                                                            We have some other forces at work which I won’t go into at length. We’ve got software becoming applicable in many more areas where it wasn’t feasible before. We don’t really have a surplus of programmers either. Our industry doesn’t really represent our society as a whole. Society will force the industry to change rather than the other way round.

                                                                                                                            1. 3

                                                                                                                              I do agree that the reasons given for why Russian programmers are better are probably not the actual reasons, but there is truth in the fact that a lot of Russian programmers have good theoretical knowledge. Russia has been dominating in programming competitions over the last couple of decades (14 wins in ICPC over the last 20 years) and have a strong competitive programming tradition in general. Looking into the courses of Russian universities, I can see that they place a lot more importance for theoretical topics than the western ones. I don’t think that a blanket statement “Russian programmers are better” is correct, but there might be some truth in “Russian programmers have better theoretical knowledge”.

                                                                                                                              1. 4

                                                                                                                                ICPC/Olympiad type competitions are national programmes in Russia and other post-Soviet states. Typically all urban high schools participate. School level winners are groomed for city competitions, city competition winners for local, then regional, then national, culminating in international competitions.

                                                                                                                                The teachers of winning students are paid a premium and the students have a chance of simplified enrolment into better universities, so incentives are in place. Hence comparing this industrialized effort to largely amateur act in the West is not entirely fair. The whole mother Russia was combed with a fine brush, repeatedly, for these 14 medals.

                                                                                                                                1. 1

                                                                                                                                  I know all of this. But to win those competitions, you have to have good theoretical knowledge. So the teachers are more incentivized to tech them the theoretical knowledge. Hence, the “Russian programmers have better theoretical knowledge”. It’s not about how fair is it to compare the results of the competitions or such. It’s about how much they teach it there. And they teach it a lot more.

                                                                                                                                  1. 3

                                                                                                                                    There’s a huge difference in how they teach their competition potential (with region’s best teachers holding training seminars for the talent), and “ordinary” students. Hence “Russian programmers have better theoretical knowledge” is incorrect. “Russian programmers who were groomed for competition have better training” is more like it, and it’s only a subset of Russian programmers in general.

                                                                                                                            1. 1

                                                                                                                              I wanted to stop using my phone for video calls, so I also went researching. The linux information I found was confusing, so I just took a leap and ordered the Logitech Brio. I hooked it up with USBC. It took me a couple of hours to understand UVC, but in the end it works just fine in 1080p. It’s supposed to do 4k, but I don’t really care about streaming that kind of quality.. most of the people on the other end are on phones or laptops that aren’t 4k. I had some Jabra Elite 75t Active earbuds sitting around, and that was a waste of time. The Jabra subreddit is imformative on the brand. Linux support for bluetooth profiles with mic support is severely lacking and seems stuck in arguments. The brio presents it’s mics in two ways, one showing up as SPDIF. Choosing that and doing a little tuning with someone on the other end of the call settled it. Viber (I have to.) doesn’t let you choose the video resolution anyway. I can mute myself when I’m not talking if it’s not just one-to-one. Ubuntu 20.04.

                                                                                                                              1. 1

                                                                                                                                Jabra Elite 75t Active earbuds sitting around, and that was a waste of time.

                                                                                                                                I’m curious if you tried with one of their Link adapters, or not? They had some discounts on Amazon, but I want to try with one of their Link 380 adapters. Based on what I’ve read on the Jabra subreddit, the use of one of those adapters with the consumer headphones and earbuds will make an improvement (although it’s unsupported.)

                                                                                                                                1. 1

                                                                                                                                  Well, mine won’t firmware update, and it seems to be a common problem. Reading the subreddit gave me an idea that there are lots of such issues and their usual resolution was to defer the conversation somewhere private and offer warranty replacement. That isn’t viable for me. They’re sold as bluetooth earbuds and shouldn’t need a special dongle. If I replace them I’m looking at Sony or Bose.

                                                                                                                              1. 13

                                                                                                                                I know you are looking for tools and techniques you can just deploy, but ultimately many people with these issues are better in invest in therapy to understand and deal with the behaviour.

                                                                                                                                You may see it impacting your programming, but this is likely only one example of it. We all suffer from varying degrees of mental issues and programmers need their minds operating as optimally as possible. There are lots of blog posts espousing exercise for the sedentary programmer because it’s an important aspect of health. Few directly mention anxiety, depression, etc which we are not immune from as programmers. In fact, we are going to be hurt because our minds are so important to our work.

                                                                                                                                I wouldn’t have guessed some of my behaviour was driven by anxiety because I didn’t understand these disorders and thought it only manifested in very big ways (and that it couldn’t be me.) I was very apprehensive about talking to a therapist, but I eventually reframed it as a performance optimisation versus a recovery. I now have some tools and techniques for dealing with it, but the main part was recognising when it was kicking in.

                                                                                                                                I would caution against life, or exec coaches, because you need someone who can properly diagnose a health issue. Some therapists work with executives, sports people, and the like. They are good ones to seek out. Finding the right therapist take some time.

                                                                                                                                1. 4

                                                                                                                                  Tools/life-hacks and therapy are both valuable, and synergistic. (Medication may help too.) I have ADD and mild anxiety, so I know whereof you all speak. I am pretty sure that ADD is very common among coders: hyperfocus is a very useful skill, as is the drive to keep bouncing around trying and learning new things. But there are downsides to it too. No one should feel a stigma about seeing a therapist — I think of it like debugging my mind, or getting a brain massage.

                                                                                                                                  Personally, I haven’t needed to take measures to prevent myself from web-surfing during work. I usually find it more of a helpful break, between bouts of focusing. But we’re all different. I do agree that Dash is enormously useful as a fast way to look up docs on anything.

                                                                                                                                  The main life-hack I use is an app called BreakTime that blocks the entire screen for one minute every 30 minutes (configurable) so I can stretch, wiggle my wrists, focus my eyes on something distant.

                                                                                                                                  1. 2

                                                                                                                                    I seek stimulation - both interesting or easy to digest information fills the requirement.

                                                                                                                                    Information is my drug of choice and the internet is a very well designed supplier. I deal with the addiction by adding enough friction between me and the reward. As long as I can finish my work I’m fine. This isn’t going to go away by talking to someone.

                                                                                                                                    1. 1

                                                                                                                                      Metta meditation is a great way to address anxiety.

                                                                                                                                    1. 4

                                                                                                                                      Really cool to see this, but it’s not an entirely new concept. Code Co-Op (Wikipedia article) was the first P2P source control tool I used.