1. 7

    I jumped on the K8s train moderately early, and have since jumped right back off owing to the rapidly accelerating unnecessary extra complexity.

    I’m sympathetic to the idea that enterprise requires a sometimes bewildering array of configuration options, and that the usual array of systems-screwer-uppers (e.g., Red Hat, IBM) were naturally going to show up to the party to try to increase consultant billing time, but man did that thing get messy and confused in a hurry. It almost makes you sympathize with the go development philosophy.

    1. 3

      It feels like the K8s train replaced the OpenStack train.

      1. 2

        Now consider that there are organizations that deploy OpenStack on a hypervisor, then kubernetes on that openstack :)

      2. 2

        LOL I couldn’t agree more. “systems-screwer-uppers” I hadn’t heard that before. beautiful turn of phrase!

      1. 2

        Why do we even tolerate a closed-source, proprietary text editor in the XXI century?

        1. 10

          Nobody’s holding a sword to your throat and forcing you to use it.

          1. 7

            You might want that intolerance looked at, it sounds like it’s reducing your quality of life.

            1. 3

              Could you elaborate? I wouldn’t say most ST users are tolerating anything. They are in fact enjoying the experience with the editor, perhaps more than an open source editor. Unless you are one of the small minority who are forced to use an extremely esoteric development setup you have some degree of choice in how you work, which might even include using a proprietary editor if that’s what you prefer. FWIW I think ST has actually jump-started some of the wider interest and innovation in text editors in recent years.

              My personal favourite closed-source editor is EmEditor (https://www.emeditor.com/). If I need to work in a Windows environment, it’s the first software I install, but it’s not the editor that I spend most of my time coding in. I often have to deal with huge CSV and other text files which the developer specializes in handling. They added features for opening CSV files in an Excel-like way which is a huge boon if you need that. It can open Visual Studio solutions and is extremely fast. It lacks all of the useful plug-ins that editors I prefer to code with have, but it really knows its niche. Perhaps there are equivalent capabilities with other open source products, but it doesn’t seem a problem that these proprietary products exist and innovate.

              1. 3

                The dude might need money.

                1. 4

                  Being paid to program? gasps Only I’m allowed to do that.

              1. 1

                I’m going to PyCon US next week. It’s now much bigger than my first in 2008, but I’ve always gotten a lot from it. I’ve even got some PyCon friends from around the world and we only meet there. A while ago the conference made the headlines for some of the wrong reasons, but it is generally a very well run conference with a team who try to make everyone feel welcome.

                Last October I attended PyGotham in New York. As @srbaker noted elsewhere in this thread, small conferences of 100-300 attendees are a sweet spot for learning. I found this to be the case with PyGotham, although the costs of travel and nights in NYC can be expensive.

                Most of my conference attendance has been something I’ve paid for. As a contractor, I never wanted something to be held over me, but it forced me to be picky and try out a number of different types and sizes of conferences. Over my career I’ve gotten more out of conferences that cost under $700 per ticket.

                The quality of sessions, and to some degree the hallway conversations, at the $1500+ conferences has been so variable that I don’t feel like they are worth attending. Plus, these are often happening right in the middle of the week which is inconvenient if work isn’t supporting you. It also allows time for a little sightseeing around the conference when it runs up to a weekend.

                My wife spoke very highly of Strange Loop, so I might give that a go soon. The cost and the days of the week for the event are aligned with what I prefer too.

                Does anyone know of smaller security conferences?

                1. 24

                  “There are a lot of CAs and therefore there is no security in the TLS CA model” is such a worn out trope.

                  The Mozilla and Google CA teams work tirelessly to improve standards for CAs and expand technical enforcement. We remove CAs determined to be negligent and raise the bar for the rest. There seems to be an underlying implication that there are trusted CAs who will happily issue you a google.com certificate: NO. Any CA discovered to be doing something like this gets removed with incredible haste.

                  If they’re really concerned about the CA ecosystem, requiring Signed Certificate Timestamps (part of the Certificate Transparency ecosystem) for TLS connections provides evidence that the certificate is publicly auditable, making it possible to detect attacks.

                  Finally, TLS provides good defense in depth against things like CVE-2016-1252.
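                  An added example, not written by the commenter above: a small parser for the TLS SignedCertificateTimestampList structure (RFC 6962 section 3.3) plus an assumed client-side acceptance policy (at least two SCTs from distinct trusted logs, none dated in the future), which is the check that turns "the server sent SCTs" into "this certificate is publicly auditable". The log IDs are constructed placeholders, and verifying each SCT's signature against the log's public key is left out.

```python
"""Parse a TLS SignedCertificateTimestampList (RFC 6962 section 3.3) and
apply a simple acceptance policy before treating a certificate as
publicly auditable. Example code; log IDs and policy are assumptions."""
import struct
from dataclasses import dataclass

# Constructed placeholder log identifiers for offline use; real clients
# ship a curated list of log keys and check each SCT signature with them.
LOG_A = bytes([0x11]) * 32
LOG_B = bytes([0x22]) * 32
TRUSTED_LOG_IDS = {LOG_A: "example-log-a", LOG_B: "example-log-b"}


@dataclass
class SCT:
    version: int
    log_id: bytes
    timestamp_ms: int
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes


def _read_u16_prefixed(buf: bytes, off: int):
    """Return (value, new_offset) for an opaque<0..2^16-1> TLS vector."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated vector")
    return buf[off:off + n], off + n


def parse_sct(raw: bytes) -> SCT:
    """Decode one serialized v1 SignedCertificateTimestamp."""
    if len(raw) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = raw[0]
    if version != 0:  # RFC 6962 defines only v1, encoded as 0
        raise ValueError(f"unsupported SCT version {version}")
    log_id = raw[1:33]
    (timestamp_ms,) = struct.unpack_from("!Q", raw, 33)
    extensions, off = _read_u16_prefixed(raw, 41)
    if off + 2 > len(raw):
        raise ValueError("missing SignatureAndHashAlgorithm")
    hash_alg, sig_alg = raw[off], raw[off + 1]
    signature, off = _read_u16_prefixed(raw, off + 2)
    if off != len(raw):
        raise ValueError("trailing bytes after signature")
    return SCT(version, log_id, timestamp_ms, extensions,
               hash_alg, sig_alg, signature)


def parse_sct_list(blob: bytes) -> list:
    """Decode the outer list: u16 total length, then u16-prefixed SCTs."""
    body, off = _read_u16_prefixed(blob, 0)
    if off != len(blob):
        raise ValueError("trailing bytes after SCT list")
    scts, off = [], 0
    while off < len(body):
        raw, off = _read_u16_prefixed(body, off)
        scts.append(parse_sct(raw))
    if not scts:
        raise ValueError("empty SCT list")
    return scts


def sct_policy_ok(blob: bytes, now_ms: int, min_logs: int = 2) -> bool:
    """Assumed policy: >= min_logs SCTs from distinct trusted logs and no
    SCT dated in the future. A real client must also verify each SCT's
    signature with the log's key; a malformed list is rejected outright."""
    try:
        scts = parse_sct_list(blob)
    except ValueError:
        return False
    accepted_logs = set()
    for s in scts:
        if s.log_id not in TRUSTED_LOG_IDS or s.timestamp_ms > now_ms:
            continue  # unknown log or post-dated SCT: ignore it
        accepted_logs.add(s.log_id)
    return len(accepted_logs) >= min_logs


def build_sct(log_id: bytes, timestamp_ms: int,
              signature: bytes = b"\x30\x00") -> bytes:
    """Serialize one v1 SCT; used here only to construct sample input."""
    return (b"\x00" + log_id + struct.pack("!Q", timestamp_ms)
            + struct.pack("!H", 0)                 # no extensions
            + bytes([4, 3])                        # sha256 (4), ecdsa (3)
            + struct.pack("!H", len(signature)) + signature)


def build_sct_list(scts: list) -> bytes:
    body = b"".join(struct.pack("!H", len(s)) + s for s in scts)
    return struct.pack("!H", len(body)) + body


# Constructed sample inputs (not captured from any real handshake).
NOW_MS = 1_700_000_000_000
GOOD = build_sct_list([build_sct(LOG_A, NOW_MS - 1000),
                       build_sct(LOG_B, NOW_MS - 2000)])
SAME_LOG_TWICE = build_sct_list([build_sct(LOG_A, NOW_MS - 1000),
                                 build_sct(LOG_A, NOW_MS - 500)])
POST_DATED = build_sct_list([build_sct(LOG_A, NOW_MS - 1000),
                             build_sct(LOG_B, NOW_MS + 60_000)])

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("same-log-twice", SAME_LOG_TWICE),
                       ("post-dated", POST_DATED)]:
        print(f"{name}: accept={sct_policy_ok(blob, NOW_MS)}")
```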

                  1. 13

                    Any CA discovered to be doing something like this gets removed with incredible haste.

                    WoSign got dropped by Mozilla and Google last year after it came to light that they were issuing fraudulent certificates, but afaict there was a gap of unknown duration between when they started allowing fraudulent certs to be issued and when it was discovered that they were doing so. And it still took over six months before the certificate was phased out; I wouldn’t call that “incredible haste”.

                    1. 2

                      I’m not sure where the process is, but if certificate transparency becomes more standard, I think that would help with this problem.

                    2. 5

                      TLS provides good defense in depth against things like CVE-2016-1252.

                      Defense in depth can do more harm than good if it blurs where the actual security boundaries are. It might be better to distribute packages in a way that makes it very clear they’re untrusted than to additionally verify the packages if that additional verification doesn’t actually form a hard security boundary (e.g. rsync mirrors also exist and while rsync hosts might use some kind of certification, it’s unlikely to follow the same standards as HTTPS. So a developer who assumed that packages fed into apt had already been validated by the TLS CA ecosystem would be dangerously misled).

                      1. 5

                        This is partly why browsers are trying to move from https being labeled “secure” to http being labeled “insecure” and displaying no specific indicators for https.

                        1. 1

                          e.g. rsync mirrors also exist and while rsync hosts might use some kind of certification, it’s unlikely to follow the same standards as HTTPS

                          If you have this additional complexity in the supply chain then you are going to need additional measures. At the same time, does this functionality provide enough value to the whole ecosystem to exist by default?

                          1. 5

                            If you have this additional complexity in the supply chain then you are going to need additional measures.

                            Only if you need the measures at all. Does GPG signing provide an adequate guarantee of package integrity on its own? IMO it does, and our efforts would be better spent on improving the existing security boundary (e.g. by auditing all the apt code that happens before signature verification) than trying to introduce “defence in depth”.

                            At the same time, does this functionality provide enough value to the whole ecosystem to exist by default?

                            Some kind of alternative to HTTPS for obtaining packages is vital, given how easy it is to break your TLS libraries on a linux system through relatively minor sysadmin mistakes.

                      1. 1

                        Sendgrid have offers with at least one cloud provider (https://azuremarketplace.microsoft.com/en-us/marketplace/apps/SendGrid.SendGrid?tab=PlansAndPrice) that might cover your requirements. You didn’t say how many emails you need to send.

                        1. 12

                          As a Linux user, I don’t really care, because I’ve lived with the knowledge that my screen locker (whatever the local DE’s substitute for xscreensaver is) has been totally busted(*) for years without it really bothering me.

                          (* by which I mean, multiple times it has manifested security vulns wherein mashing randomly on the keyboard for a bit would crash the screen locker and unlock the screen)

                          Something something if you have access to the hardware you can just futz with it anyway.

                          1. 5

                            Something something if you have access to the hardware you can just futz with it anyway.

                            A critical difference here is that “you can futz with the hardware” is something you’d need at least some knowledge and some equipment to do, not necessarily much of each, but you need to know what you’re doing.

                            You can fit the instructions for this exploit in a single tweet.

                            1. 2

                              Very much this, but:

                              You can fit the instructions for this exploit in a single tweet.

                              That has also been the case for many other exploits of that kind, independent of operating system, with or without a graphical shell.

                              Screen locking seems to be a surprisingly nasty problem, even all smartphone platforms have had similar issues.

                            2. 4

                              This one is accessible remotely.

                              1. 3

                                Oh, it is? The exploit described here sounds like you need local access. This is interesting.

                                Is it exploitable via RDP or VNC or something if you have screen sharing turned on, and if so do you need to log in as an ordinary user account first?

                                1. 3

                                  Screen sharing is indeed the remote exploit vector, [1] [2]. You don’t need to log in as an ordinary user account first.

                                  1. 3

                                    Does Remote Login allow SSH’ing in as root? I’m not familiar with the default macOS config.

                                    1. 2

                                      I don’t know, but you could enable it pretty trivially.

                                      1. 1

                                        I did try after enabling SSH to “All Users” and it didn’t allow me to log in as root.

                                      2. 2

                                        Thank you for elaborating. Yeah that’s genuinely scary. Good reason to leave screen sharing turned off I guess. :x

                                  2. 3

                                    Another reason to consider a Wayland compositor? I’ve got Wayland and Weston with xwayland compatibility running on my media PC right now. Seems to work pretty well.

                                    1. 2

                                      Yeah I’m hoping Wayland fixes this properly by using a protocol for screen locking that is not intrinsically silly like X11’s is. I assume it does (why would Wayland devs bother to copy such an obvious misfeature of X11?), but I haven’t checked.

                                    2. 1

                                      You’re perhaps referring to gnome-screensaver https://www.jwz.org/blog/2015/04/i-told-you-so-again/ ?

                                      How is light-locker’s track-record? KDE’s thing?

                                      I still use xscreensaver on Xubuntu 17.10. I have a feeling jwz has a better track-record than all of the above, but it’s probably not perfect either …

                                      1. 3

                                        Yes. I don’t know about the others’ record but I’d be surprised if it was perfect. xscreensaver can’t do a perfect job here either because it, like any process, could be arbitrarily killed by something like an OOM killer or a hardware bug causing SIGBUS to be emitted in it.

                                        The underlying problem is that X11’s protocol for screen lockers is silly: the screen unlocks when the locker quits for any reason at all. jwz asserts that gnome-screensaver ought to take more care about crash proofing in light of that, which I can’t dispute. Solving the root problem is going to be much more robust anyway though.

                                        The 2004 article on this is much better BTW: https://www.jwz.org/xscreensaver/toolkits.html

                                    1. 14

                                      Lacking a bachelor’s degree affects your career in development in at least one significant way: limiting your salary and promotion potential. Outside “competent” tech companies, Big Dumb Corp (i.e. the rest of the Fortune 500) HR will always use lack of a BS degree (or only an Associates) as reason to offer less salary up front, and lower raises once you’re on staff, and deny promotion. It’s a check box incompetents use because they can’t tell who actually contributes. Some of the best developers I’ve worked with have had no degrees, have been self taught. It’s not right, but it’s what I’ve seen wherever I’ve worked.

                                      1. 6

                                        Another unfortunate but real side effect is many people may be less than thrilled to “work under” you if they have degrees (i.e. self-taught engineer in charge of multiple PhDs).

                                        The only exception is if you are some god authority figure like Linus Torvalds where no one dares to challenge your expertise.

                                        1. 4

                                          That’s a bias too. There is nothing to say that an engineer without a degree cannot do a good job managing a highly credentialed staff. As long as they have humility, know their limits, and are thinking about how to get the best out of someone it should be possible. Lots of research-based organisations don’t have this occurring a lot because the needs of the job (not the people management) require the PhD, but in the tech industry there are lots of PhDs being managed by less credentialed individuals.

                                          1. 1

                                            I agree. The thing is it’s common enough that you will not be able to consistently escape it.

                                        2. 3

                                          True, startups and most tech companies don’t care. Fortune 500, consultancies etc will be harder.

                                          1. 1

                                            I think that is less of a problem outside of the US (And maybe the UK?). I’m not in those countries and have not been to university. I’m doing ok as a developer. I think you just need other ways to show your skills such as a website/blog/github/experience. Once you get your first job (It’s probably not going to be stellar) then all the companies after that will mainly be looking at your experience in the work force.

                                          1. 1

                                            Is this actually a good idea from a security perspective? Simply searching for “SVG parser security” results in some “interesting” results… Although, to be fair, this is more something that a browser implementer should worry about, but this was my reason for not using SVG (anymore) for logos.

                                            1. 2

                                              The browser support and therefore (security) bugs would exist irrespective of whether developers actually use SVG, or not. Similar issues could exist with font handling if a problem exists with that code.

                                            1. 10

                                              We use LaunchDarkly for feature flagging so we can do contained rollouts and testing of new beta features

                                              We use Optimizely for A/B testing

                                              Surely there are libraries for many languages and web frameworks for doing that? For example

                                              I can understand using Pusher (even though there’s a lot of open source self-hosted solutions for that as well), but A/B testing and feature rollout? Why are these things even offered as-a-Service?

                                              I don’t understand this “use 3rd party services for everything” mentality. Downloading a library is easier than creating another goddamn account.

                                              1. 4

                                                They are offered as a service because you have the library wrapping your feature, but can inevitably end up with lots of supporting infrastructure. By supporting infrastructure, I mean things like feature group management, automating roll out of the feature to a larger cohort etc. If your support team needs to replicate a customer issue they might need to be able to report on users that have a feature flag, and ensure they see the exact same feature set too. In many cases you don’t need all this, but some people do.

                                                For others though, having it as a service can be an easy way to adopt feature flags, although in practice they could probably have achieved the same result as your approach. The founders of LaunchDarkly and CircleCI produce a podcast (https://www.heavybit.com/library/podcasts/to-be-continuous/), so it’s unsurprising that they use each other’s products.

                                                1. 2

                                                  I can understand using Pusher (even though there’s a lot of open source self-hosted solutions for that as well), but A/B testing and feature rollout? Why are these things even offered as-a-Service?

                                                  Different companies have differing amounts of engineering resources, different patterns to their revenue (e.g. to hire more engineers… or not), and different levels of legacy cruft in their products. Stemming from these differences, and especially for anything infrastructure- or process-related, the “build vs buy” conversation will also differ greatly between companies.

                                                  I have had this same conversation with people regarding Heroku and SendGrid. That is, I know people who cannot fathom why anyone would need (or want) to pay for that category of PaaS in that way. Meanwhile, I shudder to imagine how much more difficult my company would have had it without them.

                                                  1. 1

                                                    It’s more “download vs buy” here. For trivial stuff like A/B testing and feature flags, integrating a 3rd party service isn’t significantly easier than adding a library.

                                                    Heroku and SendGrid

                                                    That’s why I said “I can understand using Pusher”. That kind of stuff is actual infrastructure that needs maintenance, yeah.

                                                    1. 2

                                                      Curious: What library are you referring to when you mention A/B testing, and what does it provide?

                                                      Followup: Have you used Optimizely? I am not currently a customer, but when I was, I found it impressive. I would not be able to implement the same level of tooling, WYSIWYG DOM editing, analytics integrations and reporting for less money (the cost of my time) than their subscription costs. Not that simpler needs could not be met with a simpler solution, but if you need what they offer, Optimizely is not a service without its value.

                                                      1. 1

                                                        I linked to https://github.com/ankane/field_test in the original comment, of course there are lots more for different web frameworks and stuff.

                                                        WYSIWYG DOM editing

                                                        That sounds horrifying.

                                                        1. 2

                                                          Quick edit: First off, thanks for pointing out the link!

                                                          That sounds horrifying.

                                                          I thought so too, at first, but it’s not.
                                                          Not entirely, anyway. I of course then thought “but what if you’re using some SPA framework?” and, to my surprise, there was an answer for that, and it wasn’t a bad one. I’m speaking beyond my minor experience, but I suspect it messes with load times a bit, and might not be something to layer on top of, say, a Rails app that already struggles with bad load times. But if you’ve already got a snappy site, Optimizely probably isn’t going to hurt, and might make a marketing team feel like they have freakin’ super powers.

                                                          I have seen things like Optimizely and Infusionsoft give marketing teams amazing productivity boosts that the company’s product engineering team would be hard-pressed to match, and arguably shouldn’t try to match. Especially if it would distract them from their central product and serving their primary/external users’ needs better.

                                                          Through quirks of the current labor market, software engineers command higher salaries than rank-and-file-but-sophisticated digital marketers (though at the top-of-the-top they even out). This leads software engineers, myself included, to assume that our higher pay means we are more important to a company’s goals in some absolute sense. This is not true, and if a company happens to have an engineering team of 5, and a marketing team of 20, distracting those 5 engineers to have them build and maintain a tertiary A/B-testing framework that can match Optimizely, versus enabling those 20 marketers to do more in less time, can make the latter look very appealing.

                                                  2. 1

                                                    Feature flagging seems a bit extreme to me.

                                                  1. 4

                                                    So, here’s the thing - I posted a comment around this at the original site / post but it looks as if it’s been deleted.

                                                    The author basically is taking a big old poop all over CircleCI because of token / javascript bleed. Fine, that’s a reasonable potshot to make - BUT what’s not clear to me, and what I asked in my question - is has the author actually done the work to compare and contrast against another hosted CI provider?

                                                    This feels like a lazy smear to me. There are trade offs to be made when you choose to trust your sources to a hosted provider like this, and I am not convinced that CircleCI is doing anything at all untoward here other than needing to do a better job of communicating its dependencies to its users.

                                                    1. 3

                                                      I tend to agree, but in a way you have to question the judgement of the developers when they include so many trackers. I don’t think it’s surprising that someone has latched onto this issue and it can be raised with many products that have a business model that doesn’t rely on advertising. LaunchDarkly might actually be functional compared to the others listed by the author. I see Facebook references blocked by EFF’s Privacy Badger when I log into the product.

                                                      I wonder if these trackers are toggled off when I use a paid version of their product? I think that’s a possible trade-off since they are letting you test the product for free. Toggling these off might result in a loss of analytics data that they wouldn’t want, so there is a vicious circle.

                                                      1. 3

                                                        I used CircleCI in a past job, and it does something pretty unique among SaaS CI vendors - it lets you use an arbitrary number of VMs to run your unit tests.

                                                        So, we were able to halve the amount of time it took our unit tests to run by increasing the number of simultaneous servers running them. When you’re an org dealing with a legacy code base where the test corpus is taking HOURS and HOURS to run, that is some serious bottom line ROI right there.

                                                        They just need to update their comms to VERY CAREFULLY indicate what’s happening and everybody can choose to use them or not. What bugs me about the original post is the slapdash nature of the accusations levied and the lack of any kind of even handedness.

                                                        Also, when I posted my question to the original article, my comment was deleted. Their bat and ball, their rules, but if we’re gonna question judgement or motivation I think we can point the flying fickle finger of fate at this post’s author as well.

                                                        1. 4

                                                          the slapdash nature of the accusations levied and the lack of any kind of even handedness.

                                                          I don’t understand this. What was I supposed to do differently to be “even-handed”? Companies imbue CircleCI with an enormous amount of trust, and they do an incredibly risky thing with that trust. “If I am going to pay you thousands of dollars a month, please don’t build a dashboard where my source code gets stolen if someone hacks Quora.js” seems like a reasonable request. I suppose I could have said “By loading third party Javascript in a secure environment, CircleCI is picking up pennies in front of a steamroller, but in fairness, they do have the pennies.”

                                                          I posted my question to the original article, my comment was deleted.

                                                          I didn’t delete your comment; I manually approve all comments that appear on my website, there should have been a notice above the post that said “Comments are heavily moderated.”

                                                          I haven’t looked at your comment and couldn’t say, but generally I get low quality comments on posts and approving them isn’t really a priority for me.

                                                          1. 0

                                                            Thanks for the clarification. Have you considered simply disabling comments for your blog in that case? Offering them but leaving them in limbo seems like a questionable practice. Your bat and ball, etc.

                                                            1. 2

                                                              Thanks. Occasionally I get a good comment, one that does not describe hours of research and writing as a “lazy smear,” for that reason I like having the option to approve them.

                                                              1. 0

                                                                Would you disagree that calling a particular vendor out for particular problems might warrant citing similar issues with other vendors in the name of even handedness?

                                                                1. 5

                                                                  You called my article a “lazy smear” because there are, supposedly, other CI companies that let arbitrary third party Javascript run in a trusted environment and access CSRF tokens/create API tokens that could result in data compromise, but you’ve provided zero evidence that such companies exist. I can, however, cite many CI tools that do not let arbitrary 3rd party Javascript run in a trusted environment, as Circle does: Phabricator, Jenkins, Gitlab, Travis.

                                                                  Even if they did exist, no, I am under no obligation to cite them. The fact that many people drive drunk is not an excuse for your own decision to drink and drive. You are welcome to do your own research and post your own findings about other companies.

                                                                  1. 3

                                                                    I would disagree. Someone pointed out problems, why should we demand extra work? We should be thankful that someone has pointed out problems.

                                                          2. 1

                                                            I wonder if these trackers are toggled off when I use a paid version of their product?

                                                            No, they are not, everyone gets them, even if you pay them thousands of dollars per month. You can collect analytics data on the server side, and there’s no way a compromise of your server side analytics provider affects the security of my source code.

                                                          3. 3

                                                            This is like complaining that arresting someone for drunk driving is unfair because other people also drive drunk and did not get caught. Across the entire industry companies don’t care enough about third party javascript that runs on secure pages (dashboards, credit card input forms, API token creation, more). It’s a dangerous situation and consumers should demand better. I understand there are tradeoffs to be made letting a third party run CI, but I don’t think that “outsource my company’s source code security to Quora.js” is a reasonable one. I also think those companies overstate the benefit compared to the risks, the benefits are small and immediate, the risks are larger and unquantifiable.

                                                            There are steps they could take to secure important fields - for example, use a different domain for marketing/dashboards, require an HMAC token that the third party Javascripts don’t have access to, but they did not take those steps.

                                                          1. 20

                                                            MVPs are too M and almost never V.

                                                            Then it’s not an MVP.

                                                            1. 5

                                                              Indeed. And the author’s experience is clearly the opposite of my own at a medium sized company where “MVP”s are usually not at all minimal.

                                                              1. 4

                                                                Yeah, in my experience there’s no shortage of people who look at the original MVP spec and say “but surely we can’t show it to people without XYZ?” and by the time they’re through, you end up with triple the requirements, but no additional time budgeted :)

                                                                1. 1

                                                                  It’s hard to get an idea of what “not minimal” is for a medium-sized company. My observation is that you can get into problems once you start making micro-adjustments based on A/B tests, or have to cater for negative impacts to other parts of your product. This happens in larger organizations, but I can see any size of organization getting caught up in their own metrics and approach. Features get cut into smaller and smaller pieces and/or don’t get fully fleshed out later once the original A/B test completes. The feature is less value to the user, but the team feel like they are doing the right thing for the product, and no one may be minding the overall product.

                                                                  1. 2

                                                                    Sure. But I’m talking about things like defining your ideal feature set, selecting half of that and calling it minimal, even if the core functionality is 1/10th of the ideal feature set. My general rule is that if your MVP has a settings or configuration screen, it’s not minimal enough. :-)

                                                              1. 5

                                                                I have thought of going back to school at various points in my career, but I’ve never done it. My degree is in a softer category and not well-respected for hardcore programming type jobs, but I have a good amount of real experience that balances it out a bit.

                                                                I honestly think college is greatly over-valued for most jobs. You already have a job, you already have experience. Why burden yourself with something that may never pay for itself? School is increasingly expensive. Are you going to ever get THAT much more money to justify it?

                                                                I also have the issue of three children who will be looking to start college within the next 8-12 years. Maybe not all will go, but at least one will I’m sure. Why add to that inevitable debt or cause undue stress just for a slip of paper?

                                                                1. 7

                                                                  I think if I were in your situation (BA degree + kids) I would do exactly the same thing. Unfortunately, I think there’s quite an advantage to having any degree over none. This may play into people’s unconscious biases, but I won’t get into that.

                                                                  1. 6

                                                                    I would definitely not go back for a second bachelor’s if you already have a bachelor’s. If I went for anything it’d be a masters. You don’t typically need a CS BSc to do a CS MSc, just evidence that you have enough CS background to be able to handle the courses. If you’ve worked in a tech job that’s probably enough evidence; mostly schools just want to make sure they aren’t admitting people who know nothing at all about computing (e.g. don’t know how to program), since an MSc isn’t going to start from Intro to Programming. Masters courses are also more likely to offer flexible evening/weekend schedules, and some larger tech companies will even cover the tuition.

                                                                    1. 4

                                                                      I’m not sure if other universities in the US are doing this, but the University of Pennsylvania have a programme called MCIT. The “IT” in the title may be a negative signal to some people, but this is a pretty heavy-duty CS course. My wife found it to be very rigorous and the approach was helpful for someone without programming experience. In the UK, it was fairly common (circa 2004) to find various MSc programmes that were termed “conversion courses” intended for individuals without a CS undergraduate degree.

                                                                  1. 1

                                                                    Many years ago when we implemented our CMS, we decided to use urls like example.com/aaaa/bbbb/cccc/dddd (content is structured like a tree). This was a terrible idea (obviously). After we let the users in, not only were they easily creating structures ten levels deep, but also constantly moving and renaming items.

                                                                    At first we tried some clever tricks to navigate users where necessary even after items were moved/renamed, but it was still a terrible pain and had to be rewritten.

                                                                    Now the content is still a tree, but urls are like example.com/language-code/id-name where only the id is important (similar to SO); the name can be whatever (but we redirect you to the proper one if it is not present/wrong). This has worked very well for many years.
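The id-name scheme described above, as an added example (my code, not the commenter's CMS): the path is `/<language-code>/<id>-<name>`, only the integer id is looked up, and a stale or missing name is answered with a redirect to the canonical path, which is also what keeps links working after an item is renamed. The content table and the paths are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed content table for the example (not the commenter's CMS). The
# tree stays internal; the URL carries only the integer id plus a cosmetic name.
CONTENT = {
    42: {"lang": "en", "name": "monday-report"},
    7: {"lang": "de", "name": "wochenbericht"},
}

# /<language-code>/<id>[-<name>]: the id is the only part that is looked up.
PATH_RE = re.compile(r"^/(?P<lang>[a-z]{2})/(?P<id>\d+)(?:-(?P<name>[^/]*))?$")


@dataclass
class Resolution:
    status: int                     # 200 serve, 301 redirect to canonical, 404 unknown
    location: Optional[str] = None  # redirect target when status is 301
    item_id: Optional[int] = None


def canonical_path(item_id: int) -> str:
    item = CONTENT[item_id]
    return f"/{item['lang']}/{item_id}-{item['name']}"


def resolve(path: str) -> Resolution:
    """Map a request path to an item, redirecting stale or missing names.

    Because the lookup key is an integer, a renamed or moved item keeps its
    link, and no user-controlled string is used to walk the content tree.
    """
    m = PATH_RE.match(path)
    if not m:
        return Resolution(404)
    item_id = int(m.group("id"))
    if item_id not in CONTENT:
        return Resolution(404)
    canonical = canonical_path(item_id)
    if path != canonical:  # wrong/missing name (or stale language code)
        return Resolution(301, location=canonical, item_id=item_id)
    return Resolution(200, item_id=item_id)


if __name__ == "__main__":
    for p in ("/en/42-monday-report", "/en/42-old-name", "/en/42", "/en/999-gone", "/a/b/c/d"):
        print(p, "->", resolve(p))
```

A deep tree path like `/aaaa/bbbb/cccc/dddd` falls through the regex and gets a 404 here; in a migration you would add a one-off lookup from old tree paths to ids in front of `resolve`, which is a finite table rather than the change-tracking the follow-up comments discuss.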

                                                                    1. 1

                                                                      The tree structure is nice, but it definitely has limits. Could your system have handled that issue by tracking URL changes so that users could be automatically redirected?

                                                                      1. 2

                                                                        Probably could, but as I said people went crazy with moving and renaming items. Tracking all these changes wouldn’t be impossible, but still at least tedious. The main issue was still super long urls with like ten levels. Actually I was ashamed when sending a link to someone :) We kept the tree structure, but it is mainly for organizing items now.

                                                                    1. 2

                                                                      Was this a response to Discourse in any way? It seems to hit on a few pain points with Discourse such as the boring deployment. For a non-Rails dev, how hard is it to add a custom authentication provider to Thredded so that users from another site don’t need to have a separate logon?

                                                                      1. 3

                                                                        Was this a response to Discourse in any way?

                                                                        Yes. :)

                                                                        For a non-Rails dev, how hard is it to add a custom authentication provider to Thredded so that users from another site don’t need to have a separate logon?

                                                                        That depends. Integrating it with thredded is very easy (you only need to provide a current_user method) but writing it might not be.

                                                                      1. 1

                                                                        Are you planning a feedback mechanism in the site to flag items that are good, or bad? I guess I can skip to the next item, but it’d be nice to leave you some feedback.

                                                                        1. 1

                                                                          I was thinking about something like the kudos button here https://dcurt.is/iphone-introduction-and-my-moment-of-awe but not sure for now

                                                                        1. 15

                                                                          I really doubt that wifi chips will be dropped from phones. At least here in Europe (more specifically: Germany), mobile internet is still volume-capped (after reaching the limit it will drop down to GPRS/Edge speeds) and real infinite flatrates just aren’t available.

                                                                          Usual tariffs start at 1 or 1,5Gb and go up to maybe 15, with prices starting at 10EUR for 3Gb or. Some providers (looking at you, Telekom) are prohibitively expensive and are actually dropping net neutrality (by excluding for example Youtube and their own music streaming) from the data caps.

                                                                          1. 5

                                                                            Any US user who needs to roam will quickly discover the cost reasons to revert to WiFi as much as possible :) I was just in Romania and while getting a local SIM seemed relatively inexpensive, the overall performance for tethering wasn’t great so finding WiFi was a life-saver.

                                                                            I’ve been to Morocco and Turkey and the cellular performance was even patchier. They were using WiFi for all of their streaming needs (which is why I question the other comment about “70% relying on cellular”), but seemed to have more cellular-friendly sites and SMS-based services than we have in the US.

                                                                            1. 4

                                                                              Any US user who needs to roam will quickly discover the cost reasons to revert to WiFi as much as possible :)

                                                                              Not if you switch to Google Fi! They charge the same in every country. Join today and help make Google’s stranglehold on the Internet of today even greater! ;)

                                                                              1. 1

                                                                                You’re right. Even in Germany the mobile internet coverage is spotty at best. You can really only depend on it in bigger cities (but not too big or during sport or other events because then it’ll break down).

                                                                                1. 1

                                                                                  Indeed. We live in (somewhat) rural Germany. 3G reception here is very spotty. If I couldn’t use home Wifi on my phone, I simply wouldn’t buy it.

                                                                                  (Our home connection is 200/20MBit.)

                                                                            1. 20

                                                                              As a long-time pythonista, I hope this stays in a niche somewhere. This is probably a labor of love, but it would only confuse the matter more if a distro actually shipped it.

                                                                              1. 5

                                                                                I doubt they could ship it (at least with the name it currently has) due to trademark issues: https://github.com/naftaliharris/python2.8/issues/47

                                                                                1. 0

                                                                                  As a long-time pythonista

                                                                                  … I can’t wait to package this baby for my distro and start using it in production. May Python3 die a terrible death in the recycling bin of history!

                                                                                  Seriously, though, why would you be afraid of some proper competition? Did you also hope that pypy would “stay in a niche somewhere”?

                                                                                  1. 8

                                                                                    Python 2’s Unicode story sucks. Most ASCII-only developers totally ignore the difference and mix strings and bytes freely, leading to horrible failures when you attempt to use their applications anywhere else in the world. I have had a decent load of issues related to Unicode handling in CKAN and having the sensible defaults of Python 3 would basically prevent all of that.

                                                                                    1. 2

                                                                                      the sensible defaults of Python 3

                                                                                      See http://lucumr.pocoo.org/2014/5/12/everything-about-unicode/ or my favourite comparison - Django’s force_text() function:

                                                                                              import six


                                                                                              def force_text(s, encoding='utf-8', errors='strict'):
                                                                                                  # The bytes/text branch of Django's six-based force_text, wrapped in a
                                                                                                  # function so the excerpt runs on its own; it returns text (unicode) for s.
                                                                                                  if six.PY3:
                                                                                                      if isinstance(s, bytes):
                                                                                                          s = six.text_type(s, encoding, errors)
                                                                                                      else:
                                                                                                          s = six.text_type(s)
                                                                                                  elif hasattr(s, '__unicode__'):
                                                                                                      s = six.text_type(s)
                                                                                                  else:
                                                                                                      s = six.text_type(bytes(s), encoding, errors)
                                                                                                  return s
                                                                                      
                                                                                      1. 4

                                                                                        about force_text: you speak of a function which is only necessary because of the Python 2 confusion between bytes and strings?

                                                                                        about Armin’s ramblings: do you really think that sticking with POSIX madness which treats erroneous input as acceptable input and propagates it to all dark corners of your program to crash randomly is a super good idea?

                                                                                        1. 3

                                                                                          It’s interesting that you point to Armin Ronacher’s blog post, given his later writing on the subject

                                                                                          1. 1

                                                                                            What is wrong with Django’s force_text function? This function is a short-hand for doing things like forcing translation strings.

                                                                                            1. 1

                                                                                              It’s production-quality code showing that Unicode handling in Python 3 is not any cleaner than in Python 2. That code is written in a Python subset that runs in both languages and uses a special wrapper library to make things easier, so it’s the perfect setting to do a comparison.

                                                                                              1. 9

                                                                                                You can do the “right thing” in Python 2 and Python 3. But you can also do the wrong thing in Python 2, but not in Python 3:

                                                                                                import json
                                                                                                from sys import argv
                                                                                                with open(argv[1], 'rb') as f:
                                                                                                    json.loads(f.read())  # hands raw bytes, not text, to json.loads
                                                                                                
                                                                                                >>> cat in.txt
                                                                                                "Hello World"
                                                                                                
                                                                                                >>> iconv -f SHIFT-JIS -t UTF-8 in-shift-jis.txt
                                                                                                "月曜日"
                                                                                                

                                                                                                In Python 2, this program will work when receiving in.txt but not when receiving in-shift-jis.txt, because there’s implicit bytes to text conversion. The program is broken in Python 2, but you will not find this out unless you properly test files with different encodings. Bytes are not text, and Py2’s implicit conversion hides many bugs.

                                                                                                In python 3, this program will blow up when receiving in.txt as well as in-shift-jis.txt, because there is no more implicit bytes-to-text conversion, and json.loads expects text, but got bytes from the file handle.

                                                                                                Python 3 helps me catch these bugs (type errors, really). Python 2 not only hides these errors, but encourages almost cargo-cult-level spurious .encodes everywhere that will inevitably lead to data corruption.
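The fix the comment is pointing at, as an added example for Python 3 (my code, not the commenter's): decode at the I/O boundary with a declared encoding and hand json.loads only text, run over constructed UTF-8 and Shift-JIS samples standing in for in.txt and in-shift-jis.txt. One caveat to the comment: since Python 3.6, json.loads also accepts bytes and sniffs UTF-8/16/32, so the unconditional TypeError described above is the behaviour of older 3.x releases; Shift-JIS bytes still fail either way, and the ASCII-only file passes under any encoding, which is exactly why ASCII-only test data hides this class of bug.

```python
import json

# Constructed sample inputs (not from the thread): the same kind of JSON
# document as UTF-8 bytes and as Shift-JIS bytes.
UTF8_SAMPLE = '"Hello World"'.encode("utf-8")
SJIS_SAMPLE = '"月曜日"'.encode("shift_jis")


def load_json_bytes(data: bytes, encoding: str) -> object:
    """Decode at the I/O boundary with a declared encoding, then parse text.

    json.loads is only ever given str here, so no implicit or sniffed
    bytes-to-text conversion can happen anywhere downstream.
    """
    if not isinstance(data, bytes):
        raise TypeError("expected bytes from the file handle, got %s" % type(data).__name__)
    text = data.decode(encoding)  # raises UnicodeDecodeError on a wrong encoding
    return json.loads(text)


def try_decode(data: bytes, encoding: str) -> str:
    """Report how the bytes fare under the given encoding (for the table below)."""
    try:
        load_json_bytes(data, encoding)
        return "ok"
    except UnicodeDecodeError:
        return "UnicodeDecodeError"
    except json.JSONDecodeError:
        return "JSONDecodeError"


if __name__ == "__main__":
    for name, data in (("in.txt", UTF8_SAMPLE), ("in-shift-jis.txt", SJIS_SAMPLE)):
        for enc in ("utf-8", "shift_jis"):
            print(f"{name:18} decoded as {enc:9}: {try_decode(data, enc)}")
```

The table the `__main__` block prints shows the asymmetry: the ASCII-only file is "ok" under both encodings, while the Shift-JIS file fails loudly under utf-8 and only succeeds with the declared encoding. Passing the encoding explicitly (from a content-type, a config value, or a command-line flag) is the replacement for the scattered `.encode` calls the comment complains about.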

                                                                                        2. 6

                                                                                          May Python3 die a terrible death in the recycling bin of history!

                                                                                          You do realize it’s a work of people who (presumably) provide you with something you can build upon without lock-in and for free? And I mean Python in general, not any particular version. Show some respect at least, even if you disagree on technical matters.

                                                                                          1. [Comment from banned user removed]

                                                                                            1. 3

                                                                                              So they are assholes because they don’t provide you with (more) free work that would save you from doing free work for people who actually do pay you (but not for this)?

                                                                                              Some classy act you are.

                                                                                          2. 3

                                                                                            What are your motivations for packaging this? Why is this such a big deal for you?

                                                                                            1. 1

                                                                                              I use Python2 and I hate it that it only gets bug fixes, threats of discontinuation and slander from the core Python devs.

                                                                                              I have no intention of switching to Python3, so any project taking over from where those morons left off is a bloody godsend.

                                                                                              1. 3

                                                                                                Seriously: What do you think got worse in Python 3? Is this just about the transition cost (perfectly valid reason!), or do you think there are some more fundamental issues?

                                                                                                1. 0

                                                                                                  You should demand they refund every red cent you’ve paid for it.

                                                                                                  1. 4

                                                                                                    You’re under the impression that you can only criticize what you bought?

                                                                                          1. 1

                                                                                            When I saw the author was Andrew Tutt I skipped this.

                                                                                            1. 4

                                                                                              As my mother always used to say:

                                                                                              If you don’t have anything nice to say, at least cite some goddamn sources so others can share a fully articulated loathing.

                                                                                              Your link doesn’t even suggest the author is bad. Your admission that you haven’t even read the material is worse.

                                                                                              EDIT:

                                                                                              For example, you could’ve cited this delightfully optimistic view of what we as developers do when debugging:

                                                                                              If something goes wrong, the programmer can go back through the program’s instructions to find out why the error occurred and easily correct it.

                                                                                            1. 3

                                                                                              I grew up outside [London]derry, Northern Ireland, but I now live in a suburb of Philadelphia, PA.