1. 2

    I would look at wiki software, though I don’t think there is anything that meets all your requirements. MediaWiki may be familiar to non-technical people, and has calendar addons, though it is not simple.

    1. 2

      Anyone use this? It’s time I learn to use a spreadsheet, but I want something lighter than LibreOffice Calc. There’s siag, sc, sc-im. I might also consider gnumeric in a chroot of an old linux or something (for stability and good look/feel).

      1. 2

        If you want a lispy spreadsheet maybe emacs org mode?

        Otherwise sc is very unixy and nice.

      1. 3

        Why would I use screen over tmux? Honestly curious, have no experience with screen.

        1. 7

          It’s often preinstalled. Many users are familiar with it over tmux for that reason.

          1. 7

            There are many reasons, none of them is really general:

            • Being oldschool and being used to it. tmux is different and even if you change Ctrl-B back to Ctrl-A, it’s not a drop-in replacement.
            • Missing serial console support in tmux and some other more exotic features missing in tmux (probably on purpose).
            • IMHO easier to configure (albeit definitely less mighty)

            (Disclaimer: I’m the author of the linked blog posting and the maintainer of Debian’s screen package, so I’m probably biased. ;-)

            1. 5

              Screen is good enough, I know the shortcut keys I need and it does serial ports. There is nothing I need that it doesn’t do, so why change? Not all change is progress…

              1. 7

                Good summary, yes. :-)

There are admittedly also some downsides: Most of the code of screen is ancient, has only a few comments and is not easy to understand. It’s older than the Linux kernel. And despite being a GNU project these days, it started as IIRC “BSD Screen Manager” or so on BSDs.

                1. 1

                  what’s wrong with old code?

                  1. 3

                    The rest of the sentence says:

                    has only few comments and is not easy to understand

                    So, harder to maintain, fix, improve upon?

                    1. 1

                      that would be an issue, but i don’t see what that has to do with the age of the code

                      1. 2

                        Different common sense and coding style now and back then.

                        1. 2

                          Maybe, but two developers today may differ just as much in their common sense and coding style. It can be a pain to work on a code base written in a fancy IDE, if the author leaned on syntax highlighting and auto-completion to compensate for clunky names. There are a lot of factors that could make old code better or worse than new code.

                    2. 3

                      Nothing in general, but it tends to accumulate issues over time:

                      • Occasionally stops compiling with newer, more strict compilers.
                      • Does not adhere to current coding standards which usually focus on readability and avoiding common errors → harder to read, more error prone.
                        • Also might hinder attracting new contributors or maintainers.
                      • The current maintainers might no longer know what the code was for if the original authors are no longer around.
                      • At least Screen is known to have support for quite a few dead operating systems (think SunOS, etc.). These kinds of tweaks can cause issues on modern operating systems. The master branch in Screen’s git repo has some cleanup on that, but unfortunately also kicked out some features which are still in use. No release has been made out of that branch anyway. I suspect that it will become version 5 if there is ever a release out of that branch.

              2. 2

                In addition to the other answers… tmux feels generally more vim-like, while screen is more emacs-like. If you already have a preference in that game, that tends to color your perceptions of them.

                1. 2

                  Any chance you could elaborate on that? I’ve never gone deep into configuring either of them, but by default both feel more emacsy in bindings. What is there beyond that?

                  1. 2

                    Interesting. Never came to that thought, but at least it seems to fit for me: I’m a GNU Emacs (and GNU Zile) guy. :-)

                    Then again: I don’t see where Screen is very emacs-ish. So I’d also be interested in a more detailed explanation.

                1. 2

                  I see old shit served via HTTP, I upvote.

                  1. 3

                    My goscreen alias looks like this:

                    stty erase ^? ; screen -wipe ; screen -h 500 -d -R

                    i.e., wipe dead sessions, then reattach to any live session, creating a new one if necessary. If I get disconnected, I log back in, type goscreen and I’m back where I was.

                    1. 1

                      What do you need the:

                      stty erase ^?
                      Exotic keyboard layout, so backspace doesn’t… Backspace?

                      1. 1

                        No, it’s a Mac keyboard and Delete is in that position.

                        1. 2

                          ba dum tss

                          when did they start doing that? i have a 2007 mac keyboard and the key in the backspace position works as a backspace, as you would expect (though it is labeled “delete”)

                    1. 17

                      Where do we go from here? What can a freedom-minded person do to avoid censorship by tech oligarchs?

                      Nearly stopped reading here, but I’ll happily post it again and again: It’s not censorship if one company chooses to not do business with you.

                      1. 14

                        That’s actually still censorship:

                        tr.v. cen·sored, cen·sor·ing, cen·sors To examine and expurgate.

                        There’s a subtler meaning in there around “but it isn’t the government doing it”, but given the size of Google, Cloudflare, Facebook, and others who have successfully walled-in the public square, it is pretty disingenuous to pretend like there isn’t at least something going on there.

                        For the folks going “hah, so what if it happens to people I don’t like?”–remember that time Tumblr’s ban hurt LGBTQ+ folks? Remember the various pro-BLM folks Twitter banned? Pepperidge Farm remembers.

                        It’s completely reasonable for people to be concerned and want to learn how to host their own services, and mocking them for attempted independence seems to me to be both short-sighted and a defection against the hacker spirit.

                        1. 2

                          a defection against the hacker spirit

                          Also on that topic, I’m reminded of the part in chapter 6 of Hackers by Steven Levy, where the MIT AI Lab hackers hated Multics in part because of its fine-grained usage accounting. Kind of like AWS and similar services, no?

                          (So yes, the fact that my current project is all-in on AWS causes me cognitive dissonance. Not sure how to resolve it though. Multi-AZ deployments with automated recovery from instance failures are certainly good for peace of mind.)

                          1. 2

Think about what infrastructure changes you would need to make in order not to be fully dependent on AWS, and then make them. Even if you don’t switch away from AWS immediately, being prepared to do so will make it easier on you if they do decide for whatever reason to deplatform you, or if a competing cloud provider starts offering a better deal.

                        2. 9

maybe it is if the handful of companies that are more powerful than most countries decide not to do business with you.

                          Regardless of that highly charged political question, I think fighting oligarchy is worthwhile in itself.

                          1. 7

                            What is it when all the infrastructure providers, payment processors, banks, and social media platforms all decide to stop doing business with you?

                            So glad my beliefs are currently in vogue with whatever you call that collective, whatever their non-censorship is, I’m glad I’m not being subjected to it.

                            1. 3

                              I followed this saga at the time, and my impression was that AWS bent over backwards to accommodate this service. It was only after those responsible failed to moderate the statements made by their users that violated the ToS they had willingly agreed to that service was suspended - not terminated.

The site is back online. The service is not, which really makes one wonder how much this is a genuine wish to offer a free-speech platform and how much it was an attempt to soak a well-heeled backer for a lot of money.

                              1. 3

                                In what way did they bend over backwards? Was there even a court order telling them to take the site down?

                                1. 3

                                  AWS gave them multiple chances to implement effective moderation.

                                  There was no court order, the issue was a breach of contract (the ToS).

                                  I can recommend Techdirt’s coverage of the issue, with this opinion piece as a good starting point https://www.techdirt.com/articles/20210115/00240746061/few-more-thoughts-total-deplatforming-parler-infrastructure-content-moderation.shtml.

                                  https://www.techdirt.com/search-g.php?q=parler

                                  1. 4

                                    That writer seems to think any action is justified as long as it’s done by private companies in a competitive free market. Under that assumption, of course a breach of contract is more than enough reason to suspend service.

But if we care about who actually has power in society and how communication is shaped by different actors, this is cold comfort. If AWS “bends over backwards” to offer a service they are being paid for, until the risk of a PR crisis makes it not worth it for them, they are still wielding unaccountable power to limit who gets to speak.

                                    1. 2

                                      Masnick’s position is more nuanced than you summarize it, but the idea of private parties competing in a free market is one that has served the US economy well for a long time.

                                      As for AWS “wielding unaccountable power”, they’re far from a monopoly. Oracle is gunning aggressively for their business, as mentioned in other threads on this very page, and in the article I linked.

                                      And whose speech are we talking about? The users of the site are free to create accounts elsewhere, and many have surely done so. What’s left is the limited speech rights of the service to make money hosting these users. This right has to be weighed against AWS’ rights to make money providing cloud computing to many other customers, all of whom AWS is aware can change providers if AWS allows toxic actors on its service.

                                      If the service’s business model was to make money hosting speech that was banned elsewhere, it bordered on criminal negligence not to take the risk of being suspended into account, and making plans to shift hosting providers accordingly. Again, this points to this being a grift rather than a sound business idea.

                                      1. 1

                                        I think it is perverse to give any weight to a large company’s “right” to make money in a certain way, when weighed against issues that affect the mass of society. But I suspect you and I disagree fundamentally about this, so there’s probably no use trying to find agreement.

                                        Another thing we will probably disagree about: the potential for competition among a small group of companies does not amount to accountability. People have very little say over what these companies do.

                            2. 9

Agreed. I appreciate the meat of the article but I can definitely do without the edgy quote at the beginning.

                              1. 5

                                Ditto with the mentions to Parler (including in the title)

                              2. 7

haha agreed, this is the second time I’ve seen someone cite the “First they came for” poem to defend groups of people actively “coming for” me and my loved ones.

                                1. 8

Always feel weird when this kind of content uses proto-fascism and right-wing extremists as an example for why we need to fight oligarch censorship. Of all the victims of censorship, those are the ones I could not care less about.

                                  1. 6

Of all the victims of censorship, those are the ones I could not care less about.

                                    I think that’s rather the point of the poem, isn’t it?

                                    1. 4

No. Not when those being censored are the very same people that would want to be the “They” in the poem. The point of the poem is that we shouldn’t stay idle while some group is trying to take advantage over other groups. I feel like what happened right now is that someone actually did speak up…

                                      1. 2

                                        Not when those being censored are the very same people that would want to be the “They” in the poem.

                                        Plenty of people in Weimar Germany felt that way about the communists.

                                      2. 2

                                        Not really, at least in my reading. It’s not about the dangers of a “couldn’t care less” mindset but rather one of cowardice.

                                      3. 2

                                        HUAC was first used to jail Nazi sympathizers

                                        1. 2

And good for them, let them rot in jail for all I care. I don’t mean that we should stand idle while states and corporations consolidate their power. Let’s speak about how HUAC or oligarchs can use their power monopoly against the rest of the population. Let’s discuss how we can fight against these crackdowns from the point of view of freedom and privacy, not about how a right-wing extremist community should have done better.

                                          1. 1

                                            Who is discussing how a right-wing extremist community “should have done better”? You lost me there.

                                            I guess you don’t value the legal and social norm of free speech as such, and take no issue if that norm is violated to target racist groups. You either don’t think that makes it easier to target non-racist groups, or you don’t care.

                                            1. 3

                                              Who is discussing how a right-wing extremist community “should have done better”?

                                              Taken as-is from the article:

                                              Parler’s epic fail: A crash course on running your own servers with a shoestring budget

                                              I argue that your chances of survival are much better this way, and Parler is foolish for not going this route. We can do better.

                                              Parler was cut off by their cloud hosting provider, Amazon. Where do we go from here? What can a freedom-minded person do to avoid censorship by tech oligarchs?

                                              1. 1

                                                ah

                                      4. 2

who’s coming for you

                                      5. 3

                                        Hosting your own content is exactly the method by which you work around private platform companies refusing to do business with you for political reasons.

                                      1. 7

                                        $200 per month in recurring costs at the end. Not bad if you’re running a business, but otherwise pretty steep for home use.

                                        But I guess for home use you might as well keep the computer running 24/7… in your home.

                                        1. 6

                                          But I guess for home use you might as well keep the computer running 24/7… in your home.

                                          Pretty much what I do, in conjunction with wireguard (proxying from a $5 VPS).

                                          1. 4

                                            You may want to proxy from a free oracle VPS instead (10TB transfer/month) https://www.oracle.com/cloud/free/#always-free

                                            1. 2

                                              What are they getting out of it?

                                              1. 1

                                                Your contact details, to sell to marketers.

                                              2. 1

                                                Oh wow thank you for linking this, seems like a great offer. Might make me actually stop paying for hosting completely.

                                                1. 4

                                                  You become the product there though

                                                  1. 1

                                                    I recently signed up for one, to use as a secondary VM. For an “always free” plan, that’s sure an excellent offer, assuming they don’t change their mind abruptly one day.

                                                    1. 3

                                                      they wouldn’t do that, it says “always” right on the box

                                              3. 2

                                                One (potential) downside of hosting out of your home is running into your ISP’s AUP (Acceptable Use Policy). Sometimes these outright forbid hosting any servers. But even for those that don’t forbid such acts, they usually have clauses that forbid serving material that is not illegal but is simply indecent, racist, or defamatory. It could prove challenging to remain in compliance if you host a site with user-generated content where even a small number of users are inclined towards posting such things.

                                                1. 4

Add a jump host somewhere on the net (e.g. some $5/month OVH system) that routes all connections through a VPN (or Tor to an onion service, which would make it harder for the provider to tell your ISP about you) back to the host at home: CloudFlare on a shoestring budget (there are many such providers and by tweaking DNS entries you can hop relatively quickly).

                                                  1. 2

                                                    This doesn’t help you comply with an AUP, just circumvent it.

                                                    1. 3

                                                      That’s often good enough. Using encryption makes it difficult for other agents to see any details about your internet traffic, and that includes your ISP enforcing its AUP on you (which they would be very prone to enforcing selectively, that is, only if they had some reason to think you specifically were a political problem for them).

                                                  2. 2

Which is when you end up running your own ISP, or other such nonsense.

                                                1. 18

What this rant does not focus on: It’s a good thing that these use cases are broken. Wayland prohibits your desktop applications from capturing keystrokes or recording other apps’ screens by default. X’s security model (and low level graphics APIs) is/are severely outdated, and Wayland promises not only to be more secure, but also to expose cleaner APIs at the lower level (rendering, etc.)

                                                  These use cases are/will still be supported though, but this time via standardized interfaces, many of which already exist and are implemented in today’s clients.

                                                  X is based on a 30 year old code base and an outdated model (who runs server-side display servers these days?). Of course, switching from X to Wayland will break applications, and until they are rewritten with proper Wayland support they will stay that way. For most X11 apps there even is Xwayland, which allows you to run X11 apps in Wayland if you must.

                                                  1. 25

What this rant does not focus on: It’s a good thing that these use cases are broken

You should have more compassion for users and developers who have applications that have worked for decades, are fully featured, and are being asked to throw all of that away. For replacements that are generally very subpar. With no roadmap for when parity will be reached. For a system that does not offer any improvements they care about (you may care about this form of security, not everyone does).

                                                    I could care less about whether when I run ps I see Xorg or wayland. And I doubt that most of the people who are complaining really care about x vs wayland. They just don’t want their entire world broken for what looks to them like no reason at all.

                                                    1. 5

                                                      I’m not saying that those apps should be thrown away immediately. Some of these work under XWayland (I sometimes stream using OBS and it records games just fine).

                                                      If your application really does not run under XWayland, then run an X server! X is not going to go away tomorrow, rather it is being gradually replaced.

                                                      I’m simply explaining that there are good reasons some applications don’t work on Wayland. I’m a bit sore of hearing “I switched to Wayland and everything broke” posts: Look behind the curtain and understand why they broke.

                                                    2. 17

                                                      I’m kind of torn on the issue.

                                                      On the one hand, the X security model is clearly broken. Like the UNIX security model, it assumes that every single application the user wants to run is 100% trusted. It’s good that Wayland allows for sandboxing, and “supporting the use cases, but this time via standardized interfaces” which allow for a permission system sounds good.

                                                      On the other hand, there’s clearly no fucking collaboration between GNOME and the rest of the Wayland ecosystem. There’s a very clear rift between the GNOME approach which uses dbus for everything and the everything-else approach which builds wayland protocol extensions for everything. There doesn’t seem to be any collaboration, and as a result, application authors have to choose between supporting only GNOME, supporting everything other than GNOME, or doing twice the work.

                                                      GNOME also has no intention of ever supporting applications which can’t draw their own decorations. I’m not opposed to the idea of client-side decorations, they’re nice enough in GTK applications, but it’s ridiculous to force all the smaller graphics libraries which just exist to get a window on the screen with a GL context - like SDL, GLFW, GLUT, Allegro, SFML, etc - to basically reimplement GTK just to show decorations on GNOME on Wayland. The proposed solution is libdecorations, but that seems to be at least a decade away from providing a good, native-feeling experience.

                                                      This isn’t a hate post. I like Wayland and use Sway every day on my laptop. I like GNOME and use it every day on my desktop (though with X because nvidia). I have written a lot of wayland-specific software for wlroots-based compositors. But there’s a very clear rift in the wayland ecosystem which I’m not sure if we’ll ever solve. Just in my own projects, I use the layer-shell protocol, which is a use-case GNOME probably won’t ever support, and the screencopy protocol, which GNOME doesn’t support but provides an incompatible dbus-based alternative to. I’m also working on a game which uses SDL, which won’t properly support GNOME on Wayland due to the decorations situation.

                                                      1. 13

                                                        the X security model is clearly broken

                                                        To be honest I feel the “brokenness” of the security model is vastly overstated. How many actual exploits have been found with this?

                                                        Keyloggers are a thing, but it’s not like Wayland really prevents that. If I have a malicious application then I can probably override firefox to launch something that you didn’t intend (via shell alias, desktop files) or use some other side-channel like installing an extension in ~/.mozilla/firefox, malicious code in ~/.bashrc to capture ssh passwords, etc. Only if you sandbox the entire application is it useful, and almost no one does that.

                                                        1. 10

                                                          This isn’t a security vulnerability which can be “exploited”, it’s just a weird threat model. Every single time a user runs a program and it does something to their system which they didn’t want, that’s the security model being “exploited”.

You might argue that users should never run untrusted programs, but I think that’s unfair. I run untrusted programs; I play games, those games exist in the shape of closed-source programs from corporations I have no reason to trust. Ideally, I should be able to know that due to the technical design of the system, those closed source programs can’t listen to me through my microphone, can’t see me through my webcam, can’t read my keyboard inputs to other windows, can’t see the content in other windows, and can’t rummage through my filesystem, without my express permission. That simply requires a different security model than what X and the traditional UNIX model do.

                                                          Obviously Wayland isn’t enough on its own, for the reasons you cite. A complete solution does require sandboxing the entire application, including limiting what parts of the filesystem it can access, which daemons it can talk to, and what hardware it can access. But that’s exactly what Flatpak and Snaps attempt to do, and we can imagine sandboxing programs like Steam as well to sandbox all the closed source games. However, all those efforts are impossible as long as we stick with X11.

                                                          1. 3

                                                            Every single time a user runs a program and it does something to their system which they didn’t want, that’s the security model being “exploited”.

If you think a permission system is going to solve that, I’m going to wish you good luck with that.

Ideally, I should be able to know that due to the technical design of the system, those closed source programs can’t listen to me through my microphone, can’t see me through my webcam, can’t read my keyboard inputs to other windows, can’t see the content in other windows, and can’t rummage through my filesystem, without my express permission.

                                                            Ah yes, and those closed-source companies will care about this … why exactly?

                                                            They will just ask for every permission and won’t run otherwise, leaving you just as insecure as before.

                                                            But hey, at least you made the life of “trustworthy” applications worse. Good job!

But that’s exactly what Flatpak and Snaps attempt to do […]

                                                            Yes, letting software vendors circumvent whatever little amount of scrutiny software packagers add, that will surely improve security!

                                                            1. 7

If you think a permission system is going to solve that, I’m going to wish you good luck with that.

                                                              It… will though. It’s not perfect, but it will prevent software from doing things without the consent of the user. That’s the goal, right?

                                                              You may be right that some proprietary software vendors will just ask for every permission and refuse to launch unless given those permissions. Good. That lets me decide between using a piece of software with the knowledge that it’ll basically be malware, or not using that piece of software.

In reality though, we don’t see a lot of software which takes this route on other platforms which already have permission systems. I’m not sure I have ever encountered a website, Android app or iOS app which A) asked for permissions to do stuff it obviously didn’t need, B) refused to run unless given those permissions, and C) wasn’t obviously garbage.

What we do see though is that most apps on the iOS App Store and websites on the web include analytics packages which will gather as much info on you as possible and send it back home as telemetry data. When Apple, for example, put the contacts database behind a permission wall, the effect wasn’t that every app suddenly started asking to see your contacts. The effect was that apps stopped snooping on users’ contacts.

                                                              I won’t pretend that a capability/permission system is perfect, because it isn’t. But in the cases where it has already been implemented, the result clearly seems to be improved privacy. I would personally love to be asked for permission if a game tried to read through my ~/.ssh, access my webcam or record my screen, even if just to uninstall the game and get a refund.

                                                              Yes, letting software vendors circumvent whatever little amount of scrutiny software packagers add, that will surely improve security!

                                                              I mean, if you wanna complain about distros which use snaps and flatpaks for FOSS software, go right ahead. I’m not a huge fan of that myself. I’m talking about this from the perspective of running closed source software or software otherwise not in the repos, where there’s already no scrutiny from software packagers.

                                                              1. 3

                                                                There’s probably evidence from existing app stores on whether users prefer to use software that asks for fewer permissions. There certainly seems to be a market for that (witness all the people moving to Signal).

                                                                1. 3

                                                                  But hey, at least you made the life of “trustworthy” applications worse. Good job!

                                                                  “Trustworthy software” is mostly a lie. Every application is untrustworthy after it gets remotely exploited via a security bug, and they all have security bugs. If we lived in a world without so much memory-unsafe C, then maybe that wouldn’t be true. But we don’t live in that world so it’s moot.

                                                                  Mozilla has its faults, but I trust them enough to trust that Firefox won’t turn on my webcam and start phoning home with the images. I could even look at the source code if I wanted. But I’d still like Firefox sandboxed away from my webcam because Firefox has memory bugs all the time, and they’re probably exploitable. (As does every other browser, of course, but I trust those even less.)

                                                                2. 1

                                                                  A complete solution does require sandboxing the entire application, including limiting what parts of the filesystem it can access, which daemons it can talk to, and what hardware it can access. But that’s exactly what Flatpak and Snaps attempts to do.

                                                                  But that’s quite limited sandboxing, I think? To be honest I’m not fully up-to-speed with what they’re doing exactly, but there’s a big UX conundrum here because write access to $HOME allows side-channels, but you also really want your applications to do $useful_stuff, which almost always means accessing much (or all of) $HOME.

                                                                  Attempts to limit this go back a long way (e.g. SELinux), and while this works fairly well for server applications, for desktop applications it’s a lot harder. I don’t really fancy frobbing with my config just to save/access a file to a non-standard directory, and for non-technical users this is even more of an issue.

                                                                  So essentially I don’t really disagree with:

                                                                  I should be able to know that due to the technical design of the system, those closed source programs can’t listen to me through my microphone, can’t see me through my webcam, can’t read my keyboard inputs to other windows, and can’t see the content in other windows, and can’t rummage through my filesystem, without my expressed permission. That simply requires a different security model than what X and the traditional UNIX model does.

                                                                  and I’m not saying that the Wayland model isn’t better in theory (aside from some pragmatical implementation problems, which should not be so casually dismissed as some do IMHO), but the actual practical security benefit that it gives you right now is quite limited, and I think that will remain the case for the foreseeable future as it really needs quite a paradigm shift in various areas, which I don’t really see happening on Linux any time soon.

                                                                  1. 2

                                                                    I don’t really fancy frobbing with my config just to save/access a file to a non-standard directory

                                                                    If a standard file-picker dialog were used, it could be granted elevated access & automatically grant the calling application access to the selected path(s).

                                                                    1. 1

                                                                      there’s a big UX conundrum here because write access to $HOME allows side-channels, but you also really want your applications to do $useful_stuff, which almost always means accessing much (or all of) $HOME.

                                                                      This is solved on macOS with powerboxes. The Open and Save file dialogs actually run as a separate process and update the application’s security policy dynamically to allow it to access files that the user has selected, but nothing else. Capsicum was designed explicitly to support this kind of use case, it’s a shame that NIH prevented Linux from adopting it.
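The powerbox pattern described in the comment above, as an added example that is not from the thread, from macOS or from Capsicum: a separate broker process (standing in for the privileged file dialog) is the only party that knows the path; it opens the user's choice and passes just that descriptor to the application over a UNIX-domain socket with SCM_RIGHTS, so the application never needs filesystem access to the path. The function names (`send_fd`, `recv_fd`, `broker_grant`, `worker_read`, `powerbox_demo`) and the sample file are constructed for this example; the worker process does not actually confine itself here (no cap_enter, seccomp or namespace step), which a real design adds before it asks for anything.

```c
#define _GNU_SOURCE                        /* POSIX/BSD declarations (fork, socketpair, mkstemp) */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Control-message buffer sized for exactly one descriptor. */
union fd_cmsg {
    struct cmsghdr hdr;
    char buf[CMSG_SPACE(sizeof(int))];
};

/* Send an open descriptor over a UNIX-domain socket. The kernel installs a
   duplicate in the receiver; no path and no filesystem permission is needed. */
static int send_fd(int sock, int fd) {
    char byte = 'F';                       /* one data byte must accompany the cmsg */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fd_cmsg u;
    struct msghdr msg;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns it, or -1 if the message carried none. */
static int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fd_cmsg u;
    struct msghdr msg;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Broker ("powerbox") side: the only party that knows the path. It opens the
   file the user picked, read-only, and grants just that descriptor. */
static int broker_grant(int sock, const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int rc = send_fd(sock, fd);
    close(fd);                             /* the worker's duplicate stays open */
    return rc;
}

/* Worker side: reads whatever it was granted. It never sees a path. */
static ssize_t worker_read(int sock, char *buf, size_t n) {
    int fd = recv_fd(sock);
    if (fd < 0) return -1;
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got < 0) return -1;
    buf[got] = '\0';
    return got;
}

/* Demo driver: writes a constructed sample file, forks the worker, grants it the
   descriptor, and returns the bytes the worker read (echoed back into out, NUL-terminated). */
ssize_t powerbox_demo(char *out, size_t n) {
    char path[] = "/tmp/powerbox_demo_XXXXXX";          /* constructed temp file, not a real config path */
    const char sample[] = "hello from the user-selected file\n";
    int tmp = mkstemp(path);
    if (tmp < 0) return -1;
    if (write(tmp, sample, sizeof sample - 1) != (ssize_t)(sizeof sample - 1)) {
        close(tmp); unlink(path); return -1;
    }
    close(tmp);

    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { unlink(path); return -1; }
    pid_t pid = fork();
    if (pid == 0) {
        /* Worker: a real design would enter its sandbox (cap_enter, seccomp,
           namespaces) here, before requesting anything from the broker. */
        close(sv[0]);
        char buf[256];
        ssize_t got = worker_read(sv[1], buf, sizeof buf);
        if (got > 0 && write(sv[1], buf, (size_t)got) != got) _exit(1);
        _exit(got > 0 ? 0 : 1);
    }
    close(sv[1]);
    ssize_t result = -1;
    if (pid > 0 && broker_grant(sv[0], path) == 0) {
        size_t total = 0;
        ssize_t r;
        while (total < n - 1 && (r = read(sv[0], out + total, n - 1 - total)) > 0)
            total += (size_t)r;                         /* EOF when the worker exits */
        out[total] = '\0';
        result = (ssize_t)total;
    }
    close(sv[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    unlink(path);
    return result;
}
```

The security-relevant property is in the direction of the grant: the worker can only ever read descriptors the broker chose to hand over, and the broker opens them read-only, so a compromised worker gains access to exactly one user-selected file rather than to the directory it lives in. Passing a descriptor rather than a path is also what makes the access revocable per file and auditable in the broker.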

                                                                      1. 1

                                                                        This sounds like a good idea! I’d love to see that in the X11/Wayland/Unix ecosystem, even just because I hate that awful GTK file dialog for so many reasons and swapping it out with something better would make my life better.

                                                                        Still; the practical security benefit I – and most users – would get from Wayland today would be very little.

                                                                  2. 5

                                                                    I think “broken” is too loaded; “no longer fit for purpose” might be better.

                                                                    1. 2

                                                                      Well, the security model is simply broken.

                                                                      I agree that a lot of focus is put on security improvements compared to Wayland’s other advantages (tear-free rendering being the one most important to me). But it’s still an advantage over X, and I like software which is secure-by-default.

                                                                      1. 1

                                                                        How many actual exploits have been found with this?

                                                                        They were very common in the ‘90s, when folks ran xhost +. Even now, it’s impossible to write a secure password entry box in X11, so remember that any time you type your password into the graphical sudo equivalents that anything that’s currently connected to your X server could capture it. The reason it’s not exploited in the wild is more down to the fact that *NIX distros don’t really do much application sandboxing and so an application that has convinced a user to run it already has pretty much all of the access that it needs for anything malicious that it wants to do. It’s also helped by the fact that most *NIX users only install things from trusted repositories where it’s less likely that you’ll find malware but expect that to change if installing random snap packages from web sites becomes common.

                                                                      2. 4

                                                                        It’s good that Wayland allows for sandboxing

                                                                        If I wanted to sandbox an X application, I’d run it on a separate X server. Maybe even an Xnest kind of thing.

                                                                        I’ve never cared to do this (if I run xnest it is to test network transparency or new window managers or something, not security), so I haven’t tried, but it seems to me it could be done fairly easily if someone really wanted to.

                                                                        1. 2

                                                                          Whoa, I’ve never heard about the GNOME issues (mostly because I’m in a bubble including sway and emersion, and what they do looks sensible to me). That sucks though, I hope they somehow reconcile.

                                                                          Regarding Nvidia I think Simon mentioned something that hinted at them supporting something that has to do with Wayland, but I could just as easily have misunderstood.

                                                                        2. 8

                                                                          Wayland prohibits your desktop applications from capturing keystrokes or recording other apps’ screens by default

                                                                          No, it doesn’t. Theoretically it might enable doing this by modifying the rest of the system too, but in practice (and certainly the default environment) it is still trivial for malware to keylog and record screen on current Wayland desktop *nix installs.

                                                                          1. 3

                                                                            it is still trivial for malware to keylog and record screen on current Wayland desktop *nix installs.

                                                                            I don’t think that’s true. The linked article says recording screens and global hotkeys is “broken” by Wayland. How can it be so trivial for “malware” to do something, and absolutely impossible for anyone else?

                                                                            Or is this malware that requires I run it under sudo?

                                                                            1. 10

                                                              It’s the difference between doing something properly and just doing it. Malware is happy with the latter while most non-malware users are only happy with the former.

                                                                              There are numerous tricks you can use if you are malware, from using LD_PRELOAD to inject code and read events first (since everyone uses libwayland this is really easy), to directing clients to connect to your mitm Wayland server, to just using a debugger, and so on and so forth. None of these are really Wayland’s fault, but the existence of them means there is no meaningful security difference on current desktops.

                                                                              1. 2

                                                                                I don’t know if I agree that the ability to insert LD_PRELOAD in front of another application is equivalent to sending a bytestring to a socket that is already open, but at least I understand what you meant now.

                                                                            2. 4

                                                                              I’m sick of this keylogger nonsense.

                                                                              X11 has a feature which allows you to use the X11 protocol to snoop on keys being sent to other applications. Wayland does not have an equivalent feature.

                                                              Using LD_PRELOAD requires being on the other side of an airtight hatch. It straight-up requires having arbitrary code execution, which you can use to compromise literally anything. This is not Wayland’s fault. Wayland is a better lock for your front door. If you leave your window open, it’s not Wayland’s fault when you get robbed.

                                                                              1. 7

                                                                Indeed, it’s not Wayland’s fault, and I said as much in response to the only reply above yours, an hour and 20 minutes before you posted this reply. You’re arguing against a straw man.

                                                                                What is the case is that that “airtight hatch” between things that can interact with wayland and things that can do “giant set of evil activities” has been propped wide open pretty much everywhere on desktop linux, and isn’t reasonably easy to close given the rest of desktop software.

                                                                                If you were pushing “here’s this new desktop environment that runs everything in secure sandboxes” and it happened to use wayland there would be the possibility of a compelling security argument here. Instead what I see is people making this security argument in a way that could give people the impression it secures things when it doesn’t actually close the barn doors, which is outright dangerous.

                                                                In fact, as far as I know the only desktop *nix OS that does sandbox everything is QubesOS, and it looks like they currently run a custom protocol on top of an X server…

                                                                                1. 2

                                                                                  Quoting you:

                                                                                  Wayland prohibits your desktop applications from capturing keystrokes or recording other apps’ screens by default

                                                                                  No, it doesn’t.

                                                                                  Yes, it does. Wayland prohibits Wayland clients from using Wayland to snoop on other Wayland clients. X11 does allow X11 clients to use X11 to snoop on other X11 clients.

                                                                  Other features of Linux allow you to circumvent this within the typical use-case, but that’s a criticism of those features moreso than of Wayland, and I’m really tired of it being trotted out in Wayland discussions. Wayland has addressed its part of the problem. Now it’s on the rest of the ecosystem to address their parts. Why do you keep dragging it into the Wayland discussion when we’ve already addressed it?

                                                                                  1. 7

                                                                                    This

                                                                                    Wayland prohibits your desktop applications from capturing keystrokes or recording other apps’ screens by default

                                                                                    And this

                                                                                    Wayland prohibits Wayland clients from using Wayland to snoop on other Wayland clients.

                                                                                    Are two very different statements. The latter partially specifies the method of snooping, the former does not.

                                                                    Why do you keep dragging it into the Wayland discussion when we’ve already addressed it?

                                                                                    I do not, I merely reply to incorrect claims brought up in support of wayland claiming that it solves a problem that it does not. It might one day become part of a solution to that problem. It might not. It certainly doesn’t solve it by itself, and it isn’t even part of a solution to that problem today.

                                                                            3. 4

                                                                              X’s design has many flaws, but those flaws are well known and documented, and workarounds and extensions exist to cover a wide range of use cases. Wayland may have a better design regarding modern requirements, but has a hard time catching up with all the work that was invested into making X11 work for everyone over the last decades.

                                                                              1. 3

                                                                                X’s design has many flaws, but those flaws are well known and documented, and workarounds and extensions exist to cover a wide range of use cases.

                                                                                Once mere flaws become security issues it’s a different matter though.

                                                                                [Wayland] has a hard time catching up with all the work that was invested into making X11 work for everyone over the last decades.

                                                                                This may be true now, but Wayland is maturing as we speak. New tools are being developed, and there isn’t much missing in the realm of protocol extensions to cover the existing most-wanted X features. I see Wayland surpassing X in the next two, three years.

                                                                                1. 2

                                                                                  Yeah, I started to use sway on my private laptop and am really happy with it. Everything works flawlessly, in particular connecting an external HiDPI display and setting different scaling factors (which does not work in X). However, for work I need to be able to share my screen in video calls occasionally and record screencasts with OBS, so I’m still using X there.

                                                                              2. 4

                                                                                I wonder if X’s security model being “outdated” is partly due to the inexorable slide away from user control. If all your programs are downloaded from a free repo that you trust, you don’t need to isolate every application as if it’s out to get you. Spotify and Zoom on the other hand are out to get you, so a higher level of isolation makes sense, but I would still prefer this to be the exception rather than the rule.

                                                                                In practice 99.9% of malicious code that is run on our systems is done via the web browser, which has already solved this problem, albeit imperfectly, and only after causing it in the first place.

                                                                                1. 4

                                                                                  If all your programs are downloaded from a free repo that you trust, you don’t need to isolate every application as if it’s out to get you

                                                                                  I completely agree, as long as all of my programs are completely isolated from the network and any other source of untrusted data, or are formally verified. Otherwise, I have to assume that they contain bugs that an attacker could exploit and I want to limit the damage that they can do. There is no difference between a malicious application and a benign application that is exploited by a malicious actor.

                                                                                  1. 1

                                                                                    all of your programs are completely isolated from the network?

                                                                                    how are you posting here?

                                                                                    1. 2

                                                                                      They’re not, that’s my point and that’s why I’m happy that my browser runs sandboxed. Just because I trust my browser doesn’t mean that I trust everyone who might be able to compromise it.

                                                                                      1. 1

                                                                                        that makes sense for a browser, which is both designed to run malicious code and too complex to have any confidence in its security. but like i said i would prefer cases like this to be the exception. if the rest of your programs are relatively simple and well-tested, isolation may not be worth the complexity and risk of vulnerabilities it introduces. especially if the idea that your programs are securely sandboxed leads you to install less trustworthy programs (as appears to be the trend with desktop linux).

                                                                                        1. 2

                                                                                          Okay, what applications do you run that never consume input from untrusted sources (i.e. do not connect to the network or open files that might come from another application)?

                                                                                          1. 1

                                                                                            I don’t think you are looking at this right. The isolation mechanism can’t be 100% guaranteed free of bugs any more than an application can. Your rhetorical question is pretty far from what I thought we were discussing so maybe you could rephrase your argument.

                                                                                2. 1

                                                                                  This argument seems similar to what happened with cinnamon-screensaver a few weeks ago:

                                                                                  https://github.com/linuxmint/cinnamon-screensaver/issues/354#issuecomment-762261555 (responding to https://www.jwz.org/blog/2021/01/i-told-you-so-2021-edition/)

                                                                  It’s a good thing for security (and maybe for users in the long term once they work again) that these use cases are broken, but it is not a good thing for users in the short term that these use cases don’t work on Wayland.

                                                                                1. 3

                                                                                  I personally dislike what they’ve done with the CSS.

                                                                                  1. 3

                                                                                    If you go up a directory you’ll find a widescreen variant that looks more like it used to.

                                                                                  1. 47

                                                                                    If you think pulling apt sources is telemetry then it means apt should send less data about you. You have the same problem with any mirror: Those cannot be trusted all that much and may retain any metadata. I know for sure I don’t really trust my ISP’s package mirror when it comes to privacy, it just happens to be very fast and reliable.

                                                                                    There is always a trust issue when unwanted software and gpg keys are installed secretly, which is the main issue

                                                                                    Not sure if I understand the issue correctly, but if adding Microsoft’s repo to apt requires installing a GPG key that is trusted for signing arbitrary packages even if installed from other repos then that’s for sure a problem with apt too.

                                                                                    Overall, can’t help but also roll my eyes on this. User complains that the image isn’t lightweight enough but clearly the stock image of RbPI is not sharing this kind of goal. Might as well complain that it doesn’t come with Alpine.

                                                                                    BTW this article adds nothing over the reddit thread. Not that I really sympathize with either.
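On the key-scope point raised above (a repository key that ends up in the global keyring can vouch for packages from any repository), as an added example that is not from the thread: apt's one-line sources format accepts a `[signed-by=/path/to/keyring.gpg]` option that restricts which key may sign that source's Release file, whereas keys dropped into /etc/apt/trusted.gpg.d are accepted for every configured source. The small sh audit below lists entries that lack the option; the sample entries and host names are constructed, and the function names (`unscoped_apt_sources`, `audit_sources_file`, `count_unscoped_sample`) are mine.

```sh
#!/bin/sh
# Added example: list one-line apt source entries that carry no [signed-by=...]
# option, i.e. entries whose signing key must live in the globally trusted
# keyring, where it can sign any repository.  Sample data is constructed.

SAMPLE_SOURCES='deb http://deb.debian.org/debian bullseye main
deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.com/debian stable main
deb [arch=amd64] https://packages.example.org/debian stable main
# deb-src http://deb.debian.org/debian bullseye main'

# Reads source lines on stdin; prints the active deb/deb-src entries that have
# no signed-by option inside their [...] option block.  Comments are skipped.
unscoped_apt_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' \
        | grep -v -E '\[[^]]*signed-by='
}

# Same check over a file, e.g. one of /etc/apt/sources.list.d/*.list.
audit_sources_file() {
    unscoped_apt_sources < "$1"
}

# Number of unscoped entries in the constructed sample (used by the self-check).
count_unscoped_sample() {
    printf '%s\n' "$SAMPLE_SOURCES" | unscoped_apt_sources | wc -l | tr -d ' '
}

# Usage: run the audit over the sample and over every .list file, if any exist.
printf '%s\n' "$SAMPLE_SOURCES" | unscoped_apt_sources
for f in /etc/apt/sources.list.d/*.list; do
    [ -f "$f" ] && audit_sources_file "$f"
done
```

The distribution's own archive entry will normally show up in the list, since it relies on the distro keyring in the global trust store by design; the entries worth acting on are third-party ones, where moving the vendor key to /usr/share/keyrings and adding `signed-by=` confines it to the repository it was installed for.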

                                                                                    1. 23

                                                                                      Unless there is something special about Microsoft’s repository, this is pure prejudice against Microsoft.

                                                                                      Microsoft has thankfully provided their software in a convenient repository, and the RPi Foundation chose to include it by default – nothing wrong with that.

                                                                                      Software providers should be judged on merit … oh well, the prejudice is somewhat deserved, but my point is that recent merits should weigh more than old.

                                                                                      1. 8

                                                                                        You mean like the way Windows 10 keeps installing random applications (Cortana, Skype, Spotify) without my ever asking for them? Or the constant whack-a-mole required to turn off telemetry in their flagship operating system?

                                                                                        They remain as hostile to user control as ever, but have learned to be a data vacuum too.

                                                                                        1. 4

                                                                                          recent merits should weigh more than old.

                                                                                          Linking to a wikipedia article on EWMA doesn’t really justify what you said. Many of us are old enough to remember the bullshit, destructive behavior of Microsoft, and are (rightfully so..) highly skeptical at Microsoft’s abrupt change of heart.

                                                                          Why do you feel that EWMA applies to human behavior, and to corporate/business strategy?

                                                                                          1. 2

                                                                            Exponential decay is simply the null hypothesis of decay (including perception of the past, I argue), because it makes the least amount of assumptions. Adding constraints, such as human lifetime, is a liability.

                                                                                            For starters, if you argue that people have a long memory, and businesses don’t change overnight, you are merely arguing for a long half-life of those exponential weights on which to perceive the past – perfectly within the model!

                                                                                          2. 4

                                                                                            Microsoft has recent merits?

                                                                                          3. 20

                                                                                            Yeah, this really feels overblown. They really think MS would bother linking your apt updates to your IP for advertising purposes? And so it makes it “ironic” that Pi-Hole would use it? Mountains out of molehills.

                                                                                            1. 13

                                                                                              bother linking your apt updates to your IP for advertising purposes

                                                                                              Who knows what they will use it for, but yes, absolutely. All of this data will end up in their lake and be joinable by what ever additional data they have on hand. They also have all of your github activity. I’d personally love to have all the IP addresses of someone running a raspberry pi.

                                                                                              This absolutely should have been opt-in.

                                                                                              1. 13

                                                                                                IP addresses are a lot less useful than people would think; they’re often cycled, and the increased prevalence of carrier-grade NAT makes it pretty much impossible to single out individuals. For consumer addresses it’s very hard to have insight about whether an IP from yesterday refers to the same person as today. You can’t “just join” it.

                                                                                                At any rate, using this information in these ways would be illegal. Doesn’t mean they can’t do it, but if the NSA can’t keep their secret data collection a secret, then I don’t think Microsoft can either. Secret cabals are hard to keep a secret, especially for long periods of time.

                                                                                                These large corporations are also a lot less monolithic than people seem to assume; I wouldn’t be surprised if the people in charge of Windows have hardly ever (or never!) spoken to the people in charge of GitHub. It’s not like they have regular meetings filled with moustaches twirling, diabolical laughter, and hatching of evil plots.

                                                                                                1. 6

                                                                                                  Both my IP address and my parents’ IP address rarely changes. I have been sshing from the outside for years without dynamic DNS. I don’t know what you mean by “it’s very hard to have insight,” but in practice IP addresses carry a lot of information that can be exploited. There is a tendency to overlook this and emphasize that the mapping is not perfect, as if this offers some degree of privacy protection. At best it offers some slight plausible deniability, but this does not prevent a data collector from having a very good guess of who an IP address corresponds to.

                                                                                                  This is especially true in cases where the data sent from your IP address is relatively uncommon. How many people in a given household or neighborhood are likely to be running a Raspberry Pi with Raspberry Pi OS? The same issue arises with Signal which falsely claims to protect the identity of the message sender.

                                                                                                  At any rate, using this information in these ways would be illegal. Doesn’t mean they can’t do it, but if the NSA can’t keep their secret data collection a secret, then I don’t think Microsoft can either. Secret cabals are hard to keep a secret, especially for long periods of time.

                                                                                                  So… we know that Microsoft is handing user data to the NSA? Hardly reassuring.

                                                                                                  Besides, the last window into the illegal NSA data collection operation (featuring Microsoft!) was in 2013. You don’t suppose there have been any developments since then? A sparse scattering of past leaks does not mean any current illegal program would’ve been leaked already.

                                                                                                  It’s not like they have regular meetings filled with moustaches twirling, diabolical laughter, and hatching of evil plots.

                                                                                                  If you’ve ever been to a coffee shop in Redmond, the moustache twirling is not as far fetched as one might think.

                                                                                                  1. 7

                                                                                                    If you’ve ever been to a coffee shop in Redmond, the moustache twirling is not as far fetched as one might think.

                                                                                                    … What? I have been to several coffee shops in Redmond and have no idea what you’re talking about

                                                                                                    1. 1

                                                                                                      ohh yeah i forgot redmond is a clean shaven oasis

                                                                                              2. 9

                                                                                                IMHO in light of what they’ve done with the (immutable) telemetry, privacy dark patterns, and non-removable apps in Windows 10, which I consider user abuse, Microsoft has lost the right to the benefit of the doubt. I respect people who opt for a more charitable view, maybe I’m just cynical.

                                                                                                1. 3

                                                                                                  The author entirely misses the real concern here with this move: by using microsoft repos, microsoft controls the software you install. You want to apt install some application? Well, you’re going to get that application as it is distributed by microsoft, and (the real kicker) potentially modified by microsoft. Things might be rosy now, but the opportunity here for microsoft is likely too great for them to “ignore” for long.

                                                                                                1. 2

                                                                                                  Would you mind summarizing for those of us with short attention spans?

                                                                                                  1. 9

                                                                                                    Browsers will never be done, because they’ve become operating systems, and operating systems themselves are never complete.

                                                                                                    Now look at our current popular options: Windows, Mac, Linux. Each have their own ecosystems.

                                                                                                    The web is currently “ChromeOS web”. This means it is pointless to build something like Firefox, which ends up being just an alternative “ChromeOS”. This is very similar to the Windows vs ReactOS scenario. It’s impossible for ReactOS to catch up.

                                                                                                    So what we need is a lot of people to get fed up and create the equivalent “Linux web”. We need a “POSIX web” of sorts. There are many Linux distributions but they are somewhat the same.

                                                                                                    1. 7

                                                                                                      POSIX web

                                                                                                      Just like POSIX is the lowest common denominator of (old) Unix systems, HTTP/1.1 and HTML 4 with Ecmascript 3 are the lowest common denominator of (old) web browsers. These standards are absolutely fine. The problem is developers’ endless hunger for new features and more new capabilities. POSIX tends to not be enough either if you want modern software that can do things like use cgroups (Linux only; for example, Docker just runs inside a Linux VM on Mac) or eBPF (Linux only). Most of the other *nixes are just playing catch up to Linux, except perhaps for OpenBSD which provides novel and useful APIs of their own like pledge and unveil, and of course Mac which is like a universe unto its own.

                                                                                                      So all in all, I don’t think this is going to happen. Innovation can’t be stopped and almost all the development power is behind Chrome (Linux) and anything new that’s implemented by Firefox (BSD) will eventually end up in some shape or form in Chrome (Linux).

                                                                                                      Edit: Ironically enough, I just noticed that you consider Linux to be the “alternative”, where I was comparing Linux to Chrome. Note that Linux != POSIX. In fact, POSIX is that which you rely on when you’re trying to write portable non-Linux-only software.

                                                                                                      1. 4

                                                                                                        The problem is developers’ endless hunger for new features and more new capabilities. POSIX tends to not be enough either if you want modern software that can do things like use cgroups (Linux only; for example, Docker just runs inside a Linux VM on Mac) or eBPF (Linux only).

                                                                                                        I think a lot of that “hunger” makes sense though; The Web™ isn’t really all that more complex than Qt (which already includes much more than just a GUI toolkit), or GTK3 + some libs (gstreamer, whatnot), or other desktop libraries/frameworks to build similar applications.

                                                                                                        The difference is mainly in the development model: I can ship a POSIX system and that will be useful because many things are built on top of that (not everything, as you pointed out), but I can’t ship a “HTML 4/ES 3” system and expect it to really be useful, since everything is driven by standards that are expected to be implemented rather than libraries built on top of the POSIX foundation.

                                                                                                        So I don’t think that HTML 4 + HTTP 1.1 + ES3 is really a “POSIX web”; as it won’t really allow me to build many useful applications, whereas POSIX does.


                                                                                                        I wouldn’t say this standards-driven model is “flawed” per se, but it does come with some serious drawbacks. It’s also not an easy problem to solve without basically chucking away everything we have now. Look at the discussions surrounding Python 2’s and Flash’s EOL this week to see how hard that is, and everyone is using IPv6 yet, right? Besides, this is not an easy problem to solve well in the first place.

                                                                                                        You see this “drive towards standards-driven complexity” even with much simpler systems like email. Reading and implementing RFC5321 (SMTP) and RFC5322 (message format) is not enough to implement a functional email client today: you need 10+ other specifications too if you want it to really be useful, even for plain text email, and 25+ specifications if you want it to be fully-featured. And even then you won’t be done yet because there are a number of unstandardised common behaviours too. It’s not as complex as the web as the scope is much smaller, but it’s the same issue really. This was also a big problem with XMPP.

                                                                                                        1. 2

                                                                                                          Thanks for your thoughtful and long reply!

                                                                                                          I can’t ship a “HTML 4/ES 3” system and expect it to really be useful.

                                                                                                          I dunno, people have been bending over backwards to keep stuff compatible with old versions of Internet Explorer for so long that I think it has proved that even buggy implementations of these standards are “useful”. Maybe not if you want to build videoconferencing or such, but for the majority of web apps, it was (and probably still is) enough.

                                                                                                          I wouldn’t say this standards-driven model is “flawed” per se, but it does come with some serious drawbacks.

                                                                                                          The biggest drawback being that those who decide what goes in the standard tend to be big stakeholders interested in the status quo.

                                                                                                          You see this “drive towards standards-driven complexity” even with much simpler systems like email.

                                                                                                          It makes sense of course. Popular system A adds a new feature which pulls people away from popular system B, so they decide to add that feature too to retain their users. Then they add another feature which system A then needs to add and so on and so forth. Incremental evolution of standards like this without an overarching vision is exactly what leads to complexity because more often than not, the features interact in weird ways or are not completely complementary so the need for another feature arises to paper over the seams.

                                                                                                          Unfortunately, I don’t really have a solution. I like the careful way the Scheme standard has evolved (even though it’s design by committee, it’s a committee of passionate people who come together with mostly the same vision), but its pace is so glacial it’s like watching paint dry, so it’s probably not an option for developing standards in this fast-paced business ;)

                                                                                                          1. 1

                                                                                                            I dunno, people have been bending over backwards to keep stuff compatible with old versions of Internet Explorer for so long that I think it has proved that even buggy implementations of these standards are “useful”. Maybe not if you want to build videoconferencing or such, but for the majority of web apps, it was (and probably still is) enough.

                                                                                                            You wouldn’t be able to easily express Lobster’s JS in ES3; it uses XMLHttpRequest for example, which is its own specification and not something you can write yourself with just JS. There are a few other things as well, such as localStorage which are pretty useful and their own standard and not something you can implement yourself in just JS.

                                                                                                            Then there’s the whole layout issue; floated divs to align things suck, as do tables, but those are the only options you have with HTML 4/CSS2. Flexboxes and Grid are pretty nice. And things like border-radius, box-shadow, opacity, etc. to replace all these hacks we previously did with images is pretty nice too.

                                                                                                            There are also things that don’t really need a standard IMO; for example the “drag and drop” thing, as you can easily just write a JS library to do this (and many exist already), but a lot of things that were added solve real problems that were much harder or impossible to solve before.

                                                                                                            I think a lot of problems are because of legacy and backwards compatibility; the whole HTML/CSS thing is so needlessly complex now that writing a “bug compatible” HTML renderer is quite the task, although writing a basic one is not that hard (I did it in a weekend last year).

                                                                                                            1. 1

                                                                                                              You wouldn’t be able to easily express Lobster’s JS in ES3; it uses XMLHttpRequest for example

                                                                                                              Sure - but you could absolutely do it with ES5.

                                                                                                              Did we need to add, say, fetch to the standard - given 99% of what it implements can be provided via a thin wrapper around XHR?

                                                                                                        2. 1

                                                                                                          Yep.

                                                                                                        3. 2

                                                                                                          Linux web

                                                                                                          The Gemini protocol? Or do you mean like Display PostScript?

                                                                                                          1. 1

                                                                                                            Probably more like nix-shell for “web applications” and then just the various internet protocols like ipfs, hypercore, https, etc.

                                                                                                            1. 1

                                                                                                              the language for web applications would be up to the author right? or are you envisioning some system where web application code is part of the standard?

                                                                                                              1. 1

                                                                                                                I mean the platform is linux and the application runs on the system and uses internet protocols. You’d use a package manager like nix or guix to install ephemeral apps and simulate the web experience.

                                                                                                                Sorry the reply wasn’t highlighted or I’d have answered sooner.

                                                                                                                1. 1

                                                                                                                  so this wouldn’t really be the “web,” it would be more like the pre-web world where each use case had its own protocol and application. if the web apps are running locally, they could just as well be native programs.

                                                                                                                  1. 1

                                                                                                                    Exactly. Native programs are the web apps of the next generation because microkernels are coming. The whole stack is shifting down one layer.

                                                                                                    1. 5

                                                                                                      Betteridge’s law strikes again.

                                                                                                      One of the key features of a blockchain, which the author tries to handwave away, is that every link in the chain is verifiable, and unalterable. The author tries to claim that because each commit carries a reference to its parent, it’s a “chain of blocks”, but it’s not so much a chain as just an order. You can edit the history of a git repo easily, reparent, delete, squash, and perform many other operations that entirely modify the entire chain. It was kinda made that way.

                                                                                                      1. 12

                                                                                                        The technical properties of git’s and common block chain data structures are relatively similar.

                                                                                                        You can also fork a bitcoin block chain and pretend that your fork is the canonical one. The special bit about block chains is that there’s some mechanism for building agreement about the HEAD pointer. Among other things, there’s no designated mover of that pointer (as in a maintainer in a git-using project), but an algorithm that decides which among competing proposals to take.

                                                                                                        1. 16

                                                                                                          They are technically similar because both a blockchain and a git repo are examples of a merkle tree. As you point out though the real difference is in the consensus mechanism. Git’s consensus mechanism is purely social and mostly manual. Bitcoin’s consensus mechanism is proof of work and mostly automated.

                                                                                                          1. 2

                                                                                                            Please stop referring to “Proof of _” as a consensus mechanism. It is an anti-sybil mechanism, the consensus mechanism is called “longest chain” or “Nakamoto consensus” - you can use a different anti-sybil mechanism with the same consensus mechanism (but you may lose some of the properties of bitcoin).

                                                                                                            The point is that there are various different combinations available of these two components and conflating them detracts from people’s ability to understand what is going on.

                                                                                                            1. 2

                                                                                                              You are right. I was mixing definitions there. Thanks for pointing it out. The main point still stands though. The primary distinction between a blockchain and git is the consensus mechanism and not the underlying merkle tree data structure that they both share.

                                                                                                            2. 1

                                                                                                              Mandatory blockchain != bitcoin. Key industrial efforts listed in https://wiki.hyperledger.org/ are mostly not proof-of-work in any way (the proper term for this is permissioned blockchain, which is where industrial applications are going).

                                                                                                              1. 2

                                                                                                                You are correct. I don’t disagree at all. I used bitcoin as an example because it’s well known. There are lots of different blockchains with different types of consensus mechanisms.

                                                                                                          2. 2

                                                                                                            You can make a new history but it will always be distinct from the original one.

                                                                                                            I think what you’re really after is the fact that there is no one to witness that things like the author and the date of a commit are genuine – that is, it’s not just that I can edit the history, I can forge a history.

                                                                                                            1. 1

                                                                                                              what was all that hullabaloo about git moving away from SHA-1 due to vulnerabilities? why were they using a cryptographic hash function in the first place?

                                                                                                              what you said makes sense, but it seems to suggest this SHA-1 thing was a bit of bikeshedding or theater

                                                                                                              1. 2

                                                                                                                Git uses a cryptographic hash function because it wants to be able to assume that collisions never occur, and the cost of doing so isn’t too large. A collision was demonstrated in SHA-1 in 2017.

                                                                                                                1. 3

                                                                                                                  SHA-1 still prevents accidental collisions. Was Git really designed to be robust against bad actors?

                                                                                                                  1. 1

                                                                                                                    ¯\_(ツ)_/¯

                                                                                                                    1. 1

                                                                                                                      The problem is that it was never properly defined what properties people expect from Git.

                                                                                                                      You can find pieces of the official Git documentation and public claims by Linus Torvalds that are seemingly in contradiction to each other. And the whole pgp signing part does not seem to be very well thought through.

                                                                                                                  2. 2

                                                                                                                    Because you can sign git commits and hash collisions ruin that.

                                                                                                                    1. 1

                                                                                                                      ah that makes some sense

                                                                                                                  3. 1

                                                                                                                    Technically you haven’t really made the others disappear. They are all still there just not easily viewed without using reflog. All you are really doing is creating a new branch point and moving the branch pointer to the head of that new branch when you do those operations. But to the average user it appears that you have edited history.
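An added example, not from any commenter on this thread, that models the three points made above: git's history is a hash chain (each commit object embeds its parent's id, so rewriting an ancestor gives every descendant a new id), "rewritten" history is still in the object store and reachable through the reflog, and a commit signature covers only the commit object's bytes, in which trees and parents appear as hashes. The object-id computation is git's real one (`hash("<type> <size>\0" + body)`, with `sha1` as the default and `sha256` as git's newer object format); the `ObjectStore` class is a constructed stand-in for git's object database, and the HMAC "signature" is a stand-in for GPG/SSH commit signing, not something git does.

```python
import hashlib
import hmac


def git_object_id(kind, body, algo="sha1"):
    # Exactly git's object id: hash("<kind> <size>\0" + body); "sha256" is git's newer format.
    return hashlib.new(algo, f"{kind} {len(body)}\0".encode() + body).hexdigest()


class ObjectStore:
    # Constructed model of git's object database, not git's own code. Objects are only
    # ever added, never replaced, so "rewritten" history stays in the store (cf. reflog).
    def __init__(self, algo="sha1"):
        self.algo = algo
        self.objects = {}   # oid -> (kind, body)
        self.reflog = {}    # ref -> list of oids it has pointed at, oldest first

    def put(self, kind, body):
        oid = git_object_id(kind, body, self.algo)
        self.objects.setdefault(oid, (kind, body))
        return oid

    def blob(self, data):
        return self.put("blob", data)

    def tree(self, entries):
        # entries [(mode, name, oid)] are stored as "<mode> <name>\0" + raw hash bytes
        body = b"".join(f"{mode} {name}\0".encode() + bytes.fromhex(oid)
                        for mode, name, oid in sorted(entries, key=lambda e: e[1]))
        return self.put("tree", body)

    def commit(self, tree, parents, message,
               ident="A U Thor <author@example.org> 1000000000 +0000"):
        body = f"tree {tree}\n" + "".join(f"parent {p}\n" for p in parents)
        body += f"author {ident}\ncommitter {ident}\n\n{message}\n"
        return self.put("commit", body.encode())

    def update_ref(self, ref, oid):
        self.reflog.setdefault(ref, []).append(oid)

    def header(self, oid, key):
        # Values of one header line ("tree", "parent") of a commit object.
        kind, body = self.objects[oid]
        assert kind == "commit"
        head = body.decode().split("\n\n", 1)[0].splitlines()
        return [line.split(" ", 1)[1] for line in head if line.startswith(key + " ")]


def history(store, oid):
    # First-parent ancestry from oid back to the root, newest first.
    out = []
    while oid is not None:
        out.append(oid)
        parents = store.header(oid, "parent")
        oid = parents[0] if parents else None
    return out


def build_chain(store, snapshots, root_message="commit 0"):
    # Commit single-file snapshots [(name, content)] one on top of the other.
    commits, parents = [], []
    for i, (name, content) in enumerate(snapshots):
        tree = store.tree([("100644", name, store.blob(content))])
        commits.append(store.commit(tree, parents, root_message if i == 0 else f"commit {i}"))
        parents = commits[-1:]
    return commits


SIGNING_KEY = b"constructed-demo-key"  # stand-in for a GPG/SSH key (assumption)


def sign_commit(store, oid):
    # A git signature covers the commit object's bytes, where tree and parents are present
    # only as hashes, so it is exactly as strong as the hash's collision resistance.
    # HMAC stands in for a real signature scheme here.
    return hmac.new(SIGNING_KEY, store.objects[oid][1], "sha256").hexdigest()


def verify_commit(store, oid, sig):
    return hmac.compare_digest(sign_commit(store, oid), sig)


def demo(algo="sha1"):
    store = ObjectStore(algo)
    snapshots = [("README", b"v1\n"), ("README", b"v2\n"), ("README", b"v3\n")]
    old = build_chain(store, snapshots)
    store.update_ref("refs/heads/main", old[-1])
    sig = sign_commit(store, old[-1])
    # Reword the root commit (as `git rebase -i` would) with identical file contents.
    new = build_chain(store, snapshots, root_message="commit 0, reworded")
    store.update_ref("refs/heads/main", new[-1])
    return {
        "ids_all_changed": all(a != b for a, b in zip(old, new)),
        "trees_unchanged": [store.header(c, "tree") for c in old] == [store.header(c, "tree") for c in new],
        "old_head_still_stored": old[-1] in store.objects,
        "old_head_in_reflog": store.reflog["refs/heads/main"][0] == old[-1],
        "old_chain_length": len(history(store, old[-1])),
        "old_signature_valid": verify_commit(store, old[-1], sig),
        "signature_transfers_to_new_head": verify_commit(store, new[-1], sig),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows every commit id changing after the reword even though no tree changed, the old head still present in the store and in the reflog, and the old signature verifying only against the old commit bytes. `git_object_id` reproduces real git ids (the blob `hello\n` hashes to `ce013625030ba8dba906f756967f9e9ca394464a`, the empty tree to `4b825dc642cb6eb9a060e54bf8d69288fbee4904`), which is the check to run if you adapt the model.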

                                                                                                                  1. 6

                                                                                                                    Wayland is one of the reasons I moved from Linux to Mac. Anti-systemd horseshit was another. I miss i3 and the technical superiority of the kernel, but it’s difficult to understate how little I miss this drama.

                                                                                                                    1. 3

                                                                                                                      macs still have web browsers that can access hackernews

                                                                                                                      1. 1

                                                                                                                        No, I’m doing this from inside virtualbox so I can browse the web.

                                                                                                                        1. 2

                                                                                                                          then you’re still exposed

                                                                                                                    1. 3

                                                                                                                      does this mean nerds will be buying nissans for the next 20 years

                                                                                                                      1. 22

                                                                                                                        This and many many other events in the last few months have shown everybody that we must get out of the silos (Google, WhatsApp, Facebook, Twitter, Reddit, Amazon, etc.). I’m glad that I’m using a Google-free Android (LineageOS), and even though it’s sometimes more work, freedom is never free, and there are many other great federated services around. You should also give an F-Droid-based Android like LineageOS a try.

                                                                                                                        If I may give advice to those promoting alternative silos (Signal, Threema, Telegram, etc.): It won’t take long until legislators, companies, etc. double down on them as well. The only way out is federation and you should definitely give Matrix a try.

                                                                                                                        1. 1

                                                                                                                          I can install any android app I want while also making use of the Play Store.

                                                                                                                          For now there is no major functional difference for most users.

                                                                                                                          1. 10

                                                                                                                            Being able to use the Play Store is a functional difference.

                                                                                                                        1. 6

                                                                                                                          Very small and nice to look at, but keep in mind the context and time in which it was written, and be careful not to base a new wm on this: It uses xlib, not xcb.

                                                                                                                          1. 1

                                                                                                                            xlib is built on top of xcb. See the xcb adoption page.

                                                                                                                            1. 4

                                                                                                                              It is, and that simplified the xlib codebase, but that doesn’t matter much to library users. XCB is a very thin wrapper around the X11 protocol. XLib provides a set of abstractions above the protocol. The problem with XLib is that it provides the wrong abstractions. It builds synchronous APIs on top of a fundamentally asynchronous protocol, which means it’s almost impossible to write code on top of XLib that performs well on a high-latency link.

                                                                                                                              1. 1

                                                                                                                                You’d think this problem would’ve motivated a different design back in the old days, when high-latency links were common, yet everyone used Xlib. What accounts for that?

                                                                                                                                1. 3

                                                                                                                                  I think it is because the problem is greatly exaggerated. There are some specific functions that have the round trip latency problem - XInternAtom, XGetWindowProperty, and querying extensions I know do this… there’s probably more but I can’t think of them right now.

                                                                                                                                  XInternAtom was particularly problematic in the day, so they moved to XInternAtoms - the batch version and you can do all the atoms you actually need in one go at startup. Problem solved. Extensions not as popular back then, but again, a relatively small number of calls at startup in most programs and not a huge deal. (Higher level toolkits may not use this optimization though, or request a lot more atoms than they actually need, making the problem look worse than it actually is.)

                                                                                                                                  XGetWindowProperty is used in protocols like copy paste, but that’s in response to specific events and accompanied with data so a little lag there isn’t a big deal… unless you use a higher level library that treats the clipboard as a whole to be a synchronous event. But Xlib doesn’t do that as a whole, just getting the next chunk.

                                                                                                                                  So I’d question if xlib is actually the problem in the first place.

                                                                                                                                  1. 1

                                                                                                                                    So what was the point of XCB? To spray XML over everything and make names longer?

                                                                                                                                2. 1

                                                                                                                                  What specific APIs would you blame? I just said this in another comment but I can’t think of very many.

                                                                                                                                3. 3

                                                                                                                                  Yes, but (unless I’m very much mistaken) Xlib is supposed to be deprecated, and new applications are to use XCB directly.

                                                                                                                              1. 33

                                                                                                                                Disclaimer: I represent a GitHub competitor.

                                                                                                                                The opening characterization of GitHub detractors is disingenuous:

                                                                                                                                The reasons for being against GitHub hosting tend to be one or more of:

                                                                                                                                1. it is an evil proprietary platform
                                                                                                                                2. it is run by Microsoft and they are evil
                                                                                                                                3. GitHub is American thus evil

                                                                                                                                GitHub collaborated with US immigration and customs enforcement under the Trump administration, which is a highly controversial organization with severe allegations of “evil”. GitHub also recently fired a Jewish employee for characterising armed insurrectionists wearing Nazi propaganda as Nazis.

                                                                                                                                It’s not nice to belittle the principles of people who have valid reasons to cite ethical criticisms of GitHub. Even if you like the workflow and convenience, which is Daniel’s main justification, other platforms offer the same conveniences. As project leaders, we have a responsibility to support platforms which align with our values. There are valid ethical and philosophical complaints about GitHub, and dismissing them because of convenience and developer inertia is cowardly.

                                                                                                                                1. 27

                                                                                                                                  GitHub collaborated with US immigration and customs enforcement under the Trump administration

                                                                                                                                  This makes it sound worse than it actually was: ICE bought a Github Enterprise Server license through a reseller. Github then tried to compensate by donating $500,000 to “nonprofit organizations working to support immigrant communities”.

                                                                                                                                  … other platforms offer the same conveniences.

                                                                                                                                  Maybe, but they definitely lack the networking effect that was one of the main points for curl to use Github.

                                                                                                                                  1. 24

                                                                                                                                    The inconsistency is what kills me here. Allowing ICE to have an account became a heinous crime against neoliberalism, meanwhile how many tech companies openly collaborated with the US military while we killed a million innocent people in Iraq? Or what about Microsoft collaborating with our government’s surveillance efforts?

                                                                                                                                    I’m not even engaging in what-about-ism here in the sense that you must be outraged at all the things or none. I’m suggesting that ICE outrage is ridiculous in the face of everything else the US government does.

                                                                                                                                    Pick less ridiculous boogeymen please.

                                                                                                                                    1. 20

                                                                                                                                      I see a lot of the same people (including myself) protesting all of these things…

                                                                                                                                      I feel like I should say something to make this remark longer, and less likely to be taken as hostile, but that’s really all I have to say. Vast numbers of people are consistently opposing all the things you object to. If you’re attempting to suggest that people are picking only one issue to care about and ignoring the other closely related issues, that’s simply wrong - factually, that is not what is happening. If you’re not trying to suggest that, I don’t understand the purpose of your complaint.

                                                                                                                                      1. 13

                                                                                                                                        The inconsistency is what kills me here.

                                                                                                                                        Also:

                                                                                                                                        1. Free Software and Open Source should never discriminate against fields of endeavour!
                                                                                                                                        2. GitHub should discriminate against this particular organisation!

                                                                                                                                        and:

                                                                                                                                        1. We need decentralised systems that are resistant to centralised organisation dictating who can or can’t use the service!
                                                                                                                                        2. GitHub should use its centralised position to deny this service to this particular organisation!

                                                                                                                                        Anyway, how exactly will curl moving away from GitHub or GitHub stopping their ICE contract help the people victimized by ICE? I don’t see how it does, and the entire thing seems like a distraction to me. Fix the politics instead.

                                                                                                                                        1. 14

                                                                                                                                          Is some ideological notion of consistency supposed to weigh more heavily than harm reduction in one’s ontological calculus? Does “not discriminating against a field of endeavor” even hold inherent virtue? The “who” and “on what grounds” give the practice meaning.

                                                                                                                                          If I endeavor to teach computer science to under-served groups, and one discriminated against my practice due to bigotry, then that’s bad. If I endeavor to make a ton of money by providing tools and infrastructure to a power structure which seeks to violate the human rights of vulnerable populations, you would be right to “discriminate” against my endeavor.

                                                                                                                                          Anyway, how exactly will curl moving away from GitHub or GitHub stopping their ICE contract help the people victimized by ICE?

                                                                                                                                          I don’t think anyone here has suggested that if curl were to move away from github that it would have an appreciable or conclusive impact on ICE and its victims. The point of refusing to work for or with ICE or their enablers is mainly to raise awareness of the issue and to build public opposition to them, which is a form of direct action - “fixing the politics” as you put it. It’s easy to laugh at and dismiss people making noise online, or walking out of work, or writing a heated blog post, but as we’ve seen over the last decade, online movements are powerful forces in democratic society.

                                                                                                                                          1. 8

                                                                                                                                            Is some ideological notion of consistency supposed to weigh more heavily than harm reduction in one’s ontological calculus?

                                                                                                                                            If you’re first going to argue that 1) is unethical and should absolutely never be done by anyone and then the next day you argue that 2), which is in direct contradiction to 1), is unethical and should absolutely never be done by anyone then I think there’s a bit of a problem, yes.

                                                                                                                                            Because at this point you’re no longer having a conversation about what is or isn’t moral, and what the best actions are to combat injustices, or any of these things; instead you’re just trying to badger people into accepting your viewpoint on a particular narrow issue.

                                                                                                                                            1. 3

                                                                                                                                              If you’re first going to argue that 1) is unethical and should absolutely never be done by anyone and then the next day you argue that 2), which is in direct contradiction to 1), is unethical and should absolutely never be done by anyone then I think there’s a bit of a problem, yes.

                                                                                                                                              Does anyone say that, though?

                                                                                                                                          2. 12

                                                                                                                                            Your first two points are a good explanation of the tension between the Open Source and Ethical Source movements. I think everyone close to the issue is in agreement that, yes, discriminating against militant nationalism is a form of discrimination, just one that ought to happen.

                                                                                                                                            There was some open conflict last year between the Open Source Institute, and the group that became the Organization for Ethical Source. See https://ethicalsource.dev/ for some of the details.

                                                                                                                                            Your second two points, also, highlight a real and important concern, and you’ve stated it well. I’m personally against centralized infrastructure, including GitHub. I very much want the world to move to decentralized technical platforms in which there would be no single entity that holds the power that corporations presently do. However, while centralized power structures exist, I don’t want those structures to be neutral to injustice. To do that is to side with the oppressor.

                                                                                                                                            (Edit: I somehow wrote “every” instead of “everyone”. Too many editing passes, I guess. Oops.)

                                                                                                                                            1. 11

                                                                                                                                              To clarify: this wasn’t really intended as a defence of either the first or second points in the contradictions, I just wanted to point out that people’s views on this are rather inconsistent, to highlight that the issue is rather more complex than some people portray it as. To be fair, most people’s worldviews are inconsistent to some degree, mine certainly are, but then again I also don’t make bold absolute statements about these sorts of things and insult people who don’t fit in with that.

                                                                                                                                              I think that both these issues are essentially unsolvable; similar to how we all want every criminal to be convicted but also want zero innocent people to be convicted unjustly. This doesn’t mean we shouldn’t try, but we should keep a level head about what we can and can’t achieve, and what the trade-offs are.

                                                                                                                                              I don’t want those structures to be neutral to injustice. To do that is to side with the oppressor.

                                                                                                                                              In Dutch we have a saying I rather like: “being a mayor in wartime”. This refers to the dilemma of mayors (and journalists, police, and so forth) during the German occupation. To stay in your position would be to collaborate with the Nazis; but to resign would mean being replaced with a Nazi sympathizer. By staying you could at least sort of try to influence things. This is a really narrow line to walk though, and discussions about who was or wasn’t “wrong” during the war continue to this day.

                                                                                                                                              I don’t think GitHub is necessarily “neutral to injustice”, just like the mayors during the war weren’t. I know people love to portray GitHub as this big evil company, but my impression is that GitHub is actually not all that bad; I mean, how many other CEOs would have joined youtube-dl’s IRC channel to apologize for the shitty situation they’re in? Or would have spent time securing a special contract to provide service to Iranian people? Or went out of their way to add features to rename the default branch?

                                                                                                                                              But there is a limit to what is reasonable; no person or company can be unneutral to all forms of injustice; it would be debilitating. You have to pick your battles; ICE is a battle people picked, and IMO it’s completely the wrong one: what good would cutting a contract with ICE do? I don’t see it, and I do see a lot of risk in alienating the government of the country you’re based in, especially considering that the Trump administration was not exactly known for its cool, level-headed, and calm responses to (perceived) slights. Besides, in the grand scheme of injustices present in the world ICE seems small fry.

                                                                                                                                              And maybe all tech companies putting pressure on ICE would have made an impact in changing ICE’s practices; I don’t really think it would, but let’s assume it would. But what does that mean? A bunch of undemocratic companies exerting pressure to change the policy of a democratically elected government. Yikes? Most of the time I see corporate influence on government it’s not for the better and I would rather we reduce this across the board, which would also reduce the potential “good influences”, but the bad influences so vastly outnumber the good ones that this is a good trade.

                                                                                                                                              1. 6

                                                                                                                                                Yes, those are all fair and thoughtful points. I agree very much that with any system, no matter how oppressive, if one has a position of power within the system it’s important to weigh how much good one can do by staying in, against how much they can do by leaving. I rather wish I were living in times that didn’t require making such decisions in practice so frequently, but none of us get to choose when we’re born.

                                                                                                                                                On the strategic point you raise, I disagree: I do think the GitHub/ICE issue is a valuable one to push on, precisely because it prompts conversations like this. Tech workers might be tempted to dismiss our own role in these atrocities; I think it’s important to have that reminder. However, I very much acknowledge that it’s hard to know whether there’s some other way that might be better, and there’s plenty of room for disagreement, even among people who agree on the goals.

                                                                                                                                                When I was young, I was highly prone to taking absolute positions that weren’t warranted. I hope if I ever fall back into those old habits, you and others will call me out. I do think it’s really important for people who disagree to hear each other out, whenever that’s feasible, and I also think it’s important for us all to acknowledge the limits of our own arguments. So, overall, thank you for your thoughts.

                                                                                                                                                1. 2

                                                                                                                                                  I recently read a really approachable article from the Stanford Encyclopedia of Philosophy (via HN), which I found really interesting and balanced in highlighting the tensions between (in this case study) “free speech” and other values. To me it also helps to understand that those apparent “conflicts of interest” are still rather possible to balance (if not trivially) given good will; and IMO that the “extreme positions” are something of a possibly unavoidable simplification - given that even when analyzing the positions of renowned philosophers, skilled at precise expression, it’s not always completely clear where they sat.

                                                                                                                                                  https://plato.stanford.edu/entries/freedom-speech/

                                                                                                                                                  edit: though I am totally worried when people refuse to even discuss those nuances and to explore their position in this space of values.

                                                                                                                                                  1. 7

                                                                                                                                                    Anyone with a sincere interest in educating themselves about the concept of free speech and other contentious issues will quickly learn about the nuances of the concepts. Some people will however not give a fig about these nuances and continue to argue absolutist positions on the internet, either to advance unrelated political positions or simply to wind people up.

                                                                                                                                                    Engaging with these people (on these issues) is generally a waste of time. It’s like wrestling with a pig - you’ll get dirty and the pig enjoys it.

                                                                                                                                                    1. 3

                                                                                                                                                      I’m not sure I agree that anyone who makes a sincere effort will learn about the nuances. The nuance is there, but whether people have the chance to learn it is largely a function of whether the social spaces they’re in give them the chance to. I’m really worried about how absolutist, reactionary positions are the bulk of discussion on social media today. I think we all have an obligation to try to steer discussions away from reductive absolutism, in every aspect of our lives.

                                                                                                                                                      With that said, it’s clear you’re coming from a good place and I sympathize. I only wish I felt that not engaging is clearly the right way; it would be easier.

                                                                                                                                                      1. 5

                                                                                                                                                        I’ll have to admit that my comment was colored by my jaundiced view of the online conversation at this point in time. “Free speech” has become a shibboleth among groups who loudly demand immunity from criticism, and who expect their wares to be subsidized in the Marketplace of Ideas, but who would not hesitate to restrict the speech of their enemies should they attain power.

                                                                                                                                                        I’m all for nuanced discussion, but some issues are just so hot button it’s functionally useless in a public forum.

                                                                                                                                                        1. 3

                                                                                                                                                          I completely understand, and that’s very fair.

                                                                                                                                                          I agree with your assessment but, purely for myself and not as something I’d push on others, I refuse to accept the outcome of stepping back from discussion - because that would be a win for reactionary forms of engagement, and a loss for anyone with a sincere, thought-out position, wherever they might fall on the political spectrum.

                                                                                                                                                          It’s fine to step back and say that for your own well-being, you can’t dedicate your efforts to being part of the solution to that. You can only do what you can do, and no person or cause has a right to demand more than that. For myself, only, I haven’t given up and I’ll continue to look for solutions.

                                                                                                                                              2. 6

                                                                                                                                                There are a lot of people in the OSS community who don’t agree with your first point. You might find it contradictory, or “wrong” (And sure, I guess it wouldn’t be OSI certified if you codified it in a license). But it’s what a decent part of the community thinks.

                                                                                                                                                And the easy answer to your comment about helping, let’s do the contrary. ICE has policies. Selling them tools to make it easier is clearly helping them to move forward on those policies. Just like AWS was helping Parler exist by offering its infrastructure. You can have value judgements or principles regarding those decisions, but you can’t say that it doesn’t matter at all.

                                                                                                                                                And yeah, maybe there’s someone else who can offer the services. But maybe there are only so many Github-style services out there! And at one point it starts actually weighing on ICE’s ability to do stuff.

                                                                                                                                                Of course people want to fix the politics. But lacking that power, people will still try to do something. And, yeah, people are allowed to be mad that a company is doing something, even if they probably shouldn’t be surprised.

                                                                                                                                                1. 4

                                                                                                                                                  And yeah, maybe there’s someone else who can offer the services. But maybe there are only so many Github-style services out there! And at one point it starts actually weighing on ICE’s ability to do stuff.

                                                                                                                                                  I’d expect ICE to be more than capable of self-hosting GitLab or some other free software project.

                                                                                                                                                  Of course people want to fix the politics. But lacking that power, people will still try to do something.

                                                                                                                                                  I don’t think it’s outside of people’s power to do that, but it is a lot harder, and requires more organisation and dedication. And “doing something” is not the same as “doing something useful”.

                                                                                                                                                  As for the rest, I already addressed most of that in my reply to Irene’s comment, so I won’t repeat that here.

                                                                                                                                              3. 12

                                                                                                                                                no disagreement with your main point, but… a crime against neoliberalism?

                                                                                                                                                1. 4

                                                                                                                                                  I think they mean against the newest wave of liberal politics in the US. Not the actual term neoliberalism which—as you clearly know—refers to something completely different, if not totally opposite.

                                                                                                                                                2. 10

                                                                                                                                                  There are active campaigns inside and outside most companies about those issues. It’s not like https://notechforice.com/ exists in a bubble. Amazon, Google, Microsoft, Palantir, Salesforce and many others have been attacked for this. Clearly the DoD created the Silicon Valley and the connections run deep since the beginning, but these campaigns are to raise awareness and build consensus against tech supporting imperialism, concentration camps and many other crimes committed by the American Government against its citizens or foreign countries. But you have to start somewhere: political change is not like compiling a program, it’s not on and off, it’s nuanced and complex. Attacking (and winning) stuff like Project Maven or ICE concentration camps is a way to show that you can achieve something, break the tip of the iceberg and use that to build bigger organizations and bigger support for bigger actions.

                                                                                                                                                  1. 1

                                                                                                                                                    Clearly the DoD created the Silicon Valley and the connections run deep since the beginning

                                                                                                                                                    Oh, I’d love to be red-pilled into that!

                                                                                                                                                3. 22

                                                                                                                                                  This makes it sound worse than it actually was: ICE bought a GitHub Enterprise Server license through a reseller.

                                                                                                                                                  LA Times:

                                                                                                                                                  In a fact sheet circulating within GitHub, employees opposing the ICE contract wrote that the GitHub sales team actively pursued the contract renewal with ICE. The Times reviewed screenshots of an internal Slack channel after the contract was renewed on Sept. 4 that appear to show sales employees celebrating a $56,000 upgrade of the contract with ICE. The message, which congratulated four employees for the sale and was accompanied by emojis of a siren, bald eagle and American flag, read “stay out of their way. $56k upgrade at DHS ICE.” Five people responded with an American flag emoji.

                                                                                                                                                  It was not as much at arm’s length as they’d like you to believe. Several prominent organisations rejected offers of parts of the $500k donation because they didn’t want to be associated with the ICE contract. Internally the company was shredded as it became clear that GitHub under MSFT would rather be torn apart inside than listen to employees and customers and commit to stop serving ICE in the future.

                                                                                                                                                  There were plenty of calls to cancel the contract immediately, which might’ve been a pipedream, but even the more realistic “could we just not renew it in future” was met with silence and corporatespeak. Long-serving employees asking “well, if this isn’t too far for us, what concretely would be over the line?” in Q&As were labelled hostile, and most certainly not answered.

                                                                                                                                                  1. 15

                                                                                                                                                    We could debate the relative weight of these and other grievances here, but I’d rather not. My point is simply that the ethical concerns are based on reason, and Daniel’s blithe dismissal of them is inappropriate.

                                                                                                                                                    1. 7

                                                                                                                                                      Could you elaborate on the reasons?

                                                                                                                                                      You state that the reasons exist, and you give an example of someone you think github should reject as a customer. But you don’t talk about what those reasons are, or really go into principles, rationales or philosophy at all.

                                                                                                                                                      I worry that without a thought-through framework, your attitude degenerates into mindless shitstorms.

                                                                                                                                                      1. 4

                                                                                                                                                        He has not engaged with the ethical concerns you raise. That may well be because he is simply not aware of them. You are overinterpreting that as “blithe dismissal”.

                                                                                                                                                    2. 10

                                                                                                                                                      The firing of the employee has been reversed.

                                                                                                                                                      1. 10

                                                                                                                                                        Just an honest question: does this poop management actually make them look better to you? Despite this being a reaction to public outrage that would have hurt the company? Like, do you think they did that out of guilt or something like that?

                                                                                                                                                        1. 3

                                                                                                                                                          Considering the fired employee was reinstated and the head of HR resigned, this looks like a much more substantive concession than the employment status Ctrl-Z that internet outrages usually produce.

                                                                                                                                                          1. 3

                                                                                                                                                            How? Isn’t the “let’s sacrifice a scapegoat without fundamentally changing anything” a quite common strategy?

                                                                                                                                                            1. 2

                                                                                                                                                              None of us know the details of this case. It’s way too easy to form a conclusion from one party, especially if they’re not bound by law from discussing sensitive HR details openly.

                                                                                                                                                              So while I can project a hope that this is a lasting change at GH, you are free to cynically dismiss it as window dressing. The facts, as we know them, support either view.

                                                                                                                                                        2. 16

                                                                                                                                                          Aye, and I commend them for that. But that doesn’t change the fact that “retaliated against an employee who spoke out against Nazism” is a permanent stain on their reputation which rightfully angers many people, who rightfully may wish to cease using the platform as a result. Daniel’s portrayal of their concerns as petty and base is not right.

                                                                                                                                                          1. 2

                                                                                                                                                            Not only that but the HR person who fired him was fired.

                                                                                                                                                            1. 4

                                                                                                                                                              Probably out of convenience and not actually the person who gave the order. At least, I think that’s the case more than we know.

                                                                                                                                                              1. 5

                                                                                                                                                                The person who resigned was the head of HR. It almost certainly wasn’t the person who made the call, or even their manager, it was likely their manager’s manager. That sends a pretty strong signal to the rest of HR that there will be consequences for this kind of thing in the future.

                                                                                                                                                                1. 1

                                                                                                                                                                  Damn, the head of HR!? What a turnover. Maybe that means they’re taking this more seriously than I thought at first.

                                                                                                                                                          2. 7

                                                                                                                                                            Every time someone asked me to move away from GitHub it’s been because “it’s not Free Software” and various variants of “vendor lock-in” and “it’s centralized”. I am aware there are also other arguments, but those have not been stated in the two instances people asked me to move away from GitHub. What (probably) prompted this particular Twitter thread and that doesn’t mention ICE or anything like that (also: 1 2). Most comments opposed to GitHub on HN or Lobsters don’t focus on ICE either.

                                                                                                                                                            That you personally care a great deal about this is all very fine, but it’s not the most commonly used argument against GitHub.

                                                                                                                                                            There are valid ethical and philosophical complaints about GitHub

                                                                                                                                                            According to your view of ethics, which many don’t share.

                                                                                                                                                            1. 2

                                                                                                                                                              I think that asking someone to change their infrastructure based solely on personal preferences is a step or two too far, be it based on ethics or ergonomics (“all the other code I use is on GitHub, yours should be too”).

                                                                                                                                                              It’s at the very least a bunch of work to move, and the benefit is likely small. You’ve already made a choice when deciding to put your code where it is, so why would you want to change it?

                                                                                                                                                              If asked, I’d recommend using something other than Github to work against the monoculture we’re already pretty deep in, but I don’t see myself actively trying to persuade others to abandon them.

                                                                                                                                                            2. 4

                                                                                                                                                              Isn’t sr.ht hosted and incorporated in the US? Or are only points (1) and (2) valid? :-D

                                                                                                                                                              GitHub also fought the US Gov to get Iranian developers access to their platform, which is also helping your platform as far as I know. https://github.blog/2021-01-05-advancing-developer-freedom-github-is-fully-available-in-iran/

                                                                                                                                                              Any organization that is large enough will have some incidents which, when cherry-picked, can be used to paint the organization as evil. But really what happens is that they represent humanity. In terms of evil, you don’t have to look far to see much worse groups of people than GitHub.

                                                                                                                                                              IMO a more compelling argument would be centered around how he is an open-source developer, depending on a closed platform. Daniel’s utilitarian view is understandable but also short-thinking. He is contributing towards building this monolith just by using it.

                                                                                                                                                              1. 20

                                                                                                                                                                Or are only points (1) and (2) valid? :-D

                                                                                                                                                                None of the points Daniel raises are valid, because they’re strawmen, and bad-faith portrayals of actual positions.

                                                                                                                                                                Actual argument: “GitHub, an American company, is choosing to cooperate with ICE, an American institution which is controversial for its ethical problems”

                                                                                                                                                                Bad faith re-stating: “GitHub is American thus evil”

                                                                                                                                                                There is nuance here, and indeed you’ve found some of it, but a nuanced argument is not what Daniel is making.

                                                                                                                                                              2. 6

                                                                                                                                                                collaborated with US immigration and customs enforcement

                                                                                                                                                                I think “is American and thus evil” definitely covers this.

                                                                                                                                                                1. 2

                                                                                                                                                                  Why are two [1, 2] of your most popular projects primarily hosted on github?

                                                                                                                                                                  1. https://github.com/swaywm/sway

                                                                                                                                                                  2. https://github.com/swaywm/wlroots

                                                                                                                                                                  1. 19

                                                                                                                                                                    I have been gradually moving off of GitHub, but not all at once. A few months ago I finished migrating all of the projects under my user namespace (github.com/ddevault) to SourceHut. Last week I also announced to my GitHub Sponsors supporters that I intend to leave the program, which is almost certain to cause me to lose money when many of them choose not to move to my personal donation platform (which has higher payment processing fees than GitHub does, so even if they all moved I would still lose money). If you intend to imply that I am a hypocrite for still using GitHub, I don’t think that holds very much weight.

                                                                                                                                                                    Regarding those two projects in particular, some discussion was held about moving to gitlab.freedesktop.org last year, but it was postponed until the CI can be updated accordingly. In any case, I am no longer the maintainer of either project, and at best only an occasional contributor, so it’s not really my place nor my responsibility to move the projects elsewhere. I think that they should move, and perhaps a renewed call for doing so should be made, but it’s ultimately not my call anymore.

                                                                                                                                                                    1. 10

                                                                                                                                                                      If you intend to imply that I am a hypocrite for still using GitHub, I don’t think that holds very much weight.

                                                                                                                                                                      Nope, I was just genuinely curious since I don’t follow you that closely, and hadn’t heard any explanation or reasoning why those repos are still on github when I have heard you explain your position regarding github multiple times. So it seemed odd, so I asked.

                                                                                                                                                                      In any case, thanks for explaining! I hope those projects are moved off too (@emersion !)

                                                                                                                                                                      1. 6

                                                                                                                                                                        Cool, makes sense. Thanks for clarifying.

                                                                                                                                                                      2. 2

                                                                                                                                                                        I love that you represent another point of view here. I firmly believe that free software needs free tools. We don’t want history to repeat. And yes, there will be some sacrifice for the switch.

                                                                                                                                                                        Watching your actions closely for months, you represent how a free software leader should be.

                                                                                                                                                                  1. 2

                                                                                                                                                                    Am I the only one who sees WebRTC as a pile of security problems without benefit? Just yesterday we had https://lobste.rs/s/dpu0vt/nat_slipstreaming_v2_0_new_attack_variant which leans on multiple issues, but WebRTC is always a part of compromising networks these days.

                                                                                                                                                                    If there’s a task that requires NAT traversal, keeping it in its own process means it’s inaccessible to be used as a drive-by from any page I happen to visit. A router can’t distinguish malicious drive-by use from legitimate use.

                                                                                                                                                                    1. 3

                                                                                                                                                                      without benefit

                                                                                                                                                                      WebRTC provides a huge benefit in that it allows plugin-less video calls from browsers. Especially during the ongoing pandemic, video calls have gained a lot of importance to the point where I feel none of us here can go even a week without participating in some kind of video call.

                                                                                                                                                                      I’d much rather do my video calls through a browser which provides excellent isolation from the system it’s running on and which has some of the best security teams of the world working on keeping it secure, none of which is true for any of the alternative native video call applications.

                                                                                                                                                                      There’s no alternative for in-browser video calls than WebRTC, so at least for right now, given the current situation we’re all in, I think WebRTC provides a huge security benefit compared to not having it.

                                                                                                                                                                      1. 2

                                                                                                                                                                        Maybe some benefit?

                                                                                                                                                                        1. P2P connections via browser.
                                                                                                                                                                        2. Load balancing via multi cloud instances that just need to turn on rather than be included in DNS or behind a proxy.

                                                                                                                                                                        I haven’t seen it used yet but I think it sounds pretty practical.

                                                                                                                                                                        1. 1

                                                                                                                                                                          I guess the benefit is that it exists and works?

                                                                                                                                                                          Unless there’s some alternative that also works? The old Jitsi has been nearly memory holed and never worked well anyway.

                                                                                                                                                                          1. 1

                                                                                                                                                                            The alternative that I’m suggesting is to not use a browser for this. Right now I’m in a call in Teams, which is really just Electron so it’s built on a browser stack – but it’s not the same browser instance that’s being used to visit arbitrary web sites. I’d like to make this distinction very strict to prevent drive-by sites from using WebRTC network capabilities.

                                                                                                                                                                            1. 3

                                                                                                                                                                              The Zoom app has a terrible security track record (e.g. taking months to fix an issue that allowed an attacker on the Internet to turn on the camera and microphone and grab whatever they captured) so there’s absolutely no way that I’ll ever install their app on any computer that I use. WebRTC means that, when I have to join a Zoom call, I can do so via the web browser, whose security I trust somewhat more.

                                                                                                                                                                        1. 6

                                                                                                                                                                          Tinywm and the likes of micro wm for X made me play and plan to make my own micro wm for my needs. After I moved to Wayland, I knew that would never happen with a compositor framework. I think this is what I was the most disappointed from when I switched from X to Wayland. No more easy way to create a fun micro wm in a reasonable amount of time. Maybe one day the kind of dumbed down API/lib will land to recreate the opportunities to make that approachable again.

                                                                                                                                                                          1. 9

                                                                                                                                                                            just use X dude

                                                                                                                                                                            1. 6

                                                                                                                                                                              I think this is what I was the most disappointed from when I switched from X to Wayland

                                                                                                                                                                              Why switch, then?

                                                                                                                                                                              1. 5

                                                                                                                                                                                Because Xorg isn’t really maintained and X hasn’t reached the place where it doesn’t need maintenance yet so it will suffer bitrot.

                                                                                                                                                                                1. 1

                                                                                                                                                                                  Maybe it isn’t “really” maintained because it hasn’t yet suffered bitrot?

                                                                                                                                                                                2. 3

                                                                                                                                                                                  Simply because I am on Fedora with Gnome and Sway as my main drivers for the last five years and when the switch from X to Wayland was done, that was it. I don’t have strong opinions about X or Wayland (and do not really care to forge one). And my “biggest disappointment” was basically “oh one of your side projects that you never managed to take the time for, it’s a dead end now”. I mean that is a minor grudge and besides that I stopped distro-hopping and using a netbook a while ago.

                                                                                                                                                                                  Fedora is doing fine and Gnome is useful when someone has to use my computer, Sway is stable enough to let me play with its config and provide what I look for. I do not want to go back to fiddling with every step of my config or at least not this part of my config files.

                                                                                                                                                                                3. 2

                                                                                                                                                                                  You could probably write a short compositor if you relied on a support library like WayFire.

                                                                                                                                                                                  1. 2

                                                                                                                                                                                    Unfortunately, WayFire is based on wlroots which doesn’t support the proprietary nvidia driver. It does support nouveau, but I wasn’t able to get it working on my 4-year-old card and it doesn’t support anything after the 10xx series.

                                                                                                                                                                                    There are no plans to support it either: https://github.com/swaywm/sway/wiki#nvidia-users https://www.reddit.com/r/swaywm/comments/gvk4np/nvidia_support/ This is unfortunate for multiple reasons, but especially because nvidia has something like 75-80% of the desktop graphics card market.

                                                                                                                                                                                    For me, this makes Wayland pretty much dead in the water: my desktop is a gaming machine which I also dual boot for development, and the primary toolkit for building compositors doesn’t work with many modern GPUs (which you obviously want for gaming), and I prefer to use something that can be used on both my laptop and desktop. If I insist on using wayland, that pretty much limits me to Gnome and KDE, which isn’t ideal.

                                                                                                                                                                                    1. 1

                                                                                                                                                                                      Fair enough.

                                                                                                                                                                                1. 9

                                                                                                                                                                                  GitHub is a net positive for individual projects in the same way that using LinkedIn is a net positive if you are looking for a job or Microsoft Office is a net positive if you want your employees to be productive. All of these things have network effects that enhance Microsoft’s ability to surveil and control society, and some people think this is worth resisting.

                                                                                                                                                                                  Sad to see that the author reduces this point to the strawman “Microsoft is evil.” Does he think Microsoft is good? Why does he think they are offering this purely good service?