Threads for calpaterson
-
Instead of doing everything in a GitHub Action separately, I suggest pre-commit: https://pre-commit.com/ It’s better because:
- The same tasks can be run locally.
- The tools are pinned, formatting, linting rules will be the same. When you ran it locally, it will pass on CI.
- The whole team can run the same tests, no need to wait problems in CI, it’s too late.
- Checks can run in pre-commit Git hooks, so no mistakes in review/CI etc.
-
A better tool for python specifically is tox which is like make/rake specifically for python builds. It’s designed to be the glue between jenkins/etc and your tests. It knows all about virtualenvs and so on.
I found pre-commit much more invasive in the past - you’re typically deciding everyone’s local development workflow centrally. I also don’t see why there is any connection between git commits/pushes and having a clean build. eg I’m making progress on a bug and want to save my game and git commit fails with “nope! variable name too short!”
-
What you described sounds annoying, but on the other hand, I’m yet to personally work with someone that actually does the “commit often and in small chunks” thing IRL. I might do it sometimes but it’s pretty rare.
It’s also something easy to work around, I think, with pre-commit.
A much bigger problem I’ve found, specially when working with lots of inexperienced people, is that everyone will develop their own, ad-hoc, often horrible, local workflow, and a lot of time gets spend on code review checking for things that all those tools could catch locally, automatically. I found that that trumps the inconvenience of pre-commit.
If your working with seasoned devs, though, I can see how your priorities could be different.
-
A much bigger problem I’ve found, specially when working with lots of inexperienced people, is that everyone will develop their own, ad-hoc, often horrible, local workflow, and a lot of time gets spend on code review checking for things that all those tools could catch locally, automatically. I found that that trumps the inconvenience of pre-commit.
That isn’t a usecase for pre-commit per se, that is a usecase for having any kind of branch CI. There are numerous tools that will allow you to run your build on a branch but pre-commit is about tying build to unrelated git activities like commit/push/rebase/etc
-
I partially agree. Current teams I work with have a decent CI, so code review time is better spent, but I’m still seeing loads of commits fixing stuff caught by the CI. Which means they are mostly not running things locally. Pre-commit is a convenient interface to give to them to run things locally.
-
I read that more as pre-commit is convenient for you because you’ve forced them to run things locally. Which I don’t totally disagree with, but a couple issues I do have are:
- Hooking pre-commit seems like the worst time to force the extra step into the process… either you should be doing it as you work, or you should be doing it at the end in handling a PR. Forcing it piecemeal at random times when you happen to commit just seems like the worst option as the work isn’t necessarily fresh in your mind, and you’re in the middle of trying to accomplish something else, but you get pulled into handling the failures immediately.
- This approach also assumes you have invested in making the pre-commit environment 100% reliable and consistent with the CI workers… which is the ideal we would hope for, but I don’t always see in practice. I’ve frequently seen pre-commits that rely on something like node/npm blowing up frequently even when you’re not touching (or even know anything about) frontend, so people just disable the pre-commit and push to CI anyway to see if it works there, because who really wants to debug the npm failure of the day if it might be ok on the worker anyway?
-
I can see how those can be valid concerns in general.
They don’t apply to my case, because, as I mentioned, no one I work with really does the “commit often and in small chunks” thing, our projects are all only python, no frontend, and the set of tools we run on CI is not that big.
I would say that pushing to see if it works on CI is kinda of a antipattern, though, and something that should be fixed somehow. Maybe not with pre-commit, but people shouldn’t feel forced to push to remote and wait a potentially long time just to see if their code work.
By the way, on making local validation consistent with CI, this is a big beef I have with most CI systems, it’s basically impossible to reuse the CI setup to do validation locally.
-
as I mentioned, no one I work with really does the “commit often and in small chunks” thing
I often see the same, but that seems to make it worse in my mind. If you’re frequently committing, then at least anything that fails a precommit should be fresh in your mind and likely relevant to the reason you were committing. When users pile up layers of loosely related changes, possibly over days, they will need to context switch back to something they might have done days ago when some unrelated task calls for a commit.
I totally agree that not being able to align local and CI build envs is an issue, and that relying on pushing to CI is an antipattern. But pragmatically those are antipatterns that frequently exist in the wild, and that pre-commit hooks need to account for… and if and when you have resolved those issues, you’ve solved much of what people call out pre-commit as a fix to, so I don’t see a whole lot of added value in it.
-
You know, now that you expanded on it, I think we configured pre-commit as a pre-push hook, in the project I used before. So, that would solve some your concerns.
The other part is that you can run pre-commit on demand, without a commit or push action, which I remember doing often just to run the lintings and stuff.
-
-
Yeah, basically, I don’t care how, just give the same validations as CI, in as easy an invocation as possible.
-
-
-
-
-
-
-
-
I share the same feeling regarding pre-commit, everytime I install the hook, I uninstall it in rage after it takes whole seconds everytime I want to do a temp save point or try to amend a commit I know is imperfect, only to have the commit rejected. I should just acknowledge this tool is not compatible with my way of working. To my workflow, pre-commit is like an annoying peer eavesdropping me and poking me everytime I make a typo that I have already noticed myself when the wrong char appearid on screen.
-
-
I’m pretty interested in this approach as well. I think the answer is that most projects should run these sorts of checks both in a hosted, shared, environment, and locally on developer machines regularly. Running all of these locally is absolutely possible, and should be in a team’s pre-commit hook. I tend to just alias black / isort / bandit together and run them regularly while developing if it’s a personal project.
How are you executing the pre-commit scripts in your CI environment post-push?
-
We just setup everything needed for all the pre-commit hooks to run and just invoke their GitHub Action. See an example here: https://github.com/onekey-sec/unblob/blob/main/.github/workflows/main.yml#L32-L33 Pretty simple!
-
Side note: Just discovered vulture from your pre-commit, looks super interesting.
This is a neat approach, and yeah, totally agree with you that if your team is all-in on pre-commit this makes total sense. It gives you one place to configure what’s running (as well as the options for those steps). I need to have a deeper look into using it for my personal projects.
In the past I’ve seen teams go both ways - especially with things like unittests in pre-commit. In your example you have your checks in the hook but not the tests. That’s probably what I’d end up with too.
There are those occasional times that you want to be able to commit / push something that’s work in progress without executing all of those checks (
--no-verifyto the rescue), but really that should be few and far between. I’m not actually sure what the arguments against using a pre-commit hook in a professional setting are these days.-
I’m not actually sure what the arguments against using a pre-commit hook in a professional setting are these days.
Naaa, hooks are just a wrong solution to the right problem. What you want is to ensure that the canonical version of code (tip of the main branch) possesses certain properties at any time. Where properties are pretty general: unit tests are passing, code is formatted, no vulnerable dependencies are used, licensees are in order, etc. The correct way to check for that is when you update the tip of the main branch on the server which keeps the canonical version of the code. So, to incorporate changes from a feature branch (or just a feature commit):
- Server which holds the canonical version of code creates a new “merge commit”
- Server checks that this new commit possesses all the required properties
- Server atomically updates the tip of the master branch to point to this already checked commit.
pre-commit is a “client-side validation” version of this workflow — advisory validation which doesn’t enforce anything, and runs on the outdated version of the code (main is probably ahead of the base of the feature branch by the time you finish).
Practically, pre commits very much get in a way of people who like to do small changes, and who strive to maintain clean git history, because the way you do that is by rewriting many drafts, and pre-commit creates friction proportional to the number of the wip-commits, rather than finished commits.
Ultimately, you want to enforce properties somewhere between typing things in the editor and getting code in the canonical tree. Moving enforcement point to the left increases friction, moving it to the right increases correctness.
-
Keeping every single commit clean from trivial mistakes is very useful form automated git bisect debugging. A seriously underrated way of debugging regresions.
-
-
I would agree with you in a unitemporal setting. But I think that integration is bitemporal. In particular, whether dependencies are vulnerable is a bitemporal property. This doesn’t negate your point, but it suggests that your “right problem” is a bit too broad, and it’s actually two problems that we’re trying to solve:
- whether the code integrates correctly for the developer’s environment at time of authorship
- whether the code integrates correctly for the user’s environment at the time of installation
-
-
-
I personally write all checks as tests using the standard testing framework of a particular language. So it’s, eg,
cargo testlocally,cargo teston CI, and, if you enjoy pre-commit hooks,cargo testIn the hook.If some tests are particularly slow, I h skip them unless
RUN_SLOW_TESTSenv var is set (which is set in CI).
-
-
Something in favor of using non-default SSH ports that is often overlooked: it won’t stop a determined attacker, but that’s not the point. The point is that it significantly cuts down on noise in your logs created by automated low-effort intrusion attempts.
-
The problem with a non-default port is that it’s either a low number (in which case it shows up on a port scan) or it’s an insecure port. If you pick a port above 1024 then any user on the system can bond to the same port if they win a race against the ssh daemon. This means that someone who compromises an unprivileged user has a path to privilege elevation by impersonating the ssh daemon.
I’m also not wild about disabling X11 forwarding on the server. It doesn’t improve server security, it helps only prevent the server from attacking the client and so it should be the client’s responsibility. The ssh command doesn’t enable it by default, so you are only protecting clients that have explicitly requested it against attacks by someone who has the privileges to reenable this setting if they actually wanted to launch the attack and so you add inconvenience in exchange for no security.
-
-
Yup, that’s a better solution (and one I’ve used in the past).
-
-
-
-
I don’t understand why noise in logs is so concerning? It’s not a security issue for them to fail to get in…
-
-
It is a mild annoyance that instead of genuine log messages, >99% of your logs are to do with automated scanners. It can even make logs roll more quickly in some configurations.
Same thing happens for web servers listening on ipv4 but there you can’t change port. Instead where possible I only listen on ipv6 and have the CDN proxy ipv4 to ipv6.
Fail2ban is useful for this too.
-
-
The point is that it significantly cuts down on noise in your
logs created by automated low-effort intrusion attempts.
I’ve been making the same point for years. Unfortunately, over the last several months, I’ve noticed that the high-numbered SSH port I commonly use has been getting numerous brute force attempts. I wonder if it is listed on shodan or one of those types of services, and that’s where the attention is coming from?
I also noticed one of my IPv6-only hosts getting some loving on its high-numbered SSH port from a Hurricane Electric IP address. I was about to send an abuse report to abuse@he.net, but when I looked at whois, I found that the address was assigned to “The Shadowserver Foundation”, https://shadowserver.org. My server’s upstream is HE, so I’m assuming HE is asking these folks to scan their address space.
-
-
Firewalls can easily stop an attack by counting failed attempts without the need for additional tools.
I don’t know why would anyone open
sshdto the intenret these days. I use tailscale these days to connect back home.-
I don’t know why would anyone open sshd to the intenret these days. I use tailscale these days to connect back home.
good point. along that note though… why would anyone use some external company to configure wireguard for them? I could understand something more complicated to set up, like openvpn… but wireguard is dead simple. and relying on a possibly fly-by-night “tech” company to do it seems like a bad idea. am I wrong?
-
-
-
-
This matches my experience too. I love that there’s no big release upgrades, it’s just incrementally updated over time and just keeps working—no major releases that seem to be very disruptive and commonly break things in the so called “stable” distros.
-
-
Conversely, in the years that used Debian and Ubuntu based distros, I had tons of issues doing an upgrade whenever I was using third party packages. In particular for Ubuntu, PPAs and proprietary software repos tend to not be prepared for a dist-upgrade sometimes for months after the new release comes out.
Not hating on Debian or Ubuntu, just pointing out that both approaches are imperfect.
-
I’ve had lots of problems with upgrading while I have third-party software installed too. The official upgrade runbook for debian upgrades advises to remove non-debian packages and sources as well.
Worth considering the container-thingys (snaps/flatpaks/appimages) for proprietary software. They can work better that way. I use slack, signal, heroku, etc that way and it’s mostly ok.
-
Yep, as much hate as snaps/flatpaks get at least they encapsulate all their dependencies so a change on the underlying glibc won’t break them. Still a bunch of things to fix (just look at how Ubuntu is still dealing with huge performance issues in their Firefox snap) but at least it’s step in the right direction.
-
Yeah I also haven’t managed to do this for firefox. I tried it (with a snap?) and there were some font issues that I couldn’t be bothered to debug. I’m using the official (non-deb) binary from Mozilla.
-
If your glibc updates won’t the rest of your system update at the same time to use the new glibc?
-
-
-
Agreed, if you wander off the beaten path into PPA’s and proprietary repos, you are definitely well into You get all the pieces when it inevitably breaks.
However, if you stay within the Stable repos, the chances of breaking are low to near zero, even during upgrades.
If you have to play a lot in random package repos, you probably shouldn’t be playing in stable in the first place.
-
-
-
-
-
snej
10 months ago
|
link
| on:
Why Programmers Can’t Stop Programs With Ctrl-C, but Used to Be Able To, and Why They Should Be Able to Again
I would like to see some tips on how to implement a SIGINT handler. My understanding has been that you can’t do anything safely other than set a flag, so that’s what I’ve done the few times I’ve implemented one.
-
Yeah that’s all you can do in the handler. The rest of the handling logic is spread throughout the rest of the program as you try to handle, everywhere, the case, everywhere, that the user wants to exit.
Imagine you are waiting on network IO to some SQL database when you receive SIGINT/TERM. What now? Do you cut what you are doing or wait a bit longer? If so, how long?
Someone else mentioned the unintentional “Real Programmers” elements to this article and it certainly smacked of that in places. Especially the bit about invariably wrapping up what you’re doing inside of 30ms.
-
You can do anything in a signal handler except call signal-unsafe functions. In general, you should assume that any function is signal unsafe if it might (now or in the future):
- Acquire locks (including indirectly, for example via memory allocation), or
- Modify any thread-local state.
The key problem with signals is that they can top any thread in your program at any point in between two instructions, which might be in the middle of a C statement. If you attempt to acquire a lock, you may find that the thread that you’ve interrupted holds the lock and now you have a thread deadlocking with itself. This is particularly dangerous with recursive locks, where the second acquisition will succeed, but now you’ve got concurrent mutation of the thing that the lock was protecting. Modifying thread-local state is also problematic because most functions assume that thread-local state can’t be mutated out from under them, yet this can happen in signals.
As a rule of thumb, the following things are safe:
- Modifying individual words of memory, especially
_Atomicwords (but be very careful about larger_Atomictypes because they might be lowered to a call with locks. - Calling system calls
This means that you can set a flag or you can wake up a pipe. You need to be careful of things like
printfbecause they might acquire locks to load locales. That kind of thing will work 99.99% of the time, so it’s fine in a debug build that you never share with anyone else but is problematic if it makes it into CI (for example).When I have to use Linux, the first thing I notice is that ^T doesn’t send SIGINFO. Most *BSD (including Mac) long-running utilities will print status information to standard error on SIGINFO, so you can see what’s happening in a long-running task.
-
-
This is really great information on how to set up good 4G links but I find his final results confusing.
The “4G on phone” results actually look a little better than “Internet Speeds - With 4G Router and Extenral Anteenas” for his aim - videoconferencing - to me. Bandwidth is lower but fine for videoconferencing and ping is bad but jitter is lower than with his router/antenna setup. I’d also worry that his TP-Link router probably has bufferbloat which is a big wrecker of zoom calls for most people. In his introduction he mentions much worse figures for “before I did anything” so perhaps the “4G on phone” is not the before state?
-
Nice article.
I personally think of auto-scaling as a bit of a minefield, both for planning and for practice. For example, one counter-intuitive issue is that the gradient of the peak your system can handle is a factor of the startup time of each additional process and your maximum response time.
Process startup times on cloud platforms can be really long. One quite popular service adds 2 minutes to the programs own startup time. That makes it only of very limited use for handling demand peaks. It’s only really good for saving money on day/night cycles.
I don’t want to say that auto-scaling is harmful per se either, but I have seen, on balance, more issues caused by it that solved. A fair chunk of that is because it’s over-used - or used very casually with an extremely large range.
-
It removes redundancy, because the function name should already be in the call stack.
That implies that the only time you ever look at a test is when it fails. I spend a lot of time trying to navigate test organization to write new tests and review code. There’s no stack trace, so the tests just look jumbled together.
Test organization is one of the most frustrating topics, to me. It seems that every language/framework has a different approach to it, none are perfect, and it’s impossible to aggregate all the good ideas, due to technical difficulties. For example, there’s good aspects to the author’s idea, but I can’t use it in
pytestbecause test names have to start withtest_. I’ve largely broken down to using doc strings to explain tests, and I don’t love that that’s the best I can come up with.-
Test organization is one of the most frustrating topics
Yes. I haven’t seen satisfactory solutions either. One thing which helps a bit are explicit coverage marks which sometimes help you to identify where tests for specific area live.
-
-
in pytest […] test names have to start with test_
FWIW this is configurable.
-
-
Jeff Forcier (the author of Invoke and the maintainer of Fabric and Paramiko) wrote a plugin for Pytest that lets you specify tests in this more literate fashion as well: https://github.com/bitprophet/pytest-relaxed
It’s not quite as expressive in this regard as rspec is, but it makes for nice readable test output when it’s the right model for your tests.
-
-
-
-
How does this pass GDPR?
-
Vodafone is already the Controller of your data if you are a Vodafone subscriber, so they’re transmitting your preferences (consent) to various Processors (people who have implemented the TrustPid API, which looks like this) whilst not transmitting your data.
-
-
IANAL, but I read up on TrustPID. It looks like they will argue that because they are taking hashed data (IP address + other stuff) from the mobile ISP they will argue they are not able to identifying a living person, even indirectly (criteria from the UK version of the GDPR). There are also some opt ins and the ability to opt out.
Looks thin to me.
-
-
-
Unreadable font
-
Just a bit wonky, helps with dyslexia. Very readable actually, but maybe too off-putting for most.
-
Haha, it’s my design. Work in progress. Seems to have some issues with rendering on some screens. Feedback welcome ;)
-
My personal feedback is just don’t set the font and everyone can use their preferred default font. If you really feel the need for some “personality” set a font for headers but leave the body text alone.
But I’m probably in the minority and most users have terrible default fonts.
-
On my system, the browser is configured to ignore all website font requests. It is kinda funny using bad websites that insist on icon fonts and such (looking at most anything Google makes), but since they’re bad websites, I can only gain by not using them.
My bliss is real never having to see these things.
-
Yeah, I did this for a while and it was quite nice. Unfortunately icon fonts haven’t completely died out yet.
I don’t know if I would go as far as calling those sites “bad”, it was the best option available for quite a while. Thankfully technology has improved such that inline SVG or separate images can fill the role and perform better.
-
-
Hm, I actually didn’t know you can set a default font for browsers.
In this case, this is a font that I am designing, so I meant to ask about feedback for the font itself.
-
-
-
-
came up with semantic styles way before the semantic web was established. It’s just a very good invention. Bolding a word to highlight it is fine, but way too often people
It might be the interaction with Windows’ antialisaing, but I had to switch to reader mode to read the article. The font is so narrow that vertical lines almost disappear in places.
-
-
-
toastal
edited
1 year ago
|
link
| on:
7 Gettext lessons learned after 2 years of developing a European platform
Second paragraph and I’m already mad.
Rule 8: Flags represent nations, not languages – so don’t use flags.
Some obviously controversial flags: United Kingdom, Spain, France, Portugal. These examples have more speakers outside the origin country than within and is a very Euro-centric, colonial viewpoint of language to use any flag whatsoever. Not to mention, many countries have more than one language which further propagates stereotypes or belittlement of minority groups inside those countries.
Luckily the Steady site doesn’t break this rule, just the blog entry.
-
The reason flags are used is that if a website is in a language you do not understand you may not otherwise know where to click to change the language, or recognise the name of your language. The word for “English” in Russian is “английский”. Are you going to know to click on that unless there is a American or British flag next to it?
Everyone knows that people get het up about flags. Flags are used despite this for usability reasons.
-
-
-
This can also be fun for country names. Sending something to someone in France, I had to find the UK in a French-language drop-down. At school, I learned a few variations on how the country name is translated into French, this web site introduced me to a new one.
-
Le Royaume Uni I suppose?
The UK is a hard nut in these forms. I often try a number of options, but I can’t complain when even the Olympic team uses the wrong name (“Team GB” - the UK is not just Great Britain).
-
A bit tangential, but UK government forms really threw me for a loop the first time I used one, as it’s the only place I’ve seen the adjective form of nationality used for the Citizenship/Nationality field. When listing my citizenship for visa/etc. purposes, on most countries’ forms it’s just a drop-down of country names. So usually you can find the USA under U somewhere (United States, USA, U.S.A., etc.). But for
gov.ukit was under A for American instead (UK was likewise under B, for British). I’m not too knowledgeable about the details, but I assume this has something to do with the complexities of British nationality.
-
-
-
Sure, you just need to find the “язык” dropdown. Should be easy as the currently selected value will be русскийрусский which is obviously wrong.
-
Yes! Languages get closer to nationalities than most other pictograms. I couldn’t know to pick a picture of Spain’s boarders to change language, nor would I know to click on the alphabet (which doesn’t work for languages without alphabets). And flags help. Then, you say what the language actually is in the drop down so you can select it…
Other rejected pictograms: Official bird View from the capitol Airport code Biggest company based there Slowly moving language names
-
-
-
As sibling noted, obviously they should be in the native language spelling (or maybe put both). With Spanish being the US’s #2 most spoken language (no official language), should those Spanish speakers not count and find it odd they speak Spanish daily and click the US flag where they live and get English? Should they look for a flag of Spain? Or Mexico? Or their birth country (which is likely missing)? “español” +
esis very clear (even if all dialects aren’t yet translated) and doesn’t have the same degree of political baggage as flags and countries do. When people migrate – and they do a lot in the 21st century – their languages come with them because languages belong to the people and flags belong to the nation.But do you really think people really know their flags? I don’t think this assertion is true. Which of these is Poland: 🇲🇨 🇵🇱 🇮🇩? Romania 🇦🇩 🇲🇩 🇷🇴? Ireland 🇨🇮 🇮🇪? Bolivia 🇧🇴 🇬🇭? Mali 🇸🇳 🇲🇱?
But imagine if a user could send their preferred language through the user-agent and the server or browser could choose a ‘good’ default for them …
Accept-Languagesounds like a good name for this, maybe evennavigator.languages. That would be better than what Google does: ignoring my request and mislabeling me based on IP instead.-
If you did user research on American Spanish speakers I wonder how many be confused by the American flag being used to denote English. Have you ever tested this?
I think using Accept-Language by default would be a big improvement though it’s not a panacea. To some extent it just punts the issue to the browser. Changing your language in most browsers requires you download a language pack which you won’t have permission to do in internet cafes. Maybe that is no longer a problem now people have smart phones?
-
-
-
Chrome and Firefox have easy to use setting to change the language header that you send to websites. There is nothing you have to install. You do not need admin rights for that. This has worked like this for the last 2 decades at least. That is what I am referring to.
If websites ignore the header, that is not a problem of the browser, but our industry.
-
-
-
-
-
I live in India. We have at least 13 languages that have 10+ million speakers, and hundreds of minor languages in active use by smaller communities. Indian currency notes have text in 15 languages. From what I understand, there are several other countries with this kind of linguistic diversity (Nigeria, Pakistan, Indonesia, to name a few).
Using flags to represent languages is a Western European notion. I personally find it both disrespectful and confusing.
-
Using flags to represent languages is a Western European notion. I personally find it both disrespectful and confusing.
It’s worse than that. It’s not just that it’s a Western European notion, the equivalence of language and country is one that has been specifically pushed by majority groups to marginalise minorities. Ask folks whose native language is Gaelic, Welsh, Breton, or Catalan, for example what they think of the equivalence and you’ll get a very different view.
-
-
-
I think that is because they developed it for the European market, as their title suggests, and to illustrate their text with emoji/icons.
-
-
-
The screenshot uses a flag for German/“Deutsch” which I’ve never seen before, and German is my first language :)
-
-
What’s controversial about the Union Jack representing English, a language born of and primary to that soverign country?
-
The Union Flag is the flag of several distinct political entities that have different sets of official languages:
- England does not have an official language, though practically English is a de-facto standard.
- Wales has English and Welsh as official languages. All official communications are required to be bilingual and some (such as tax things from HMRC) are bilingual for the whole of the UK as a result.
- Scotland has recognised Scottish Gaelic as an official language since 2005 and has had English as an official language since before then, though this recognition does not require government communication to be delivered in Gaelic and so has little effect. Scots (derived from Northumbrian Old English) is also supported by the Scottish government.
- The story of Irish Gaelic is very complicated because the English made an effort to marginalise it for a long time (the history of Ireland is largely omitted in English schools, on the basis that it’s just too embarrassing for the English). It now has similar status in Northern Ireland to Gaelic in Scotland.
So the flag points to at least three distinct language families and several overlapping ones. Only Wales (which is covered by the flag, but whose flag is not represented, in spite of being the part of the UK with the best flag) has a notion of an official language that carries any significant legal weight and it places English and Welsh on the same level.
You could probably use the George Cross to represent en_GB, although both Cornish (Celtic-family) and Scots (mostly the same ancestry as modern English, i.e. a creole of every language spoken by folks who invaded England over a period of a thousand years or so) originated in the area represented by that flag. Either way, you’re marginalising speakers of minority languages.
-
I didn’t say anything about official languages or political entities, which is almost exactly my point. Primarily, British English is spoken throughout the United Kingdom, the soverign country in which it developed to the standard of English which was then spread throughout the world. The flag points to multiple regions with different languages, none of them as immediately relevant as the English language - you don’t see the Union Jack and think of Cornish. If the language was Scots, use the Scottish flag. If the language is Gaelic, use the Irish flag (or Ulster Banner, lol). To feign shock and horror at the Union Flag representing the history and origin of the English Language is inane.
-
If I clicked the Scottish flag, I could be wanting either Scots or Gaelic, as mentioned by david_chisnall. Likewise, if I scanned for the word Gaelic, I’d personally be expecting Gàidhlig, not Irish. When it comes to English, there’s like half a dozen different flags that may have been chosen that I have to scan for (I have seen UK, USA, Canada, England, and Australia, frequently, and probably others less often), and that’s ignoring any personal feelings I have towards any of those. Country flags and $current_language names for other languages just aren’t the best way to display these things for translation pickers, for multiple reasons.
-
-
Two issues:
- The UK is by number of speakers, has the sixth most number of speakers. The language may have come from England, but without a standards body, it’s anyone’s language. The other variants of English are still very much valid and a part of the English language. Picking any of the nations is the wrong call.
- In the weeds, historically England is the kingdom speaking English so if you want to go on history, 🏴 is the flag you are looking for which isn’t nearly as recognizable. Is this the Georgian flag? 🇬🇪
How do we avoid this issue? Just say “English” or
en. -
It doesn’t reflect all the other kinds of english spoken by the far majority of the world. We even call it “British English” to distinguish it from other flavours of English like American, where there’s a number of spelling and pronounciation differences (these distinctions even get taught in school in non-english speaking countries).
-
-
-
-
Oh, absolutely. British English is pretty well-known for that since there is a wide variety of English spoken between Scotland and South England.
Similarly Danish has different amount of grammatical genders between the islands. It is all the same Denmark with the same flag.
-
-
-
-
And for American English, a U.S. flag is oft used. Perhaps one should’ve been used in the article, but having not used Steady, I wouldn’t know.
-
-
What language would you expect behind a Belgian flag? French or Flemish?
German of course! https://en.wikipedia.org/wiki/German_language#German_Sprachraum ;-)
BTW, Flemish is a dialect, the official language is Dutch.
-
The language most spoken in Belgium, obviously.
-
-
That’s not the implication at all, it’s not making a comment on the validity of the non-majority language.
-
-
-
-
-
-
-
-
Help me. I am not a Ruby person and I probably never will be. I just cannot figure out what Hotwire is. I have read this post, I have read the Hotwire homepage, I have googled it, I cannot for the life of me figure out what it actually is.
I keep reading “HTML over the Wire” but that is how normal websites work. What is different?
-
-
-
For others who may be confused: This is dynamic HTML over web sockets. The idea is that the client and server are part of a single application which cooperate. Clients request chunks of HTML and use a small amount of (usually framework-provided) JS to swap it into the DOM, instead of requesting JSON data and re-rendering templates client-side. From the perspective of Rails, the advantage of this is that you don’t need to define an API – you can simply use Ruby/ActiveRecord to fetch and render data directly as you’d do for a non-interactive page. The disadvantage is that it’s less natural to express optimistic or client-side-only behaviors.
-
-
it’s not really a new idea, they stole it from phoenix liveview. https://hexdocs.pm/phoenix_live_view/Phoenix.LiveView.html
-
… which I guess in turn is the spiritual successor to TurboLinks
-
It’s worth noting that idea isn’t new with Phoenix. Smalltalk’s Seaside web framework had this back in 2005 or so (powered by Scriptaculous), and WebObjects was heading down that path before Apple killed it.
Phoenix LiveView looks great, and is likely the most polished version of the concept I’ve seen, don’t get me wrong. But I don’t think DHH is “stealing” it from them, either.
-
There’s a lot of implementations of it, here’s a good list: https://github.com/dbohdan/liveviews
-
Not unsurprising, given that Phoenix is designed by a prolific Rails contributor. There’s a healthy exchange.
https://contributors.rubyonrails.org/contributors/jose-valim/commits
-
Moreover, DHH has been experimenting with these techniques since roughly the same time that Elixir (not even Phoenix) first appeared: https://signalvnoise.com/posts/3697-server-generated-javascript-responses
-
-
-
In addition to brandonbloom’s excellent points, I personally liken it to the Apple/Oxide push for hardware and software being signed together. This type of tech makes it much easier to keep frontend and backend designs coherent. It is technically possible to do with SPAs and the APIs they rely on but the SPA tech makes it too easy (at an organizational level) to lose track of the value of joint design. This tech lowers the cost of that joint design and adds friction to letting business processes throw dev teams in different directions.
-
-
-
-
-
-
Really? How is that the answer to all of life’s problems, the way DHH is carrying on?
-
because now your
(data) -> htmltransformations all exist in one place, so you don’t have a server-side templating language and a client-side templating language that you then have to unify. also the performance of client-side rendering differs more substantially between devices, but whether that’s a concern depends on your project and its audience. just different strategies with different tradeoffs.-
-
Great for mail clients and web stores, the worst for browser games.
-
-
If you genuinely need offline behavior, or are actually building a browser-based application (e.g., a game, or a photo editor, etc.), something like Hotwire/Liveview makes a great deal of sense.
At least until you get to a certain scale, at which point you probably don’t want to maintain a websocket if you can help it, and if you are, it’s probably specialized to notifications. By that time, you can also afford the headcount to maintain all of that. :)
-
-
-
-
-
-
-
Looks like the employee is based in the UK. As you might expect, most of the responses to his announcement are Bad Legal Advice. This comment is also going to be Bad Legal Advice (IANAL!) but I have some experience and a little background knowledge so I hope I can comment more wisely…
The way FOSS (and indeed all private-time) software development works here for employees is that according to your contract your employer will own everything you create, even in your private time. Opinions I’ve heard from solicitors and employment law experts suggest that this practice might constitute an over-broad, “unfair”, contract term under UK law. That means you might be able to get it overturned if you really tried, but you’d have to litigate to resolve it. At any rate the de facto status is: they own it by default.
What employees typically do is seek an IP waiver from their employer where the employer disclaims ownership of the side-project. The employer can refuse. If you’ve already started they could take ownership, as apparently is happening in this case. Probably in that scenario what you should not do is try to pre-emptively fork under some idea that your project is FOSS and that you have that right. The employer will likely take the view that because you aren’t the legal holder of the IP that you aren’t entitled to release either the original nor the fork as FOSS - so you’ve improperly releasing corporate source code. Pushing that subject is an speedy route to dismissal for “gross misconduct” - which a sufficient reason for summary dismissal, no process except appeal to tribunal after the fact.
My personal experience seeking IP waivers, before I turned contractor (after which none of the above applies), was mixed. One startup refused it and even reprimanded me for asking - the management took the view that any side project was a “distraction from the main goal”. Conversely ThoughtWorks granted IP waivers pretty much blanket - you entered your project name and description in a shared spreadsheet and they sent you a notice when the solicitor saw the new entry. They took professional pride in never refusing unless it conflicted with the client you were currently working with.
My guess is that legal rules and practices on this are similar in most common law countries (UK, Australia, Canada, America, NZ).
-
The way FOSS (and indeed all private-time) software development works here for employees is that according to your contract your employer will own everything you create, even in your private time.
This seems absurd. If I’m a chef, do things I cook in my kitchen at home belong to my employer? If I’m a writer do my kids’ book reports that I help with become privileged? If I’m a mechanic can I no longer change my in-laws’ oil?
Why is software singled out like this and, moreover, why do people think it’s okay?
-
There have been cases of employees claiming to have written some essential piece of software their employer relied on in their spare time. Sometimes that was even plausible, but still it’s essentially taking your employer hostage. There have been cases of people starting competitors to their employer in their spare time; what is or is not competition is often subject to differences of opinion and are often a matter of degree. These are shadow areas that are threatening to business owners that they want to blanket prevent by such contractual stipulations.
Software isn’t singled out. It’s exactly the same in all kinds of research, design and other creative activities.
-
-
what’s the problem?
I think it’s a pretty large problem if someone can become a colleague, quickly hoover up all the hard won knowledge we’ve together accumulated over the past decade, then start a direct competitor to my employer, possibly putting me out of work.
You’re thinking of large faceless companies that you have no allegiance to. I’m thinking of the two founders of the company that employs me and my two dozen colleagues, whom I feel loyal towards.
This kind of thing protects smaller companies more than larger ones.
-
…start a direct competitor to my employer, possibly putting me out of work.
Go work for the competitor! Also, people can already do pretty much what you describe in much of the US where non-competes are unenforceable. To be clear, I think this kind of hyper competitiveness is gross, and I would much rather collaborate with people to solve problems than stab them in the back (I’m a terrible capitalist). But I’m absolutely opposed to giving companies this kind of legal control over (and “protection” from) their employees.
-
Go work for the competitor!
Who says they want me? Also I care for my colleagues: who says they want them as well?
where non-competes are unenforceable
Overly broad non-competes are unenforceable when used to attempt to enforce against something not clearly competition. They are perfectly enforceable if you start working for, or start, a direct competitor, profiting from very specific relevant knowledge.
opposed to giving companies this kind of legal control
As I see it we don’t give “the company” legal control: we effectively give humans, me and my colleagues, legal control over what new colleagues are allowed to do, in the short run, with the knowledge and experience they gain from working with us. We’re not protecting some nameless company: we’re protecting our livelihood.
And please note that my employer does waive rights to unrelated side projects if you ask them, waives rights to contributions to OSS, etc. Also note that non-compete restrictions are only for a year anyway.
-
Who says they want me? Also I care for my colleagues: who says they want them as well?
Well then get a different job, get over it, someone produced a better product than your company, that’s the whole point of capitalism!
They are perfectly enforceable if you start working for, or start, a direct competitor, profiting from very specific relevant knowledge.
Not in California, at least, it’s trivially easy to Google this.
As I see it we don’t give “the company” legal control: we effectively give humans, me and my colleagues, legal control over what new colleagues are allowed to do, in the short run, with the knowledge and experience they gain from working with us.
Are you a legal party to the contract? If not, then no, it’s a contract with your employer and if it suits your employer to use it to screw you over, they probably will.
I truly hope that you work for amazing people, but you need to recognize that almost no one else does.
Even small startups routinely screw over their employees, so unless I’ve got a crazy amount of vested equity, I have literally zero loyalty, and that’s exactly how capitalism is supposed to work: the company doesn’t have to care about me, and I don’t have to care about the company, we help each other out only as long as it benefits us.
-
-
-
Why did the original company need the person who started the competitor? Companies need workers and if the competitor puts the original company out of business (I was responding to the “putting me out of work” bit) then presumably it has taken on the original company’s customers and will need more workers, and who better than people already familiar with the industry!
-
-
-
-
-
Modern Silicon Valley began with employees starting competitor products: https://en.wikipedia.org/wiki/Traitorous_eight
If California enforced non-compete agreements, Silicon Valley might well not have ended up existing. Non-enforcement of noncompetes is believed to be one of the major factors that resulted in Silicon Valley overtaking Boston’s Route 128 corridor, formerly a competitive center of technology development: https://hbr.org/2016/11/the-reason-silicon-valley-beat-out-boston-for-vc-dominance
-
I don’t think we are talking about the same thing. While I agree that any restriction on post-employment should be banned, I don’t think it is unfair for an organization to ask their employees to not work on competing products while being under their payroll. These are two very different situations.
-
-
If the employee uses company IP in their product then sure, sue them, that’s totally fair. But if the employee wants to use their deep knowledge of an industry to build a better product in their free time, then it sucks for their employer, but that’s capitalism. Maybe the employer should have made a better product so it would be harder for the employee to build something to compete with it. In fact, it seems like encouraging employees to compete with their employers would actually be good for consumers and the economy / society at large.
-
An employee working on competing products on its free time creates an unfair advantage because the employees have access to an organization IP to build its new product while the organization does not have access to the competing product IP. So what’s the difference between industrial espionage and employees working on competing products on their free time?
-
-
-
-
-
-
Joel Spolsky wrote a piece that frames it well, I think. I don’t personally find it especially persuasive, but I think it does answer the question of why software falls into a different bucket than cooking at home or working on a car under your shade tree, and why many people think it’s OK.
-
Does this article suggest the employers view contracts as paying for an employee’s time, rather than just paying for their work?
Could a contract just be “in exchange for this salary, we’d like $some_metric of work”, with working hours just being something to help with management? It seems irrelevant when you came up with something, as long as you ultimately give your employer the amount of work they paid you for.
Why should an employer care about extra work being released as FOSS if they’ve already received the amount they paid an employee for?
EDIT: I realise now that $some_metric is probably very hard to define in terms of anything except number of hours worked, which ends up being the same problem
-
Does this article suggest the employers view contracts as paying for an employee’s time, rather than just paying for their work?
I didn’t read it that way. It’s short, though. I’d suggest reading it and forming your own impression.
Could a contract just be “in exchange for this salary, we’d like $some_metric of work”, with working hours just being something to help with management? It seems irrelevant when you came up with something, as long as you ultimately give your employer the amount of work they paid you for.
I’d certainly think that one of many possible reasonable work arrangements. I didn’t link the article intending to advocate for any particular one, and I don’t think its author intended to with this piece, either.
I only linked it as an answer to the question that I read in /u/lorddimwit’s comment as “why is this even a thing?” because I think it’s a plausible and cogent explanation of how these agreements might come to be as widespread as they are.
Why should an employer care about extra work being released as FOSS if they’ve already received the amount they paid an employee for?
As a general matter, I don’t believe they should. One reason I’ve heard given for why they might is that they’re afraid it will help their competition. I, once again, do not find that persuasive personally. But it is one perceived interest in the matter that might lead an employer to negotiate an agreement that precludes releasing side work without concurrence from management.
-
I only linked it as an answer to the question that I read in /u/lorddimwit’s comment as “why is this even a thing?” because I think it’s a plausible and cogent explanation of how these agreements might come to be as widespread as they are.
I think so too, and hope I didn’t come across as assuming you (or the article) were advocating anything that needs to be argued!
I didn’t read it that way. It’s short, though. I’d suggest reading it and forming your own impression.
I’d definitely gotten confused because I completely ignored that the author is saying that the thinking can become “I don’t just want to buy your 9:00-5:00 inventions. I want them all, and I’m going to pay you a nice salary to get them all”. Sorry!
-
-
-
-
There is a huge difference: We’re talking about creativity and invention. The company isn’t hiring your for changing some oil or swapping some server hardware. They’re hiring you to solve their problems, to be creative and think of solutions. (Which is also why I don’t think it’s relevant how many hours you actually coded, the result and time you thought about it matters.) Your company doesn’t exist because it’s changing oil, the value is in the code (hopefully) and thus their IP.
So yes, that’s why this stuff is actually different. Obviously you want to have exemptions from this kind of stuff when you do FOSS things.
-
I think the chef and mechanic examples are a bit different since they’re not creating intellectual property, and a book report is probably not interesting to an employer.
Maybe a closer example would be a chef employed to write recipes for a book/site. Their employer might have a problem with them creating and publishing their own recipes for free in their own time. Similarly, maybe a writer could get in trouble for independently publishing things written in their own time while employed to write for a company. I can see it happening for other IP that isn’t software, although I don’t know if it happens in reality.
-
I think the “not interesting” bit is a key point here. I have no idea what Bumble is or the scope of the company, and I speak out of frustration of these overarching “legal” restrictions, but its sounds like they are an immature organization trying to hold on to anything interesting their employees do, core to the current business, or not, in case they need to pivot or find a new revenue stream.
Frankly if a company is so fearful that a couple of technologies will make make or break their company, their business model sucks. Technology != product.
-
Similarly, maybe a writer could get in trouble for independently publishing things written in their own time while employed to write for a company
I know of at least one online magazine’s contracts which forbid exactly this. If you write for them, you publicly only write for them.
-
-
-
This is pretty much my (non-lawyer) understanding and a good summary, thanks.
If you find yourself in this situation, talk to a lawyer. However I suspect that unless you have deep pockets and a willingness to litigate “is this clause enforceable” through several courts, your best chance is likely to be reaching some agreement with the company that gives them what they want whilst letting you retain control of the project or at least a fork.
One startup refused it and even reprimanded me for asking - the management took the view that any side project was a “distraction from the main goal”
I think the legal term for this is “bunch of arsehats”. I’m curious to know whether you worked for them after they started out like this?
-
I think the legal term for this is “bunch of arsehats”.
https://www.youtube.com/watch?v=Oz8RjPAD2Jk
I’m curious to know whether you worked for them after they started out like this?
I left shortly after for other reasons
-
-
The way FOSS (and indeed all private-time) software development works here for employees is that according to your contract your employer will own everything you create, even in your private time
Is it really that widespread? It’s a question that we get asked by candidates but our contract is pretty clear that personal-time open source comes under the moonlighting clause (i.e. don’t directly compete with your employer). If it is, we should make a bigger deal about it in recruiting.
-
-
-
A limited alternative to Optional for languages that don’t support it is to always use empty strings and empty collections in preference to null. Any code that iterates over strings or collections will also be cleaner, because it doesn’t need to special-case null.
-
-
a.k.a. the semi predicate problem
-
-
-
How and when does that goes wrong?
-
Both Oracle DB and Django do it! It causes problems very often in both cases
-
edit: misread comment; ignore
-
-
-
calpaterson
1 year ago
|
link
| on:
Tests aren’t enough: Case study after adding type hints to urllib3
This resembles my experience in adding types to existing projects: you almost always find a few a couple of real bugs. The other thing is that typechecking speeds up development: mypy is usually quicker to run than the testsuite so you waste less time before finding out you’ve made a silly mistake.
-
I wholeheartedly agree, however, the type errors can be dizzying for programmers who aren’t software engineers. I work with data scientists & product managers who contribute Python code, and adding mypy types had some negative effects to their ability to contribute. Overall, I think we came out ahead; I’m thankful for mypy. I’d love to see better error messages.
-
Yeah, this is somewhere where I think most type checkers/compilers leave a ton of value on the table – tracking down a bug caught by a type error is usually much easier than than one caught by a test suite (or in prod…), because it points you to the source of the error rather than the eventual consequences of not catching it. But then many type checkers do a poor job of explaining the error, which undermines this. Elm deserves mention for doing a particularly good job here.
-
I would rather teach data scientists who use Python about how to use type annotations than forego using them in Python programs just in case a data scientist needs to touch that code.
-
I work on pytype, and we do try to improve the error messages where we can (e.g. here’s a recent commit improving “primitive types ‘str’ and ‘int’ aren’t comparable” to “primitive types ‘x: str’ and ‘10: int’ aren’t comparable”), however when you’re down in the weeds of developing a type checker it can often be hard to notice an error message is not readily comprehensible or helpful. I would encourage you to file a bug with mypy whenever you find an error message hard to read.
-
-
-
This is cool, and Redirector is a very cool project! Are there any lists of common redirections for, eg, twitter and other sites that are very slow? I use quite an old machine to browse the web
-
Thanks! Redirector isn’t mine FYI, but I agree it’s nice. @ploum pointed me toward Privacy Redirect which has similar sites listed. That might work well for you 🙂
-
-
All this because Mozilla leadership still haven’t set up Firefox to take community funding directly, and instead want to use people’s donations on their irrelevant projects.
-
As I understand Mozilla’s legal structure, you cannot at present give money to Firefox at all.
Donations given to the foundation cannot be passed to the corporation. The irrelevant projects you mention (and there are a lot of them) come out of the Firefox profits so are eating the seed corn directly. I seem to recall off-hand that a lot of the donation money goes on grants to external organisations.
-
-
-
-
I’ve donated as much as $75/mo to neovim. I don’t donate as much nowadays but if I could donate to a specific dev working on furthering my interests in firefox, I would.
I wonder if something like Igalia’s open prioritization would work for Firefox itself.
-
We won’t know until they try. But for some points of reference: bcachefs which is still an out-of-tree alpha level project gets 2k/mth, WhatsApp in 2013-14 charging a dollar/yr (easily avoidable) was decently profitable, Wikipedia gets lots of donations annually even though they don’t really need it, neovim gets probably $50k/yr between various funding methods and neovim is relatively obscure. You can still ask for money on the internet and get a decent sum. With enough users like FF, they could definitely give it a go.
-
-
-
You have neglected to disable FLoC with
Permissions-Policy: interest-cohort=(). Like you I’m disappointed with Google ignoring parts of the robots.txt standard that they clearly understand the meaning of and am unpersuaded by their reasoning but for me the FLoC system is much more obnoxious.I can also tell you from personal experience that disabling FLoC harms your search appearance considerably. My own website was downranked hard after I added that header.
-
Writing a new blog post for my website. We’ll see if I get this one out the door this weekend (unlikely based on past performance. It’s on topic here and so I hope to submit it when I’ve finished
Something weird in the industry, we hold to the highest standard the Toyota model (what pretends to be called Agile, despite not being at all what the Agile manifesto talks about) — yet we ardently refuse to acknowledge that part of the Toyota model was that they owned their entire supply chain.
I guess, for many people on websites like this one and the Orange Site: you can easily turn a blind eye if your salary depends on it.
Every time I talk about owning your data or ensuring that you have the means to fix your most critical issues without depending on a specific third party vendor: I am told the same thing, that “[you are] advocating that we create CPUs from scratch?!”.
Build vs Buy is important, but for love of god: own what you buy. We as an industry keep renting services in the misunderstood notion that renting is somehow owning, and by outsourcing the running of that service you will need to hire fewer people - but then, you have to reconcile that you never really bought anything.
With that in mind, though, there absolutely is a place for build vs buy vs rent.
but people aren’t thinking “rent” when they talk about “buy”-ing a service.
Toyota have never “owned their entire supply chain”.
It seems fair to say that they (and all car companies?) are all about integrating the services of other parties.
The relationships are often much more complicated than conventional SaaS relationships. A lot of exclusive relationships with contracts that allow the procurer to monopolize consumption of given parts or lines of business. These often come with implied buy-outs and joint management decisions. The GM and AC Delco relationship is probably the most interesting and unique relationship, representing the far end of the spectrum from a click-thru SaaS terms of service.
What does it mean? Having the capability of deep-diving into a component you’re using to fix the issues? If so, that’s a great argument for using free and open source software.
I mean, I highly doubt Toyota owned literally every fundamental piece of their supply chain, just the stuff that wasn’t commoditized. CPUs are absolutely a commodity, so you don’t have to build them yourself, you just need people who understand them.