1. 14

    Can someone explain to me why this article is getting so many upvotes, since this is basically only telling you what to think about before introducing Kubernetes? The article links to another article of hers, Building Container Images Securely on Kubernetes, which is way more interesting in my opinion.

    Edit: formatting

    1. 7

      The author is respected for their knowledge in this area and has done a lot for the community.

      1. 20

        Basically, having one of the highest authorities on containers say that people are overthinking how they approach containers is a nice thing to hear, particularly as people have to fight overgrown infrastructure.

        1.  

          ^ This

        2.  

          Although I’m about separation architectures, I did like her write-up listing many security practices that container tech are using with a nice, little chart. I saved it in case I ever wanted to follow-up on them to use as extra layers, do work improving them from high-security perspective, or (most likely) share them with anyone using containers who could benefit. Just an example supporting your point.

      1. 5

        Also my excuse to mention IBM i (previously AS/400) again - C source in the native environment isn’t compiled to native code, but to an intermediate representation called the Machine Interface. You can even include “inline assembly” in the form of MI instructions. In this IR, pointers are non-integer quadwords, and since pointers are tagged, trying to dereference an untagged pointer kills your program. Another one of the other annoying issues with C in the native environment is that strings are in EBCDIC.

        1. 6

          Another one of the other annoying issues with C in the native environment is that strings are in EBCDIC.

          EBCDIC is great for revealing things you didn’t know you were depending on. Stuff like c == 0x30 to compare characters doesn’t work, nor does c >= 'a' && c <= 'z'. These are things used all the time.
          When we were porting some C utilities to z systems, this was the first thing we looked for and just assumed was there.
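          The breakage described in this comment, as an added example that is not code from the thread: Python's cp037 codec stands in for the mainframe/IBM i code page (an assumption), the helper names are mine, and the two regexes are a grep-style heuristic for the "first thing we looked for" audit, not a parser.

```python
# Added example (not code from the thread): why ASCII-style character tests
# break under EBCDIC, and a small grep-style audit for the patterns the
# commenter says they looked for first. Python's cp037 codec stands in for
# the mainframe/IBM i code page (assumption: the native page is cp037-like).
import re
import string

EBCDIC = "cp037"

def to_ebcdic(ch: str) -> int:
    """Byte value of a single character in the EBCDIC code page."""
    return ch.encode(EBCDIC)[0]

def ascii_range_is_lower(b: int) -> bool:
    """The check from the comment, as written for ASCII: b >= 'a' && b <= 'z'."""
    return 0x61 <= b <= 0x7A

def ebcdic_range_is_lower(b: int) -> bool:
    """Same idea naively 'ported' by using the EBCDIC values of 'a' and 'z'.
    Still wrong: EBCDIC letters are not contiguous (gaps after 'i' and 'r')."""
    return to_ebcdic("a") <= b <= to_ebcdic("z")

def encoding_aware_is_lower(b: int) -> bool:
    """Decode the byte through the code page and ask about the character,
    which is what a locale-aware islower() does instead of byte arithmetic."""
    return bytes([b]).decode(EBCDIC, errors="replace") in string.ascii_lowercase

def non_letters_accepted_by_range() -> list:
    """Byte values the naive EBCDIC range test accepts that are not a-z."""
    return [b for b in range(256)
            if ebcdic_range_is_lower(b) and not encoding_aware_is_lower(b)]

def letters_missed_by_ascii_range() -> list:
    """Lowercase letters the unported ASCII test fails to recognise in EBCDIC text."""
    return [c for c in string.ascii_lowercase
            if not ascii_range_is_lower(to_ebcdic(c))]

# Audit heuristics: a relational compare against a letter/digit literal, or a
# compare against a printable-ASCII hex code such as 0x30 (hypothetical patterns).
RANGE_RE = re.compile(r"(?:<=|>=|<|>)\s*'[A-Za-z0-9]'")
MAGIC_RE = re.compile(r"(?:==|!=|<=|>=|<|>)\s*0x[2-7][0-9A-Fa-f]\b")

def find_ascii_assumptions(source: str) -> list:
    """Return (line number, line) pairs for lines that compare chars by ASCII position."""
    hits = []
    for n, line in enumerate(source.splitlines(), start=1):
        if RANGE_RE.search(line) or MAGIC_RE.search(line):
            hits.append((n, line.strip()))
    return hits

# Constructed C fragment: the first two lines carry ASCII assumptions,
# the last two use <ctype.h> and are portable across code pages.
SAMPLE_C = """\
if (c == 0x30) return ZERO;
if (c >= 'a' && c <= 'z') c -= 0x20;
if (isdigit((unsigned char)c)) handle_digit(c);
if (islower((unsigned char)c)) c = toupper((unsigned char)c);
"""

if __name__ == "__main__":
    print("'0' is 0x%02X in EBCDIC, not 0x30" % to_ebcdic("0"))
    print("naive range accepts non-letters:",
          [hex(b) for b in non_letters_accepted_by_range()])
    print("ASCII range misses letters:", "".join(letters_missed_by_ascii_range()))
    for n, line in find_ascii_assumptions(SAMPLE_C):
        print(f"flagged line {n}: {line}")
```

Running it shows that even after substituting the EBCDIC byte values for 'a' and 'z', the range test still accepts 15 non-letter bytes sitting in the gaps after 'i' and 'r', so the only portable fix is to go through <ctype.h> (or the equivalent decode-then-classify step) rather than comparing byte positions.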

          1. 2

            EBCDIC is a programmer transparent encryption algorithm, after all.

        1. 6

          Sorry about the pay wall; it should work if this is the first article from the site you’ve read recently, and in an incognito window.

          1. 8

            A route around the pay wall: https://outline.com/5TP6J3

            1. 2

              @pushcx can we just set the URL to this for the submission instead?

            2. 6

              The archive link works as well.

            1. 3

              Hm, as an organiser of many meetups: I like this, but I’d prefer it to not encourage more meetups to serve pizza.

              (I have no issue with pizza per se, but moving beyond the “pizza & beer” monoculture is important)

              1. 5

                Hey now, everyone loves pizza! It’s versatile, readily available, easily eaten without utensils, and can serve most niches for people with dietary requirements or taste preferences. (Beer, on the other hand…)

                1. 3

                  I do even agree with your points! Pizza is the easiest food to quickly get on short notice with a wide variety of variants. This is not a “I hate pizza and you should feel bad for ever serving it”.

                  But everyone loves pizza until all you serve is pizza. You’d be surprised how much positive response you get when you finally run something with other food.

                  Also, with caterers taking note of meetups as a target, other food gets close to pizza when it comes to convenience and price. Usually, they serve a rolling menu where you can only pick what’s available at that night.

                  1. 3

                    Oh, totally agreed that too much of a good thing is a bad thing. More variety would be nice - at least pizza places offer non-pizza things if that’s your only option.

                    1. 1

                      Hmm, what are some other things that you would like to serve in place of pizza? Other dishes such as pasta/salads? (I can’t think of a good replacement)

                      1. 2

                        One meetup in Chicago does empanadas and those work pretty well. I’ve also seen burritos go over well.

                        1. 1

                          Those both sound like good ideas - I guess it really depends on location as well.

                        2. 2

                          For larger things, curry/rice is a great alternative that can easily cover many food styles. Bagels are also awesome.

                          For smaller meetups, any buffet can be made affordable or even be prepared yourself with a short trip to the supermarket and 15 minutes of cutting and slicing.

                          If you have enough money, any city has a lot of small-scale caterers, though they tend to cost a little more than pizza. (Not much, but it may be prohibitive.) At least in Germany, getting some food from the restaurant around the corner is usually possible, even if they don’t officially cater. If they are close, they might even bring stuff up to your office and lend you plates. This definitely becomes easier if you are always at the same location.

                          My rule of thumb: go to a local sports club, see what they do ;).

                      2. 1

                        I suspect you’ve never tried to eat vegan, gluten-free pizza.

                      3. 2

                        I’ve gotten some feedback on some of the events I run that having non-pizza options was definitely a thing. I started running one event out of the venue space in a bar, and that’s worked quite well. Lots of food/beverage options there.

                        1. 1

                          Yep. There are lots of ways to solve it. I want meetup organisers to be creative. (Also, I want meetup organisers not to spend too much time on it; it may become exhausting.)

                        2. 1

                          In my previous company (which had just raised money) we had trouble finding other “sponsors”, so we tried not to put on the usual pizza and beer stuff. The result was that fewer people came, because they had to get home late without eating, and going to a restaurant for a meetup was too expensive.

                          We finally settled on the pizza and very few beers, but it felt like people preferred the catering to the talks…

                          1. 1

                            Oh, food is important, I just want variety.

                          2. 1

                            Pizza isn’t the most healthy, but hey, John Carmack didn’t develop Doom ordering Chinese takeout every night :p

                            1. 3

                              BRB, registering the “John Carmack Meetup”, where everyone is John Carmack.

                              It isn’t as much about health. Eating pizza once a month is fine, and if you visit meetups so often that their choice of meal becomes a health issue, you should probably reconsider your meetup habit before your food habit.

                          1. 15

                            Q: is the HTTP protocol really the problem that needs fixing?

                            I’m under the belief that if the HTTP overhead is causing you issues then there are many alternative ways to fix this that don’t require more complexity. A site doesn’t load slowly because of HTTP, it loads slowly because it’s poorly designed in other ways.

                            I’m also suspicious of Google’s involvement. TCP HTTP 1.1 is very simple to debug and do by hand. Google seems to like closing or controlling open things (Google chat support for XMPP, Google AMP, etc). Extra complexity is something that should be avoided, especially for the open web.

                            1. 10

                              They have to do the fix on HTTP because massive ecosystems already depend on HTTP and browsers with no intent to switch. There’s billions of dollars riding on staying on that gravy train, too. It’s also worth noting lots of firewalls in big companies let HTTP traffic through but not better-designed protocols. The low-friction improvements get more uptake by IT departments.

                              1. 7

                                WAFs and the like barely support HTTP/2 tho; a friend gave a whole talk on bypasses and scanning for it, for example

                                1. 6

                                  Thanks for the feedback. I’m skimming the talk’s slides right now. So far, it looks like HTTP/2 got big adoption but WAFs lagged behind. Probably just riding their cash cows, minimizing further investment. I’m also sensing a business opportunity if anyone wants to build an HTTP/2 and /3 WAF that works, with independent testing showing nothing else or others didn’t. Might help bootstrap the company.

                                  1. 3

                                    ja, that’s exactly correct: lots of the big-name WAFs/NGFWs/&c. are missing support for HTTP/2 but many of the mainline servers support it, so we’ve definitely seen HTTP/2 as a technique to bypass things like SQLi detection, since they don’t bother parsing the protocol.

                                    I’ve also definitely considered doing something like CoreRuleSet atop HTTP/2; could be really interesting to release…

                                    1. 4

                                      so we’ve definitely seen HTTP/2 as a technique to bypass things like SQLi detection, since they don’t bother parsing the protocol.

                                      Unbelievable… That shit is why I’m not in the security industry. People mostly building and buying bullshit. There’s exceptions but usually setup to sell out later. Products based on dual-licensed code are about only thing immune to vendor risk. Seemingly. Still exploring hybrid models to root out this kind of BS or force it to change faster.

                                      “I’ve also definitely considered doing something like CoreRuleSet atop HTTP/2; could be really interesting to release…”

                                      Experiment however you like. I can’t imagine what you release being less effective than web firewalls that can’t even parse the web protocols. Haha.

                                      1. 5

                                        Products based on dual-licensed code

                                        We do this where I work, and it’s pretty nice, tho of course we have certain things that are completely closed source. We have a few competitors that use our products, so it’s been an interesting ecosystem to dive into for me…

                                        Experiment however you like. I can’t imagine what you release being less effective than web firewalls that can’t even parse the web protocols. Haha.

                                        pfff… there’s a “NGFW” vendor I know that…

                                        • when it sees a connection it doesn’t know, analyzes the first 5k bytes
                                        • this allows the connection to continue until the 5k+1 byte is met
                                        • subsequently, if your exfiltration process transfers data in packages of <= 5kB, you’re ok!

                                        we found this during an adversary simulation assessment (“red team”), and I think it’s one of the most asinine things I’ve seen in a while. The vendor closed it as “works as expected”.

                                        edit fixed the work link as that’s a known issue.

                                        1. 3

                                          BTW, Firefox complains when I go to https://trailofbits.com/ that the cert isn’t configured properly…

                                          1. 2

                                            hahaha Nick and I were just talking about that; it’s been reported before, I’ll kick it up the chain again. Thanks for that! I probably should edit my post for that…

                                            1. 2

                                              Adding another data point: latest iOS also complains about the cert

                                2. 3

                                  They have to do the fix on HTTP

                                  What ‘fix’? Will this benefit anyone other than Google?

                                  I’m concerned that if this standard is not actually a worthwhile improvement for everyone else, then it won’t be adopted and the IETF will lose respect. I’m running on the guess that it’s going to have even less adoption than HTTP/2.

                                3. 13

                                  I understand and sympathize with your criticism of Google, but it seems misplaced here. This isn’t happening behind closed doors. The IETF is an open forum.

                                  1. 6

                                    just because they do some subset of the decision making in the open shouldn’t exempt them from blame

                                    1. 3

                                      Feels like Google’s turned a lot of public standards bodies into rubber stamps for pointless-at-best, dangerous-at-worst standards like WebUSB.

                                      1. 5

                                        Any browser vendor can ship what they want if they think that makes them more attractive to users or what not. Doesn’t mean it’s a standard. WebUSB has shipped in Chrome (and only in Chrome) more than a year ago. The WebUSB spec is still an Editor’s Draft and it seems unlikely to advance significantly along the standards track.

                                        The problem is not with the standards bodies, but with user choice, market incentive, blah blah.

                                        1. 3

                                          Feels like Google’s turned a lot public standards bodies into rubber stamps for pointless-at-best, dangerous-at-worst standards like WebUSB.

                                          “WebUSB”? It’s like kuru crossed with ebola. Where do I get off this train.

                                        2. 2

                                          Google is incapable of doing bad things in an open forum? Open forums cannot be influenced in bad ways?

                                          This does not displace my concerns :/ What do you mean exactly?

                                          1. 4

                                            If the majority of the IETF HTTP WG agrees, I find it rather unlikely that this is going according to a great plan towards “closed things”.

                                            Your “things becoming closed-access” argument doesn’t hold, imho: While I have done lots of plain text debugging for HTTP, SMTP, POP and IRC, I can’t agree with it as a strong argument: Whenever debugging gets serious, I go back to writing a script anyway. Also, I really want the web to become encrypted by default (HTTPS). We need “plain text for easy debugging” to go away. The web needs to be great (secure, private, etc.) for users first - engineers second.

                                            1. 2

                                              That “users first-engineers second” mantra leads to things like Apple and Microsoft clamping down on the “general purpose computer”-think of the children the users! They can’t protect themselves. We’re facing this at work (“the network and computers need to be secure, private, etc) and it’s expected we won’t be able to do any development because of course, upper management doesn’t trust us mere engineers with “general purpose computers”. Why can’t it be for “everybody?” Engineers included?

                                              1. 1

                                                No, no, you misunderstand.

                                                The users first / engineers second is not about the engineers as end users like in your desktop computer example.

                                                What I mean derives from the W3C design principles. That is to say, we shouldn’t avoid significant positive change (e.g., HTTPS over HTTP) just because it’s a bit harder on the engineering end.

                                                1. 6

                                                  Define “positive change.” Google shoved HTTP/2 down our throats because it serves their interests not ours. Google is shoving QUIC down our throats because again, it serves their interests not ours. That it coincides with your biases is good for you; others might feel differently. What “positive change” does running TCP over TCP give us (HTTP/2)? What “positive change” does a reimplementation of SCTP give us (QUIC)? I mean, other than NIH syndrome?

                                                  1. 3

                                                    Are you asking how QUIC and H2 work, or are you saying performance isn’t worth improving? If it’s the latter, I think we’ve figured out why we disagree here. If it’s the former, I kindly ask you to find out yourself before you enter this dispute.

                                                    1. 3

                                                      I know how they work. I’m asking, why are they reimplementing already implemented concepts? I’m sorry, but TCP over TCP (aka HTTP/2) is plain stupid—one lost packet and every stream on that connection hits a brick wall.

                                                      1. 1

                                                        SPDY and its descendants are designed to allow web pages with lots of resources (namely, images, stylesheets, and scripts) to load quickly. A sizable number of people think that web pages should just not have lots of resources.

                                        1. 5

                                          Title is slightly wrong. You can boot it but you can’t install it because the OS is blocked from seeing the internal storage.

                                          1. 15

                                            I don’t think “blocked from seeing the internal storage” is quite the correct characterization. The T2 chip is acting as an SSD controller, I bet if somebody takes the time to write a T2 driver for Linux everything will work just fine. The difficulty there will likely be that there is no datasheet available for the chip so the driver will have to be reverse engineered from mac OS which is certainly not trivial.

                                            1. 5

                                              This has shades of the “Lenovo is blocking Linux support” “incident” where Lenovo just forced the storage controller into a RAID mode Linux didn’t have a driver for.

                                              1. 2

                                                At least from what the system report tool says the drive appears as an NVME SSD and just an iteration on the one from previous generations (AP0512J vs AP0512M in the 2018 Air). So it might just work with the Linux NVME drivers once there’s a working UEFI shim that’s trusted. At that point this tutorial seems plausible.

                                                1. 3

                                                  Trust is not an issue because secure boot can be completely disabled.

                                                  As the article mentions, people who tried live USBs found out that the internal storage is not recognized. So looks like T2 is indeed actually acting as an SSD controller. (And of course macOS would report the actual underlying SSD even if there is no direct connection to it. The T2 could be reporting that info to the OS.)

                                              2. 8

                                                The difficulty there will likely be that there is no datasheet available for the chip

                                                Unless they completely and utterly butchered the initialization, no amount of datasheets will save you. From the T2 documentation:

                                                By default, Mac computers supporting secure boot only trust content signed by Apple. However, in order to improve the security of Boot Camp installations, support for secure booting Windows is also provided. The UEFI firmware includes a copy of the Microsoft Windows Production CA 2011 certificate used to authenticate Microsoft bootloaders.

                                                NOTE: There is currently no trust provided for the Microsoft Corporation UEFI CA 2011, which would allow verification of code signed by Microsoft partners. This UEFI CA is commonly used to verify the authenticity of bootloaders for other operating systems such as Linux variants.

                                                To bypass the check of the cryptographic signature, you’d probably have to find some kind of exploitable vulnerability in the verification code (or even earlier in the boot process so that you get code execution in the bootloader before the actual check).

                                                1. 8

                                                  As the article says, you can disable the T2 Secure Boot so the code signature verification is not the problem at that point. The problem then is that the T2 acts as the SSD controller, and nobody has taught Linux yet how to talk to a T2 chip. The article incorrectly conflates the two issues.

                                                  1. 5

                                                    Doesn’t look like it’s conflating them. You might have to scroll down further :) but there’s a screenshot of the Startup Security Utility and this text:

                                                    However, reports have come in that even with it disabled, users are still unable to boot a Linux OS as the hardware won’t recognize the internal storage device. Using the External Boot option (pictured above), you may be able to run Linux from a Live USB, but that certainly defeats the purpose of having an expensive machine with bleeding-edge hardware.

                                                  2. 2

                                                    Secure boot can be disabled. Then the machine will boot anything you tell it to boot, bringing the security in line with machines predating the T2.

                                                    Source: I tried it out on my iMac pro which is a T2 machine.

                                                    1. 1

                                                      edit: mis-read that. Yeah until they add partner support you’re probably pretty stuck. Although somebody like RedHat or Canonical that have relationships with Microsoft might be able to have them cross-sign their shim to support booting on the new Air. Either that or we’re stuck waiting for Apple to support the UEFI CA.

                                                1. 4

                                                  Pleased to see that LSP world domination is ongoing. Having implemented an LSP server myself I could rant at length about its flaws, but none of them really matter, because the fact that you can fire up almost any editor and get something close to full IDE support for a whole range of languages is fantastic.

                                                  (Which reminds me, I must try Emacs’ C++ LSP support again - last time round it had some rough edges & I went back to the dedicated clang based setup built around irony-mod.)

                                                  1. 2

                                                    I’ve personally never had good experiences with LSPs; they feel tacked on, and that’s if they even feel like working properly.

                                                    IMHO, the only way to do editor intelligence is in the editor.

                                                    1. 9

                                                      Sure, in a perfect world we would all use editors with an infinite supply of programmer time to provide deep integration with every programming language we wanted to use.

                                                      Back in the real world, the LSP means that a new language can get “good enough” support (good enough is: has “go to definition”, “provide completions at point”, “outline view”, “show documentation”) on every editor that supports the protocol, by simply implementing a single LSP daemon.

                                                      Does it match the deep integration + support that comes from using (e.g.) NetBrains Java editors? No. Is it /hugely/ better than the pre-LSP status quo? Definitely.

                                                  1. 5

                                                    Oy, another build tool.

                                                    I’m kind of weary of seeing them show up. Each subtle in their own right, with deep strangenesses and incompatibilities. One Ring to Rule Them All would be grand.

                                                    1. 4

                                                      An important thing to preserve: for most projects, you can cd into the project directory, type make (sometimes with configure first), and that’s the end of the story.

                                                      1. 6

                                                        (this reply may or may not contain trolling)

                                                        • Doesn’t apply to Windows,
                                                        • Sometimes you need to run ./autogen.sh
                                                        • Sometimes you need to install a few packages (you have to know the names) because autoconf isn’t bundled as one package on most distros,
                                                        • Sometimes autoconf scripts require its tool packages to be installed in specific versions,
                                                        • Learning to use autoconf requires you to learn a build system which contains backward compatibility for shells/systems that are installed on maybe 10 machines worldwide.

                                                        1. 3

                                                          autotools can be used by developers or maintainers; the release tarballs will not require you to run autogen nor install autoconf/automake

                                                          1. 4

                                                            Except cases where you’re the user and you need to use the git version, because it contains a fix for some obscure bug only you’re encountering ;)

                                                            1. 4

                                                              Or, as is increasingly common, there are no releases and the git repo is rolling-release.

                                                          2. 2

                                                            And then you spend hours tracing m4 scripts because there’s a bug in autofools.

                                                            1. 1

                                                              What a joy to dig into the autogenerated configure file to debug what is going wrong when you statically compile a project with 10+ libraries!

                                                              1. 1

                                                                That’s true, but normally you shouldn’t dig into autogenerated makefiles, unless you’re debugging CMake itself. Standard case is that you debug your build on CMakeLists level (if you’re using CMake).

                                                              2. 1

                                                                Doesn’t apply to Windows,

                                                                I’m there now with a work project that can build on Linux with some of it also on Windows but uses all of CMake and premake on top of autotools, gmake/nmake, gcc toolchain/VC++ toolchain. For a mixed Python/C project this is too much baggage for external users so I’m trying the waf build system. I happen to be stuck on a peculiar and possibly locally inflicted Windows linking behavior but writing rules in a Python DSL is great.

                                                                1. 1

                                                                  I’ve tried waf some time ago. It was nice at the beginning, but after a year of using it I stopped understanding my own build systems, because they were nearly standalone Python programs in their own right. Still, it was better than pure Makefiles.

                                                                2. 1

                                                                  Learning to use autoconf requires you to learn a build system which contains backward compatibility for shells/systems that are installed on maybe 10 machines worldwide.

                                                                  And people like me thank them for that!

                                                                3. 4

                                                                  yeah…. that is why, despite its manifest and many defects, I tend to default to make for projects that aren’t deeply intermeshed into a single build system. It often calls out to the ecosystem-specific toolsystem (my home work these days is mostly ocaml, for instance).

                                                                  ./build.sh is also a nice standard to have.

                                                                  I’m not opposed to redo or another build system. But new generalized systems IMO have to be clearly and visibly The Better Way Forward: 10x or more the obvious effectiveness of make, for someone comfortable writing make.

                                                                  (mumble: maybe if we stopped writing C/C++, build systems coagulated around that arcane world would stop appearing, letting us get on with writing new scala build systems)

                                                                  1. 3

                                                                    I often write a trivial makefile that calls whatever other build tool I’m using, just to preserve this.

                                                                    1. 2

                                                                      In all my projects, the Makefile is the entrypoint to building, developing, testing & sometimes even deploying the software.

                                                                      Yes, you usually end up calling out to programming-language-specific tools underneath (like mix or cabal), but the ability to organize tasks in a dependency tree and to have a single place where they’re all listed is great. Especially when you come back to a project after a long break.

                                                                    2. 4

                                                                      One Ring to Rule Them All would be grand

                                                                      Unlikely. But here’s One Theory to Classify Them All:

                                                                      (Yes, same work posted twice, six months apart, by different people.)

                                                                      1. 1

                                                                        Thanks for links. I just tied a knot around them to facilitate easier discovery of both for anyone who lands on just one.

                                                                    1. 2

                                                                      Wonder if he’s aware of how tags on the AS/400 worked? There’s a dedicated PPC instruction to “bless” a pointer, then another instruction to load a tagged pointer, or previously, test the pointer when loading. Copied or modified pointers lose this bit. This is enforced by language-based security, where the only code generator is the AOT bytecode compiler. The tags seemed to be stored in ECC like the SPARC implementation.

                                                                      1. 2

                                                                        I’m looking forward to see functional feature phones in the market that aren’t overpriced hipster toys.

                                                                        1. 3

                                                                          I can’t wait for this either! The industry is desperate for a middle-ground. Give me a feature phone that has a touchscreen QWERTY keyboard, where I can check my emails and have Whatsapp. I’ll ditch my smartphone tomorrow.

                                                                          1. 3

                                                                            If you don’t mind the lack of a touchscreen (it’s not a smartphone, after all), Nokia 8810 4G is what you’re looking for.

                                                                            1. 1

                                                                              I don’t believe it has a QWERTY keyboard?

                                                                              1. 1

                                                                                Ah, yes, I interpreted “touchscreen QWERTY keyboard” as one item.

                                                                          2. 1

                                                                            Why wait when feature phones like these are still on the market? Hell, if you check out your nearest electronics shop I’m sure you can still find feature phones for sale. Or did you mean something special when you said ‘functional’?

                                                                            1. 2

                                                                              Modern feature phones with LTE run Android.

                                                                              1. 2

                                                                                Almost every non-hipster feature phone is just an old phone still in production. Most of them don’t even support 3G even though 2G is going to be phased out in less than a decade. I’m looking for a modern phone that isn’t a smartphone, rather than just an old phone.

                                                                                The actually innovative looking ones (eg Alcatel 2008G) are usually intended for non-tech savvy people, especially old people with vision impairments, and even those are grossly overpriced for what they do.

                                                                                Nokia’s 8810 remake is the closest thing to what I’m looking for. It’s durable with a long battery life and runs KaiOS (Firefox OS fork). It is rumoured that WhatsApp will be ported to KaiOS this year, which is (quite unfortunately) an app I cannot do without.

                                                                                1. 2

                                                                                  Ah right, network support is going to be a killer. Good point.

                                                                            1. 2

                                                                              Isn’t this just yet another Clevo rebrand?

                                                                              1. 2

                                                                                supported by the Mozilla WebRender rendering engine

                                                                                So… electron.rs? ☹️

                                                                                But, no javascript? 😀

                                                                                I’m so conflicted.

                                                                                1. 12

                                                                                  So… electron.rs? ☹️

                                                                                  Doesn’t seem so: https://hacks.mozilla.org/2017/10/the-whole-web-at-maximum-fps-how-webrender-gets-rid-of-jank/ & https://github.com/servo/webrender & https://github.com/servo/webrender/wiki

                                                                                  As I seem to understand, WebRender is nowhere close to being an Electron alternative. It seems to be an efficient and modern rendering engine for GUIs and provides nothing related to JavaScript/Node/Web APIs.

                                                                                  So it looks like you can be free of conflict and enjoy this interesting API :) . I personally definitely keep an eye on it for my next pet project and find it refreshing to have an API for UI that looks both usable and simple.

                                                                                  1. 4

                                                                                    If you’re a fan of alternative, Rust-native GUIs, you might want to have a look at xi-win-ui (in the process of being renamed to “druid”). It’s currently Windows-only, because it uses Direct2D to draw, but I have plans to take it cross-platform, and use it for both xi and my music synthesizer project.

                                                                                    1. 1

                                                                                      Please, give us some screenshots! ;)

                                                                                      1. 1

                                                                                        Soon. I haven’t been putting any attention into visual polish so far because I’ve been focusing on the bones of the framework (just spent the day making dynamic mutation of the widget graph work). But I know that screenshots are that important first impression.

                                                                                        1. 1

                                                                                          Please do submit a top-level post on lobste.rs once you add the screenshots :)

                                                                                          1. 1

                                                                                            Will do. Might not be super soon, there’s more polishing I want to do.

                                                                                            1. 1

                                                                                              Thanks! :) And sure, take your time :)

                                                                                  2. 6

                                                                                    If comparing with the Chromium stack, WebRender is similar to Skia, and this is a GUI toolkit on top of it, instead of on top of a whole browser. BTW, there’s an example of an app that has its whole (non-native) UI on top of Skia: Aseprite.

                                                                                    (AFAIK, Skia is something a la Windows GDI, immediate mode, and WebRender is a scene graph-style lib, more “retained-mode”)

                                                                                    And it seems that, despite there being no components from a real browser, Azul has a DOM and CSS. So, Azul is something in the spirit of NeWS and Display PostScript, but more web-ish, instead of printer-ish?

                                                                                    1. 4

                                                                                      There is also discussion of making an xml format for specifying the dom, like html.

                                                                                      1. 1

                                                                                        It’s using Mozilla’s WebRender, so how about XUL?

                                                                                        1. 1

                                                                                          Considering that Mozilla is actively trying to get rid of XUL, doing anything new with it seems like a bad idea.

                                                                                          But also, if I understand what XUL is correctly, it’s mostly a defined list of widgets over a generic XML interface; if I understand that proposal properly, it’s to make the list of widgets completely user controllable (though there will no doubt be some default ones, including HTML-like ones).

                                                                                    2. 1

                                                                                      WebRender is basically a GPU-powered rectangle compositor, with support for the kinds of settings / filters you can put on HTML elements. It’s nowhere near the bloated monstrosity that is electron.

                                                                                    1. 29

                                                                                      I have friends who work for Red Hat who are Not Happy about this.

                                                                                      My speculation is that clients of Red Hat will see at most slow change. IBM’s not going to toss the cash cow RHEL, and the various cloud software offerings are what they apparently bought it for. However, internally I think we’ll see a massive diaspora of talent as Red Hat becomes IBM-ified. (All claims to the contrary from either company’s PR are of course to be ignored completely. They have to say that, to stave off the employee flight as long as possible.)

                                                                                      Hot take: I wonder what this will mean for SystemD? ;)

                                                                                      1. 8

                                                                                        I’m unfamiliar with IBM’s Linux strategy; why would this mean anything wrt systemd specifically?

                                                                                        1. 5

                                                                                          Nothing, it’s just a play on the (IMHO very wrong) meme that systemd is only as successful as it is because it had RedHat backing.

                                                                                          IBM probably doesn’t even know what systemd is on the “we’re buying a huge company for 20 billion” plane.

                                                                                        2. 6

                                                                                          Employees are rarely excited about being acquired, and let’s face it, history has shown that it’s been bad for both customers and employees unless the company being acquired is going out of business.

                                                                                          1. 12

                                                                                            Hot take: I wonder what this will mean for SystemD?

                                                                                            Can it be a hot take if it’s not even a take? This is inquisitive (not argumentative), which is good for discussion but probably bad if your goal was to have an opinion.

                                                                                            1. 3

                                                                                              hot question

                                                                                            2. 5

                                                                                              I’m out of the loop. Could you explain the systemd comment?

                                                                                              1. 14

                                                                                                systemd was originally written by Lennart Poettering and Kay Sievers who work at Red Hat.

                                                                                                1. 3

                                                                                                  Is it still maintained by them as part of their jobs at Red Hat?

                                                                                                  1. 5

                                                                                                    Yes

                                                                                                    1. 3

                                                                                                      Lennart Poettering on Twitter this morning (:

                                                                                                      As you all know we never have been fans of portability. It will come as no surprise that in light of the recent developments we will discontinue all non-S/390 ports of systemd very soon now. Please make sure to upgrade to an S/390 system soon. Thank you for understanding.

                                                                                                      1. 1

                                                                                                        Even POWER? ;)

                                                                                              2. 3

                                                                                                Hot take: I wonder what this will mean for SystemD? ;)

                                                                                                I’m pretty sure Facebook will keep developing it if nobody else does:

                                                                                                https://media.ccc.de/v/ASG2018-192-state_of_systemd_facebook

                                                                                                (disclaimer: I work there, though not on the team that works most with systemd – and this is of course my personal opinion)

                                                                                              1. 15

                                                                                                I wonder if painters are ever influenced by paintings that were made before they were born.

                                                                                                1. 1

                                                                                                  Video games are a young medium, so being influenced by games made after you were born is somewhat novel, but increasingly more likely. Young creators are also seen as unusual, particularly when the end result is polished.

                                                                                                1. 2

                                                                                                  Until there is code or something more than a paper, it’s academic.

                                                                                                  1. 1

                                                                                                    The diagram looks pretty close to L4Linux. That was in the TUDOS demo. VMs loaded about as fast as I could click them on a microkernel. A form of it was deployed by Sirrix (now R&S) in Trusted Desktop (originally Turaya Desktop). OK Labs did something similar with OK-Linux for OKL4, which they put on mobile phones. So, the stuff predating unikernels proves at least OS-in-a-process is doable since it’s been in FOSS and commercial products a long time. They also did better at containing security problems since there was simply less attack surface and isolation was the default option.

                                                                                                    1. 2

                                                                                                      Interesting! I guess now the trick is making it accessible.

                                                                                                      1. 1

                                                                                                        Always with cutting-edge tech. Few go that far. (sighs)

                                                                                                      2. 2

                                                                                                        Unikernels look like a mix of a lot of stuff from the IBM world, sometimes to the point it feels like they’re accidentally reinventing it: VM/CMS spawning a VM per user session and for network services, and OS/400’s collapse of address space. (though unikernels go farther with ending the boundaries and turning syscalls into function calls; and less in others, like no trusted compiler running, no single-level store, and often no paging, just a filesystem like an embedded system)

                                                                                                        1. 3

                                                                                                          kev009 on Hacker News made a similar observation. I think quite a bit of what the cloud sector is doing is reinventing IBM. Worst case, they should give them credit and look to see what’s worth copying. If not, they’ve at least vastly improved on IBM’s offering by making something open, flexible, and commodity-priced. Mainframes and AS/400s were always about profitable lock-in developed at a glacial pace compared to the rest of the industry. OpenVMS improved a bit by using commodity-ish servers. Kept lock-in and slow development with results predictable.

                                                                                                          All this copycat stuff at least democratizes the technology with less lock-in and more momentum than before.

                                                                                                    1. 8

                                                                                                      At work, I’m continuing to chip away at some Active Merchant improvements.

                                                                                                      At home, I’m working on my other hobby, my DeLorean, which needs a new window regulator. Two of the bolts are borderline impossible to get in, so I’m making a custom tool for the purpose, which will be the first thing I’ll have 3D printed that isn’t, like, a soap tray.

                                                                                                      I will also try to hack on Factor a bit, but that’s honestly been rare these days. The older I get, the harder it is to follow up a day of coding with…more coding.

                                                                                                      1. 3

                                                                                                        any rumblings on what happened to Factor’s creator, Slava Pestov? I’ve used jEdit a ton in the past and heard a lot about Factor … i heard he moved onto Google at one point, but I’m shocked to have not heard any news regarding him in the recent past…

                                                                                                        I can relate to the “it’s hard to follow up a day of coding with … more coding” … i don’t even get how I have friends that can do hours of WoW after a day of coding. I need to separate myself from the PC in the evening daily :D

                                                                                                        1. 3

                                                                                                          any rumblings on what happened to Factor’s creator, Slava Pestov?

                                                                                                          He works on Swift at Apple. You can follow his Twitter feed if you’re curious.

                                                                                                        2. 1

                                                                                                          so I’m making a custom tool for the purpose, which will be the first thing I’ll have 3D printed that isn’t, like, a soap tray.

                                                                                                          I always think of stuff that is 3D printed as being – for lack of a better word – fragile. You are going to make a tool with it – that is awesome and interesting. Can you give us some details after the fact about the 3D printer, tool and if it all worked?

                                                                                                          1. 3

                                                                                                            Sure. That said, I think you’re overestimating what a tool means in this case.

                                                                                                            John DeLorean and Steve Jobs have a lot in common, personality-wise, and the DMC-12 is kind of a Macintosh of cars: it’s super-stylish and has tons of things that were novel for the time, but also made tons of compromises in the process. The doors, which are a) gull-wing doors, b) before people figured out how to actually do that sanely, c) and also have some of the earliest power windows, are a complete shit-show. In this case, to put the lower half of the door back on, you have to get two bolts (or screws, if you’re the first one in the door and haven’t replaced them, which is worse) into two holes. You would normally want to hand-thread something like this, but these holes are obscured, and also about 3-4 inches down in the door, accessible only through two holes, each only about 1”x1.5”. And no, you can’t do the bolts first. And, oh yes, if you miss, and the bolt falls into the door, you have to disassemble all of the door you’ve assembled up to that point.

                                                                                                            So, the tool I’m making literally just needs to help me get the bolts threaded in the tiniest, littlest amount, after which its job is done and I can sanely use a ratchet wrench. It’s serving the role my fingers would play…if my fingers were 8” long and as thin as a pencil. If you imagine two joined chopsticks that are bent 90 degrees for the last 2cm or so, that’s literally all I’m making.

                                                                                                            So yeah, I’ll post back, but unless I really fuck up, then while it might not actually work, it at least shouldn’t snap or anything.

                                                                                                            1. 1

                                                                                                              fingers were 8” long and as thin as a pencil

                                                                                                              That image is now etched into my mind. :)

                                                                                                              1. 1

                                                                                                                I’m just a little mad the DMC-12 stole the thunder from the Bricklin SV-1, the local automobile from here. It even had gull-wing doors too!

                                                                                                                1. 1

                                                                                                                  That’s true, but didn’t the SV-1 stop production like half a decade before the first DMC-12 rolled off the assembly line? It’s been a while, but I remember it having a shorter run and massive quality control issues.

                                                                                                                  1. 1

                                                                                                                    Very much true - but the DMC-12 also has the advantage of becoming a pop culture icon ex post facto as well.

                                                                                                            1. 2

                                                                                                              oops, I grabbed the wrong URL from my RSS reader; sorry for that

                                                                                                            1. 5

                                                                                                              It’s interesting to see the slow but steady rejection of intricate CMSes like Drupal and WordPress (which are increasingly more like script kiddie remote shells with content management on the side) - though for technical crowds, I see the rise of static site tooling over another “lightweight” CMS.

                                                                                                              1. 3

                                                                                                                Consumer laptops have lower build quality and lack in things like panel or battery. IMHO, if you don’t want to pay new prices, used machines are very valid; as long as it’s a premium or enterprise model like a ThinkPad, Surface, XPS, MacBook, Latitude, or whatever, it’s hard to go wrong.

                                                                                                                For what I’m using, I use an X230 Tablet as my daily driver for being out and about. I used to use a Surface RT, which worked pretty well, and got hideously good battery life, but Windows RT was a bit restrictive even with the jailbreak. I do have an X201, but the screen and battery are so dire that I don’t use it as a laptop and keep it docked onto the UltraBase of shame.

                                                                                                                1. 3

                                                                                                                  Something interesting about this one is that it’s not wrapped by glibc, meaning that we need to call it via the syscall(2) method ourselves.

                                                                                                                  You want opendir(3) and readdir(3).
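A worked example of the alternative recommended in the reply above, added here as illustration (it is not code from the comment, nor from any project the thread discusses): walking a directory through the portable opendir(3)/readdir(3) wrappers instead of issuing the raw syscall. The temporary directory under /tmp, the file names, and the function names count_entries and demo_listing are constructed for the demo. One caveat the wrappers carry that the example handles: readdir(3) returns NULL both at end of stream and on error, so errno has to be cleared before the call and checked afterwards to tell the two apart.

```c
#define _XOPEN_SOURCE 700   /* expose mkdtemp() from <stdlib.h> */
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Count the entries in a directory, skipping "." and "..", using the libc
 * wrappers rather than the raw getdents syscall. Returns -1 on error. */
int count_entries(const char *path)
{
    DIR *d = opendir(path);
    if (d == NULL)
        return -1;

    int n = 0;
    struct dirent *ent;
    errno = 0;                      /* readdir reports errors only via errno */
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        n++;
        errno = 0;
    }
    int saved = errno;              /* NULL means end-of-stream unless errno was set */
    closedir(d);
    if (saved != 0)
        return -1;
    return n;
}

/* Self-contained demo: create a temporary directory (constructed sample input)
 * holding k empty files, count them with count_entries(), then remove
 * everything. Returns the count, or -1 on any failure. */
int demo_listing(int k)
{
    char dir[] = "/tmp/readdir_demo_XXXXXX";   /* mkdtemp overwrites the X's */
    if (mkdtemp(dir) == NULL)
        return -1;

    char fpath[sizeof dir + 32];
    int created = 0;
    for (int i = 0; i < k; i++) {
        snprintf(fpath, sizeof fpath, "%s/file%d", dir, i);
        int fd = open(fpath, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0)
            break;
        close(fd);
        created++;
    }

    int count = (created == k) ? count_entries(dir) : -1;

    /* Clean up: unlink the files we created, then the directory itself. */
    for (int i = 0; i < created; i++) {
        snprintf(fpath, sizeof fpath, "%s/file%d", dir, i);
        unlink(fpath);
    }
    rmdir(dir);
    return count;
}

int main(void)
{
    printf("entries in temp dir with 3 files: %d\n", demo_listing(3));
    printf("count_entries on a missing path: %d\n",
           count_entries("/nonexistent/dir"));
    return 0;
}
```

Compile with `cc -o readdir_demo readdir_demo.c` and run it; the first line should report 3 and the second -1. Using O_EXCL when creating the sample files means the demo refuses to clobber anything that already exists at those paths.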