1. 6

    Now, that’s pretty shitty.

    HOWEVER.

    I kinda sorta somewhat a little bit see the point in this kind of research/test. Maybe I’m wrong (although the fact that this even happened kinda suggests I’m not), but it seems like their premise was correct: the Linux kernel review process, and lots of similar opensource projects, ARE vulnerable to malicious agents introducing the so-called hypocrite patches.

    Now, the way those people tried to test it was absolutely unethical, I think there’s barely a discussion there. But could there be an ethical way of testing these processes? Maybe by seeking consent of some maintainers, kinda like a pentest? Does anyone see any other kind of way?

    1. 17

      One way would be to get people to consent that at some point there may be a “test patch” (or “hypocrite patch”) like this. This could possibly be months or even a year later. I suspect that many maintainers will agree to this, and when done right I suspect many will even consider it helpful and useful; no one wants to accidentally approve bad patches and we can all learn from this. Takes a bit of time and effort, but it’s really not that hard, and won’t influence the study results too much.

      In the end, it’s the difference between asking “can I borrow your bike for an hour?” vs. just taking it for an hour. I will almost certainly say yes if you just ask, but I will be quite cross with you if you would just take it.

      1.  

        the Linux kernel review process, and lots of similar opensource projects, ARE vulnerable to malicious agents introducing the so called hypocrite patches.

        All code is vulnerable to malicious agents, it’s a human process and humans make mistakes. They also generally assume good intent.

        You have to assume corporate/state agents are embedded at all major companies, tech companies included.

        1.  

          Proprietary code usually has access control, so, good intent is only assumed of the people who have access to the code, which have been hired and, consequently, been through some vetting process.

          Also, I feel like the world relies more on open source than proprietary code? Like, there might be more proprietary code out there, but there’s more things depending on single pieces of opensource code than in single pieces of proprietary code.

      1. 47

        The paper has this to say (page 9):

        Regarding potential human research concerns. This experiment studies issues with the patching process instead of individual behaviors, and we do not collect any personal information. We send the emails to the Linux community and seek their feedback. The experiment is not to blame any maintainers but to reveal issues in the process. The IRB of University of Minnesota reviewed the procedures of the experiment and determined that this is not human research. We obtained a formal IRB-exempt letter.

        [..]

        Honoring maintainer efforts. The OSS communities are understaffed, and maintainers are mainly volunteers. We respect OSS volunteers and honor their efforts. Unfortunately, this experiment will take certain time of maintainers in reviewing the patches. To minimize the efforts, (1) we make the minor patches as simple as possible (all of the three patches are less than 5 lines of code changes); (2) we find three real minor issues (i.e., missing an error message, a memory leak, and a refcount bug), and our patches will ultimately contribute to fixing them.

        I’m not familiar with the generally accepted standards on these kinds of things, but this sounds rather iffy to me. I’m very far removed from academia, but I’ve participated in a few studies over the years, which were always just questionnaires or interviews, and even for those I had to sign a consent waiver. “It’s not human research because we don’t collect personal information” seems a bit strange.

        Especially since the wording “we will have to report this, AGAIN, to your university” implies that this isn’t the first time this has happened, and that the kernel folks have explicitly objected to being subject to this research before this patch.

        And trying to pass off these patches as being done in good faith with words like “slander” is an even worse look.

        1. 71

          They are experimenting on humans, involving these people in their research without notice or consent. As someone who is familiar with the generally accepted standards on these kinds of things, it’s pretty clear-cut abuse.

          1. 16

            I would agree. Consent is absolutely essential but just one of many ethical concerns when doing research. I’ve seen simple usability studies be rejected due to lesser issues.

            It’s pretty clear this is abuse.. the kernel team and maintainers feel strongly enough to ban the whole institution.

            1. 8

              Yeah, agreed. My guess is they misrepresented the research to the IRB.

              1.  

                They are experimenting on humans

                This project claims to be targeted at the open-source review process, and seems to be as close to human experimentation as pentesting (which, when you do social engineering, also involves interacting with humans, often without their notice or consent) - which I’ve never heard anyone claim is “human experimentation”.

                1. 16

                  A normal penetration testing gig is not academic research though. You need to separate between the two, and also hold one of them to a higher standard.

                  1.  

                    A normal penetration testing gig is not academic research though. You need to separate between the two, and also hold one of them to a higher standard.

                    This statement is so vague as to be almost meaningless. In what relevant ways is a professional penetration testing contract (or, more relevantly, the associated process) different from this particular research project? Which of the two should be held to a higher standard? Why? What does “held to a higher standard” even mean?

                    Moreover, that claim doesn’t actually have anything to do with the comment I was replying to, which was claiming that this project was “experimenting on humans”. It doesn’t matter whether or not something is “research” or “industry” for the purposes of whether or not it’s “human experimentation” - either it is, or it isn’t.

                    1. 7

                      Resident pentester and ex-academia sysadmin checking in. I totally agree with @Foxboron and their statement is not vague nor meaningless. Generally in a penetration test I am following basic NIST 800-115 guidance for scoping and target selection and then supplement contractual expectations for my clients. I can absolutely tell you that the methodologies that are used by academia should be held to a higher standard in pretty much every regard I could possibly come up with. A penetration test does not create a custom methodology attempting to deal with outputting scientific and repeatable data.

                      Let’s put it in real terms, I am hired to do a security assessment in a very fixed highly focused set of targets explicitly defined in contract by my client in an extremely fixed time line (often very short… like 2 weeks maximum and 5 day average). Guess what happens if social engineering is not in my contract? I don’t do it.

                      1.  

                        if you’re an employee in an industry, you’re either informed of penetration testing activity, or you’ve at the very least tacitly agreed to it along with many other things that exist in employee handbooks as a condition of your employment.

                        if a company did this to their employees without any warning, they’d be shitty too, but the possibility that this kind of underhanded behavior in research could taint the results and render the whole exercise unscientific is nonzero.

                        either way, the goals are different. research seeks to further the verifiability and credibility of information. industry seeks to maximize profit. their priorities are fundamentally different.

                    2. 13

                      This project claims to be targeted at the open-source review process, and seems to be as close to human experimentation as pentesting (which, when you do social engineering, also involves interacting with humans, often without their notice or consent) - which I’ve never heard anyone claim is “human experimentation”.

                      I had a former colleague that once bragged about getting someone fired at his previous job during a pentesting exercise. He basically walked over to this frustrated employee at a bar, bribed him a ton of money and gave a job offer in return for plugging a usb key into the network. He then reported it to senior management and the employee was fired. While that is an effective demonstration of a vulnerability in their organization, what he did was unethical under many moral frameworks.

                      1.  

                        If there is a pentest contract, then there is consent, because consent is one of the pillars of contract law.

                    3. 38

                      The statement from the UMinn IRB is in line with what I heard from the IRB at the University of Chicago after they experimented on me, who said:

                      I asked about their use of any interactions, or use of information about any individuals, and they indicated that they have not and do not use any of the data from such reporting exchanges other than tallying (just reports in aggregate of total right vs. number wrong for any answers received through the public reporting–they said that much of the time there is no response as it is a public reporting system with no expectation of response) as they are not interested in studying responses, they just want to see if their tool works and then also provide feedback that they hope is helpful to developers. We also discussed that they have some future studies planned to specifically study individuals themselves, rather than the factual workings of a tool, that have or will have formal review.

                      They claim because they’re studying the tool, it’s OK to secretly experiment on random strangers without disclosure. Somehow I doubt they test new drugs by secretly dosing people and observing their reactions, but UChicago’s IRB was 100% OK with doing so to programmers. I don’t think these IRBs literally consider programmers sub-human, but it would be very inconvenient to accept that experimenting on strangers is inappropriate, so they only want to do so in places they’ve been forced to by historical abuse. I’d guess this will continue for years until some random person is very seriously harmed by being experimented on (loss of job/schooling, pushing someone unstable into self-harm, targeting someone famous outside of programming) and then over the next decade IRBs will start taking it seriously.

                      One other approach that occurs to me is that the experimenters and IRBs claim they’re not experimenting on their subjects. That’s obviously bullshit because the point of the experiment is to see how the people respond to the treatment, but if we accept the lie it leaves an open question: what is the role played by the unwitting subject? Our responses are tallied, quoted, and otherwise incorporated into the results in the papers. I’m not especially familiar with academic publishing norms, but perhaps this makes us unacknowledged co-authors. So maybe another route to stopping experimentation like this would be things like claiming copyright over the papers, asking journals for the papers to be retracted until we’re credited, or asking the universities to open academic misconduct investigations over the theft of our work. I really don’t have the spare attention for this, but if other subjects wanted to start the ball rolling I’d be happy to sign on.

                      1. 21

                        I can kind of see where they’re coming from. If I want to research if car mechanics can reliably detect some fault, then sending a prepared car to 50 garages is probably okay, or at least a lot less iffy. This kind of (informal) research is actually fairly commonly done by consumer advocacy groups and the like. The difference is that the car mechanics will get paid for their work whereas the Linux devs and you didn’t.

                        I’m gonna guess the IRBs probably aren’t too familiar with the dynamics here, although the researchers definitely were and should have known better.

                        1. 16

                          Here it’s more like keying someone’s car to see how quick it takes them to get an insurance claim.

                          1.  

                            Am I misreading? I thought the MR was a patch designed to fix a potential problem, and the issue was

                            1. pushcx thought it wasn’t a good fix (making it a waste of time)
                            2. they didn’t disclose that it was an auto-generated PR.

                            Those are legitimate complaints, c.f. https://blog.regehr.org/archives/2037, but from the analogies employed (drugs, dehumanization, car-keying), I have to double-check that I haven’t missed an aspect of the interaction that makes it worse than it seemed to me.

                            1.  

                              We were talking about Linux devs/maintainers too, I commented on that part.

                              1.  

                                Gotcha. I missed that “here” was meant to refer to the Linux case, not the Lobsters case from the thread.

                          2.  

                            Though there they are paying the mechanic.

                          3. 17

                            IRB is a regulatory board that is there to make sure that researchers follow the [Common Rule](https://www.hhs.gov/ohrp/regulations-and-policy/regulations/common-rule/index.html).

                            In general, any work that receives federal funding needs to comply with the federal guidelines for human subject research. All work involving human subjects (usually defined as research activities that involve interaction with humans) needs to be reviewed and approved by the institution IRB. These approvals fall within a continuum, from a full IRB review (which involves the researcher going to a committee and explaining their work and usually includes continued annual reviews) to a declaration of the work being exempt from IRB supervision (usually this happens when the work meets one of the 7 exemptions listed in the federal guidelines). The whole process is a little bit more involved, see for example [all the charts](https://www.hhs.gov/ohrp/regulations-and-policy/decision-charts/index.html) to figure this out.

                            These rules do not cover research that doesn’t involve humans, such as research on technology tools. I think that there is currently a grey area where a researcher can claim that they are studying a tool and not the people interacting with the tool. It’s a lame excuse that probably goes around the spirit of the regulations and is probably unethical from a research stand point. The data aggregation method or the data anonymization is usually a requirement for an exempt status and not a non-human research status.

                            The response that you received from IRB is not surprising, as they probably shouldn’t have approved the study as non-human research but now they are just protecting the institution from further harm rather than protecting you as a human subject in the research (which, by the way, is not their goal at this point).

                            One thing that sticks out to me about your experience is that you weren’t asked to give consent to participate in the research. That usually requires a full IRB review as informed consent is a requirement for (most) human subject research. Exempt research still needs informed consent unless it’s secondary data analysis of existing data (which your specific example doesn’t seem to be).

                            One way to quickly fix it is to contact the grant officer that oversees the federal program that is funding the research. A nice email stating that you were coerced to participate in the research study by simply doing your work (i.e., review a patch submitted to a project that you lead) without being given the opportunity to provide prospective consent and without receiving compensation for your participation and that the research team/university is refusing to remove your data even after you contacted them because they claim that the research doesn’t involve human subjects can go a long way to force change and hit the researchers/university where they care the most.

                            1. 7

                              Thanks for explaining more of the context and norms, I appreciate the introduction. Do you know how to find the grant officer or funding program?

                              1. 6

                                It depends on how “stalky” you want to be.

                                If NSF was the funder, they have a public search here: https://nsf.gov/awardsearch/

                                Most PIs also add a line about grants received to their CVs. You should be able to match the grant title to the research project.

                                If they have published a paper from that work, it should probably include an award number.

                                Once you have the award number, you can search the funder website for it and you should find a page with the funding information that includes the program officer/manager contact information.

                                1.  

                                  If they published a paper about it they likely included the grant ID number in the acknowledgements.

                                  1.  

                                    You might have more luck reaching out to the sponsored programs office at their university, as opposed to first trying to contact an NSF program officer.

                                2.  

                                  How about something like a Computer Science - External Review Board? Open source projects could sign up, and include a disclaimer that their project and community ban all research that hasn’t been approved. The approval process could be as simple as a GitHub issue the researcher has to open, and anyone in the community could review it.

                                  It wouldn’t stop the really bad actors, but any IRB would have to explain why they allowed an experiment on subjects that explicitly refused consent.

                                  [Edit] I felt sufficiently motivated, so I made a quick repo for the project. Suggestions welcome.

                                  1.  

                                    At least in security, there are a lot of different Hacker Codes of Ethics floating around, which pen testers are generally expected to adhere to… I don’t think any of them cover this specific scenario though.

                                    1.  

                                      any so-called “hacker code of ethics” in use by any for-profit entity places protection of that entity first and foremost before any other ethical consideration (including human rights) and would likely not apply in a research scenario.

                                    2.  

                                      I’m in favor of building our own review boards. It seems like an important step in our profession taking its responsibility seriously.

                                      The single most important thing I’d say is, be sure to get the scope of the review right. I’ve looked into this before and one of the more important limitations on IRBs is that they aren’t allowed to consider the societal consequences of the research succeeding. They’re only allowed to consider harm to experimental subjects. My best guess is that it’s like that because that’s where activists in the 20th-century peace movement ran out of steam, but it’s a wild guess.

                                  2. 20

                                    They are bending the rules for non human research. One of the exceptions for non-human research is research on organization, which my IRB defines as “Information gathering about organizations, including information about operations, budgets, etc. from organizational spokespersons or data sources. Does not include identifiable private information about individual members, employees, or staff of the organization.” Within this exception, you can talk with people about how the organization merges patches but not how they personally do that (for example). All the questions need to be about the organization and not the individual as part of the organization.

                                    On the other hand, research involving human subjects is defined as any research activity that involves an “individual who is or becomes a participant in research, either:

                                    • As a recipient of a test article (drug, biologic, or device); or
                                    • As a control.”

                                    So, this is how I interpret what they did.

                                    The researchers submitted an IRB approval saying that they just downloaded the kernel maintainer mailing lists and analyzed the review process. This doesn’t meet the requirements for IRB supervision because it’s either (1) secondary data analysis using publicly available data and (2) research on organizational practices of the OSS community after all identifiable information is removed.

                                    Once they started emailing the list with bogus patches (as the maintainers allege), the research involved human subjects as these people received a test article (in the form of an email) and the researchers interacted with them during the review process. The maintainers processing the patch did not do so to provide information about their organization’s processes and did so in their own personal capacity (in other words, they didn’t ask them how does the OSS community process this patch but asked them to process a patch themselves). The participants should have given consent to participate in the research and the risks of participating in it should have been disclosed, especially given the fact that missing a security bug and agreeing to merge it could be detrimental to someone’s reputation and future employability (that is, this would qualify for more than minimal risk for participants, requiring a full IRB review of the research design and process) with minimal benefits to them personally or to the organization as a whole (as it seems from the maintainers’ reaction to a new patch submission).

                                    One way to design this experiment ethically would have been to email the maintainers and invite them to participate in a “lab based” patch review process where the research team would present them with “good” and “bad” patches and ask them whether they would have accepted them or not. This is after they were informed about the study and exercised their right to informed consent. I really don’t see how emailing random stuff out and see how people interact with it (with their full name attached to it and in full view of their peers and employers) can qualify as research with less than minimal risks and that doesn’t involve human subjects.

                                    The other thing that rubs me the wrong way is that they sought (and supposedly received) retroactive IRB approval for this work. That wouldn’t fly with my IRB, as my IRB person would definitely rip me a new one for seeking retroactive IRB approval for work that is already done, data that was already collected, and a paper that is already written and submitted to a conference.

                                    1. 6

                                      You make excellent points.

                                      1. IRB review has to happen before the study is started. For NIH, the grant application has to have the IRB approval - even before a single experiment is even funded to be done, let alone actually done.
                                      2. I can see the value of doing a test “in the field” so as to get the natural state of the system. In a lab setting where the participants know they are being tested, various things will happen to skew results. The volunteer reviewers might be systematically different from the actual population of reviewers, the volunteers may be much more alert during the experiment and so on.

                                      The issue with this study is that there was no serious thought given to what the ethical ramifications of this are.

                                      If the pen tested system has not asked to be pen tested then this is basically a criminal act. Otherwise all bank robbers could use the “I was just testing the security system” defense.

                                      1. 8

                                        The same requirement for prior IRB approval is necessary for NSF grants (which the authors seem to have received). By what they write in the paper and my interpretation of the circumstances, they self certified as conducting non-human research at time of submitting the grant and only asked their IRB for confirmation after they wrote the paper.

                                        Totally agree with the importance of “field experiment” work and that, sometimes, it is not possible to get prospective consent to participate in the research activities. However, the guidelines are clear on what activities fall within research activities that are exempt from prior consent. The only one that I think is applicable to this case is exception 3(ii):

                                        (ii) For the purpose of this provision, benign behavioral interventions are brief in duration, harmless, painless, not physically invasive, not likely to have a significant adverse lasting impact on the subjects, and the investigator has no reason to think the subjects will find the interventions offensive or embarrassing. Provided all such criteria are met, examples of such benign behavioral interventions would include having the subjects play an online game, having them solve puzzles under various noise conditions, or having them decide how to allocate a nominal amount of received cash between themselves and someone else.

                                        These usually cover “simple” psychology experiments involving mini games or economics games involving money.

                                        In the case of this kernel patching experiment, it is clear that this experiment doesn’t meet this requirement as participants have found this intervention offensive or embarrassing, to the point that they are banning the researchers’ institution from pushing patches to the kernel. Also, I am not sure if reviewing a patch is a “benign game” as this is the reviewers’ jobs, most likely. Plus, the patch review could have adverse lasting impact on the subject if they get asked to stop reviewing patches if they don’t catch the security risk (e.g., being deemed incompetent).

                                        Moreover, there is this follow up stipulation:

                                        (iii) If the research involves deceiving the subjects regarding the nature or purposes of the research, this exemption is not applicable unless the subject authorizes the deception through a prospective agreement to participate in research in circumstances in which the subject is informed that he or she will be unaware of or misled regarding the nature or purposes of the research.

                                        As their patch submission process was deceptive in nature, as they outline in the paper, exemption 3(ii) cannot apply to this work unless they notify maintainers that they will be participating in a deceptive research study about kernel patching.

                                        That leaves the authors to either pursue full IRB review for their work (as a full IRB review can approve a deceptive research project if it deems it appropriate and the risk/benefit balance is in favor to the participants) or to self-certify as non-human subjects research and fix any problems later. They decided to go with the latter.

                                    2. 34

                                      We believe that an effective and immediate action would be to update the code of conduct of OSS, such as adding a term like “by submitting the patch, I agree to not intend to introduce bugs.”

                                      I copied this from that paper. This is not research, anyone who writes a sentence like this with a straight face is a complete moron and is just mocking about. I hope all of this will be reported to their university.

                                      1. 18

                                        It’s not human research because we don’t collect personal information

                                        I yelled bullshit so loud at this sentence that it woke up the neighbors’ dog.

                                        1.  

                                          Yeah, that came from the “clarifications” which is garbage top to bottom. They should have apologized, accepted the consequences and left it at that. Here’s another thing they came up with in that PDF:

                                          Suggestions to improving the patching process In the paper, we provide our suggestions to improve the patching process.

                                          • OSS projects would be suggested to update the code of conduct, something like “By submitting the patch, I agree to not intend to introduce bugs”

                                          i.e. people should say they won’t do exactly what we did.

                                          They acted in bad faith, skirted IRB through incompetence (let’s assume incompetence and not malice) and then act surprised.

                                        2. 14

                                          Apparently they didn’t ask the IRB about the ethics of the research until the paper was already written: https://www-users.cs.umn.edu/~kjlu/papers/clarifications-hc.pdf

                                          Throughout the study, we honestly did not think this is human research, so we did not apply for an IRB approval in the beginning. We apologize for the raised concerns. This is an important lesson we learned—Do not trust ourselves on determining human research; always refer to IRB whenever a study might be involving any human subjects in any form. We would like to thank the people who suggested us to talk to IRB after seeing the paper abstract.

                                          1. 12

                                            I don’t approve of researchers YOLOing IRB protocols, but I also want this research done. I’m sure many people here are cynical/realistic enough that the results of this study aren’t surprising. “Of course you can get malicious code in the kernel. What sweet summer child thought otherwise?” But the industry as a whole proceeds largely as if that’s not the case (or you could say that most actors have no ability to do anything about the problem). Heighten the contradictions!

                                            There are some scary things in that thread. It sounds as if some of the malicious patches reached stable, which suggests that the author mostly failed by not being conservative enough in what they sent. Or for instance:

                                            Right, my guess is that many maintainers failed in the trap when they saw respectful address @umn.edu together with commit message saying about “new static analyzer tool”.

                                            1. 14

                                              I agree, while this is totally unethical, it’s very important to know how good the review processes are. If one curious grad student at one university is trying it, you know every government intelligence department is trying it.

                                              1. 5

                                                I entirely agree that we need research on this topic. There’s better ways of doing it though. If there aren’t better ways of doing it, then it’s the researcher’s job to invent them.

                                              2. 6

                                                It sounds as if some of the malicious patches reached stable

                                                Some patches from this University reached stable, but it’s not clear to me that those patches also introduced (intentional) vulnerabilities; the paper explicitly mentions the steps that they’re taking to ensure those patches don’t reach stable (I omitted that part, but it’s just before the part I cited)

                                                All umn.edu are being reverted, but at this point it’s mostly a matter of “we don’t trust these patches and will need additional review” rather than “they introduced security vulnerabilities”. A number of patches already have replies from maintainers indicating they’re genuine and should not be reverted.

                                                1.  

                                                  Yes, whether actual security holes reached stable or not is not completely clear to me (or apparently to maintainers!). I got that impression from the thread, but it’s a little hard to say.

                                                  Since the supposed mechanism for keeping them from reaching stable is conscious effort on the part of the researchers to mitigate them, I think the point may still stand.

                                                  1.  

                                                    It’s also hard to figure out what the case is since there is no clear answer what the commits were, and where they are.

                                            1. 2

                                              A great overview.

                                              I also wouldn’t pick a new system part that isn’t written in Rust (or a similar safe & efficient language).

                                              Existing bits and pieces of my tech stack have Bestandsschutz, but if you try to sell me a replacement, it better be not written in C/C++ if you don’t want to get laughed out of the room.

                                              1. 16

                                                I also wouldn’t pick a new system part that isn’t written in Rust (or a similar safe & efficient language).

                                                This reads as very cargo-cult.

                                                1. 4

                                                  I was thinking the same thing. @soc: are you really worried about your shell segfaulting? Or being attacked somehow? What attack vector would that be? You could easily write a shell just as insecure in Rust, you’d just have different vectors.

                                                  1. 2

                                                    I’d compare C/C++¹ with greenhouse emissions:

                                                    Every line of C/C++ that doesn’t get written is another C/C++ piece that doesn’t need to be decommissioned later.


                                                    ¹ I use “C/C++” as a catch-all phrase for the shared belief of their users that they can write “safe” C/C++ – despite 50 years of evidence to the contrary.

                                                  2. 1

                                                    I really don’t care. :-)

                                                1. 21

                                                  Agree that CPU and disk (and maybe ram) haven’t improved enough to warrant a new laptop, but a 3200x1800 screen really is an amazing upgrade I don’t want to downgrade from.

                                                  1. 6

                                                    I love my new 4k screen for text stuff. Sadly on Linux it seems to be a pain in the ass to scale this appropriately and correctly. Even more with different resolutions between screens. So far Windows does this quite well.

                                                    1. 4

                                                      Wayland can handle it ok, but Xorg doesn’t (and never will) have support for per-display DPI scaling.

                                                      1. 3

                                                        I don’t see myself being able to afford a 4k screen for a few years but if you just scale everything up, what’s the advantage?

                                                        1. 4

                                                          The text looks much crisper, so you can use smaller font sizes without straining your eyes if you want more screen real estate. Or you can just enjoy the increased readability.

                                                          Note: YMMV. Some people love it and report significantly reduced eye strain and increased legibility, some people don’t really notice a difference.

                                                          1. 2

                                                            I use a much nicer font on my terminals now, which I find clearer to read. And I stare at terminals, dunno, 50% of my days.

                                                            This is a Tuxedo laptop (I think it’s the same whitelabel as system86 sells) which don’t feel expensive to me.

                                                            1. 1

                                                              hah I’m also using a tuxedo one, but the font is far too tiny on that screen to work with everyday

                                                              1. 1

                                                                Which tuxedo laptop has 4k?

                                                                1. 1

                                                                  I can’t find them anymore either. They used to have an option for the high res display. I got this one a bit over a year ago:

                                                                  1 x TUXEDO InfinityBook Pro 13 v4  1.099,00 EUR
                                                                   - QHD+ IPS matt | silber/silber | Intel Core
                                                                  i7-8565U
                                                                  ...
                                                                  Summe: 1.099,00 EUR
                                                                  
                                                                  1. 1

                                                                    how was your driver experience ? I’ve had to re-send mine twice due to problems with the CPU/GPU hybrid stack. Though mine is now 3? years old.

                                                                    1. 2

                                                                      Drivers are fine, it all simply works. Battery could last longer.

                                                                  2. 1

                                                                    Yeah ok. I just ordered a Pulse 15. Also wanted a 4k display but didn’t see it anywhere. thanks

                                                                2. 1

                                                                  Well, you have a much sharper font and can go nearer if you want (like with books). I get eye strain over time from how pixelated text can appear at evening to me. Also you can watch higher res videos and all in all it looks really crisp. See also your smartphone, mine is already using a 2k screen, and you can see how clean text etc is.

                                                                  You may want to just get a 2k screen (and maybe 144 FPS?) as that may already be enough for you. I just took the gamble and wanted to test it. Note that I probably got a model with an inferior background lighting, so it’s not the same around the edges when I’m less than 50 cm away. I also took the IPS panel for superior viewing angle as I’m using it for movie watching also. YMMV

                                                                  My RTX 2070 GPU can’t play games like destiny on 4k 60 FPS without 100% GPU usage and FPS drops the moment I’m more than walking around. So I’ll definitely have to buy a new one if I want to use that.

                                                                3. 1

                                                                  I also just got a new 4k monitor, and that’s bothering me also. It’s only a matter of time before I fix the glitch with a second 4k monitor… Maybe after Christmas

                                                                  1. 2

                                                                    I ended up doing that. It sucks, but Linux is just plain bad at HiDPI in a way Windows/macOS is not. I found a mixed DPI environment to be essentially impossible.

                                                                4. 2

                                                                  This is where I’m at too. I’m not sure I could go back to a 1024x768 screen or even a 1440x900 screen even. I have a 1900x1200 xps 13 that I really enjoy which is hooked up to a 3440x1440p ultrawide.

                                                                  Might not need all the CPU power, but the screens are so so nice!

                                                                  1. 2

                                                                    And the speakers.

                                                                    I love my x230, but I just bought an M1 Macbook Air, and god damn, are those speakers loud and crisp!

                                                                    1. 1

                                                                      For me it’s also screen size and brightness that are important. I just can’t read the text on a small, dim screen.

                                                                      1. 1

                                                                        Oh I’d love to have a 4k laptop. I’m currently using a 12” Xiaomi laptop from 2017 with 4GB of RAM and a 2k display. After adding a Samsung 960 evo NVMe and increasing Linux swappiness this is more than enough for my needs - but a 4k display would just be terrific!

                                                                      1. 6

                                                                        Fabulous hacking. Perfect lobste.rs article, A++++ would upvote again.

                                                                        1. 3

                                                                          As a company, we are looking to move from being tightly coupled to Amazon AWS to a more agnostic approach where we can deploy our platform to different cloud providers (this is not a technical requirement at first, but needed by the business).

                                                                          The obvious approach for achieving such outcome is to go with Kubernetes; for the past two weeks, I have been diving in the documentation of various tools including Kubernetes (+ Kustomise), Helm, ArgoCD, Ingresses (Istio, Nginx), etc. etc. I have found the amount of information to be overwhelming. We are pretty happy with our current pipeline which deploys on three separate environments (Staging/QA/Production) in Amazon ECS; the move to Kubernetes and GitOps already sound like a big endeavour, with a lot of decisions to be made on tooling and pipelines, and that’s frankly frightening.

                                                                          1. 1

                                                                            My company uses Kubernetes and has a similar business requirement to be cloud agnostic. We use all of the hosted clusters, but there is still a crazy amount of complexity going on. Despite a dedicated team and some deep experience, we run into issues fairly often, especially when trying to spin up new services. Once a service is set up it’s fairly robust, but getting new things deployed is a massive pain.

                                                                            All of this is to say unless you really need it, I would try to avoid the complexity. I primarily work on the backend, so I don’t interact with the devops work super often, but every time I do it’s just layers upon layers of abstractions. Even the experts at our company have trouble.

                                                                            You can be cloud agnostic without k8s + co., and there are alternatives like nomad that I have heard good things about. But yeah, there is a crazy amount to learn, and even once you have things running there is a crazy amount to debug. Troubleshooting also becomes 2x harder.

                                                                            1. 1

                                                                              Thanks for your comment. It confirms my concerns regarding the complexity of a solution like Kubernetes for a small sized company. My main concern at this stage is how to get started since the most basic setup seems to involve many different tools, and supporting multiple environments like we do today involve adding even more complexity.

                                                                              I have also heard very good feedback on Nomad, but we need to think of future recruitments. There is no doubt that Kubernetes has won the container orchestration, and the number of potential knowledgeable / expert candidates would be significantly higher with Kubernetes vs Nomad (even if the latter is more suitable for our needs).

                                                                              1. 1

                                                                                You’re right, there are numerous tools. I think for getting started you can forgo things like helm and flux, and stick with raw k8s manifests. Helm is a pretty atrocious templating solution in my opinion, and we have run into a number of bugs in what should be a really simple program, so I’d argue you don’t ever need it. Even with just k8s manifests there is a lot to learn, but at least it’s just one tool rather than 5 or 6.

                                                                                You will have to do what is best for your situation, so definitely take everything with a grain of salt. One argument I would have for recruitments is that usually the popular technology has a bigger pool of talent, but the average quality of that talent is worse off. Personally I think startups should use niche but powerful tech rather than popular tech, since the applicant pool will self filter. Hiring takes a long time and a bad hire is 2x worse than missing out on a good hire at a small size.

                                                                                Just food for thought! Wish you all the best in your endeavors.

                                                                                1. 1

                                                                                  I agree with your comment on niche technologies unlocking a pool of experts; the counterpart to this argument is that these people may cost a lot of money to acquire and retain, since they will be in demand. Having a large pool of candidates means that, indeed, you will have more junior candidates, but it’s also an opportunity for people to grow in your company and for building a diverse team that can grow with your organisation.

                                                                                  That being said, I will definitely have a look and build a small POC with it.

                                                                            2. 1

                                                                              Author here. I wrote this other piece about this specific choice/challenge: https://zwischenzugs.com/2019/03/25/aws-vs-k8s-is-the-new-windows-vs-linux/

                                                                              1. 1

                                                                                Interesting read, thank you very much. The infographic at the end describes my feeling as a newcomer in the Kubernetes world; it feels that the best practices are not yet fully established so the ecosystem is super diverse and full of products of varying quality.

                                                                                PS: I am one of those people who were playing Linux in its early days! I remember (not very fondly) the kernel panics following plugging a USB device (especially DSL modems, Linux loved those!)

                                                                              2. 1

                                                                                Disclaimer: I work for Google on what I would call a k8s “adjacent” product where we are heavily invested in the k8s ecosystem, but not part of it.

                                                                                I think the k8s ecosystem is pretty Wild West as there is so much, and it’s impossible to figure out which tool is best-of-class. I think this is a common situation for “new” technologies. k8s is basically a cloud low-level operating system at this point, and there needs to be layers on top. Some good abstractions for some use cases do exist now, e.g. GCP Cloud Run, but if you’re determined on being cloud agnostic, it’s going to be a hard road until each cloud has comparable products. I don’t spend time in AWS/Azure land as I have my own job to do, but I do not think they have a Cloud Run-esque solution yet.

                                                                                Do you have to be cloud agnostic? If it’s for super high 99.999% reliability then yeah, that’s your only realistic option. If it’s for having an escape ramp if you want to switch to a different provider for some reason, then I think you could get away with just building your Docker images, and having scaffolding around the single provider you’re invested in. Retooling to a new provider wouldn’t be simple, but it would be an order months, not order years, issue, in my estimation.

                                                                                But I’ve never done this so don’t take my word for it.

                                                                              1. 1

                                                                                Bullet Journal was a life changer for me. I use the official Bullet Journal journal. It costs a bit more but it’s got reminders of how to use the system which is helpful. I tried a million different organizational methods. BuJo was the only one that stuck.

                                                                                I use a Pilot Vanishing Point which is like having a ballpoint pen with a fountain pen nib. I love it. It’s not a pen to baby: it gets scratched up and stuff. Mine certainly has a “patina”. It’s a workhorse, not an artifact.

                                                                                I use Google Calendar, and Gmail, but things I need to do go in the journal. I also plan ahead and write down the meetings I have the next day in the journal anyway, so I feel a bit more prepared and less surprised by “oh I have that today?”

                                                                                1. 4

                                                                                  I just switch depending on how much natural light I have. Lots of natural light: Solarized Light. Not a lot: Solarized Dark.

                                                                                  1. 10

                                                                                    I am 100% over versioning. I have never seen an implementation that doesn’t suck. It’s miserable. Something is fundamentally wrong with the whole model, whatever methodology you use for tagging won’t fix that.

                                                                                    There could be different ways:

                                                                                    1. Google has run decently internally by building everything from HEAD. It’s not easy, and it requires a monorepo, but it does work. Could this work in the real world? Probably not. But what if you say “GitHub is a monorepo”? What if when the dependency author uploads a breaking change, GitHub can say who they broke and how it broke, prompt the dependency author to document what the remediation for that pattern of breakage is, and just let people be broken until they upgrade? Maybe this is pushed to per-language registries like crates.io or the Go proxy.
                                                                                    2. Unison tries to sidestep versioning entirely at the language level.
                                                                                    3. Stop trying to meld dependencies together across packages. Every package and its dependencies are treated separately, and binaries just include every version that is depended on. Hard drive size is a trivial concern, binary sizes when you’re building binaries into Docker containers means the image size almost certainly dominates.
                                                                                    1. 2

                                                                                      I can’t wait for some of the ideas from Unison to permeate into more mainstream ecosystems. Lots of great ideas (globally accessible CAS, AST storage etc.) stuck behind a Haskell-like syntax.

                                                                                      1. 1

                                                                                        CAS

                                                                                        Compare-And-Swap? Content-Aware Scaling? Close Air Support? Computer Algebra System? Content-Addressable Storage?

                                                                                        1. 1

                                                                                          Content-Addressable Storage. Check it out! https://www.unisonweb.org/

                                                                                      2. 2

                                                                                        I sort of agree because I don’t think there’s a perfect versioning system, but I think semver2 may be as good as it gets.

                                                                                        I like it because it’s more functional than the marketing driven “versions don’t matter, we’ll just call it version 2.0 to sell more” and all the alternatives get into too much time spent on perfecting versioning systems to diminishing returns.

                                                                                        I use it just so we have something, it saves time from deciding what to do, and it helps denote drafts or breaking changes. I use it even for stupid stuff like the “enterprise policy on bathroom breaks.” If it’s version 0.4.77 then it’s still in progress and could change any time. If it’s 1.1.16 then I mean it’s probably approved by someone. If I use 1.1.16 and see version 2.0 then it probably means I should read it because now it means I can only go to the bathroom on even hours or something that disrupts or may disrupt me.

                                                                                      1. 3

                                                                                        I had never heard of DOOM Emacs, but as a former Emacs user (but Vim since 2000), I would be quite curious to give it a shot. Also this article has quite a few good Vim plugins that I had not tried yet.

                                                                                        Now the million dollar question, when are we going to see structured editors appear and be used for real?

                                                                                        1. 3

                                                                                          Doom Emacs is fine. I enjoyed using it as an out of the box experience.

                                                                                          I eventually went back to Vim again with the 8ish plugins I find to be indispensable. I know I sound like an old beardy but there really is value in just knowing what is going on in the editing environment at all times, rather than dealing with oddities where you don’t know what is going on. The author of Doom Emacs is great and responsive on Discord, but it’s just kind of a bummer that you sometimes need to resort to that. That’s part and parcel of the out-of-the-box experience in non-paid editors as far as I’ve experienced.

                                                                                          I do think that LSPs and coc.nvim have been a huge productivity boost. You’re getting very close to VS Code levels of editor support but with full keyboard navigation.

                                                                                        1. 2

                                                                                          A neat analogy, but it seems the author is unaware of the Altor SAF lock.

                                                                                          1. 4

                                                                                            I have previously found that if thieves can’t get through the lock, they’ll just take the parts that aren’t locked or just damage your bike out of malice.

                                                                                            1. 3

                                                                                              Indeed. I’m simply pointing out that this arms race is always evolving.

                                                                                            2. 3

                                                                                              A massive 6.2kg $300 lock is probably a poor trade-off for many due to size, weight, and price.

                                                                                              1. 2

                                                                                                For most, but probably not for the owner of that $7k bike in the top comment on this post.

                                                                                                1. 2

                                                                                                  Maybe; but adding 7kg to your tour bike is not insignificant, never mind the huge size of the thing. I certainly wouldn’t look forward at hauling that around (especially not when using it as a touring bike) and would probably prefer either getting insurance or accepting the increased risk of theft.

                                                                                                  For an expensive racing bike it’s even worse, as they usually weigh less than 10kg (even my €400 fixie was ~11kg) so you’re basically doubling your weight.

                                                                                                  It all depends on your personal situation, chance of theft (i.e. where you live), what you do with it, and so forth. Generally speaking, I find that the quality of my life is better if I’m not so paranoid about this kind of stuff and just accept that I lose a bike every few years. It sucks, but one bad event every few years is better than spending time/brain cycles on this kind of stuff every day. YMMV of course.

                                                                                              2. 3

                                                                                                Altor SAF

                                                                                                https://www.youtube.com/watch?v=1HvMPh6JBBI

                                                                                                That thing is comically large! But it looks like it does resist the typical angle grinder.

                                                                                              1. 5

                                                                                                Ever since ponying up for PragmataPro, I find it very difficult to switch back to wider fonts. The extra information I get per line without sacrificing readability is wonderful.

                                                                                                1. 3

                                                                                                  I’m the opposite, I recently switched to a wider font (IBM Plex Mono) and I noticed I can reduce the font size by a couple of points (11 to 9), increasing the number of lines of code I can display compared to Iosevka. I’m still able to display 2 buffers side by side.

                                                                                                  1. 1

                                                                                                    +1 for wider fonts, Source Code Pro is king here.

                                                                                                  2. 1

                                                                                                    I had the same, though I went from Iosevka which is nice to see whether you enjoy these kinds of fonts. PragmataPro is just very slightly nicer, but the incredible configurability and free license of Iosevka is definitely cool.

                                                                                                  1. 13

                                                                                                    As someone who helped design the Cloud SQL VM environment, I can corroborate with the OP that it is utterly boring :) I left that team some time ago, basically after we launched this architecture.

                                                                                                    When we wrote it we really were just using VMs as originally provisioned by Google Compute Engine and shoving MySQL as a Docker container and an API communication layer as a Docker container too. We deliberately wanted it to be as boring as possible partly for security concerns. The blast radius is pretty small when all you can do is compromise your single-tenant VM.

                                                                                                    Obviously nowadays instead of single-tenant VMs you’d do this with Kubernetes. We were about two years too early.

                                                                                                    1. 18

                                                                                                      Nice setup.

                                                                                                      1. I really advise against the side by side monitors. The problem is, you’re going to have your main app open in one monitor at a time so you’re going to be turning your neck for hours at a time. Suggest either stacking or going with a single large monitor. I got a Dell 43” 4k monitor for $700 ish. I previously had a single 32” ultra wide, which as the author mentioned is too short. Then a friend sold me his and I stacked them. That was ok but made my standing desk hard to use in standing mode.

                                                                                                      I like the single monitors with a window management app. I’d love this setup now if I could get it in a curved version and a higher resolution for sharper text, but otherwise it’s amazing.

                                                                                                      1. I’m always amazed that people are so hesitant to spend money on their work tools. They are tax-deductible but more importantly, they are an investment in your long term health and happiness. It’s one of the biggest advantages of working from home. You don’t have to use the cheap crap your employer provides.

                                                                                                      It’s doubly amazing because many in this situation are making $100k (possibly multiples of that). Also, so many people have some crazy expensive bike, car, boat, guitars, home theater, etc. that’s only used a few hours a week.

                                                                                                      I know it’s tempting to cheap out, but 30, 40, 50 year old you will thank you.

                                                                                                      That’s my PSA of the day.

                                                                                                      1. 3

                                                                                                        Shouldn’t have read this. The night just got expensive.

                                                                                                        1. 3

                                                                                                          turning your neck for hours at a time. Suggest either stacking or going with a single large monitor.

                                                                                                          So you should be looking up for hours at a time?

                                                                                                          1. 1

                                                                                                            The distance between the center of two widescreen monitors is much smaller when stacked than when side-by-side. And of course that’s not true of landscape or square monitors. Not ALL stacked monitors are ergonomically arranged but you can reduce neck movement by stacking.

                                                                                                            1. 4

                                                                                                              I don’t know if it’s just about distance. I find the vertical angle matters much more than the horizontal angle. For example, I find laptops difficult to use for long periods because my neck gets sore looking down all the time, instead of looking straight ahead. However, I don’t have any problems with horizontal monitors.

                                                                                                          2. 1

                                                                                                            That’s a good point about the dual monitors. I’m considering having one facing flat forward, and another angled off to the side. I’d probably have to sit off to one side of my desk but that’s not too concerning.

                                                                                                            I get your point about spending money on work tools, which might fall in the same category as what people say about beds & shoes. I do worry this attitude if adopted too enthusiastically can dull judgement about whether a given tool is really necessary - for example a gas-spring monitor stand instead of a basic one or an Ergodox instead of Goldtouch keyboard (although I admit being tempted by the Kinesis Advantage2 from seeing all the people who swear by it). With the way our society is set up it is often very difficult to determine (even within our own heads) whether something expensive is a reasonable purchase that supports good craftsmanship, or just a flex.

                                                                                                            1. 6

                                                                                                              Consider rotating one of the screens. I sit straight down the middle for the landscape screen, then have the portrait screen to my right.

                                                                                                              I’m pretty sensitive to shitty ergonomic setups, and this causes me no problems at all.

                                                                                                              1. 2

                                                                                                                This is my setup too. Looks dorky, works great.

                                                                                                                1. 2

                                                                                                                  I do this too. The only problem is that 16:9 screens reeally don’t like being in portrait. I have a 24” 16:9 screen to the left of the primary screen used mostly for web browsing, and it’s really common for websites to grow a combination of horizontal scroll bars and buttons with text extending outside of their bounds.

                                                                                                                  1. 1

                                                                                                                    Hah, yeah I got the last 16:10 that Dell sold a few years ago and just picked up a partner for it, and having them side-by-side vertically is great, but I would be loath to throw away 10% of that space.

                                                                                                                  2. 1

                                                                                                                    That’s a neat idea, I think I’ll try that!

                                                                                                                  3. 2

                                                                                                                    All decisions come with error bars. Fall on one side, you have a flex; fall on the other, you are performing worse at work than you could be.

                                                                                                                    I know which side I’m happier to land on.

                                                                                                                    1. 2

                                                                                                                      The main point is this: every single person I’ve had a discussion with on buying quality tools for work who had an objection to spending money also had some expensive hobby they were willing to splurge on. (I’m sure not everyone is like this, it just seemed the people with the strongest objection had other money sinks.) It’s just a matter of logical consistency. They might have $25k of bike equipment in the garage but get uppity about spending $500 on good equipment. That’s why this is one of my hot button issues. A course of physical therapy is going to cost more than decent equipment.

                                                                                                                      My old equipment always finds its way to friends and family and tends to get years of useful life beyond me.

                                                                                                                      1. 2

                                                                                                                        There’s nothing logically inconsistent about spending money in some places and saving it in others. “I spent a bunch of money on thing X, so I should also spend a lot of money on thing Y” sounds more like sales tactic psychology than logical reasoning. You can easily get good enough ergonomic equipment to keep the PT away without spending much money. A $20 used Microsoft Natural Ergonomic 4000 keyboard, a $25 Anker vertical mouse… even monitor stands can be replaced with a stack of old technical manuals. A good chair is really the only thing I’d say you need, and you can get a good-enough used Costco model for like $60.

                                                                                                                        1. 1

                                                                                                                          a stack of old technical manuals

                                                                                                                          To be fair, these are harder and harder to find. Same goes for phone books…

                                                                                                                          1. 1

                                                                                                                            It is if a) this is the way you make your living and b) you are oddly cheap in this area but spend big money on things you use way less. That’s the point I’m trying to make and I still find the behavior quite baffling.

                                                                                                                            Invest in yourself and your health.

                                                                                                                            I’m not trying to sell you a standing desk.

                                                                                                                        2. 1

                                                                                                                          That’s a good point about the dual monitors. I’m considering having one facing flat forward, and another angled off to the side. I’d probably have to sit off to one side of my desk but that’s not too concerning.

                                                                                                                          At work with a two-monitor set-up, I tended to have my main one in front of me flat and the other angled on the left. Not being in the centre of the desk allowed me to have a notebook and pen on the left of the mouse that I can reach for quick notes, and to have a space not in front of the main screen for thinking, with reasonable space to use the notebook.

                                                                                                                        3. 1

                                                                                                                          Could not agree more with this! Many of my colleagues think I’m crazy for sticking to one monitor but I find it not only saves my neck but also helps keep focus.

                                                                                                                        1. 19

                                                                                                                            I’m probably not the only one with the opinion that rewrites in Rust may generally be a good idea, but Rust’s compile times are unacceptable. I know there are efforts to improve that, but Rust’s compile times are so abysmally slow that it really affects me as a Gentoo user. Another point is that Rust is not standardized and a one-implementation-language, which also discourages me from looking deeper into Haskell and others. I’m not saying that I generally reject single-implementation languages, as this would disregard any new languages, but a language implementation should be possible without too much work (say within two man-months). Neither Haskell nor Rust satisfy this condition and contraptions like Cargo make it even worse, because implementing Rust would also mean to more or less implement the entire Cargo-ecosystem.

                                                                                                                          Contrary to that, C compiles really fast, is an industry standard and has dozens of implementations. Another thing we should note is that the original C-codebase is a mature one. While Rust’s great ownership and type system may save you from general memory-handling- and type-errors, it won’t save you from intrinsic logic errors. However, I don’t weigh that point that much because this is an argument that could be given against any new codebase.

                                                                                                                          What really matters to me is the increase in the diversity of git-implementations, which is a really good thing.

                                                                                                                          1. 22

                                                                                                                            but a language implementation should be possible without too much work (say within two man-months)

                                                                                                                            Why is that a requirement? I don’t understand your position, we shouldn’t have complex, interesting or experimental languages only because a person couldn’t write an implementation by himself in 2 months? We should discard all the advances rust and haskell provide because they require a complex compiler?

                                                                                                                            1. 5

                                                                                                                              I’m not saying that we should discard those advances, because there is no mutual exclusion. I’m pretty certain one could work up a pure functional programming language based on linear type theory that provides the same benefits and is possible to implement in a reasonable amount of time.

                                                                                                                              A good comparison is the web: 10-15 years ago, it was possible for a person to implement a basic web browser in a reasonable amount of time. Nowadays, it is impossible to follow all new web standards and you need an army of developers to keep up, which is why more and more groups give up on this endeavour (look at Opera and Microsoft as the most recent examples). We are now in a state where almost 90% of browsers are based on Webkit, which turns the web into a one-implementation-domain. I’m glad Mozilla is holding up there, but who knows for how long?

                                                                                                                              The thing is the following: If you make the choice of a language as a developer, you “invest” into the ecosystem and if the ecosystem for some reason breaks apart/dies/changes into a direction you don’t agree with, you are forced to put additional work into it.

                                                                                                                              This additional work can be a lot if you’re talking about proprietary ecosystems, meaning more or less you are forced to rewrite your programs. Rust satisfies the necessary condition of a qualified ecosystem, because it’s open source, but open source systems can also shut you out when the ABI/API isn’t stable, and the danger is especially given with the “loose” crate system that may provide high flexibility, but also means a lot of technical debt when you have to continually push your code to the newest specs to be able to use your dependencies. However, this is again a question of the ecosystem, and I’d prefer to only refer to the Rust compiler here.

                                                                                                                              Anyway, I think the Rust community needs to address this and work up a standard for the Rust language. On my behalf, I won’t be investing my time into this ecosystem until this is addressed in some way. Anything else is just building a castle on sand.

                                                                                                                              1. 5

                                                                                                                                A good comparison is the web: 10-15 years ago, it was possible for a person to implement a basic web browser in a reasonable amount of time. Nowadays, it is impossible to follow all new web standards and you need an army of developers to keep up, which is why more and more groups give up on this endeavour (look at Opera and Microsoft as the most recent examples). We are now in a state where almost 90% of browsers are based on Webkit, which turns the web into a one-implementation-domain. I’m glad Mozilla is holding up there, but who knows for how long?

                                                                                                                                There is a good argument by Drew DeVault that it is impossible to reimplement a web browser for the modern web

                                                                                                                                1. 4

                                                                                                                                  I know Blink was forked from webkit but all these years later don’t you think it’s a little reductive to treat them as the same? If I’m not mistaken Blink sends nothing upstream to webkit and by now the codebases are fairly divergent.

                                                                                                                              2. 8

                                                                                                                                I feel ya - on OpenBSD compile times are orders of magnitude slower than on Linux! For example ncspot takes ~2 minutes to build on Linux and 37 minutes on OpenBSD (with most features disabled)!!

                                                                                                                                1. 5

                                                                                                                                  37 minutes on OpenBSD

                                                                                                                                  For reals? This is terrifying.

                                                                                                                                  1. 1

                                                                                                                                    Excuse my ignorance – mind pointing me to some kind of article/document explaining why this is the case?

                                                                                                                                    1. 7

                                                                                                                                      There isn’t one. People (semarie@ - who maintains the rust port on OpenBSD being one) have looked into it with things like the RUSTC_BOOTSTRAP=1 and RUSTFLAGS='-Ztime-passes -Ztime-llvm-passes' env vars. These point to most of the time being spent in LLVM. But no one has tracked down the issue fully AFAIK.

                                                                                                                                  2. 6

                                                                                                                                    Another point is that Rust is not standardized and a one-implementation-language

                                                                                                                                    This is something that gives me pause when considering Rust. If the core Rust team does something that makes it impossible for me to continue using Rust (e.g. changes licenses to something incompatible with what I’m using it for), I don’t have anywhere to go and at best am stuck on an older version.

                                                                                                                                    One of the solutions to the above problem is a fork, but without a standard, the fork and the original can vary and no one is “right” and I lose the ability to write code portable between the two versions.

                                                                                                                                    Obviously, this isn’t a problem unique to Rust - most languages aren’t standardized and having a plethora of implementations can cause its own problems too - but the fact that there are large parts of Rust that are undefined and unstandardized (the ABI, the aliasing rules, etc) gives me pause from using it in mission-critical stuff.

                                                                                                                                    (I’m still learning Rust and I’m planning on using it for my next big thing if I get good enough at it in time, though given the time constraints it’s looking like I’ll be using C because my Rust won’t be good enough yet.)

                                                                                                                                    1. 2

                                                                                                                                      The fact that the trademark is still owned by the Mozilla foundation and not the to-be-created Rust Foundation is also likely chilling any attempts at independent reimplementation.

                                                                                                                                    2. 1

                                                                                                                                      As much as I understand your point about the slowness of compile time in Rust, I think it is a matter of time to see them shrink.

                                                                                                                                        On the standard point, Haskell has a standard: Haskell 2010. GHC is the only implementation now but it has a lot of plugins to the compiler that are not in the standard. The new standard Haskell 2020 is on its way. Implementing the standard Haskell (not with all the GHC add-ons) is do-able but the language will be way more simple and with flaws.

                                                                                                                                      1. 2

                                                                                                                                        The thing is, as you said: You can’t compile a lot of code by implementing Haskell 2010 (or 2020 for that matter) when you also don’t ship the “proprietary” extensions.

                                                                                                                                        1. 1

                                                                                                                                            It is the same when you abuse GCC or Clang extensions in your codebase. The main difference with Haskell is that you, almost, only have GHC available and the community put their efforts in it and create an ecosystem of extensions.

                                                                                                                                            As for C, you could write standard-compliant code that a hypothetical other compiler may compile. I am pretty sure if we only had one main compiler for C for as long as Haskell has had GHC, the situation would have been similar: lots of language extensions outside the standard existing solely in the compiler.

                                                                                                                                          1. 3

                                                                                                                                              But this is exactly the case: There’s lots and lots of code out there that uses GNU extensions (from gcc). For a very long time, gcc was the only real compiler around and it led to this problem. Some extensions are so persistent that clang had no other choice but to implement them.

                                                                                                                                            1. 1

                                                                                                                                                But did those extensions ever reach the standard? It is asked candidly, as I do not know that much about the evolution of C, compilers and the standard.

                                                                                                                                              1. 4

                                                                                                                                                There’s a list by GNU that lists the extensions. I really hate it that you can’t enable a warning flag (like -Wextensions) that warns you about using GNU extensions.

                                                                                                                                                  Still, it is not as bad as bashisms (i.e. extensions in GNU bash over POSIX sh), because many scripts declare a /bin/sh-shebang at the top but are full of bashisms because they incidentally have bash as the default shell. Most bashisms are just stupid, many people don’t know they are using them and there’s no warning to enable warnings. Other bad offenders are the GNU extensions of the POSIX core utilities, especially GNU make, where 99% of all makefiles are actually GNU only and don’t work with POSIX make.

                                                                                                                                                In general, this is one major reason I dislike GNU: They see themselves as the one and only choice for software (demanding people to call Linux “GNU/Linux”) while introducing tons of extensions to chain their users to their ecosystem.

                                                                                                                                                1. 2

                                                                                                                                                  Here are some of the GNU C extensions that ended up in the C standard.

                                                                                                                                                  • // comments
                                                                                                                                                  • inline functions
                                                                                                                                                  • Variable length arrays
                                                                                                                                                  • Hex floats
                                                                                                                                                  • Variadic macros
                                                                                                                                                  • alignof
                                                                                                                                              2. 1

                                                                                                                                                If I remember correctly 10 years ago hugs was still working and maybe even nhc :)

                                                                                                                                                1. 1

                                                                                                                                                  Yep :) and yhc never landed after forking nhc. UHC and JHC seem dead. My main point is mainly that the existence of a standard does not assure the multiplication of implementations and the cross-compilation between compilers/interpreters/jit/etc. It is a simplification around it and really depends on the community around those languages. If you look at Common Lisp with a set in the stone standard and a lot of compilers that can pin-point easily what is gonna work or not. Or Scheme with a fairly easy standard but you will quickly run out of the possibility to swap between interpreters if you focus on some specific stuff.

                                                                                                                                                  After that, everyone has their checklist about what a programming language must or must not provide for them to learn and use.

                                                                                                                                        1. 22

                                                                                                                                          If you’re the kind of person who’s willing to put up with a learning curve and a smaller ecosystem of plugins to gain access to a powerful editing model, also consider Kakoune. It’s like Vim, but moreso.

                                                                                                                                          1. 8

                                                                                                                                            I simply can’t go back to Vim after using Kakoune. Feels like a step back to me.

                                                                                                                                            1. 8

                                                                                                                                              I am in the same boat. I think by and large Kakoune is a step up from Vim. That said, it is not emulated in very many other places (it is in vs-code now via dance) – so you do lose the ability to pop into IDE of your choice and have a good experience.

                                                                                                                                              1. 2

                                                                                                                                                Dance is cool, but there are a lot of little things that do not work the same way and it’s annoying.

                                                                                                                                                When I’m at the beginning of a line and press x, it doesn’t select the line. It selects the line below. If I go forward one character before pressing x, it works.

                                                                                                                                                It’s good enough…

                                                                                                                                                1. 1

                                                                                                                                                  That smells like a bug more than a difference.

                                                                                                                                              2. 1

                                                                                                                                                I wish emacs had a kakoune mode like the evil mode. It would help me pick up emacs finally. Each time I have tried evil, I got stuck in small differences with vim.

                                                                                                                                                1. 2

                                                                                                                                                  Unfortunately every emulation of another editor is not the same thing.

                                                                                                                                                  I use kakoune to write small programs and scripts, but i have vscode as well. Vscode has a plugin called “dance”, it is a kakoune simulation plugin. It works, but not very much…

                                                                                                                                                  The problem is the little things… there is always something that doesn’t really work the same and becomes annoying.

                                                                                                                                              3. 6

                                                                                                                                                How would you say the transition to Kakoune from someone who’s been using vim for awhile is like? I took it for a spin and am very confused, but I can already see things that I like.

                                                                                                                                                1. 6

                                                                                                                                                  I switched from vim to kakoune about 6 months ago. I think the majority of the users, including the author himself, came from vim. My strategy was to switch entirely for a week then decide if it was worth committing fully or not. I never went back to vim. Once you get over the initial hurdle of unlearning your vim muscle memory, kakoune is very intuitive to learn, more so than vim in my opinion.

                                                                                                                                                  1. 4

                                                                                                                                                    Seconding ifreund’s experience, I came to Kakoune after maybe 20 years using Vim and it took me maybe a month for Kakoune to feel comfortable. The biggest hurdles for me were a few commonly-used key-bindings that changed (x in Kakoune is “select the current line”, not “delete the character under the cursor”), and that Kakoune is a little bit like that “Snake” game on old Nokia phones: as you’re moving around, you need to be conscious of where the “tail” of your selection is as well as the “head”.

                                                                                                                                                    The thing I love most about Kakoune is global search-and-replace. In Vim, I’d often wind up in a cycle of “write a replacement regex, try it, check the document, find a mistake, undo, try again”, which was particularly frustrating when the thing I wanted to select was easy to describe in Vim’s normal mode (like % to select a matched pair of brackets) but difficult to describe in regex. Meanwhile, in Kakoune, I can match a regex across the entire document, producing multiple selections, cycle through them all to check I’ve selected the right things, manually adjust them with normal-mode commands or even drop false-positives, and then do the replacement. It’s more work than the best-case Vim equivalent, but far smoother and more pleasant than the worst-case Vim equivalent.

                                                                                                                                                    1. 2

                                                                                                                                                      I know you don’t use Vim anymore but for anyone else who has the problem described in the second paragraph: traces.vim offers a live preview that makes searching and replacing easier, if not quite as easy as it seems to be in Kakoune. As you’re typing a :s command, the plugin will highlight the parts of the file or line that would be matched, and it will also show you what they would be replaced with. It’s pretty magical.

                                                                                                                                                  2. 3

                                                                                                                                                    powerful editing model

                                                                                                                                                    Can someone pitch to me, the established emacs user, what the benefits of Kakoune are? I have multiple cursors package enabled, plus helm and swoop (intra file fuzzy matching), but I presume Kakoune presents more benefits.

                                                                                                                                                    1. 7

                                                                                                                                                      EDIT: This explains it better https://kakoune.org/why-kakoune/why-kakoune.html


                                                                                                                                                      Disclaimer: I’ve used Emacs for fewer than 10 hours in my life. I remember very little.

                                                                                                                                                      The last time I looked into it, the big difference that Kakoune brings to the table is that nouns come before verbs. This feels minor but in practice it makes discoverability so much easier because you’re deciding which text to act upon before doing an action.

                                                                                                                                                      For example, in Vim if you want to delete three words you type d3w, and if you realize that you meant to delete 2 words then you have to undo and try again. Kakoune lets you make your selection first, highlighting as you go, and makes it easy to change your selection before taking an action. It’s also constantly auto-completing with all of the possible commands you might want to make, which is much simpler than reading through a manual.

                                                                                                                                                      1. 2

                                                                                                                                                        Not having used the Emacs multiple cursors package (or Emacs at all, really) it’s hard for me to say what the advantages of Kakoune’s editing model might be. If I had to guess, though, I suspect the biggest difference would be that since the Emacs core is only built for single selections, most Emacs functionality (including third-party extensions, etc.) only works with single selections, except for the things that the multiple cursors package specifically modifies. Meanwhile, all of Kakoune’s standard features and third-party extensions deal with multiple selections, so you don’t need a mental model of how single-selection features interact with multiple-selection data.

                                                                                                                                                        I don’t know how complete Emacs’ multiple cursors package is, but I expect it has all the same kinds of cursor interactions as Kakoune, like selecting substrings of the selection that match a regex, splitting the selection on a regex, dropping selections that do/do not match a regex, dropping selections interactively, rotating content through selections, etc. If not, that might be another reason to try Kakoune!

                                                                                                                                                      2. 3

                                                                                                                                                        I really want to, but the hidden benefit of Vim keybindings is they translate to other programs too (I assume Vim people are just very militant and force devs to support them ;) ) so I can use IntelliJ or Emacs or even a web-based IDE and have access to those bindings. If I changed muscle memory to Kakoune, I’m going to be in trouble for hopping between programs.

                                                                                                                                                      1. 7

                                                                                                                                                        I’ve written Java professionally for a few years now and continue to recommend Effective Java as a starting point. I originally read the second edition when I started writing Java professionally, and recommend the third edition to others in your shoes that I work with. It will bootstrap a lot of fundamental concepts into your knowledge that you would learn over your first six months or a year of writing Java.

                                                                                                                                                        The third edition covers Java 9, and Java 10 + 11 haven’t introduced too much new stuff that really changes the ball-game of writing Java, especially for someone new to the language. I don’t think there’s anything I would consider critical knowledge in Java 10 + 11 (even var), and anything that is I think you’d quickly learn via code review etc.

                                                                                                                                                        1. 4

                                                                                                                                                          I’d second this. Java 8 introduced streams, which are probably the biggest change since Generics. Java 9 introduced modules, which have major implications for packaging, library compatibility and some other concerns like that. By comparison, Java 11 is pretty small stuff.

                                                                                                                                                          I only read the second edition of Effective Java, but I’ve only heard good things about the third edition.

                                                                                                                                                          1. 1

                                                                                                                                                            Thanks both, I put in an order for the third edition :)

                                                                                                                                                            1. 1

                                                                                                                                                              Java 8 was really major imo: besides streams, 8 also introduced lambdas and the whole java.util.function hierarchy, which changes some codebases quite a bit. Suddenly it became easy to do things like sort by a custom sort order! I agree that 10/11 are pretty minor.

                                                                                                                                                          1. 6

                                                                                                                                                            I can’t specifically speak to Java 11 but I’d say this shouldn’t necessarily be your immediate goal unless you know that the code base you’ll be reading/contributing is using lots of features from Java 11. You should concentrate on learning the code base first so that you can ramp up quicker. If there are idioms that seem foreign that’s when you go to Oracle docs/Google/Stack overflow/other coworkers.

                                                                                                                                                            There’s two sites that might help with transitioning to another language

                                                                                                                                                            Code Review RosettaCode

                                                                                                                                                            Although Rosetta Code might not have the most idiomatic code.

                                                                                                                                                            1. 4

                                                                                                                                                              I can’t specifically speak to Java 11 but I’d say this shouldn’t necessarily be your immediate goal unless you know that the code base you’ll be reading/contributing is using lots of features from Java 11.

                                                                                                                                                              This is a great point that speaks to something I didn’t mention before: the code we will be writing will be all new, there won’t be any previous code. So all the bells and whistles are available, as the golden rule of staying consistent doesn’t apply. The question is which bells and which whistles should be thought about :)

                                                                                                                                                              1. 4

                                                                                                                                                                In that case, try to convince your team not to do green field development in an antiquated language.

                                                                                                                                                                There are better JVM languages now, with near-perfect Java interop.

                                                                                                                                                                1. 5

                                                                                                                                                                  Google is all in on Java for the JVM. Sadly Kotlin remains banned except for Android work.

                                                                                                                                                                  1. 4

                                                                                                                                                                    Just curious what the rationale for that is? Kotlin is used in Android but not on the server side?

                                                                                                                                                                    1. 7

                                                                                                                                                                      Google is intensely conservative about server side code languages.

                                                                                                                                                                      There are a few reasons that I can see:

                                                                                                                                                                      • Readability: given the Google monorepo, you will depend on other people’s libraries a lot. It is very important you can read them, and that the documentation that there is is something you can understand. If you’ve only ever seen Kotlin, you have to do mental gymnastics to understand Java libraries or documentation, and no one wants to rewrite documentation/examples over and over in different languages.
                                                                                                                                                                      • SRE support: SREs are the most conservative people on earth for good reason. They need to be able to jump into alien code they didn’t write, understand it quickly, figure out what is happening and come up with a mitigation strategy under pressure. Language proliferation makes that much harder as you have to start splitting SREs over languages, and SREs are in short supply.

                                                                                                                                                                      These are the two most obvious ones, I assume there are also plenty more about library support, running things reliably in production, security patching…

                                                                                                                                                                      Kotlin is obviously an easier lift given it’s a JVM language and popular. I’d say it’s a 50:50 proposition it gets accepted in the next 5 years. It really depends on whether it can offer significant provable benefits to productivity over Java, and I think that jury remains out.

                                                                                                                                                                      1. 5

                                                                                                                                                                        Google can’t afford using expressive languages. Their hiring process results in having (enough of) developers thinking of themselves as being the smartest, infallible people on the planet which leads to overly smart, unreadable code in any language, but expressiveness exacerbates that. This is by the way why Go is so minimalist: the fewer variety, the better. Now imagine what damage they’re going to do in a language with five flavors of .let.

                                                                                                                                                                        (This is all purely my speculation based on hearsay.)

                                                                                                                                                                    2. 1

                                                                                                                                                                      I will say that if I were going to choose a language for the JVM–which I’m not, because I don’t have to, thankfully–I would still stick with Java. Groovy and Clojure are dynamically typed, Scala has serious readability and maintainability concerns, and in my experiments with Kotlin I ran into numerous surprising warts that led me to conclude that the benefits it gives aren’t worth it. Java is a verbose, annoying language, but its semantics are well-defined and well-understood, so despite its age it still seems like the best choice to me if you must target the JVM.

                                                                                                                                                                1. 31

                                                                                                                                                                  The reason they spread these misconceptions is straightforward: they want to discourage people from using the AGPL, because they cannot productize such software effectively.

                                                                                                                                                                  This doesn’t stand up to even a modicum of scrutiny. First of all, it assumes you know the intent of Google here. I don’t think Google’s intentions are that great to be honest, but as a rule of thumb, if you form an argument on knowing the intentions of other humans, it’s probably a bad argument unless you can provide credible evidence of their intent. Secondly, I see no such credible evidence in this article, and the lack of attention paid to how Google handles other licenses in this article is borderline disingenuous. All I see is a casual observation that Google’s policy benefits them systemically, which I would absolutely agree with! But that shouldn’t be a surprise to anyone.

                                                                                                                                                                  Why? Because it omits critical context. The AGPL is not the only license that Google bans. They also ban the WTFPL, which is about as permissive as it gets. They ban it because they have conservative legal opinions that conclude it has too much risk to rely on. I think those legal opinions are pretty silly personally, although I am somewhat biased because I’ve released code under the WTFPL only to have one Googler after another email me asking me to change the license because it’s banned at Google.

                                                                                                                                                                  My point is that there are other reasonable business explanations for banning licenses. Like that a team of lawyers paid to give their best expert advice on how a judge would rule for a particular license might actually, you know, be really risk averse. Licenses aren’t some black and white matter where things that are true and things that are not are cleanly separated in all cases. There’s oodles of grey area largely because a lot of it actually hasn’t been tested in court. Who would have thought the courts would rule the way they did in Google v. Oracle?

                                                                                                                                                                  What’s the cost of being wrong and having Google required to publish all of their source code? Can anyone here, even a Googler, even begin to estimate that cost? If you haven’t thought about that, then you probably haven’t thought deeply enough to criticize the intentions on this particular piece of “propaganda.” Because that’s probably what Google’s lawyers are weighing this against. (And probably an assortment of other such things, like the implications of allowing AGPL but giving each such use enough scrutiny as to be sure that it doesn’t wind up costing them dearly.)

                                                                                                                                                                  But by all means, continue punishing companies for making their policies like this public. Because that’s a great idea. (No, it’s not. Despite how annoying I find Google’s policies, I really appreciate having them documented like they are.)

                                                                                                                                                                  Disclaimer: I don’t like copyleft, but primarily for philosophical reasons.

                                                                                                                                                                  1. 11

                                                                                                                                                                    I don’t think Google’s intentions are that great to be honest, but as a rule of thumb, if you form an argument on knowing the intentions of other humans, it’s probably a bad argument unless you can provide credible evidence of their intent.

                                                                                                                                                                    As someone who previously worked on the open source team at Google and sat in the office and am friends with these humans, I can say very strongly that those lawyers do not have some sort of hidden agenda. It is also certainly false to assume they are not competent at their job. My read is that they are, as you might expect, very good at their job (noting I am also not a lawyer).

                                                                                                                                                                    A common mistake I see many commenters (and news stories etc etc) and I think you head to unintentionally, is to talk about Google as if it is a single anthropomorphic entity with its own thoughts and feelings. This piece does the same. There is not “a Google” that is making amoral decisions for its global benefit. There is an office of humans that try their best and have good intentions.

                                                                                                                                                                    The team makes decisions in this order:

                                                                                                                                                                    1. Protect the open source ecosystem.
                                                                                                                                                                    2. Protect the company.

                                                                                                                                                                    “Protect the ecosystem” is hard to believe if you buy into the “amoral entity” argument but is provably true: the easiest way to protect the company is to ban open source contribution (aside from forced copyleft terms) at all, but Google does this a lot under the Apache 2 (permissive) license. The banned licenses, as you note, are those that either do not have enough specificity (like WTFPL) or ones with what the legal team believe are onerous terms. They are good lawyers, and so you have to assume they have a pretty strong case for their interpretation. Even if you think they are wrong (as all law is essentially malleable), hashing things out in court to decide what the terms of the license truly mean is a really bad use of time and money.

                                                                                                                                                                    1. 13

                                                                                                                                                                      There is not “a Google” that is making amoral decisions for its global benefit . There is an office of humans that try their best and have good intentions.

                                                                                                                                                                      Yes, there is. The two are not mutually exclusive. A corporation like Google is structured in such a way that the sum of all its humans, all trying their best, serves the interests of the company. It’s not anthropomorphic, but it does have an agenda, and it’s not necessarily that of any of its constituent humans. Whether morality features prominently on that agenda is a legitimate matter for debate.

                                                                                                                                                                      I think you’re trying to open a semantic crack in which responsibility can be lost: misdeeds are attributed to Google, but since Google isn’t one person it can’t be guilty of anything. But if companies really aren’t more than the sum of their parts, at least one person at Google must be responsible for each of its transgressions, which I think casts doubt on the claim that they have good intentions.

                                                                                                                                                                       

                                                                                                                                                                      The team makes decisions in this order:

                                                                                                                                                                      1. Protect the open source ecosystem.
                                                                                                                                                                      2. Protect the company.

                                                                                                                                                                      Maybe that’s true of the open source team. It’d be hard to believe that of Google in general—partly because it’s a company and you’d expect it to protect itself first, but more concretely because there’s history. Google has been hegemonizing Android for years. They’re also trying to do the same to the Web, via Chrome. The open source ecosystem gets to use whatever Google puts out, or suffer. I don’t see how that’s healthy.

                                                                                                                                                                       

                                                                                                                                                                      “Protect the ecosystem” is hard to believe if you buy into the “amoral entity” argument but is provably true: the easiest way to protect the company is to ban open source contribution (aside from forced copyleft terms) at all, but Google does this a lot

                                                                                                                                                                      (I note that you don’t have a problem anthropomorphizing Google when it’s doing things you think are good.)

                                                                                                                                                                      I’ve yet to see the proof. Publishing open source software doesn’t necessarily speak to any commitment to the wellbeing of the open-source ecosystem, nor does it typically carry any great risk. Let’s take a couple of minutes to think of as many reasons as we can why a company might publish open-source software out of self-interest:

                                                                                                                                                                      • The existence of good tooling for markets you dominate (web, mobile) directly benefits you
                                                                                                                                                                      • Developers like publishing things, so letting them publish things is a cheap way to keep them happy if it doesn’t hurt you too badly
                                                                                                                                                                      • It’s great PR
                                                                                                                                                                      • If you have a way to use your open-source thing in a way that nobody else does, the free work other people do on it gives you an advantage

                                                                                                                                                                      You might say: so what? Obviously they have businessy motivation to care about open source, but what does it matter if the result is they care about open source? But, as we’ve seen, the moment it benefits them to work flat-out on destroying an open ecosystem, they do that instead.

                                                                                                                                                                      1. 3

                                                                                                                                                                        But, as we’ve seen, the moment it benefits them to work flat-out on destroying an open ecosystem, they do that instead.

                                                                                                                                                                        This could be said of nearly any corporation as well.

                                                                                                                                                                        Move from OS sales to cloud services, buy an open-source friendly company, release a good editor that works on the competition, and even inter-op with the competition.

                                                                                                                                                                        The example may have the best intentions in mind, insofar as a corporation can, but could also be a long-con for traction and eventually blast out something that makes the users jump ship to the corporation’s platform.

                                                                                                                                                                        Best part of it all is, it could be hedging in case that “something” comes along. There is some win either way and an even bigger win if you can throw the ideals under the bus.

                                                                                                                                                                        1. 2

                                                                                                                                                                          For sure. It’d be naïve to think Microsoft had become nice. They’ve become smarter, and they’ve become a smaller player comparatively, and in their situation it’s pragmatic to be a good citizen. Google was the same with Android before they won their monopoly.

                                                                                                                                                                        2. 2

                                                                                                                                                                          (I note that you don’t have a problem anthropomorphizing Google when it’s doing things you think are good.)

                                                                                                                                                                          It’s easy to do, mistakes were made, I’m human. Don’t assume malice or misdirection.

                                                                                                                                                                          1. 5

                                                                                                                                                                            I don’t assume either. I think it’s a natural way to communicate about organisations. But your opening gambit was about how talking about Google in those terms betrayed some error of thought, so I’d hoped that pointing this out might give you pause to reconsider that position. I didn’t mean to cast doubt on your sincerity. Apologies.

                                                                                                                                                                            1. 2

                                                                                                                                                                              All good 👍

                                                                                                                                                                        3. 10

                                                                                                                                                                          Right, I mostly agree with what you’re saying! I do think a lot of people make the mistake of referring to any large company as a single entity, and it makes generalizing way too easy. With the WTFPL thing, I experienced that first hand: a bunch of individuals at Google reached out to me because none of them knew what the other was doing. And that’s a totally reasonable thing because no large company is one single mind.

                                                                                                                                                                          Now, I don’t want to come off like I think Google is some great thing. The WTFPL thing really left a sour taste in my mouth because it also helped me realize just how powerful Google’s policies are from a systemic point of view. They have all these great open source projects and those in turn use other open source projects and so forth. My libraries got caught up in that, as you might imagine in this day and age where projects regularly have hundreds or thousands of dependencies, and Google had very powerful leverage when it came to me relicensing my project. Because it worked itself back up the chain. “{insert google project here} needs to stop using {foo} because {foo} depends on {burntsushi’s code that uses WTFPL}.” Now foo wants to stop using my code too.

                                                                                                                                                                          I’m not saying any of this is particularly wrong, to be honest. I am an individualist at heart so I generally regard this sort of thing as okay from an ethical or legal perspective. But still, emotionally, it was jarring.

                                                                                                                                                                          Do I think the lawyers in Google’s open source policy office think about that sort of effect it has on individuals? I don’t really. I don’t think many do. It’s probably a third order effect of any particular decision, and so is very hard to reason about. But from my perspective, the line of policy making on Google connects very directly to its impact on me, as an individual.

                                                                                                                                                                          In the grand scheme of things, I think this is not really that big of a deal. I’m not all hot and bothered by it. But I do think it’s a nice counter-balance to put out there at least.

                                                                                                                                                                          1. 4

                                                                                                                                                                            To play devil’s advocate:

                                                                                                                                                                            It appears that seasoned lawyers have deemed the license you use “not specific enough”.

                                                                                                                                                                            Isn’t the whole point of a license to fully lay out your intentions in legal terms? If it doesn’t succeed at that, wouldn’t it be better to find another license that does a better job at successfully mapping your intentions to law?

                                                                                                                                                                            1. 6

                                                                                                                                                                              To be clear, I don’t use the WTFPL any more, even though I think it makes my intent perfectly clear. So in a sense, yes, you’re right and I changed my behavior because of it. I stopped using it in large part because of Google’s influence, although the WTFPL didn’t have a great reputation before Google’s policy became more widely known either. But most people didn’t care until Google’s policy influenced them to care. Because in order for my particular problem to exist, some amount of people made the decision to use my project in the first place.

                                                                                                                                                                              I brought up the WTFPL thing for two reasons:

                                                                                                                                                                              • To demonstrate an example of a license being banned that isn’t copyleft, to show that Google has other reasons for banning licenses than what is stated in the OP.
                                                                                                                                                                              • To demonstrate the impact of Google’s policies on me as an individual.

                                                                                                                                                                              I didn’t bring it up with the intent to discuss the particulars of the license though. I’m not a lawyer. I just play one on TV.

                                                                                                                                                                              1. 2

                                                                                                                                                                                But I think even Google’s influence is just one example of the commercial world interacting with the “libre” world; in this light, Google is just entering earlier and/or investing more heavily than its peers. And it could be argued that’s a good thing, as it puts libre creators more in touch with the real needs of industry. It’s the creator’s choice whether to acknowledge and adapt to that influence, or to bend to it entirely. As I see it, Google can’t make you do anything.

                                                                                                                                                                                I do hope that Google carves out exceptions for things like Affero though, since I share Drew’s confusion at Google’s claim of incompatibility. I’m in the same boat, after all; I’m also a user of a niche license (License Zero), the legal wording of which I nevertheless have great confidence in.

                                                                                                                                                                                I believe that at some point, companies like Google will have to bend to the will of creators to have control over how their work is licensed. I happen to use License Zero because it seems to provide more control on a case-by-case basis, which I think is key to effecting that shift.

                                                                                                                                                                                1. 4

                                                                                                                                                                                  As I see it, Google can’t make you do anything.

                                                                                                                                                                                  Maybe I didn’t express it clearly enough, but as I was writing my comments, I was painfully aware of the possibility that I would imply that Google was making me do something, and tried hard to use words that didn’t imply that. I used words like “influence” instead.

                                                                                                                                                                                  And it could be argued that’s a good thing, as it puts libre creators more in touch with the real needs of industry. It’s the creator’s choice whether to acknowledge and adapt to that influence, or to bend to it entirely.

                                                                                                                                                                                  Sure… That’s kind of what I was getting at when I wrote this:

                                                                                                                                                                                  I’m not saying any of this is particularly wrong, to be honest. I am an individualist at heart so I generally regard this sort of thing as okay from an ethical or legal perspective. But still, emotionally, it was jarring.

                                                                                                                                                                                  Anyway, I basically fall into the camp of “dislike all IP.” I’d rather see it abolished completely, for both practical and ideological reasons. Then things like copyleft can’t exist. But, abolishing IP would change a lot, and it’s hard to say how Google (or any company) would behave in such a world.

                                                                                                                                                                                  1. 2

                                                                                                                                                                                    Anyway, I basically fall into the camp of “dislike all IP.” I’d rather see it abolished completely, for both practical and ideological reasons.

                                                                                                                                                                                    Maybe we should turn Google into a worker coop 😉 Then its employees could change IP policy like you say, the same way they successfully protested the deals w/ China & the US military.

                                                                                                                                                                                  2. 4

                                                                                                                                                                                    I do hope that Google carves out exceptions for things like Affero though, since I share Drew’s confusion at Google’s claim of incompatibility.

                                                                                                                                                                                    Large parts of Google work in a monorepo in which anything goes if it furthers the mission. The Google licensing site brings up that example of a hypothetical AGPL PostGIS used by Google Maps. In normal environments that wouldn’t be an issue: your code interfaces to PostGIS through interprocess APIs (which still isn’t linking even with the AGPL) and users interact with your code, but not with PostGIS. In the monorepo concept code can quickly be drawn into the same process if it helps any. Or refactored to be used elsewhere. That “elsewhere” then ends up under AGPL rules which could be a problem from a corporate standpoint.

                                                                                                                                                                                    It’s a trade-off between that flexibility in dealing with code and having the ability to use AGPL code, and the organizational decision was apparently to favor the flexibility. It can be possible to have both, but that essentially requires having people (probably lawyers) poring over many, many changes to determine if any cross pollination between license regimes took place. Some companies work that way, but Google certainly does not.

                                                                                                                                                                                    I believe the issue with WTFPL is different: because it’s so vague my guess is that the open source legal folks at Google would rather see that license disappear completely to protect open source development at large from the potential fallout of it breaking down eventually, while they probably don’t mind that the AGPL exists. At least that’s the vibe I get from reading the Google licensing site.

                                                                                                                                                                                    (Disclosure: I work at Google but neither on open source licensing nor with the monorepo. I also don’t speak for the company.)

                                                                                                                                                                            2. 3

                                                                                                                                                                              There is not “a Google” that is making amoral decisions for its global benefit . There is an office of humans that try their best and have good intentions.

                                                                                                                                                                              Mike Hoye wrote a short article called “The Shape of the Machine” a couple of months ago that examines the incentives of multiple teams in a large company. Each team is doing something that seems good for the world, but when you look at the company as a whole its actions end up being destructive. The company he’s talking about also happens to be Google, although the lesson could apply to any large organization.

                                                                                                                                                                              I definitely agree with you that Google has lots of capable, conscientious people who are doing what they think is right. (And to be honest, I haven’t thought about the licensing issue enough to be able to identify whether the same thing is at play here.) I just think it’s good to keep in mind that this by itself is not sufficient for the same to be said for the organization as a whole.

                                                                                                                                                                            3. 9

                                                                                                                                                                              This is exactly what I came here to say. Basing an argument on your own interpretation of a license is a great way to get into legal trouble. Not only is there the risk that a judge in a court of law may disagree with your interpretation, but there is also the risk that you will invite litigation from others that have a different interpretation and, disregarding the risk of losing that litigation, that litigation has a cost.

                                                                                                                                                                              So by using AGPL you incur not only the risk of having the wrong interpretation once it is tested in court but also the risk of an increase in costly litigation over time. This risk is further magnified by your size and how much larger it makes the target on your back.

                                                                                                                                                                              1. 12

                                                                                                                                                                                Basing an argument on your own interpretation of a license is a great way to get into legal trouble

                                                                                                                                                                                The article starts with “I’m not a lawyer; this is for informational purposes only”, and then proceeds to make strong un-nuanced claims about the license and even proceeds to claim that Google’s lawyers are incompetent buffoons and/or lying about their interpretation. Saying you’re not an expert and then pretending you are in the very next sentence is pretty hilarious. It’s abundantly clear this article is to support the author’s politics, rather than examine legal details.

                                                                                                                                                                                1. 6

                                                                                                                                                                                  I’m not a lawyer; this is for informational purposes only

                                                                                                                                                                                  I believe that Americans write that type of disclaimer because it is illegal over there to practice law without a license, and articles about software licenses can easily wander into dangerous territory. So based on that, I think it’s unfair to hold that up as a point against the article.

                                                                                                                                                                                  Disclaimer: I’m not a lawyer; this is for informational purposes only.

                                                                                                                                                                                  1. 1

                                                                                                                                                                                    I started to call that tactic ‘joe-roganizing’. He does the same: “I don’t know anything about this.”, Then, in the next sentence: ‘[very strong opinion] - everyone who disagrees is surely stupid….’

                                                                                                                                                                                2. 9

                                                                                                                                                                                  I worked at a startup where we had a massive compliance burden (yay FDA!) and so had even fewer resources than usual. One of my jobs as engineering lead there was to go and audit the tools and source that we were using and set guidelines around what licenses were acceptable because we could not afford the lawyer time if there were any issues.

                                                                                                                                                                                  If the AGPL had been tested in court, I think companies would be a bit more chill about it, but I reckon that nobody wants to bankroll a legal exploration that could turn out very much not in their favor.

                                                                                                                                                                                  One of the annoying things too about licensing, especially with networked systems and cloud stuff, is that the old reliable licenses everybody basically understands (mostly) like BSD and MIT and GPL and LGPL were made in a (better) world where users ran the software on machines they owned instead of interacting with services elsewhere. We still haven’t really identified an ontology for how to treat licensing for composed services on a network, versus how to handle services that provide aggregate statistics for internal use but not for end users, versus dumbly storing user data, versus transforming user data for user consumption.

                                                                                                                                                                                  1. 4

                                                                                                                                                                                    What’s the cost of being wrong and having Google required to publish all of their source code?

                                                                                                                                                                                    That’s not how the AGPL works.

                                                                                                                                                                                    The AGPL does not force you to distribute anything.

                                                                                                                                                                                    If they’re “wrong”, they are in breach of contract. That’s it. They can then remedy that breach either by ceasing use of that software or by distributing their changes, or even by coming to some alternative agreement with the copyright holders of the AGPL’d software in question.

                                                                                                                                                                                    1. 2

                                                                                                                                                                                      This seems like a nit-pick. The point of my question was to provoke thought in the reader about the costs of violating the license. What are those costs? Can you say with certainty that they will be small? I’m pretty sure you’d need to be a lawyer to fully understand the extent here, which was my way of saying, “give deference where it’s due.”

                                                                                                                                                                                      I personally think your comment is trying to minimize what the potential costs could be, but this isn’t theoretical. Oracle v. Google is a real world copyright case that has been going on for years and has almost certainly been extremely costly. I don’t see any reason why an AGPL violation couldn’t end up in the same situation.

                                                                                                                                                                                      1. 4

                                                                                                                                                                                        It’s an actual misconception that many people have, and I don’t think it’s good to perpetuate it.

                                                                                                                                                                                        1. 2

                                                                                                                                                                                          I guess that’s fair, but it seems like splitting hairs to me. Even you said “distributing their changes” as a possible remedy, and there’s a fine line between that and “publish all of their source code.” It really depends on how the law and license are interpreted, and nobody knows how it will be. So lawyers guess and they guess conservatively.

                                                                                                                                                                                          1. 0

                                                                                                                                                                                            The easiest way not to perpetuate it is to not use the AGPL.

                                                                                                                                                                                      2. 3

                                                                                                                                                                                        Thanks for saying this. I don’t work at Google, but I know many people who work at it and other large companies and have talked with them about license policy, and the article just reeks of ignorance as to how corporate lawyers work; even for relatively small companies.

                                                                                                                                                                                        There’s no ideology here, there’s just lawyers doing what they were hired to do: use an abundance of caution to give the company as ironclad a position as possible.


                                                                                                                                                                                        Hell, forget WTFPL, I’ve been waved off considering triple licensing of (approved) licenses by Googlers as “the lawyers would never go for this”. The lawyers are going to go for well understood, battle tested licenses where the failure cases aren’t catastrophic.


                                                                                                                                                                                        Besides that, it seems like the article misunderstands what constitutes a “derivative work”. If the article’s definition of “derivative work” (i.e., the code must be modified, not simply “used as a dependency”) were the one used by the *GPL licenses, then there would be no need for LGPL to exist.

                                                                                                                                                                                        1. 1

                                                                                                                                                                                          but as a rule of thumb, if you form an argument on knowing the intentions of other humans, it’s probably a bad argument

                                                                                                                                                                                          This is not true.

                                                                                                                                                                                          Firstly, the rule for another person and the rule for CORPORATIONS are completely different. Corporations do not operate like people do. When corporations are small, they sort of do, but as they grow larger then they become more corporations like.

                                                                                                                                                                                          Secondly, it is impossible to know the intentions of other humans. So by this argument, no argument is ever good.

                                                                                                                                                                                          We might give people the benefit of the doubt, because people are mostly good. They are ruled by an ethical system, built into their brain, to socialise and cooperate. Corporations do not have this internal system. Their motivational system is entirely profit based, and therefore you cannot treat them like people.

                                                                                                                                                                                          If you have been alive long enough and paid attention to what corporations do, and especially Google, the idea that they consider AGPL hostile, and wish to limit its influence and expansion, is highly plausible. How will they limit its influence? They could ban it completely, and then publish a document detailing why they think it’s bad. That’s highly plausible.

                                                                                                                                                                                          Is risk-averse lawyering a factor? Most likely yes. But risk-averse lawyering adds to the hostility argument. Having received the advice from lawyers to not use AGPL, leadership would easily conclude that a limit to AGPL spread would give them the best chance of getting free software and having their way.

                                                                                                                                                                                          Additionally, your steelman argument does not explain why google publishes that they do not like AGPL. They could keep it entirely internal. Why do you think they would do that? Free legal advice to competing startups?

                                                                                                                                                                                          1. 3

                                                                                                                                                                                            Firstly, the rule for another person and the rule for CORPORATIONS are completely different. Corporations do not operate like people do. When corporations are small, they sort of do, but as they grow larger then they become more corporations like.

                                                                                                                                                                                            That makes sense in a certain light, sure. But I don’t see what it has to do with my point.

                                                                                                                                                                                            Secondly, it is impossible to know the intentions of other humans. So by this argument, no argument is ever good.

                                                                                                                                                                                            I don’t really agree. It might be true in the strictest philosophical sense, but that needn’t be our standard here. Intent is clearly something that we as a society have judged to be knowable to an extent, at least beyond some reasonable doubt. Just look at the criteria for being convicted of murder. It requires demonstrating something about the intent of someone else.

                                                                                                                                                                                            Why do you think they would do that?

                                                                                                                                                                                            When was the last time you saw any company publish legal advice generated by internal review?

                                                                                                                                                                                            If you have been alive long enough and paid attention to what corporations do, and especially Google, the idea that they consider AGPL hostile, and wish to limit its influence and expansion, is highly plausible. How will they limit its influence? They could ban it completely, and then publish a document detailing why they think it’s bad. That’s highly plausible.

                                                                                                                                                                                            I think you’ve really missed my point. If the OP were an article discussing the plausibility of one of any number of reasons why Google published an anti-AGPL policy, then I would almost certainly retract my comment. But that’s not what it was. It’s a one sided turd without any consideration of alternative perspectives or explanations at all.

                                                                                                                                                                                        1. 5

                                                                                                                                                                                          An interesting take. Glad to see Linux is still an option and really surprising that perceived performance between KDE and Gnome have flipped.

                                                                                                                                                                                          • Surprising to hear that there isn’t a Google Drive client on Linux (as I recall there used to be one), don’t many engineers at Google use “Goobuntu”? Perhaps they don’t open source the client for public use.
                                                                                                                                                                                          • I know that Steam works on both, do you find that your OS dictates what games you play most, or no?
                                                                                                                                                                                          • OP didn’t mention the screen quality or eyesight issues, curious if there is a noticeable difference between the two? As I suspect there would be.
                                                                                                                                                                                          1. 9

                                                                                                                                                                                            Goobuntu (Ubuntu) was replaced by gLinux (Debian) a couple of years ago for maintainability reasons. They’re functionally the same though.

                                                                                                                                                                                            The machines that we develop on is about what we think gets the programming job done, not as an indication of the target platform.

                                                                                                                                                                                            My guess is that the numbers were crunched and found that Linux users would not have made up enough share to warrant a client. I’ve never missed it, I do all my office work directly in the browser, and we have company-wide disk snapshotting for backup purposes. On my laptop (which isn’t snapshotted) I use RSync.

                                                                                                                                                                                            1. 1

                                                                                                                                                                                              Ahh interesting, thanks for the update.

                                                                                                                                                                                              The machines that we develop on is about what we think gets the programming job done, not as an indication of the target platform.

                                                                                                                                                                                              Of course, but I’d imagine that some engineers would want to have native document sync with GDrive. I also use GDrive, but honestly found the syncing annoying when the usage flow is nearly always New tab > drive.google.com > search doc. But certainly someone on gLinux wanted to keep it? :shrug:

                                                                                                                                                                                              What exactly are you rsync’ing against?

                                                                                                                                                                                              1. 4

                                                                                                                                                                                                Laptop (not snapshotted) > Desktop (snapshotted)

                                                                                                                                                                                                But yeah, we just use the web interface for all docs writing stuff. For documentation (not documents), we have an internal Markdown renderer (think GitHub wiki with internal integrations). No one writes documents outside of a centralized system, and so has no need to back them up with a client.

                                                                                                                                                                                            2. 6

                                                                                                                                                                                              (I’m not OP) I recently started playing games on Linux via Steam. For reference, I’ve never been a Windows gamer – had been a console gamer up to that point. To answer your question:

                                                                                                                                                                                              do you find that your OS dictates what games you play most, or no

                                                                                                                                                                                              Pretty much. I play only what will work, so that means the game must either officially be supported under “Steam OS + Linux”, or work via Proton. But this is just me. Others are free to dual boot, which, of course, vastly broadens their spectrum of available games.

                                                                                                                                                                                              1. 5

                                                                                                                                                                                                I used to be a dual booter, but since Proton, so many games have been working on Linux that I stopped booting to Windows. Then at some point my windows installation broke and I never bothered to fix it.

                                                                                                                                                                                                1. 3

                                                                                                                                                                                                  That’s cool. However, I think we’re a ways off from totally being on par with native Windows. Several anti-cheat systems are triggered by running under Linux. And protondb shows that there are still many games that don’t run.

                                                                                                                                                                                                  That said, things are improving steadily month by month, so that’s encouraging.

                                                                                                                                                                                                  1. 2

                                                                                                                                                                                                    That’s true, I didn’t mean to imply that all games I would like to play work on Proton now. But enough of them work now that instead of dealing with Windows for a game that doesn’t work on Proton, I usually just go and find something else that does.

                                                                                                                                                                                                    If you have a group of gaming buddies, that obviously won’t work, though. It won’t be long before they get hooked up to a Windows-only game.

                                                                                                                                                                                                2. 2

                                                                                                                                                                                                  Same here, I find the biggest area where I need to switch back to Windows is for multiplayer. I used to LAN a lot and still have many of those contacts. I find a lot of games that have a host/client multiplayer, for example RTS games, have issues on Linux even if the single-player works flawlessly. This means I have to keep dual boot available.

                                                                                                                                                                                                  Even though Linux does strongly influence which games I play, the range and variety is amazing and it is not reducing the quality or diversity of games I play at all. There are just a few Windows-only titles that I might play slightly more if they were available on Linux.

                                                                                                                                                                                                  While we are on the subject, what are people’s recommendations for a gaming distro? I am on Mint at the moment which is good, but I like to have options.

                                                                                                                                                                                                  1. 1

                                                                                                                                                                                                    I don’t know if I’d call it a gaming distro, but I have been using Gentoo for many years, and it seems to be doing just fine with Steam (which I just installed a couple months ago).

                                                                                                                                                                                                    1. 1

                                                                                                                                                                                                      Frankly, I’m not sure you need a gaming distro. I’ve had little issues running Steam and Wine (using Lutris) games on Void Linux, Debian, etc. (Mind you: always using Nvidia.)

                                                                                                                                                                                                      1. 2

                                                                                                                                                                                                        I actually phrased that really badly, thanks for the correction. I tried out a dedicated gaming distro and it was rubbish. Mint is a variation on Ubuntu.I was looking at Debian to try next.

                                                                                                                                                                                                        It seems like the thing to look for is just something well supported with all the common libraries, so most big distros appear to be fine for gaming. The reason I am not entirely pleased with Mint is that they seem a bit too conservative in terms of adding new stuff to the package manager when it comes out. On the one hand that makes it more stable, but on the other games use a lot of weird stuff sometimes and it makes things a bit messy if you have to install things from outside the package manager.

                                                                                                                                                                                                  2. 4

                                                                                                                                                                                                    perceived performance between KDE and Gnome has flipped

                                                                                                                                                                                                    Gnome Shell is huge and slow. A Canonical engineer (Ubuntu has switched from Unity to Gnome) has recently started to improve its performance with very good results but this also shows how terrible the performance was before: memory leaks, huge redraws all of the time and no clipping, … Now this needs to trickle down to users and the comments might change then.

                                                                                                                                                                                                    PS: KDE has not gotten a lot more bloat or slowness over the years and I don’t know if Gnome will be faster and lighter or if both will be similar.

                                                                                                                                                                                                    1. 2

                                                                                                                                                                                                      The lack of a Google Drive client is shameful, but I tried Insync and it’s the best money I’ve ever spent on a Linux app. Much better than the Mac version of Google Drive which was super buggy