Threads for christianbundy

  1. 1

    Is this the first time someone has version-bumped a semantically versioned license?

    1. 18

      Mitigation not listed: use a base64 decoder that errors if the padding bits are not all zero, instead of ignoring them. Then there will be only one valid encode for a given payload.

      1. 5

        Then there will be only one valid encode for a given payload.

        If anyone wants to do more research, this is called “canonical base64”.

        1. 4

          Great suggestion! I’ll add it.

        1. 1

          Am I the only one seeing different font sizes in each line of the code examples?

          1. 2

            I see that too.

          1. 57

            The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on ’colors and ‘faker’.

            I wonder if the person who wrote this actually knows what “bricked” means.

            But beyond the problem of not understanding the difference between “bricked” and “broke”, this action did not break any builds that were set up responsibly; only builds which tell the system “just give me whatever version you feel like regardless of whether it works” which like … yeah, of course things are going to break if you do that! No one should be surprised.

            Edit: for those who are not native English speakers, “bricked” refers to a change (usually in firmware on an embedded device) which not only causes the device to be non-functional, but also breaks whatever update mechanisms you would use to get it back into a good state. It means the device is completely destroyed and must be replaced since it cannot be used as anything but a brick.

            GitHub has reportedly suspended the developer’s account

            Hopefully this serves as a wakeup call for people about what a tremendously bad idea it is to have all your code hosted by a single company. Better late than never.

            1. 25

              There have been plenty of wakeup calls for people using Github, and I doubt one additional one will change the minds of very many people (which doesn’t make it any less of a good idea for people to make their code hosting infrastructure independent from Github). The developer was absolutely trolling (in the best sense of the word) and a lot of people have made it cleared that they’re very eager for Github to deplatform trolls.

              I don’t blame him certainly; he’s entitled to do whatever he wants with the free software he releases, including trolling by releasing deliberately broken commits in order to express his displeasure at companies using his software without compensating him in the way he would like.

              The right solution here is for any users of these packages to do exactly what the developer suggested and fork them without the broken commits. If npm (or cargo, or any other programming language ecosystem package manager) makes it difficult for downstream clients to perform that fork, this is an argument for changing npm in order to make that easier. Build additional functionality into npm to make it easier to switch away from broken or otherwise-unwanted specific versions of a package anywhere in your project’s dependency tree, without having to coordinate this with other package maintainers.

              1. 31

                The developer was absolutely trolling (in the best sense of the word)

                To the extent there is any good trolling, it consists of saying tongue-in-cheek things to trigger people with overly rigid ideas. Breaking stuff belonging to people who trusted you is not good in any way.

                I don’t blame him certainly; he’s entitled to do whatever he wants with the free software he releases, including trolling by releasing deliberately broken commits in order

                And GitHub was free to dump his account for his egregious bad citizenship. I’m glad they did, because this kind of behavior undermines the kind of collaborative trust that makes open source work.

                to express his displeasure at companies using his software without compensating him in the way he would like.

                Take it from me: the way to get companies to compensate you “in six figures” for your code is to release your code commercially, not open source. Or to be employed by said companies. Working on free software and then whining that companies use it for free is dumbshittery of an advanced level.

                1. 33

                  No I think the greater fool is the one who can’t tolerate changes like this in free software.

                  1. 1

                    It’s not foolish to trust, initially. What’s foolish is to keep trusting after you’ve been screwed. (That’s the lesson of the Prisoner’s Dilemma.)

                    A likely lesson companies will draw from this is that free software is a risk, and that if you do use it, stick to big-name reputable projects that aren’t built on a house of cards of tiny libraries by unknown people. That’s rather bad news for ecosystems like node or RubyGems or whatever.

                  2. 12

                    Working on free software and then whining that companies use it for free is dumbshittery of an advanced level.

                    Thankyou. This is the point everybody seems to be missing.

                    1. 49

                      The author of these libraries stopped whining and took action.

                      1. 3

                        Worked out a treat, too.

                        1. 5

                          I mean, it did. Hopefully companies will start moving to software stacks where people are paid for their effort and time.

                          1. 6

                            He also set fire to the building making bombs at home, maybe he’s not a great model.

                            1. 3

                              Not if you’re being responsible and pinning your deps though?

                              Even if that weren’t true though, the maintainer doesn’t have any obligation to companies using their software. If the company used the software without acquiring a support contract, then that’s just a risk of business that the company should have understood. If they didn’t, that’s their fault, not the maintainer’s - companies successfully do this kind of risk/reward calculus all the time in other areas, successfully.

                              1. 1

                                I know there are news reports of a person with the same name being taken into custody in 2020 where components that could be used for making bombs were found, but as far as I know, no property damage occurred then. Have there been later reports?

                              2. 3

                                Yeah, like proprietary or in-house software. Great result for open source.

                                Really, if I were a suit at a company and learned that my product was DoS’d by source code we got from some random QAnon nutjob – that this rando had the ability to push malware into his Git repo and we’d automatically download and run it – I’d be asking hard questions about why my company uses free code it just picked up off the sidewalk, instead of paying a summer intern a few hundred bucks to write an equivalent library to printf ANSI escape sequences or whatever.

                                That’s inflammatory language, not exactly my viewpoint but I’m channeling the kind of thing I’d expect a high-up suit to say.

                      2. 4

                        There have been plenty of wakeup calls for people using Github, and I doubt one additional one will change the minds of very many people

                        Each new incident is another feather. For some, it’s the last one to break the camel’s back.

                        1. 4

                          in order to express his displeasure at companies using his software without compensating him in the way he would like.

                          This sense of entitlement is amusing. This people totally miss the point of free software. They make something that many people find useful and use (Very much thanks to the nature of being released with a free license, mind you), then they feel in their right to some sort of material/monetary compensatiom.

                          This is not miss universe contest. It’s not too hard to understand that had this project been non free, it would have probably not gotten anywhere. This is the negative side of GitHub. GitHub has been an enormously valuable resource for free software. Unfortunately, when it grows so big, it will inevitably also attract this kind of people that only like the free aspect of free software when it benefits them directly.

                          1. 28

                            This people totally miss the point of free software.

                            An uncanny number of companies (and people employed by said companies) also totally miss the point of free software. They show up in bug trackers all entitled like the license they praise in all their “empowering the community” slides doesn’t say THE SOFTWARE IS PROVIDED “AS IS” in all fscking caps. If you made a list of all the companies to whom the description “companies that only like the free aspect of free software when it benefits them directly” doesn’t apply, you could apply a moderately efficient compression algorithm and it would fit in a boot sector.

                            I don’t want to defend what the author did – as someone else put it here, it’s dumbshittery of an advanced level. But if entitlement were to earn you an iron “I’m an asshole” pin, we’d have to mine so much iron ore on account of the software industry that we’d trigger a second Iron Age.

                            This isn’t only on the author, it’s what happens when corporate entitlement meets open source entitlement. All the entitled parties in this drama got exactly what they deserved IMHO.

                            Now, one might argue that what this person did affected not just all those entitled product managers who had some tough explaining to do to their suit-wearing bros, but also a bunch of good FOSS “citizens”, too. That’s absolutely right, but while this may have been unprofessional, the burden of embarrassment should be equally shared by the people who took a bunch of code developed by an independent, unpaid developer, in their spare time – in other words, a hobby project – without any warranty, and then baked it in their super professional codebases without any contingency plan for “what if all that stuff written in all caps happens?”. This happened to be intentional but a re-enactment of this drama is just one half-drunk evening hacking session away.

                            It’s not like they haven’t been warned – when a new dependency is proposed, that part is literally the first one that’s read, and it’s reviewed by a legal team whose payment figures are eye-watering. You can’t build a product based only on the good parts of FOSS. Exploiting FOSS software only when it benefits yourself may also be assholery of an advanced level, but hoping that playing your part shields you from all the bad parts of FOSS is naivety of an advanced level, and commercial software development tends to punish that.

                            1. 4

                              They show up in bug trackers all entitled like the license they praise in all their “empowering the community” slides doesn’t say THE SOFTWARE IS PROVIDED “AS IS” in all fscking caps

                              Slides about F/OSS don’t say that because expensive proprietary software has exactly the same disclaimer. You may have an SLA that requires bugs to be fixed within a certain timeframe, but outside of very specialised markets you’ll be very hard pressed to find any software that comes with any kind of liability for damage caused by bugs.

                              1. 1

                                Well… I meant the license, not the slides :-P. Indeed, commercial licenses say pretty much the same thing. However, at least in my experience, the presence of that disclaimer is not quite as obvious with commercial software – barring, erm, certain niches.

                                Your average commercial license doesn’t require proprietary vendors to issue refunds, provide urgent bugfixes or stick by their announced deadlines for fixes and veatures. But the practical constraints of staying in business are pretty good at compelling them to do some of these things.

                                I’ve worked both with and without SLAs so I don’t want to sing praises to commercial vendors – some of them fail miserably, and I’ve seen countless open source projects that fix security issues in less time than it takes even competent large vendors to call a meeting to decide a release schedule for the fix. But expecting the same kind of commitment and approachability from Random J. Hacker is just not a very good idea. Discounting pathological arseholes and know-it-alls, there are perfectly human and understandable reasons why the baseline of what you get is just not the same when you’re getting it from a development team with a day job, a bus factor of 1, and who may have had a bad day and has no job description that says “be nice to customers even if you had a bad day or else”.

                                The universe npm has spawned is particularly susceptible to this. It’s a universe where adding a PNG to JPG conversion function pulls fourty dependencies, two of which are different and slightly incompatible libraries which handle emojis just in case someone decided to be cute with file names, and they’re going to get pulled even if the first thing your application does is throw non-alphanumeric characters out of any string, because they’re nth order dependencies with no config overrides. There’s a good chance that no matter what your app does, 10% of your dependencies are one-person resume-padding efforts that turned out to be unexpectedly useful and are now being half-heartedly maintained largely because you never know when you’ll have to show someone you’re a JavaScript ninja guru in this economy. These packages may well have the same “no warranty” sticker that large commercial vendors put on theirs, but the practical consequences of having that sticker on the box often differ a lot.

                                Edit: to be clear, I’m not trying to say “proprietary – good and reliable, F/OSS – slow and clunky”, we all know a lot of exceptions to both. What I meant to point out is that the typical norms of business-to-business relations just don’t uniformly apply to independent F/OSS devs, which makes the “no warranty” part of the license feel more… intense, I guess.

                            2. 12

                              The entitlement sentiment goes both ways. Companies that expect free code and get upset if the maintainer breaks backward compatibility. Since when is that an obligation to behave responsibly?

                              When open source started, there wasn’t that much money involved and things were very much in the academic spirit of sharing knowledge. That created a trove of wealth that companies are just happy to plunder now.

                            3. 1

                              releasing deliberately broken commits in order to express his displeasure at companies using his software without compensating him in the way he would like.

                              Was that honestly the intent? Because in that case: what hubris! These libraries were existing libraries translated to JS. He didn’t do any of the hard work.

                            4. 8

                              There is further variation on the “bricked” term, at least in the Android hacker’s community. You might hear things like “soft bricked” which refers to a device that has the normal installation / update method not working, but could be recovered through additional tools, or perhaps using JTAG to reprogram the bootloader.

                              There is also “hard bricked” which indicates something completely irreversible, such as changing the fuse programming so that it won’t boot from eMMC anymore. Or deleting necessary keys from the secure storage.

                              1. 3

                                this action did not break any builds that were set up responsibly; only builds which tell the system “just give me whatever version you feel like regardless of whether it works” which like … yeah, of course things are going to break if you do that! No one should be surprised.

                                OK, so, what’s a build set up responsibly?

                                I’m not sure what the expectations are for packages on NPM, but the changes in that colors library were published with an increment only to the patch version. When trusting the developers (and if you don’t, why would you use their library?), not setting in stone the patch version in your dependencies doesn’t seem like a bad idea.

                                1. 26

                                  When trusting the developers (and if you don’t, why would you use their library?), not setting in stone the patch version in your dependencies doesn’t seem like a bad idea.

                                  No, it is a bad idea. Even if the developer isn’t actively malicious, they might’ve broken something in a minor update. You shouldn’t ever blindly update a dependency without testing afterwards.

                                  1. 26

                                    Commit package-lock.json like all of the documentation tells you to, and don’t auto-update dependencies without running CI.

                                    1. 3

                                      And use npm shrinkwrap if you’re distributing apps and not libraries, so the lockfile makes it into the registry package.

                                    2. 18

                                      Do you really think that a random developer, however well intentioned, is really capable of evaluating whether or not any given change they make will have any behavior-observable impact on downstream projects they’re not even aware of, let alone have seen the source for and have any idea how it consumes their project?

                                      I catch observable breakage coming from “patch” revisions easily a half dozen times a year or more. All of it accidental “oh we didn’t think about that use-case, we don’t consume it like that” type stuff. It’s truly impossible to avoid for anything but the absolute tiniest of API surface areas.

                                      The only sane thing to do is to use whatever your tooling’s equivalent of a lock file is to strictly maintain the precise versions used for production deploys, and only commit changes to that lock file after a full re-run of the test suite against the new library version, patch or not (and running your eyeballs over a diff against the previous version of its code would be wise, as well).

                                      It’s wild to me that anyone would just let their CI slip version updates into a deploy willynilly.

                                      1. 11

                                        This neatly shows why Semver is a broken religion: you can’t just rely on a version number to consider changes to be non-broken. A new version is a new version and must be tested without any assumptions.

                                        To clarify, I’m not against specifying dependencies to automatically update to new versions per se, as long as there’s a CI step to build and test the whole thing before it goes it production, to give you a chance to pin the broken dependency to a last-known-good version.

                                        1. 7

                                          Semver doesn’t guarantee anything though and doesn’t promise anything. It’s more of an indicator of what to expect. Sure, you should test new versions without any assumptions, but that doesn’t say anything about semver. What that versioning scheme allows you to do though is put minor/revision updates straight into ci and an automatic PR, while blocking major ones until manual action.

                                        2. 6

                                          The general form of the solution is this:

                                          1. Download whatever source code you are using into a secure versioned repository that you control.

                                          2. Test every version that you consider using for function before you commit to it in production/deployment/distribution.

                                          3. Build your system from specific versions, not from ‘last update’.

                                          4. Keep up to date on change logs, security lists, bug trackers, and whatever else is relevant.

                                          5. Know what your back-out procedure is.

                                          These steps apply to all upstream sources: language modules, libraries, OS packages… dependency management is crucial.

                                          1. 3

                                            Amazon does this. Almost no-one else does this, but that’s a choice with benefits (saving the set up effort mostly) and consequences (all of this here)

                                          2. 6

                                            When trusting the developers (and if you don’t, why would you use their library?)

                                            If you trust the developers, why not give them root on your laptop? After all, you’re using their library so you must trust them, right?

                                            1. 7

                                              There’s levels to trust.

                                              I can believe you’rea good person by reading your public posts online, but I’m not letting you babysit my kids.

                                          3. 2

                                            Why wouldn’t this behavior be banned by any company?

                                            1. 2

                                              How do they ban them, they’re not paying them? Unless you mean the people who did not pin the dependencies?

                                              1. 4

                                                I think it is bannable on any platform, because it is malicious behavior - that means he intentionally caused harm to people. It’s not about an exchange of money, it’s about intentional malice.

                                              2. 1

                                                Because it’s his code and even the license says “no guarantees” ?

                                                1. 2

                                                  The behavior was intentionally malicious. It’s not about violating a contract or guarantee. For example, if he just decided that he was being taken advantage of and removed the code, I don’t think that would require a ban. But he didn’t do that - he added an infinite loop to purposefully waste people’s time. That is intentional harm, that’s not just providing a library of poor quality with no guarantee.

                                                  Beyond that, if that loop went unnoticed on a build server and costed the company money, I think he should be legally responsible for those damages.

                                            1. 35

                                              Agreed. I’m for software to be fun in general, but the foundational stuff should stay boring. Bridges, airplanes, and stop lights should also stay boring. They can be beautiful if you want, but I don’t want them to surprise me.


                                              1. 30

                                                Every once in a while I get a feeling that maybe I should have dropped my childhood dream of becoming a programmer when I had the chance, and that it’s still not too late, I can just go get certified and become an electrician instead. This is one of those moments because I swear to God reading through that thread makes it feel like the software industry is bipolar.

                                                On the one hand, yes, cows filling your screen is unprofessional, and it’s one of those things that can unexpectedly fire off during a demo and, to quote one of the commenters, “[make] it look as though the product designers are not taking their role seriously”.

                                                On the other hand: this is all being debated on Github, the pinnacle of professional collaboration, whose fsckin logo is a cartoon octopus-cat, and whose homepage features an astronaut, um, cat, I guess? looking at a cartoon animation of Earth, and whose docs page features a cartoon of squirrels chasing someone running while holding a human-sized pencil. I mean there young adult cartoons out there whose homepages look more serious, if I had to guess Github’s target audience… based on the cutesy cat, my first instinct would be 6-9 year-olds. Is Github really that popular in kindergartens and elementary schools that it’s worth designing the whole UI like that?

                                                Good thing people aren’t opening Github while giving demos…

                                                1. 19

                                                  I kept wondering what kind of awful companies these people work for that having cows show up on the screen during a demo would be an instant fireable offense! Sounds like a dystopian hellscape to me.

                                                  1. 10

                                                    For real. I’m tired of mega-corp-HR-department types getting to decide what’s okay for the entire industry. I understand the point of view of the OP and cURL, and I respect that. But I have nyan cat scroll bars in my editors, sometimes put jokey things in my mockups, and even name my internal work projects funny names (yes, management does know the names, and yes, they actually say them at meetings! XD). None of this is disrespectful or offensive or anything like that. It’s just if I’m asked to write a tool to send alert emails when a phone call goes unanswered, I might name it something stupid like “PhoneNagger” (maybe not that because the phonetics are a little risky, but you get the idea).

                                                    It’s either me being juvenile or perhaps it’s my background in academia, because I remember going to conferences and seeing math professors walking around in sweat pants while discussing way cooler shit than middle-manager-X at YetAnotherWidgetCompany ever did. Yet, Mr. Manager probably has opinions about the professor’s “professionalism”. That just leaves such a bad taste in my mouth.

                                                    1. 5

                                                      Hah, wait until they find out the whole provisioning and deployment cycle is done through a program named after a fictitious device from a sci-fi novel, from a company called Red Hat, whose logo is a red fedora. If that doesn’t inspire bullet-proof, rock-solid confidence and stern, military-like professional discipline, I don’t know what does.

                                                      1. 2

                                                        I am not sure that prussia-style skulls & bones symbolism would make it a more professional discipline. Better engineering practices would though, and they can keep their astronaut cats with red fedoras.

                                                          1. 2

                                                            Unfortunately they abandoned that really cool logo in favour of, uh, how does the phrase go, a more streamlined design. It’s really just a boring red fedora now.

                                                          2. 2

                                                            Absolutely, what I’m getting at is that the whole “it’s unprofessional” thing, of which the cowsay debacle is just a symptom, is just a highly pseudo-efficient kind of bikeshedding – it’s efficient as in nobody wants to argue against something being removed because it’s not professional, but it also generally leads to no improvement at all. Arguably, Lockeed Martin’s planes would fly as right with or without the Skunk logo on the buildings, to cite just another example of something that meets every checklist of “unprofessional” but nobody gives a damn about.

                                                      2. 5

                                                        The complaint isn’t that cowsay is childish, it’s that it’s surprising. GitHub’s illustrations are ridiculous, but they’re consistent. The problem would be if their illustrations only became ridiculous in some web browsers or if you had some specific program installed.

                                                        1. 4

                                                          I’m pretty sure the person who had nightmares about getting fired over it was agonizing over the appearance of cowsay, not their inability to predict whether the ASCII bovine would visit the terminal or not (which, in fact, isn’t hard to determine, either). I imagine there’s not much of a chance of getting fired over things like temporary connection timeouts, mistyping your password at the sudo prompt, or the occasional segfault of early-stage applications, all of which routinely happen during demos and don’t exactly follow a strict timetable, either :-D.

                                                        2. 4

                                                          The article was not about fun logos. It was about not allowing irrelevant code in a core application, to avoid the overhead of reviewing and maintaining that code.

                                                          1. 3

                                                            When you’re not logged in it does look kinda weird and could be confused with kerbal space program. But other than that: It’s FaMiLy FrIeNdLy

                                                            1. 5

                                                              That extremely punchable cat (words I never thought I’d utter, man, I love cats!) is indeed shown only if you’re logged out but the rest of the cartoon characters are everywhere. And it’s not just Github, either, surfing corporate web in 2021 feels like flipping back and forth between Disney Channel and the CNBC business news, it’s cute and nauseating all at the same time!

                                                        1. 2

                                                          This is sad.

                                                          1. 2

                                                            How, why? What’s the point in such an underwhelming comment?

                                                            1. 2

                                                              I at least feel sorry for the poor rat. If the rat could choose what to do it would probably not want to be fixated in this experimental setup.

                                                              1. 4

                                                                Running around a game while drinking sugar water doesn’t sound that different from what some people teach their kids to do on a computer.

                                                                Except for the physical exercise part.

                                                                1. 1

                                                                  According to the post, it took weeks to get the rats trained/accustomed enough to get dressed in the harness. If they really didn’t want to do this, it definitely looks like they had a choice. If they can be taught how to use the setup, they definitely got the harness-experiment association as well.

                                                            1. 3

                                                              Congrats on writing a Dockerfile.

                                                              A few suggestions:

                                                              • Specify which Debian you want. Latest will change.
                                                              • apt-get update && apt-get install -y nodejs npm
                                                                • Doing this in three steps is inefficient and can cause problems.
                                                              1. 6

                                                                Even better, don’t write a Dockerfile at all. Use one of the existing official Node images which allow you to both specify what Debian and what Node version you want.

                                                                1. 1

                                                                  I tried this but I didn’t get a shell, it would be nice to get it working.

                                                                  1. 4

                                                                    Those images have node set as the CMD, which means it will open the node REPL instead of a shell. You can either do docker run -it node:16-buster-slim /bin/bash to execute bash (or another shell of your choice) instead, or you can make a Dockerfile using the node image as your FROM and add an ENTRYPOINT or CMD instead to eliminate the need to invoke the shell.

                                                                    1. 3

                                                                      Incidentally, to follow up as I remembered to write this, one reason that it’s common for images to use CMD in this way is that it makes it easier to use docker run as sort-of-drop-in replacements of uncontained CLI tools.

                                                                      With an appropriate WORKDIR set, you can do stuff like

                                                                      alias docker-node='docker run --rm -v $PWD:/pwd -it my-node-container node

                                                                      alias docker-npm='docker run --rm -v $PWD:/pwd -it my-node-container npm

                                                                      and you’d be able to use them just like they were node/npm commands restricted to the current directory, more or less. It wouldn’t preserve stuff like cache and config between runs, though.

                                                                  2. 1

                                                                    I have to agree with this. I tend toward “OS” docker images (debian and ubuntu usually) for most things because installing dependencies via apt is just too damn convenient. But for something like a node app, all of your (important) deps are coming from npm anyway so you might as well use the images that were made for this exact use case.

                                                                  3. 3

                                                                    what problems?

                                                                    1. 3

                                                                      It creates 3 layers instead of one. You can only have 127 layers in a given docker image so it’s good to combine multiple RUN statements into one where practical.

                                                                      1. 3

                                                                        Also the 3 layers will take unnecessary space. You can follow the docker best practices and remove the cache files and apt lists afterwards - that will ensure your container doesn’t have to carry them at all.

                                                                      2. 2

                                                                        Check out the apt-get section in the best practice guide:

                                                                    1. 3

                                                                      Who hates package managers? I’ve certainly had teammates frustrated by package management, or annoyed by implementations (e.g. “npm is haunted”), but I’ve never met anyone who has maligned package managers in general or maligned the concept of package management.

                                                                      Are these real people with software engineering experience? I can’t help but assume that anyone who says “I hate package managers” is maybe early in their career and unfamiliar with the problem-space that package managers fit in.

                                                                      1. 1

                                                                        “Hate” is a bit strong, but I really dislike some package managers because of how complex they are and how complicated they make it to package/maintain software. I don’t dislike all package managers though.

                                                                        I assumed after reading this article that the author was talking specifically about application developers who refuse to cooperate with package managers, and instead force users to get their warez through flatpak or something similar.

                                                                      1. 3

                                                                        I think the core of the refactor/rewrite conversation is how long you’re comfortable working on a branch without getting end-user feedback.

                                                                        I’ve only been working as a software engineer for about 10 years, but I’ve always known long-running branches as an anti-pattern that teams try to avoid. Instead, my teams always aimed to merge our code as soon as we have some problem solved — usually multiple times each day.

                                                                        (When I say “long-running branches” I mean both unmerged Git branches and code in the default branch that isn’t getting run in production. TODO: Find a better phrase to capture this.)

                                                                        On larger projects there are sometimes components that will take days or weeks to complete, so we try to break that work down into smaller pieces that can be worked on individually. Some things are hard to break down, so we make the trade-off to work in a big branch, but this is generally a last resort and a code/culture smell.

                                                                        I think of the decision to refactor or rewrite the same way:

                                                                        • If the system is small enough then it doesn’t matter because you aren’t working in a long-running branch.
                                                                        • Otherwise, try to refactor/rewrite one subsystem at a time in a way that users (and other engineers) can give you feedback. At every step you should have a working system, and if you break something then you find out immediately instead of when you launch (i.e. months later after you’ve forgotten how the broken thing was supposed to work).
                                                                        1. 1

                                                                          Fant Model… patch it until it utterly collapses under its own weight. I was not fond of this model, but I feel reality has encroached upon what would be a perfectly good time dreaming about how I will make the next iteration more efficient and better.

                                                                          That doesn’t mean you shouldn’t design things to be replaced and have well modeled APIs. Once upon a time I was witness to a complete engine rewrite piecemeal over a staggering period of time. Well, really, the rewrite never ended once the api gateway was silently proxied out by api and other conditionals. That fate also has potential issues as calls zig and zag through the api gateway.

                                                                          1. 3

                                                                            What’s the Fant Model? I tried looking it up but couldn’t find anything relevant.

                                                                          1. 12

                                                                            Counter-argument: Automatic code formatting tools and rules make fixes easier to backport, not harder. Without consensus on code formatting you’ll end up with trivial syntax differences between branches, which breaks git cherry-pick.

                                                                            The trick is to apply any code formatting rule to every supported release. If you’re backporting a patch from Linux 5.13 to 4.4 then you shouldn’t have any issues with syntax because 4.4 should already have the same code style as 5.13. Now the diff between the two branches represents the semantic differences, none of the syntactic litter you’ve picked up between release. (Most code formatters are non-deterministic, which isn’t ideal, but they’re a huge improvement over the Wild West of inconsistent syntax.)

                                                                            Do automated code formatted cause problems with git cherry-pick, or are large ‘rewrite every file’-type changes incompatible with email-based patch workflows? /semi-s

                                                                            1. 1

                                                                              I like this

                                                                            1. 1

                                                                              I’m quite curious about how semver snuck into the license name. Is that common? I love it.

                                                                              1. 6

                                                                                The article starts with a classy appeal to authority.

                                                                                At its core, all software is about manipulating data to achieve a certain goal. The goal determines how the data should be structured, and the structure of the data determines what code is necessary.

                                                                                Yes, exactly. Therefore, you can first define a logical data structure, and then add methods that operate on said structure. This idea does not conflict with OOP. In fact, prototype-inheritance languages take this a step further and separate data and code, just like you want it; it’s called a “traits object”, and it looks like this:

                                                                                "Assume this is traits yourObject."
                                                                                  parent*= traits clonable.
                                                                                  doSomethingWith: foo = (
                                                                                    bar: foo baz.
                                                                                    "Code to do something with foo goes here."
                                                                                  "More code here as necessary."
                                                                                "Then, let's have a prototype for this object. Assume it is globals yourObject."
                                                                                  parent* = traits yourObject.
                                                                                  bar <- nil.
                                                                                  "More constant or mutable slots go here."
                                                                                "Now, let's use this object."
                                                                                | obj |
                                                                                obj: yourObject copy.
                                                                                obj doSomethingWith: foo copy.
                                                                                "etc. etc."

                                                                                This “traits object” method allows you to keep code and data in two separate objects. You can even make the parent slot (the one with the star) assignable, so you can use the same object with a different set of methods.

                                                                                In my experience, the biggest problem with OOP is that encourages ignoring the data model architecture and applying a mindless pattern of storing everything in objects, promising some vague benefits.

                                                                                An integer is an object, and so is a struct. Everything can be done wrong if applied poorly.

                                                                                Instead of building a good data architecture, the developer attention is moved toward inventing “good” classes, relations between them, taxonomies, inheritance hierarchies and so on. Not only is this a useless effort. It’s actually deeply harmful.

                                                                                Not if you use a top-down approach. With such an approach, you first think about what your application should look like, and then implement the layer below that, then the layer below that, and so on and so forth. Application architecture can be done poorly in non-OOP contexts as well.

                                                                                FizzBuzz Enterprise Edition

                                                                                Yes, it’s a meme that is purposefully verbose. I’m sure you can also spawn an abomination called FizzBuzz Academic Edition implements it in something like Haskell or Idris and turns it into type spaghetti instead.

                                                                                OOP apologists will respond that it’s a matter of developer skill, to keep abstractions in check.

                                                                                It’s a human skill to visit the toilet when one has to discharge. Everyone expects it, and there is no excuse other than a medical condition. Similarly, if you can’t keep your architecture in check then this is not the fault of a programming paradigm, but rather your application of it.

                                                                                Your class Customer has a reference to class Order and vice versa. class OrderManager holds references to all Orders, and thus indirectly to Customer’s. Everything tends to point to everything else because as time passes, there are more and more places in the code that require referring to a related object.

                                                                                I don’t really see how you would improve upon this in a non-OOP setting? You will need to manage those relations somehow. Are you implying that having references to other objects is bad? Also, an orderManager need not hold references to all orders, why would it? It would simply deliver you the order instances. This sounds like a strawman.

                                                                                Another appeal to authority.

                                                                                Example: when class Player hits() a class Monster, where exactly do we modify data?

                                                                                  hit = (|
                                                                                    parent* = traits clonable.
                                                                                    copyDamage: damage = (| c |
                                                                                      c: self copy.
                                                                                      c damage: damage.
                                                                                  player = (|
                                                                                    parent* = traits clonable.
                                                                                    "Fields etc."
                                                                                    hitsMonster: monster = (
                                                                                      monster receivedHit: defaultDamage.
                                                                                      monster dead ifTrue: [
                                                                                        kills: kills succ.
                                                                                  monster = (|
                                                                                    parent* = traits clonable.
                                                                                    receivedHit = (
                                                                                      "Do whatever you need to modify the state."
                                                                                  test = (| p. m. |
                                                                                    p: player copy.
                                                                                    p defaultDamage: damage copyDamage: 50.
                                                                                    m: monsters example.
                                                                                    p hitsMonster: m.

                                                                                encapsulation on a granularity of an object or a class often leads to code trying to separate everything from everything else (from itself).

                                                                                This can often have good reason. A property might have a very good reason to perform an operation when it’s set. I actually disagree with Python’s or C#‘s properties here, because they hide what’s actually going on. In Self, everything is a message pass; therefore, you can simply provide a message that performs the action you want.

                                                                                In my opinion classes and objects are just too granular, and the right place to focus on the isolation, APIs etc. are “modules”/“components”/“libraries” boundaries.

                                                                                That has its own share of problems. “Exporting” from a library is basically same thing as making a member public. I don’t quite understand the difference between having public and private methods on a “class”, and having public and private functions in a module.

                                                                                If program data is stored e.g. in a tabular, data-oriented form, it’s possible to have two or more modules each operating on the same data structure, but in a different way.

                                                                                See above for Self’s dynamic polymorphism.

                                                                                Combination of data scattered between many small objects, heavy use of indirection and pointers and lack of right data architecture in the first place leads to poor runtime performance. Nuff said.

                                                                                Not “nuff said”. Self’s generational GC concept has proven itself quite useful, and forms the basis of the Java HotSpot VM (one of the fastest VMs around, I think most would agree) along with the JIT. Object oriented programming languages do not create non-performant code; bad code creates non-performant code.

                                                                                The DataStore approach is just bizarre and seems like it’s implementing a slow, half-broken version of an RDBMS within the application. If you need to go brrrr fast then just use a query builder.

                                                                                All in all, 4/10, could use less inspirational quotes from figureheads.

                                                                                1. 1

                                                                                  Aside: What language are you using for your examples? It doesn’t look familiar so I’m having a hard time understanding what it’s meant to convey.

                                                                                  1. 1

                                                                                    I am using the Self programming language, which is a prototype inheritance-based object oriented programming language.

                                                                                    1. 1


                                                                                1. 14

                                                                                  Meta: I’m shocked at the number of trolls in this thread. Lots of folks are contributing thoughtfully and in good faith, but a bunch of other people just want to stir the pot. I’m resisting the temptation to reply to them, so I’m commenting here to express my frustration.

                                                                                  Anyone else kinda shocked to see such bleh behavior on such a [usually] kind site?

                                                                                  1. 11


                                                                                    1. 1

                                                                                      Could you maybe expound a bit?

                                                                                  1. 7

                                                                                    Aside from regular work, I’m working on my code editor: cross platform, simple, modal and opinionated terminal code editor.

                                                                                    It’s been about 2 months that it’s now my main editor (just uninstalled neovim :D). It’s coded from scratch using rust, and today I removed the last non-platform dependency (fuzzy-matcher) and now the only dependencies are winapi and libc that are used in the platform layers.

                                                                                    My next milestone is updating the screenshots/gifs on github and some more polish before going 1.0

                                                                                    1. 1

                                                                                      Well done! Now I need to go digging for a link :D

                                                                                        1. 1

                                                                                          Thanks! Is it okay to link it here? Anyways, the project’s name is Pepper which is named after my cat :D

                                                                                          1. 1

                                                                                            It’s probably fine. After all; we are here to share our thoughts on technology!

                                                                                            Edit: it looks like a cool project, the opinionatedness is very much in line with my opinions.. leave everything to other tools and focus on the editor component.

                                                                                            1. 2

                                                                                              Thanks and thanks for taking a look! I took lots of inspiration from Kakoune on that

                                                                                              1. 2

                                                                                                That’s great, I love Kakoune’s take on vim commands. I wish it was supported in popular IDEs (there’s a buggy one for vscode, and that’s it I think).

                                                                                      1. 16

                                                                                        I think there’s an XY problem here. What’s the purpose of doing this? Is it because writing <a href> </a> is too much overhead to write? Too much overhead to read? Is “links can only be one word” a technical limitation, or a design goal?

                                                                                        1. 2

                                                                                          It’s for a 2D language. 2D langs work better when words are atomic. Matched delimiters (like parens, brackets, tags) are an anti-pattern in 2D langs. You gain a lot of nifty little features when you know words are atomic.

                                                                                          1. 9

                                                                                            Can you link to a resource that explains what you mean? I’m not familiar with 2D languages, but it sounds like you’re still using delimiters, they’re just white space instead?

                                                                                            1. 1

                                                                                              I have no idea how the listed syntax is associated with a 2D language, but is an example of a 2 dimensional language.

                                                                                        1. 2

                                                                                          Cool! I’d love an ortholinear board, but that’s okay. I’m happy to see them making cool stuff.

                                                                                          1. 1

                                                                                            interesting, are ortholinear keyboards better to type with?

                                                                                            1. 3

                                                                                              Ostensibly, yes. Ortholinear = less lateral finger movement = good, because lateral finger movement is bad.

                                                                                              1. 2

                                                                                                I like them a bit more, and I could see how they could be Objectively Better, but I don’t think I’ve seen it seriously studied. My understanding is that staggered keyboards are a byproduct of typewriters that couldn’t have vertically aligned keys, and since we don’t have that constraint then it’s reasonable to design around it.

                                                                                                I have an Ergodox that I enjoy a bunch, I can’t recommend it enough.

                                                                                            1. 1

                                                                                              I wonder which Docker images this was tested on. I seem to remember that the official python images are slower than ubuntu because of some detail around how it’s compiled. No link handy, though.

                                                                                                1. 1

                                                                                                  You got it, thanks.

                                                                                                2. 1

                                                                                                  fedora:33, in order to match the host operating system and remove that as a factor.

                                                                                                1. 4

                                                                                                  I’d be interested in the output of perf record/report here since it would presumably show what’s causing a slowdown.

                                                                                                  1. 5

                                                                                                    Yeah, I’m quite interested in why this is happening and would love to avoid the speculation in the article.

                                                                                                  1. 1

                                                                                                    This is great, and along the same lines I’ve been thinking for the past few months. I started writing an AST editor ( but it’s honestly not a quick and easy side project.

                                                                                                    I’m looking forward to seeing more developments in this space, I’m convinced that text editors <<< code editors.