-
Nice write up on the
OpenStructobject in ruby!However, I have to do my due diligence here. For most (all?) cases, using
OpenStructis a terrible anti-pattern. AnyOpenStructobject will respond to any method you call on it and if it doesn’t exist, returnsnil. This causes uncertainty within the system and makes testing a nightmare.As I recommend to most people, you’re better off using a PORO (plain old ruby object)!
-
-
-
-
I thought so too, until a friend corrected me: That was fixed several years ago and isn’t still the case.
-
-
Thanks for sharing your precious experience with
OpenStruct:-)Anyway, the goal of my articles is just to describe a notion as deeply as possible. I prefer to keep a neutral point-of-view because each notion that I describe can be useful in many cases.
Implementing the notion in real use cases is just a matter of sensitivity for each developer.
That’s why I’m glad that you share your opinion and your experience with the
OpenStructclass here.-
-
Why do you want that neutral position? One of the things I really love in articles is seeing how people evaluate the benefits and risks of tools like OpenStruct. I get to understand when to use or not use something, learn general strategies useful for other tools. Let the documentation be non-judgemental description, I want experienced opinions. :)
-
Actually my articles are made to demystify a misunderstood or opaque notion. By doing so, developers can take the decision to apply the notion or not by knowing all the aspects of it.
Also, this enhances their general culture about the language.
After, your point of view is also correct. Maybe, in a near future I’ll start to share my experience with the notions that I treat in my articles.
Thanks for the feedback. It’s really appreciated :-)
-
-
-
-
LibertarianLlama
edited
3 days ago
|
link
| on:
Intel Publishes Microcode Security Patches, No Benchmarking Or Comparison Allowed
I don’t really think that you should be allowed to ask the users the sign a new EULA for security patches. You fucked up. People are being damaged by your fuck up and you should not use that as leverage to make the users do what you want so they can stop your fuck up from damaging them further.
Patches only count if they come with the same EULA as the original hardware/software/product.
-
Sure - you’re welcome to refuse the EULA and take your processor back to the retailer, claiming it is faulty. When they refuse, file a claim in court.
Freedom!
-
This suggestion reminds me of the historical floating point division bug. See https://en.m.wikipedia.org/wiki/Pentium_FDIV_bug
There was a debate about the mishandling by Intel. Also, there was debate over “real-world impact,” estimates were all over the charts.
Here, it seems that the impact is SO big, that almost any user of the chip can demonstrate significant performance loss. This might become even bigger than the FDIV bug.
-
They are being sued by over 30 groups (find “Litigation related to Security Vulnerabilities”). It already is.
As of February 15, 2018, 30 customer class action lawsuits and two securities class action lawsuits have been filed. The customer class action plaintiffs, who purport to represent various classes of end users of our products, generally claim to have been harmed by Intel’s actions and/or omissions in connection with the security vulnerabilities and assert a variety of common law and statutory claims seeking monetary damages and equitable relief. The securities class action plaintiffs, who purport to represent classes of acquirers of Intel stock between July 27, 2017 and January 4, 2018, generally allege that Intel and certain officers violated securities laws by making statements about Intel’s products and internal controls that were revealed to be false or misleading by the disclosure of the security vulnerabilities […]
As for replacing defective processors, I’d be shocked. They can handwave enough away with their microcode updates because the source is not publicly auditable.
-
The defense could try to get the people who are discovering these vulnerabilities in on the process to review the fixes. They’d probably have to do it under some kind of NDA which itself might be negotiable given a court is involved. Otherwise, someone who is not actively doing CPU breaks but did before can look at it. If it’s crap, they can say so citing independent evidence of why. If it’s not, they can say that, too. Best case is they even have an exploit for it to go with their claim.
-
-
-
-
I don’t really think that you should be allowed to ask the users the sign a new EULA for security patches.
A variation of this argument goes that security issues should be backported or patched without also including new features. It is not a new or resolved issue.
Patches only count if they come with the same EULA as the original hardware/software/product.
What is different here is that this microcode update also requires operating system patches and possibly firmware updates. Further not everyone considers the performance trade-off worth it: there are a class of users for whom this is not a security issue. Aggravating matters, there are OEMs that must be involved in order to patch or explicitly fail to patch this issue. Intel had to coordinate all of this, under embargo.
-
This reminds me of HP issuing a “security” update for printers that actually caused the printer to reject any third-party ink. Disgusting.
-
-
It’s worth thinking on more broadly since it’s the second-largest driver of insecurity. Demand being the first.
The easiest example is mobile phones. The revenue stream almost entirely comes from sales of new phones. So, they want to put their value proposition and efforts into the newest phones. They also want to keep costs as low as they can legally get away with. Securing older phones, even patching them, is an extra expense or just activity that doesn’t drive new phone sales. It might even slow them. So, they stop doing security updates on phones fairly quickly as extra incentive for people to buy new phones which helps CEO’s hit their goalposts in sales.
The earliest form I know of was software companies intentionally making broken software when they could spend a little more to make it better. Although I thought CTO’s were being suckers, Roger Schell (co-founder of INFOSEC) found out otherwise when meeting a diverse array of them under Black Forrest Group. When he evangelized high-assurance systems, the CTO’s told him they believed they’d never be able to buy them from the private sector even though they were interested in them. They elaborated that they believed computer manufacturers and software suppliers were intentionally keeping quality low to force them to buy support and future product releases. Put/leave bugs in on purpose now, get paid again later to take them out, and force new features in for lock-in.
They hit the nail on the head. Biggest examples being IBM, Microsoft, and Oracle. Companies are keeping defects in products in every unregulated sub-field of IT to this day. It should be default assumption with default mitigation being open API’s and data formats so one can switch vendors if encountering a malicious one.
EDIT: Come to think of it, the hosting industry does the same stuff. The sites, VPS’s, and dedi’s cost money to operate in a highly-competitive space. Assuming they aren’t loss-leaders, I bet profitability on the $5-10 VM’s might get down to nickles or quarters rather than dollars. There’s been products on market touting strong security like LynxSecure with Linux VM’s. The last time I saw price of separation kernels w/ networking and filesystems it was maybe $50,000. Some supplier might take that a year per organization just to get more business. They all heavily promote the stuff. Yet, almost all hosts use KVM or Xen. Aside from features, I bet the fact that they’re free with commoditized support and training factors into that a lot. Every dollar in initial profit you make on your VM’s or servers can further feed into the business’s growth or workers’ pay. Most hosts won’t pay even a few grand for a VMM with open solutions available, much less $50,000. They’ll also trade features against security like management advantages and ecosystem of popular solutions. I’m not saying any of this is bad choices given how demand side works: just that the business model incentivizes against security-focused solutions that currently exist.
-
-
-
-
-
-
One thing about SPAs…they seemed to be really popular starting with the rise of Rails, mostly as a way of compensating for Rails amazingly slow rendering.
-
-
Server-side rendering is a thing.
-
-
-
Also, there’s (eg)
react-railswhich does server-rendering of a react SPA (so you get the HTML which your react code would generate, served by rails).
-
-
-
-
-
-
I don’t understand how/if webmentions are significantly different from the pingbacks everbody used to have on their WordPress blog (because I think they were enabled by default?) and then promptly disabled because of too much spam.
-
Webmentions have been modeled after pingback. They are basically a refinement.
Regarding spam, well, as always when you are exposing a write permission though the web, you are more or less vulnerable. This problem has and is still discussed within the indieweb community. A protocol, Vouch has been proposed to address this problem.
And as mentioned below, you still can moderate or simply not display your webmentions altogether.
-
-
Presumably? I mean, they got implemented, right? Someone spent the time to make that happen.
-
Did anyone ever care about pingbacks though? Even the non-spammy ones?
I can only speak for myself, but I did. It often gave me access to blogs by people with similar interests that I would have otherwise never known about to visit. It used to be that a large percentage of bloggers would list their favourite blogs somewhere on every page (sidebar/footer) so finding one blog with an author who shared similar interests could end up in a twenty five link binge.
I guess it was a different time, then again it was over a decade ago.
-
-
-
I was wondering that, unless these aren’t intended to be published in verbose and instead used more as a notification for the author and only really published publicly as a counter?
If the pingbacks had been used simply to list in the authors admin places where their articles had been mentioned and not published alongside comments to the article then there would have been a lot less spam.
-
-
-
I much prefer the idea of using something like transparent content negotiation or other similar means of letting the client and server of a website determine which content is necessary given a device’s preferences and capabilities.
I’ve never actually seen this implemented unfortunately (outside of certain APIs, but not web pages), but I can dream…
-
Unfortunately, despite browsers and servers supporting negotiation, most CDNs do not obey the
Varyheader even if you set it.
-
-
Everytime I see a post for Nim I am hoping for a Golang competitor that can actually bring something new to the table. But then I look at the library support and community and walk back disappointed. I am still hoping for nim to take off and attract Python enthusiasts like me to a really fast compiled language.
-
But then I look at the library support and community and walk back disappointed.
It’s very hard to get the same momentum that Go achieved, just by the sheer fact that it is supported and marketed by Google. All I can say is: please consider helping Nim grow its community and library support, if everyone sees a language like Nim and gives up because the community is small then all new mainstream languages will be owned by large corporations like Google and Apple. Do you really want to live in a world like that? :)
-
How about https://crystal-lang.org
-
Have tried it; GC is way to optimistic so under high loads you would see memory being wasted. I love the syntax and power of language but it still stands shy when you can’t compile single binary (like golang) and end up with weird cross compile issues. Nim is way more efficient in terms of memory and GC overhead.
-
-
-
I think that’s more a result of Go having the manpower to develop and maintain an SSL library written in Go. As far as I understand, if you were to write an SSL library in 100% Crystal you wouldn’t have this problem.
By the way, Nim goes a step further. Because it compiles to C you can actually statically embed C libraries in your binary. Neither Go nor Crystal can do this as far as I know and it’s an awesome feature.
-
Is there a distinction between “statically embed C libraries in your binary” and “statically link with C libraries”? Go absolutely can statically link with C libraries. IIRC, Go will still want to link with libc on Linux if you’re using cgo, but it’s possible to coerce Go into producing a full static executable—while statically linking with C code—using something like
go install -ldflags "-linkmode external -extldflags -static".-
There is a difference. Statically linking with C libraries requires a specially built version of that library: usually in the form of a
.aor.libfile.In my experience, there are many libraries out there which are incredibly difficult to statically link with, this is especially the case on Windows. In most cases it’s difficult to find a version of the library that is statically linkable.
What I mean by “statically embed C libraries in your binary” is: you simply compile your program’s C sources together with the C sources of all the libraries you depend on.
As far as Go is concerned, I was under the impression that when you’re creating a wrapper for a C library in Go, you are effectively dynamically linking with that library. It seems to me that what you propose as a workaround for this is pretty much how you would statically compile a C program, i.e. just a case of specifying the right flags and making sure all the static libs are installed and configured properly.
-
-
-
-
You have to jump through quite a few hoops to get dynamic linking in go.
By default it statically links everything, doesn’t have a libc, etc.
-
-
It’s not uncommon or difficult in go to compile a webapp binary that bakes all assets (templates, images, etc) into the binary along with a webserver, HTTPS implementation (including provisioning its own certs via ACME / letsencrypt), etc.
-
-
There are different approaches, https://github.com/GeertJohan/go.rice for example supports 3 of them (see “tool usage”)
-
-
-
-
I think he mentions the ability to statically build [1] binaries in Golang. I’d note that this is a feature that is not so common and hard to achieve. You can do this with C/C++ (maybe Rust), but it has some limits, and it’s hard to achieve with big libraries. Not having statically built binaries often means that you need a strong sense of what you need and to what point or using good packaging/distribution workflows (fpm/docker/…).
It’s a super nice feature when distributing software (for example tooling) to the public, so it feels like “here you are your binary, you just have to use it”.
-
-
-
-
The “programming by duct taping 30 pip packages together” method of development is pretty new, and it isn’t the only way to program. Instead, you grow the dependencies you need as you build your app, and contribute them back once they’re mature enough.
More time consuming, but you have total control.
-
-
One way I’ve seen daily standups work well is when you have an imminent release or a P0 bug that the team is working to address. The standup is set up for an explicit and temporary purpose and dissolves after the situation is gone.
Otherwise, I’ve seen standups devolve into people just mentioning what they’re working on, prioritizing looks over substantiative progress.
-
Yep - even when I was in a 100% waterfall environment, when something really important was looming management would come past every morning and gather everyone to discuss the plan.
I feel like perhaps standup is at its most useful when you’re working on something that makes the C-level execs nervous.
-
-
-
-
After writing Go for 5 years, I’d recommend Rust for C developers. It’s more complicated than Go for sure, but also has more to offer. The lack of garbage collection and support of generics are definitely a plus compared to Go.
Go is a better language for junior devs, but I wouldn’t call C programmers junior. They should be able to digest Rust’s complexity.
-
-
Rust can definitely get overly complex if the developers show no constraint (i.e. type golf), but the control afforded by manual memory management makes up for it, IMHO. Unless it’s a one-run project, performance will eventually matter, and fixing bad allocation practices after the fact is a lot harder than doing it right from the beginning.
-
Couldn’t they just start with a C-like subset of Rust adding from there to their arsenal what extra features they like? It’s what I was going to recommend to those trying it for safety-critical use since they likely know C.
-
-
I think C++ as a better C works because you still have libc besides the STL, etc. The Rust standard library uses generics, traits, etc. quite heavily and type parameters and lifetime parameters tend to percolate to downstream users.
Though I think a lot of value in Rust is in concepts that may initially add some complexity, such the borrow checker rules.
-
The problem with C++ is its complexity at the language level. I have little hope of teams of people porting various tools for static analysis, verification, and refactoring to it that C and Java already have. Certifying compilers either. C itself is a rough language but smaller. The massive bandwagon behind it caused lots of tooling to be built, esp FOSS. So, I now push for low-level stuff either safer C or something that ties into C’s ecosystem.
-
-
You could argue the same for C++ (start with C and add extra features). Complexity comes with the whole ecosystem from platform support (OS, arch), compiler complexity (and hence subtle difference in feature implementations) to the language itself (C++ templates, rust macros). It’s challenging to limit oneself to a very specific subset on a single person project, it’s exponentially harder for larger teams to agree on a subset and adhere to it. I guess I just want a safer C not a new C++ replacement which seems to be the target for newer languages (like D & Rust).
-
It’s challenging to limit oneself to a very specific subset on a single person project, it’s exponentially harder for larger teams to agree on a subset and adhere to it.
I see your overall point. It could be tricky. It would probably stay niche. I will note that, in the C and Java worlds, there’s tools that check source code for compliance with coding standards. That could work for a Rust subset as well.
“I guess I just want a safer C not a new C++ replacement which seems to be the target for newer languages (like D & Rust).”
I can’t remember if I asked you what you thought about Cyclone. So, I’m curious about that plus what you or other C programmers would change about such a proposal.
I was thinking something like it with Rust’s affine types and/or reference counting when borrow-checking sucks too much with performance acceptable. Also, unsafe stuff if necessary with the module prefixed with that like Wirth would do. Some kind of module system or linking types to avoid linker errors, too. Seemless use of existing C libraries. Then, an interpreter or REPL for the productivity boost. Extracts to C to use its optimizing and certifying compilers. I’m unsure of what I’d default with on error handling and concurrency. First round at error handling might be error codes since I saw a design for statically checking their correct usage.
-
I can’t remember if I asked you what you thought about Cyclone. So, I’m curious about that plus what you or other C programmers would change about such a proposal.
I looked at it in the past and it felt like a language built on top of C similar to what a checker tool with annotations would do. It felt geared too much towards research versus use and the site itself states:
Cyclone is no longer supported; the core research project has finished and the developers have moved on to other things. (Several of Cyclone’s ideas have made their way into Rust.) Cyclone’s code can be made to work with some effort, but it will not build out of the box on modern (64 bit) platforms).
However if I had to change Cyclone I would at least drop exceptions from it.
I am keeping an eye on zig and that’s closest to how I imagine a potentially successful C replacement - assuming it takes up enough community drive and gets some people developing interesting software with it.
That’s something Go had nailed down really well. The whole standard library (especially their crypto and http libs) being implemented from scratch in Go instead of being bindings were a strong value signal.
-
re dropping exceptions. Dropping exceptions makes sense. Is there another way of error handling that’s safer or better than C’s that you think might be adoptable in a new, C-like language?
re Zig. It’s an interesting language. I’m watching it at a distance for ideas.
re standard library of X in X. Yeah, I agree. I’ve been noticing that pattern with Myrddin, too. They’ve been doing a lot within the language despite how new it is.
-
Dropping exceptions makes sense. Is there another way of error handling that’s safer or better than C’s that you think might be adoptable in a new, C-like language?
Yes, I think Zig actually does that pretty well: https://andrewkelley.me/post/intro-to-zig.html#error-type
edit: snippet from the zig homepage:
A fresh take on error handling that resembles what well-written C error handling looks like, minus the boilerplate and verbosity.
-
Thanks for the link and tips!
-
-
-
-
-
-
-
-
-
-
Junior and senior developers also enjoy language features such as map, reduce, filter, and generics.
Those are great!
deterministic memory allocation, soft realtime, forced error checking, zero-cost abstractions, and (of course) memory safety.
Where are you finding juniors who care about this stuff? (no, really - I would like to know what kind of education got them there).
-
-
-
Map, reduce and filter are easily implemented in Go
How? Type safe versions of these, that is, without
interface{}and hacky codegen solutions?-
Here are typesafe examples for Map, Filter etc: https://gobyexample.com/collection-functions
Implementing one Map function per type is often good enough. There is some duplication of code, but the required functionality is present. There are many theoretical needs that don’t always show up in practice.
Also, using
go generate(which comes with the compiler), generic versions are achievable too. For example like this: https://github.com/kulshekhar/fungen-
When people say “type safe map/filter/reduce/fold” or “map, reduce, filter, and generics” they are generally referring to the ability to define those functions in a way that is polymorphic, type safe, transparently handled by the compiler and doesn’t sacrifice runtime overhead compared to their monomorphic analogs.
Whether you believe such facilities are useful or not is a completely different and orthogonal question. But no, they are certainly not achievable in Go and this is not a controversial claim. It is by design.
-
-
The implementation of generics in C++ also works by generating the code per required type.
But they are not really comparable. In C++, when a library defines a generic type or function, it will work with any conforming data type. Since the Go compiler does not know about generics, with
go generateone can only generate ‘monomorphized’ types for a set of predefined data types that are defined an upstream package. If you want different monomorphized types, you have to import the generic definitions and rungo generatefor your specific types.unless you consider code generation
By that definition, any language is a generic language, there’s always Bourne shell/make/sed for code generation ;).
-
-
That’s why I said “transparently handled by the compiler.” ;-)
-
-
Yes. And for the reasons mentioned by @iswrong.
My larger point here really isn’t a technicality. My point is that communication is hard and not everyone spells out every point is precise detail, but it’s usually possible to infer the meaning based on context.
-
-
I mean, I’ve written Go code nearly daily since before it was 1.0. I don’t need to argue with you about whether generics are “needed,” which is a pretty slimy way to phrase this.
Seems to me like you’re trying to pick a fight. I already said upthread that the description of generics is different from the desire for them.
-
-
-
-
-
-
-
-
-
-
-
-
-
Compiling a very large go project with a cold cache might take a minute (sub-second once the cache is warm).
Compiling a fairly small rust app with a warm cache has taken me over a minute (I think it’s a little better than that now).
-
-
-
-
-
For those intrigued by HyperCard, there is a modern day descendant that is able to produce standalone software for macs, windows, linux, iOS and Android called LiveCode. It is a joy to use, specially when you’re just building tools for your personal use, more focused in solving your own problems than building the next unicorn thing. Nothing is faster, IMHO, than dragging and droping a bunch of controls, writing some glue script, and scratching some itch. It can (and is) used to ship real products in all platforms. I think it shines in Desktop cross-platform development and for internal tools, those are my preferred use-cases for it.
-
-
You can actually have it for free. They have an open source GPL version at https://livecode.org/, it is targeted at professional developers but I know a ton of non-developers using it (I used to be a quite active member of their community) and techers in K12 space using it as well so you can still have that feeling of using stacks in HC.
-
-
-
I always use it when I need to transform data for some other stuff I am doing, or to scrape stuff for personal use, or to do some form of batch processing.
A recent example, I was building a little API backend server for a project that is not related to LiveCode, just normal web stuff. It was easier for me to cook up a little stack with buttons, fields and some diagnostics and debug my little server while I was building it than use those generic tools such as insomnia.
Those generic tools are awesome, pretty and powerful, but my own handmade tools, which I create specifically to a given project have the advantage of being tailored to whatever I am building, so they might be ugly but they are my special-purpose tools that help me develop and debug my own projects. There is a lot of developer ergonomics when you can quickly come up with GUI tools to debug whatever you’re doing.
Another example is when I had to do some complex batch renaming of thousand of files. The process involved a little crawler going on disk into the folders, inspecting some configuration files relative to the folders and renaming stuff inside them. I could do this with visual feedback, progress bars, etc…
I am quite bad at design but I am scratching my itches, not selling itch scratchers. My little stacks help me a lot.
-
-
-
-
What the hell, @rain1.
Find something kinder to do with your time.
Bringing other people down while adding nothing to the conversation isn’t something we need here.
-
-
-
Would there be interest in a “advertising” flag option?
-
-
How would it be different to “spam” or “show”?
-
-
Would cubicles be better? That’s one cost efficient way to turn an office to a non-open office, I think 🤔
-
Cubes combine the distracting background noise of an open plan office with having to sit by yourself :/
-
-
Agreed - while headphones can at least block out audible distractions in an open-office plan, there’s nothing to be done for people shooting hoops and reenacting last night’s Warriors game, or people trying to circumvent my “do not disturb” notice on Slack by waving their hands in front of my monitor (both actual examples at $OLDJOB). Visual distractions, at least for me, are just as bad!
-
-
-
-
What does this do better than the canvas element? And why is it specifically part of CSS?
-
The
houdiniproject aims to let you polyfill (future) CSS features rather than waiting for them to be implemented everywhere.Once
houdinisupport rolls out to all your target browsers, you won’t have to write a bunch of fallback CSS. -
This is what happens when excitement overrules sane design principles. People seem to have all but forgotten about why we tried to separate HTML, CSS and JS. Now it seems to converge on the idea of everything being a JS library and JS being a structure of the Web, instead of HTML.
-
I don’t see it that way at all. The practical implication of the Houdini features (viewed in total, not just this piece of them), at least aspirationally, will be that it’s easier to factor custom design elements into their declarative parts and their procedural parts. There’s a lot of black-box complexity within CSS as it currently stands, and it makes sense to open that up so it can be extended and modified.
-
-
-
-
Just git?
I was kind of hoping that if we’re going to break the github hegemony, we might also start to reconsider git at least a little. Mercurial has so many good ideas worth spreading, like templates (DSL for formatting the output of every command), revsets (DSL for querying commits), filesets (DSL for querying files and path) and changeset evolution (meta-graph of commit rewriting).
-
Don’t forget pijul!
Seriously, though, I don’t think there is any “github plus something” that is going to break the github hegemony. Github won because it offered easy forking while Sourceforge was locked in a centralized model. Sourceforge won because it was so much easier than hosting your own repo + mailing list.
The thing that will get people away from github has to have a new idea, a new use case that isn’t being met by github right now, and which hasn’t been proposed before. That means that adding hg won’t do it – not because hg is worse than git (honestly, git’s terrible, and hg is fine), but because hg’s already been an option and people aren’t using it.
Adding email commits won’t do it, because that use case has been available for a long time (as pointed out elsewhere in these comments) and people aren’t using it.
Until something new is brought to the table, it’s all “let’s enter a dominated market with a slight improvement over the dominant tech”, and that’s just not going to be enough.
-
So, one thing that I would use a new contender for is being able to put my work under my own domain.
The “new thing” here is “have your personal branding on your site” (which is clearly fairly popular given how common personal domain/sites are among developers).
If I could CNAME
code.daniel.heath.ccto your host to get my own github, I’d do it today (as long as any issues/wiki/PR state/etc remained usefully portable).-
-
-
I don’t mean corporate/design branding.
I want to use my own name (and be able to move providers without breaking links).
-
-
Yep - so it has to be oss too.
-
That makes sense actually. sr.ht supporting the ability to use your own domain name (presumably a subdomain of your personal domain name for personal projects?) would make it really easy to migrate away from sr.ht in the future if you felt it was more cost-effective to host your own. Although I don’t know what the pricing model is intended to be.
-
-
-
-
-
You can do that with Gitlab (or Gitea if you prefer something lightweight). Only thing is you need to take care of the hosting yourself. But I’m sure there are companies offering a one-click setup, to which you can later point your own domain.
-
If you host your own gitlab instance, can you fork and submit patches to a project that’s hosted on gitlab,com, as easily/seamlessly as if you were hosted there?
Centralization has benefits that self-hosting can’t always provide. If there were some federation which allowed self-hosting to integrate with central and other self-hosting sites, that seems like a new and interesting feature.
-
Git is already federated with email - it’s specific services like GitHub which are incompatible with git’s federation model (awfully conveniently, I might add). sr.ht is going to be designed to accomodate git’s email features, both for incoming and outgoing communication, so you’ll be able to communicate easily between sr.ht instances (or sr.ht and other services like patchworks or LKML).
-
-
The gitlab, gitea, and gogs developers are working on this but it’s still very much in the discussion stage at this point. https://github.com/git-federation/gitpub/
-
Oh, definitely no federation. Didn’t know that federation was what he was looking for.
-
-
-
It’s currently awkward to run multiple domains on most OSS servers which might otherwise be suitable.
-
-
-
-
-
I’m afraid you’re not going to find a sympathetic ear in sr.ht. I am deeply fond of git and deeply critical of hg.
The GitHug hegemony has nothing to do with its basis on git. If git were the product of GitHub, I might agree, but it’s not. If you really want to break the GitHub hegemony you should know well enough to throw your lot in with the winning tool rather than try to disrupt two things at once.
-
-
-
The GitHug hegemony has nothing to do with its basis on git.
Exactly; it’s the other way around. Git got popular because of github.
Git was much worse before github made it popular. It’s bad now and difficult to use now, but it was much worse before 2008. So if you just want to get away from Github, there’s no need to stay particulary enamoured with git either.
And whatever criticisms you may have about hg, you have to also consider that it has good ideas (those DSLs above are great). Those ideas are worth spreading, and git for a long time has tried to absorb some of them and hasn’t succeeded.
-
-
-
The main thing overlooked when comparing SPA and turbolinks is the perceived performance advantage of knowing which parts of the page are going to change.
On a turbolinks project the default loading indicator is a bar across the top of the page, vs an SPA where you can blank out the part of the page which will change. The latter looks way faster.
IMO this is unfortunate because turbolinks is much easier to get right. I’m interested in trying to improve the situation but it seems difficult without adding markup at template entry points and being able to statically determine what templates a route will hit.
-
I think this is a fun idea, and I think your stated goal of a middle ground between “everyone uses GitHub” and “everyone self hosts everything” is worth pursuing.
What could be a killer feature for this though is an API to export all a user’s data in a simple format, say a .tar.gz archive with directories for email, git repos, pastes and CI logs. If you keep your feature set small it should be possible to automate this so users who are interested can just download their archive using cron.
If I could easily integrate this with my own backup regime, I’d consider using it for real work.
-
-
You’ve hit the nail right on the head.
Data portability (export/import) and social-graph/link portability (custom domains) are the two preconditions to make this kind of thing work (and why I’m uninterested in having an account on a mastodon server - no custom domain support).
-
All of this is on my personal roadmap, as stages 1 and 2 are mentioned on the website I have a stage 3 in my head which includes all of this. The main roadblock is the fact that Asymptote Club is cobbled together from a bunch of third party projects, and they don’t always have fantastic export support. Though, they are all open source, so I could add support in the future.
At least at the moment, you can rsync your home directory from the shell server, which includes mail. Pastes are meant to be ephemeral, for example to give someone a crash log, for now. I might be able to write a simple backup tool with the Gitea API to automatically clone a user’s repos.
As for custom domains, I could potentially add custom email domain support, but I’m not sure how I’d execute custom domains on the rest.
-
-
I’ve given some thought to this.
For apps which store a domain in a config file, you could launch an instance on-demand and terminate it after some inactivity.
Of course, that could start using a lot of RAM/CPU pretty quickly; much better to use software which was built with this use-case in mind.
-
-
-
-
-
-
lorddimwit
edited
1 month ago
|
link
| on:
How not to structure your database-backed web applications: a study of performance bugs in the wild
This is why I much prefer not to use an ORM. Database vendors have spent decades optimizing their engines, and the engines themselves are very well-suited to manipulating data in situ. ORMs encourage very generic operations and tend to require or encourage data manipulation on the client side, meaning more round-trips, more serialization, etc.
If you’re going to use an SQL database…use an SQL database. Write queries and statements that manipulate your data. Take advantage of your database’s ability to manipulate data in ways that aren’t just “return this list sorted”.
As a very simple example, you need to have a list of MD5 sums of a field in a database. A common ORM way would be to get a list of all the fields and then calculate the MD5 sums, or you could just do “SELECT MD5(foo) FROM bar” and have the database do it (assuming, of course, that your database supports MD5 calculation). You might be able to trick your ORM into doing it using some additional mechanism to have it apply functions to the returned result set, but at that point you’ve abandoned the database-agnostic part of the ORM and/or have to learn basically a whole new language on top of SQL when you could just…write SQL that you’re gonna end up writing anyway.
The only time, to me, ORMs really make sense is when your produce needs to support multiple database backends, but for things like web apps, how often do you really migrate your infrastructure to a different DB?
(Shameless plug: if you need lightweight database abstraction in Python but want to use your database as a database and not a hidden-away database serialization layer, try dpdb )
-
Huh, I see performance as one of the best reasons to use an ORM. There’s a lot of techniques that AR does like ‘select 1 from’ for testing existence that most developers don’t know and it precludes a lot of “eh, I don’t understand why this isn’t working so I’ll add
distinct”. It gets the 99% cases right better than developers. I know the answer is git gud but I find humans aren’t great at considering the non-obvious implications of every line of code they write, or they reuse existing code that does almost what they want, etc. The overwhelming majority of queries are boring and an ORM helps people focus on the couple that aren’t.-
Not only that; once you know AR well you can quickly generate relatively-well-optimized queries (eg
Foo.where(id: Bar.select(:foo_id)generates one query whereas using pluck would generate two).
-
-
-
As much as I would like a decentralised web to take over. I think I see a major issue with ActivityPub. Apparently, search doesn’t appear to be specified. And one advantage big centralised services will have is the ability to search all their network. For example, I would like to search all the network for a specific username, keyword, etc… Without that, it’s like going back to the net before google search.
-
Yeah, I’m curious if ActivityPub can support arbitrary aggregation over multiple nodes. It seems to me that in this kind of architecture, maybe nodes ought to support publishing changes over websocket to interested listeners. You could have aggregation nodes doing things like search, or post rankings, which could attach themselves in this fashion. Plus this would have the added benefit that if you didn’t like a particular aggregator’s implementation (a hotness formula for example, or search indexing algorithm) you could switch to a different one.
-
Usernames include the server, so I’m not sure that case makes sense.
Not supporting keyword search means I don’t get random and bots sealioning my conversations.
-
I was thinking about peer tube for example. It would be very nice if I was able to search only for the current node or on all fediverse for the things I’d like to find. Like niche programming languages for example. The goal of publishing something is to be read, even by bots. Also I’m not sure a federated network would be more robust in face of bots. Pretty sure it would be the opposite, because each node would have less data to analyze for bot detection. Still by the end, I’m pretty sure the only good solution would be to have a global “Web of Trust”.
-
Ahh, I see. 99% of my social media us is to connect with people I already know (or have in my extended network). For that use case, it’s a feature to be less easily discovered.
For publishing content it’s definitely the opposite; you want it to be found. Difficult though because now you’re competing for attention with spammers.
-
-
-
-
For me as a programmer, what I need is just a stable Operating System which can always provide latest software toolchains to meet my requirements, and I don’t want to spend much time to tweak it.
Why is this? As a programmer I find I rarely need bleeding edge. I’m sure not going to install bleeding edge to production. It can be fun for hacking around but I don’t see why as a programmer it’s needed.
-
-
-
I don’t want bleeding edge in general, but “your issue has been fixed in the latest version” get old quickly.
-
-
pims
2 months ago
|
link
| on:
How not to structure your database-backed web applications: a study of performance bugs in the wild
Inefficient data accessing (ID) results in slow data transfers by either not getting enough data (resulting in the familiar N+1 selects problem), or getting too much data. This can be due to inefficient lazy loading (still prevalent in this study), or too-eager eager loading. Here’s an example of a patch in Lobsters that replaces 51 database queries with one:
-
There’s some really interesting theoretical work being done to compile template files into optimal queries.
In theory a templating language statically determine what data needs to be fetched ahead of time, but integrating it into an application framework is a significant job.
-
Can we not post scuttlebutt on twitter from a thread in the dedicated SomethingAwful technology shitposting forum?
how many comments of yours do you think are policing what people post here? 10%, 20%? Before you respond with something along the lines of “eternal september” or “hacker news” just know I’ve lurked at HN for almost as long as its been around and I had a computer in the late 80s.
It is kind of a garbage source. friendlysock is doing people a favor by pointing that out, and I wish I’d read his comment before I read the thread.
If you have any evidence that any of these claims are untrue (a rebuttal from Musk, Tesla, etc.), please share it with us.
Legal systems generally (not the French) go with innocent until proven guilty for a reason. CEOs would not have a lot of time in the day if they had to personally prove every accusation made against them or their company.
Funny, he seems to have time to respond to random twitter accounts all day.
Obviously means regular boring old CEOs, not the visionary ones aimed at Mars…
Taking your jab at French jurisprudence seriously, what do you mean by that? Is this some recent court case?
Because France basically invented the modern Continental legal framework (well, Napoleon overhauled the ancient Roman system) which is used all over Europe (and beyond!) today.
Sure, it is a well known fact that France is the European Guantanamo. 😏
I don’t think Tesla as a corporate entity or Musk as a private individual / CEO will dignify this source with any sort of acknowledgement. That’s a PR no-no.
However, if a personal actually trained in ferreting out the truth and presenting it in a verifiable manner (these people are usually employed as journalists) were to pull on this thread, who knows where it might lead?
The standards of evidence in most places, including science, are that you present evidence for your claims since (a) you should already have it and (b) it saves readers time. Bullshit spreads fast as both media and Facebook’s experiment show. Retractions and thorough investigations often don’t make it to same audience. So, strong evidence for source’s identity or claims should be there by default. It’s why you often see me citing people as I make controversial claims to give people something to check them with.
There’s nothing surprising about the employee’s claims. It’s like asking for evidence that Google spies on users. They admit to it, and so does Tesla. So there’s your evidence, and I think it’s sad that you’re taking these trolls here seriously.
Thanks for the link. Key point:
“Every Tesla has GPS tracking that can be remotely accessed by the owner, as well as by Tesla itself. That means that people will always know where a Tesla is. This feature can be turned off, by entering the car and turning off the remote access feature. I am not sure why you would want to do this, but you can. Unfortunately, there are ways for a thief to turn off the remote access feature, and this will blind you to the specific information about the car. It will not stop Tesla from being able to track the car. They will retain that type of access no matter what, and have the authority to use it in the instances of vehicle theft.”
re taking trolls seriously. We’re calling you out about posting more unsubstantiated claims via Twitter. If your goal is getting info out, then you will always achieve it by including links like you gave me in the first place. Most people aren’t going to endlessly dig to verify stuff people say on Twitter. They shouldn’t since the BS ratio is through the roof. Also, that guy didn’t just make obvious claims like they could probably track/access the vehicle: he made many about their infrastructure and management that weren’t as obvious or verifiable. He also made them on a forum celebrated for trolling. So, yeah, links are even more helpful here.
But the point isn’t to even say that everything written here is true. The point is to share a very interesting data point that likely constitutes primary source material, and force a reaction from Tesla to stop their dangerous practices (or offer them a chance to set the record straight if any of this is untrue, which we’ve established is unlikely).
“Dangerous” compared to what? Force how?
Low-effort regurgitation of screencaps is not some big act of rebellion, it is just a way of lowering quality and adding noise.
If we wanted to read fiction we could go enjoy the sister Lobster site devoted to that activity.
Being a troll is “a way of lowering quality and adding noise”.
Which is why several people are asking you to stop it.
Is there any evidence your tweets or Lobsters submissions have changed security or ethical practices of a major company?
If not, then that’s either not what you’re doing here or you should be bringing that content to Tesla’s or investors’ attention via mediums they look at. It’s just noise on Lobsters.
I agree with you in general, but this specific “article” is just garbage. (As far as I’m concerned, Twitter in general should be blacklisted from lobste.rs. Anything there is either content-free or so inconvenient to read as to be inaccessible.)
I agree. I did at least learn from your link that Arnnon Geshuri, Vice President of HR at Tesla, was a senior one at Google that some reports said was involved in the price fixing and abusive retention of labor here. That’s a great hire if your an honest visionary taking care of employees who enable your world-changing vision. ;)