1. 5

    The sad thing is, I suspect this isn’t the “world’s worst” or in fact much worse at all than any other smartlock–I bet they’re all this bad.

    1. 1

      Yeah, I mean, this might be a local maxima of awful, but as software metastasizes through all sorts of new ecosystems, we’ll have to continue to revise the bar upwards.

    1. 17

      This design decision seems pretty hard to defend:

      At 1.3 seconds before impact, the self-driving system determined that an emergency braking maneuver was needed to mitigate a collision (see figure 2). According to Uber, emergency braking maneuvers are not enabled while the vehicle is under computer control, to reduce the potential for erratic vehicle behavior. The vehicle operator is relied on to intervene and take action. The system is not designed to alert the operator.

      1. 2

        “I can’t figure out why, when the emergency stop code is enabled, the car gets all erratic. I know, I’ll just comment it out. Okay, next bug…”

        1. 0

          Holy smokes this sounds bad!

        1. 19

          Kind of funny to see this coming from Gruber, who has been a consistent defender of keeping systems closed in the name of user experience. Facebook used to have RSS feeds, too, and Google Chat used to support XMPP; the writing’s been on the wall for a while. I am surprised that he (and the third-party app maintainers) are really naïve enough to imagine that Twitter can be talked into maintaining these APIs (which allow people to use their service without being advertised to) in the long term.

          1. 7

            Indeed. The problem (for both Twitter and Gruber) is that Twitter started out as a classic Web 2.0 play with open APIs, and only later realized that can be a money drain. Later services like Instagram only offer API access for the real customers - the advertisers.

            1. 12

              Yup. This alone makes Mastodon a superior alternative. Now the trick is getting the masses to move over :) (Though, I’m not REALLY sure I want that :)

              1. 3

                Yeah, or Twitter could have a paid tier that allowed 3rd party apps, better privacy tools, etc. But that’s not the way they want to roll, apparently.

                1. 2

                  (Though, I’m not REALLY sure I want that :)

                  I know the feeling! I kinda liked Twitter better when my acquaintances weren’t in it, and we had actual meetups of Twitter users

                2. 3

                  Later services like Instagram only offer API access for the real customers - the advertisers.

                  Instagram is an even worse example of API bait-and-switch than Twitter - they offered API access to developers (in 2014), deprecated it this January ¹, and then completely removed access this spring, months before the deprecation deadline ².

                3. 2

                  I honestly never understood why anyone cares what Gruber has to say. I give him credit for inventing markdown. Really great idea!

                  All the rest he produces seems to be some variation of “apples is so amazing” and “google is so awful”. Most probably that is confirmation bias on my end, but really: Why does anyone care what Gruber has to say?

                1. 21

                  Gosh, I couldn’t make it very far into this article without skimming. It goes on and on asking the same ‘why’ but mentally answering it in the opposite direction of the quoted comments.

                  Docker is easy, standard isolation. If it falls, something will replace it. We’re not going in the opposite direction.

                  The article doesn’t explain to me what other ways I have of running 9 instances of an app without making a big mess of listening ports and configuration.

                  Or running many different PHP apps without creating a big mess of PHP installs and PHP-FPM configs. (We still deal with hosting setups that share the same install for all apps, then want to upgrade PHP.)

                  Or how to make your production setup easy to replicate (roughly) for developers who actually work on the codebase. (Perhaps on macOS or Windows, while you deploy on Linux.)

                  We’re not even doing the orchestration dance yet, these are individual servers that run Docker with a bunch of shell scripts to provision the machine and manage containers.

                  But even if we only use 1% of the functionality in Docker, I don’t know how to do that stuff without it. Nevermind that I’d probably have to create a Vagrantbox or something to get anyone to use it in dev. (I’ve come to dislike Vagrant, sorry to say.)

                  Besides work, I privately manage a little cloud server and my own Raspberry Pi, and sure they don’t run Docker, but they don’t have these requirements. It’s fine to not use Docker in some instances. And even then, Docker can be useful as a build environment, to document / eliminate any awkward dependencies on the environment. Makes your project that much easier to pick up when you return to it months later.

                  Finally, I’m sorry to say that my experiences with Ansible, Chef and Puppet have only ever been bad. It seems to me like the most fragile aspect of these tools is all the checks of what’s what in the current environment, then act on it. I’m super interested in trying NixOS sometime, because from what I gather, the model is somewhat similar to what Docker does: simply layering stuff like we’ve always done on software.

                  1. 1

                    For the php part it’s not that complex. Install the required versions (Debian and Ubuntu both have 5.6 through 7.2 “major” releases available side by side thanks to Ondrej Sury’s repo). Then just set up a pool per app (which you should do anyway) and point to the app’s specific Unix domain socket for php-fpm in the vhost’s proxy_fcgi config line.

                    I’ve used this same setup to bring an app from php5.4 (using mod_php) up through the versions as it was tested/fixed too.

                    Is there some config/system setup required? You betcha. Ops/sysadmins is part of running a site that requires more than shared hosting.

                    What are you gonna do with docker, have each developer just randomly writing whatever the fuck seems like a good idea and pushing their monolithic images to prod with no ops supporting it?
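                    The pool-per-app layout described in this comment, as an added example (not the commenter’s code): a POSIX shell script that emits a per-app php-fpm pool running as its own Unix user on its own socket, plus the Apache proxy_fcgi handler pointing at that socket. It assumes the Debian/Ubuntu php-fpm layout with the sury.org packages; the app name, PHP version, user and hostname are placeholders supplied by the caller.

                    ```shell
                    #!/bin/sh
                    # Added example, not from the thread. Generates the two files behind the
                    # "pool per app" setup, for Debian/Ubuntu with php-fpm from the sury.org
                    # packages. App name, PHP version, unix user and hostname are placeholders
                    # supplied by the caller.

                    # Path of the per-app php-fpm socket; shared by both generated files so
                    # the pool and the vhost cannot drift apart.
                    socket_path() {
                      printf '/run/php/php%s-fpm-%s.sock\n' "$2" "$1"
                    }

                    # gen_pool_conf APP PHPVER USER
                    # Contents for /etc/php/PHPVER/fpm/pool.d/APP.conf. Each app runs as its
                    # own unix user on its own socket: the socket is reachable only by
                    # www-data, and open_basedir keeps the app out of a sibling app's tree.
                    gen_pool_conf() {
                      app="$1"; phpver="$2"; user="$3"
                      sock=$(socket_path "$app" "$phpver")
                      printf '%s\n' \
                        "[$app]" \
                        "user = $user" \
                        "group = $user" \
                        "listen = $sock" \
                        "listen.owner = www-data" \
                        "listen.group = www-data" \
                        "listen.mode = 0660" \
                        "pm = dynamic" \
                        "pm.max_children = 10" \
                        "pm.start_servers = 2" \
                        "pm.min_spare_servers = 1" \
                        "pm.max_spare_servers = 3" \
                        "php_admin_value[open_basedir] = /var/www/$app:/tmp"
                    }

                    # gen_vhost_conf APP PHPVER HOSTNAME
                    # Apache vhost that hands .php requests to this app's pool through
                    # mod_proxy_fcgi (needs a2enmod proxy_fcgi). Moving the app to a newer
                    # PHP version means changing PHPVER in both files and restarting that
                    # version's php-fpm; the other apps on the host are untouched.
                    gen_vhost_conf() {
                      app="$1"; phpver="$2"; host="$3"
                      sock=$(socket_path "$app" "$phpver")
                      printf '%s\n' \
                        "<VirtualHost *:80>" \
                        "    ServerName $host" \
                        "    DocumentRoot /var/www/$app/public" \
                        "    <Directory /var/www/$app/public>" \
                        "        Require all granted" \
                        "    </Directory>" \
                        '    <FilesMatch "\.php$">' \
                        "        SetHandler \"proxy:unix:$sock|fcgi://localhost\"" \
                        "    </FilesMatch>" \
                        "</VirtualHost>"
                    }

                    # Usage: sh gen-php-pool.sh shop 7.2 shop shop.example.test
                    if [ "$#" -eq 4 ]; then
                      gen_pool_conf "$1" "$2" "$3"
                      echo
                      gen_vhost_conf "$1" "$2" "$4"
                    fi
                    ```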

                    1. 12

                      What are you gonna do with docker, have each developer just randomly writing whatever the fuck seems like a good idea and pushing their monolithic images to prod with no ops supporting it?

                      Yes. The whole point of “DevOps”/docker is to deploy software certified by the “Works on My Machine” certification program. This eliminates coordination time with a separate Ops team.

                      1. 2

                        Is this sarcasm, or are you actually in favour of the definition “DevOps = Developers [trying to] do Ops” ?

                        1. 7

                          Descriptively, that’s what DevOps is. I am prescriptively against such DevOps, but describing what’s currently happening with docker is unrelated to whether I am in favor of it.

                          1. 3

                            I don’t disagree that it’s a definition used by a lot of places (whether they call it devops or not). But I believe a lot of people who wax poetic about “DevOps” don’t share this same view - they view it as Operations using ‘development’ practices: i.e. writing scripts/declarative state files/etc to have reproducible infrastructure, rather than a “bible” of manual steps to go through to setup an environment.

                            I’m in favour of the approach those people like, but I’m against the term simply because it’s misleading - like “the cloud” or “server less”.

                      2. 2

                        I don’t understand your last point, that’s exactly what developers do all day.

                        In Docker, the PHP version the app depends on is set in code. It doesn’t even take any configuration changes when the app switches to a new PHP version.

                        But if there’s one gripe I have with the Docker way of things, baking everything into an image, it’s security. There are no shared libraries in any way, upgrading a dependency minor version requires baking a new image.

                        I kinda wish we had a middle road, somewhere between Debian packages and Docker images.

                        1. 3

                          the PHP version the app depends on is set in code

                          And of course we all know Docker is the only way to define dependencies for software packages.

                          1. 4

                            Did anyone say it was? Docker is just one of the easiest ways to define the state of the whole running environment and have it defined in a text file which you can easily review to see what has been done.

                          2. 1

                            You can share libraries with Docker by making services share the same Docker image. You can actually replicate Debian level of sharing by having a single Docker image.

                            1. 2

                              Well, I guess this is just sharing in terms of memory usage? But what I meant with security is that I’d like if it were possible to have, for example, a single layer in the image with just OpenSSL, that you can then swap out with a newer version (with, say, a security fix.)

                              Right now, an OpenSSL upgrade means rebuilding the app. The current advantage of managing your app ‘traditionally’ without Docker is that a sysadmin can do this upgrade for you. (Same with PHP patch versions, in the earlier example.)

                              1. 4

                                And this is exactly why I don’t buy into the whole “single-use” container shit show.

                                Want to use LXC/LXD for lightweight “VMs”? Sure, I’m all for it. So long as ops can manage the infra, it’s all good.

                                Want to have developers having the last say on every detail of how an app actually runs in production? Not so much.

                                What you want is a simpler way to deploy your php app to a server and define that it needs a given version of PHP, an Apache/Nginx config, etc.

                                You could literally do all of that by just having your app packaged as a .deb, have it define dependencies on php-{fpm,moduleX,moduleY,moduleZ} and include a vhost.conf and pool.conf file. A minimal (i.e. non-debian repo quality but works for private installs) package means you’ll need maybe half a dozen files extra.

                                And then your ops/sysadmin team can upgrade openssl, or php, or apache, or redis or whatever other thing you use.

                                1. 2

                                  I actually do think this is a really good idea. But what’s currently there requires a lot more polish for it to be accessible to devs and small teams.

                                  Debian packaging is quite a pain (though you could probably skip a lot of standards). RPM is somewhat easier. But in both cases, the packages typically bundle default app configuration and systemd unit files, which is a model that sort of assumes things only have 1 instance.

                                  You could then go the LXC route, and have an admin manage each instance in a Debian container. That’s great, but we don’t have the resources to set up and manage all of this, and I expect that is the case for quite a lot of small teams out there.

                                  Maybe it’s less complicated than I think it is? If so, Docker marketing got something very right, and it’d help if there was a start-to-finish guide that explains things the other way.

                                  Also remember that Docker for Mac/Windows makes stuff really accessible for devs that are not on Linux natively. Not having to actually manage your VM is a blessing, because that’s exactly my gripe with Vagrant. At some point things inside the VM get hairy, because of organic growth.

                                  1. 3

                                    But in both cases, the packages typically bundle default app configuration and systemd unit files, which is a model that sort of assumes things only have 1 instance.

                                    In the case of the context - it is one instance. Either you build your packages with different names for different stages (e.g. acme-corp-foo-app-test, acme-corp-foo-app-staging, acme-corp-foo-app-prod) or use separate environments for test/stage/prod - either via VMs, LXC/LXD, whatever.

                                    Nothing is a silver bullet, Docker included. It’s just that Docker has a marketing team with a vested interest in glossing over its deficiencies.

                                    If you want to talk about how to use the above concept for an actual project, I’m happy to talk outside the thread.

                                    1. 2

                                      Also remember that Docker for Mac/Windows makes stuff really accessible for devs that are not on Linux natively. Not having to actually manage your VM is a blessing, because that’s exactly my gripe with Vagrant. At some point things inside the VM get hairy, because of organic growth.

                                      This is exactly why at work we started to use Docker (and got rid of Vagrant).

                                      1. 1

                                        At some point things inside the VM get hairy, because of organic growth.

                                        Can you define “hairy”?

                                        1. 2

                                          The VM becomes a second workstation, because you often SSH in to run some commands (test migrations and the like). So people install things in the VM, and change system configuration in the VM. And then people revive months old VMs, because it’s easier than vagrant up, which can take a good 20 minutes. There’s no reasoning about the state of Vagrant VMs in practice.

                                          1. 3

                                            So people install things in the VM, and change system configuration in the VM

                                            So your problem isn’t vagrant then, but people. Either the same people are doing the same thing with Docker, or not all things are equal?

                                            because it’s easier than vagrant up, which can take a good 20 minutes

                                            What. 20 MINUTES? What on earth are you doing that causes it to take 20 minutes to bring up a VM and provision it?

                                            There’s no reasoning about the state of Vagrant VMs in practice.

                                            You know the version of the box that it’s based on, what provisioning steps are configured to run, and whether they’ve run or not.

                                            Based on everything you’ve said, this sounds like blaming the guy who built a concrete wall, when your hammer and nails won’t go into it.

                                            1. 1

                                              I suppose the main difference is that we don’t build images for Vagrant, but instead provision the machine from a stock Ubuntu image using Ansible. It takes a good 3 minutes just to get the VirtualBox VM up, more if you have to download the Ubuntu image. From there, it’s mostly adding repos, installing deps, creating configuration. Ansible itself is rather sluggish too.

                                              Compare that to a 15 second run to get a dev environment up in Docker, provided you have the base images available.

                                              A people problem is a real problem. It doesn’t sound like you’ve used Docker for Mac/Windows, but the tool doesn’t give you a shell in the VM. And you don’t normally shell into containers.

                                              1. 1

                                                That’s interesting that it takes you 20 minutes to get to something usable. I never had that experience back when I used VMware and VirtualBox. I can’t remember having it anyway. I decided to see what getting Ubuntu up on my box takes with the new version for comparison to your experience. I did this experiment on my backup laptop: a 1.5GHz Celeron with plenty of RAM and older HD. It’s garbage as far as performance goes. Running Ubuntu 16-17 (one of them…), VirtualBox, and Ubuntu 18.04 as guest in a 1GB VM. That is, the LiveCD of Ubuntu 18.04 that it’s booting from.

                                                1. From power on to first Ubuntu screen: 5.7 seconds.

                                                2. To get to the Try or Install screen: 1 min 47 seconds.

                                                3. Usable desktop: 4 min 26 seconds.

                                                So, it’s up in under 5 minutes on the slowest-loading method (LiveCD) on some of the slowest hardware (Celeron) you can get. That tells me you could probably get even better startup time than me if you install and provision your stuff into a VirtualBox VM that becomes a base image. You use it as read-only, snapshot it, whatever the feature was. I rarely use VirtualBox these days so can’t remember. I know fully-loaded Ubuntu boots up in about a minute on this same box with the VirtualBox adding 5.7s to get to that bootloader. Your setup should just take 1-2 minutes to boot if doing it right.

                                                1. 0

                                                  It takes a good 3 minutes just to get the VirtualBox VM up

                                                  What? Seriously? Are your physical machines running on spinning rust or with only 1 or 2 GB of RAM or something? That is an inordinate amount of time to boot a VM, even in the POS that is Virtualbox.

                                                  but the tool doesn’t give you a shell in the VM.

                                                  What, so docker attach or docker exec /bin/bash are just figments of my imagination?

                                                  you don’t normally shell into containers

                                                  You don’t normally just change system settings willy nilly in a pre-configured environment if you don’t know what you’re doing, but apparently you work with some people who don’t do what’s “normal”.

                                                  1. 2

                                                    Physical machines are whatever workstation the developer uses. Typically a Macbook Pro in our case. Up until Vagrant has SSH access to the machine, I’m not holding my breath.

                                                    You’re confusing shell access to the VM with shell access to containers. The Docker commands you reference are for container access.

                                                    People do regularly make changes to vhost configuration, or installed packages in VMs when testing new features, instead of changing the provisioning configuration. Again, because it takes way longer to iterate on these things with VMs. And because people do these things from a shell inside the VM, spending time there, they start customizing as well.

                                                    And people do these things in Docker too, and that’s fine. But we’re way more comfortable throwing away containers than VMs, because of the difference in time. In turn, it’s become much easier to iterate on provisioning config changes.

                                                    1. 2

                                                      If time was a problem, sounds like the Docker developers should’ve just made VMs faster in existing stacks. The L4Linux VMs in Dresden’s demo loaded up about one a second on old hardware. Recently, LightVM got it down to 2.3 milliseconds on a Xen variant. Doing stuff like that also gives the fault-isolation and security assurances that only come with simple implementations which Docker-based platforms probably won’t have.

                                                      Docker seems like it went backwards on those properties vs just improving speed or usability of virtualization platforms.

                                                      1. 1

                                                        You’re confusing shell access to the VM with shell access to containers. The Docker commands you reference are for container access.

                                                        No. Your complaint is that people change configuration inside the provisioned environment. The provisioned environment with Docker isn’t a VM - that’s only there because it requires a Linux kernel to work. The provisioned environment is the container, which you’ve just said people are still fucking around with.

                                                        So your complaint still boils down to “virtualbox is slow”, and I still cannot imagine what you are doing to take twenty fucking minutes to provision a machine.

                                                        That’s closer to the time to build a base box from nothing than the time to bring up an instance and provision it.

                                                        1. 2

                                                          Look, this is getting silly. You can keep belittling every experience I’ve had, as if we’ve made these choices based on a couple of tiny bad aspects in the entire system, but that’s just not the case, and that’s not a productive discussion.

                                                          I did acknowledge that in practice Docker images a lot more things, which factors into a lot of the slowness of provisioning in the Vagrant case for us. There’s just a lot more provisioning has to do compared to Docker.

                                                          And while we could’ve gone another route, I doubt we would’ve been as happy, considering where we all are now as an industry. Docker gets a lot of support, and has a healthy ecosystem.

                                                          I see plenty of issues with Docker, and I can grumble about it all day. The IPv6 support is terrible, the process management is limited, the Docker for Mac/Windows filesystem integrations leave a lot to be desired, the security issue I mentioned in this very thread. But it still has given us a lot more positives than negatives, in terms of developer productiveness and managing our servers.

                                                          1. 1

                                                            You can keep belittling every experience I’ve had

                                                            Every ‘issue’ you raised boils down to ‘vagrant+virtualbox took too long to bring up/reprovision’. At 20 minutes, that’s not normal operation, it’s a sign of a problem. Instead of fixing that, you just threw the whole lot out.

                                                            This is like saying “I can’t work out why apache keeps crashing under load on Debian. Fuck it, I’m moving everything to Windows Server”.

                                                            But it still has given us a lot more positives than negatives

                                                            The linked article seems to debunk this myth.

                                                          2. 2

                                                            I have the same experience as @stephank with VirtualBox. Every time I want to restart with a clean environment, I restart with a standard Debian base box and I run my Ansible playbooks on it. This is slow because my playbooks have to reinstall everything (I try to keep a cache of the downloaded packages in a volume on the host, shared with the guest). Docker makes this a lot easier and quicker thanks to the layer mechanism. What do you suggest to keep using Vagrant and avoid the slow installation (building a custom image I guess)?

                                                            1. 2

                                                              Please tell me “the same experience” isn’t 20 minutes for a machine to come up from nothing?

                                                              I’d first be looking to see how old the base box you’re using is. I’m guessing part of the process is an apt-get update && apt-get upgrade - some base boxes are woefully out of date, and are often hard-coded to use e.g. a US based mirror, which will hurt your update times if you’re elsewhere in the world.

                                                              If you have a lot of stuff to install, then yes I’d recommend making your own base-box.

                                                              What base-box are you using, out of interest? Can you share your playbooks?

                                                              1. 2

                                                                Creating a new VM with Vagrant just takes a few seconds, provided that the base box image is already available locally.

                                                                Provisioning (using Ansible in my case) is what takes time (installing all the services and dependencies required by my app). To be clear, in my case, it’s just a few minutes instead of 20 minutes, but it’s slow enough to be inconvenient.

                                                                I refresh the base box regularly, I use mirrors close to me, and I’ve already checked that apt-get update/upgrade terminates quickly.

                                                                My base box is debian/jessie64.

                                                                I install the usual stuff (nginx, Python, Go, Node, MySQL, Redis, certbot, some utils, etc.).

                                                                1. 2

                                                                  Reading all your comments, you seem deeply interested in convincing people that VMs are solving all the problems people think Docker is solving. Instead of debating endlessly on comments here, I’d be (truly) interested to read about your work-flow as an ops and as a dev. I’ve finished my studies using Docker and never had to use VMs that much on my machines, so I’m not an expert and would be really interested to have a good article/post/… that I could learn from on the subject of how VMs would be better than Docker.

                                        2. 1

                                          I think the point is to use something like ansible, so you put some ansible config in a git repo then you pull the repo, build the docker image, install apps, apply the config and run, all via ansible.

                                        3. 2

                                          How do you manage easily 3 different versions of PHP with 3 different versions of MariaDB? I mean, this is something that Docker solves VERY easily.

                                          1. 4

                                            Maybe if your team requires 3 versions of a database and language runtime they’ve goofed…

                                            1. 8

                                              It’s always amusing to have answers pointing at the legacy and saying “it shouldn’t exist”. I mean, yes it’s weird, annoying, but it exists now and will exist later.

                                              1. 6

                                                it exists now and will exist later.

                                                It doesn’t have to exist at all–like, literally, the cycles spent wrapping the mudballs in containers could be spent just…you know…cleaning up the mudballs.

                                                There are cases (usually involving icky third-party integrations) where maintaining multiple versions of runtimes is necessary, but outside of those it’s just plain sloppy engineering not to try and clean up and standardize things.

                                                (And no, having the same container interface for a dozen different snowflakes is not standardization.)

                                                1. 2

                                                  I see it more like, the application runs fine, the team that was working on it doesn’t exist anymore, instead of spending time to upgrade it (because I’m no java 6 developer), and I still want to benefit from bin packing, re-scheduling, … (and not only for this app, but for ALL the apps in the enterprise) I just spend time to put it in a container, and voila. I still can deploy it in several different cloud and orchestrator without asking for a team to spend time on a project that already does the job correctly.

                                                  To be honest, I understand that containers are not the solution to everything, but I keep wondering why people don’t accept that it has some utility.

                                                2. 2

                                                  I think the point is that there is often little cost/benefit analysis done. Is moving one’s entire infrastructure to Docker/Kubernetes less work than getting all one’s code to run against the same version of a database? I’m sure sometimes it is, but my experience is that these questions are rarely asked. There is a status-quo bias toward solutions that allow existing complexity to be maintained, even when the solutions cost more than reducing that complexity.

                                                  1. 4

                                                    Totally agreed, but I’m also skeptical on the reaction of always blaming containers to add complexity. From my point of view, many things that I do with containers is way easier than if I had to do it another way (I also agree that some things would be easier without them too).

                                              2. 2

                                                Debian solves three different versions of php with Ondrej’s packages (or ppa on Ubuntu).

                                                In anything but dev or the tiniest of sites you’ll have your database server on a separate machine anyway - what possible reason is there to have three different versions of a database server on the same host for a production environment?

                                                If you need it for testing, use lx{c,d} or vms.

                                                1. 3

                                                  Especially MySQL has broken apps in the past, going from 5.5 -> 5.6, or 5.6 -> 5.7. Having a single database server means having to upgrade all apps that run on top of it in sync. So in practice, we’ve been running a separate database server per version.

                                                  Can’t speak for other systems, though.

                                                  1. 1

                                                    As you said, testing is a good example of such a use case. Then why use VMs when I can bin-pack containers on 1 (or many) machines, using fewer resources?

                                                    1. 1

                                                      That still isn’t a reason to use it in prod, and it isn’t that different from using LXC/LXD style containers.

                                                      1. 1

Do you have rational arguments to be against Docker which is using LXC? For now I don’t see any good reason not to. It’s like saying that you don’t want to use a solution because you can use the technologies it uses underneath.

                                                        1. 6

                                                          It’s like saying that you don’t want to use a solution because you can use the technologies it uses underneath.

                                                          That’s a reasonable position though. There are people who have good reasons to prefer git CLI to Github Desktop, MySql console to PHPMyAdmin, and so forth. Abstractions aren’t free.

                                                          1. 1

Exactly! But I don’t see such hatred for people using Github Desktop or PHPmyadmin. It’s not because you don’t want to use it that it doesn’t fit the use case of someone.

                                                            1. 1

                                                              As someone who usually ends up having to ‘cleanup’ or ‘fix’ things after someone has used something like a GUI git client or PHPMyAdmin, I wouldn’t use the word hatred, but I’m not particularly happy if someone I work with is using them.

                                                              1. 1

                                                                I can do interactive staging on the CLI, but I really prefer a GUI (and if I find a good one, would probably also use a GUI for rebasing before sending a pull request).

                                                          2. 2

                                                            If I want a lightweight machine, LXC provides that. Docker inherently is designed to run literally a single process. How many people use it that way? No, they install supervisord or whatever - at which point, what’s the fucking point?

                                                            You’re creating your own ‘mini distribution’ of bullshit so you can call yourself devops. Sorry, I don’t drink the koolaid.

                                                            1. 1

                                                              Your argument is purely flawed. You justify the initially of Docker by generalizing what a (narrow) subset of users is doing. Like I said, I’m ready to hear rational arguments.

                                                              1. 2

                                                                generalizing what a (narrow) subset of users is doing

                                                                I found you 34K examples in about 30 seconds: https://github.com/search?l=&q=supervisord+language%3ADockerfile&type=Code

                                                                1. 1

                                                                  Hummm okay you got me on this one! Still, I really think there is some real utility for such a solution, even if yes it can be done in many other ways.

                                              1. 9

                                                Maybe I’m just getting old and cranky but it seems like everything takes vastly more work, time, and ceremony than it used to back in the dark ages of pets-not-cattle and mutable infrastructure, with no real improvement in reliability or cost. (I know the customary response is that we’re solving harder problems at greater scale, and of course some folks are, but a lot of us are working on problems and at scales not that different than ones we were working on ten years ago.)

                                                1. 8

                                                  At the scale I operate at, this is definitely true. I used to run jobs on local university clusters, but eventually moved to Cloud stuff out of necessity. It was the thing everyone was doing, and in the face of declining support for local clusters, it was the best way to quickly spin up a cluster-like computing environment. But recently, I was given access to an old-fashioned university cluster again, with traditional job-submission tools, and it’s been great. I can submit a job that runs across 64 CPUs with almost no configuration. I don’t manage any infrastructure! There are no containers! I love it.

                                                  1. 5

I think containers have been pretty badly pitched in some cases because people end up seeing containers as VMs, when in fact they’re more like virtual filesystems for a program + some isolation. Like containers can be extremely lightweight.

                                                    If you are able to set up the container infrastructure properly you end up being able to isolate a lot of tricky components and share this configuration. This actually isn’t much of an issue with newer programs (I don’t understand people who put Go programs into containers…).

                                                    But, if you have software that depends on things like the host system’s font stack (PDF rendering, for example), or something that needs to be running with an old set of libraries (but you don’t want to pollute the host system with this stuff) containers work extremely well. For certain purposes, the isolation lets you provide (basically) single binaries to get things working and destroy the “works on my machine”-style issues in a lot of scenarios.

                                                    A bit ironically, containers are great for old software and a lot less useful for newer software.

                                                    EDIT: also, RE mutable infrastructure… even when you get to a relatively small setup (like 8 or so servers), it’s extremely easy to start having issues where your configuration is desynced from the reality in mutable infrastructure land. Trying to recover a server’s state after a reboot, only to realise that you did a one-time fix when you first deployed your software 2 years ago and it got lost in the reboot is really rough.

Kubernetes is complicated for sure, but if you really get into the headspace of something like salt stack it can feel nicer. There’s a big learning curve but after you get it, it can even be faster for a single server.

                                                    1. 3

                                                      Well you’ve still got to choose tech appropriate for your problem, that problem will never go away :)

                                                    1. 3

                                                      Thanks for posting this. Some of these kinds of visualizations work better than others, but I thought this one was really good at communicating some tricky dynamics. (I could complain about the use of scrolling to control things other than the position of the viewport, but that battle seems thoroughly lost.)

                                                      1. 75

                                                        Capitalism is killing us in a very literal sense by destroying our habitat at an ever accelerating rate. The fundamental idea of needing growth and having to constantly invent new things to peddle leads to ever more disposable products, that are replaced for the sake of being replaced. There’s been very little actual innovation happening in the phone space. The vendors are intentionally building devices using the planned obsolescence model to force the upgrade cycle.

                                                        The cancer of consumerism affects pretty much every aspect of society, we’ve clear cut unique rain forests and destroyed millions of species we haven’t even documented so that we can make palm oil. A product that causes cancer, but that’s fractionally cheaper than other kinds of oil. We’ve created a garbage patch the size of a continent in the ocean. We’re poisoning the land with fracking. The list is endless, and it all comes down to the American ethos that making money is a sacred right that trumps all other concerns.

                                                        1. 22

                                                          Capitalism is killing us in a very literal sense by destroying our habitat at an ever accelerating rate.

                                                          The cancer of consumerism affects pretty much every aspect of society, we’ve clear cut unique rain forests and destroyed millions of species we haven’t even documented so that we can make palm oil.

One can get into a big debate about this, but the concept of externalities has existed for a long time and specifically addresses these concerns. Products do not cost what they should when their less tangible environmental impact is taken into account. It’s somewhat up to the reader to decide if the inability of society to take those into account is capitalism’s fault, or just human nature, or something else. I live in a country that leans much more socialist than the US but is unequivocally a capitalist country and they do a better job of managing these externalities. And China is not really capitalistic in the same way the US is but is a pretty significant polluter.

                                                          1. 5

                                                            Indeed, it’s not the fault of the economic system (if you think Capitalistic societies are wasteful, take a look at the waste and inefficiency of industry under the USSR). If externalities are correctly accounted for, or to be safe, even over-accounted for by means of taxation or otherwise, the market will work itself out. If the environmental cost means the new iPhone costs $2000 in real costs, Apple will work to reduce environmental cost in order to make an affordable phone again and everyone wins. And if they don’t, another company will figure it out instead and Apple will lose.

Currently, there is basically no accounting for these externalities, and in some cases (although afaik not related to smart phones), there are subsidies and price-ceiling regulations that actually decrease the cost of some externalities artificially and are worse for the environment than no government intervention at all.

                                                            The easy example of this is California State water subsidies for farmers. Artificially cheap water for farmers means they grow water-guzzling crops that are not otherwise efficient to grow in arid parts of the state, and cause environmental damage and water shortage to normal consumers. Can you imagine your local government asking you to take shorter showers and not wash your car, when farmers are paying 94% less than you to grow crops that could much more efficiently be grown in other parts of the country? That’s what happens in California.

                                                            Step 1 and 2 are to get rid of the current subsidies and regulations that aggravate externalities and impose new regulation/taxes that help account for externalities.

                                                            1. 2

                                                              I have talked to a factory owner in china. He said China is more capitalist than the USA. He said China prioritizes capital over social concerns.

                                                              1. 1

                                                                Ok? I can talk to lots of people with lots of opinions. That doesn’t make it true.

                                                                1. 1

It’s just impressive that a capitalist would say that. If China was even remotely communist, don’t you find it interesting that most capitalists who made deals with China seem ok helping ‘the enemy’ become the second largest economy in the world? I prefer to believe the simpler possibility that China is pretty darn capitalist itself.

                                                                  1. 2

                                                                    I did not say China was not capitalist, I said it’s not in the same way as the US. There is a lot more state involvement in China.

                                                                    1. 2

                                                                      Is your claim then that state involvement means you have more pollution? Maybe I’m confused by what you were trying to get at, sorry :-/

                                                                      1. 2

                                                                        No, I was pointing out that different countries are doing capitalism differently and some of them are better at dealing with externalities and some of them are worse. With the overall point being that capitalism might be the wrong scapegoat.

                                                              1. 7

                                                                I think the consumer could be blamed more than capitalism, the companies make what sells, the consumers are individuals who buy products that hurt the environment, I think that it is changing though as people become more aware of these issues, they buy more environmentally friendly products.

                                                                1. 30

                                                                  You’re blaming the consumer? I’d really recommend watching Century of the Self. Advertising has a massive impact and the mass of humans are being fed this desire for all the things we consume.

                                                                  I mean, this really delves into the deeper question of self-awareness, agency and free will, but I really don’t think most human beings are even remotely aware.

Engineers, people on Lobsters, et al. do really want standard devices. Fuck ARM. Give me a god damn mobile platform. Microsoft for the love of god, just publish your unlock key for your dead phone line so we can have at least one line of devices with UEFI+ARM. Device tree can go die in a fire.

The Linux-style revolution of the 2000s (among developers) isn’t happening on mobile because every device is just too damn different. The average consumer could care less. Most people like to buy new things, and we’ve been indoctrinated to that point. Retailers and manufacturers have focus groups geared right at delivering the dopamine rush.

                                                                  I personally hate buying things. When my mobile stopped charging yesterday and the back broke again, I thought about changing it out. I’ve replaced the back twice already and the camera has spots on the sensor under the lenses.

                                                                  I was able to get it charging when I got home on a high amp USB port, so instead I just ordered yet another back and a new camera (I thought it’d be a bitch to get out, but a few YouTube videos show I was looking at the ribbon wrong and it’s actually pretty easy to replace).

I feel bad when I buy things, but it took a lot of work to get to that point. I’ve sold or given away most of my things multiple times to go backpacking, I run ad block .. I mean if everyone did what I did, my life wouldn’t be sustainable. :-P

We are in a really solidly locked paradigm and I don’t think it can simply shift. If you believe the authors of The Dictator’s Handbook, we literally have to run out of resources before the general public will really push for dramatically different changes.

                                                                  We really need more commitment to open standards mobile devices. The Ubuntu Edge could have been a game changer, or even the Fairphone. The Edge never got funded and the Fairphone can’t even keep parts sourced for their older models.

                                                                  We need a combination of people’s attitudes + engineers working on OSS alternatives, and I don’t see either happening any time soon.

                                                                  Edit: I forgot to mention, Postmarket OS is making huge strides into making older cellphones useful and I hope we see more of that too.

                                                                  1. 7

                                                                    I second the recommendation for The Century of the Self. That movie offers a life-changing change of perspective. The other documentaries by Curtis are also great and well worth the time.

                                                                    1. 3

                                                                      Century of the Self was a real eye opener. Curtis’s latest documentary, HyperNormalisation, also offers very interesting perspectives.

                                                                    2. 26

Capitalism, by its very nature, drives companies to not be satisfied with what already sells. Companies are constantly looking to create new markets and products, and that includes creating demand.

                                                                      IOW, consumers aren’t fixed actors who buy what they need; they are acted upon to create an ever increasing number of needs.

                                                                      There are too many examples of this dynamic to bother listing.

                                                                      1. 12

                                                                        It’s also very difficult for the consumer to tell exactly how destructive a particular product is. The only price we pay is the sticker price. Unless you really want to put a lot of time into research it is hard to tell which product is better for the environment.

                                                                        1. 14

                                                                          It’s ridiculous to expect everyone to be an expert on every supply chain in the world, starting right from the mines and energy production all the way to the store shelf. That’s effectively what you are requiring.

                                                                          I’m saying this as a very conscious consumer. I care about my carbon footprint, I don’t buy palm oil, I limit plastic consumption, I limit my consumption overall, but it’s all a drop in the ocean and changes nothing. There are still hundreds of compounds in the everyday items I buy whose provenance I know nothing about and which could be even more destructive. Not to mention that manufacturers really don’t want you to know, it’s simply not in their interest.

                                                                          You’re creating an impossible task and setting people up to fail. It is not the answer.

                                                                          1. 2

                                                                            “It’s ridiculous to expect everyone to be an expert on every supply chain in the world, starting right from the mines and energy production all the way to the store shelf. That’s effectively what you are requiring.”

                                                                            I don’t think it is what they’re requiring and it’s much easier than you describe. Here’s a few options:

                                                                            1. People who are really concerned about this at a level demanding much sacrifice to avoid damaging the environment should automatically avoid buying anything they can’t provably trust by default. The Amish are a decent example that avoids a lot of modern stuff due to commitment to beliefs.

                                                                            2. There’s groups that try to keep track of corporate abuse, environmental actions, and so on of various companies. They maintain good and bad lists. More people that supposedly care can both use them and join them in maintaining that data. It would be split among many people to lessen each’s burden. Again, avoid things by default until they get on the good lists. Ditch them if they get on the bad ones.

3. Collectively push their politicians for laws giving proper labels, auditing, etc that help with No. 2. Also, push for externalities to be charged back to the companies somehow to incentivize less-damaging behavior.

4. Start their own businesses that practice what they preach. Build the principles into their charters, contracts, and so on. Niche businesses doing a better job create more options on the good lists in No. 2. There’s entrepreneurs doing this.

                                                                            So, not all-knowing consumers as you indicated. Quite a few strategies that are less impossible.

                                                                            1. 4

                                                                              @ac specifically suggested consumer choice as the solution to environmental issues, and that’s what I disagreed with.

                                                                              Your point number 3 is quite different from the other three, and it’s what I would suggest as a far more effective strategy than consumer choice (along with putting pressure on various corporations). As an aside, I still wouldn’t call it easy - it’s always a hard slog.

                                                                              Your points 1, 2 and 4 still rely on consumer choice, and effectively boil down to: either remove yourself from modern civilisation, or understand every supply chain in the world. I think it’s obvious that the first choice is neither desirable nor “much easier” for the vast majority of people (and I don’t think it’s the best possible solution). The second is impossible, as I said before.

                                                                              1. 1

                                                                                “consumer choice as the solution to environmental issues”

                                                                                edit to add: consumer choice eliminated entire industries worth of companies because they wanted something else. It’s only worsened environmental issues. That’s probably not an argument against consumer choice so much as in favor of them willing to sacrifice the environment overall to get the immediate things they want.

                                                                                “either remove yourself from modern civilisation, or understand every supply chain in the world”

This is another false dichotomy. I know lots of people who are highly-connected with other people but don’t own lots of tech or follow lots of fads. In many cases, they seem to know about them enough to have good conversations with people. They follow what’s going on or are just good listeners. Buying tons of gadgets or harmful things isn’t necessary for participation. You can get by with a lot less than the average middle- or upper-class person.

                                                                                What you said is better understood as a spectrum to be in like most things. Lots of positions in it.

                                                                                1. 2

                                                                                  I think we might actually be mostly in agreement, but we’re talking past each other a bit.

                                                                                  That’s probably not an argument against consumer choice so much as in favor of them willing to sacrifice the environment overall to get the immediate things they want.

                                                                                  I agree with this. But even when consumer choice is applied with environmental goals in mind, I believe its effect is very limited, simply because most people won’t participate.

                                                                                  This is another false dichotomy.

                                                                                  Yeah, but it was derived from your points :) I was just trying to hammer the point that consumer choice isn’t an effective solution.

You can get by with a lot less than the average middle- or upper-class person.

                                                                                  Totally. I’ve been doing that for a long time: avoiding gadgets and keeping the stuff I need (eg a laptop) as long as I can.

                                                                                  1. 1

                                                                                    “But even when consumer choice is applied with environmental goals in mind, I believe its effect is very limited, simply because most people won’t participate.”

                                                                                    Oh OK. Yeah, I share that depressing view. Evidence is overwhelmingly in our favor on it. It’s even made me wonder if I should even be doing the things I’m doing if so few are doing their part.

                                                                          2. 5

                                                                            The blame rests on the producers, not on the consumers.

                                                                            Consumers are only able to select off of the menu of available products, so to speak. Most of the choices everyday consumers face are dictated by their employers and whatever is currently available to make it through their day.

No person can reasonably trace the entire supply chain for every item they purchase, and it could likely be impossible even with generous time windows. Nor would I want every single consumer to spend their non-working time tracing these chains.

                                                                            Additionally, shifting this blame to the consumer creates conditions where producers can charge a premium on ‘green’ and ‘sustainable’ products. Only consumers with the means to consume ‘ethically’ are able to do so, and thus shame people with less money for being the problem.

                                                                            The blame falls squarely on the entities producing these products and the states tasked with regulating production. There will be no market-based solution to get us out of the climate catastrophe, and we certainly can’t vote for a green future with our dollars.

                                                                            1. 4

                                                                              Consumers are only able to select off of the menu of available products, so to speak. Most of the choices everyday consumers face are dictated by their employers and whatever is currently available to make it through their day.

                                                                              That’s not true even though it seems it is. The consumers’ past behavior and present statements play a major role in what suppliers will produce. Most of what you see today didn’t happen overnight. There were battles fought where quite a few companies were out there doing more ethical things on supply side. They ended up bankrupt or with less marketshare while the unethical companies got way ahead through better marketing of their products. With enough wealth accumulated, they continued buying the brands of the better companies remaking them into scumbag companies, too, in many cases.

                                                                              For instance, I strongly advise against companies developing privacy- or security-oriented versions of software products that actually mitigate risks. They’ll go bankrupt like such companies often always did. The companies that actually make lots of money apply the buzzwords customers are looking for, integrate into their existing tooling (often insecure), have features they demand that are too complex to secure, and in some cases are so cheap the QA couldn’t have possibly been done right. That has to be private or secure for real against smart black hats. Not going to happen most of the time.

                                                                              So, I instead tell people to bake cost-effective security enhancements and good service into an otherwise good product advertised for mostly non-security benefits. Why? Because that’s what demand-side responds to almost every time. So, the supply must provide it if hoping to make waves. Turns out, there’s also an upper limit to what one can achieve in that way, too. The crowds’ demands will keep creating obstacles to reliability, security, workers’ quality of life, supplier choice, environment… you name it. They mostly don’t care either where suppliers being honest about costs will be abandoned for those delivering to demand side. In face of that, most suppliers will focus on what they think is in demand across as many proven dimensions as possible.

                                                                              Demand and supply side are both guilty here in a way that’s closely intertwined. It’s mostly demand side, though, as quite a few suppliers in each segment will give them whatever they’re willing to pay for at a profit.

                                                                              1. 3

                                                                                I agree with a lot of your above point, but want to unpack some of this.

                                                                                Software security is a strange case to turn to since it has less direct implications on the climate crisis (sure anything that relies on a datacenter is probably using too much energy) compared to the production of disposable, resource-intensive goods.

                                                                                Demand and supply side are both guilty here in a way that’s closely intertwined. It’s mostly demand side, though, as quite a few suppliers in each segment will give them whatever they’re willing to pay for at a profit.

                                                                                I parse this paragraph to read: we should blame consumers for buying what’s available and affordable, because suppliers are incapable of acting ethically (due to competition).

                                                                                So should we blame the end consumer for buying a phone every two years and not the phone manufacturers/retailers for creating rackets of planned obsolescence?

                                                                                And additionally, most suppliers are consumers of something else upstream. Virtually everything that reaches an end consumer has been consumed and processed several times over by suppliers above. The suppliers are guilty on both counts by our separate reasoning.

                                                                                Blaming individuals for structural problems simply lets suppliers shirk any responsibility they should have to society. After all, suppliers have no responsibility other than to create profits. Suppliers’ bad behavior must be curtailed either through regulation, public education campaigns to affect consumption habits, or organizing within workplaces.

                                                                                (As an aside, I appreciate your response and it’s both useful and stimulating to hear your points)

                                                                                1. 2

                                                                                  “I parse this paragraph to read: we should blame consumers for buying what’s available and affordable, because suppliers are incapable of acting ethically (due to competition).”

                                                                                  You added two words, available and affordable, to what I said. I left affordable off because many products that are more ethical are still affordable. Most don’t buy them anyway. I left availability off since there’s products appearing all the time in this space that mostly get ignored. The demand side not buying enough of what was and currently is available in a segment sends a message to suppliers about what they should produce. Especially if it’s consistent. Under vote with your wallet, we should give consumers their share of credit or blame for anything their purchasing decisions as a whole are supporting or destroying. That most won’t deliberately try to obtain an ethical supplier of… anything… supports my notion demand side has a lot to do with unethical activities of financially-successful suppliers.

                                                                                  For a quick example, there are often coops and farmers markets in lots of rural areas or suburban towns in them. There’s usually a segment of people who buy from them to support their style of operation and/or jobs. There’s usually enough to keep them in business. You might count Costco in that, too, where a membership fee that’s fixed cost gets the customers a pile of stuff at a promised low-markup and great service. There’s people that use credit unions, esp in their industry, instead of banks. There’s people that try to buy from nonprofits, public benefit companies, companies with good track record, and so on. There’s both a demand side (tiny) and suppliers responding to it that show this could become a widespread thing.

                                                                                  Most consumers on demand side don’t do that stuff, though. They buy a mix of necessities and arbitrary stuff from whatever supplier is lowest cost, cheapest, most variety, promoting certain image, or other arbitrary reasons. They do this so much that most suppliers, esp market leaders, optimize their marketing for that stuff. They also make more money off these people that let them put lots of ethical, niche players out of business over time. So, yeah, I’d say consumer demand being apathetic to ethics or long-term thinking is a huge part of the problem given it puts tens of billions into hands of unethical parties. Then, some of that money goes into politicians’ campaign funds so they make things even more difficult for those companies’ opponents.

                                                                                  “Blaming individuals for structural problems simply lets suppliers shirk any responsibility they should have to society.”

                                                                                  Or the individuals can buy from different suppliers highlighting why they’re doing it. Other individuals can start companies responding to that massive stated demand. The existing vendors will pivot their operations. Things start shifting. It won’t happen without people willing to buy it. Alternatively, using regulation as you mentioned. I don’t know how well public education can help vs all the money put into advertising. The latter seems more powerful.

                                                                                  “(As an aside, I appreciate your response and it’s both useful and stimulating to hear your points)”

                                                                                  Thanks. Appreciate you challenging it so I think harder on and improve it. :)

                                                                              2. 2

                                                                                Only consumers with the means to consume ‘ethically’ are able to do so, and thus shame people with less money for being the problem.

                                                                                This is ignoring reality, removing cheaper options does not make the other options cheaper to manufacture. It is not shaming people.

                                                                                You are also ignoring the fact that in a free country the consumers and producers are the same people. A dissatisfied consumer can become a producer of a new alternative if they see it as possible.

                                                                              3. 3

                                                                                Exactly. The consumers could be doing more on issues like this. They’re complicit or actively contribute to the problems.

                                                                                For example, I use old devices for as long as I can on purpose to reduce waste. I try to also buy things that last as long as possible. That’s a bit harder in some markets than others. For appliances, I just buy things that are 20 years old. They do the job and usually last 10 more years since planned obsolescence had fewer tricks at the time. ;) My smartphone is finally getting unreliable on essential functions, though. Bout to replace it. I’ll donate, reuse, or recycle it when I get new one.

                                                                                On PC side, I’m using a backup whose age I can’t recall with a Celeron after my Ubuntu Dell w/ Core Duo 2 died. It was eight years old. Attempting to revive it soon in case it’s just HD or something simple. It’s acting weird, though, so might just become a box for VM experiments, fuzzing, opening highly-untrustworthy URLs or files, etc. :)

                                                                              4. 7

                                                                                Capitalism is killing us in a very literal sense by destroying our habitat at an ever accelerating rate

                                                                                Which alternatives would make people happier to consume less – drive older cars, wear rattier clothing, and demand fewer exotic vacations? Because, really, that’s the solution to excessive use of the environment: Be happier with less.

                                                                                Unfortunately, greed has been a constant of human nature far too long for capitalism to take the blame there.

                                                                                1. 9

                                                                                  Which alternatives would make people happier to consume less – drive older cars, wear rattier clothing, and demand fewer exotic vacations?

                                                                                  Why do people want new cars, the latest fashions, and exotic vacations in the first place? If it’s all about status and bragging rights, then it’s going to take a massive cultural shift that goes against at least two generations’ worth of cultural programming by advertisers on the behalf of the auto, fashion and travel industries.

                                                                                  I don’t think consumerism kicked into high gear until after the end of World War II when modern advertising and television became ubiquitous, so perhaps the answer is to paraphrase Shakespeare:

                                                                                  The first thing we do, let’s kill all the advertisers.

                                                                                  OK, maybe killing them (or encouraging them to off themselves in the tradition of Bill Hicks) is overkill. Regardless, we should consider the possibility that advertising is nothing but private sector psyops on behalf of corporations, and should not be protected as “free speech”.

                                                                                  1. 2

                                                                                    If there was an advertising exception for free speech, people would use it as an unprincipled excuse to ban whatever speech they didn’t like, by convincing the authorities to classify it as a type of advertising. After all, most unpopular speech is trying to convince someone of something, right? That’s what advertising fundamentally is, right?

                                                                                    Remember that the thing that Oliver Wendell Holmes called “falsely shouting fire in a crowded theater” wasn’t actually shouting “fire” in an actual crowded theater - it was a metaphor he used to describe protesting the military draft.

                                                                                    1. 9

                                                                                      I agree: there shouldn’t be an advertising exception on free speech. However, the First Amendment should only apply to homo sapiens or to organisms we might eventually recognize as sufficiently human to possess human rights. Corporations are not people, and should not have rights.

                                                                                      They might have certain powers defined by law, but “freedom of speech” shouldn’t be one of them.

                                                                                  2. 3

                                                                                    IMO, Hedonistic adaptation is a problem and getting worse. I try to actively fight against it.

                                                                                    1. 2

                                                                                      It would be a start if we designed cities with walking and public transportation in mind, not cars.

                                                                                      My neighborhood is old and walkable. I do shopping on foot (I have a bicycle but don’t bother with it). For school/work, take a single bus and a few minutes walking. Getting a car would be a hassle, I don’t have a place to park it, and I’d have to pay large annual fees for rare use.

                                                                                      Newer neighborhoods appear to be planned with the idea that you’ll need a car for every single task. “Residential part” with no shops at all, but lots of room for parking. A large grocery store with a parking lot. Even train stations with a large parking lot, but no safe path for pedestrians/cyclists from the nearby neighborhoods.

                                                                                    2. 4

                                                                                      The new features on phones are so fucking stupid as well. People are buying new phones to get animated emojis and more round corners. It’s made much worse with phone OEMs actively making old phones work worse by slowing them down.

                                                                                      1. 7

                                                                                        There has been no evidence to my knowledge that anyone is slowing old phones down. This continues to be an unfounded rumor

                                                                                        1. 2

                                                                                          There’s also several Lobsters that have said Android smartphones get slower over time at a much greater rate than iPhones. I know my Galaxy S4 did. This might be hardware, software bloat, or whatever. There’s phones it’s happening on and those it isn’t in a market where users definitely don’t want their phones slowing down. So, my theory on Android side is it’s a problem they’re ignoring on purpose or even contributing to due to incentives. They could be investing money into making the platform much more efficient across devices, removing bloat, etc. They ain’t gonna do that.

                                                                                          1. 3

                                                                                            Android smartphones get slower over time at a much greater rate than iPhones.

                                                                                            In my experience, this tends to be 3rd party apps that start at boot and run all the time. Factory reset fixes it. Android system updates also make phones faster most of the time.

                                                                                            1. 1

                                                                                              Hmm. I’ll try it since I just backed everything up.

                                                                                              1. 3

                                                                                                I’m still using a Nexus 6 I got ~2.5 years ago. I keep my phone pretty light. No Facebook or games. Yet, my phone was getting very laggy. I wiped the cache (Settings -> Storage -> Cached data) and that seemed to help a bit, but overall, my phone was still laggy. It seemed to get really bad in my text messaging app (I use whatever the stock version is). I realized that I had amassed a lot of text messages over the years, which includes quite a lot of gifs. I decided to wipe my messages. I did that by installing “SMS Backup & Restore” and telling it to delete all of my text messages, since apparently the stock app doesn’t have a way to do this in bulk. It took at least an hour for the deletion to complete. Once it was done, my phone feels almost as good as new, which makes me really happy, because I really was not looking forward to shelling out $1K for a Pixel.

                                                                                                My working theory is that there is some sub-optimal strategy in how text messages are cached. Since I switch in and out of the text messaging app very frequently, it wouldn’t surprise me if I was somehow frequently evicting things from memory and causing disk reads, which would explain why the lag impacted my entire phone and not just text messages. But, this is just speculation. And a factory reset would have accomplished the same thing (I think?), so it’s consistent with the “factory reset fixes things” theory too.

                                                                                                My wife is still on a Nexus 5 (great phone) and she has a similar usage pattern as me. Our plan is to delete her text messages too and see if that helps things.

                                                                                                Anyway… I realize this basically boils down to folk remedies at this point, but I’m just going through this process now, so it’s top of mind and figured I’d share.

                                                                                                1. 2

                                                                                                  I’ll be damned. I backed up and wiped the SMS, nothing else. The phone seems like it’s moving a lot snappier. Literally a second or two of delay off some things. Some things are still slow but maybe app just is. YouTube always has long loading time. The individual videos load faster now, though.

                                                                                                  Folk remedy is working. Appreciate the tip! :)

                                                                                                  1. 2

                                                                                                    w00t! Also, it’s worth mentioning that I was experiencing much worse delay than a second or two. Google Nav would sometimes lock up for many seconds.

                                                                                                    1. 1

                                                                                                      Maps seems OK. I probably should’ve been straight-up timing this stuff for better quality of evidence. Regardless, it’s moving a lot faster. Yours did, too. Two strong anecdotes so far on top of factory reset. Far as we know, even their speed gains might have come from SMS clearing mostly that the reset did. Or other stuff.

                                                                                                      So, I think I’m going to use it as is for a week or two to assess this change plus get a feel for a new baseline. Then, I’ll factory reset it, reinstall some apps from scratch, and see if that makes a difference.

                                                                                                      1. 2

                                                                                                        Awesome. Please report back. :-)

                                                                                                        1. 2

                                                                                                          I’ll try to remember to. I’m just still stunned it wasn’t 20 Chrome tabs or all the PDF’s I download during the day. Instead, text messages I wasn’t even using. Of all things that could drag a whole platform down…

                                                                                                          1. 2

                                                                                                            Sms is stored on the SIM card, right? That’s probably not got ideal I/O characteristics…

                                                                                                            1. 1

                                                                                                              I thought the contacts were but messages were on phone. I’m not sure. The contacts being on there could have an effect. I’d have hoped they cached a copy of SIM contents onto in-phone memory. Yeah, SIM access could be involved.

                                                                                                  2. 2

                                                                                                    Now, that’s fascinating. I don’t go in and out of text a lot but do have a lot of text messages. Many have GIF’s. There’s also at least two other apps that accumulate a lot of stuff. I might try wiping them. Btw, folk remedies feel kind of justified when we’re facing a complex, black-box system with nothing else to go on. ;)

                                                                                            2. 2

                                                                                              Official from apple: https://www.apple.com/au/iphone-battery-and-performance/

                                                                                              They slow phones with older batteries but don’t show the user any indication that it can be fixed very cheaply by replacing the battery (Until after the recent outrage) and many of them will just buy a new phone and see it’s much faster.

                                                                                              1. 12

                                                                                                Wow, so much to unpack here.

                                                                                                You said they slow old phones down. That is patently false. New versions of iOS are not made to run slowly on older model hardware.

                                                                                                Apple did not slow phones down with old batteries. They throttled the CPU of phones with failing batteries (even brand new ones!) to prevent the phone from crashing due to voltage drops. This ensured the phone was still functional even if you needed your phone in an emergency. Yes it was stupid there was no notification to the user. This is no longer relevant because they now provide notifications to the user. This behavior existed for a short period of time in the lifespan of the iPhone: less than 90 days between introduction of release with throttling and release with controls to disable and notifications to users.

                                                                                                Please take your fake outrage somewhere else.

                                                                                                1. 5

                                                                                                  Apple did not slow phones down with old batteries. They throttled the CPU of phones with failing batteries (even brand new ones!) to prevent the phone from crashing due to voltage drops.

                                                                                                  In theory this affects new phones as well, but we know that as batteries grow older, they break down, hold less charge, and have a harder time achieving their design voltage. So in practice, this safety mechanism for the most part slows down older phones.

                                                                                                  You claim @user545 is unfairly representing the facts by making Apple look like this is some evil ploy to increase turnover for their mobile phones.

                                                                                                  However, given the fact that in reality this does mostly make older phones seem slower, and the fact that they put this in without ever telling anyone outside Apple and not allowing the user to check their battery health and how it affected the performance of their device, I feel like it requires a lot more effort not to make it look like an intentional decision on their part.

                                                                                                  1. 2

                                                                                                    Sure, but if you have an old phone with OK batteries, then their code did not slow it down. So I think it is still more correct to say they slowed down those with bad batteries than those that were old even if most of those with bad batteries were also bad which really depended on phone’s use.

                                                                                                    The difference is not just academic. For example I have “inherited” iPhone6 from my wife that still has a good battery after more than 2 years and performs fine.

                                                                                                    1. 2

                                                                                                      the fact that they put this in without ever telling anyone outside Apple

                                                                                                      It was in the release notes of that iOS release…

                                                                                                      edit: additionally it was known during the beta period in December. This wasn’t a surprise.

                                                                                                      1. 1

                                                                                                        Again, untrue. The 11.2 release notes make no mention of batteries, throttling, or power management. (This was the release where Apple extended the throttling to the 7 series of phones.) The 10.2.1 release notes, in their entirety, read thus:

                                                                                                        iOS 10.2.1 includes bug fixes and improves the security of your iPhone or iPad. It also improves power management during peak workloads to avoid unexpected shutdowns on iPhone.

                                                                                                        That does not tell a reader that long-term CPU throttling is taking place, that it’s restricted to older-model iPhones only, that it’s based on battery health and fixable with a new battery (not a new phone), etc. It provides no useful or actionable information whatsoever. It’s opaque and frankly deceptive.

                                                                                                        1. 0

                                                                                                          You’re right, because I was mistaken and the change was added in iOS 10.2.1, 1/23/2017

                                                                                                          https://support.apple.com/kb/DL1893?locale=en_US

                                                                                                          It also improves power management during peak workloads to avoid unexpected shutdowns on iPhone.

                                                                                                          A user on the day of release:

                                                                                                          Hopefully it fixes the random battery shutoff bug.

                                                                                                          src: https://forums.macrumors.com/threads/apple-releases-ios-10-2-1-with-bug-fixes-and-security-improvements.2028992/page-2#post-24225066

                                                                                                          additionally in a press release:

                                                                                                          In February 2017, we updated our iOS 10.2.1 Read Me notes to let customers know the update ‘improves power management during peak workloads to avoid unexpected shutdowns.’ We also provided a statement to several press outlets and said that we were seeing positive results from the software update.

                                                                                                          Please stop trolling. It was absent from the release notes for a short period of time. It was fixing a known issue affecting users. Go away.

                                                                                                          1. 4

                                                                                                            Did you even read the comment you are responding to? I quoted the 10.2.1 release notes in full–the updated version–and linked them too. Your response is abusive and in bad faith, your accusations of trolling specious.

                                                                                                            1. [Comment removed by moderator pushcx: We've never had cause to write a rule about doxxing, but pulling someone's personal info into a discussion like this to discredit them is inappropriate.]

                                                                                                              1. 2

                                                                                                                I don’t hate Apple. I’m not going to sell my phone because I like it. The battery is even still in good shape! I wish they’d been a little more honest about their CPU throttling. I don’t know why this provokes such rage from you. Did you go through all my old comments to try to figure out what kind of phone I have? Little creepy.

                                                                                                                1. 2

                                                                                                                  I’m not angry about anything here. It’s just silly that such false claims continue to be thrown around about old phones intentionally being throttled to sell new phones. Apple hasn’t done that. Maybe someone else has.

                                                                                                                  edit: it took about 30 seconds to follow your profile link to your website -> to Flickr -> to snag image metadata and see what phone you own.

                                                                                                    2. -3

                                                                                                      They throttled the CPU of phones with failing batteries (even brand new ones!)

                                                                                                      This is untrue. They specifically singled out only older-model phones for this treatment. From the Apple link:

                                                                                                      About a year ago in iOS 10.2.1, we delivered a software update that improves power management during peak workloads to avoid unexpected shutdowns on iPhone 6, iPhone 6 Plus, iPhone 6s, iPhone 6s Plus and iPhone SE. [snip] We recently extended the same support to iPhone 7 and iPhone 7 Plus in iOS 11.2.

                                                                                                      In other words, if you buy an iPhone 8 or X, no matter what condition the battery is in, Apple will not throttle the CPU. (In harsh environments–for example, with lots of exposure to cold temperatures–it’s very plausible that an 8 or X purchased new might by now have a degraded battery.)

                                                                                                      1. 2

                                                                                                        You are making a claim without any data to back it up.

                                                                                                        Can you prove that the batteries in the new iPhones suffer voltage drops when they are degraded? If they use a different design with more/smaller cells then AIUI they would be significantly less likely to have voltage drops when overall capacity is degraded.

                                                                                                        But no, instead you continue to troll because you have a grudge against Apple. Take your crap elsewhere. It’s not welcome here.

                                                                                                        1. 3

                                                                                                          You’re moving the goalposts. You claimed Apple is throttling the CPU of brand new phones. You were shown this to be incorrect, and have not brought any new info to the table. Your claim that the newer phones might be designed so as to not require throttling is irrelevant.

                                                                                                          Please don’t accuse (multiple) people of trolling. It reflects poorly on yourself. All are welcome here.

                                                                                                          1. 3

                                                                                                            You can buy a brand new phone directly from Apple (iPhone 6S) with a faulty battery and experience the throttling. I had this happen.

                                                                                                  2. 1

                                                                                                    Google services update in the background even when other updates are disabled. Even if services updates are not intended to slow down the phone, they still do.

                                                                                                  3. 3

                                                                                                    The new features on phones are so fucking stupid as well.

                                                                                                    I think the consumer who pays for it is stupid.

                                                                                                    1. 3

                                                                                                      It’s both. The user wants something new every year and OEMs don’t have anything worthwhile each year so they change things for the sake of change like adding rounded corners on the LCD or cutting a chunk out of the top. It makes it seem like something is new and worth buying when not much worthwhile has actually changed.

                                                                                                      1. 4

                                                                                                        I think companies would always take the path of least resistance that works. If consumers didn’t fall for such stupid tricks the companies that did them would die off.

                                                                                                  4. 2

                                                                                                    Yep. I guess humanity’s biggest achievement will be to terraform itself out of existence.

                                                                                                    This planet neither bargains nor cares about this civilization’s decision-making processes. It will keep flying around the sun for a while, with or without humans on it.

                                                                                                    I’m amazed by the optimism people display in response to pointing out that the current trajectory of climate change makes it highly unlikely that our great-grandchildren will ever be born.

                                                                                                    1. 2

                                                                                                      The list is endless, and it all comes down to the American ethos that making money is a sacred right that trumps all other concerns.

                                                                                                      s/American/human

                                                                                                      You can’t fix a problem if you misunderstand what causes it.

                                                                                                      1. 5

                                                                                                        Ideology matters, and America has been aggressively promoting toxic capitalist ideology for many decades around the world. Humans aren’t perfect, but we can recognize our problems and create systems around us to help mitigate them. Capitalism is equivalent of giving a flamethrower to a pyromaniac.

                                                                                                        1. 3

                                                                                                          If you want to hash out how “toxic capitalism” is ruining everything, that’s fine–I’m just observing that many other countries (China, Germany, India, Mozambique, Russia, etc.) have done things that, to me at least, dispel the notion of toxic capitalism as purely being American in origin.

                                                                                                          And to avoid accusations of whataboutism, the reason I point those other countries out is that if a solution is put forth assuming that America is the problem–and hence itself probably grounded in approaches unique to an American context–it probably will not be workable in other places.

                                                                                                          1. 2

                                                                                                            Nobody is saying that capitalism alone is the problem or that it’s unique to America. I was saying that capitalism is clearly responsible for a lot of harm, and that America promotes it aggressively.

                                                                                                            1. 0

                                                                                                              Don’t backpedal. You wrote:

                                                                                                              The list is endless, and it all comes down to the American ethos that making money is a sacred right that trumps all other concerns.

                                                                                                              As to whether or not capitalism is clearly responsible for a lot of harm, it’s worth considering what the alternatives have accomplished.

                                                                                                              1. 0

                                                                                                                Nobody is backpedaling here, and pointing at other failed systems saying they did terrible things too isn’t much of an argument.

                                                                                                    1. 5

                                                                                                      Working remote requires trust. Trust can be built by long-term commitment, real interest and care for your (language) community. Trust is often transitive: people there can recommend you, so that it’s easier for you to work remotely. Try to get closer to people who have talent: don’t pretend you’re interested if you’re not, don’t try to seduce them. Don’t try to be the brilliant jerk. Get better. Help people. Don’t pretend to be someone else, try to focus on what you like most, and learn to like what you need. Choose to get closer to good team players, avoid your local brilliant jerk. Pair program with them on open source projects. Add value. Target exotic yet super efficient functional languages, i.e. Elm if you’re focusing on web technologies. Be pragmatic. Once you’re rewarded by trust and perhaps a remote position, stay with them, take care of newbies. As a bonus: such a community also helps a lot on the social side of working remotely - that’s not easy for everyone.

                                                                                                      1. 2

                                                                                                        Trust can be built by long-term commitment, real interest and care for your (language) community.

                                                                                                        That’s a really interesting point, thank you. I don’t think I’ve ever really been involved in a language community since I stopped using Perl, some years ago. I don’t see much community in my current areas.

                                                                                                        Don’t pretend to be someone else, try to focus on what you like most, and learn to like what you need.

                                                                                                        I’m good at the first two - that’s how I’ve ended up where I am. Now it sounds like I’ll have to learn to like something different. That isn’t necessarily bad though, different can be good.

                                                                                                        Target exotic yet super efficient functional languages, i.e. Elm if you’re focusing on web technologies.

                                                                                                        I would love to do that. I worry that if I target the exotic, I reduce my job opportunities too much. Perhaps this worry is unfounded.

                                                                                                        1. 2

                                                                                                          I worry that if I target the exotic, I reduce my job opportunities too much. Perhaps this worry is unfounded.

                                                                                                          I think it cuts both ways. There are fewer jobs in “exotic” languages, but that also usually means fewer (or no) local experienced candidates (especially for employers outside of Silicon Valley), so companies are forced to be a little more creative. If you’re writing Java or Ruby, it’s harder to stand out from the local talent pool. Also, I suspect employers who are more willing to try exotic languages are also more willing to try exotic working arrangements like distributed teams.

                                                                                                          1. 1

                                                                                                            Another way to state “learn to like what you need” is “take care of yourself”. I don’t think that’s optional. :)

                                                                                                            Exotic and efficient languages indeed narrow down job opportunities. It’s not a problem if you can count on trust, and it can even be an advantage WRT your income.

                                                                                                        1. 1

                                                                                                          I’ve been to Strange Loop twice and hope to make it again this year–highly recommended if you haven’t been. (Full disclosure: I know some of the organizers.) I’m also attending !!Con next weekend for the first time–not sure what to expect, but it seemed interesting, tickets were cheap, and it’s local to me.

                                                                                                          1. 39

                                                                                                            I don’t understand the author’s objection to Outreachy. As far as I can tell, they want to fund some interns from marginalized groups so that they can work on open-source. They are not preventing the author from working on open-source. They are not preventing the author from funding interns he approves of from working on open-source. What is the problem?

                                                                                                            1. 22

                                                                                                              Outreachy funds members of specific minority groups and would not fund a cisgender white guy’s internship. He decries this as discrimination.

                                                                                                              On this topic, the term discrimination has differing interpretations and it’s very easy for folks to talk past each other when it comes up. It sounds he’s using it in a way that means disfavoring people based on the sex or race they belong to. Another popular definition is that it only applies to actions taken against groups that have been historically discriminated against. This use gets really strong pushback from people who disagree with the aims or means of projects like Outreachy as begging the question, making an assumption that precludes meaningful discussion of related issues.

                                                                                                              1. 4

                                                                                                                It’s not only that Outreachy would not fund a cisgender white guy’s internship. Outreachy also would not fund an Asian minority’s internship. The Asian minority is a group that has been historically discriminated against. Outreachy is discriminating against a specific minority. In summary, Outreachy is simply discriminating; it is not using an alternative definition of discrimination.

                                                                                                                (Might be relevant: I am Asian.)

                                                                                                                1. 7

                                                                                                                  I asked Karen Sandler. This is the reason for the selection of groups:

                                                                                                                  <karenesq> JordiGH: I saw the lobsters thread. the expansion within the US to the non-gender related criteria was based on the publication by multiple tech companies of their own diversity statistics. We just expanded our criteria to the groups who were by far the least represented.

                                                                                                                  1. 2

                                                                                                                    Thanks a lot for clarifying this with Karen Sandler!

                                                                                                                    I think this proves beyond any shade of doubt that Outreachy is concerned with not historical injustice, but present disparity.

                                                                                                                  2. 3

                                                                                                                    He had a pretty fair description of where the disputes were coming from. Far as what you’re saying on Outreachy, the Asian part still fits into it as even cultural diversity classes I’ve seen say the stereotypes around Asians are positive for stuff like being smart or educated. Overly positive to the point that suicide due to pressure to achieve was a bit higher according to those sources. There’s lots of Asians brought into tech sector due to a mix of stereotypes and H1-B. The commonness of white males and Asians in software development might be why they were excluded with the white males. That makes sense to me if I look at it through the view they likely have of who is privileged in tech.

                                                                                                                    1. 3

                                                                                                                      Yes, it makes sense that way, but it does not make sense in the “historical discrimination” sense pushcx argued. I believe this is evidence that these organizations are concerned with the present disparity, not with the history. Therefore, I believe they should cease to (dishonestly, I think) argue the history argument.

                                                                                                                    2. 2

                                                                                                                      Well, if you were a woman or identified as one they would accept you, regardless if you were Asian or not. I do wonder why they picked to outreach to the particular groups they picked.

                                                                                                                      And you have to pick some groups. If you pick none/all, then you’re not doing anything different than GSoC, and there already is a GSoC, so there would be no point for Outreachy.

                                                                                                                      1. 1

                                                                                                                        You can pick groups that have been historically discriminated against, as pushcx suggested. Outreachy chose otherwise.

                                                                                                                        1. 2

                                                                                                                          To nitpick, I was talking about the term “discrimination” because I’ve seen it as a source of people talking past each other, not advocating for an action or even a particular definition of the term. Advocating my politics would’ve compromised my ability to effectively moderate, though incorrect assumptions were still made about the politics of the post I removed and that I did so out of disagreement, so… shrug

                                                                                                                  3. 49

                                                                                                                    For those who are used to privilege, equality feels like discrimination.

                                                                                                                    1. 18

                                                                                                                      I think the author’s point is that offering an internship for only specific groups is discrimination. From a certain point of view, I understand how people see it that way. I also understand how it’s seen as fair. Whether that’s really discrimination or not is up for debate.

                                                                                                                      What’s not up for debate is that companies or people should be able to give their money however they feel like it. It’s their money. If a company wants to only give their money to Black Africans from Phuthaditjhaba, that’s their choice! Fine by me!

                                                                                                                      Edit: trying to make it clear I don’t want to debate, but make the money point.

                                                                                                                      1. 18

                                                                                                                        It is discrimination, that’s what discrimination means. But that doesn’t automatically make it unfair or net wrong.

                                                                                                                        1. 12

                                                                                                                          The alternative is inclusive supply plus random selection. You identify the various groups that exist. Go out of your way to bring in potential candidates of a certain number in each one. The selection process is blind. Whoever is selected gets the help. Maybe auditable process on top of that. This is a fair process that boosts minorities on average to whatever ratio you’re doing the invite. It helps whites and males, too.

                                                                                                                          That’s the kind of thing I push. Plus, different ways to improve the blindness of the evaluation processes. That is worth a lot of research given how much politics factors into performance evaluations in workplaces. It affects everyone but minority members even more per the data. Those methods, an equal pull among various categories, and blind select are about as fair as it gets. Although I don’t know exact methods, I did see GapJumpers describing something that sounds closer to this with positive results. So, the less-discriminating way of correcting imbalances still achieves that goal. The others aren’t strictly necessary.

                                                                                                                          The next scenario is specific categories getting pulled in more than everyone with organizations helping people in the other ones exclusively to boost them. That’s what’s going on here. Given the circumstances, I’m not going to knock them even if not as fair as other method. They’re still helping. It looks less discriminatory if one views it at a high level where each group addresses those they’re biased for. I did want to show the alternative since it rarely gets mentioned, though.

                                                                                                                          1. 13

                                                                                                                            I really agree with this. I was with a company who did a teenage code academy. I have a masters, and did a lot of work tutoring undergrads and really want to get back into teaching/academia.

                                                                                                                            I wanted to teach, but was actually pushed down the list because they wanted to give teaching positions to female staff first. I was told I could take a support role. The company also did a lot of promotion specifically to all-girls schools to try to pull women in. They had males in the classes too, but the promotion was pretty biased.

                                                                                                                            Also I want to point out that I had a stronger teaching background/qualifications than some of the other people put in those positions.

                                                                                                                            I’m for fairness and giving people opportunity, but I feel as if efforts to stop discrimination just lead to more discrimination. The thing is, we’re scientists and engineers. We know the maths. We can come up with better ways to pull in good random distributions of minorities/non-minorities and don’t have to resort to workshops that promote just another equal but opposite mono-culture. If anything you do potential developers a disservice by having workshops that are only women instead of half-and-half. You get a really one sided narrative.

                                                                                                                            1. 9

                                                                                                                              I appreciate you sharing that example. It mirrors some that have happened to me. Your case is a good example of sexism against a man who might be more qualified than a woman being hired based on gender. I’ll also note that so-called “token hires” are often treated poorly once they get in. I’ve seen small organizations where that’s not true since the leadership just really believed in being good to people and bringing in different folks. They’re rare. Most seem to be environments people won’t want to be in since conflict or resentment increases.

                                                                                                                              In your case and most of those, random + blind selection might have solved the problem over time without further discrimination or resentment. If process is auditable, everyone knows the race or gender part gave everyone a fair shot. From there, it was performance. That’s a meaningful improvement to me in reducing the negative effects that can kick in when correcting imbalances. What I will say, though, is I don’t think we can always do this since performance in some jobs is highly face-to-face, based on how groups perceive the performer, etc. I’m still uncertain if something other than quotas can help with those.

                                                                                                                              Most jobs I see people apply for can be measured, though. If it can be measured, it can sometimes already be blinded or may be measured blindly if we develop techniques for that.

                                                                                                                              1. 3

                                                                                                                                I agree with these comments, plus, thanks for sharing a real life example. We are definitely fighting discrimination with more discrimination doing things the current way. For a bit I’ve thought that a blind evaluation process would be best. It may not be perfect, but it seems like a step in a better direction. It’s encouraging to see other people talking about it.

                                                                                                                                One other thought: I think we as a society are handling race, gender, age, etc. problems wrong. Often, it’s how a certain group ‘A’ has persecuted another group ‘B’. However, this isn’t really fair for the people in group ‘A’ that have nothing to do with what the other people are doing. Because they share the same gender/race/whatever, they are lumped in. Part of this seems to be human nature, and it’s not always wrong. But maybe fighting these battles in more specific cases would help.

                                                                                                                              2. 5

                                                                                                                                I think the problem here is that whites and males don’t need extra help. They already get enough help from their position in society. Sure, equal distribution sounds great, but adding an equal amount to everyone doesn’t make them equal; it doesn’t nullify the discrepancy that was there before. Is it good to do so? Yes, of course, but it would be better served and better for society to focus on helping those without built-in privilege to counteract the advantage that white males have.

                                                                                                                                1. 9

                                                                                                                                  There are lots of people in bad situations who are white and male. Saying someone’s race and gender determines how much help they have had in life seems both racist and sexist.

                                                                                                                                  1. 2

                                                                                                                                    I’m not saying that it applies in all circumstances. But I am saying that they have a much larger support structure available to them, even if they didn’t get started on the same footing as other examples.

                                                                                                                                    It’s not directly because of their race and sex, it’s because of their privilege. That’s the fundamental difference.

                                                                                                                                    1. 6

                                                                                                                                      I don’t even know how much it matters if it was true. Especially in rural or poor areas of white people. Their support structure is usually some close friends, family, people they live with, and so on. Often food stamps, too. Their transportation or Internet might be unreliable. Few jobs close to them. They have to pack up and leave putting themselves or their family into the unknown with about no money to save for both the move and higher cost of living many areas with more jobs will entail. Lots of drug abuse and suicide among these groups relative to whites in general. Most just hope they get a decent job where management isn’t too abusive and the lowish wages cover the bills. Then, you talk about how they have “a much larger support structure available to them” “because of their privilege.” They’d just stare at you blinking wondering what you’re talking about.

                                                                                                                                      Put Your Solutions Where Your Ideology Is

                                                                                                                                      Since you talk about advantages of privilege and support structures, I’m curious what you’d recommend to a few laypeople in my white family who will work, have basic to good people skills, and are non-technical. They each have a job in an area where there aren’t lots of good jobs. They make enough money to make rent. I often have trouble contacting them because they “have no minutes” on their phones. The areas they’re in have no wired Internet directly to renters (i.e. pay extra for crap), satellite, spotty connections, or they can’t afford it. Some have transportation, others lost theirs as it died with four digit repairs eclipsing 1-2 digits of surplus money. All their bosses exploit them to whatever extent possible. All the bosses underschedule them where the work couldn’t get done then try to work them to death to do it. The schedules they demand are horrible with at least two of us having schedules that shift anywhere from morning to evening to graveyard shift in mid-week. It kills people slowly over time. Meanwhile, mentally drains them in a way that prevents them learning deep stuff that could get them in good jobs. Most of them and their friends feel like zombies due to scheduling with them just watching TV, chilling with friends/family, or something otherwise comfortable on off days. This is more prevalent as companies like Khronos push their optimizations into big businesses with smaller ones following suit. Although not among current family now, many of them in the past worked 2-3 jobs with about no time to sleep or have fun just to survive. Gets worse when they have an infant or kids.

                                                                                                                                      This is the kind of stuff common among poor and working classes throughout America, including white people. Is this the average situation of you, your friends, and/or most white males or females you know of? These people “don’t need help?” I’m stretching my brain to try to figure out how what you’re saying fits their situation. In my view, they don’t have help so much as an endless supply of obstacles ranging from not affording bills to their evil bosses whose references they may depend on to police or government punishing them with utility bill-sized tickets for being poor. What is your specific recommendation for white people without any surplus of money, spotty Internet, unreliable transportation, and heavily-disrupted sleep?

                                                                                                                                      Think quickly, too, because white people in these situations aren’t allowed much time to think between their stressful jobs (often multiple) and families to attend to. Gotta come up with solutions about on instinct. Just take the few minutes of clarity a poor, white person might have to solve a problem while in the bathroom or waiting in line at a store. It’s gotta work with almost no thought, energy, savings, or credit score. What you got? I’ll pass it on to see if they think it’s hopeful or contributes to the entertainment for the day. Hope and entertainment is about the most I can give to the person I’m visiting Saturday since their “privilege” hasn’t brought them much of anything else.

                                                                                                                                      1. 2

                                                                                                                                        I’m not saying that it’s applicable in every situation; I am specifically talking about the tech industry. I don’t think it’s about prejudice in this case. I think it’s about fixing the tech culture, which white males have an advantage in, regardless of their economic background. White males don’t always have privilege, that would be a preposterous claim. But it’s pretty lopsided in their favor.

                                                                                                                                        1. 2

                                                                                                                                          “I am specifically talking about the tech industry.”

                                                                                                                                          It’s probably true if narrowed to tech industry. It seems to favor white and Asian males at least in bottom roles. Gets whiter as it goes up. Unfortunately, they also discriminate more heavily on age, background, etc. They want us in there for the lower-paying stuff but block us from there in a lot of areas. It’s why I recommend young people considering tech avoid it if they’re worried about age discrimination or try to move into management at some point. Seems to reduce the risk a bit.

                                                                                                                                        2. 2

                                                                                                                                          Your comment is a great illustration of the danger of generalizing things on the basis of race or gender, mistakenly classifying a lot of people as “privileged”. Ideally, the goal of a charity should be to help unprivileged people in general, for whatever reason they are unprivileged, not because of their race or gender.

                                                                                                                                        3. 4

                                                                                                                                          “It’s not directly because of their race and sex, it’s because of their privilege. That’s the fundamental difference.”

                                                                                                                                          But that’s not a difference to other racist/sexist/discriminatory thinking at all. Racists generally don’t dislike black people because they’re black. They think they’re on average less intelligent, undisciplined, whatever, and that this justifies discriminating against the entirety of black people, treating individuals primarily as a product of their group membership.

                                                                                                                                          You’re doing the exact same thing, only you think “white people are privileged, they don’t need extra help” instead of “black people are dumb, they shouldn’t get good jobs”. In both cases the vast individual differences are ignored in favor of the superficial criteria of group membership. That is exactly what discrimination is.

                                                                                                                                          1. 2

                                                                                                                                            You’re right in that I did assume most white males are well off, and it is a good point that they need help too. However, I still think that the ideas of diversifying the tech industry are a worthy goal, and I think that having a dedicated organization that focuses on only the underrepresented groups is valuable. I just don’t think that white males have the same kind of cultural bias against them in participating in this industry that the demographics that Outreachy have, and counteracting that is Outreachy’s goal. Yes, they are excluding groups, but trying to help a demographic or collection of demographics necessarily excludes the other demographic. How could it work otherwise?

                                                                                                                                      2. 1

                                                                                                                                        Why exclude Asians then? Do Asians also already get enough help from their position in society?

                                                                                                                                        1. 5

                                                                                                                                          Asians are heavily overrepresented in tech. To be fair, the reason we are overrepresented in tech (as in medicine) is likely because software development (like medicine) is an endeavour that requires expertise in challenging technical knowledge to be successful, which means that (unlike Hollywood) you can’t just stick with white people because there simply aren’t enough of them available to do all the work. So Asians who were shut out of other industries (like theatre) flocked to Tech. Black men are similarly overrepresented in the NBA but unfortunately the market for pro basketball players is a bit smaller than the market for software developers.

                                                                                                                                          1. 2

                                                                                                                                            Do they exclude Asians? I must have missed that one. I don’t think excluding that demographic is justified.

                                                                                                                                            1. 2

                                                                                                                                              “Do they exclude Asians?”

                                                                                                                                              Yes they do. Quoting Outreachy Eligibility Rules:

                                                                                                                                              “You live in the United States or you are a U.S. national or permanent resident living abroad, AND you are a person of any gender who is Black/African American, Hispanic/Latin@, Native American/American Indian, Alaska Native, Native Hawaiian, or Pacific Islander”

                                                                                                                                              In my opinion, this is carefully worded to exclude Asians without mentioning Asians, even going so far as mentioning Pacific Islander.

                                                                                                                                      3. 4

                                                                                                                                        It’s a simple calculus of opportunity. Allowing those who already have ample opportunity (i.e. white, cis, males) into Outreachy’s funding defeats the point of specifically targeting those who don’t have as much opportunity. It wouldn’t do anything to help balance the amount of opportunity in the world, which is Outreachy’s end goal here.

                                                                                                                                        It’s the author’s idea that they deserve opportunity which is the problem. It’s very entitled, and it betrays that the author can’t understand that they are in a privileged position that prevents them from receiving aid. It’s the same reason the wealthy don’t need tax cuts.

                                                                                                                                        1. 1

                                                                                                                                          Outreachy’s end goal seems to be balancing the amount of opportunity in the world for all, except for the Asian minority.

                                                                                                                                          1. 4

                                                                                                                                            Each of us gets to choose between doing good and doing best. The x is the enemy of the y. If Outreachy settles for acting against the worst imbalance (in its view) and leaving the rest that’s just their choosing good over best.

                                                                                                                                            You’re also confusing their present action with their end goals. Those who choose “best” work directly towards their end goal, but Outreachy is in the “good” camp. By picking a worst part of the problem and working on that part, they implicitly say that their current work might be done and there’ll still be work to do before reaching the end goal.

                                                                                                                                        2. 4

                                                                                                                                          What’s not up for debate is that companies or people should be able to give their money however they feel like it.

                                                                                                                                          That is debatable. But, I too think Outreachy is well within their rights.

                                                                                                                                        3. 6

                                                                                                                                          I’m not going to complain about discrimination in that organization since they’re a focused group helping people. It’s debatable whether it should be done differently. I’m glad they’re helping people. I will note that what you just said applies to minority members, too. Quick example.

                                                                                                                                          While doing mass-market, customer service (First World slavery), I ran an experiment treating everyone in a slightly-positive way with no differences in speech or action based on common events instead of treating them way better than they deserved like we normally did. I operated off a script rotating lines so it wasn’t obvious what I was doing. I did this with different customers in a new environment for months. Rather than appreciation, I got more claims of racism, sexism, and ageism then than I ever did at that company. It was clear they didn’t know what equal treatment or meritocracy felt like. So many individuals or companies must have spoiled them that experiencing equality once made them “know” people they interacted with were racist, sexist, etc. There were irritated people among white males but they just demanded better service based on brand. This happened with coworkers in some environments, too, when I came in not being overly selfless. The whites and males just considered me slightly selfish trading favors where a number of non-whites or women suspected it was because they were (insert category here). They stopped thinking that after I started treating them better than other people did and doing more of the work myself. So, it was only “equal” when the white male was doing more of the work, giving more service in one-way relationships, etc.

                                                                                                                                          I’d love to see a larger study done on that kind of thing to remove any personal or local biases that might have been going on. My current guess is that their beliefs about what racism or sexism are shifted their perceptions to mis-label the events. Unlike me, they clearly don’t go out of their way to look for more possibilities for such things. I can tell you they often did in the general case for other topics. They were smart or open-minded people. Enter politics or religion, the mind becomes more narrow showing people what they want to see. I spent most of my life in that same mental trap. It’s a constant fight to re-examine those beliefs looking at life experiences in different ways.

                                                                                                                                          So, I’m skeptical when minority members tell me something was about their status because I’ve personally witnessed them miscategorizing so many situations. They did it by default actually any time they encountered provable equality or meritocracy. Truth told, though, most things do mix forms of politics and merit leaning toward politics. I saw them react to a lot of that, too. I’m still skeptical since those situations usually have more political biases going on than just race or gender. I can’t tell without being there or seeing some data eliminating variables what caused whatever they tell me.

                                                                                                                                          1. 17

                                                                                                                                            So, in your anecdotal experience, other people’s anecdotal experience is unreliable? 😘

                                                                                                                                            1. 5

                                                                                                                                              You got jokes lol. :) More like I’m collecting this data on many views from each group to test my hypotheses whereas many of my opponents are suppressing alternative views in data collection, in interpretation, and in enforcement. Actually, it seems to be default on all sides to do something like that. Any moderate listening closely to those that disagree looking for evidence of their points is an outlier. Something wrong with that at a fundamental level.

                                                                                                                                              So, I then brought in my anecdotes to illustrate it given I never see them in opponents’ data or models. They might be wrong with their anecdotes right. I just think their model should include the dissent in their arguments along with reasons it does or doesn’t matter. The existence of dissent by non-haters in minority categories should be a real thing that’s considered.

                                                                                                                                            2. 3

                                                                                                                                              I think that the information asymmetry that you had with your anecdotes affected some of the reactions you got. For one, if someone considers your actions negative in some way, they are conditioned by society to assume that you were being prejudiced. If your workplace was one that had more of a negative connotation (perhaps a debt collection service or what have you) that goes double. That’s a reason for the perceived negativity that your white male colleagues didn’t even have to consider, and they concluded that you were just being moderately nice. Notice that you didn’t have to be specifically discriminatory, nor was it necessarily fair. It’s just one more negative thing that happens because prejudice does exist. I would imagine that you would not have so many negative reactions if you explained exactly what you were doing vis-a-vis the randomization of greetings and such. I think I would discount perceived discrimination if someone did that to me.

                                                                                                                                          2. 14

                                                                                                                                            Yes, it’s a ludicrous hissy fit. Especially considering that LLVM began at UIUC which, like many (most? all?) universities, has scholarships which are only awarded to members of underrepresented groups–so he’d have never joined the project in the first place if this were truly a principled stand and not just an excuse to whine about “the social injustice movement.” (I bet this guy thinks it’s really clever to spell Microsoft with a $, too.)

                                                                                                                                            1. 6

                                                                                                                                              That jab “Microsoft with a $” was really uncalled for. You have no evidence of this. Please stop.

                                                                                                                                              1. 6

                                                                                                                                                The point is a bit bluntly made, but it’s for a reason. There’s a certain kind of internet posting style which uses techniques like changing “social justice movement” to “social injustice movement” to frame the author’s point of view. Once upon a time “Micro$oft” was common in this posting style.

                                                                                                                                                For extreme cases of this, see RMS’ writing (Kindle=Swindle, etc).

                                                                                                                                                (The problem with these techniques, IMO, is that they’re never as clever and convincing as the person writing them thinks that they are. Maybe they appeal to some people who already agree with that point of view, but they can turn off anyone else…)

                                                                                                                                                1. 2

                                                                                                                                                  I think there is a difference here. “Microsoft” is not framing any point of view. “social justice movement”, on the other hand, is already framing a certain point of view. I think “social injustice movement” is an acceptable alternative to “so-called social justice movement”, because prefixing “so-called” every time is inconvenient.

                                                                                                                                            2. 0

                                                                                                                                              Without more info it seems like a persecution complex.

                                                                                                                                            1. 28

                                                                                                                                              After reading the article and many HN comments, I found the headline to be highly misleading as if they’re targeting Signal for their activities in fighting censorship. It’s actually more incidental. They’re targeting a fraudulent practice Signal is doing that violates terms of service. Signal is doing it for good reasons but others might not. Google and Amazon are trying to stop it wholesale. A proper headline might be that “Several providers threaten to suspend anyone doing ‘domain fronting’ via hacks, including us.” Average person reading something like that would think it sounds totally to be expected. A technical person liking Signal or not should also notice the MO is an operational inconsistency that shouldn’t exist in the first place.

                                                                                                                                              So, they’re not doing a bad thing given the situation. They’re just an apathetic, greedy party in a business context fixing a technical problem that some good folks were using to help some other good folks deal with evil parties in specific countries. Sucks for those specific people that they did it but they’re not aiming at Signal to stop their good deeds. They’re just addressing an infrastructure problem that affects anyone hacking around with their service. Like they should.

                                                                                                                                              I wish Signal folks the best finding another trick, though.

                                                                                                                                              1. 16

                                                                                                                                                I think the correct headline would be “AWS is fixing a bug allowing domain fronting and calling it Enhanced Domain Protections”. An analogous situation would be console homebrew people exploiting buffer overflows in Nintendo games. Of course Nintendo should fix them, and like you, I root for console homebrew people to find another one.

                                                                                                                                                1. 3

                                                                                                                                                  That’s another good one. It’s just a bug in their services. Them not fixing it would be more questionable to me.

                                                                                                                                                2. 9

                                                                                                                                                  “I found the headline to be highly misleading as if they’re targeting Signal for their activities in fighting censorship. It’s actually more incidental.”

                                                                                                                                                  And that’s why they immediately sent Signal an email containing a threat to close the account immediately, instead of a regretful email telling them that this will stop working due to abuse prevention measures.

                                                                                                                                                  1. 1

                                                                                                                                                    In my experience that’s generally how they treat literally any issue.

                                                                                                                                                  2. 5

                                                                                                                                                    “Signal is doing it for good reasons but others might not.”

                                                                                                                                                    I’m failing to think of a way to use domain fronting for a not good reason, especially one where the provider being fronted is still happy to host the underlying service.

                                                                                                                                                    1. 4

                                                                                                                                                      There is nothing fraudulent about domain fronting. Show me one court anywhere in the world which has convicted someone of fraud for domain fronting. That’s a near-libelous claim.

                                                                                                                                                      Can you provide an example of a “bad reason” for domain fronting?

                                                                                                                                                      As the article points out, the timing of Amazon’s decision relative to the publicity about Signal’s use of domain fronting suggests that Signal is in fact the likely intended target of this change, not incidental fallout.

                                                                                                                                                      The headline is accurate. Your comment really mischaracterizes what is happening.

                                                                                                                                                      1. 3

                                                                                                                                                        I meant it in the popular definition of lying while using something. Apparently, a lot of people agree its use isn’t what was intended, the domains supplied are certainly not them, and service providers might negatively react to that. It would probably be a contract law thing as a terms of use violation if it went to court. I’m not arguing anything more than that on the legal side. I’m saying he was doing something deceptive that they didn’t want him to do with their services. Big companies rarely care about the good intentions behind that.

                                                                                                                                                        “the timing of Amazon’s decision relative to the publicity about Signal’s use of domain fronting suggests that Signal is in fact the likely intended target of this change”

                                                                                                                                                        The article actually says he was bragging online in a way that reached highly-visible places like Hacker News about how he was tricking Amazon’s services for his purposes. Amazon employees stay reading these outlets partly to collect feedback from customers. I see the cloud people on HN all the time saying they’ll forward complaints or ideas to people that can take action. With that, I totally expected Amazon employees to be reading articles about him faking domains through Amazon services. Equally unsurprising that got to a decision-maker, technical or more lay person, who was worried about negative consequences. Then, knowing a problem and seeing a confession online by Signal author, they took action against a party they knew was abusing the system.

                                                                                                                                                        We can’t just assume a conspiracy against Signal looking for everything they could use against it with domain fronting being a lucky break for their evil plans. One they used against Signal while ignoring everyone else they knew broke terms of service using hacker-like schemes. If you’re insisting targeted, you’d be ignoring claims in the article supporting my position:

                                                                                                                                                        “A month later, we received 30-day advance notice from Google that they would be making internal changes to stop domain fronting from working entirely.

                                                                                                                                                        “a few days ago Amazon also announced what they are calling Enhanced Domain Protections for Amazon CloudFront Requests. It is a set of changes designed to prevent domain fronting from working entirely, across all of CloudFront.

                                                                                                                                                        It’s a known problem they and Google were apparently wanting to deal with across the board per his own article. Especially Google. They also have employees reading forums where Signal was bragging about exploiting the flaw for its purposes. I mean, what did you expect to happen? Risk-reducing, brand-conscious companies that want to deal with domain fronting were going to leave it on in general or for Signal since that one party’s deceptions were for good reasons according to claims on their blog?

                                                                                                                                                        Although I think that addresses it, I’m still adding one thing people in cryptotech-media-bubble might not consider: the manager or low-level employee who made the decision might not even know what Signal is. Most IT people I’ve encouraged to try it have never heard of it. If you explain what it does, esp trying to get things past the governments, then that would just further worry the average risk manager. They’d want a brick wall between the company’s operations and whatever legal risks the 3rd party is taking to reduce their own liabilities.

                                                                                                                                                        So, there are at least several ways employees would react this way, ranging from a general reaction to an abuse confession online to one with a summary of Signal about dodging governments. And then, if none of that normal stuff that happens every day at big firms applies, you might also think about Amazon targeting Signal specifically due to their full knowledge of what they’re doing plus secret, evil plans to help governments stop them. I haven’t gotten past the normal possibilities, though, with Amazon employees reading stuff online and freaking out being most likely so far.

                                                                                                                                                        1. 3

                                                                                                                                                          This rings true to me (particularly the middle-management banality-of-evil take), bar one nitpick:

                                                                                                                                                          The article actually says he was bragging online in a way that reached highly-visible places like Hacker News about how he was tricking Amazon’s services for his purposes.

                                                                                                                                                          How did you get that impression? The article states:

                                                                                                                                                          We’re an open source project, so the commit switching from GAE to CloudFront was public. Someone saw the commit and submitted it to HN. That post became popular, and apparently people inside Amazon saw it too.

                                                                                                                                                          I haven’t read the mentioned HN thread, but that hardly constitutes “bragging online”.

                                                                                                                                                          1. 2

                                                                                                                                                            I can’t remember why I originally said it. He usually blogs about his activities. I might have wrongly assumed they got it out of one of his technical write-ups or comments instead of a commit. If it was just a commit, then I apologize. Thanks for the catch regardless.

                                                                                                                                                      2. 3

                                                                                                                                                        “Service provider warns misbehaving customer to knock it off after repeated RFC violations.”

                                                                                                                                                      1. 9

                                                                                                                                                        Not sure I agree with the article. Sure, I’ve seen that kind of code before and it is mildly annoying, but most of the code I’ve seen uses proper structs or classes. It seems that people who like LISP always try to find “problems” in the language that make people not want to adopt it.

                                                                                                                                                        I actually think that the problem with LISP (i.e., Common Lisp) is that it is a language that stopped in time. As examples:

                                                                                                                                                        • There’s no reasonable package manager (I know of quicklisp, but it is not nearly as convenient as Rust’s Cargo, for example).
                                                                                                                                                        • No friendly language documentation. Hyperspec is complete, but it is in no way pleasant to use. I know there are efforts to improve it, but it would have to get at least close to Go/Rust documentation quality to attract people. Lack of examples is also a deal breaker.
                                                                                                                                                        • No centralised community. Pretty much everybody ends up reinventing the wheel, possibly due to the lack of a good package manager and docs.

                                                                                                                                                        Clojure is arguably successful, but it comes with the “cost” of being bound to the Java VM – which pretty much requires a PhD to properly tune.

                                                                                                                                                        1. 2

                                                                                                                                                          Hyperspec is complete, but it is in no way pleasant to use.

                                                                                                                                                          Funny, I find myself missing the Hyperspec every single day (I now write mostly Clojure). It remains the standard against which I judge most other documentation. (And I’m not sure what you mean when you say it doesn’t have examples; the Hyperspec page for defstruct has over a dozen separate examples of different uses.)

                                                                                                                                                          Yes, it’s unfortunate that there is no realistic way to change or grow the language, but as far as documenting what does exist in the standard the Hyperspec does a great job.

                                                                                                                                                        1. 6

                                                                                                                                                          I use Hugo, and I’m surprised how content I’m with it. I switched from a Jekyll clone, and despite its quirks (mostly originating from its Go ancestry) it is pretty usable and also pretty fast.

                                                                                                                                                          What really interests me is why I would not use S3 and Cloudfront. Not that my blog, written in a language spoken by a tiny population, could possibly get overwhelmed with traffic, but my monthly fees are below $1, and the site could handle practically unlimited load, should it face it. Also no hassle with hosting, security upgrades, SSL certificates. I have hosted it on a simple DO instance, and it was totally OK, yet AWS is superior in every possible respect for serving purely static pages.

                                                                                                                                                          Instead of rsync, the aws cli can be used to sync the bucket; it is incremental, and also pretty fast.

                                                                                                                                                          1. 4

                                                                                                                                                            I think it would be simple to use this tool in conjunction with S3/Cloudfront. I use Jekyll to build a local version of my site and then s3_website to push it to AWS. I like that the tool I use for building the site doesn’t tie me to a particular hosting strategy. (AFAICT the linked script only uses rsync to build the site locally in a target directory, not to deploy it to some remote host.)

                                                                                                                                                            1. 2

                                                                                                                                                            Sure, it would be simple, just as simple as using rsync. I’m curious why anybody would run httpd and self-host given the drawbacks. Maybe I have a different use case in mind, and that doesn’t let me see, or it’s simply a matter of different preferences…

                                                                                                                                                              1. 4

                                                                                                                                                                I don’t think httpd is for self-hosting. I think it’s for previewing things locally (similar to jekyll’s serve feature).

                                                                                                                                                                1. 2

                                                                                                                                                                  Thank you for your comments.

                                                                                                                                                                  Yes, rsync(1) is just to copy source files (html, css, md, etc) to ssg working directory. Yes, I use httpd(8) in debug mode (not like a daemon) locally, just for previewing. Why httpd -d? It’s already installed on OpenBSD by default. On macOS you can use python -m SimpleHTTPServer for the same purpose.

                                                                                                                                                                  1. 2

                                                                                                                                                                    I ran into problems with SimpleHTTPServer because it has no concurrency: a single client can block everything. You can work around this with the threading mixin, something like: https://kdecherf.com/blog/2012/07/29/multithreaded-python-simple-http-server/
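                                                                                                                                                                    The threading workaround mentioned above, as an added example that is not the commenter’s code: the same `socketserver.ThreadingMixIn` approach on Python 3’s `http.server`, bound to loopback only since this is a preview tool, plus a check showing that an idle client no longer blocks other requests (Python 3.7 and later also ship `http.server.ThreadingHTTPServer`, which `python -m http.server` uses). The sample site, `QuietHandler`, `ThreadedPreviewServer` and `fetch_with_idle_client` are all constructed here.

```python
"""Threaded local preview server for a static-site build directory.

Added example, not code from the thread: a Python 3 version of the
"threading mixin" workaround for SimpleHTTPServer's one-client-at-a-time
behaviour. The sample site is constructed in a temp directory.
"""
import functools
import socket
import socketserver
import tempfile
import threading
import time
import urllib.request
from http.server import HTTPServer, SimpleHTTPRequestHandler
from pathlib import Path


class QuietHandler(SimpleHTTPRequestHandler):
    """Static-file handler that does not log every request to stderr."""

    def log_message(self, format, *args):  # same signature as the base class
        pass


class ThreadedPreviewServer(socketserver.ThreadingMixIn, HTTPServer):
    """One thread per connection, so a slow or idle client cannot block the rest."""

    daemon_threads = True       # a wedged client thread must not keep the process alive
    allow_reuse_address = True  # quick restarts while editing the site


def make_server(directory, server_cls=ThreadedPreviewServer, host="127.0.0.1", port=0):
    """Serve `directory` on loopback only: this is a preview tool, not public hosting."""
    handler = functools.partial(QuietHandler, directory=str(directory))
    return server_cls((host, port), handler)


def build_sample_site():
    """Write a one-page constructed site into a fresh temp directory."""
    site = Path(tempfile.mkdtemp(prefix="ssg-preview-"))
    (site / "index.html").write_text("<h1>hello</h1>\n")
    return site


def fetch_with_idle_client(directory, server_cls=ThreadedPreviewServer, timeout=2.0):
    """Return True if index.html is served while another client sits idle.

    The idle client connects but never sends a request line. Plain HTTPServer
    blocks reading from it and the real request times out; the threaded server
    answers the real request on a separate thread.
    """
    server = make_server(directory, server_cls)
    host, port = server.server_address[:2]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    idle = socket.create_connection((host, port))
    time.sleep(0.2)  # let the server accept the idle connection first
    try:
        url = f"http://{host}:{port}/index.html"
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and b"hello" in resp.read()
    except OSError:  # URLError and socket timeouts are both OSError subclasses
        return False
    finally:
        idle.close()  # unblocks a single-threaded server so shutdown() can return
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    import sys

    site_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    srv = make_server(site_dir, port=8000)
    print(f"previewing {site_dir} at http://127.0.0.1:8000/ (Ctrl-C to stop)")
    srv.serve_forever()
```

Run it with the ssg output directory as the argument; the `fetch_with_idle_client` check returns False for the stock single-threaded `HTTPServer` and True for the threaded class.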

                                                                                                                                                                2. 1

                                                                                                                                                                  I’m curious why anybody would run httpd and self-host given the drawbacks.

                                                                                                                                                                  We are talking about serving static files, for a personal blog (out of a disk cache)… what are the drawbacks again?

                                                                                                                                                                  1. 1

                                                                                                                                                                    Even if you have only http facing the public internet you need to track the security reports. I found having to track CVEs for the few services I had on my machine too burdensome. Also you may need TLS, which also has its overhead, and hosting costs more than on S3 imho. If you need the machine for other purposes that may make the equation a bit different though.

                                                                                                                                                                    1. 3

                                                                                                                                                                      All true. But of course, some people do this kind of thing as a hobby, or as part of their jobs. Others might find it a fun learning exercise, and even rewarding.

                                                                                                                                                                      1. 2

                                                                                                                                                                        Oh, it totally fell out of my sight. My bad.

                                                                                                                                                                        I abandoned the pet server approach to have more of my limited free time devoted to my blog, creating content, as I already did enough ops at work.

                                                                                                                                                              2. 2

                                                                                                                                                                +1 to Hugo, I’d say “pretty fast” is underselling how ridiculously fast it is (at least compared to other popular static site generators).

                                                                                                                                                                Re: why not S3+Cloudfront?

                                                                                                                                                                I started with this a while ago. The problem is you end up using something like Route53 to get your custom domain and TLS, which ultimately ends up costing you $2-3/mo per domain altogether, which adds up pretty quickly when you have a bunch of domains. Not to mention the ordeal of managing AWS and their massive dashboards and weird config syntax.

                                                                                                                                                                These days I use Github pages + Cloudflare for DNS/TLS in their free tier. If I were up for migrating again, I’d consider using Netlify which is great by all accounts and supports some basic dynamic forms that are handy for static sites (contact form, etc).

                                                                                                                                                                1. 2

                                                                                                                                                                  I agree that Route53 costs can add up, but if your DNS provider can serve “APEX entries” you can get away without that, if I recall correctly (or maybe you can use Cloudflare then?). My single domain site takes <1€/mo (Route53 + S3 + Cloudfront).

                                                                                                                                                                  Regarding Netlify: recently I have seen some useful/impressive tools they have open-sourced, so I’d also consider their services.

                                                                                                                                                              1. 19

                                                                                                                                                                The best way to combat this is to not answer the questions for password reset at all. Use a password manager, and when a company asks something like “what was the name of your favorite teacher” give an answer like “zod the destroyer 7899” and never mention or tell anyone about this. Even if someone knows your favorite teacher, it won’t help them.

                                                                                                                                                                1. 3

                                                                                                                                                                  I generate all the answers with my password manager too - and don’t re-use them between systems. It’s a bit of a pain to generate them but they’re not often asked for and I don’t want to have to inform my mother her maiden name is part of a data breach.

                                                                                                                                                                  1. 3

                                                                                                                                                                    Unfortunately you do need to be a bit careful with this. It’s possible (however dumb) that these answers are stored in plaintext and then presented to the user either as-is (multiple choice) or partially obscured (complete this name).

                                                                                                                                                                    If an attacker is trying to get through the reset process and are confronted with “What’s your mother’s maiden name? a) Jones, b) Smith or c) F32djsb/.$%” they might have better than 1-in-3 odds :-)

                                                                                                                                                                    1. 2

                                                                                                                                                                      I’m partial to being born somewhere like: Earth Sol System Orion Minor Galactic Arm Milky Way Galaxy

                                                                                                                                                                      And my favorite pet sometimes has ended up being something like: Leeloominai ekatariba tchai ekbat de sebat

                                                                                                                                                                      And favorite colors being Steve.

                                                                                                                                                                      I just plug all that crap into my password manager so that all my random “copy something from an open webpage” answers don’t go away.

                                                                                                                                                                      1. 1

                                                                                                                                                                        I do this (except the answers are randomly generated) and it turns out it mostly doesn’t matter. I’ve had to call services that use them and talk to customer service representatives. They’ve asked me the questions, along with other identifying information, and I told them that I didn’t know the answer. All I said was that it was probably random junk. They just ignored it and continued to deal with my problem.

                                                                                                                                                                        What’s even more interesting is that the rep on the phone would admonish me for forgetting the answer, telling me that they ask these things for my own security. It didn’t seem to register, even after I mentioned it, that it obviously doesn’t, since I just bypassed them.

                                                                                                                                                                        1. 1

                                                                                                                                                                          A number of sites now do “identity verification” through (I believe) the credit agencies, where they’ll ask you questions about previous addresses based on the records those agencies have–not based on answers you provided yourself at any point.

                                                                                                                                                                          1. 2

                                                                                                                                                                            Yeah, but that costs money, and it still doesn’t fix the problem because your previous addresses can be known by the attacker.

                                                                                                                                                                            1. 2

                                                                                                                                                                              Right, my point was that it’s not enough to use fake answers to security questions, because the real answers (at least regarding previous addresses) are still useful to attackers against these identity verification systems.

                                                                                                                                                                            2. 1

                                                                                                                                                                              Not that you nor I can do anything about it here and now, but that practice should be heavily discouraged. The whole point of security questions is to answer stuff only I know. Which also makes 90% of the currently available choices (“Mother’s maiden name”, “First pet”, etc.) really poor choices. Allow me to make my own question and answer, and it should improve handily for some people, whereas people who fall back to the default questions are no worse off.

                                                                                                                                                                          1. 5

                                                                                                                                                                            It’s nice of them to release the source code (I remember the kerfuffle when they ported to python), but, wow, the lack of documentation hurts. I remember being in the “lisp is so readable it doesn’t need comments” camp, and I may have been wrong.

                                                                                                                                                                            Honestly, though, a place to start might be enough. IIRC, they were using CMUCL and Hunchentoot. Anybody know/remember the build process for those?

                                                                                                                                                                            1. 5

                                                                                                                                                                              I think that was wrong because understandability often goes down as complexity and power go up. LISP is super-powerful with people applying that power in many complex ways. Especially the difference between what you see and what’s going on underneath macros. So, I’d say it needs more documentation or source control if aiming for easily-approachable or predictable codebases.

                                                                                                                                                                              1. 5

                                                                                                                                                                                It used ASDF to build (see the .asd file).

                                                                                                                                                                                1. 3

                                                                                                                                                                                  At the risk of being snarky those are actively maintained projects and you can simply check their respective websites for how to install and use them.

                                                                                                                                                                                  Hunchentoot is in quicklisp and installs easily with (ql:quickload :hunchentoot). The SBCL fork of CMUCL is more widely used than CMUCL, and can be installed with “apt-get install sbcl”, or pre-built binaries for 5 or 6 platforms can be downloaded from their website.

                                                                                                                                                                                  1. 1

                                                                                                                                                                                    The SBCL fork of CMUCL is more widely used than CMUCL

                                                                                                                                                                                    Sure, but SBCL forked, like, twenty years ago, and this code is from more like 10-15. That is, I’m sure they were aware of SBCL, but I’m pretty sure they chose CMUCL instead.

                                                                                                                                                                                    And, yes, if I’m certain they’re using CMUCL and Hunchentoot, and am familiar with both tools, and am familiar with ASDF, and know I need quicklisp, and am also familiar with that, then I suspect I wouldn’t have too much trouble scraping together a build method that might work. However, I haven’t been in the lisp ecosystem for years, and don’t know for certain which lisp and which web framework they were using.

                                                                                                                                                                                    Looking at the asd file, it seems they were using TBNL, which predates Hunchentoot (in name). Will it build with Hunchentoot? Not sure – how API-compatible is modern Hunchentoot with that old version of TBNL? For that matter, what version of TBNL was used? Are we certain this code can build at all?

                                                                                                                                                                                    A note saying “you need the following versions of the following things to build this: x,y,z, …” would be useful if they don’t have the resources to put together a modern README document.

                                                                                                                                                                                    Also more useful than the current lack of documentation would be a note saying: “this has not been built in years, we don’t know the needed library versions, and it’s not clear whether this can be built at all, but we wanted to provide the source anyway”.

                                                                                                                                                                                    So, I appreciate the fact that some of this is discoverable, but 1- it’s only discoverable if you’re already an up-to-date lisp hacker, 2- even then it might not be fully discoverable, and 3- standards for documentation have changed over the past couple decades, and this doesn’t even meet the standards of many years ago.

                                                                                                                                                                                  2. 2

                                                                                                                                                                                    eh .. the whole platform used to be open source but they closed it a while back. They claimed it was simply too difficult to run the entire thing and there was no point in keeping it OSS.

                                                                                                                                                                                    I dunno .. After Reddit started banning tons of communities, removed their warrant canary and their CEO was caught editing comments, I dismissed the entire platform. I rarely use it; maybe really specific communities.

                                                                                                                                                                                  1. 7

                                                                                                                                                                                    Should be treated like an airliner crash: Investigation, lessons learned, improvements to make sure it’s not repeated.

                                                                                                                                                                                      1. 2

                                                                                                                                                                                        I don’t know what more we can ask for.

                                                                                                                                                                                        Improvements will be made.

                                                                                                                                                                                        No company wants this liability.

                                                                                                                                                                                        1. 8

                                                                                                                                                                                          I don’t know what more we can ask for.

                                                                                                                                                                                          At least one human in jail.

                                                                                                                                                                                          And if Uber cannot prove that it was the first time a test driver was distracted during a drive, at least the whole board of directors of Uber in jail.

                                                                                                                                                                                          1. 4

                                                                                                                                                                                            At least one human in jail.

                                                                                                                                                                                            It’s very likely that there will be a scapegoat or two.

                                                                                                                                                                                            But I think this is probably good for the industry.

                                                                                                                                                                                            I’m no historian, but I imagine that this is a little bit like when the first airplanes were invented. At first there were no rules. You just made an airplane and flew around.

                                                                                                                                                                                            Until some bystander got hurt or killed. In those days, we were not such a litigious society, so most people probably said tough luck.

                                                                                                                                                                                            But eventually we had passenger travel, and the government decided we needed rules and the FAA (or whatever came before it) was created. They make the rules.

                                                                                                                                                                                            At first, air travel was not so safe. But after every accident we improved.

                                                                                                                                                                                            And when there were accidents, there were liability lawsuits. If gross negligence could be proven, then maybe even some airline company executives went to jail???

                                                                                                                                                                                            Even now, when there is human error and an airliner crashes, I don’t think anyone goes to jail?

                                                                                                                                                                                            We are still in the early days.

                                                                                                                                                                                            1. 1

                                                                                                                                                                                              What does that solve?

                                                                                                                                                                                              1. 9

                                                                                                                                                                                                It has a net-positive social effect.

                                                                                                                                                                                                1. Justice.
                                                                                                                                                                                                2. the U.S.A. would prove to their citizens that they hold the monopoly of the legitimate use of physical force: otherwise, if you accept that a company can kill, killers will all become entrepreneurs
                                                                                                                                                                                                3. all the future boards of directors of any robotics company will take human safety very seriously and will continue to take it seriously every time a board of directors goes to jail
                                                                                                                                                                                                4. the whole DataScience/AI industry will learn to sell just what they can explain (aka debug) and prove correct (which is much more than you think, actually!)
                                                                                                                                                                                                5. the whole software industry will begin to take software quality as a serious topic
                                                                                                                                                                                                6. ISIS won’t have a very good reason to infiltrate AI software companies in the U.S.A. …

                                                                                                                                                                                                I think I could go on for a while…

                                                                                                                                                                                                1. 1

                                                                                                                                                                                                  if you accept that a company can kill, killers will all become entrepreneurs

                                                                                                                                                                                                  It’s called a private militia. They’ve been there before Uber and Google. 🙄

                                                                                                                                                                                                  1. 3

                                                                                                                                                                                                    Are you stating that in the U.S.A. a private militia has the right to kill people without questions from courts?

                                                                                                                                                                                                    I really did not know that!

                                                                                                                                                                                                    Because, you know, some people say you should not require explanations from an AI!

                                                                                                                                                                                                    And if a private militia can kill people with that same freedom… I can suddenly understand U.S.A. problems with guns!

                                                                                                                                                                                                    1. 2

                                                                                                                                                                                                      It’s the 2nd Amendment: final check against government corruption when all three branches fail to do their job. Given how divided the media keeps US, it will basically turn into a shooting gallery with each side taking on their media-designated enemies.

                                                                                                                                                                                                      The only neutral scenario I could think of where it may apply is people taking out politicians that took bribes to pass laws that harmed constituents. And were immune to prosecution. People on both sides tend to look down on whoever takes bribes for laws. As in, it enforces integrity of essential system with everything else handled within the system.

                                                                                                                                                                                                      I’d still be afraid to see any use of 2nd Amendment play out, though. Will be a lot of collateral murder.

                                                                                                                                                                                                      1. 0

                                                                                                                                                                                                        @nickpsecurity I read your reply three times, looked at wikipedia and still I do not understand what you mean.

                                                                                                                                                                                                        The monopoly of legitimate use of violence is given to states by their people.

                                                                                                                                                                                                        No State is obliged to respond in courts about each single life it takes to preserve law.
                                                                                                                                                                                                        That’s because the state itself represents Justice (on behalf of its people, in a democracy).

                                                                                                                                                                                                        The state does not need to explain why it kills: the explanations are due from the people that represent the state (police, judges and so on..) to ensure they do not abuse the power the state gives them.

                                                                                                                                                                                                        Does the 2nd Amendment give the U.S.A. citizens the same right as the state?
                                                                                                                                                                                                        That would explain @oz comment, but still it sounds extremely strange.

                                                                                                                                                                                                        For example, why do killers not always appeal to it when in court?

                                                                                                                                                                                                        1. 3

                                                                                                                                                                                                          Quick request: If you reply to someone, they get an email saying that you replied. If you use @ in front of name, they get another email saying they were “mentioned” in same thread. I suggest leaving out the @ when it’s the person you were replying to so they just get one email. I also leave it off if it’s another party if they’re already reading the thread.

                                                                                                                                                                                                          Regarding 2nd Amendment, the wording of the Amendment was ambiguous leading to two interpretations:

                                                                                                                                                                                                          1. It’s an individual’s right to bear arms to use in self-defense against all enemies. That might include people attacking them, corrupt politicians, or foreign invaders. Some of these organize into unofficial militias that are basically groups that share this belief in a specific locale. There’s over 200 of them.

                                                                                                                                                                                                          2. It’s about a state-level, military organization governed by the laws of that state and controlled by its governor. That’s basically the Army and Air National Guard. These often also have police powers in a state, too.

                                                                                                                                                                                                          There’s no consensus on the subject. No 1 is used to justify gun ownership. Presidents also used to shoot people on the streets in less-civil times. No 2 is implemented across the states, too. I’m in No 1 territory just because I doubt U.S. military personnel make a good check against U.S. military personnel: probably see each other like cousins in a big family. There are some court opinions from long ago suggesting No 1 is OK when three branches fail to do their job. Anyone trying it will be imprisoned for murder, though, after being vilified by whatever side voted for that person. Generally, most just move to a state that runs things the way they like tolerating the government’s abuses.

                                                                                                                                                                                                          The militias are doing nothing waiting for The Big Moment when the federal government does something so bad it justifies them going to war. We’ve had smaller moments over and over and over: Feds like so-called “fait accompli” strategy where they do a little bit of evil at a time building up power slowly with each move independently justified with media narrowly focusing on it in isolation. Like the boiling frog metaphor, the citizens tolerate more corruption that way with them not seeing bigger picture or slowly forgetting why certain things happened to begin with. The Big Moment won’t come because it already did over time. A worse situation will down the road. I found it illuminating to compare the abuses listed in Declaration of Independence that justified war on British rule against the abuses of current U.S. government. There’s too many similarities.

                                                                                                                                                                                                          The militias haven’t done anything about anything, though. Mostly just drink, socialize, and sport shoot in the woods that I can tell. The folks that have shot politicians have usually been crazy or evil doing it for their own reasons. They’re really random. They definitely don’t help justify any legitimate use of 2nd Amendment when that happens: every shooting has people try to roll back No 1 on the list. Who knows what will happen in future but that’s the relevant background on the subject.

                                                                                                                                                                                                          1. 2

                                                                                                                                                                                                            Thanks nickpsecurity.
                                                                                                                                                                                                            Sorry for the duplicated mails… my fault, but maybe Lobste.rs misses a DISTINCT clause.

                                                                                                                                                                                                            Your post gave me an interesting and deep historical perspective over a U.S.A. issue that I cannot really understand as a European.

                                                                                                                                                                                                            This deeply improves my understanding, thanks!

                                                                                                                                                                                                            Anyone trying it will be imprisoned for murder, though…

                                                                                                                                                                                                            This is the point, I think: a State cannot allow anybody to kill without responding in court for murder. That’s just because otherwise it would lose the key of its own power: legitimacy over its use of violence.

                                                                                                                                                                                                            This does not mean that each person responding in court for a murder is guilty and will go to jail. Just that he has to prove that the death was not attributable to his own actions.

                                                                                                                                                                                                            So, in this case, Uber must prove that they had no way to prevent the death.

                                                                                                                                                                                                            E.g. they cannot test the car on roads closed to the public traffic, they had never observed another driver distracted at the driving seat before, that the car was correctly maintained, that the LIDAR system was tested to work at that speed and lighting conditions, that the various AI components had no bug and so on…

                                                                                                                                                                                                            1. 2

                                                                                                                                                                                                              Yeah, they should have to explain that stuff if they were to get tried for it. The case for many companies is they just get investigated and sued with their lawyers holding it off. Sometimes they lose a lot of money on it. Their next move is to do the minimum necessary to avoid a similar loss. This might achieve real risk reduction. Or it will be a dodge with another disaster down the road.

                                                                                                                                                                                                              Most of the time these are mechanical processes we understand really well. Self-driving cars aren’t. So, I have no idea what will happen just because a robust version of the concept hasn’t been demonstrated even by academics. They might even be able to use that as a defense: “we did all we could. Not even cutting-edge R&D was doing much better on correctness.” Of course, the LIDAR results vs the Grand Challenge I read about long ago makes me think there were some truly reckless acquisition and testing practices. Hopefully, lots of LIDAR experts can chip in testimony saying it’s total garbage to set some kind of baseline for what’s acceptable.

                                                                                                                                                                                                              Seeing and responding to a big-ass object right in front of it should probably be in the baseline. ;)

                                                                                                                                                                                      1. 21

                                                                                                                                                                                        I would go one step further–I only grudgingly sign NDAs and assignments of invention too and would prefer if they weren’t there.

                                                                                                                                                                                        This single issue is the thing that most makes me think we need collective bargaining and unions.

                                                                                                                                                                                        Given the MO of modern companies, our ideas and skills are all that we have.

                                                                                                                                                                                        1. 8

                                                                                                                                                                                          Yeah I don’t think I’d work anywhere that did Assignments of invention. I just don’t think I could be paid enough to make me give that up. I once signed a noncompete though but it wasn’t this restrictive, it only applied to businesses that were making the exact same kind of product (Laboratory Information Management Systems).

                                                                                                                                                                                          1. 7

                                                                                                                                                                                            When I joined my last company they had an assignment of invention section in their paperwork, but provided a place to list exemptions. I listed so many things on that form: github side projects to theoretical ideas I’d been kicking around. When I handed in the packet to HR they didn’t know how to handle the fact that I actually filled that stuff out. They ended up removing the assignment of invention section completely.

                                                                                                                                                                                            I see a distinction between companies that prey on their employees and those that build in language and terms like this because legal told them to, or it’s “boilerplate”. Neither is acceptable and in many regions that take workers’ rights seriously they are explicitly illegal. I don’t see that happening in the US anytime soon, though.

                                                                                                                                                                                            If it’s important to you, don’t sign. If it’s important to you and your company is a bunch of idiots, change the contract before you sign it and watch them blindly put a signature on it. Who knows, maybe you’ll end up owning all their IP instead.

                                                                                                                                                                                            1. 0

                                                                                                                                                                                              I can definitely understand why a company would want you to sign an assignment of invention and I don’t think they’re inherently good or bad. They’re just a trade off like anything else. If you really want to start your own company one day or side projects are really important to you then that’s something to consider strongly before signing an assignment of invention. Just like flexibility would be something to consider before taking a job if you really wanted to be able to take off work, with no advance notice, to surf if the waves happen to be good and then make up those hours later.

                                                                                                                                                                                              1. 11

                                                                                                                                                                                                Safety bars on looms and e-stops on lathes are a trade off like anything else…

                                                                                                                                                                                                This is a local minima of error that companies are stuck in due to investors and lawyers (and greedy founders) trying to cover their own asses.

                                                                                                                                                                                                It’s basically become industry standard, but seeing as how we’re all getting screwed in compensation (given the growth we enable) compared to older days the bargain no longer makes sense. Further, the troubling trend is “Well, it’s probably no big deal to work on , just let us know and/or we don’t care anyways” is basically living with a gun to your head.

                                                                                                                                                                                                If it is such a non-issue that most companies will overlook it, fucking leave it off the conditions of employment. If it is such an issue, compensate the engineers properly.

                                                                                                                                                                                                1. 3

                                                                                                                                                                                                  I think we need to create a list of businesses that do this so that I can avoid ever applying to them and also ones that don’t do this so that I can weigh applying for them.

                                                                                                                                                                                                  1. 1

                                                                                                                                                                                                    Safety bars on looms and e-stops on lathes are a trade off like anything else…

                                                                                                                                                                                                    Apples and oranges. Those safety features don’t really affect the employer, but they have a huge effect on how safe the job is for all of the employees that use looms and lathes. Assignments of invention do have an effect on the employer and if you happen to be an employee without any aspirations of starting your own business then they don’t really affect you. Even if you do have that aspiration, a good company will be more than happy to stamp prior discovery paperwork to approve side projects that don’t have anything to do with the company’s area of business so an assignment of invention will only affect you if you want to compete with your employer.

                                                                                                                                                                                                    Edit:

                                                                                                                                                                                                    If it is such an issue, compensate the engineers properly.

                                                                                                                                                                                                    If you compare the software engineering salaries with those of other fields it appears that we are compensated for signing non-competes and assignments of invention. Nurses, for comparison, are also highly educated salaried workers but they make on average $20,000 less per year than software engineers [Source] [Source]. It is entirely possible that the gap in pay is a result of a high demand for and low supply of software engineers. But there is a high demand for and low supply of nurses as well.

                                                                                                                                                                                                    1. 8

                                                                                                                                                                                                      a good company

                                                                                                                                                                                                      Where, where are these good companies? “Not all companies”, indeed!

                                                                                                                                                                                                      There is no upside for the employer to do this once they have the paperwork in hand, and relying on the charity/largess of a company is foolish–especially once belts start tightening. Even companies that aren’t terrible can often punt forever on this sort of thing because of limited time to devote to non-business issues, because legal’s job is to provide maximal cover and push back on anything that might create risk, etc.

                                                                                                                                                                                                      I suggest that the overall tone of how employee engineers are viewed, for the good of all engineers, needs to change. Hell, most of the innovation people claim to care about so much would be strangled in the crib under the agreements that are common today!

                                                                                                                                                                                                      1. 3

                                                                                                                                                                                                        Assignments of invention do have an effect on the employer and if you happen to be an employee without any aspirations of starting you own business then they don’t really affect you.

                                                                                                                                                                                                        And without any intention of ever contributing to open source, and without any intention of ever writing an article or a story or a book, and without any intention of ever painting a painting, and without any intention of ever singing a song, etc., etc. (Every assignment of invention I’ve ever seen has covered any and all copyrightable works, not just code. Most have tried to claim assignment of works created before employment began.)

                                                                                                                                                                                                        1. 1

                                                                                                                                                                                                          Every assignment of invention I’ve ever seen has covered any and all copyrightable works, not just code. Most have tried to claim assignment of works created before employment began.

                                                                                                                                                                                                          That is an entirely different story. The assignments of invention that I’ve seen strictly pertain to ip related to the company’s products and services, during your period of employment with the company. Although they have all asked for a list of prior work as a practical means of proving that any such ip of yours was created before your time of employment. That said, my comments above were made with that understanding of what an assignment of invention is.

                                                                                                                                                                                                          1. 6

                                                                                                                                                                                                            “Related” is way too open-ended for my comfort. If I contribute to an open-source project at night that is written in the same language I use at work, is that related? What about if they’re both web applications? What if they both use the same framework? If I write healthcare software during the day and I want to write a novel where somebody goes to the doctor, is that related?

                                                                                                                                                                                                            In the contracts I’ve been presented with it’s been explicit that any work done prior to employment with the company that is not on your list of prior inventions becomes the property of the company. I’ve been programming since I was 12; there is no conceivable way I can list every piece of code I’ve written in 20+ years (much less other forms of copyrightable expression).

                                                                                                                                                                                                            I have hired lawyers on two occasions to review assignment-of-invention contracts with provisions like these and on both occasions the advice I got was that “related” is pretty much a blank check for the employer.

                                                                                                                                                                                                            1. 3

                                                                                                                                                                                                              The ones I’ve seen (and signed) have been restricted to inventions created at work or on company equipment, which amounts to roughly “we own the things we’re paying (or providing infrastructure for) you to create”. Within the context of capitalist employment, I think that’s essentially reasonable.

                                                                                                                                                                                                              1. 2

                                                                                                                                                                                                                The fuzzy bit is, when you’re a salaried worker who is remote, what exactly is “company equipment”? What is “at work”?

                                                                                                                                                                                                                How many of us have, in an evening say, made a commit to wrap up a thought after dinner from our laptops or desktops?

                                                                                                                                                                                                                1. 3

                                                                                                                                                                                                                  If you’re a salaried remote worker, the company should be providing your work machine, which is either a laptop you can take with you, or a desktop that you remote into. If you’re providing all the equipment out of pocket, why are you on salary, rather than working as a contractor?

                                                                                                                                                                                                                  The only exception I could think of would be a very early stage startup, but in that case you’re probably coming from a place of having a better negotiating position anyway.

                                                                                                                                                                                                                  I’ve worked remotely for 3 jobs, and have always been provided a development machine, and have done my best to avoid doing anything that is strictly a side project on it for that reason.

                                                                                                                                                                                                                  1. 1

                                                                                                                                                                                                                    One of the selling points vendors of separation kernels pushed was separation of Personal and Work on one device (“BYOD”). They mainly pushed it under the illusion that it would provide security at reduced costs on consumer-grade devices. They also pushed it for GPL isolation to reduce IP risks to them. Your comment makes me think that can be flipped: use of dedicated, virtual work environment for (typical benefits here) with additional benefit of isolating I.P. considerations to what’s in the VM. If you want something generic, do it on your own time in your own VM just importing an instance of it into the work VM and/or its codebase. Anything created in the work VM they or you can assume will belong to them.

                                                                                                                                                                                                                    I’m ignoring how time is tracked for now. Far as clarity on intent of I.P. ownership, what do you think of that as basic approach? Spotting any big risks?

                                                                                                                                                                                                                2. 1

                                                                                                                                                                                                                  I’ve never consulted a lawyer so I’ll concede to you on this. Thank you for posting about your experience!

                                                                                                                                                                                                            2. 2

                                                                                                                                                                                                              If safety equipment did not affect the employer, then why did it take so long for employers to adopt them? Why did they fight so hard against them?

                                                                                                                                                                                                              And if it isn’t a big deal to a good company to make exceptions, why bother with the clause?

                                                                                                                                                                                                              If developers are being fairly compensated for these burdens, why do we still hear about a shortage of devs?

                                                                                                                                                                                                              1. 0

                                                                                                                                                                                                                If safety equipment did not affect the employer, then why did it take so long for employers to adopt them? Why did they fight so hard against them?

                                                                                                                                                                                                                The same reason anyone makes a fuss when you force them to do anything. People don’t like to be told what to do. Add to that the slow moving nature of large organizations and there is going to be a huge fight to get them to do absolutely anything.

                                                                                                                                                                                                                And if it isn’t a big deal to a good company to make exceptions, why bother with the clause?

                                                                                                                                                                                                                Because trusting every employee to be honest about signing over IP to anything they’re working on that is related to the company is not practical and it opens up the company to a huge amount of liability. If you don’t bother with the clause, what happens if you inadvertently use your IP in your day-to-day work, fail to notice, and fail to sign it over?

                                                                                                                                                                                                                If developers are being fairly compensated for these burdens, why do we still hear about a shortage of devs?

                                                                                                                                                                                                                Because there is a shortage. Paying more isn’t going to magically create more senior devs. It’ll increase the amount of people that get into the field (and it has) but there is still going to be a large lag time before they have the experience that employers are looking for. That said, if you compare the salaries of software developers to the salaries of other professions with shortages you’ll see that software developers make more. So we might not be compensated as much as you would like, but we are being compensated.

                                                                                                                                                                                                                1. 5

                                                                                                                                                                                                                  It took so long to do it because it costs money to replace your lathes with ones with E-Stops. It has nothing to do with being told what to do or being slow. Corporations can actually do things quite quickly when there’s a financial incentive to do so. They struggle to do things which they have a financial disincentive to do. This is precisely why unions are necessary for a healthy relationship between corporations and employees.

                                                                                                                                                                                                                  1. 2

                                                                                                                                                                                                                    It has nothing to do with being told what to do or being slow.

                                                                                                                                                                                                                    It’s both. Companies regularly waste money on stuff that doesn’t benefit the company or refuse to switch to things with known benefits that are substantially different. These are both big problems in companies that aren’t small businesses. They’re also problems in small businesses, but often in different ways. Egos and/or ineptitude of people in charge are usually the source. On programming side, it’s why it took so much work to get most companies to adopt memory-safe languages even when performance or portability wasn’t a big deal in their use cases. Also, why many stayed on waterfall or stayed too long despite little evidence development worked well that way. It did work for managers’ egos feeling a sense of control, though.

                                                                                                                                                                                                                    Can’t forget these effects when assessing why things do or don’t happen. They’re pervasive.

                                                                                                                                                                                                                  2. 4

                                                                                                                                                                                                                    I don’t think a ‘company’ has any feelings at all. I think companies have incentives and that is it, full stop. The people within a company may have feelings, but I think it is amazing the extent that a person will suppress or distort their feelings for money or the chance at promotion.

                                                                                                                                                                                                                    I would be surprised if liability was what companies principally had in mind about IP assignment. I suspect the main drivers are profitability and the threat of competition.

                                                                                                                                                                                                                    In terms of compensation, I don’t think anyone is saying programmers are poorly compensated. The question is whether non-competes and sweeping IP assignments are worth it. Literally everyone who works is compensated, of course it is reasonable to dicker over the level of compensation and the tradeoffs involved in getting it. …

                                                                                                                                                                                                                    I think there is a tendency to feel that the existence of an explanation for a company’s behavior is sufficient justification for its actions. Because there is an explanation, or an incentive for a company to do a thing has little to no bearing on whether it is good or right for a company to do a thing. It has even less bearing on whether a thing is good from the perspective of a worker for the company.

                                                                                                                                                                                                                    If there is a shortage of software developers, and they are worth a lot of dollars, it is in the interest of software developers to collectively negotiate for the best possible treatment they can get from a company without killing the company. That could include pay, it could be defined benefits, it could be offices with doors on it, or all of the above and more.

                                                                                                                                                                                                                    There is a strong strain of ‘the temporarily embarrassed millionaire’ in programmer circles, though. It seems like many empathize with the owner class on the assumption that they are likely to enter the owner ranks, but I don’t see the numbers bearing that assumption out.

                                                                                                                                                                                                                    1. 6

                                                                                                                                                                                                                      If there is a shortage of software developers, and they are worth a lot of dollars, it is in the interest of software developers to collectively negotiate for the best possible treatment they can get from a company without killing the company.

                                                                                                                                                                                                                      And as you know, employers colluded to secretly and collectively depress labor wages and mobility among programmers in Silicon Valley (Google, Apple, Lucasfilm, Pixar, Intel, Intuit, eBay), on top of the intrinsic power and resource advantage employers have over employees, further underscoring the need for an IT union.

                                                                                                                                                                                                                      https://www.hollywoodreporter.com/news/pixar-lucasfilm-apple-google-face-suit-285282 (2012)

                                                                                                                                                                                                                      https://www.theverge.com/2013/7/13/4520356/pixar-and-lucasfilm-settle-lawsuit-over-silicon-valley-hiring

                                                                                                                                                                                                                      https://www.theguardian.com/technology/2014/apr/24/apple-google-settle-antitrust-lawsuit-hiring-collusion

                                                                                                                                                                                                                      1. 4

                                                                                                                                                                                                                        A very good reason for a union.

                                                                                                                                                                                                                        Given a union, I wouldn’t necessarily even start with salary, so much as offices with doors and agreements around compensation for work outside of core hours, parental leave and other non-cash quality of life issues.

                                                                                                                                                                                                                      2. 2

                                                                                                                                                                                                                        In terms of compensation, I don’t think anyone is saying programmers are poorly compensated. The question is whether non-competes and sweeping IP assignments are worth it. Literally everyone who works is compensated, of course it is reasonable to dicker over the level of compensation and the tradeoffs involved in getting it. …

                                                                                                                                                                                                                        Whether or not it is worth it is an individual decision. But at the end of the day we are compensated significantly more than our peers in other fields with shortages (accounting staff, nurses, teachers, etc). If you don’t believe that we’re being compensated enough, then what we really need to be doing is advocating for our peers in those other fields. Because if we’re not getting paid enough, they sure as hell aren’t getting paid anywhere close to enough. And if we improve the culture around valuing employees in general, that will translate into improvements for us as well. A rising tide raises all boats. But as it is, I don’t know anyone but programmers who think programmers are underpaid.

                                                                                                                                                                                                                        1. 1

                                                                                                                                                                                                                          I’m all for paying people more, but I’m unclear why you are focusing on these other fields; I was under the impression we were talking about programmers and the IT field.

                                                                                                                                                                                                                          I also disagree that those fields constitute peers. Accountants may be the closest as white-collar professionals, but they are in a field where everyone applies the same rules to the same data, which is an important difference. I’m all for labor solidarity, but I think it’s up to people in a given field to advocate for themselves. People elsewhere should lend support, sure.

                                                                                                                                                                                                                          1. 2

                                                                                                                                                                                                                            I also disagree that those fields constitute peers.

                                                                                                                                                                                                                            They’re peers in that they’re fields with similar, if not more rigorous, educational requirements and they’re also experiencing labor shortages.

                                                                                                                                                                                                                            Accountants may be the closest as white-collar professionals, but they are in a field where everyone applies the same rules to the same data, which is an important difference.

                                                                                                                                                                                                                            That doesn’t mean they provide any less value than programmers though. If you run a big business you absolutely need an accountant and a good accountant will more than pay for themselves. That said, given the pay gap, it’s unclear to me that programmers aren’t already getting compensated for signing non competes and assignments of invention. Especially when you consider how much lower the average compensation is for programmers in markets where non-competes and assignments of invention are not the norm [Source].

                                                                                                                                                                                                          2. 2

                                                                                                                                                                                                            I’d never sign an assignment of invention, I find the concept to be absurd, especially in an industry like software engineering.

                                                                                                                                                                                                                            I sign NDAs without complaint when they’re not over-reaching. Many are sensible enough to abide by. But I once had an employer who attempted to make their workforce sign an NDA that imposed restrictions on use of USB sticks retroactively, with huge penalties - up to $10 million - in a company where USB sticks were routinely used to transfer documents and debug builds between on-site third party suppliers and employees of the company. Basically everybody would have been liable.

                                                                                                                                                                                                          1. 9

                                                                                                                                                                                                            I’ve been working remotely for a few months, although only recently full time. I love it. I feel very confident that my employer is getting much higher quality hours out of me than when I worked in an office. I feel much more productive and I believe that I am much more productive. A lot of talking that I did in an office really didn’t matter so much for getting work done. For random conversations, I just send an email to someone or talk to them on a chat, that has worked fine for me.

                                                                                                                                                                                                            1. 2

                                                                                                                                                                                                              Now switch to 4 day work-weeks and be amazed that you can be even more productive!

                                                                                                                                                                                                              1. 3

                                                                                                                                                                                                                Already there actually :) And yes, I am more productive! But we’ll see how it works in the long run. Do I acclimate to 4 day work weeks as we did to 5 day work weeks so long ago and productivity drops once the novelty wears off?

                                                                                                                                                                                                                1. 2

                                                                                                                                                                                                                  The extra time you have to let your subconscious work on problems stays. And the potential extra sleep. And the burnout-prevention.

                                                                                                                                                                                                                  That’s how it works for me, anyway.

                                                                                                                                                                                                                  1. 3

                                                                                                                                                                                                                    I’m curious about how both of you ended up working four-day weeks. Does everyone at your employers do so? Are you contractors or employees? Have you always worked these hours at your current gigs or did you cut back from a five-day week?

                                                                                                                                                                                                                    1. 2

                                                                                                                                                                                                                      Employed. My last job had a 4-day-week, which was increased from 3-days before. I was one of the very few not working full time, but as far as I know it never gave real problems; people learned not to schedule meetings on Wednesdays if they wanted me to show up. The initial three-day setup was because there wasn’t enough money available for a fulltime position, but even once there was enough having a full day for my own stuff (or just catching up on sleep, so I don’t have to do that on the weekend) is worth the lower pay.

                                                                                                                                                                                                                      And I honestly think employers win with 4 days. I’m much happier, sharper and motivated. They have to pay less, and I doubt I do less (effective!) work. If you come from 5 days, make sure they know they are better off with you in the team for 4 days than not in the team at all ;)

                                                                                                                                                                                                            1. 6

                                                                                                                                                                                                              I think the faulty assumption is that the happiness of users and developers is more important to the corporate bottom line than full control over the ecosystem.

                                                                                                                                                                                                              Linux distributions have shown for a decade that providing a system for reliable software distribution while retaining full user control works very well.

                                                                                                                                                                                                              Both Microsoft and Apple kept the first part, but dropped the second part. Allowing users to install software not sanctioned by them is a legacy feature that is removed – slowly to not cause too much uproar from users.

                                                                                                                                                                                                              Compare it to the time when Windows started “phoning home” with XP … today it’s completely accepted that it happens. The same thing will happen with software distributed outside of Microsoft’s/Apple’s sanctioned channels. (It indeed has already happened on their mobile OSes.)

                                                                                                                                                                                                              1. 8

                                                                                                                                                                                                                As a long-time Linux user and believer in the four freedoms, I find it hard to accept that Linux distributions demonstrate “providing a system for reliable software distribution while retaining full user control works very well”. Linux distros seem to work well for enthusiasts and places with dedicated support staff, but we are still at least a century away from the year of Linux on the desktop. Even many developers (who probably have some overlap with the enthusiast community) have chosen Macs with unreliable software distribution like Homebrew and incomplete user control.

                                                                                                                                                                                                                1. 2

                                                                                                                                                                                                                  I agree with you that Linux is still far away from the year of Linux on the desktop, but I think it is not related to the way Linux deals with software distribution.

                                                                                                                                                                                                                  There are other, bigger issues with Linux that need to be addressed.

                                                                                                                                                                                                                  In the end, the biggest impact on adoption would be some game studios releasing their AAA title as a Linux-exclusive. That’s highly unlikely, but I think it illustrates well that many of the factors of Linux’ success on the desktop hinge on external factors which are outside of the control of users and contributors.

                                                                                                                                                                                                                  1. 2

                                                                                                                                                                                                                    All the devs I know that use Mac use Linux in some virtualisation option instead of Homebrew for work. Obviously that’s not a scientific study by any means.

                                                                                                                                                                                                                    1. 8

                                                                                                                                                                                                                      I’ll be your counter example. Homebrew is a great system, it’s not unreliable at all. I run everything on my Mac when I can, which is pretty much everything except commercial Linux-only vendor software. It all works just as well, and sometimes better, so why bother with the overhead and inconvenience of a VM? Seriously, why would you do that? It’s nonsense.

                                                                                                                                                                                                                      1. 4

                                                                                                                                                                                                                        Maybe a VM makes sense if you have very specific wishes. But really, macOS is an excellent UNIX and for most development you won’t notice much difference. Think Go, Java, Python, Ruby work. Millions of developers probably write on macOS and deploy on Linux. I’ve been doing this for a long time and ‘oh this needs a Linux specific exception’ is a rarity.

                                                                                                                                                                                                                        1. 4

                                                                                                                                                                                                                          you won’t notice much difference.

                                                                                                                                                                                                                          Some time ago I was very surprised that HFS is not case sensitive (by default). Due to a bad letter-case in an import my script would fail on Linux (production), but worked on Mac. Took me about 30 minutes to figure this out :)
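The failure mode described in the comment above (an import whose letter case matches the module file only on a case-insensitive filesystem) can be caught before deploying. The following is an added example, not code from the thread: it probes whether a directory sits on a case-sensitive filesystem, and scans Python source for imports of local modules whose case differs from the file on disk. The function names, the regex and the `Utils.py` sample project in `demo()` are all constructed for the example.

```python
import os
import re
import tempfile

# Matches the first module name in "import x" / "from x import y" statements.
# Deliberately simple: comma-separated imports only yield their first name.
IMPORT_RE = re.compile(r"^\s*(?:from\s+([\w.]+)\s+import|import\s+([\w.]+))", re.M)


def fs_is_case_sensitive(directory):
    """Probe `directory`: create a temp file and check whether its
    case-swapped name also resolves. On default HFS+/APFS (case-insensitive)
    it does, on ext4/xfs it does not."""
    with tempfile.NamedTemporaryFile(prefix="CaseProbe", dir=directory) as probe:
        name = os.path.basename(probe.name)
        swapped = os.path.join(directory, name.swapcase())
        # The prefix guarantees the swapped name differs in at least one letter.
        return not os.path.exists(swapped)


def local_import_case_mismatches(source, search_dir):
    """Return (imported_name, [on_disk_names]) for every import in `source`
    whose top-level name matches a file or package in `search_dir` only when
    case is ignored. Names with no case-insensitive match (stdlib, third
    party) are skipped, so the check is safe to run on any module."""
    by_lower = {}
    for entry in os.listdir(search_dir):  # actual on-disk names, exact case
        stem = entry[:-3] if entry.endswith(".py") else entry
        by_lower.setdefault(stem.lower(), set()).add(stem)

    mismatches = []
    for match in IMPORT_RE.finditer(source):
        top = (match.group(1) or match.group(2)).split(".")[0]
        candidates = by_lower.get(top.lower())
        if candidates and top not in candidates:
            mismatches.append((top, sorted(candidates)))
    return mismatches


def demo():
    """Constructed sample project: one module `Utils.py` and a script that
    imports it with the wrong case (works on a Mac, fails on Linux)."""
    project = tempfile.mkdtemp(prefix="case_demo_")
    open(os.path.join(project, "Utils.py"), "w").close()
    script = (
        "import utils\n"            # wrong case: only resolves case-insensitively
        "import Utils\n"            # correct case
        "from os import path\n"     # not local, ignored
        "from helpers.Sub import x\n"  # no local match, ignored
    )
    return local_import_case_mismatches(script, project)


if __name__ == "__main__":
    here = os.getcwd()
    print("case-sensitive filesystem:", fs_is_case_sensitive(here))
    for name, on_disk in demo():
        print(f"import {name!r} does not match on-disk {on_disk}")
```

Run the mismatch check in CI on the Linux side as well as locally: the probe tells you whether a green test run on a Mac actually exercised case sensitivity, and the import scan flags the exact line that would break on production.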

                                                                                                                                                                                                                          1. 3

                                                                                                                                                                                                                            You can make a case sensitive code partition. And now with APFS, partitions are continuously variable size so you won’t have to deal with choosing how much goes to code vs system.

                                                                                                                                                                                                                            1. 1

                                                                                                                                                                                                                              A case sensitive HFS+ slice on a disk image file is a good solution too.

                                                                                                                                                                                                                            2. 2

                                                                                                                                                                                                                              Have fun checking out a git repo that has Foo and foo in it :)

                                                                                                                                                                                                                              1. 2

                                                                                                                                                                                                                                It was bad when Microsoft did it in VB, and it’s bad when Apple does it in their filesystem lol.

                                                                                                                                                                                                                            3. 2

                                                                                                                                                                                                                              Yeah definitely. And I’ve found that accommodating two platforms where necessary makes my projects more robust and forces me to hard code less stuff. E.g. using pkg-config instead of yolocoding path literals into the build. When we switched Linux distros at work, all the packages that worked on MacOS and Linux worked great, and the Linux only ones all had to be fixed for the new distro. 🙄

                                                                                                                                                                                                                            4. 2

                                                                                                                                                                                                                              I did it for awhile because I dislike the Mac UI a lot but needed to run it for some work things. Running in a full screen VM wasn’t that bad. Running native is better, but virtualization is pretty first class at this point. It was actually convenient in a few ways too. I had to give my mac in for repair at one point, so I just copied the VM to a new machine and I was ready to run in minutes.

                                                                                                                                                                                                                              1. 3

                                                                                                                                                                                                                                I use an Apple computer as my home machine, and the native Mac app I use is Terminal. That’s it. All other apps are non-Apple and cross-platform.

                                                                                                                                                                                                                                That said, MacOS does a lot of nice things. For example, if you try to unmount a drive, it will tell you what application is still using it so you can unmount it. Windows (10) still can’t do that, you have to look in the Event viewer(!) to find the error message.

                                                                                                                                                                                                                                1. 3

                                                                                                                                                                                                                                  In case it’s unclear, non-Native means webapps, not software that doesn’t come preinstalled on your Mac.

                                                                                                                                                                                                                                  1. 3

                                                                                                                                                                                                                                    It is actually pretty unclear what non-Native here really means. The original HN post is about sandboxed apps (distributed through the App Store) vs non-sandboxed apps distributed via a developer’s own website.

                                                                                                                                                                                                                                    Even Gruber doesn’t mention actual non-Native apps until the very last sentence. He just talks/quotes about sandboxing.

                                                                                                                                                                                                                                    1. 3

                                                                                                                                                                                                                                      The second sentence of the quoted paragraph says:

                                                                                                                                                                                                                                      Cocoa-based Mac apps are rapidly being eaten by web apps and Electron pseudo-desktop apps.

                                                                                                                                                                                                                                2. 1

                                                                                                                                                                                                                                  full-screen VM high-five

                                                                                                                                                                                                                                3. 1

                                                                                                                                                                                                                                  To have environment closer to production I guess (or maybe ease of installation, dunno never used homebrew). I don’t have to use mac anymore so I run pure distro, but everyone else I know uses virtualisation or containers on their macs.

                                                                                                                                                                                                                                  1. 3

                                                                                                                                                                                                                                    Homebrew is really really really easy. I actually like it over a lot of Linux package managers because it first class supports building the software with different flags. And it has binaries for the default flag set for fast installs. Installing a package on Linux with alternate build flags sucks hard in anything except portage (Gentoo), and portage is way less usable than brew. It also supports having multiple versions of packages installed, kind of half way to what nix does. And unlike Debian/CentOS it doesn’t have opinions about what should be “in the distro,” it just has up to date packages for everything and lets you pick your own philosophy.

                                                                                                                                                                                                                                    The only thing that sucks is OpenSSL ever since Apple removed it from MacOS. Brew packages handle it just fine, but the python package system is blatantly garbage and doesn’t handle it well at all. You sometimes have to pip install with CFLAGS set, or with a package specific env var because python is trash and doesn’t standardize any of this.

                                                                                                                                                                                                                                    But even on Linux using python sucks ass, so it’s not a huge disadvantage.

                                                                                                                                                                                                                                    1. 1

                                                                                                                                                                                                                                      Installing a package on Linux with alternate build flags sucks hard in anything except portage

                                                                                                                                                                                                                                      You mention nix in the following sentence, but installing packages with different flags is also something nix does well!

                                                                                                                                                                                                                                      1. 1

                                                                                                                                                                                                                                        Yes true, but I don’t want to use NixOS even a little bit. I’m thinking more vs mainstream distro package managers.

                                                                                                                                                                                                                                      2. 1

                                                                                                                                                                                                                                        For all its ease, homebrew only works properly if used by a single user who is also an administrator who only ever installs software through homebrew. And then “works properly” means “install software in a global location as the current user”.

                                                                                                                                                                                                                                        1. 1

                                                                                                                                                                                                                                          by a single user who is also an administrator

                                                                                                                                                                                                                                          So like a laptop owner?

                                                                                                                                                                                                                                          1. 1

                                                                                                                                                                                                                                            A laptop owner who hasn’t heard that it’s good practice to not have admin privileges on their regular account, maybe.

                                                                                                                                                                                                                                        2. 1

                                                                                                                                                                                                                                          But even on Linux using python sucks ass, so it’s not a huge disadvantage.

                                                                                                                                                                                                                                          Can you elaborate more on this? You create a virtualenv and go from there, everything works.

                                                                                                                                                                                                                                          1. 2

                                                                                                                                                                                                                                            It used to be worse, when mainstream distros would have either 2.4 or 2.6/2.7 and there wasn’t a lot you could do about it. Now if you’re on python 2, pretty much everyone is 2.6/2.7. Because python 2 isn’t being updated. Joy. Ruby has rvm and other tools to install different ruby versions. Java has a tarball distribution that’s easy to run in place. But with python you’re stuck with whatever your distro has pretty much.

                                                                                                                                                                                                                            And virtualenvs suck ass. Bundler, maven / gradle, etc. all install packages globally and let you exec against arbitrary environments directly (bundle exec, mvn exec, gradle run), without messing with activating and deactivating virtualenvs. Node installs all its modules locally to a directory by default but at least it automatically picks those up. I know there are janky shell hacks to make virtualenvs automatically activate and deactivate with your current working directory, but come on. Janky shell hacks.

                                                                                                                                                                                                                            That and pip just sucks. Whenever I have python dependency issues, I just blow away my venv and rebuild it from scratch. The virtualenv melting pot of files that pip dumps into one directory just blatantly breaks a lot of the time. They’re basically write once. Meanwhile every gem version has its own directory so you can cleanly add, update, and remove gems.

                                                                                                                                                                                                                            Basically ruby, java, node, etc. all have tooling actually designed to author and deploy real applications. Python never got there for some reason, and still has a ton of second rate trash. The scientific community doesn’t even bother, they use distributions like Anaconda. And Linux distros that depend on python packages handle the dependencies independently in their native package formats. Ruby gets that too, but the native packages are just… gems. And again, since gems are version binned, you can still install different versions of that gem for your own use without breaking anything. With Python there is no way to avoid fucking up the system packages without using virtualenvs exclusively.

                                                                                                                                                                                                                                            1. 1

                                                                                                                                                                                                                                              But with python you’re stuck with whatever your distro has pretty much.

                                                                                                                                                                                                                              I’m afraid you are mistaken: not only do distros ship with 2.7 and 3.5 at the same time (for years now), it is usually trivial to install a newer version.

                                                                                                                                                                                                                                              let you exec against arbitrary environments directly (bundle exec, mvn exec, gradle run), without messing with activating and deactivating virtualenvs

                                                                                                                                                                                                                                              You can also execute from virtualenvs directly.

                                                                                                                                                                                                                                              Whenever I have python dependency issues, I just blow away my venv and rebuild it from scratch.

                                                                                                                                                                                                                                              I’m not sure how to comment on that :-)

                                                                                                                                                                                                                                              1. 1

                                                                                                                                                                                                                                                it is usually trivial to install newer version

                                                                                                                                                                                                                                                Not my experience? How?

                                                                                                                                                                                                                                                1. 1

                                                                                                                                                                                                                                                  Usually you have packages for all python versions available in some repository.

                                                                                                                                                                                                                                  2. 2

                                                                                                                                                                                                                                    Have they chosen Macs or have they been issued Macs? If I were setting up my development environment today I’d love to go back to Linux, but my employers keep giving me Macs.

                                                                                                                                                                                                                                    1. 3

                                                                                                                                                                                                                                      Ask for a Linux laptop. We provide both.

                                                                                                                                                                                                                                      I personally keep going Mac because I want things like wifi, decent power management, and not having to carefully construct a house of cards special snowflake desktop environment to get a usable workspace.

                                                                                                                                                                                                                                      If I used a desktop computer with statically affixed monitors and an Ethernet connection, I’d consider Linux. But Macs are still the premier Linux laptop.

                                                                                                                                                                                                                                      1. 1

                                                                                                                                                                                                                                        At my workplace every employee is given a Linux desktop and they have to do a special request to get a Mac or Windows laptop (which would be in addition to their Linux desktop).

                                                                                                                                                                                                                                    2. 3

                                                                                                                                                                                                                                      Let’s be clear though, what this author is advocating is much much worse from an individual liberty perspective than what Microsoft does today.

                                                                                                                                                                                                                                      1. 4

                                                                                                                                                                                                                                        Do you remember when we all thought Microsoft were evil for bundling their browser and media player? Those were good times.

                                                                                                                                                                                                                                    1. 39

                                                                                                                                                                                                                                      Perhaps build systems should not rely on URLs pointing to the same thing to do a build? I don’t see Github as being at fault here, it was not designed to provide deterministic build dependencies.

                                                                                                                                                                                                                                      1. 13

                                                                                                                                                                                                                                        Right, GitHub isn’t a dependency management system. Meanwhile, Git provides very few guarantees regarding preserving history in a repository. If you are going to build a dependency management system on top of GitHub, at the very least use commit hashes or tags explicitly to pin the artifacts you’re pulling. It won’t solve the problem of them being deleted, but at least you’ll know that something changed from under you. Also, you really should have a local mirror of artifacts that you control for any serious development.
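Added example (editor's, not from any commenter or from GitHub or Go tooling): a small linter for the "pin explicitly with commit hashes or tags, and keep a lock you control" advice above. The manifest format is constructed for the example, one dependency per line as `<git url>#<ref>`; the lock file is assumed to map a URL to the commit hash recorded when the dependency was last vetted.

```python
"""Flag Git-hosted dependencies that are not pinned to an immutable commit.

Constructed manifest format (not any real tool's): "<git url>#<ref>", where
<ref> is a branch name, a tag, or a full commit hash. A missing "#<ref>"
means "whatever the default branch points to today".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# v1.2.3 or 1.2.3: a tag. Tags are names, and a recreated repository can
# re-point them, so a tag alone is not an immutable pin.
SEMVER_TAG = re.compile(r"^v?\d+\.\d+\.\d+$")


@dataclass(frozen=True)
class Pin:
    url: str
    ref: str
    kind: str        # "commit", "tag" or "branch"
    immutable: bool  # only a full commit hash counts as immutable


def classify(line: str) -> Pin:
    """Split a manifest line into URL and ref and decide what kind of ref it is."""
    url, sep, ref = line.strip().partition("#")
    if not sep or not ref:
        ref = "HEAD"  # no ref given: tracks the default branch
    if FULL_SHA.match(ref):
        return Pin(url, ref, "commit", True)
    if SEMVER_TAG.match(ref):
        return Pin(url, ref, "tag", False)
    return Pin(url, ref, "branch", False)


def audit(manifest: str, lock: dict[str, str]) -> list[str]:
    """Return one finding per dependency that is not safely pinned.

    `lock` maps url -> commit hash recorded when the dependency was vetted
    (the thread's 'local mirror / pin explicitly' advice). A tag ref is
    accepted only if a lock entry exists to compare the fetched commit
    against; a branch ref is always a finding.
    """
    findings = []
    for raw in manifest.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        pin = classify(raw)
        if pin.kind == "commit":
            continue
        if pin.kind == "tag" and pin.url in lock:
            continue
        findings.append(f"{pin.url}: ref {pin.ref!r} is a {pin.kind}, not an immutable commit")
    return findings


def verify_fetched(url: str, fetched_sha: str, lock: dict[str, str]) -> bool:
    """True if the commit actually fetched for `url` is the one in the lock.

    This is the 'at least you'll know something changed from under you' check:
    a tag that now resolves to a different commit fails here.
    """
    return lock.get(url) == fetched_sha


# Constructed sample manifest and lock (example values, not real projects).
MANIFEST = """
# constructed sample manifest
https://github.com/example/libfoo#master
https://github.com/example/libbar#v1.4.0
https://github.com/example/libbaz#3f786850e387550fdab836ed7e6dc881de23001b
https://github.com/example/libqux
"""
LOCK = {"https://github.com/example/libbar": "2ef7bde608ce5404e97d5f042f95f89f1c232871"}

if __name__ == "__main__":
    for finding in audit(MANIFEST, LOCK):
        print(finding)
    # Simulate a later fetch of libbar resolving v1.4.0 to a different commit.
    print(verify_fetched("https://github.com/example/libbar",
                         "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef", LOCK))
```

On the sample manifest, `libfoo` (branch) and `libqux` (no ref) are reported, `libbaz` is accepted because it is a full hash, and `libbar` is accepted only because the lock holds the commit its tag was vetted at; `verify_fetched` is what a fetch step would call before using the checkout.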

                                                                                                                                                                                                                                        1. 6

                                                                                                                                                                                                                                          I think the Go build system issue is a secondary concern.

                                                                                                                                                                                                                                          This same problem would impact existing git checkouts just as much, no? If a user and a repository disappear, and someone had a working checkout from said repository of master:HEAD, they could “silently” recreate the account and reconstruct the repository with the master branch from their checkout… then do whatever they want with the code moving forward. A user doing a git pull to fetch the latest master may never notice anything changed.

                                                                                                                                                                                                                                          This seems like a non-imaginary problem to me.

                                                                                                                                                                                                                                          1. 11

                                                                                                                                                                                                                                            I sign my git commits with my GPG key; if you trust my GPG key and verify it before using the code you pulled, that would save you from using code from a party you do not trust.

                                                                                                                                                                                                                                            I think the trend of tools pulling code directly from Github at build time is the problem. Vendor your build dependencies, verify signatures etc. This specific issue should not be blamed directly on Github alone.

                                                                                                                                                                                                                                            1. 3

                                                                                                                                                                                                                                              Doesn’t that assume that the GitHub repository owner is also the (only) committer? It’s unlikely that I will be in a position to trust (except blindly) the GPG key of every committer to a reasonably large project.

                                                                                                                                                                                                                                              If I successfully path-squat a well-known GitHub URL, I can put the original Git repo there, complete with GPG-signed commits by the original authors, but it only takes a single additional commit (which I could also GPG-sign, of course) by the attacker (me) to introduce a backdoor. Does anyone really check that there are no new committers every time they pull changes?

                                                                                                                                                                                                                                              1. 3

                                                                                                                                                                                                                                                Tags can be GPG signed. This proves that all commits before the tag are what the person signed. That way you only need to check the people assigned to signing the tagged releases.
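Added example (editor's, not from any commenter) for the three comments above on signed commits, signed tags and unnoticed new committers. Verifying the last release tag itself is `git tag -v <tag>`; what still needs a look is every commit that landed after it, which is where a re-created repository would sneak in an extra commit. The script below audits those commits from the output of an assumed invocation `git log --format='%H%x09%G?%x09%GK%x09%ce' <last-signed-tag>..HEAD` (`%G?` is git's signature-status letter, `%GK` the signing key id, `%ce` the committer email). The log lines, key id and addresses are constructed sample data.

```python
"""Audit commits that landed after the last verified signed tag.

Input is constructed to match (assumed invocation):
    git log --format='%H%x09%G?%x09%GK%x09%ce' <last-signed-tag>..HEAD
Fields, tab separated: full hash, signature status (G good, N unsigned,
B bad, U good but untrusted, E could not check, ...), signing key id
(empty when unsigned), committer email.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    sha: str
    sig_status: str   # git %G? letter
    key_id: str       # git %GK, "" when there is no signature
    committer: str    # git %ce


def parse_log(text: str) -> list[Commit]:
    """Parse the tab-separated log format above into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, key, email = line.split("\t", 3)
        commits.append(Commit(sha, status, key, email))
    return commits


def audit(commits: list[Commit], trusted_keys: set[str],
          known_committers: set[str]) -> list[tuple[str, str]]:
    """Return (sha, reason) for every commit that should not be taken on trust.

    Two independent checks per commit: the signature must be good *and* made
    with a key we have decided to trust, and the committer must be someone who
    was already on the project when the last tag was signed. A single extra
    commit by a new party fails both.
    """
    findings = []
    for c in commits:
        if c.sig_status != "G":
            findings.append((c.sha, f"signature status {c.sig_status!r}, not a good signature"))
        elif c.key_id not in trusted_keys:
            findings.append((c.sha, f"signed with key {c.key_id}, which is not a trusted signer"))
        if c.committer not in known_committers:
            findings.append((c.sha, f"committer {c.committer} was not on the project at the last signed tag"))
    return findings


def is_clean(commits: list[Commit], trusted_keys: set[str],
             known_committers: set[str]) -> bool:
    """True when every commit after the tag passes both checks."""
    return not audit(commits, trusted_keys, known_committers)


# Constructed sample data (example key id, addresses and hashes only).
TRUSTED_KEYS = {"ABCDEF0123456789"}
KNOWN_COMMITTERS = {"alice@example.org", "bob@example.org"}
SAMPLE_LOG = (
    "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567\tG\tABCDEF0123456789\talice@example.org\n"
    "f1e2d3c4b5a6978877665544332211009988aabb\tG\tABCDEF0123456789\tbob@example.org\n"
    "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef\tN\t\tmallory@example.net\n"
    "0123456789abcdef0123456789abcdef01234567\tG\tFEDCBA9876543210\tmallory@example.net\n"
)

if __name__ == "__main__":
    for sha, reason in audit(parse_log(SAMPLE_LOG), TRUSTED_KEYS, KNOWN_COMMITTERS):
        print(sha[:12], reason)
```

In the sample, the first two commits are clean; the third is unsigned and from an address not seen before the tag, and the fourth shows why "it has a signature" is not enough on its own: it is signed, but by a key that is not one of the release signers, which is exactly the case the thread raises.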

                                                                                                                                                                                                                                          2. [Comment removed by author]

                                                                                                                                                                                                                                            1. 2

                                                                                                                                                                                                                                              Seriously, if only GitHub would get their act together and switch to https, this whole issue wouldn’t have happened!

                                                                                                                                                                                                                                              1. 4

                                                                                                                                                                                                                                                I must have written this post drunk.