1. 4

    Most of the large resolver services such as Google, Quad9, OpenDNS and Cloudflare are all DNSSEC enabled.

    OpenDNS does not support DNSSEC at this time.

    1. 1

      Whoah. I could have sworn they did.

      1. 6

        OpenDNS does support DNSCurve, a protocol that is faster, simpler, offers real incremental benefits (unlike DNSSEC, which is all-or-nothing), and is easier to deploy than DNSSEC.

        DNSCurve however is unlikely to be implemented by ICANN for political reasons.

        1. 13

          I’m getting really sick of people talking about DNSCurve as if it was an alternative to DNSSEC, the two do completely different things. DNSCurve secures the traffic between the authoritative nameserver and a DNSCurve enabled resolver (the only one I know of being OpenDNS). DNSSEC authenticates the validity of the DNS responses themselves.

          1.  

            You’re right. DNSCurve protects all of your DNS traffic from tampering between you and the resolver and the resolver can implement their own security infrastructure for detecting and protecting from tampering and cache poisoning, while DNSSEC validates the DNS traffic of far less than 1% of all domains on the internet AND requires each client to not use a caching resolver if they want to be able to trust the results.

            So DNSCurve has a real world impact on protecting users, and DNSSEC is still vaporware.

          2. 3

            DJB threw a bunch of shade on DNSSEC when he announced DNSCurve, but he was (at best) misguided 1.

            DNSCurve however is unlikely to be implemented by ICANN for political reasons.

            DNSCurve doesn’t have anything for ICANN to implement as there is no signing of DNS records. It will validate that a response came from a specific DNS cache, but not that the records were produced by the owner of the domain.

            He’s right that we need privacy for DNS lookup and the adults in room created DNS over TLS.

          3. 1

            OpenDNS doesn’t support DNSSEC, and prevents doing the validation yourself if you wanted to do so, by stripping required records before forwarding a response to you. 1

            Their business model used to rely on NXDOMAIN hijacking, which DNSSEC prevents. They stopped doing that a while ago, but I just checked and they are still stripping out DNSSEC records 🤯!

            I really wish I hadn’t gotten sick, I was going to help work on a standard for DNS filtering. At any rate, these are bad actors in the DNS ecosystem.
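            The two claims in this sub-thread (that DNSSEC authenticates the records themselves, and that a resolver can strip the DNSSEC records it forwards) can both be checked from a client. The following is an added example, not code posted by anyone in the thread: it builds a DNS query with the EDNS(0) DO bit set using only the Python standard library and reports whether the reply carries the AD flag (set by a validating resolver) and any RRSIG records (which a resolver that passes DNSSEC material through returns alongside the answer). The sample replies are constructed in-line so the parser can be exercised offline; the resolver address and the hostname in the usage stub are assumptions for illustration.

```python
"""Check whether a resolver validates DNSSEC and passes RRSIG records through.

Added example (not from the original thread). Standard library only.
"""
import socket
import struct

TYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46
EDNS_DO = 0x8000  # DNSSEC OK bit in the OPT record flags
FLAG_AD = 0x0020  # Authenticated Data bit in the DNS header


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Recursion-desired query plus an OPT record with DO set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode 0,
    # EDNS version 0, flags with DO set, empty RDATA.
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length


def inspect_response(msg):
    """Summarise a reply: AD flag, rcode, RRSIG count, other record count."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # qtype + qclass
    rrsigs = records = 0
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            rrsigs += 1
        elif rtype != TYPE_OPT:
            records += 1
    return {"txid": txid, "ad": bool(flags & FLAG_AD), "rcode": flags & 0xF,
            "rrsig_count": rrsigs, "record_count": records}


def passes_dnssec(info):
    """True when the resolver returned signatures instead of stripping them."""
    return info["rrsig_count"] > 0


def make_sample_response(name, ad, include_rrsig, txid=0x1234):
    """Constructed reply (not captured traffic) for offline demonstration."""
    flags = 0x8180 | (FLAG_AD if ad else 0)  # QR, RD, RA (+AD)
    # A record pointing at a TEST-NET address; owner name is a pointer to the question.
    rrs = [struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])]
    if include_rrsig:
        # RRSIG rdata: type covered, alg 13, labels, orig TTL, expiry, inception,
        # key tag, signer name, then a placeholder (zeroed) signature.
        rdata = (struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0, 0, 12345)
                 + encode_name(name) + b"\x00" * 64)
        rrs.append(struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    body = b"".join(b"\xc0\x0c" + rr for rr in rrs)
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + body + opt


def query_resolver(resolver, name, timeout=3.0):
    """Send the DO-flagged query over UDP and inspect the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return inspect_response(data)


if __name__ == "__main__":
    import sys
    # Assumed defaults: Quad9 (mentioned in the thread) and a signed test name.
    target = sys.argv[1] if len(sys.argv) > 1 else "9.9.9.9"
    print(query_resolver(target, "example.com"))
```

Run it against two resolvers and compare: a validating resolver that forwards DNSSEC material returns `ad: True` with at least one RRSIG for a signed name; a resolver that strips the records returns none, which means a client behind it cannot validate on its own no matter how the upstream zone is signed.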

        1. 15

          FreeBSD was used in 1999 to render The Matrix on 32 Pentium II boxes because the software in Linux Compatibility mode on FreeBSD was faster than natively on Linux, that is a fact:

          https://www.freebsd.org/news/press-rel-1.html

          FreeBSD can be several times faster than Linux when it comes to the network stack:

          https://pbs.twimg.com/media/CzFfTSRUQAATwaq.jpg

          But often Linux is faster; you just need to find a benchmark that favors one or the other. Both are fast in general.

          1. 2

            Thanks for the link. I missed it when studying Beowulf clusters. The link doesn’t support your claim about Linux compatibility mode on FreeBSD for rendering, though. In the link, they said “reliability and ease of administration” were the benefits that made them choose FreeBSD. Do you have a reference showing FreeBSD ran Linux software better than Linux at that time or that this is why they chose it?

            1. 3

              I can personally attest that at one point it was faster. I originally switched from Linux to FreeBSD for a performance gain in the FPS game America’s Army. On the same hardware and Nvidia driver version the game on FreeBSD would get an increase of ~15fps.

              1. 1

                Interesting. Re AA, I quit that game pretty early since I couldn’t get enough practice to get better without a single-player mode. I’d have about a few minutes of moving/shooting, die from a distant headshot, and then watch others play. It was a neat game, though.

              2. 1

                I have read it somewhere on the FreeBSD Mailing Lists but do not have the source.

            1. 3

              There is a lot of bad information in this article. The FreeBSD network stack is usually considered better at certain workloads, but the processing performance is purely due to FreeBSD being behind on NUMA support.

              1. 1

                Hmm. Is this related to bsdcan?

                  1. 1

                    Yes, Theo gave an impromptu talk where he expressed frustration at rumors of openbsd being untrustworthy and then speculated on possible future intel problems. Screaming happened. But now it seems he was right.

                    Though the bigger issue of embargoes and their value remains.

                    1. 4

                      Screaming happened.

                      To be clear, the screaming was not done by Theo.

                      1. 3

                        I wish people would stop saying he gave a talk / presentation because that’s not what it was. This was a BOF session. It is a group discussion about a predefined topic and Theo was the BOF organizer. This is why he was talking to the crowd and asking questions. It wasn’t to attack anyone or inflame the situation; it was entirely within the spirit of the BOF.

                    1. 6

                      This news caused the public release for XSA-267 / CVE-2018-3665 (Speculative register leakage from lazy FPU context switching) to be moved to today.

                      1. 16

                        These embargoed and NDA’d vulnerabilities need to die. The system is broken.

                        edit: Looks like cperciva of FreeBSD wrote a working exploit and then emailed Intel and demanded they end embargo ASAP https://twitter.com/cperciva/status/1007010583244230656?s=21

                        1. 8

                          Prgmr.com is on the pre-disclosure list for Xen. When a vulnerability is discovered, and the discoverer uses the responsible disclosure process, and the process works, we’re given time to patch our hosts before the vulnerability is disclosed to the public. On balance I believe participating in the responsible disclosure process is better for my customers.

                          Pre-disclosure gives us time to build new packages, run through our testing process, and let our users know we’ll be performing maintenance. Last year we found a showstopping bug during a pre-disclosure period: it takes time and effort to verify a patch can go to production. With full disclosure, we would have to do so reactively, with significantly more time pressure. That would lead to more mistakes and lower quality fixes.

                          1. 2

                            This is a bad response to the issue. The bad guys probably already have knowledge of it and can use it. A few players deemed important should not get advanced notification.

                            1. 15

                              Prgmr.com qualifies for being on the Xen pre-disclosure list by a) being a vendor of a Xen-based system b) willing and able to maintain confidentiality and c) asking. We’re one of 6 dozen organizations on that list–the criteria for membership are technical and needs-based.

                              If you discover a vulnerability you are not obligated to use responsible disclosure. If you run Xen you are not obligated to participate in the pre-disclosure list. The process consists of voluntary coordination to discover, report, and resolve security issues. It is for the people and organizations with a shared goal: removing security defects from computer systems.

                              By maintaining confidentiality we are given the ability, and usually the means to have security issues resolved before they are announced. Our customers benefit via reduced exposure to these bugs. The act of keeping information temporarily confidential provides that reduced exposure.

                              You have described a voluntary process with articulable benefits as “needing to die,” along with my response being “bad.” As far as I can tell from your comments you claim “the system is broken” because some people “should not get advanced notice.” I’ve described what I do with that knowledge, and why it benefits my users. I’m thankful the security community tells me when my users are vulnerable and works with me to make them safer.

                              Can you improve this process for us? Have I misunderstood you?

                              1. 11

                                Some bad guys might already have knowledge of it. Once it’s been disclosed, many bad guys definitely have knowledge of it, and they can deploy exploits far, far faster than maintainers, administrators and users can deploy fixes.

                                1. 8

                                  You’re treating “the bad guys” like they’re all one thing. In actuality, there’s a string of bad guys from people who will use a free attack tool to people who will pay a few grand for one to people who can customize a kit if it’s just a sploit to people who can build a sploit from a description to rare people who had it already. There’s also a range in intent of attackers from DOS to data integrity to leaking secrets. The folks who had it already often just leak secrets in a stealthy way instead of doing actual damage. They also use the secrets in a limited way compared to the average black hat. They’re always weighing use vs detection of their access.

                                  The process probably shuts down quite a range of attackers even if it makes no difference for the best ones who act the sneakiest.

                                  1. 4

                                    The process probably shuts down quite a range of attackers even if it makes no difference for the best ones who act the sneakiest.

                                    I believe the process is so effective at shutting down “quite a range of attackers” that it works despite: a) accidental leaks [need for improvement of process] b) intentional leaks [abuse] c) black hats on the pre-disclosure list reverse engineering an exploit from a patch. [fraud] In aggregate, the benefit from following the process exceeds the gain a black hat would have from subverting it.

                              2. 9

                                Well, it’s complicated. (Disclosure: we were under the embargo.)

                                When a microprocessor has a vulnerability of this nature, those who write operating systems (or worse, provide them to others!) need time to implement and test a fix. I think Intel was actually doing an admirable job, honestly – and we were fighting for them to broaden their disclosure to other operating systems that didn’t have clear corporate or foundation backing (e.g., OpenBSD, Dragonfly, NetBSD, etc). That discussion was ongoing when OpenBSD caught wind of this – presumably because someone who was embargoed felt that OpenBSD deserved to know – and then fixed it in the worst possible way. (Namely, by snarkily indicating that it was to address a CPU vulnerability.) This was then compounded by Theo’s caustic presentation at BSDCan, which was honestly irresponsible: he clearly didn’t pull eager FPU out of thin air (“post-Spectre rumors”), and should have considered himself part of the embargo in spirit if not in letter.

                                For myself, I will continue to advocate that Intel broaden their disclosure to include more operating systems – but if those endeavoring to write those systems refuse to honor the necessary secrecy that responsible disclosure demands (and yes, this means “embargoed and NDA’d vulnerabilities”), they will make such inclusion impossible.

                                1. 18

                                  We could also argue Theo’s talk was helpful in that the CVE was finally made public.

                                  Colin Percival tweeted in his thread overview about the vulnerability that he learned enough from Theo’s talk to write an exploit in 5 hours.

                                  If Theo and the OpenBSD developers pieced enough together from rumors to make a presentation that Colin could turn into an exploit in hours, how long have others (i.e., bad guys) who also heard rumors had working exploits?

                                  Theo alone knows whether he picked-up eager FPU from developers under NDA. Even if he did, there’s zero possibility outside of the law he lives under (or contracts he might’ve signed) that he’s part of the embargo. As to the “spirit” of the embargo, his decision to discuss what he knew might hurt him or OpenBSD in the future. That was his call to make. He made it.

                                  Lastly, I was at Theo’s talk. Caustic is not how I would describe it, nor would I categorize it as irresponsible. Theo was frustrated that OpenBSD developers who had contributed meaningfully to Spectre and Meltdown mitigation had been excluded. He vented some of that frustration in the talk. I’ve heard more (and harsher) venting about Linux in a 30 minute podcast than all the venting in Theo’s talk.

                                  On the whole Theo’s talk was interesting and informative, with a sideshow of drama. And it may have been what was needed to get the vulnerability disclosed and more systems patched.


                                  Disclosure: I’m an OpenBSD user, occasional port submitter, BSDCan speaker and workshop tutor, FreeNAS user and recommender, and have enjoyed many podcasts, some of which may have included venting.

                                  1. 4

                                    If Theo and the OpenBSD developers pieced enough together from rumors to make a presentation that Colin could turn into an exploit in hours, how long have others (i.e., bad guys) who also heard rumors had working exploits?

                                    It was clear to me the day Spectre / Meltdown were disclosed that there would be future additional vulnerabilities of the same class based on that discovery. I think there is circumstantial evidence suggesting the discovery was productive for the people who knew about it in the second half of 2017 before it was publicly disclosed. One can safely assume black hats have had the ability to find and use novel variations in this class of vulnerability for at least six months.

                                    If Theo did pick up eager FPU from a developer under embargo that demonstrates just how costly it is to break embargo. Five hours, third hand.

                                    1. 4

                                      If Theo did pick up eager FPU from a developer under embargo that demonstrates just how costly it is to break embargo. Five hours, third hand.

                                      I have absolutely no idea what point you’re trying to make. Certainly, everyone under the embargo knew that this would be easy to exploit; in that regard, Theo showed people what they already knew. The only new information here is that Theo is every bit as irresponsible as his detractors have claimed – and those detractors would (of course) point out that that information is not new at all…

                                      1. 1

                                        With respect, how is Theo irresponsible for reducing the time the users of his OS are vulnerable?

                                        Like, the embargo thing sounds a lot to the ill-informed like some kind of super-secret clubhouse.

                                    2. 4

                                      Theo definitely wasn’t part of the embargo, but it’s also unquestionable that Theo was relying on information that came (ultimately) from someone who was under the embargo. OpenBSD either obtained that information via espionage or via someone trying to help OpenBSD out; either way, what Theo did was emphatically irresponsible. Of course, it was ultimately his call – but he is not the only user of OpenBSD, and it is unfortunate that he has effectively elected to isolate the community to serve his own narcissism.

                                      As for the conjecture that Theo served any helpful role here: sorry, that’s false. (Again, I was under the embargo.) The CVE was absolutely going public; all Theo did was marginally accelerate the timeline, which in turn has resulted in systems not being as prepared as they otherwise could be. At the same time, his irresponsible behavior has made it much more difficult for those of us who were advocating for broader inclusion – and unfortunately it will be the OpenBSD community that suffers the ramifications of any future limited disclosure.

                                      1. 6

                                        Espionage? You’re suggesting one of:

                                        1. Someone stole the exploit information, leaked it to the OpenBSD team, a team known for proactively securing their code, on the off-chance Theo would then further leak it (likely with mitigation code), causing the embargoed details to be released sooner than expected,

                                        2. OpenBSD developers stole the exploit information, then leaked it (while committing mitigation code), causing the embargoed details to be released sooner than expected.

                                        The first doesn’t seem plausible. The second isn’t worthy of you or any of the developers on the OpenBSD team.

                                        I’m sure you’ve read Colin’s thread. He contacted folks under embargo after he wrote his exploit code based on Theo’s presentation. The release timeline moved forward. OSs that had no knowledge of the vulnerability now have patches in place. Perhaps those users view “helpful” in a different light.


                                        Edit: Still boggling over the espionage comment. Had to flesh that out more.

                                        1. 8

                                          Theo has replied:

                                          In some forums, Bryan Cantrill is crafting a fiction.

                                          He is saying the FPU problem (and other problems) were received as a leak.

                                          He is not being truthful, inventing a storyline, and has not asked me for the facts.

                                          This was discovered by guessing Intel made a mistake.

                                          We are doing the best for OpenBSD. Our commit is best effort for our user community when Intel didn’t reply to mails asking for us to be included. But we were not included, there was no reply. End of story. That leaves us to figure things out ourselves.

                                          Bryan is just upset we guessed right. It is called science.

                                          He’s also offered to discuss the details with Bryan by phone.

                                          1. 4

                                            Intel still has 7 more mistakes in the Embargo Execution Pipeline™️ according to a report^Wspeculation by Heise on May 3rd.

                                            https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws-revealed-several-serious-4040648.html

                                            Let the games begin! 🍿

                                            1. 1

                                              What’s (far) more likely: that Theo coincidentally guessed now, or that he received a hint from someone else? Add Theo’s history, and his case is even weaker.

                                              1. 13

                                                While everyone is talking about Theo, the smart guys figuring this stuff out are Philip Guenther and Mike Larkin. Meet them over beer and discuss topics like ACPI, VMM, and Meltdown with them and you won’t doubt anymore that they can figure this stuff out.

                                                1. 6

                                                  In another reply you claim your approach is applied Bayesian reasoning, so let’s go with that.

                                                  Which is more likely:

                                                  1. A group of people skilled in the art, who read the relevant literature, have contributed meaningful patches to their own OS kernel and helped others with theirs, knowing that others besides themselves suspected there were other similar issues, took all that skill, experience and knowledge, and found the issue,

                                                  or

                                                  1. Theo lied.

                                                  Show me the observed distribution you based your assessment on. Show me all the times Theo lied about how he came to know something.

                                                  Absent meaningful data, I’ll go with team of smart people knowing their business.

                                                  1. 4

                                                    Absent meaningful data

                                                    Your “meaningful data” is 11 minutes and 5 seconds into Theo’s BSDCan talk: “We heard a rumor that this is broken.” That is not guessing and that is not science – that is (somehow) coming into undisclosed information, putting some reasonable inferences around it and then irresponsibly sharing those inferences. But at the root is the undisclosed information. And to be clear, I am not accusing Theo of lying; I am accusing him of acting irresponsibly with respect to the information that came into his possession.

                                                    1. 3

                                                      Here is at least one developer’s comment on the matter. He points to the heise.de article about Spectre-NG as an example of the rumors that were floating around. That article is a long way from “lazy FPU is broken”.

                                                      Theo has offered to discuss your concerns, what you think you know, what he knew, when and how. He’s made a good-faith effort to get his cellphone number to you. If you don’t have it, ask.

                                                      If you do have his number, call him. Ask him what he meant by “We heard a rumor that this is broken.” Ask him what rumor they heard. Ask him whether he was referring to the Spectre-NG article.

                                                      Seriously, how hard does this have to be? You engaged productively with me when I called you out. You’ve called Theo out. Talk to him.

                                                      And yes, I get it. Your chief criticism at this point is responsible disclosure. But as witnessed by the broader discussion in the security community, there’s no single agreed-upon solution.

                                                      While you’ve got Theo on the phone you can discuss responsible disclosure. Frankly, I suggest beer for that part of the discussion.


                                                      Edit: Clarify that Florian wasn’t saying he knew heise.de were the source.

                                                    2. 0

                                                      Reread the second sentence in my reply you linked.

                                                    3. 2

                                                      This is plain libel, pure and simple.

                                                      1. -2

                                                        It is Bayesian reasoning, pure and simple.

                                                        That said, this is a tempest in a teacup, so call it whatever you want; I’m gonna go floss my cat.

                                                  2. 6

                                                    Sorry – I’m not accusing anyone of espionage; apologies if I came across that way.

                                                    What I am saying is that however Theo obtained information – and indeed, even if that information didn’t originate with the leak but rather by “guessing” as he is now apparently claiming – how he handled it was not responsible. And I am also saying that Theo’s irresponsibility has made the job of including OpenBSD more difficult.

                                                    1. 9

                                                      The spectre paper made it abundantly clear that additional side channels will be found in the speculative execution design.

                                                      This FPU problem is just one additional bug of this kind. What I’d like to learn from you is:

                                                      1. What was the original planned public disclosure date before it was moved ahead to today?

                                                      2. Do you really expect that a process with long embargo windows has a chance of working for future spectre-style bugs when a lot of research is now happening in parallel on this class of bugs?

                                                      1. 5
                                                        1. The original date for CVE-2018-3665 was July 10th. After the OpenBSD commit, there was preparation for an earlier disclosure. After Theo’s talk and after Colin developed his POC, the date was moved in from July 10th to June 26th, with preparations being made to go much earlier as needed. After the media attention today, the determination was made that the embargo was having little effect and that there was no point in further delay.

                                                        2. Yes, I expect that long embargo windows can work with Spectre-style bugs. Researchers have been responsible and very accommodating of the acute challenges of multi-party disclosure when those parties include potentially hypervisors, operating systems and higher-level runtimes.

                                                        1. 10

                                                          Thanks for disclosing the date. I must say I am happy that my systems are already patched now, rather than in one month from now.

                                                          I’ll add that some new patches with the goal of mitigating spectre-class bugs are being developed in public without any coordinated disclosure:

                                                          http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/9474cbef7fcb61cd268019694d94db6a75af7dbe

                                                          https://patchwork.kernel.org/patch/10202865/

                                                      2. 5

                                                        Thanks for the clarification.

                                                        I don’t think early disclosure is always irresponsible (the details of what and when matter). Others think it’s never irresponsible; and some that it’s always irresponsible. Good arguments can be made for each position that reasonable people can disagree about and debate.

                                                        One thing I hope we can all agree on is that we need clear rules for how embargoes work (probably by industry). We need clear, public criteria covering who, what, when and how long. And how to get in the program, ideally with little or no cost.

                                                        It’s a given that large companies like Microsoft will be involved. Open-source representatives should have a seat at the table as well. But “open source” can’t just mean Red Hat and a few large foundations. OSs like OpenBSD have a presence in the ecosystem. We can’t just write the rules with a “You must be this high to ride” sign at the door.

                                                        And yeah, Theo’s talk might make this more difficult going forward. Hopefully both sides will use this event as an opportunity to open a dialog and discuss working together.

                                                        1. 6

                                                          Right, I completely agree: I’m the person that’s been advocating for that. I was furious with Intel over Spectre/Meltdown (despite our significant exposure, we learned about it when everyone else did), and I was very grateful for the work that OpenBSD and illumos did together to implement KPTI. This time around, I was working from inside the embargo to get OpenBSD included. We hadn’t been able to get to where we needed to get, but I also felt that progress was being made – and I remained optimistic that we could get OpenBSD disclosure under embargo.

                                                          All of this is why I’m so frustrated: the way Theo has done this has made it much more difficult to advocate this position – it has strengthened the argument of those who believe that OpenBSD should not be included because they cannot be trusted. And that, in my opinion, is a shame.

                                                          1. 11

                                                            Look at it from OpenBSD’s perspective though. They (apparently) tried emailing Intel to find out more, and were told “no”. What were they supposed to do? Just wait on the hope that someone, somewhere, was lobbying on their behalf to be included, with no knowledge of that lobbying?

                                          1. 2

                                            Glad Rick finally got this in. I chatted with him about it at BSDCan 2017. He’s been responsible for NFS in BSD since BSD existed.

                                            From an email 2.5 years ago:

                                            I develop on an old i386 with a 40Gbyte drive, so I don’t keep a full head online.

                                            Yes, you can develop bleeding edge software on old hardware. People still do it. Stop bloating up your codebases with stuff that takes forever to compile.

                                            1. 4

                                              filter malicious hosts using the hosts file

                                              Please stop telling people to do this. It’s very inefficient and often problematic

                                              1. 8

                                                What is a more efficient and/or less problematic alternative?

                                              1. 8

                                                I know where the author is heading, but some browsers building with one compiler doesn’t strike me as a monoculture. Not too long ago “everyone” (with few exceptions) using or programming for Linux was using GCC and glibc. Now people use clang, gcc and probably others (icc, etc.). So it’s more like things became a lot less of a monoculture and probably mostly for the effort of BSD and MacOS users and developers making sure that software doesn’t only work with GCC.

                                                Yes, it’s at least Mozilla and Chrome now using clang, but these are neither the only browsers nor are big projects focusing mostly on a defined set of tools something very uncommon.

                                                It’s just a guess, but I also think that it will not suddenly become a huge undertaking to try to compile Firefox with another compiler. For the Rust parts maybe, but it’s already like that.

Not to say it’s a good thing, but there of course are up- and downsides. Especially for such a big project and especially for a project already using said implementation, helping to develop it makes a lot more sense than in various other cases where you often only have one supported version of GCC. People using source based approaches to install packages probably know this. Compiling some version of some compilers, maybe taking hours just to compile a little piece of software that absolutely requires it.

                                                Other than that, even if Mozilla now uses one compiler over different platforms I hope they won’t start “ruling out” compilation with other compilers or rejecting a few lines of code to keep or establish compatibility. At least from the article it sounds like that would be the case.

                                                1. 10

                                                  It makes me really appreciate the projects that require only a c89/c99 compliant compiler, like sqlite and lua. Admittedly their dependencies are also minimal, only require the c standard library iirc, but it sure is nice.

                                                  1. 5

I know where the author is heading, but some browsers building with one compiler doesn’t strike me as a monoculture.

                                                    So, even for a “toy” project, we used to build again:

                                                    • MSVC on Windows 7, x32, x64
                                                    • GCC on Linux, x32, x64, Itanium
                                                    • Clang on Linux (iirc), x32, x64
                                                    • GCC on Irix, MIPS

                                                    And we would’ve built on an Alpha if we had one lying around–helps reveal the really thorny issues.

                                                    The thing is, not using multiple compilers (and architectures!) helps hide bugs.

                                                    1. 1

                                                      Completely agree, but it’s still not unusual for projects to use one compiler for their official releases.

                                                    2. 2

                                                      It’s just a guess, but I also think that it will not suddenly become a huge undertaking to try to compile Firefox with another compiler.

Suddenly? No, but I’m afraid that sooner or later having both clang and rust will become required for any platform that wants to ship firefox. Which is a shame, since Mozilla’s mission is:

                                                      Our mission is to ensure the Internet is a global public resource, open and accessible to all.

                                                      1. 1

Suddenly? No, but I’m afraid that sooner or later having both clang and rust will become required for any platform that wants to ship firefox. Which is a shame, since Mozilla’s mission is:

                                                        That’s already the case. Stylo needs clang to build. You can build some parts with GCC though.

                                                        1. 1

                                                          Clang and rust are both open projects, so I don’t see how it conflicts with their mission.

                                                          1. 1

I agree. Sadly the browser already has very big differences in platform support, even without that. For example WebRTC (the multimedia part), sandboxing capabilities, etc. But then of course supporting that on many platforms isn’t easy. Would be great of course, if that mission led to a focus on not only supporting Windows, Linux and MacOS.

Maybe someone has more insights, but something that makes me wonder a lot about how things work internally at Mozilla is that there are quite a few bug reports with ready to integrate patches remaining unanswered for often years, yet there are often changes that completely surprise users, some of them being very far away from Mozilla’s stated mission.

While I get that not all the people working for Mozilla work in all areas it seems a bit like on the “accepting and integrating contributions” side of things there is a problem. As a foundation asking for monetary contributions it’s often a bad sign when contributions in the form of work are not taken care of. I hope Mozilla can fix this, so contributors don’t get too frustrated.

                                                          2. 0

                                                            So it’s more like things became a lot less of a monoculture and probably mostly for the effort of BSD and MacOS users and developers making sure that software doesn’t only work with GCC.

Not to belittle the work of BSD people, a lot of Clang portability work was done by Debian before BSD decided on Clang. https://clang.debian.net/ goes back to Clang 2.9.

                                                            1. 3

                                                              FreeBSD initially imported Clang at revision r72732 into the tree June 2nd 2009:

                                                              https://svnweb.freebsd.org/base?view=revision&revision=193323 https://llvm.org/viewvc/llvm-project/?pathrev=72732

                                                              This was long before FreeBSD 9.0-RELEASE (January 2012).

The public documentation of the effort starts back in February of 2009:

                                                              https://wiki.freebsd.org/action/recall/BuildingFreeBSDWithClang?action=recall&rev=2

                                                              As of June 2009, Clang was at version 2.5. Version 2.6 didn’t happen until October 2009.

                                                              http://lists.llvm.org/pipermail/llvm-announce/2009-March/000031.html http://lists.llvm.org/pipermail/llvm-announce/2009-October/000033.html

                                                              So this means the devs were working with the devel/llvm-devel FreeBSD port, which would have been based on HEAD or slightly newer than Clang 2.4.

                                                              https://docs.freebsd.org/cgi/getmsg.cgi?fetch=512205+0+/usr/local/www/mailindex/archive/2009/cvs-ports/20090222.cvs-ports

                                                              So I’m not sure that I believe the story that Debian was that invested in LLVM/Clang before FreeBSD was. There was no reason to; the Linux kernel had so many GCC-isms to overcome, what would be the gain? (other than some faster compiling of packages but poorer performing binaries)

                                                              edit: FreeBSD was trying to build all of the ports collection with Clang around May 2010. This still predates Debian by over a year

                                                              https://wiki.freebsd.org/action/recall/PortsAndClang?action=recall&rev=1

                                                              1. 1

                                                                Okay, wrong perspective then. From my angle I saw how tons of projects got pull requests, patches, etc. so they’d work with clang.

Do you have any background on why the Debian clang community even popped up early? I’d have considered them to be philosophically closer to sticking to GCC (other than for where it’s necessary).

                                                                Also saw that Wikipedia actually does have a nice timeline. However it doesn’t mention where Debian starts only where it “finishes”: https://en.wikipedia.org/wiki/Clang#Status_history

                                                                1. 3

                                                                  Do you have any background on why the Debian clang community even popped up early?

Debian is so large that it has a lot of (pardon me) crazy people. As evidence, I submit the existence of Debian GNU/kFreeBSD.

                                                            1. 12

                                                              The problem with riot isn’t typography or that it’s ‘too busy’, the problem is that it’s really slow and heavy, and synapse is as well.

                                                              1. 11

                                                                Being slow is an issue but the old/current design is ultra ugly so this is one more issue off the list. Speed is being worked on currently with the rewrite of the server happening again.

                                                                1. 6

                                                                  https://www.joelonsoftware.com/2000/04/06/things-you-should-never-do-part-i/

                                                                  They should have never used Python in the first place. That was their big mistake. I honestly believe their rewrite will be a failure.

                                                                  1. 3

                                                                    I’ve been reading their code for quite a while now, and from what I can see, this is all just a new UI, but the problematic parts aren’t getting fixed at all. They admitted that they just don’t have the manpower for that.

                                                                    Matrix has so much potential, but with this, they won’t get anywhere.

                                                                    1. 3

                                                                      It’s not ideal but one benefit is they can run over the spec again and see if it’s possible to implement just from the docs and iron out any issues.

                                                                      1. 2

                                                                        Is Spolsky right, though? He only lists examples that confirm his point. For all we know, for every project that failed a complete rewrite there are ten that succeeded in one.

Case in point: the Netscape rewrite eventually led to Mozilla, which led to Firefox.

                                                                    2. 2

                                                                      This is just putting lipstick on a pig

                                                                    1. 5

As exciting as this is, I’m wary about the dependency on GNU tools, even though I understand providing an openbsd-culture-friendly implementation would require extra work and could be a maintenance nightmare, with two different codebases for shell scripts, but perhaps gmake could be replaced with something portable.

                                                                      1. 12

                                                                        This version of Wireguard was written in go, which means it can run on exactly 2 (amd64, i386) of the 13 platforms supported by OpenBSD.

                                                                        The original Wireguard implementation written in C is a Linux kernel module.

                                                                        A dependency on gmake is the least of all portability worries in this situation.

                                                                        1. 18

                                                                          While it’s unfortunate that Go on OpenBSD only supports 386 and amd64, Go does support more architectures that are also supported by OpenBSD, specifically arm64 (I wrote the port), arm, mips, power, mips. I have also implemented Go support for sparc64, but for various reasons this wasn’t integrated upstream.

                                                                          Go also supports power, and it used to run on the power machines supported by OpenBSD, but sadly now it only runs on more modern power machines, which I believe are not supported by OpenBSD. However, it would be easy to revert the changes that require more modern power machines. There’s nothing fundamental about them, just that the IBM maintainer refused to support such old machines.

Since Go supports both OpenBSD and the architectures mentioned, adding support in Go for OpenBSD+$GOARCH is about a few hours of work, so if there is interest there would not be any problem implementing this.

                                                                          I can help and offer advice if anyone is willing to do the work.

                                                                          1. 3

                                                                            Thanks for your response! I didn’t know that go supports so many platforms.

                                                                            Go support for sparc64, but for various reasons this wasn’t integrated

                                                                            Let me guess: Nobody wanted to pay the steep electricity bill required to keep a beefy sparc64 machine running?

                                                                            1. 23

                                                                              No, that wasn’t the problem. The problem was that my contract with Oracle (who paid me for the port) had simply run out of time before we had a chance to integrate.

Development took longer than expected (because SPARC is like that). In fact it took about three times longer than developing the arm64 port. The lower level bits of the Go implementation have been under a constant churn which prevented us from merging the port because we were never quite synced up with upstream. We were playing a whack-a-mole game with upstream. As soon as we merged the latest changes, upstream had diverged again. In the end my contract with Oracle had finished before we were able to merge.

This could all have been prevented if Google had let us have a dev.sparc64 branch, but because Google is Google, only Google is allowed to have upstream branches. All other development must happen at tip (impossible for big projects like this, also disallowed by internal Go rules), or in forks that then have to keep up.

                                                                              The Go team uses automated refactoring tools, or sometimes even basic scripts to do large scale refactoring. As we didn’t have access to any of these tools, we had to do the equivalent changes on our side manually, which took a lot of time and effort. If we had an upstream branch, whoever did these refactorings could have simply used the same tools on our code and we would have been good.

                                                                              I estimate we spent more effort trying to keep up with upstream than actually developing the sparc support.

                                                                              As for paying for electricity, Oracle donated one of the first production SPARC S7-2 machines (serial number less than 100) to the Go project. Google refused to pay for hosting this machine (that’s why it’s still sitting next to me as I type this).

                                                                              In my opinion after being involved with Go since the day of the public release, I’d say the Go team at Google is unfortunately very unsympathetic to large scale work done by non-Google people. Not actively hostile. They thanked me for the arm64 port, and I’m sure they are happy somebody did that work, but indirectly hostile in the sense that the way the Go team operates is not compatible with large scale outside contributions.

                                                                              1. 1

                                                                                Having to manually follow automated tools has to suck. I’d be overwhelmed by the tedium or get side-tracked trying to develop my own or something. Has anyone attempted a Go-to-C compiler developed to attempt to side-step all these problems? I originally thought something like that would be useful just to accelerate all the networking stuff being done in Go.

                                                                                1. 2

                                                                                  There is gccgo, which is a frontend for gcc. Not quite a transpiler but it does support more architectures than the official compiler.

                                                                                  1. 1

                                                                                    Yeah, that sounds good. It might have a chance of performing better, too. The thing working against that is the Go compiler is designed for optimizing that language with the gccgo just being coopted. Might be interesting to see if any of the servers or whatever perform better with gccgo. I’d lean toward LLVM, though, given it seems more optimization research goes into it.

                                                                                  2. 2

                                                                                    The Go team wrote such a (limited) transpiler to convert the Go compiler itself from C to Go.

                                                                                    edit: sorry, I misread your comment - you asked for Go 2 C, not the other way around.

                                                                                    1. 1

                                                                                      Hey, that’s really cool, too! Things like that might be a solution to security of legacy code whose language isn’t that important.

                                                                                2. 1

                                                                                  But these people are probably more than comfortable with cryptocurrency mining 🙃

                                                                                3. 3

                                                                                  Go also supports power, and it used to run on the power machines supported by OpenBSD, but sadly now it only runs on more modern power machines, which I believe are not supported by OpenBSD. However, it would be easy to revert the changes that require more modern power machines. There’s nothing fundamental about them, just that the IBM maintainer refused to support such old machines.

The really stupid part is that Go since 1.9 requires POWER8… even on big endian systems, which is very pointless because most running big endian PPC is doing it on pre-POWER8 systems (there’s still a lot!) or a big endian only OS (AIX and OS/400). You tell upstream, but they just shrug at you.

                                                                                  1. 3

                                                                                    I fought against that change, but lost.

                                                                                  2. 2

                                                                                    However, it would be easy to revert the changes that require more modern power machines.

                                                                                    Do you have a link to a revision number or source tree which has the code to revert? I still use a macppc (32 bit) that I’d love to use Go on.

                                                                                    1. 3

                                                                                      See issue #19074. Apparently someone from Debian already maintains a POWER5 branch.

                                                                                      Unfortunately that won’t help you though. Sorry for speaking too soon. We only ever supported 64 bit power. If macppc is a 32-bit port, this won’t work for you, sorry.

                                                                                      1. 3

                                                                                        OpenBSD/macppc is indeed 32-bit.

I kinda wonder if say, an OpenBSD/power port is feasible; fast-ish POWER6 hardware is getting cheap (like $200) used and not hard to find. (And again, all pre-P8 POWER HW in 64-bit mode is big endian only.) It all depends on developer interest…

                                                                                        1. 3

Not to mention that one Talos board was closer to two grand than eight or ten. Someone could even sponsor the OpenBSD port by buying some devs the base model.

                                                                                          1. 3

                                                                                            Yeah, thankfully you can still run ppc64be stuff on >=P8 :)

                                                                                  3. 2

                                                                                    This version of Wireguard was written in go, which means it can run on exactly 2 (amd64, i386)

That and syspatch make me regret buying an EdgeRouter Lite instead of saving up for an apu2.

                                                                                  4. 2

I’m a bit put off by the dependency on bash on all platforms. Can’t this be achieved with a more portable script instead (POSIX sh)?

                                                                                    1. 3

                                                                                      You don’t have to use wg-quick(8) – the thing that uses bash. You can instead set things up manually (which is really easy; wireguard is very simple after all), and just use wg(8) which only depends on libc.

                                                                                      1. 2

I think the same as you, I’m sure it is possible to achieve the same results using portable scripts. I’m aware of the conveniences bash offers, but it is big, slow, and prone to bugs.

                                                                                    1. 1

                                                                                      I don’t understand why keepalived is being used instead of an exabgp watchdog script. You can write a simple health check utility in perl, python, etc and have that directly announce or withdraw the route in exabgp instead of having exabgp watch for files on a filesystem.
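The watchdog approach described in the comment above, as an added example that is not from the thread or from the ExaBGP or keepalived projects: a small Python health checker that runs as an ExaBGP `process` and announces or withdraws a service prefix over ExaBGP’s text API on stdout. The check targets the backend’s real address (not the VIP) to sidestep the RP-filter and source-address problems that checking the VIP from the load balancer itself can cause, and it applies rise/fall hysteresis so one transient failure does not flap the route. The prefix, thresholds and backend address are constructed sample values; the `announce route … next-hop self` / `withdraw route …` command form is assumed from the ExaBGP text API.

```python
"""ExaBGP health-check watchdog (added example, not project code).

Reference it from exabgp.conf roughly like (assumed ExaBGP 4 syntax):
    process web-watchdog {
        run /usr/local/bin/exabgp_watchdog.py;
        encoder text;
    }
ExaBGP reads our stdout; every line is an API command.
"""
import socket
import sys
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample values for this example.
SERVICE_PREFIX = "192.0.2.10/32"     # anycast VIP we announce via BGP
BACKEND_ADDR = ("127.0.0.1", 8080)   # real service address, NOT the VIP
CHECK_INTERVAL = 2.0                 # seconds between checks
RISE = 3                             # consecutive OKs before announcing
FALL = 2                             # consecutive failures before withdrawing


@dataclass
class Watchdog:
    """Route state machine with hysteresis; pure logic, no I/O."""
    prefix: str
    rise: int = RISE
    fall: int = FALL
    announced: bool = False
    ok_streak: int = 0
    fail_streak: int = 0

    def observe(self, healthy: bool) -> Optional[str]:
        """Feed one check result; return the ExaBGP command to emit, if any."""
        if healthy:
            self.ok_streak += 1
            self.fail_streak = 0
            if not self.announced and self.ok_streak >= self.rise:
                self.announced = True
                return f"announce route {self.prefix} next-hop self"
        else:
            self.fail_streak += 1
            self.ok_streak = 0
            if self.announced and self.fail_streak >= self.fall:
                self.announced = False
                return f"withdraw route {self.prefix} next-hop self"
        return None


def tcp_check(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to the backend completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def main() -> None:
    wd = Watchdog(SERVICE_PREFIX)
    while True:
        cmd = wd.observe(tcp_check(*BACKEND_ADDR))
        if cmd:
            # ExaBGP parses each stdout line; flush so it is not buffered.
            sys.stdout.write(cmd + "\n")
            sys.stdout.flush()
        time.sleep(CHECK_INTERVAL)


if __name__ == "__main__":
    main()
```

On exit the process should withdraw before terminating; ExaBGP also drops routes learned from a process that dies, which is the fail-safe this design relies on.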

                                                                                      1. 1

Keepalived’s primary role is to configure IPVS. So, it needs to do healthchecking and ExaBGP can just reuse the results of these checks. The second reason is that healthchecking the VIP from the load-balancer itself may bring several small issues (among them, RP filtering, source address selection and routing).

                                                                                        1. 1

But why use IPVS and ExaBGP? Your router should be able to automatically do the load balancing for you with anycast? At work we do not use any hardware load balancers or layer 3 IPVS stuff like CARP/VRRP/HSRP. Everything is handled with ExaBGP for all services (web, database, etc) and it works beautifully.

                                                                                          1. 2

                                                                                            With just ECMP routing, any change will break existing connections. Add an additional node in your database cluster and many of your existing connections will break. This may or may not be acceptable depending on your use case. Also note IPVS and VRRP have no relation except being used together through Keepalived.

                                                                                            1. 1

                                                                                              Not using persistent database connections so I guess it wouldn’t matter.

                                                                                      1. 4

                                                                                        FreeBSD may also be affected

                                                                                        /* Based on:
                                                                                         * SHA512-based Unix crypt implementation. Released into the Public Domain by
                                                                                         * Ulrich Drepper <drepper@redhat.com>. */
                                                                                        

                                                                                        releng/11.1/lib/libcrypt/crypt-sha512.c

                                                                                        1. 3

It’s briefly mentioned in the article, but be very wary of the number of sockets in TIME_WAIT state. It’s bitten me more than I’d like to admit.

                                                                                          1. 2

                                                                                            FreeBSD has a tunable for “no local time wait”

                                                                                            1. 1

                                                                                              The Linux kernel also has the following sysctl tunables which affect the behavior of sockets in TIME_WAIT (or more accurately, the kernel’s willingness to reuse them):

                                                                                              • net.ipv4.tcp_tw_reuse
                                                                                              • net.ipv4.tcp_tw_recycle (apparently removed in Linux 4.12+)

I have used the former without issue, but my understanding is they are best avoided as e.g., stateful packet filters will be confused.

                                                                                          1. 11

                                                                                            overreaching Code of Conducts.

The author realizes that you don’t have to follow the code of conduct to use the software? Also 80% of the items on the freebsd code of conduct are illegal. The four that stick out to me that aren’t are these.

                                                                                            Comments that reinforce systemic oppression related to gender, gender identity and expression, sexual orientation, disability, mental illness, neurodiversity, physical appearance, body size, age, race, or religion.

                                                                                            Unwelcome comments regarding a person’s lifestyle choices and practices, including those related to food, health, parenting, drugs, and employment.

                                                                                            Deliberate misgendering.

                                                                                            Deliberate use of “dead” or rejected names.

                                                                                            Author basically feels that if the developers can’t get intimately involved with another developer’s personal life without consent then the author does not want to use the software. Frankly it seems like you could just create a code of conduct with the line “Thinking code of conducts are bad” and you’d filter out everyone who apparently wants to get in your grill.

                                                                                            The other rules are okayish but would rule out basically everything if applied strictly.

                                                                                            1. 11

                                                                                              Also 80% of the items on the freebsd code of conduct are illegal.

Codes of conduct don’t have anything to do with law, though. An organization can block your participation in it for any reason they see fit. There are restrictions for businesses and employers, but they don’t apply to open source projects.

                                                                                              1. 17

                                                                                                Right and if you don’t agree with those reasons you don’t have to contribute or you can create your own organization. I was saying 80% of them are illegal to do as an individual. Sexual harassment? Stalking? Threatening? A lot of the CoC is basically just “We won’t enable your criminal behavior and allow you to use the organization as a way to find targets”. The 4 here are basically, “Don’t purposely be an asshole to other members, here are four ways of being an asshole that are explicitly not allowed.”. If you think Open Source means “I get to be a dick to other people and get away with it because it’s not a job” then you’re honestly doing more harm than good and should do something else with your life.

                                                                                                1. 6

                                                                                                  Oh sorry, I misunderstood what you mean by illegal. I thought you were saying much of the CoC was illegal.

                                                                                                  1. 14

                                                                                                    The 4 here are basically, “Don’t purposely be an asshole to other members, here are four ways of being an asshole that are explicitly not allowed.”.

That kind of playing with definitions is one of the reasons I fight broad Codes of Conduct. It’s not how they play out. Instead, those promoting or enforcing will be specific groups of people having specific, political views on everything from words to identity to societal structures, expecting the entire world to comply with those views, and punishing anyone in their immediate setting who doesn’t using whatever methods are available. Those methods range from shaming to exclusion to removing their ability to pay bills.

                                                                                                    To me, that sounds like being assholes that shove their politics down others’ throats telling them to get lost if they don’t like it. Even more so when I see plenty of people be civil without going that far in mischaracterizing or banning other groups’ means of expressing themselves. Then, a person supporting such politics shows up saying it’s just about not being an asshole. People reading that get a different impression than “no political disagreement or differences are allowed in this list of categories whose reach increases whenever we say.” I don’t expect more honesty from most promoters about the goals since subterfuge and “end justifies the means” is the norm in that group.

                                                                                                    1. 12

                                                                                                      What about it shoves politics? I would think all the points I mentioned are basically apolitical. There’s no rule against “political disagreement” within the CoC. You can be super hard line conservative and still follow these rules. I’m specifically talking about the FreeBSD CoC.

                                                                                                      1. 7

                                                                                                        It’s not really based on “politics”, but on basic respect. If you’re a conservative who is respectful of people’s preferred names and doesn’t shit all over people because of their lifestyles, you won’t have a problem. If you’re a liberal or Leftist who is super racist, anti-Semitic (hello, tankies) or constantly judges poor people overly harshly (of which there are many), you will have one.

                                                                                                        That said, if you feel that trans people asserting that we should be called by the names we choose for ourselves is somehow a political act, then yes, the purpose of the CoC is to “shove politics down your throat”.

                                                                                                        1. 1

                                                                                                          if you feel that trans people asserting that we should be called by the names we choose for ourselves is somehow a political act

                                                                                                          Isn’t it? I have no problem with calling you as you like, really.

And I’d like it to be the common ground of our international culture.

But it is Politics. I’d argue that it’s the best expression of politics at all, as it establishes a kind environment where we can confront each other.

                                                                                                          On the other hand, “keep the discourse on topic or you will be banned” should be a pretty good CoC, everywhere.

Now, if we can go off-topic, and you say in a public space (say IRC or a mailing list) that you do something I consider bad, you are engaging in a discourse. You can’t say “I like eating people, cannibalism improves my health” and then invoke the CoC if anyone objects.

People should understand that speaking in public implies a will to listen.
More exactly, speaking implies a will to challenge one’s own opinions, putting them at stake in the conversation.

If you don’t want to listen to any objection, if you don’t want to change your mind, why speak in the first place?
Are you doing propaganda? Marketing? If so, you are the problem, not those who engage with you.

Also, if we can go off-topic, and you say you like to hurt your children, I’ll comment on that, whatever the CoC. After reporting you, obviously, with all the references I can get to find you (including your email, IP, OS, whatever I can get through my technical knowledge and tools).

So in general, the CoC is a political tool. It could be used for good or evil.

But it doesn’t fix the lack of a democratic culture of dialogue in a community.

                                                                                                        2. 1

                                                                                                          Without a CoC you are at the mercy of the hidden political views of the project owners. Their decisions to ban start looking arbitrary. Either way, you deal with political views. Wouldn’t you prefer to know what they are before engaging? Worst would be spending a lot of your time on a project only to find out you get banned because you said something that was in disagreement with the owners of the project.

                                                                                                    2. 14

They are too broad (e.g. large swaths of the population would violate it with their daily interactions), which puts selective enforcement in charge. If it’s selective enforcement, then it’s just a power instrument with the rule makers at the power end, even if the contents of the CoC are all well-meant and good in their intentions.

It’s not directly about the contents of the CoC, it’s about taking people’s moral autonomy.

                                                                                                      1. 12

I think it’s reasonable to treat open source work within an organization with the same level of respect and dignity that you would expect from a job. You could get fired at a job for nearly every one of these. Using dead names even: if an employee asks you to stop and you don’t and they file a complaint with HR, HR might decide that you’re creating a hostile work environment for basically no reason. Most people don’t get fired for misconduct, so I’m going to actually say that you can’t possibly be right about that claim.

                                                                                                        Keep in mind that the responses are

                                                                                                        A private reprimand from the working group to the individual(s) involved.

                                                                                                        A public reprimand.

                                                                                                        An imposed vacation from FreeBSD Project controlled spaces (e.g. asking someone to “take a week off” from a mailing list or IRC).

                                                                                                        A permanent or temporary ban from some or all FreeBSD Project controlled spaces (events, meetings, mailing lists, IRC, etc.)

                                                                                                        A request for a public or private apology.

                                                                                                        A request to engage in mediation and/or an accountability plan.

                                                                                                        These aren’t that extreme. Sure you can be banned but that can happen in any OSS project where they can say “We won’t accept pull requests from dirt bags like you.”. In this case the things you can do wrong are at least actually laid out so that you know what behaviors to avoid and which ones to follow.

                                                                                                        1. 16

Still, the CoC assumes moral authority over me, which is a no-go for freedom lovers and hackers like me. That people like you don’t exercise their own moral autonomy and fail to understand that others do (with different results) is the reason why CoCs create unnecessary controversy and drama.

And yes, the FreeBSD CoC makes me feel violated in my moral autonomy, and yes, the FreeBSD CoC embodies political views I do not share.

                                                                                                          1. 9

                                                                                                            A CoC has no moral authority and frankly morality isn’t even a real thing. It’s merely a set of rules that people who work together have agreed to follow while working together. You don’t have to work with them and you don’t have to use their software, but since you wanted to be on record disagreeing, I wanted to be on record agreeing with CoC and why I feel the way I do.

                                                                                                            1. 4

                                                                                                              Again, this is a strong pro-CoC statement. If they are successful in excluding people like you, they are working as intended.

                                                                                                              1. 10

                                                                                                                I was hoping to keep things civil. Perhaps there’s a more generous way you could phrase this?

                                                                                                                1. 5

                                                                                                                  Not really, given that the author has emphatically stated their disagreement with either the values motivating the rules, or the rules themselves. Regardless, such a person is a real risk to the health of the community, and it’s nice that there’s such an effective repellent.

                                                                                                                  1. 18

I’m honest about not being a feminist. I consider the concept of gender harmful (from a philosophical standpoint), but people like you seem convinced that not sharing your point on that makes me a bad person.

But thanks for determining I’m a hazard to the community, it surely helped me to recognize the superiority of your standpoint.

                                                                                                                    1. 7

By “considering the concept of gender harmful” you are willfully ignorant of the way that society works and by effect you are a part of the problem creating inequality and fostering an environment where harassment and hate crimes can thrive.

                                                                                                                      You don’t get to invent your own reality and pretend this one doesn’t exist.

                                                                                                                      1. 16

                                                                                                                        Yeah also you can consider gender harmful without refusing to respect how other people would like to be referred to. For example I will now out of respect for your disdain for the concept of gender refer to you strictly in non-gendered nouns. Notice how I disagreed with your viewpoint but didn’t invalidate your identity.

                                                                                                                      2. 1

                                                                                                                        I don’t care about your honesty. I don’t care to have you recognize the superiority of my viewpoint; I know nothing I can say will sway you. I care to prevent you from contaminating the spaces I care about.

                                                                                                                        1. 22

You and @liwakura have both explained well how you differ fundamentally, and I appreciate that. This comment is pulling that discussion into a dark place, please don’t continue on this theme casting someone as an unredeemable danger who must be eradicated. Lobsters is not good at being “Tinder, but for finding a nemesis”.

                                                                                                                        2. 2

                                                                                                                          You don’t fight the concept of gender by standing on the sidelines watching those that do have the concept of gender dominate half the population. Just because you believe there isn’t gender, doesn’t mean people who consider themselves women aren’t getting the short end of the stick in our society.

                                                                                                                        3. 3

                                                                                                                          thanks, that’s much clearer. :)

                                                                                                                  2. 6

                                                                                                                    You could get fired at a job for nearly every one of these.

Depends on the job. Many employers won’t punish people who have political differences. Especially in the Mid-South where we’re quite a diverse bunch of liberals, conservatives, white, black, latino, etc. The rule is that we either avoid those topics entirely to keep things civil or you better be able to take the kind of discussion you were dishing out. Essentially, we recognize those claiming disagreement is “offensive” to just be silencing their opposition. They’re trying to attack and control the other person. People still try that but don’t get far.

So, in such a truly inclusive environment, people will be saying things that bother others since there’s conflict on a deep level. My relatives and I have worked in many such places. They’ll have heated arguments sometimes. It almost always ends up “agree to disagree” with them making up for it by being nice to each other later. Sometimes people figure out who each other are underneath, permanently dislike each other, work together just enough to get the job done, and avoid one another otherwise.

                                                                                                                    People almost never quit over this sort of thing. It’s also not what most gripe about. Those griping or quitting over assholes bring up people who folks in every group agree are assholes. We wouldn’t need a CoC to deal with them. Just decent managers or owners that respond to employee complaints. If managers or owners aren’t decent, then no policies or CoC’s are going to make the work environment better.

                                                                                                                    1. 13

I really don’t understand how you got this from the CoC mentioned. There is no rule in the CoC that you must conform politically. I would be very shocked to hear that the entire FreeBSD team is not conservative. The rule is merely that you treat other people with dignity. I live in the south and every single one of my workplaces would fit this CoC save for maybe the rules around transgender folks. Frankly even when I was a deeply religious and hardline conservative I would have no trouble following these rules. I never treated anyone as less than human because they had different views than me. Furthermore that “rule” you gave is a kind of CoC, and CoCs matter once the size of the organization grows. It’s very easy to fall into a tyranny of structurelessness as an organization gets larger. This is because nobody can agree on what is right or wrong or what the response should be to a problem. By having a CoC you can agree as an org what actions are against the group and what a good response looks like. If you don’t have any response strategy mob mentality kicks in and things can escalate to threats and violence. After all if someone is a huge asshole and nobody is doing anything about it it would seem natural to find a way to make them stop.

                                                                                                                      Frankly there’s nothing in this CoC that has any bias against conservatives whatsoever. Nothing in the CoC says you have to be a liberal, and it specifically protects people from false claims. Your micro-CoC actually fails to protect individuals from false claims.

                                                                                                                      Publication of non-harassing private communication without consent.

                                                                                                                      Publication of non-harassing private communication with consent but in a way that intentionally misrepresents the communication (e.g., removes context that changes the meaning).

                                                                                                                      Knowingly making harmful false claims about a person.

                                                                                                                      1. 11

                                                                                                                        Depends on the job. Many employers won’t punish people who have political differences.

                                                                                                                        This is such a disingenuous frame shift of the issue that it invalidates everything else about your argument. Being respectful is not political. Enforcing consent in interactions is not political. Being gay or tolerant of same is not political. Asserting that any effort to shift culture away from the status quo is an out-of-bounds “political” act is a cowardly way to attempt to silence those that you disagree with. You are personally guilty, to an incredibly advanced degree, of every evil thing you claim to be against.

                                                                                                                        “Politics” is the process by which humans come to consensus for shared interests. Shitting on the less powerful and providing moral or intellectual cover for those that seek to do the same is not politics; it’s craven thuggery disguised as keeping things peaceful.

                                                                                                                        1. 0

                                                                                                                          Politics is whatever action affects the polis, and by extension any group of humans.

                                                                                                                          Thus being respectful is political.
                                                                                                                          Enforcing consent in interactions is political.
                                                                                                                          Being tolerant of anything is political.

In Italy we have the same kind of differences that @nickpsecurity describes, and we are used to joking about our differences a lot. And we debate harshly about many things, but usually these debates grow our relationships.

As an example, I had a girlfriend who was a deeply religious Catholic when I was an atheist (and rather angry at the Church). And we talked a lot about religion and politics back then, without that negatively affecting the relationship.

One of the best engineers I worked with voted for the worst political party we had in Italy for decades. I had the opposite view. We debated a lot. We debated so much about politics that when we had to design a framework together under huge pressure, we kept debating in the same style. And after 10 years in production, the framework still rocks, the customers are satisfied and we can’t find anything remotely on par with it around.
Why? Because we were used to listening deeply and respectfully to the other’s opinion.

                                                                                                                          1. 2

                                                                                                                            I grant that being tolerant is political, and so it follows that everything is political. Which means that my point is still relevant: it’s disingenuous to dismiss concerns about behavior as “political”, as though that made it irrelevant.

                                                                                                                            In Italy, you are allowed to have those debates because the stakes are much lower: you’re less likely to die from poverty, your livelihood is less contingent upon social approval, etc.

                                                                                                                            In the United States, it’s not like that. If you lose your job, you could die. If you are systematically excluded from high-paying industries, like digital technology, your quality of life massively suffers in comparison to those who are welcomed by that industry. All policies must be considered in the context of an entrenched and reactionary old guard that dominates all other effects. Any overt attempt to improve the lives of the marginalized is treated as a threat to the old order, and rightfully so. The stakes are literally life and death.

Mr. P. Security doesn’t work in the industry, and largely speaks from a position of willful ignorance about these issues.

                                                                                                                            1. 0

                                                                                                                              In Italy, you are allowed to have those debates because the stakes are much lower

I do not know the United States well enough for a comparison, but sadly we have poverty here too. Our livelihood is not based on social approval, but it’s often strongly based on social relationships.

We just know we are all in the same boat.

                                                                                                                              So I don’t know if we are free to talk because we have lower stakes, or we have lower stakes because we are free to talk.

                                                                                                                              In any case, an international project should not be ruled according to the issues of a single country.

                                                                                                                              1. 1

                                                                                                                                In any case, an international project should not be ruled according to the issues of a single country.

                                                                                                                                I don’t understand what this is in reference to, or what it could possibly mean in terms of what kind of governance structure or details. I was pointing out that there are cultural differences that make it easier or harder for people who are forced together to have disagreements about their values, or be able to set aside those differences in order to do something together.

                                                                                                                        2. 10

                                                                                                                          The CoC is about civility, not politics. And I can’t believe you don’t know that. So what is your purpose? Are you standing up for the right to humiliate people or be rude to them? That’s a principle for you?

                                                                                                                          1. 0

                                                                                                                            Just decent managers or owners that respond to employee complaints…

                                                                                                                            Poor employees, at the mercy of their benevolent dictators.

                                                                                                                        3. 3

                                                                                                                          Wait, you believe without a CoC, owners of a project have less power? An owner of a project already has views of what kind of behavior they think is good and what they think is bad. If they don’t write it down in CoC, you are still at their mercy, but now you have to guess what the hell they are thinking.

                                                                                                                          I’m not sure how a CoC increases any power they already have. You still don’t have moral agency because we live in a society where there are owners and non-owners. There is still a power differential. If you want democratic rule, then you need to fight against ownership by paper.

                                                                                                                          1. 2

                                                                                                                            Even without a CoC the project owners selectively enforce hidden rules. I’m not sure how making the rules hidden is better than making them explicit.

                                                                                                                        1. 2

                                                                                                                          This seems to be a massive failure of the GPL as it has not been enforced and it has been some years since the violation was identified. I struggle to believe that the GPL ensures the freedoms promised within when enforcement is such a joke.

                                                                                                                          1. 3

                                                                                                                            Not sure it can be a “failure of the GPL”. The GPL is just a license, it sets the rules for good actors.

                                                                                                                            The rampant, long-lived violations in every single electronic product most people own is a failure of enforcement, which is mostly due to lack of resources and/or lack of contributor action.

                                                                                                                          1. 12

                                                                                                                            When people tell me to stop using the only cryptosystem in existence that has ever - per the Snowden leaks - successfully resisted the attentions of the NSA, I get suspicious, even hostile. It’s triply frustrating when, at the end of the linked rant, they actually recognize that PGP isn’t the problem:

                                                                                                                            It also bears noting that many of the issues above could, in principle at least, be addressed within the confines of the OpenPGP format. Indeed, if you view ‘PGP’ to mean nothing more than the OpenPGP transport, a lot of the above seems easy to fix — with the exception of forward secrecy, which really does seem hard to add without some serious hacks. But in practice, this is rarely all that people mean when they implement ‘PGP’.

                                                                                                                            There is a lot wrong with the GPG implementation and a lot more wrong with how mail clients integrate it. Why would someone who recognises that PGP is a matter of identity for many of its users go out of their way to express their very genuine criticisms as an attack on PGP? If half the effort that went into pushing Signal was put into a good implementation of OpenPGP following cryptographic best practices (which GPG is painfully unwilling to be), we’d have something that would make everyone better off. Instead these people make it weirdly specific about Signal, forcing me to choose between “PGP” and a partially-closed-source centralised system, a choice that’s only ever going to go one way.

                                                                                                                            1. 9

                                                                                                                              I am deeply concerned about the push towards Signal. I am not a cryptographer, so all I can do is trust other people that the crypto is sound, but as we all know, the problems with crypto systems are rarely in the crypto layers.

                                                                                                                              On one hand we know that PGP works, on the other hand we have had two game over vulnerabilities in Signal THIS WEEK. And the last Signal problem was very similar to the one in “not-really-PGP” in that the Signal app passed untrusted HTML to the browser engine.

                                                                                                                              If I were a government trying to subvert secure communications, investing in Signal and tarnishing PGP is what I would try to do. What better strategy than to push everyone towards closed systems where you can’t even see the binaries, and that are not under the user’s control. The exact same devices with GPS and under constant surveillance.

                                                                                                                              My mobile phone might have much better security mechanisms in theory, but I will never know for sure because neither I, nor anyone else can really check. In the meantime we know for sure what a privacy disaster these mobile phones are. We also know for sure from the various leaks that governments implant malware on mobile devices, and we know that both manufacturers and carriers can install software, or updates, on devices without user consent.

                                                                                                                              Whatever the PGP replacement might be, moving to the closed systems that are completely unauditable and not under the user’s control is not the solution. I am not surprised that some people advocate for this option. What I find totally insane is that a good majority of the tech world finds this position sensible. Just find any Hacker News thread and you will see that any criticism towards Signal is downvoted to oblivion, while the voices of “experts” preach PGP hysteria.

                                                                                                                              PGP will never be used by ordinary people. It’s too clunky for that. But it’s used by some people very successfully, and if you try to dissuade this small, but very important group of people to move towards your “solution”, I can only suspect foul play. Signal does not compete with PGP. It’s a phone chat app. As Signal does not compete with PGP, why do you have to spend all this insane amount of effort to convince an insignificant amount of people to drop PGP for Signal?

                                                                                                                              1. 4

                                                                                                                                I can’t for the life of me imagine why a CIA-covert-psyops-agency funded walled garden service would want to push people away from open standards to their walled garden service.

                                                                                                                                Don’t get me wrong, Signal does a lot of the right things but a lot of claims are made about it implying it’s as open as PGP, which it isn’t.

                                                                                                                                1. 2

                                                                                                                                  What makes Signal a closed system?

                                                                                                                                  https://github.com/signalapp

                                                                                                                                  1. 12

                                                                                                                                    Not Signal, iOS and Android, and all the secret operating systems that run underneath.

                                                                                                                                    As for Signal itself, moxie forced F-Droid to take down Signal, because he didn’t want other people to compile Signal. He said he wanted people only to use his binaries, which even if you are ok with in principle, on Android it mandates the use of the Google Play Store. If this is not a dick move, I don’t know what is.

                                                                                                                                    1. 3

                                                                                                                                      I’m with you on Android and especially iOS being problematic. That being said, Signal has been available without Google Play Services for a while now. See also the download page; I couldn’t find it linked anywhere on the site but it is there.

                                                                                                                                      However, we investigated this for PRISM Break, and it turns out that there’s a single Google binary embedded in the APK I just linked to. Which is unfortunate. See this GitHub comment.

                                                                                                                                      1. 2

                                                                                                                                        because he didn’t want other people to compile Signal. He said he wanted people only to use his binaries

                                                                                                                                        Ehm… he chose the wrong license in this case.

                                                                                                                                  2. 4

                                                                                                                                    As I understand it, the case against PGP is not with PGP in and of itself (the cryptography is good), but the ecosystem. That is, the toolchain in which one uses it. Because it is advocated for use in email and securing email, it is argued, is nigh on impossible, then it is irresponsible to recommend using PGP encrypted email for general consumption, especially for journalists.

                                                                                                                                    That is, while it is possible to use PGP via email effectively, it is incredibly difficult and error-prone. These are not qualities one wants in a secure system and thus, it should be avoided.

                                                                                                                                    1. 4

                                                                                                                                      But the cryptography isn’t good. His case in the blog post is intentionally beside all of the crypto badness. Example: the standard doesn’t allow any other hash function than sha1, which has been proven broken. The protocol itself disallows flexibility here to avoid ambiguity and that means there is no way to change it significantly without breaking compatibility.

                                                                                                                                      And so far, it seems, people wanted compatibility (or switched to something else, like Signal)

                                                                                                                                    2. 4

                                                                                                                                      Until this better implementation appears, an abstract recommendation for PGP is a concrete recommendation for GPG.

                                                                                                                                      Imagine if half the effort spent saying PGP is just fine went into making PGP just fine.

                                                                                                                                      1. 2

                                                                                                                                        I guess that’s an invitation to push https://autocrypt.org/

                                                                                                                                      2. 3

                                                                                                                                        When people tell me to stop using the only cryptosystem in existence that has ever - per the Snowden leaks - successfully resisted the attentions of the NSA, I get suspicious, even hostile.

                                                                                                                                        Without wanting to sound rude, this is discussed in the article:

                                                                                                                                        The fact of the matter is that OpenPGP is not really a cryptography project. That is, it’s not held together by cryptography. It’s held together by backwards-compatibility and (increasingly) a kind of an obsession with the idea of PGP as an end in and of itself, rather than as a means to actually make end-users more secure.

                                                                                                                                        OpenPGP might have resisted the NSA, but that’s not a unique property. Every modern encryption tool or standard has to do that or it is considered broken.

                                                                                                                                        I think most people unless they are heavily involved in security research don’t know how encryption/auth/integrity protection are layered. There are a lot of layers in what people just want to call “encryption”. OpenPGP uses the same standard crypto building blocks as everything else and unfortunately putting those lower level primitives together is fiendishly difficult. Life also went on since OpenPGP was created meaning that those building blocks and how to put them together changed in the last few decades, cryptographers learned a lot.

                                                                                                                                        One of the most important things that cryptographers learned is that the entire ecosystem / the system as a whole counts. Even Snowden was talking about this when he said that the NSA just attacks the endpoints, where most of the attack surface is. So while the cryptography bits in the core of the OpenPGP standard are safe, if dated, that’s not the point. Reasonable people can’t really use PGP safely because we would have to have a library that implements the dated OpenPGP standard in a modern way, clients that interface with that modern library in a safe and thought-through way and users that know enough about the system to satisfy its safety requirements (which are large for OpenPGP).

                                                                                                                                        Part of that is attitude, most of the existing projects for implementing the standard just don’t seem to take a security-first stance. Who is really looking towards providing a secure overall experience to users under OpenPGP? Certainly not the projects bickering where to attribute blame.

                                                                                                                                        I think people kept contrasting this with Signal because Signal gets a lot of things right in contrast. The protocol is modern and it’s not impossibly demanding on users (ratcheting key rotation, anyone?), there is no security blame game between Signal the desktop app vs signal the mobile app vs the protocol when a security vulnerability happens, OWS just fixes it with little drama. Of course Signal-the-app has downsides too, like the centralization, however that seems like a reasonable choice. I’d rather have a clean protocol operating through a central server that most people can use than an unusable (from the pov of most users) standard/protocol. We’re not there yet where we can have all of decentralization, security and ease of use.

                                                                                                                                        1. 2

                                                                                                                                          OpenPGP might have resisted the NSA, but that’s not a unique property. Every modern encryption tool or standard has to do that or it is considered broken.

                                                                                                                                          One assumes the NSA has backdoors in iOS, Google Play Services, and the binary builds of Signal (and any other major closed-source crypto tool, at least those distributed from the US) - there’s no countermeasure and virtually no downside, so why wouldn’t they?

                                                                                                                                          there is no security blame game between Signal the desktop app vs signal the mobile app vs the protocol when a security vulnerability happens, OWS just fixes it with little drama.

                                                                                                                                          Not really the response I’ve seen to their recent desktop-only vulnerability, though I do agree with you in principle.

                                                                                                                                          1. 3

                                                                                                                                            Signal Android has been reproducible for over two years now. What I don’t know is whether anyone has independently verified that it can be reproduced. I also don’t know whether the “remaining work” in that post was ever addressed.

                                                                                                                                            1. 2

                                                                                                                                              The process of verifying a build can be done through a Docker image containing an Android build environment that we’ve published.

                                                                                                                                              Doesn’t such process assume trust on who created the image (and on who created each of layers it was based on)?

                                                                                                                                              A genuine question, as I see the convenience of Docker and how it could lead to more verifications, but on the other hand it creates a single point of failure easier to attack.

                                                                                                                                              1. 1

                                                                                                                                                That question of trust is the reason why, if you’re forced to use Docker, build every layer for yourself from the most trustworthy sources. It isn’t even hard.

                                                                                                                                        2. 1

                                                                                                                                          the only cryptosystem in existence that has ever - per the Snowden leaks - successfully resisted the attentions of the NSA

                                                                                                                                          I’m pretty ignorant on this matter, but do you have any link to share?

                                                                                                                                          There is a lot wrong with the GPG implementation

                                                                                                                                          Actually, I’d like to read the opinion of GPG developers here, too.

                                                                                                                                          Everyone makes mistakes, but I’m pretty curious about the technical allegations: it seems like they did not consider the issue to be fixed in their own code.

                                                                                                                                          This might have pretty good security reasons.

                                                                                                                                          1. 3

                                                                                                                                            To start with, you can’t trust the closed-source providers since the NSA and GCHQ are throwing $200+ million at both finding 0-days and paying them to put backdoors in. Covered here. From there, you have to assess open-source solutions. There’s a lot of ways to do that. However, the NSA sort of did it for us in slides where GPG and Truecrypt were worst things for them to run into. Snowden said GPG works, too. He’d know given he had access to everything they had that worked and didn’t. He used GPG and Truecrypt. NSA had to either ignore those people or forward them to TAO for targeted attack on browser, OS, hardware, etc. The targeted attack group only has so much personnel and time. So, this is a huge increase in security.

                                                                                                                                            I always say that what stops NSA should be good enough to stop the majority of black hats. So, keep using and improving what is a known-good approach. I further limit risk by just GPG-encrypting text or zip files that I send/receive over untrusted transports using strong algorithms. I exchange the keys manually. That means I’m down to trusting the implementation of just a few commands. Securing GPG in my use-case would mean stripping out anything I don’t need (most of GPG) followed by hardening the remaining code manually or through automated means. It’s a much smaller problem than clean-slate, GUI-using, encrypted sharing of various media. Zip can encode anything. Give the files boring names, too. The untrusted email provider is Swiss in case that buys anything on any type of attacker.

                                                                                                                                            Far as the leaks, I had a really hard time getting you the NSA slides. Searching with specific terms in either DuckDuckGo or Google used to take me right to them. They don’t anymore. I’ve had to fight with them narrowing terms down with quotes trying to find any Snowden slides, much less the good ones. I’m getting Naked Security, FramaSoft, pharma spam, etc even on p 2 and 3 but not Snowden slides past a few, recurring ones. Even mandating the Guardian in terms often didn’t produce more than one Guardian link. Really weird that both engines’ algorithms are suppressing all the important stuff despite really focused searches. Although I’m not going conspiracy hat yet, the relative inaccuracy of Google’s results compared to about any other search I’ve done over the past year for both historical and current material is a bit worrying. Usually excellent accuracy.

                                                                                                                                            NSA Facts is still up if you want the big picture about their spying activities. Ok, after spending an hour, I’m going to have to settle for giving you this presentation calling TAILS or Truecrypt catastrophic loss of intelligence. TAILS was probably temporary but the TrueCrypt derivatives are worth investing effort in. Anyone else have a link to the GPG slide(s)? @4ad? I’m going to try to dig it all up out of old browser or Schneier conversations in the near future. Need at least those slides so people know what was NSA-proof at the time.

                                                                                                                                            1. 2

                                                                                                                                              Why would TAILS be temporary? If anything this era of cheap devices makes it more practical than ever.

                                                                                                                                              1. 3

                                                                                                                                                It was secure at the time since neither mass collection nor TAO teams couldn’t hack it. Hacking it requires one or more vulnerabilities in the software it runs. The TAILS software includes complex software such as Linux and a browser with a history of vulnerabilities. We should assume that was temporary and/or would disappear if usage went up enough to budget more attacks its way.

                                                                                                                                                1. 2

                                                                                                                                                  I’d still trust it more than TrueCrypt just due to being open-source.

                                                                                                                                                  What would it take to make an adequate replacement for TAILS? I’m guessing some kind of unikernel? Are there any efforts in that direction?

                                                                                                                                                  1. 1

                                                                                                                                                    Well, you have to look at the various methods of attack to assess this:

                                                                                                                                                    1. Mass surveillance attempting to read traffic through protocol weaknesses with or without a MITM. They keep finding these in Tor.

                                                                                                                                                    2. Attacks on the implementation of Tor, the browser, or other apps. These are plentiful since it’s mostly written in a non-memory-safe way. Also, having no covert channel analysis on components processing secrets means there’s probably plenty of side channels. There’s also increasingly new attacks on hardware with a network-oriented one even being published.

                                                                                                                                                    3. Attacks on the repo or otherwise MITMing the binaries. I don’t think most people are checking for that. The few that do would make attackers cautious about being discovered. A deniable way to see who is who might be a bitflip or two that would cause the security check to fail. Put it in random, non-critical spots to make it look like an accident during transport. Whoever re-downloads doesn’t get hit with the actual attack.

                                                                                                                                                    So, the OS and apps have to be secure with some containment mechanisms for any failures. The protocol has to work. These must be checked against any subversions in the repo or during transport. All this together in a LiveCD. I think it’s doable minus the anonymity protocol working which I don’t trust. So, I’ve usually recommended dedicated computers bought with cash (esp netbooks), WiFi’s, cantennas, getting used to human patterns in those areas, and spots with minimal camera coverage. You can add Tor on top of it but NSA focuses on that traffic. They probably don’t pay attention to average person on WiFi using generic sites over HTTPS.
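The third attack in the list above (MITMing the binaries, with a "random" bit flip to fingerprint who actually checks) and the earlier exchange about reproducing the Signal build both come down to the same operation: computing a digest of what you received and comparing it to what the publisher, or your own build, says it should be. The following is an added example, not code from any poster or project in this thread. It parses a checksum file in the format `sha256sum` writes (`<hex>  <name>` in text mode, `<hex> *<name>` in binary mode), verifies a set of downloads against it, and shows that a single flipped bit anywhere in the file, even in a region the program would never execute, is caught. The file names and contents are constructed in-line for the demonstration and are not real release artifacts. Caveat a practitioner should keep in mind: a checksum file only detects transport damage if it was itself obtained over a channel the attacker cannot also rewrite (for instance it is signed, or fetched from a separate trusted source); it does not by itself authenticate the publisher.

```python
import hashlib
import hmac
import re

# Constructed sample "release": the bytes as the publisher built them.
# These stand in for downloaded binaries and are not real files.
PUBLISHED = {
    "image.iso": b"\x7fELF" + bytes(range(256)) * 4,
    "image.iso.sig": b"-----BEGIN PGP SIGNATURE-----\n(constructed placeholder)\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sums_file(files: dict) -> str:
    """Emit a SHA256SUMS file in the text-mode format `sha256sum` writes."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in files.items())


# 64 hex chars, one space, then either a space (text mode) or '*' (binary mode), then the name.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sums(text: str) -> dict:
    """Parse a SHA256SUMS file; refuse malformed lines rather than silently skipping them."""
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        match = _SUM_LINE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: malformed checksum line")
        digest, name = match.groups()
        sums[name] = digest.lower()
    return sums


def verify_downloads(sums_text: str, downloaded: dict) -> dict:
    """Per-file verdict: OK, MISMATCH (content differs) or MISSING (no entry in the sums file)."""
    expected = parse_sums(sums_text)
    verdicts = {}
    for name, data in downloaded.items():
        if name not in expected:
            verdicts[name] = "MISSING"
        elif hmac.compare_digest(sha256_hex(data), expected[name]):
            verdicts[name] = "OK"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate the 'accidental' single-bit transport corruption described in the comment."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def reproducible_build_matches(local_build: bytes, distributed: bytes) -> bool:
    """Reproducible-build check: a local rebuild must be byte-identical to the distributed binary."""
    return hmac.compare_digest(sha256_hex(local_build), sha256_hex(distributed))


if __name__ == "__main__":
    sums = make_sums_file(PUBLISHED)
    print(verify_downloads(sums, PUBLISHED))
    # Flip one bit deep inside the payload, far from the header, and re-check.
    tampered = dict(PUBLISHED)
    tampered["image.iso"] = flip_bit(PUBLISHED["image.iso"], 900, 0)
    print(verify_downloads(sums, tampered))
    print(reproducible_build_matches(PUBLISHED["image.iso"], tampered["image.iso"]))
```

The `MISSING` verdict matters in practice: a checksum file that simply omits the file you downloaded passes a naive "does every listed hash match" loop, so the check iterates over what was downloaded, not over what was listed.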

                                                                                                                                                    1. 1

                                                                                                                                                      Sure. My question was more: does a live CD project with that kind of aim exist? @josuah mentioned heads which at least avoids the regression of bringing in systemd, but doesn’t really improve over classic tails in terms of not relying on linux or a browser.

                                                                                                                                                      1. 2

                                                                                                                                                        An old one named Anonym.OS was an OpenBSD-based Live CD. That would’ve been better on the code injection front at least. I don’t know of any current offerings. I just assume they’ll be compromised.

                                                                                                                                                    2. 1

                                                                                                                                                      I think it is the reason why https://heads.dyne.org/ has been made: replacing the complex software stack with a simpler one with the aim of avoiding security risks.

                                                                                                                                                      1. 1

                                                                                                                                                        Hmm. That’s a small start, but still running Linux (and with a non-mainstream patchset even), I don’t think it answers the core criticism.

                                                                                                                                                2. 2

                                                                                                                                                  Thanks for this great answer.

                                                                                                                                                  Really weird that both engines’ algorithms are suppressing all the important stuff despite really-focused searches.

                                                                                                                                                  If you can share a few of your search terms I guess that a few friends would find them pretty interesting, with their research.

                                                                                                                                                  For sure this teaches us a valuable lesson. The web is not a reliable medium for free speech.

                                                                                                                                                  From now on, I will download from the internet interesting documents about such topics and donate them (with other more neutral DVDs) to small public libraries around Europe.

                                                                                                                                                  I guess that slowly, people will go back to librarians if search engines don’t search carefully enough anymore.

                                                                                                                                                  1. 2

                                                                                                                                                    It was variations, with and without quotes, on terms I saw in the early reports. They included GPG, PGP, Truecrypt, Guard, Documents, Leaked, Snowden, and catastrophic. I at least found that one report that mentions it in combination with other things. I also found, but didn’t post, a PGP intercept that was highly-classified but said they couldn’t decrypt it. Finally, Snowden kept maintaining good encryption worked with GPG being one he used personally.

                                                                                                                                                    So, we have what we need to know. From there, just need to make the programs we know work more usable and memory safe.

                                                                                                                                            1. [Comment removed by author]

                                                                                                                                              1. 13

                                                                                                                                                You realize it’s OK to agree with someone on one topic and disagree with them on another? A single opinion cannot invalidate everything a person has to contribute. I see a lot of people doing that these days. It’s dangerous and unhealthy.

                                                                                                                                                1. 5

                                                                                                                                                  Sean Blanchfield and Johnny Ryan are the same person? Could you elaborate on that?

                                                                                                                                                  1. 4

                                                                                                                                                    It’s a conspiracy I tell you.

                                                                                                                                                1. 3

                                                                                                                                                  It would be interesting to compare it with ejabberd in Erlang.

                                                                                                                                                  1. 2

                                                                                                                                                    Indeed. I’ve used ejabberd as well as Openfire in the past. Cert handling (as an example) was hell with Openfire.

                                                                                                                                                    1. 1

                                                                                                                                                      Surely there is some good solution by now for the mess that is (was?) certificate trust stores on JVM based languages?

                                                                                                                                                      1. 2

                                                                                                                                                        Not that I’ve found. You have to live with keytool.

                                                                                                                                                  1. 75

                                                                                                                                                    Capitalism is killing us in a very literal sense by destroying our habitat at an ever accelerating rate. The fundamental idea of needing growth and having to constantly invent new things to peddle leads to ever more disposable products that are replaced for the sake of being replaced. There’s been very little actual innovation happening in the phone space. The vendors are intentionally building devices using the planned obsolescence model to force the upgrade cycle.

                                                                                                                                                    The cancer of consumerism affects pretty much every aspect of society; we’ve clear-cut unique rain forests and destroyed millions of species we haven’t even documented so that we can make palm oil, a product that causes cancer but is fractionally cheaper than other kinds of oil. We’ve created a garbage patch the size of a continent in the ocean. We’re poisoning the land with fracking. The list is endless, and it all comes down to the American ethos that making money is a sacred right that trumps all other concerns.

                                                                                                                                                    1. 22

                                                                                                                                                      Capitalism is killing us in a very literal sense by destroying our habitat at an ever accelerating rate.

                                                                                                                                                      The cancer of consumerism affects pretty much every aspect of society, we’ve clear cut unique rain forests and destroyed millions of species we haven’t even documented so that we can make palm oil.

                                                                                                                                                      One can get into a big debate about this, but the concept of externalities has existed for a long time and specifically addresses these concerns. Products do not cost what they should when their less tangible environmental impact is taken into account. It’s somewhat up to the reader to decide if the inability of society to take those into account is capitalism’s fault, or just human nature, or something else. I live in a country that leans much more socialist than the US but is unequivocally a capitalist country, and they do a better job of managing these externalities. And China is not really capitalistic in the same way the US is, but is a pretty significant polluter.

                                                                                                                                                      1. 5

                                                                                                                                                        Indeed, it’s not the fault of the economic system (if you think Capitalistic societies are wasteful, take a look at the waste and inefficiency of industry under the USSR). If externalities are correctly accounted for, or to be safe, even over-accounted for by means of taxation or otherwise, the market will work itself out. If the environmental cost means the new iPhone costs $2000 in real costs, Apple will work to reduce environmental cost in order to make an affordable phone again and everyone wins. And if they don’t, another company will figure it out instead and Apple will lose.

                                                                                                                                                        Currently, there is basically no accounting for these externalities, and in some cases (although afaik not related to smart phones), there are subsidies and price-ceiling regulations that actually decrease the cost of some externalities artificially and are worse for the environment than no government intervention at all.

                                                                                                                                                        The easy example of this is California State water subsidies for farmers. Artificially cheap water for farmers means they grow water-guzzling crops that are not otherwise efficient to grow in arid parts of the state, and cause environmental damage and water shortage to normal consumers. Can you imagine your local government asking you to take shorter showers and not wash your car, when farmers are paying 94% less than you to grow crops that could much more efficiently be grown in other parts of the country? That’s what happens in California.

                                                                                                                                                        Step 1 and 2 are to get rid of the current subsidies and regulations that aggravate externalities and impose new regulation/taxes that help account for externalities.

                                                                                                                                                        1. 2

                                                                                                                                                          I have talked to a factory owner in China. He said China is more capitalist than the USA. He said China prioritizes capital over social concerns.

                                                                                                                                                          1. 1

                                                                                                                                                            Ok? I can talk to lots of people with lots of opinions. That doesn’t make it true.

                                                                                                                                                            1. 1

                                                                                                                                                              It’s just impressive that a capitalist would say that. If China was even remotely communist, don’t you find it interesting that most capitalists who made deals with China seem OK helping ‘the enemy’ become the second largest economy in the world? I prefer to believe the simpler possibility that China is pretty darn capitalist itself.

                                                                                                                                                              1. 2

                                                                                                                                                                I did not say China was not capitalist, I said it’s not in the same way as the US. There is a lot more state involvement in China.

                                                                                                                                                                1. 2

                                                                                                                                                                  Is your claim then that state involvement means you have more pollution? Maybe I’m confused by what you were trying to get at, sorry :-/

                                                                                                                                                                  1. 2

                                                                                                                                                                    No, I was pointing out that different countries are doing capitalism differently and some of them are better at dealing with externalities and some of them are worse. With the overall point being that capitalism might be the wrong scapegoat.

                                                                                                                                                          1. 7

                                                                                                                                                            I think the consumer could be blamed more than capitalism: the companies make what sells, and the consumers are individuals who buy products that hurt the environment. I think that it is changing though; as people become more aware of these issues, they buy more environmentally friendly products.

                                                                                                                                                            1. 30

                                                                                                                                                              You’re blaming the consumer? I’d really recommend watching Century of the Self. Advertising has a massive impact and the mass of humans are being fed this desire for all the things we consume.

                                                                                                                                                              I mean, this really delves into the deeper question of self-awareness, agency and free will, but I really don’t think most human beings are even remotely aware.

                                                                                                                                                              Engineers, people on Lobsters, et al. do really want standard devices. Fuck ARM. Give me a god damn mobile platform. Microsoft, for the love of god, just publish your unlock key for your dead phone line so we can have at least one line of devices with UEFI+ARM. Device tree can go die in a fire.

                                                                                                                                                              The Linux-style revolution of the 2000s (among developers) isn’t happening on mobile because every device is just too damn different. The average consumer could care less. Most people like to buy new things, and we’ve been indoctrinated to that point. Retailers and manufacturers have focus groups geared right at delivering the dopamine rush.

                                                                                                                                                              I personally hate buying things. When my mobile stopped charging yesterday and the back broke again, I thought about changing it out. I’ve replaced the back twice already and the camera has spots on the sensor under the lenses.

                                                                                                                                                              I was able to get it charging when I got home on a high amp USB port, so instead I just ordered yet another back and a new camera (I thought it’d be a bitch to get out, but a few YouTube videos show I was looking at the ribbon wrong and it’s actually pretty easy to replace).

                                                                                                                                                              I feel bad when I buy things, but it took a lot of work to get to that point. I’ve sold or given away most of my things multiple times to go backpacking, I run ad block... I mean, if everyone did what I did, my life wouldn’t be sustainable. :-P

                                                                                                                                                              We are in a really solidly locked paradigm and I don’t think it can simply shift. If you believe the authors of The Dictator’s Handbook, we literally have to run out of resources before the general public will really push for dramatically different changes.

                                                                                                                                                              We really need more commitment to open standards mobile devices. The Ubuntu Edge could have been a game changer, or even the Fairphone. The Edge never got funded and the Fairphone can’t even keep parts sourced for their older models.

                                                                                                                                                              We need a combination of people’s attitudes + engineers working on OSS alternatives, and I don’t see either happening any time soon.

                                                                                                                                                              Edit: I forgot to mention, Postmarket OS is making huge strides into making older cellphones useful and I hope we see more of that too.

                                                                                                                                                              1. 7

                                                                                                                                                                I second the recommendation for The Century of the Self. That movie offers a life-changing change of perspective. The other documentaries by Curtis are also great and well worth the time.

                                                                                                                                                                1. 3

                                                                                                                                                                  Century of the Self was a real eye opener. Curtis’s latest documentary, HyperNormalisation, also offers very interesting perspectives.

                                                                                                                                                                2. 26

                                                                                                                                                                  Capitalism, by its very nature, drives companies to not be satisfied with what already sells. Companies are constantly looking to create new markets and products, and that includes creating demand.

                                                                                                                                                                  IOW, consumers aren’t fixed actors who buy what they need; they are acted upon to create an ever increasing number of needs.

                                                                                                                                                                  There are too many examples of this dynamic to bother listing.

                                                                                                                                                                  1. 12

                                                                                                                                                                    It’s also very difficult for the consumer to tell exactly how destructive a particular product is. The only price we pay is the sticker price. Unless you really want to put a lot of time into research it is hard to tell which product is better for the environment.

                                                                                                                                                                    1. 14

                                                                                                                                                                      It’s ridiculous to expect everyone to be an expert on every supply chain in the world, starting right from the mines and energy production all the way to the store shelf. That’s effectively what you are requiring.

                                                                                                                                                                      I’m saying this as a very conscious consumer. I care about my carbon footprint, I don’t buy palm oil, I limit plastic consumption, I limit my consumption overall, but it’s all a drop in the ocean and changes nothing. There are still hundreds of compounds in the everyday items I buy whose provenance I know nothing about and which could be even more destructive. Not to mention that manufacturers really don’t want you to know, it’s simply not in their interest.

                                                                                                                                                                      You’re creating an impossible task and setting people up to fail. It is not the answer.

                                                                                                                                                                      1. 2

                                                                                                                                                                        “It’s ridiculous to expect everyone to be an expert on every supply chain in the world, starting right from the mines and energy production all the way to the store shelf. That’s effectively what you are requiring.”

                                                                                                                                                                        I don’t think it is what they’re requiring and it’s much easier than you describe. Here’s a few options:

                                                                                                                                                                        1. People who are really concerned about this at a level demanding much sacrifice to avoid damaging the environment should automatically avoid buying anything they can’t provably trust by default. The Amish are a decent example that avoids a lot of modern stuff due to commitment to beliefs.

                                                                                                                                                                        2. There’s groups that try to keep track of corporate abuse, environmental actions, and so on of various companies. They maintain good and bad lists. More people that supposedly care can both use them and join them in maintaining that data. It would be split among many people to lessen each’s burden. Again, avoid things by default until they get on the good lists. Ditch them if they get on the bad ones.

                                                                                                                                                                        3. Collectively push their politicians for laws giving proper labels, auditing, etc. that help with No. 2. Also, push for externalities to be charged back to the companies somehow to incentivize less-damaging behavior.

                                                                                                                                                                        4. Start their own businesses that practice what they preach. Build the principles into their charters, contracts, and so on. Niche businesses doing a better job create more options on the good lists in No. 2. There are entrepreneurs doing this.

                                                                                                                                                                        So, not all-knowing consumers as you indicated. Quite a few strategies that are less impossible.

                                                                                                                                                                        1. 4

                                                                                                                                                                          @ac specifically suggested consumer choice as the solution to environmental issues, and that’s what I disagreed with.

                                                                                                                                                                          Your point number 3 is quite different from the other three, and it’s what I would suggest as a far more effective strategy than consumer choice (along with putting pressure on various corporations). As an aside, I still wouldn’t call it easy - it’s always a hard slog.

                                                                                                                                                                          Your points 1, 2 and 4 still rely on consumer choice, and effectively boil down to: either remove yourself from modern civilisation, or understand every supply chain in the world. I think it’s obvious that the first choice is neither desirable nor “much easier” for the vast majority of people (and I don’t think it’s the best possible solution). The second is impossible, as I said before.

                                                                                                                                                                          1. 1

                                                                                                                                                                            “consumer choice as the solution to environmental issues”

                                                                                                                                                                            edit to add: consumer choice eliminated entire industries worth of companies because they wanted something else. It’s only worsened environmental issues. That’s probably not an argument against consumer choice so much as in favor of them willing to sacrifice the environment overall to get the immediate things they want.

                                                                                                                                                                            “either remove yourself from modern civilisation, or understand every supply chain in the world”

                                                                                                                                                                            This is another false dichotomy. I know lots of people who are highly connected with other people but don’t own lots of tech or follow lots of fads. In many cases, they seem to know about them enough to have good conversations with people. They follow what’s going on or are just good listeners. Buying tons of gadgets or harmful things isn’t necessary for participation. You can get by with a lot less than the average middle- or upper-class person.

                                                                                                                                                                            What you said is better understood as a spectrum to be in like most things. Lots of positions in it.

                                                                                                                                                                            1. 2

                                                                                                                                                                              I think we might actually be mostly in agreement, but we’re talking past each other a bit.

                                                                                                                                                                              That’s probably not an argument against consumer choice so much as in favor of them willing to sacrifice the environment overall to get the immediate things they want.

                                                                                                                                                                              I agree with this. But even when consumer choice is applied with environmental goals in mind, I believe its effect is very limited, simply because most people won’t participate.

                                                                                                                                                                              This is another false dichotomy.

                                                                                                                                                                              Yeah, but it was derived from your points :) I was just trying to hammer the point that consumer choice isn’t an effective solution.

                                                                                                                                                                              You can get by with a lot less than the average middle- or upper-class person.

                                                                                                                                                                              Totally. I’ve been doing that for a long time: avoiding gadgets and keeping the stuff I need (e.g. a laptop) as long as I can.

                                                                                                                                                                              1. 1

                                                                                                                                                                                “But even when consumer choice is applied with environmental goals in mind, I believe its effect is very limited, simply because most people won’t participate.”

                                                                                                                                                                                Oh OK. Yeah, I share that depressing view. Evidence is overwhelmingly in our favor on it. It’s even made me wonder if I should even be doing the things I’m doing if so few are doing their part.

                                                                                                                                                                      2. 5

                                                                                                                                                                        The blame rests on the producers, not on the consumers.

                                                                                                                                                                        Consumers are only able to select off of the menu of available products, so to speak. Most of the choices everyday consumers face are dictated by their employers and whatever is currently available to make it through their day.

                                                                                                                                                                        No person can reasonably trace the entire supply chain for every item they purchase, and it would likely be impossible even with generous time windows. Nor would I want every single consumer to spend their non-working time tracing these chains.

                                                                                                                                                                        Additionally, shifting this blame to the consumer creates conditions where producers can charge a premium on ‘green’ and ‘sustainable’ products. Only consumers with the means to consume ‘ethically’ are able to do so, and thus shame people with less money for being the problem.

                                                                                                                                                                        The blame falls squarely on the entities producing these products and the states tasked with regulating production. There will be no market-based solution to get us out of the climate catastrophe, and we certainly can’t vote for a green future with our dollars.

                                                                                                                                                                        1. 4

                                                                                                                                                                          Consumers are only able to select off of the menu of available products, so to speak. Most of the choices everyday consumers face are dictated by their employers and whatever is currently available to make it through their day.

                                                                                                                                                                          That’s not true even though it seems it is. The consumers’ past behavior and present statements play a major role in what suppliers will produce. Most of what you see today didn’t happen overnight. There were battles fought where quite a few companies were out there doing more ethical things on supply side. They ended up bankrupt or with less marketshare while the unethical companies got way ahead through better marketing of their products. With enough wealth accumulated, they continued buying the brands of the better companies remaking them into scumbag companies, too, in many cases.

                                                                                                                                                                          For instance, I strongly advise against companies developing privacy- or security-oriented versions of software products that actually mitigate risks. They’ll go bankrupt like such companies often always did. The companies that actually make lots of money apply the buzzwords customers are looking for, integrate into their existing tooling (often insecure), have features they demand that are too complex to secure, and in some cases are so cheap the QA couldn’t have possibly been done right. That has to be private or secure for real against smart black hats. Not going to happen most of the time.

                                                                                                                                                                          So, I instead tell people to bake cost-effective security enhancements and good service into an otherwise good product advertised for mostly non-security benefits. Why? Because that’s what demand-side responds to almost every time. So, the supply must provide it if hoping to make waves. Turns out, there’s also an upper limit to what one can achieve in that way, too. The crowds’ demands will keep creating obstacles to reliability, security, workers’ quality of life, supplier choice, environment… you name it. They mostly don’t care either where suppliers being honest about costs will be abandoned for those delivering to demand side. In face of that, most suppliers will focus on what they think is in demand across as many proven dimensions as possible.

                                                                                                                                                                          Demand and supply side are both guilty here in a way that’s closely intertwined. It’s mostly demand side, though, as quite a few suppliers in each segment will give them whatever they’re willing to pay for at a profit.

                                                                                                                                                                          1. 3

                                                                                                                                                                            I agree with a lot of your above point, but want to unpack some of this.

                                                                                                                                                                            Software security is a strange case to turn to since it has less direct implications on the climate crisis (sure anything that relies on a datacenter is probably using too much energy) compared to the production of disposable, resource-intensive goods.

                                                                                                                                                                            Demand and supply side are both guilty here in a way that’s closely intertwined. It’s mostly demand side, though, as quite a few suppliers in each segment will give them whatever they’re willing to pay for at a profit.

                                                                                                                                                                            I parse this paragraph to read: we should blame consumers for buying what’s available and affordable, because suppliers are incapable of acting ethically (due to competition).

                                                                                                                                                                            So should we blame the end consumer for buying a phone every two years and not the phone manufacturers/retailers for creating rackets of planned obsolescence?

                                                                                                                                                                            And additionally, most suppliers are consumers of something else upstream. Virtually everything that reaches an end consumer has been consumed and processed several times over by suppliers above. The suppliers are guilty on both counts by our separate reasoning.

                                                                                                                                                                            Blaming individuals for structural problems simply lets suppliers shirk any responsibility they should have to society. After all, suppliers have no responsibility other than to create profits. Suppliers’ bad behavior must be curtailed either through regulation, public education campaigns to affect consumption habits, or organizing within workplaces.

                                                                                                                                                                            (As an aside, I appreciate your response and it’s both useful and stimulating to hear your points)

                                                                                                                                                                            1. 2

                                                                                                                                                                              “I parse this paragraph to read: we should blame consumers for buying what’s available and affordable, because suppliers are incapable of acting ethically (due to competition).”

                                                                                                                                                                              You added two words, available and affordable, to what I said. I left affordable off because many products that are more ethical are still affordable. Most don’t buy them anyway. I left availability off since there’s products appearing all the time in this space that mostly get ignored. The demand side not buying enough of what was and currently is available in a segment sends a message to suppliers about what they should produce. Especially if it’s consistent. Under vote with your wallet, we should give consumers their share of credit or blame for anything their purchasing decisions as a whole are supporting or destroying. That most won’t deliberately try to obtain an ethical supplier of… anything… supports my notion demand side has a lot to do with unethical activities of financially-successful suppliers.

                                                                                                                                                                              For a quick example, there are often coops and farmers markets in lots of rural areas or suburban towns in them. There’s usually a segment of people who buy from them to support their style of operation and/or jobs. There’s usually enough to keep them in business. You might count Costco in that, too, where a membership fee that’s fixed cost gets the customers a pile of stuff at a promised low-markup and great service. There’s people that use credit unions, esp in their industry, instead of banks. There’s people that try to buy from nonprofits, public benefit companies, companies with good track record, and so on. There’s both a demand side (tiny) and suppliers responding to it that show this could become a widespread thing.

                                                                                                                                                                              Most consumers on demand side don’t do that stuff, though. They buy a mix of necessities and arbitrary stuff from whatever supplier is lowest cost, cheapest, most variety, promoting certain image, or other arbitrary reasons. They do this so much that most suppliers, esp market leaders, optimize their marketing for that stuff. They also make more money off these people that let them put lots of ethical, niche players out of business over time. So, yeah, I’d say consumer demand being apathetic to ethics or long-term thinking is a huge part of the problem given it puts tens of billions into hands of unethical parties. Then, some of that money goes into politicians’ campaign funds so they make things even more difficult for those companies’ opponents.

                                                                                                                                                                              “Blaming individuals for structural problems simply lets suppliers shirk any responsibility they should have to society.”

                                                                                                                                                                              Or the individuals can buy from different suppliers highlighting why they’re doing it. Other individuals can start companies responding to that massive stated demand. The existing vendors will pivot their operations. Things start shifting. It won’t happen without people willing to buy it. Alternatively, using regulation as you mentioned. I don’t know how well public education can help vs all the money put into advertising. The latter seems more powerful.

                                                                                                                                                                              “(As an aside, I appreciate your response and it’s both useful and stimulating to hear your points)”

                                                                                                                                                                              Thanks. Appreciate you challenging it so I think harder on and improve it. :)

                                                                                                                                                                          2. 2

                                                                                                                                                                            Only consumers with the means to consume ‘ethically’ are able to do so, and thus shame people with less money for being the problem.

                                                                                                                                                                            This is ignoring reality, removing cheaper options does not make the other options cheaper to manufacture. It is not shaming people.

                                                                                                                                                                            You are also ignoring the fact that in a free country the consumers and producers are the same people. A dissatisfied consumer can become a producer of a new alternative if they see it as possible.

                                                                                                                                                                          3. 3

                                                                                                                                                                            Exactly. The consumers could be doing more on issues like this. They’re complicit or actively contribute to the problems.

                                                                                                                                                                            For example, I use old devices for as long as I can on purpose to reduce waste. I try to also buy things that last as long as possible. That’s a bit harder in some markets than others. For appliances, I just buy things that are 20 years old. They do the job and usually last 10 more years since planned obsolescence had fewer tricks at the time. ;) My smartphone is finally getting unreliable on essential functions, though. Bout to replace it. I’ll donate, reuse, or recycle it when I get a new one.

                                                                                                                                                                            On PC side, I’m using a backup whose age I can’t recall with a Celeron after my Ubuntu Dell w/ Core Duo 2 died. It was eight years old. Attempting to revive it soon in case it’s just HD or something simple. It’s acting weird, though, so might just become a box for VM experiments, fuzzing, opening highly-untrustworthy URLs or files, etc. :)

                                                                                                                                                                          4. 7

                                                                                                                                                                            Capitalism is killing us in a very literal sense by destroying our habitat at an ever accelerating rate

                                                                                                                                                                            Which alternatives would make people happier to consume less – drive older cars, wear rattier clothing, and demand fewer exotic vacations? Because, really, that’s the solution to excessive use of the environment: Be happier with less.

                                                                                                                                                                            Unfortunately, greed has been a constant of human nature far too long for capitalism to take the blame there.

                                                                                                                                                                            1. 9

                                                                                                                                                                              Which alternatives would make people happier to consume less – drive older cars, wear rattier clothing, and demand fewer exotic vacations?

                                                                                                                                                                              Why do people want new cars, the latest fashions, and exotic vacations in the first place? If it’s all about status and bragging rights, then it’s going to take a massive cultural shift that goes against at least two generations’ worth of cultural programming by advertisers on the behalf of the auto, fashion and travel industries.

                                                                                                                                                                              I don’t think consumerism kicked into high gear until after the end of World War II when modern advertising and television became ubiquitous, so perhaps the answer is to paraphrase Shakespeare:

                                                                                                                                                                              The first thing we do, let’s kill all the advertisers.

                                                                                                                                                                              OK, maybe killing them (or encouraging them to off themselves in the tradition of Bill Hicks) is overkill. Regardless, we should consider the possibility that advertising is nothing but private sector psyops on behalf of corporations, and should not be protected as “free speech”.

                                                                                                                                                                              1. 2

                                                                                                                                                                                If there was an advertising exception for free speech, people would use it as an unprincipled excuse to ban whatever speech they didn’t like, by convincing the authorities to classify it as a type of advertising. After all, most unpopular speech is trying to convince someone of something, right? That’s what advertising fundamentally is, right?

                                                                                                                                                                                Remember that the thing that Oliver Wendell Holmes called “falsely shouting fire in a crowded theater” wasn’t actually shouting “fire” in an actual crowded theater - it was a metaphor he used to describe protesting the military draft.

                                                                                                                                                                                1. 9

                                                                                                                                                                                  I agree: there shouldn’t be an advertising exception on free speech. However, the First Amendment should only apply to homo sapiens or to organisms we might eventually recognize as sufficiently human to possess human rights. Corporations are not people, and should not have rights.

                                                                                                                                                                                  They might have certain powers defined by law, but “freedom of speech” shouldn’t be one of them.

                                                                                                                                                                              2. 3

                                                                                                                                                                                IMO, Hedonistic adaptation is a problem and getting worse. I try to actively fight against it.

                                                                                                                                                                                1. 2

                                                                                                                                                                                  It would be a start if we designed cities with walking and public transportation in mind, not cars.

                                                                                                                                                                                  My neighborhood is old and walkable. I do shopping on foot (I have a bicycle but don’t bother with it). For school/work, take a single bus and a few minutes walking. Getting a car would be a hassle, I don’t have a place to park it, and I’d have to pay large annual fees for rare use.

                                                                                                                                                                                  Newer neighborhoods appear to be planned with the idea that you’ll need a car for every single task. “Residential part” with no shops at all, but lots of room for parking. A large grocery store with a parking lot. Even train stations with a large parking lot, but no safe path for pedestrians/cyclists from the nearby neighborhoods.

                                                                                                                                                                                2. 4

                                                                                                                                                                                  The new features on phones are so fucking stupid as well. People are buying new phones to get animated emojis and more round corners. It’s made much worse with phone OEMs actively making old phones work worse by slowing them down.

                                                                                                                                                                                  1. 7

                                                                                                                                                                                    There has been no evidence to my knowledge that anyone is slowing old phones down. This continues to be an unfounded rumor

                                                                                                                                                                                    1. 2

                                                                                                                                                                                      There’s also several Lobsters that have said Android smartphones get slower over time at a much greater rate than iPhones. I know my Galaxy S4 did. This might be hardware, software bloat, or whatever. There’s phones it’s happening on and those it isn’t in a market where users definitely don’t want their phones slowing down. So, my theory on Android side is it’s a problem they’re ignoring on purpose or even contributing to due to incentives. They could be investing money into making the platform much more efficient across devices, removing bloat, etc. They ain’t gonna do that.

                                                                                                                                                                                      1. 3

                                                                                                                                                                                        Android smartphones get slower over time at a much greater rate than iPhones.

                                                                                                                                                                                        In my experience, this tends to be 3rd party apps that start at boot and run all the time. Factory reset fixes it. Android system updates also make phones faster most of the time.

                                                                                                                                                                                        1. 1

                                                                                                                                                                                          Hmm. I’ll try it since I just backed everything up.

                                                                                                                                                                                          1. 3

                                                                                                                                                                                            I’m still using a Nexus 6 I got ~2.5 years ago. I keep my phone pretty light. No Facebook or games. Yet, my phone was getting very laggy. I wiped the cache (Settings -> Storage -> Cached data) and that seemed to help a bit, but overall, my phone was still laggy. It seemed to get really bad in my text messaging app (I use whatever the stock version is). I realized that I had amassed a lot of text messages over the years, which includes quite a lot of gifs. I decided to wipe my messages. I did that by installing “SMS Backup & Restore” and telling it to delete all of my text messages, since apparently the stock app doesn’t have a way to do this in bulk. It took at least an hour for the deletion to complete. Once it was done, my phone feels almost as good as new, which makes me really happy, because I really was not looking forward to shelling out $1K for a Pixel.

                                                                                                                                                                                            My working theory is that there is some sub-optimal strategy in how text messages are cached. Since I switch in and out of the text messaging app very frequently, it wouldn’t surprise me if I was somehow frequently evicting things from memory and causing disk reads, which would explain why the lag impacted my entire phone and not just text messages. But, this is just speculation. And a factory reset would have accomplished the same thing (I think?), so it’s consistent with the “factory reset fixes things” theory too.

                                                                                                                                                                                            My wife is still on a Nexus 5 (great phone) and she has a similar usage pattern as me. Our plan is to delete her text messages too and see if that helps things.

                                                                                                                                                                                            Anyway… I realize this basically boils down to folk remedies at this point, but I’m just going through this process now, so it’s top of mind and figured I’d share.

                                                                                                                                                                                            1. 2

                                                                                                                                                                              I’ll be damned. I backed up and wiped the SMS, nothing else. The phone seems like it’s moving a lot snappier. Literally a second or two of delay off some things. Some things are still slow but maybe the app just is. YouTube always has long loading time. The individual videos load faster now, though.

                                                                                                                                                                                              Folk remedy is working. Appreciate the tip! :)

                                                                                                                                                                                              1. 2

                                                                                                                                                                                                w00t! Also, it’s worth mentioning that I was experiencing much worse delay than a second or two. Google Nav would sometimes lock up for many seconds.

                                                                                                                                                                                                1. 1

                                                                                                                                                                                  Maps seems OK. I probably should’ve been straight-up timing this stuff for better quality of evidence. Regardless, it’s moving a lot faster. Yours did, too. Two strong anecdotes so far on top of factory reset. Far as we know, even their speed gains might have come mostly from the SMS clearing that the reset did. Or other stuff.

                                                                                                                                                                                                  So, I think I’m going to use it as is for a week or two to assess this change plus get a feel for a new baseline. Then, I’ll factory reset it, reinstall some apps from scratch, and see if that makes a difference.

                                                                                                                                                                                                  1. 2

                                                                                                                                                                                                    Awesome. Please report back. :-)

                                                                                                                                                                                                    1. 2

                                                                                                                                                                                                      I’ll try to remember to. I’m just still stunned it wasn’t 20 Chrome tabs or all the PDF’s I download during the day. Instead, text messages I wasn’t even using. Of all things that could drag a whole platform down…

                                                                                                                                                                                                      1. 2

                                                                                                                                                                                                        SMS is stored on the SIM card, right? That’s probably not got ideal I/O characteristics…

                                                                                                                                                                                                        1. 1

                                                                                                                                                                                                          I thought the contacts were but messages were on phone. I’m not sure. The contacts being on there could have an effect. I’d have hoped they cached a copy of SIM contents onto in-phone memory. Yeah, SIM access could be involved.

                                                                                                                                                                                              2. 2

                                                                                                                                                                                                Now, that’s fascinating. I don’t go in and out of text a lot but do have a lot of text messages. Many have GIFs. There’s also at least two other apps that accumulate a lot of stuff. I might try wiping them. Btw, folk remedies feel kind of justified when we’re facing a complex, black-box system with nothing else to go on. ;)

                                                                                                                                                                                        2. 2

                                                                                                                                                                                          Official from apple: https://www.apple.com/au/iphone-battery-and-performance/

                                                                                                                                                                                          They slow phones with older batteries but don’t show the user any indication that it can be fixed very cheaply by replacing the battery (until after the recent outrage), and many of them will just buy a new phone and see it’s much faster.

                                                                                                                                                                                          1. 12

                                                                                                                                                                                            Wow, so much to unpack here.

                                                                                                                                                                                            You said they slow old phones down. That is patently false. New versions of iOS are not made to run slowly on older model hardware.

                                                                                                                                                                                            Apple did not slow phones down with old batteries. They throttled the CPU of phones with failing batteries (even brand new ones!) to prevent the phone from crashing due to voltage drops. This ensured the phone was still functional even if you needed your phone in an emergency. Yes it was stupid there was no notification to the user. This is no longer relevant because they now provide notifications to the user. This behavior existed for a short period of time in the lifespan of the iPhone: less than 90 days between introduction of release with throttling and release with controls to disable and notifications to users.

                                                                                                                                                                                            Please take your fake outrage somewhere else.

                                                                                                                                                                                            1. 5

                                                                                                                                                                                              Apple did not slow phones down with old batteries. They throttled the CPU of phones with failing batteries (even brand new ones!) to prevent the phone from crashing due to voltage drops.

                                                                                                                                                                                              In theory this affects new phones as well, but we know that as batteries grow older, they break down, hold less charge, and have a harder time achieving their design voltage. So in practice, this safety mechanism for the most part slows down older phones.

                                                                                                                                                                                              You claim @user545 is unfairly representing the facts by making Apple look like this is some evil ploy to increase turnover for their mobile phones.

                                                                                                                                                                                              However, given the fact that in reality this does mostly make older phones seem slower, and the fact that they put this in without ever telling anyone outside Apple and not allowing the user to check their battery health and how it affected the performance of their device, I feel like it requires a lot more effort not to make it look like an intentional decision on their part.

                                                                                                                                                                                              1. 2

                                                                                                                                                                                                Sure, but if you have an old phone with OK batteries, then their code did not slow it down. So I think it is still more correct to say they slowed down those with bad batteries than those that were old, even if most of those with bad batteries were also old, which really depended on the phone’s use.

                                                                                                                                                                                                The difference is not just academic. For example, I have “inherited” an iPhone 6 from my wife that still has a good battery after more than 2 years and performs fine.

                                                                                                                                                                                                1. 2

                                                                                                                                                                                                  the fact that they put this in without ever telling anyone outside Apple

                                                                                                                                                                                                  It was in the release notes of that iOS release…

                                                                                                                                                                                                  edit: additionally it was known during the beta period in December. This wasn’t a surprise.

                                                                                                                                                                                                  1. 1

                                                                                                                                                                                                    Again, untrue. The 11.2 release notes make no mention of batteries, throttling, or power management. (This was the release where Apple extended the throttling to the 7 series of phones.) The 10.2.1 release notes, in their entirety, read thus:

                                                                                                                                                                                                    iOS 10.2.1 includes bug fixes and improves the security of your iPhone or iPad. It also improves power management during peak workloads to avoid unexpected shutdowns on iPhone.

                                                                                                                                                                                                    That does not tell a reader that long-term CPU throttling is taking place, that it’s restricted to older-model iPhones only, that it’s based on battery health and fixable with a new battery (not a new phone), etc. It provides no useful or actionable information whatsoever. It’s opaque and frankly deceptive.

                                                                                                                                                                                                    1. 0

                                                                                                                                                                                                      You’re right, because I was mistaken and the change was added in iOS 10.2.1, 1/23/2017

                                                                                                                                                                                                      https://support.apple.com/kb/DL1893?locale=en_US

                                                                                                                                                                                                      It also improves power management during peak workloads to avoid unexpected shutdowns on iPhone.

                                                                                                                                                                                                      A user on the day of release:

                                                                                                                                                                                                      Hopefully it fixes the random battery shutoff bug.

                                                                                                                                                                                                      src: https://forums.macrumors.com/threads/apple-releases-ios-10-2-1-with-bug-fixes-and-security-improvements.2028992/page-2#post-24225066

                                                                                                                                                                                                      additionally in a press release:

                                                                                                                                                                                                      In February 2017, we updated our iOS 10.2.1 Read Me notes to let customers know the update ‘improves power management during peak workloads to avoid unexpected shutdowns.’ We also provided a statement to several press outlets and said that we were seeing positive results from the software update.

                                                                                                                                                                                                      Please stop trolling. It was absent from the release notes for a short period of time. It was fixing a known issue affecting users. Go away.

                                                                                                                                                                                                      1. 4

                                                                                                                                                                                                        Did you even read the comment you are responding to? I quoted the 10.2.1 release notes in full–the updated version–and linked them too. Your response is abusive and in bad faith, your accusations of trolling specious.

                                                                                                                                                                                                        1. [Comment removed by moderator pushcx: We've never had cause to write a rule about doxxing, but pulling someone's personal info into a discussion like this to discredit them is inappropriate.]

                                                                                                                                                                                                          1. 2

                                                                                                                                                                                                            I don’t hate Apple. I’m not going to sell my phone because I like it. The battery is even still in good shape! I wish they’d been a little more honest about their CPU throttling. I don’t know why this provokes such rage from you. Did you go through all my old comments to try to figure out what kind of phone I have? Little creepy.

                                                                                                                                                                                                            1. 2

                                                                                                                                                                                                              I’m not angry about anything here. It’s just silly that such false claims continue to be thrown around about old phones intentionally being throttled to sell new phones. Apple hasn’t done that. Maybe someone else has.

                                                                                                                                                                                                              edit: it took about 30 seconds to follow your profile link to your website -> to Flickr -> to snag image metadata and see what phone you own.

                                                                                                                                                                                                2. -3

                                                                                                                                                                                                  They throttled the CPU of phones with failing batteries (even brand new ones!)

                                                                                                                                                                                                  This is untrue. They specifically singled out only older-model phones for this treatment. From the Apple link:

                                                                                                                                                                                                  About a year ago in iOS 10.2.1, we delivered a software update that improves power management during peak workloads to avoid unexpected shutdowns on iPhone 6, iPhone 6 Plus, iPhone 6s, iPhone 6s Plus and iPhone SE. [snip] We recently extended the same support to iPhone 7 and iPhone 7 Plus in iOS 11.2.

                                                                                                                                                                                                  In other words, if you buy an iPhone 8 or X, no matter what condition the battery is in, Apple will not throttle the CPU. (In harsh environments–for example, with lots of exposure to cold temperatures–it’s very plausible that an 8 or X purchased new might by now have a degraded battery.)

                                                                                                                                                                                                  1. 2

                                                                                                                                                                                                    You are making a claim without any data to back it up.

                                                                                                                                                                                                    Can you prove that the batteries in the new iPhones suffer voltage drops when they are degraded? If they use a different design with more/smaller cells then AIUI they would be significantly less likely to have voltage drops when overall capacity is degraded.

                                                                                                                                                                                                    But no, instead you continue to troll because you have a grudge against Apple. Take your crap elsewhere. It’s not welcome here.

                                                                                                                                                                                                    1. 3

                                                                                                                                                                                                      You’re moving the goalposts. You claimed Apple is throttling the CPU of brand new phones. You were shown this to be incorrect, and have not brought any new info to the table. Your claim that the newer phones might be designed so as to not require throttling is irrelevant.

                                                                                                                                                                                                      Please don’t accuse (multiple) people of trolling. It reflects poorly on yourself. All are welcome here.

                                                                                                                                                                                                      1. 3

                                                                                                                                                                                                        You can buy a brand new phone directly from Apple (iPhone 6S) with a faulty battery and experience the throttling. I had this happen.

                                                                                                                                                                                              2. 1

                                                                                                                                                                                                Google services update in the background even when other updates are disabled. Even if services updates are not intended to slow down the phone, they still do.

                                                                                                                                                                                              3. 3

                                                                                                                                                                                                The new features on phones are so fucking stupid as well.

                                                                                                                                                                                                I think the consumer who pays for it is stupid.

                                                                                                                                                                                                1. 3

                                                                                                                                                                                                  It’s both. The user wants something new every year and OEMs don’t have anything worthwhile each year so they change things for the sake of change like adding rounded corners on the LCD or cutting a chunk out of the top. It makes it seem like something is new and worth buying when not much worthwhile has actually changed.

                                                                                                                                                                                                  1. 4

                                                                                                                                                                                                    I think companies would always take the path of least resistance that works. If consumers didn’t fall for such stupid tricks the companies that did them would die off.

                                                                                                                                                                                              4. 2

                                                                                                                                                                                                Yep. I guess humanity’s biggest achievement will be to terraform itself out of existence.

                                                                                                                                                                                                This planet neither bargains nor cares about this civilization’s decision-making processes. It will keep flying around the sun for a while, with or without humans on it.

                                                                                                                                                                                                I’m amazed by the optimism people display in response to pointing out that the current trajectory of climate change makes it highly unlikely that our great-grandchildren will ever be born.

                                                                                                                                                                                                1. 2

                                                                                                                                                                                                  The list is endless, and it all comes down to the American ethos that making money is a sacred right that trumps all other concerns.

                                                                                                                                                                                                  s/American/human

                                                                                                                                                                                                  You can’t fix a problem if you misunderstand what causes it.

                                                                                                                                                                                                  1. 5

                                                                                                                                                                                                    Ideology matters, and America has been aggressively promoting toxic capitalist ideology for many decades around the world. Humans aren’t perfect, but we can recognize our problems and create systems around us to help mitigate them. Capitalism is the equivalent of giving a flamethrower to a pyromaniac.

                                                                                                                                                                                                    1. 3

                                                                                                                                                                                                      If you want to hash out how “toxic capitalism” is ruining everything, that’s fine–I’m just observing that many other countries (China, Germany, India, Mozambique, Russia, etc.) have done things that, to me at least, dispel the notion of toxic capitalism as purely being American in origin.

                                                                                                                                                                                                      And to avoid accusations of whataboutism, the reason I point those other countries out is that if a solution is put forth assuming that America is the problem–and hence itself probably grounded in approaches unique to an American context–it probably will not be workable in other places.

                                                                                                                                                                                                      1. 2

                                                                                                                                                                                                        Nobody is saying that capitalism alone is the problem or that it’s unique to America. I was saying that capitalism is clearly responsible for a lot of harm, and that America promotes it aggressively.

                                                                                                                                                                                                        1. 0

                                                                                                                                                                                                          Don’t backpedal. You wrote:

                                                                                                                                                                                                          The list is endless, and it all comes down to the American ethos that making money is a sacred right that trumps all other concerns.

                                                                                                                                                                                                          As to whether or not capitalism is clearly responsible for a lot of harm, it’s worth considering what the alternatives have accomplished.

                                                                                                                                                                                                          1. 0

                                                                                                                                                                                                            Nobody is backpedaling here, and pointing at other failed systems saying they did terrible things too isn’t much of an argument.

                                                                                                                                                                                                1. 4

                                                                                                                                                                                                  He left out the verse that says he is the authoritarian leader of all things GNU I guess? A bit misleading…

                                                                                                                                                                                                  Join us now and share the software;
                                                                                                                                                                                                  You'll be free, hackers, you'll be free.
                                                                                                                                                                                                  Join us now and share the software;
                                                                                                                                                                                                  You'll be free, hackers, you'll be free.
                                                                                                                                                                                                  
                                                                                                                                                                                                  Hoarders can get piles of money,
                                                                                                                                                                                                  That is true, hackers, that is true.
                                                                                                                                                                                                  But they cannot help their neighbors;
                                                                                                                                                                                                  That's not good, hackers, that's not good.
                                                                                                                                                                                                  
                                                                                                                                                                                                  When we have enough free software
                                                                                                                                                                                                  At our call, hackers, at our call,
                                                                                                                                                                                                  We'll kick out those dirty licenses
                                                                                                                                                                                                  Ever more, hackers, ever more.
                                                                                                                                                                                                  
                                                                                                                                                                                                  Join us now and share the software;
                                                                                                                                                                                                  You'll be free, hackers, you'll be free.
                                                                                                                                                                                                  Join us now and share the software;
                                                                                                                                                                                                  You'll be free, hackers, you'll be free.