1. 4

    I’m happy to see FTP die. But aren’t some websites still providing download links over FTP? I think it was just a year ago when I noticed I was downloading an ISO file from an FTP server.

    1. 9

      There’s nothing wrong with downloading an ISO from an FTP server. You can verify the integrity of a download (as you should) independently of the mechanism (as many package managers do).
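      The transport-independent check described in this comment, as an added example (not code from the original thread): verify a downloaded file against a `sha256sum`-style `SHA256SUMS` list. The file contents and the checksum list are constructed inline for the demonstration; the caveat a practitioner would add is that the checksum list itself must come over a channel the attacker cannot also tamper with (an HTTPS page, or a detached signature), otherwise whoever replaces the ISO simply replaces the sums too.

```python
"""Verify a downloaded file against a SHA256SUMS list, independent of transport.

Added example, not from the original thread. The list format parsed here is
the one GNU coreutils `sha256sum` emits: `<hex digest>  <filename>`, with an
optional leading `*` on the filename for binary mode. The sample "ISO" bytes
and the sums list are constructed in demo() for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB ISO never sits in memory


def parse_sums(text):
    """Parse sha256sum-style lines into {filename: lowercase hex digest}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError("malformed checksum line: %r" % raw)
        int(digest, 16)  # raises ValueError if the digest is not hex
        entries[name.lstrip("*")] = digest.lower()  # '*' = binary mode marker
    return entries


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, sums):
    """True iff the file's digest matches the list entry for its basename.

    A missing entry is a failure, not a pass: an attacker who can serve a
    modified file can also serve a list that simply omits it.
    """
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    """Constructed scenario: the genuine download passes, a one-byte edit fails."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "distro.iso")
        with open(iso, "wb") as f:
            f.write(b"ISO9660 sample payload " * 1000)  # constructed content
        sums = parse_sums("%s  distro.iso\n" % sha256_file(iso))
        genuine_ok = verify(iso, sums)
        # Flip one byte, as an on-path attacker could on plain FTP or HTTP.
        with open(iso, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        tampered_ok = verify(iso, sums)
        return genuine_ok, tampered_ok


if __name__ == "__main__":
    print("genuine verified: %s, tampered verified: %s" % demo())
```

      The comparison uses `hmac.compare_digest` out of habit rather than necessity (the digest is public), and the demo deliberately treats "no entry for this filename" as a failure, which is the mistake most hand-rolled verification scripts make.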

      1. 4

        I agree! The same goes for downloading files from plain HTTP, as long as you verify the download you know the file is okay.

        The reason I don’t like FTP has to do with the mode of operation; port 21 as control channel and then a high port for actual data transfer. Also the fact that there is no standard for directory listings (I think DOS-style listings are the most common?).
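        The mode of operation complained about above, as an added example (not from the original thread): the data-channel endpoint is announced inside the control channel, so a client, and likewise any stateful firewall or NAT helper that wants to admit the data connection, has to parse the `227` (PASV, RFC 959) or `229` (EPSV, RFC 2428) reply to learn the dynamic high port. The sample replies and addresses are constructed; the recommendation to ignore the advertised address and reuse the control connection's peer is what `curl --ftp-skip-pasv-ip` does.

```python
"""Derive the FTP data-channel endpoint from the control-channel replies.

Added example, not from the original thread. Sample replies and addresses
below are constructed for the demonstration.
"""
import re

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")
# RFC 2428 EPSV reply: "229 ... (|||port|)", only the port is carried
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(reply, control_peer):
    """Return (host_to_dial, port, advertised_host) for the data connection.

    host_to_dial is always the control connection's peer: servers behind NAT
    routinely advertise their private address in PASV, and a hostile server
    could otherwise point the client at an unrelated host and port.
    """
    m = PASV_RE.match(reply)
    if m:
        nums = [int(x) for x in m.group(1).split(",")]
        if any(n > 255 for n in nums):
            raise ValueError("PASV field out of range: %r" % reply)
        advertised = ".".join(str(n) for n in nums[:4])
        return control_peer, nums[4] * 256 + nums[5], advertised
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError("EPSV port out of range: %r" % reply)
        return control_peer, port, None
    raise ValueError("not a passive-mode reply: %r" % reply)


def encode_port_command(host, port):
    """Active mode: the PORT command the client sends so the *server* dials back.

    This is the direction NAT breaks outright: the client's private address
    and an unsolicited inbound connection, unless a NAT helper rewrites it.
    """
    octets = host.split(".")
    if len(octets) != 4 or not 1 <= port <= 65535:
        raise ValueError("bad endpoint %s:%d" % (host, port))
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def firewall_pinhole(reply, control_peer):
    """The (dst, dport) a stateful firewall must open after seeing this reply.

    This is the parse an FTP ALG / conntrack helper performs; a plain
    'allow established' rule cannot admit the data connection by itself.
    """
    host, port, _ = parse_passive_reply(reply, control_peer)
    return host, port


if __name__ == "__main__":
    r = "227 Entering Passive Mode (192,168,1,10,195,149)."
    print(parse_passive_reply(r, "203.0.113.5"))
    print(encode_port_command("10.0.0.7", 60001))
```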

        1. 2

          The reason there’s no standard for directory listings is possibly more to do with the lack of convention on filesystem representation as it took off. Not everything uses the same delimiter, and not everything with a filesystem has files behind it (e.g. Z-Series).

          I absolutely think that in the modern world we should use modern tools, but FTP’s a lot like ed(1): it’s on everything and works pretty much anywhere as a fallback.

          1. 1

            If you compare FTP to ed(1), I’d compare HTTP and SSH to vi(1). Those are also available virtually anywhere.

            1. 1

              According to a tweet by Steven D. Brewer, it seems that at least modern Ubuntu rescue disks only ship nano, but not ed(1) or vi(1)/vim(1).

              1. 1

                Rescue disks are a special case. Space is a premium.

                My VPS running some Ubuntu version does return output from man ed. (I’m not foolish enough to try to run ed itself, I quite like having a usable terminal).

          2. 1

            Yes, FTP is a vestige of a time when there was no NAT. It was good until the 90s and has been terrible ever since.

          3.  

            Most people downloading files over FTP using Chrome don’t even know what a hash is, let alone how to verify one.

            1.  

              There is everything wrong with downloading an ISO over FTP.

              Yeah, you can verify the integrity independently. But it goes against all security best practice to expect that users will do something extra to get security.

              Security should happen automatically whenever possible. Not saying that HTTPS is the perfect way to guarantee secure downloads. But at the very least a) it works without requiring the user to do anything special and b) it protects against trivial man in the middle attacks.

            2. 7

              You got it backwards.

              Yeah, some sites still offer FTP downloads, even for software, aka code that you’re gonna execute. So it’s a good thing to create some pressure so they change to a more secure download method.

              1. 8

                Secure against what? Let’s consider the possibilities.

                Compromised server. Transport protocol security is irrelevant in that case. Most (all?) known compromised download incidents are of this type.

                Domain hijacking. In that case nothing prevents attacker from also generating a cert that matches the domain, the user would have to verify the cert visually and know what the correct cert is supposed to be—in practice that attack is undetectable.

                MitM attack that directs you to a wrong server. If it’s possible in your network or you are using a malicious ISP, you are already in trouble.

                I would rather see Chrome stop sending your requests to Google if it thinks it’s not a real hostname. Immense effort required to support FTP drains all their resources and keeps them from making this simple improvement I guess.

                1.  

                  MitM attack that directs you to a wrong server. If it’s possible in your network or you are using a malicious ISP, you are already in trouble.

                  How so? (Assuming you mostly use services that have basic security, aka HTTPS.)

                  What you call “malicious ISP” can also be called “open wifi” and it’s a very common way for people to get online.

                  1.  

                    The ISP must be sufficiently malicious to know exactly what you are going to download and set up a fake server with modified but plausibly looking versions of the files you want. An attacker with a laptop in an open wifi network doesn’t have resources to do that.

                    Package managers already have signature verification built-in, so the attack is limited to manual downloads. Even with resources to set up fake servers for a wide range of projects, one can wait a long time for the attack to succeed.

            1. 1

              Patch notes say “TLS 1.0-1.2”.

              Any particular reason for the omission of TLS-1.3?
              Also, I thought TLS-1.0 was considered pretty insecure[1] at this point?

              [1]: from: wikipedia TLS_1.0

              The PCI Council suggested that organizations migrate from TLS 1.0 to TLS 1.1 or higher before June 30, 2018.[20][21] In October 2018, Apple, Google, Microsoft, and Mozilla jointly announced they would deprecate TLS 1.0 and 1.1 in March 2020.

              1. 2

                I don’t think Netflix is focusing on TLS 1.3 because it’s not widely implemented yet. And 1.0 is fallback for older devices. Netflix doesn’t really care so much if someone does a MITM of your movie.

                Edit: I’m sure there are smart TVs with the Netflix app that can’t go newer than TLS 1.0 and Netflix is contractually obligated to keep it functioning for now

                1. 2

                  In which way do you think TLS 1.3 is not widely implemented? According to [1] it’s supported by all mainstream browsers in the latest version.

                  Things have changed in this regard. For the majority of users these days it’s normal to have a browser that will update itself automatically on a regular basis. I’m pretty sure major sites already see >50% TLS 1.3 traffic.

                  Consider this is a performance feature. Which means a) you don’t need 100%, if you support it for 80% you’re already doing pretty fine and b) it seems strange to want the performance of in-kernel TLS and skip the performance benefits of TLS 1.3.

                  [1] https://caniuse.com/#feat=tls1-3

                  1. 4

                    You’re thinking browsers and I’m thinking devices:

                    AppleTV/iOS - not yet

                    Roku - not yet

                    Etc

                    And who watches Netflix in their browser? In all the years I’ve been a customer I don’t think I’ve ever watched in my browser :)

                    1. 1

                      I occasionally watch Netflix in Firefox on Linux. Not happy about the DRM aspect of it all, but…

                  2. 1

                    Ah right, forgot this is a Netflix thing. That makes sense that they would want to support TLS 1.0 for a while yet.
                    Still seems weird to import a possible footgun (TLS-1.0) that will have to be maintained for 5 years (minimum release support guarantee under the new support model?).

                    1. 2

                      Still seems weird to import a possible footgun (TLS-1.0) that will have to be maintained for 5 years (minimum release support guarantee under the new support model?).

                      Like linux, the key negotiation is still done in userland, it’s just the encryption of packets that is being moved to kernel space and closer to the network driver. I wouldn’t exactly call TLS 1.0 a footgun in that regard.

                1. 49

                  One thing I think is useful:

                  It doesn’t matter what you were paid at your previous gig, and don’t answer if they ask.

                  “Since this is a different engagement, with different technical and team needs, my previous compensation is not a useful datapoint.”

                  1. 14

                    “My current compensation is part of the reason why I am looking into other opportunities”

                    1. 12

                      I would avoid saying this. It provides signal that your current pay is low and will lead to a lowball offer, which is the opposite of its intention.

                      1. 1

                        Last week we had to get rid of a bunch of no-demand electronic components, so we sent the spreadsheet (with purchase prices removed) to one of the scavenger companies. First thing they asked was, what did we pay for them originally?

                        Seriously, this is a super common tactic in purchasing, and you are a resource being purchased. They are minimizing the cost. No polite retort here would make your negotiation position worse vs revealing the figures.

                      2. 3

                        “My current compensation is part of the reason why I am looking into other opportunities”

                        Respectfully, I see this as an anti-pattern. Here are things potential employers might well read between the lines of this statement:

                        “I only value money and don’t care about the work”

                        “I’m a self important primadonna”

                        “I’m not loyal and will cut and run if things are not precisely to my liking.”

                        I recognize that your statement doesn’t ACTUALLY say any of these things.

                        1. 1

                          Fair points I guess… but consider that asking your current salary is an attempt to gain negotiating leverage on you using power imbalance. You know it and the interviewer knows it, there is absolutely no other reason for asking it. And I mean it’s not something you blurted out of the blue, the comp was the question they brought up in the first place. Only so many ways for a polite retort, and none of them is 100% safe if someone insists on reading between the lines deep enough.

                          1. 1

                            Oh totally it’s a CRAPPY thing for a potential employer to do and should be a red flag to anyone looking, I’m just suggesting that explicitly saying that crappy salary is why you’re leaving your current gig, in my opinion, weakens your position.

                            YMMV.

                      3. 6

                        Also, in some places it’s not legal for them to ask (though they can still ask what salary range you want).

                        1. 4

                          It doesn’t matter what you were paid at your previous gig

                          Strong agree

                          don’t answer if they ask.

                          Or do answer, with a number that sets an expectation for future negotiations. Depends how you feel about lying.

                          1. 3

                            It can be dodgy to lie since that can be discovered, but “It would take $X to get me to leave” is probably always better than a lie and gives you a lot more flexibility…

                            1. 2

                              Or do answer, with a number that sets an expectation for future negotiations. Depends how you feel about lying.

                              Problem with that one is that a new employer sees your old income on your P60 (in the UK at least), with lying during an interview being grounds for dismissal.

                              That being said past wage shouldn’t matter to a new employer unless they are trying to lowball a potential hire. On principle I never ask during interviews I host and have in the past hired people on nearly double what they came from; usually wages are negotiated by an intermediary such as a recruiter.

                              1. 5

                                Your wage is not technically secret information in the US, but if you don’t share it yourself, there’s no plausible mechanism for a new employer to find out. Your previous employer almost certainly won’t share it, and if they do, you’ll have cause to be very upset with them. (A functional, professional HR department will confirm dates of employment and possibly job title, and nothing else.)

                                That said, I’m definitely more comfortable redirecting or answering “how much are you currently making” with “I’m looking to make $X” than lying outright.

                                1. 1

                                  Problem with that one is that a new employer sees your old income on your P60 (in the UK at least), with lying during an interview being grounds for dismissal.

                                  So why dodge the question if employers have access to this information? I don’t know about the United States if companies also have this information.

                            2. 3

                              It doesn’t matter what you were paid at your previous gig, and don’t answer if they ask.

                              What if it’s required?

                              1. 9

                                Walk, if you can. There are fewer gestures more powerful than walking away for something that an HR person would believe is so small in order to convey how serious it actually is and how serious you are about your financial privacy.

                                When it’s been required for me for a job I was earnestly interested in seeking, I told them to put down “something absurd so we get past this hurdle” and when pressed for a real answer, I would say “one dollar” or “ten million dollars” to make it look like a typo on their part.

                                Also, I’d remind them that asking current salary is illegal in several states and there’s a bill in almost every state legislature now that would outlaw it.

                                1. 1

                                  For entry level folks at big big tech co’s, they’ll let them walk away, and offer to pay them much less if they don’t make up counter offer numbers.

                                  So to me the answer is obvious, and representative salary numbers aren’t hard to find these days.

                                  1. 2

                                    Entry level is a whole different game. You have essentially zero leverage at that point. Given that nearly half of job offers are at or near entry-level, I feel like these posts really should distinguish between the kinds of advice given.

                                2. 2

                                  Tell them you have an NDA

                              1. 1

                                Ask for what you think you’re worth (you’re probably worth it). And pad it. Then when it’s negotiated down, you still get what you wanted.

                                1. 2

                                  …Correct me if I’m wrong, but don’t nearly all of these attacks also exist in roughly-equivalent form against TCP, where they’re well-known and have been protected against for a very long time? Certainly window manipulation is a known technique to cause TCP connection exhaustion.

                                  This has shades of SystemD reimplementing Kaminsky’s DNS cache poisoning bug six years after it made headlines and was fixed everywhere else.

                                  1. 2

                                    we knew this was going to happen but nobody listened because the performance was too sexy

                                    1. 1

                                      Yes.

                                    1. 2

                                      Oh good, maybe FreeBSD will end up using this too

                                      1. 9

                                        Can someone explain why this email is an incredible internet wide sensation?

                                        1. 16

                                          Personally, I’ve been annoyed by this behaviour for years and just assumed I’d done something wrong. Finding out that it’s a widely-known problem, and that it’s not my fault, was tremendously validating.

                                          1. 6

                                            In my experience if you have used Solaris or a BSD professionally you’ll quickly observe this when you are forced to run Linux in production. The memory management of Linux is just awful.

                                          2. 4

                                            My guess is because at the surface level it is easy to understand the problem and people feel like it is a ‘gotcha’ on a successful project, which is entertaining I guess.

                                            1. 4

                                              The discussion on this on the orange website is terrible. The issue in the email is on systems with no swap that the kernel may thrash when forced into paging clean pages of code in and out in order to function. 90% of the discussion on the other site is about how terrible swapping is.

                                            2. 1

                                              People tend to like performance improvements and this email may lead to better performance in some edge cases

                                            1. 3

                                              Correct me if I’m wrong, but couldn’t this be an amazing thing? If the Supreme Court agrees with the previous judgement that the ADA applies to websites, wouldn’t that mean it’s essentially set in stone that websites have to have some degree of machine readability and decent contrast and such?

                                              1. 2

                                                 It would also set in stone more government regulation on the internet and its contents, and set further precedent for applying concepts made for the physical world onto the digital world.

                                                1. 7

                                                  In a world where more and more interactions with “utilities” such as banks, government agencies, grocery stores etc. are online, a baseline of functionality is desirable.

                                                  I’m inclined to hope that basic market competition and PR would enforce this functionality, but I’m sure that there are beancounters that decide that skipping accessibility is a cost worth paying.

                                                  Edit I was not aware that Domino’s is available in my city, but it is. As the partner of a blind person I’ll do my best to ensure we never buy anything from them in the future.

                                                  1. 6

                                                    Setting in stone pro-consumer regulation and set precedent for applying pro-consumer concepts made for the physical world onto the digital world doesn’t sound like the worst thing ever.

                                                    1. -1

                                                      There are far more regulations, many anti-consumer, the government will have precedent to apply. When you give government an inch, they take far more than a mile.

                                                      1. 5

                                                        I mean, that might be true in the US, I don’t know. You guys seem to have a pretty fucked up system of government. However, in Norway, and in the EU, I feel like the various governmental bodies are actually doing things to protect consumers from bad business practices, and those regulations seem to be largely a good thing.

                                                        1. 1

                                                          It is a shame that most technologists here aren’t at least pausing to think about the implications of what you’re saying. For example, the regulations might exclude teenagers from creating websites at all.

                                                          The solution might be to make an app designed for people with specific disabilities – an app which can use other apps. This is difficult on iOS, but doable on android.

                                                          1. 3

                                                            For example, the regulations might exclude teenagers from creating websites at all.

                                                            Making (minimally) accessible websites is trivially easy. I betcha the typical site a teenager would make would be good enough for the blind too.

                                                            But regardless, a teenager could argue that it isn’t a public accommodation too; it is just a personal toy instead.

                                                            1. 2

                                                              It might be a small website advertising baby sitting. Or grass cutting. Or some other public accommodation. With a picture of little Johnny or Susie smiling at the top. But oops. No alt text. That’ll be $5000 please.

                                                      2. 2

                                                        Not really. It’s case-law, not additional regulation: It would just be clarifying an existing regulation that Domino’s clearly should have been following in the first place.

                                                        1. 1

                                                          Isn’t the counter argument that the ADA has no jurisdiction over websites and mobile apps? I don’t think this could be a simple case law situation with that large of a leap.

                                                          1. 2

                                                            Why wouldn’t it? The ADA isn’t restricted to physical infrastructure, even though it does call out a number of specific requirements around transportation and architecture. The core of it is that public accommodations are forbidden from discrimination, including « failure to make reasonable modifications in policies, practices, or procedures, when such modifications are necessary to afford such goods, services, facilities, privileges, advantages, or accommodations to individuals with disabilities ». It was written in 1990, so of course it doesn’t talk about web accessibility. But online ordering is just as much a part of how Domino’s operates as a commercial entity catering to the public as walking into their storefronts is. And not only are they a public accommodation, they were exclusively offering some deals through their website, meaning ordering by phone was not an equivalent option; the website needs full accessibility.

                                                            When new technologies and social institutions arise, they don’t exist in a law-free zone. We have to figure out how they’re covered, or not, by existing law.

                                                            1. 1

                                                              Nah they’ll make the deals work over the phone because they’ll make the employees use the same site. I’ll bet you a pizza they do this instead of anything else.

                                                              1. 1

                                                                That would have been a reasonable course of action, and possibly would have put them in compliance, but that’s not in fact what they’re doing.

                                                                1. 1

                                                                  You are aware that Domino’s didn’t file the amicus brief to take this to the Supreme Court, right?

                                                                  https://legalnewsline.com/stories/512767107-group-asks-scotus-to-overturn-profoundly-wrong-ada-ruling-against-domino-s

                                                    1. 3

                                                      Pardon my naivety but isn’t this a case of your load balancer not… balancing load?

                                                      What is the load balancer actually for, then?

                                                      How do other load balancers successfully handle stateful protocols like SSH?

                                                      1. 3

                                                        Who load balances SSH?

                                                        1. 1

                                                          What is the load balancer actually for, then?

                                                          For giving you a chance to use your resources, and justifying your on call team.

                                                        1. 4

                                                          Currently reading ‘Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon’. It is an excellent retelling of the entire incredible (at that time at least) incident, and of course some minor information on cyber-weapons at the disposal of nation states. Highly recommended.

                                                          1. 3

                                                            Currently reading this as well, but I wish a condensed version existed that didn’t have to explain computing concepts I already understand

                                                            1. 2

                                                              a fleeting glance for such sections is what i do. but, honestly, i felt that these were few, and far between.

                                                          1. 2

                                                            Was there a time that Intel / CISC was implemented on top of RISC with a translation layer in microcode or something? I swear I was told this once but maybe it was an urban legend

                                                            1. 3

                                                              Modern x86 is translated into microcode that is very similar to what you’d get if RISC and VLIW got frisky with each other, IIRC ARM does that for some complicated instructions. Microcode lets you optimize the CPU usage more.

                                                              VLIW would be essentially taking out that translation layer, the compiler has to make use of what the hardware offers.

                                                            1. 11

                                                              Turns out having a monopoly is super problematic; who knew?

                                                              1. 15

                                                                This is unrelated to being a “monopoly” (not that GitHub is one, IMHO); every US-based company – and probably EU as well – will have to deal with these kinds of restrictions. As people point out in that issue, the same problems exist with GitLab. You will encounter the same issue with SourceHut as well, as Drew confirmed.

                                                                Perhaps you’ll remember similar problems when there were US crypto export restrictions back in the 90s, which was similar.

                                                                In other words, the problem is a political one. Complaints about an alleged “GitHub monopoly” – whatever merit they may or may not have – are entirely misplaced and deeply uninformed. It looks like you just read the title, and knee-jerked to “GitHub bad!” Well, okay, but this isn’t reddit and I would expect a higher standard here

                                                                1. 19

                                                                  It’s a monopoly problem because if you are blocked from GitHub, you are essentially blocked from working in the entire software industry. Git was designed to be a distributed system that should be resilient to authoritarian censorship like this, but we as an industry managed to snatch defeat from the jaws of victory. A decentralized network of git servers wouldn’t have this problem.

                                                                  You will encounter the same issue with SourceHut as well, as Drew confirmed.

                                                                  If you have this problem with SourceHut, you spin up your own instance or pay someone in another jurisdiction to run one for you; no problem. But realistically it’s very unlikely that these laws would be enforced in a healthy ecosystem anyway even for servers hosted within US jurisdiction.

                                                                  1. 5

                                                                    It’s a monopoly problem because if you are blocked from GitHub, you are essentially blocked from working in the entire software industry.

                                                                    Apart from that being a massive exaggeration, it also doesn’t make GitHub a monopoly.

                                                                    1. 7

                                                                      if you are blocked from GitHub, you are essentially blocked from working in the entire software industry.

                                                                      This is massive hyperbole.

                                                                      1. 8

                                                                        I mean… it’s the intent of the sanctions, isn’t it? That’s the reason to put sanctions in place, to block economic cooperation. A Crimean resident working for a US-based company is economic cooperation. A Crimean resident working for a non-US-based company which relies on infrastructure provided by a US-based company is economic cooperation. If there are alternatives to the existing arrangements but companies have to spend time and money switching to them, that’s an intended effect. If the cost of switching causes some companies to fire people rather than switch, that’s an intended effect.

                                                                        Generally, economic sanctions are imposed thoughtfully and narrowly, because their effects are so great and because the people most affected by them are almost always private citizens with no power to change the situation the sanctions are intended to protest. There have been many books and PhD theses written on the ethics of this. When the decision to impose sanctions is taken, broadly speaking, the more arduous it is for people to comply, the more likely it is the sanctions will achieve their policy objective.

                                                                        You can certainly argue that there are alternatives to GitHub, and that in that sense the statement is exaggerated, but the political objective of the sanctions is precisely to block people from working in the software industry, to the extent that the US “owns” the software industry - and I can assure you that many policymakers do feel that sense of ownership. I do not think it’s hyperbole.

                                                                        1. 5

                                                                          “This is massive hyperbole” “I mean… it’s the intent of the sanctions, isn’t it?”

                                                                          There are all kinds of software engineering positions which don’t require you to be on Github. Massive hyperbole indeed. Now, you might be locked out of Silicon Valley or any other area that puts too much weight into Github activity along with other buzzword tech. Not coding projects you show them but Github specifically. I’m not even sure S.V. requires that in general.

                                                                          Certainly useful if one wants to pull tech in from Github projects. There are bypasses to do that, though.

                                                                          1. 3

                                                                            Thanks for this thoughtful expansion. I agree that sanctions can hit some parts of the targeted population harder than others. They are weapons after all. They’re also predicated on the notion that economic hardship can lead to a change of attitude for the targeted regime, which is problematic to say the least when regimes are authoritarian and control public opinion.

                                                                            However, I was not discussing sanctions in general, nor even the specific sanctions against the Russian Federation in regards to its annexation of Crimea from Ukraine.

                                                                            I was reacting to the perceived notion that software development is impossible without access to GitHub. Git was developed in 2005, GitHub launched in 2008, and presumably took a few years to reach its current dominant position. Yet people managed to develop software just fine before they existed.

                                                                            1. 2

                                                                              That is certainly a fair position.

                                                                          2. 3

                                                                            It’s not hyperbole for people that use Golang.

                                                                            How are they supposed to install dependencies using go get while most of the packages are stored on GitHub?
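One concrete way around the dependency problem raised above, as an added example that is not part of the thread or of any Go project: a POSIX shell script that rewrites a go.mod so every github.com module is fetched from a self-hosted mirror through replace directives instead of from GitHub. The mirror host git.example.internal/mirror, the sample go.mod and the module names and versions in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: point every github.com dependency in a go.mod at a
# self-hosted mirror via replace directives. The mirror host is an assumption.
MIRROR_HOST="git.example.internal/mirror"

# Constructed sample go.mod; module names and versions are made up.
write_sample_go_mod() {
  cat > "$1" <<'EOF'
module example.com/app

go 1.20

require (
	github.com/foo/bar v1.2.3
	github.com/baz/qux v0.4.0 // indirect
	golang.org/x/text v0.3.7
)
EOF
}

# Emit one replace directive per github.com module required in the go.mod at $1.
# The version is kept unchanged: the mirror must be a faithful clone whose own
# go.mod still declares the github.com module path, otherwise go rejects it.
emit_replaces() {
  awk -v mirror="$MIRROR_HOST" '
    /^require \(/    { inreq = 1; next }
    inreq && /^\)/   { inreq = 0; next }
    # block form: "<path> <version> [// indirect]"; one-line form: "require <path> <version>"
    (inreq || $1 == "require") && $0 ~ /github\.com\// {
      path = inreq ? $1 : $2
      ver  = inreq ? $2 : $3
      printf "replace %s => %s/%s %s\n", path, mirror, path, ver
    }
  ' "$1"
}

# Number of github.com requirements that would be redirected.
count_replaces() {
  emit_replaces "$1" | wc -l | tr -d ' '
}

# Append the directives to the go.mod in place; prints how many were added.
# Written to a temp file first so awk never reads the lines it is producing.
apply_replaces() {
  tmp="$1.replaces"
  emit_replaces "$1" > "$tmp"
  cat "$tmp" >> "$1"
  wc -l < "$tmp" | tr -d ' '
  rm -f "$tmp"
}
```

After `apply_replaces go.mod`, run `go mod tidy` with `GONOSUMDB`/`GOPRIVATE` set to the mirror host, because go.sum is then keyed by the replacement path and sum.golang.org knows nothing about it. The same goal is reached with less editing by running a private module proxy (`GOPROXY=https://proxy.example.internal`) that already holds the modules, or by committing a `go mod vendor` tree so builds need no network at all.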

                                                                            1. 4

                                                                              That does seem to be an issue, yes. But Go and its ecosystem is not “the entire software industry”.

                                                                          3. 6

                                                                            You can still do all of that. No one – certainly not GitHub – is stopping you from self-hosting your git service using one of many publicly available tools, and many do exactly this. You’re certainly not “blocked from working in the entire software industry”, although you might run into trouble if you’re working for a company that uses GitHub. But then again, that’ll most likely be a Western company, and they probably wouldn’t be able to hire you in the first place, so the point is rather moot.

                                                                            authoritarian censorship

                                                                            This is neither censorship nor authoritarian. It’s a sanction imposed due to the highly dubious annexation of Crimea by Russia. Whether it’s a good measure is debatable, but it’s not “authoritarian censorship”.

                                                                            1. 3

                                                                              You can still do all of that.

                                                                              I can do that, but unless it’s being done by organizations who can employ Crimean residents, it does no good for them.

                                                                              This is neither censorship nor authoritarian

                                                                              You’re right that it’s not censorship, but I would say that forcing US citizens to punish the residents of a particular region for the crime of having their home invaded is authoritarian.

                                                                              1. 6

                                                                                All people are victims of circumstances, and it’s sad that some people have to suffer for decisions of other people. That said, staying in Crimea is career limiting, and it wasn’t the US who got that ball rolling.

                                                                            2. 2

                                                                              But realistically it’s very unlikely that these laws would be enforced in a healthy ecosystem anyway even for servers hosted within US jurisdiction.

                                                                              I guess it would be impractical to enforce laws against whatever server @technomancy or @notriddle spins up, but that’s mostly a matter of the gov’t never noticing that we exist enough to check in. But for commercially hosted servers (which is always going to dominate the mainstream, because most people don’t want to mess with running a server themselves), it seems perfectly feasible for the US government to enforce trade sanctions against any realistic number of companies. Arguing otherwise would require you to either argue that the government doesn’t have enough resources to enforce trade laws in any of the many industries that are subject to regulation, or arguing that there don’t exist “healthy ecosystems” in any industry (both of those positions actually have merit, but they’re huge, general, political problems that aren’t going to be solved with improved tech).

                                                                              1. 3

                                                                                arguing that there don’t exist “healthy ecosystems” in any industry

                                                                                I think the closest thing to a healthy ecosystem we have to compare against is the Fediverse.

                                                                                It is in fact a great example of using a distributed ecosystem to work around problems with authoritarian crackdowns; in this case against sex workers in the wake of FOSTA: https://www.usatoday.com/story/news/world/2018/06/29/fosta-sex-workers-leave-twitter-switter-after-us-law/744989002/

                                                                                1. 8

                                                                                  I think the closest thing to a healthy ecosystem we have to compare against is the Fediverse.

                                                                                  That’s not an industry. I mean, the sex work is commercial, but Switter itself is not. Switter does not have employees, does not pay taxes, does not sign SLAs, and if a lawsuit was brought against them, they’d either fold or have to beg on Kickstarter for help. That’s just someone, who doesn’t count as “most people”, being willing to take on the complex nastiness of running a server. Stuff like Switter can never be mainstream, because individual hobbyists can’t run the world’s mainstream social network. There simply aren’t enough of us. (which is not actually meant as a knock on Switter specifically; sex work was on the fringes of society long before they decided to host a Mastodon instance, and I’m sure it’ll work fine; the point is that it can’t replace GitHub)

                                                                                  More importantly, I think the Fediverse as it exists is fundamentally unsustainable, because the spam problems (you’ll notice that Switter currently has registrations closed because of spam) are only going to get worse the more popular it gets. What happened to SMTP is just going to happen to ActivityPub.

                                                                                  1. 2

                                                                                    We’re not going to make the same mistakes as SMTP

                                                                                    1. 7

                                                                                      You already did make the same mistakes as SMTP:

                                                                                      • ActivityPub routes based on domain name, depriving users of the ability to transparently migrate from one instance to another. The best you can do is forward between two addresses, and that still means that if the node goes away, then so does your old identity. This incentivizes people to seek out instances that they expect to be around in ten years, since once you pick an instance, you’re committed. Contrast this with the humble phone number: if my current provider announces that they’re going to close up shop, I can port my existing number to a new provider, and even when they go out of business it continues to work.

                                                                                      • ActivityPub allows anyone with an IP address to inject content into public view (through follow-bots). You can layer on requirements, just like email does, but anyone who’s able to meet those requirements basically has a license to spam until you get around to blacklisting them. This is fundamentally true for all public-access push-based systems, including not only email, but blog comments, the phone network, and NNTP. It is importantly absent in systems with pull-based or immutable semantics like RSS, Freenet, and BitTorrent, and in closed systems like Lobsters and RetroShare.

                                                                                      • ActivityPub doesn’t really nail down what you can and can’t include in a message. Different clients will have different policies when they sanitize HTML, which can result in messages getting garbled.

                                                                                      1. 2

                                                                                        We are fixing much of this in LitePub.

                                                                          4. -1

                                                                            Every company has to comply.

                                                                            1. 3

                                                                              Every company has to comply, but there is no such requirement for a private person even in the US. Non-US companies and people alike don’t need to comply either.

                                                                              1. 11

                                                                                Are you sure that is correct? Because that’s not how I read it:

                                                                                Section 1. (a) The following are prohibited:

                                                                                [..]

                                                                                (iii) the exportation, reexportation, sale, or supply, directly or indirectly, from the United States, or by a United States person, wherever located, of any goods, services, or technology to the Crimea region of Ukraine; and

                                                                                (iv) any approval, financing, facilitation, or guarantee by a United States person, wherever located, of a transaction by a foreign person where the transaction by that foreign person would be prohibited by this section if performed by a United States person or within the United States.

                                                                                [..]

                                                                                Sec. 8. For the purposes of this order:

                                                                                (a) the term ‘‘person’’ means an individual or entity;

                                                                                (b) the term ‘‘entity’’ means a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization;

                                                                                (c) the term ‘‘United States person’’ means any United States citizen, permanent resident alien, entity organized under the laws of the United States or any jurisdiction within the United States (including foreign branches), or any person in the United States

                                                                                Seems not just implied but pretty darn explicit that it applies to pretty much everyone and everything in the US, including private persons?

                                                                                1. 2

                                                                                  Ah, thanks for the correction. The latter part still applies though.

                                                                                  I wonder why github still allows access to public repos though, it’s against the letter of that law as well.

                                                                                  1. 5

                                                                                    The latter part still applies though.

                                                                                    I think it also applies for the EU and some non-EU European countries like Norway, Australia, New Zealand, based on a quick reading of https://en.wikipedia.org/wiki/International_sanctions_during_the_Ukrainian_crisis – I didn’t check the details though, so perhaps GitHub-like services may still be allowed from those countries.

                                                                                    I wonder why github still allows access to public repos though, it’s against the letter of that law as well.

                                                                                    My guess would be that GitHub doesn’t really want to deny service to the Crimean people, but is trying to “cover their ass” at least to some degree, and that this is considered a “reasonable compromise”. But that’s really just a guess.

                                                                                    1. 3

                                                                                      EU/EEC countries have separate sanctions regime and enforcement on the issue AFAIK.

                                                                          1. 24

                                                                            Today one of my engineers (who works for us out of Panama, via a contracting company) was locked out of our corporate Github account, as well as all his own personal repos, due to the sanctions restrictions. The best reason we can think of is that months ago he visited Cuba and accessed one of his repos from there. At the time there was no lockout policy and no warnings that this could be a consequence. It’s crazy. He’s filing an appeal of course, but if it doesn’t work I don’t know what the next step is. We’re a paying customer, but we can’t move off Github in any kind of hurry.

                                                                            I would really be thinking twice about using Github now, vs self-hosting something like Gitlab, if you have any employees who are remote or like to travel.

                                                                            1. 8

                                                                              You could always try writing your congresscritters about how the sanctions are hurting you. That’s theoretically how democracy is supposed to work.

                                                                              1. 4

                                                                                Edit/addendum: This was supposed to be mournful, not snarky. Might not have conveyed well, in retrospect.

                                                                                1. 1

                                                                                  Drift, but I thought it scanned the way you intended.

                                                                                2. 1

                                                                                  Just to clarify, you think that US citizens should petition their congressional representatives to lift or alleviate sanctions on foreign countries?

                                                                                  1. 4

                                                                                    If they want the sanctions lifted, yes. If they don’t, then no. Either way the representatives are theoretically there to act in the interests of those they represent, and can’t do that unless people speak up.

                                                                                    1. 1

                                                                                      Thanks for the clarification. I thought perhaps you were referring to the citizen/voters in the countries targeted by sanctions to appeal to their elected representatives (if applicable).

                                                                                      FWIW I highly doubt the fate of foreign citizens is high on the priority list of US congresspersons - at least if there’s no pressing humanitarian reason, and mostly not even then.

                                                                                      1. 2

                                                                                        Yeah, my hope was more that a lot of locals saying “this is hurting my business” would get their attention.

                                                                                3. 6

                                                                                  I would really be thinking twice about using Github now,

                                                                                  I understand where you’re coming from, but let me ask a different question.

                                                                                  Background: during the various attempts at implementing a certain policy – since people fought about what to name it, let’s say “targeted denial of entry to the United States to persons of certain national origins regardless of their prior immigration status” – in 2017, I had a co-worker who was A) originally from one of the targeted countries of origin and B) happened to be abroad (on his honeymoon) at the time the policy was first put into place. Meaning there was a very real chance, if not for some emergency court orders, that he would not have been allowed to return to his home and job, both of which were now in the US.

                                                                                  Would your response to this be “I would really be thinking twice about working for that company”?

                                                                                  And that’s not exactly an isolated incident. Daniel Stenberg has been repeatedly refused permission to come to the US for company gatherings of his employer (Mozilla). Adi Shamir was denied a visa to attend the RSA conference which is literally named after him.

                                                                                  Would your response be “I would really be thinking twice about working for Mozilla”, or “I would really be thinking twice about going to the RSA conference”?

                                                                                  Because for the most part these companies and events don’t get any choice in the matter. If you want to say “think twice about GitHub” because of concerns about monoculture, or Microsoft’s past relationship with open-source, or similar, then say that (and that’s fine). But GitHub can’t just choose not to follow US law, and it’s extremely difficult to find any alternative to GitHub that won’t be either directly or indirectly subject to US law in some fashion. One reason why US financial and computer-crime statutes are so far-reaching, for example, is that it’s hard to do the things that violate those laws without ever accidentally involving a computer or a financial institution that happens to be in the US.

                                                                                  1. 28

                                                                                    Your question wasn’t addressed to me, but I have a more general answer: Yes, I think that everyone in the world should be taking stock of the risks they face by doing business with US-based companies, and evaluating the extent to which they wish to continue doing so. Even US citizens should consider getting their essential services from more politically stable countries.

                                                                                    1. 12

                                                                                      Yes, I think that everyone in the world should be taking stock of the risks they face by doing business with US-based companies

                                                                                      100% agree. I’ll add… I’ll repeat this until blue in the face… that the U.S. is a police state after passing of the Patriot Act with all kinds of secret operations to backdoor companies shown by Snowden leaks. The feds can and sometimes do just show up grabbing all kinds of computers in shared spaces. At least one hosting company lost its customers, some of whom lost their customers, just because they were looking for one user or something. Then, there’s things like civil forfeiture, export licenses, and Patriot Act provisions that can be used to harass companies not complying with whatever they secretly require.

                                                                                      Better to operate in a democracy instead of a police state that considers all people with privacy plus a subset with different beliefs a potential enemy.

                                                                                      1. 6

                                                                                        As a practical matter, for US citizens, I’m not sure there is a more “stable” country where you’d want to get essential services from. Any country can be declared “unstable” by the US, and then what do you do?

                                                                                        1. 2

                                                                                          Yeah. Depressing thought.

                                                                                        2. 4

                                                                                          I personally wish some of the conferences I attend would switch from being “US” to being “North America” in order to reduce the travel friction.

                                                                                          I’m not convinced that disentangling from entities subject to US law is reasonably possible on a useful time scale, though. You’d really be talking about a decade-plus of not just switching who you contract with but also building a huge amount of technical infrastructure (some of it physical), moving or cloning a bunch of companies and products and services, etc. And it raises questions of where to move it; the EU also imposes sanctions on a number of countries, for example, so just doing “github-clone.eu” won’t eliminate this category of problem.

                                                                                          1. 8

                                                                                            I know the cost is immense, yes, but I mean, it’ll happen a lot faster if these sanctions get stronger, as they very well might. It’s a question of whether to disentangle proactively, or shoulder the risk of being suddenly cut off.

                                                                                            Edit to add: I take your point about it being hard to find anywhere better. My point isn’t really about looking for countries that don’t impose sanctions; it’s about looking for politically stable countries. I admit that as a US resident, I am not up to date on how stable the EU is. It may well be that there’s nowhere in the world that can truly be called stable, these days. I do think that the US is among the most rapidly destabilizing places, though.

                                                                                        3. 5

                                                                                          And that’s not exactly an isolated incident. Daniel Stenberg has been repeatedly refused permission to come to the US for company gatherings of his employer (Mozilla). Adi Shamir was denied a visa to attend the RSA conference which is literally named after him.

                                                                                          Would your response be “I would really be thinking twice about working for Mozilla”, or “I would really be thinking twice about going to the RSA conference”?

                                                                                          I’m not sure this is the same thing? I was meaning to express my concern for a company putting their ability to do their core work under the control of a third party that is erring very much on the side of caution with their compliance efforts. I don’t really blame Github for that, of course they have to try to comply. But neither my company, nor this particular individual, actually did anything that breaches the rules. Github applied their ban hammer, though, and today he couldn’t get any work done. They’ve undone the ban on appeal, but what if they hadn’t? Or if it had taken weeks? What if the US puts a new country under sanctions and Github decides to retroactively scan-and-geocode IP addresses (which is the only real way my colleague could have been banned in the first place) and bans a bunch of people who hadn’t even done anything wrong at the time?

                                                                                          it’s extremely difficult to find any alternative to GitHub that won’t be either directly or indirectly subject to US law in some fashion

                                                                                          The alternative is to self-host. As another commenter pointed out, even self-hosting GitHub Enterprise in the US would probably have avoided this problem. We know we’re compliant, and if we self-host then we’re not at the risk of a third-party company deciding we might not be compliant, when they don’t even have the relevant information to make that judgement, and are just being cautious.

                                                                                          1. 3

                                                                                            The alternative is to self-host. As another commenter pointed out, even self-hosting GitHub Enterprise in the US would probably have avoided this problem.

                                                                                            I think you’re putting way too much faith in technical solutions to non-technical problems, and I don’t think that ends well.

                                                                                            1. 6

                                                                                              When control over platform legalities is your concern, self-hosting is indeed the solution. It’s also not a technical one, in that case.

                                                                                              Moving the service into your legal space means you are responsible. You might still be forced to regulate access, but it is in your hands to comply or e.g. take legal action.

                                                                                              1. 2

                                                                                                I don’t agree. If we had a self-hosted git platform (even in the US) we would be the party responsible for controlling access to it. Since we know that the company and its staff are not in violation of the sanctions we would be correctly able to give everyone access. No-one except the US govt would realistically be able to intervene, and they wouldn’t, because we are not in violation of the sanctions.

                                                                                                To be clear, I am talking about the specific thing that happened to one of the engineers on my team today. I think you are talking about much bigger-picture, broad-strokes stuff. That’s a different discussion.

                                                                                            2. 4

                                                                                              Not exactly the same. GitHub denies access on their own turf; there isn’t any good explanation why it’s only now that they’re enforcing all of this without any sort of a warning, when restrictions have been in place for a pretty long time now.

                                                                                              The fact that many of these companies go as far as sweeping all past IP addresses doesn’t add much confidence for the lack of false positives, either.

                                                                                              1. 8

                                                                                                In this specific case I imagine it’s just continued implications of the Microsoft acquisition; probably they’ve gotten to the stage of internal integration where some MS compliance team started auditing whether GitHub was enforcing sanctions, and this is the result.

                                                                                                There were similar cases with Slack in the run up to their IPO, and I’m about as certain as I can be that the sudden “change” was mostly based on the need to be (or be seen as) focusing extra hard on compliance issues prior to going public.

                                                                                            3. 2

                                                                                              GitHub Enterprise is self-hosted and might be another option with relatively little migration difficulty.

                                                                                              1. 6

                                                                                                This was years ago, but at least back then a sysadmin I know said that self-hosted GH was one of the most PITA systems they had ever managed. Unstable, came as a VM image which you are not allowed to touch (-> lovely for security), hardcoded IPs everywhere, and crazy expensive.

                                                                                                1. 1

                                                                                                  It’s not that bad, but I wouldn’t recommend it over GitLab anymore

                                                                                            1. 10

                                                                                              What’s stopping Apple from making Swift a system level language to start replacing C? They don’t have to worry about portability because they only support specific architectures and those have to support Swift anyway

                                                                                              1. 9

                                                                                                illumos, and moreover Triton/SmartOS from Joyent, is excellent.

                                                                                                Although I’ve done a recent rebuild of my home infrastructure and have moved on, I spent years running Joyent’s cloud platform: Triton, on a cluster of Intel NUCs. It’s great that they offer it open source, and I highly recommend people check it out, if they’re unfamiliar. Although we’re living in an ephemeral container-centric world, with lots of cool constructs and patterns evolving, the notion of having a container that acted just like a HVM was always a pleasurable and exciting one (illumos Zones, check them out!).

                                                                                                And of course, Joyent really pushed their engineering with a great Docker API solution, too! So, I had a bunch of services running in zones, and a fair few containers too. All wrapped up with Terraform, Packer, and Ansible for provisioning. A lone KVM instance running OpenBSD for my OpenIKED VPN. I’m just rambling now, but I’m sure people can tell I loved that stack, and it demonstrates how flexible it is for something you can set up at home/in a private DC.

                                                                                                TL;DR - if you’re not familiar with illumos, SmartOS, Triton (and Joyent in general), definitely check out their stuff. It’s all open source, and is really cool!

                                                                                                1. 4

                                                                                                  Illumos is in my top two companies I would trust to run a docker container in production along with Google. I trust them because

                                                                                                  1. They have really solid systems engineers.

                                                                                                  2. Neither of them actually run the docker engine in production.

                                                                                                  1. 2

                                                                                                    You also gain dtrace and the best ZFS implementation. I’ve never had to run Docker in prod but this has been my planned solution since this became possible.

                                                                                                    1. 2

                                                                                                      Absolutely! There are some fantastic technologies that you get at your fingertips. I also forgot to mention in my post how exciting the Linux syscall translation was when it hit. OS level virtualization (containers) of the Linux kernel… on an illumos host. Mindblowing stuff. There are some excellent talks out there from @bcantrill (that are always very entertaining) on many of the things I’ve noted. I’d urge anyone reading, who’s curious about any of this, go watch some of them :)

                                                                                                      1. 2

                                                                                                        I was jealous for a long time because Zones were a bit more “complete” than FreeBSD jails and then their Linux syscall translation was also more complete than FreeBSD’s…

                                                                                                        Things are better now in FreeBSD land but Illumos still has a more polished solution…. and a damn fine network stack… and a damn fine CPU scheduler… and a damn fine memory management…

                                                                                                        If Solaris had been open sourced sooner, I don’t know what the world would look like.

                                                                                                      2. 1

                                                                                                        I’m a big fan of both of those technologies. So it only sweetens the deal for me.

                                                                                                      3. 1

                                                                                                        Doesn’t Google use Docker in production? That was surprising, to me.

                                                                                                        1. 4

                                                                                                          Nope, they use their own container technology, which predates Docker by over a decade. They just wrap it in a Docker API facade to make it easier for you to interact with it.

                                                                                                      4. 1

                                                                                                        What are the reasons for moving?

                                                                                                        1. 2

                                                                                                          Good question! To be honest, although I loved the stack, it had gathered dust for a while. Certainly in a sense of the methods I was using to define my infrastructure. The landscape changed pretty drastically in a short period of time, in the Ops world. I was doing all this stuff with kubernetes and GitOps at work, and still deploying with Terraform and Ansible at home.

                                                                                                          A large part of why I have my home setup is to learn things, try things, develop things. I felt I wanted a stack that closer represented the things I was currently enjoying.

                                                                                                          I could have tried out running k8s on top of Triton, but to be honest, the implementation Joyent have blogged about looks a little hefty for my liking (and my resources). It leverages KVM instances to run various k8s components.

                                                                                                          I’ve been thoroughly enjoying Nix (and NixOS) for quite some time, so I decided I’d redesign my home cluster:

                                                                                                          • NixOS on the metal
                                                                                                          • All system expressions deployed to the servers via NixOps
                                                                                                          • Declarative setup of k8s and some accompanying ‘core’ services
                                                                                                          • k8s services defined with YAML/kustomize, slurped in and deployed via GitOps with ArgoCD

                                                                                                          I’ve been a massive nerd about it all and captured everything in a GitHub project, with a roadmap and issues for everything I plan to implement.

                                                                                                          Whilst I’m excited about it, it’s largely blocked at the moment by the state of k8s deployments on NixOS. The modules provided to bootstrap a k8s cluster are a bit wonky in their current state. I believe ‘offline hacker’ is doing a complete rework of it all in the background. So I’m very much looking forward to his work.

                                                                                                          1. 1

                                                                                                            Out of curiosity, is that GitHub project public?

                                                                                                      1. 3

                                                                                                        Glad to see they now offer binary releases!

                                                                                                        I tried installing Pleroma a while ago on an older server and had a hard time getting the right version of the Elixir compiler installed, which felt a bit silly because I shouldn’t have to compile anything from scratch; it makes a lot more sense to just get the VM installed and download precompiled bytecode and go.

                                                                                                        1. 4

                                                                                                          Releases are kinda beta because they’re new as of Elixir 1.9, but they are the future

                                                                                                        1. 0

                                                                                                          There was a TED talk about a headquarters in New Delhi that installed the correct type and quantity of plants to achieve total “survive in a sealed glass bottle” homeostasis.

                                                                                                          I can’t seem to find a link from mobile right now (and I have no expertise to determine the scientific merit), but it led to my purchase and care of several “air purifier plants” that I’m happy to advocate for, if only for the benefits from more greenery in your work space.

                                                                                                          The three plants are Areca Palm, Mother-in-Law’s Tongue, and Money Plant.

                                                                                                          1. 3

                                                                                                            https://www.ted.com/talks/kamal_meattle_on_how_to_grow_your_own_fresh_air

                                                                                                            Unfortunately the talk contains bold claims on the effectiveness of those plants and is suspiciously lacking any verifiable source. Other sources seem to often be based on hearsay or non-replicated studies.

                                                                                                            1. 2

                                                                                                              It’s bunk science. You can’t clean air in a building with plants. Requires far too many, and then you have to deal with all the co2 they release as well. And then ferns releasing spores… bad idea.

                                                                                                              1. 1

                                                                                                                Interesting, NASA also did a study about plants for cleaning air https://en.wikipedia.org/wiki/NASA_Clean_Air_Study

                                                                                                                1. 2

                                                                                                                  That study was disproven by another NASA study, but that one is the only one people find in google search results :)

                                                                                                                  1. 1

                                                                                                                    Yes, and many sources keep quoting the same study. The fact that there is very little follow up research is odd. Also, the discussion here is about CO2 while the study is focused on [other] VOCs.

                                                                                                                2. 1

                                                                                                                  Ah, that’s too bad. Thanks for sharing. If you do find any good sources on air purification, they’d be a good share here. I have a certified HEPA device, but I live close to a major highway in a dense urban environment, so even marginal improvements would be welcome.

                                                                                                                  1. 1

                                                                                                                    A HEPA filter? It might be the best option for particulate (if not too small) yet it does nothing for oxygen and CO2.

                                                                                                              1. 3

                                                                                                                As for what to do to improve CO2 levels at Recurse Center, one option would be to hire an HVAC person to install CO2-driven ventilation. Depending on how the building is currently ventilated, you may be able to install a simple damper that opens to let the HVAC system pull in fresh air when CO2 levels get too high, and that closes when they are reasonable, trying to strike a balance between energy efficiency and healthy air.

                                                                                                                Something like this: https://hvacsolutionsdirect.com/catalog/Duct-Smoke-CO-Detectors/CO-Duct-Detector-Kit/Young-Regulator-DEMAND-AIR-CO2-FRESH-AIR-Damper-SKU2669

                                                                                                                There are fancier variants as well if energy efficiency is a concern, but the basic idea anyway is to have something that regulates fresh air intake based on CO2.

                                                                                                                Or… you know, if someone happened to have a Raspberry Pi with a CO2 sensor lying around, just buying a motorized damper and controlling it with the Pi :)

                                                                                                                1. 1

                                                                                                                  Don’t do that. You want an ERV or an HRV. A simple air exchanger will cause humidity issues. As a bonus you’ll get filtered air with an ERV or an HRV

                                                                                                                  1. 1

                                                                                                                    Nah. HRV does nothing for humidity, it’s the same as regular ventilation as far as that goes. ERV will help retain whatever the indoor humidity is. So if you’re in a cold climate with no A/C or dehumidification, it’ll raise indoor humidity since it’ll “hold in” humidity that otherwise would have moved to balance with outside air.

                                                                                                                    Not necessarily a bad thing if you’re in a dry climate, but not something that helps with moisture problems.

                                                                                                                    If you’re in a hot/humid climate and you have dehumidification, then an ERV will help offload the dehumidifier/AC.. but then the A/C was already doing the work to keep mold at bay.

                                                                                                                    Basically once you start mixing in energy recovery, humidity becomes complex. It’s good stuff, but if you just want to keep CO2 levels down then just a regular old fresh-air intake for the HVAC is much cheaper and simpler.

                                                                                                                1. 2

                                                                                                                  Although I think to really make a dent one would need to buy a lot of plants or perhaps acquire some vats of algae.

                                                                                                                  a LOT of plants. Infeasible.

                                                                                                                  I had an ERV installed at home to reduce the amount of CO2 build-up as I work from home. It’s crazy how much better you feel, how much more productive your sleep is, and how much more productive your work is with fresh air! I wake up every morning before my alarm now feeling very refreshed. So odd how a small change has a huge impact on your quality of life.

                                                                                                                  At over 2000ppm your cognitive skills can drop significantly – 40-95%, IIRC. What’s “safe” for humans is not necessarily what is good for humans.

                                                                                                                  1. 2

                                                                                                                    Could comments about Washington Post’s usability please be removed? It muddies the discussion of the content.