Threads for grawlinson

  1. 9

    I keep grumbling about this in different contexts, but I wish people would stop writing push-model lexers. This one is another instance. The lexer is responsible for deciding the type of the token. This pushes a lot of complexity into the parser for situations where there is some context sensitivity. You have to check against identifier and all of the context-dependent token types.

    A pull-model lexer takes the expected token type as an argument and returns either no token or a valid token as an argument. This makes it trivial to handle ambiguous token types, because the parser (which has parse state) is able to request the most specialised token type that makes sense in the current context.

    As a minor nit, it looks as if the token returns a null-terminated C string, which requires a copy, so it is easy to leak memory. If this is not a copy, then it lacks a length and so the parser has to re-lex to find the end. I prefer the Token type to contain a source location pair. I typically use something inspired by clang here, where the source location is a 32-bit integer that uses 1 bit as a discriminator to differentiate between values that encode a source, column, and file tuple in 31 bits, or a 31-bit index into a table of source locations that don’t fit in this encoding. You can then expose APIs for getting the length of a token and copying it as a string (into a caller-provided buffer). These can be static inline functions. This looks like it requires a single C string as an input, so you’d need something extra for building an include stack and your source locations can just be offsets into the stream.

    In general, it’s a good idea to allow the input to be pulled in in chunks, rather than the whole thing provided at once. In C, I’d write this as a structure with a pointer, a start location, a length, an internal buffer, and a callback to update the pointer to point to the requested location (and another void* for stream context).
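
A minimal sketch of the pull-model lexer described in the comment above, added here as an illustration and not code from the commenter or from the lexer under discussion. All names (`lex_expect`, `token_copy`, `parse_getter`) are hypothetical; it assumes a single in-memory buffer and uses plain offsets as source locations instead of the packed 32-bit encoding or chunked input the comment mentions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kinds the parser can ask for. TOK_KW_GET is context-sensitive: the word
 * "get" is a keyword only where the parser requests it as one. */
enum tok_kind { TOK_IDENT, TOK_KW_GET, TOK_NUMBER, TOK_LBRACE, TOK_RBRACE };

/* A token is a pair of source offsets, not a heap-allocated C string,
 * so there is nothing to free and the length is always known. */
struct token { enum tok_kind kind; uint32_t begin, end; };

struct lexer { const char *src; uint32_t len, pos; };

static inline uint32_t token_length(struct token t) { return t.end - t.begin; }

/* Copy the token text into a caller-provided buffer. Always NUL-terminates,
 * truncates when the buffer is too small, and returns the full token length
 * so the caller can detect truncation (result >= cap). */
static inline uint32_t token_copy(const struct lexer *lx, struct token t,
                                  char *buf, size_t cap)
{
    uint32_t n = token_length(t);
    if (cap > 0) {
        size_t c = n < cap - 1 ? n : cap - 1;
        memcpy(buf, lx->src + t.begin, c);
        buf[c] = '\0';
    }
    return n;
}

static uint32_t skip_space(const struct lexer *lx, uint32_t p)
{
    while (p < lx->len && isspace((unsigned char)lx->src[p])) p++;
    return p;
}

/* Length of the identifier-shaped word starting at offset p (0 if none). */
static uint32_t word_at(const struct lexer *lx, uint32_t p)
{
    uint32_t e = p;
    if (e < lx->len && (isalpha((unsigned char)lx->src[e]) || lx->src[e] == '_'))
        while (e < lx->len && (isalnum((unsigned char)lx->src[e]) || lx->src[e] == '_'))
            e++;
    return e - p;
}

/* Pull interface: the parser names the kind it expects. On a match the token
 * is stored in *out and consumed; on a mismatch the lexer state is untouched,
 * so the parser can ask again with a different kind. */
bool lex_expect(struct lexer *lx, enum tok_kind want, struct token *out)
{
    uint32_t p = skip_space(lx, lx->pos), n = 0;
    switch (want) {
    case TOK_IDENT:
        n = word_at(lx, p);
        break;
    case TOK_KW_GET:
        n = word_at(lx, p);
        if (n != 3 || memcmp(lx->src + p, "get", 3) != 0) n = 0;
        break;
    case TOK_NUMBER:
        while (p + n < lx->len && isdigit((unsigned char)lx->src[p + n])) n++;
        break;
    case TOK_LBRACE: n = (p < lx->len && lx->src[p] == '{'); break;
    case TOK_RBRACE: n = (p < lx->len && lx->src[p] == '}'); break;
    }
    if (n == 0) return false;
    *out = (struct token){ want, p, p + n };
    lx->pos = p + n;
    return true;
}

/* Toy grammar (constructed for this example): "get" IDENT "{" NUMBER "}".
 * The same word "get" is lexed as a keyword first and as a name second,
 * purely because of what the parser asks for at each position. */
bool parse_getter(const char *src, char *name, size_t cap, struct token *num)
{
    struct lexer lx = { src, (uint32_t)strlen(src), 0 };
    struct token kw, id, br;
    if (!lex_expect(&lx, TOK_KW_GET, &kw)) return false;
    if (!lex_expect(&lx, TOK_IDENT, &id)) return false;
    if (token_copy(&lx, id, name, cap) >= cap) return false; /* would truncate */
    return lex_expect(&lx, TOK_LBRACE, &br) && lex_expect(&lx, TOK_NUMBER, num)
        && lex_expect(&lx, TOK_RBRACE, &br);
}

int main(void)
{
    char name[8];
    struct token num;
    bool ok = parse_getter("get get { 42 }", name, sizeof name, &num);
    printf("ok=%d name=%s number at [%u,%u)\n", ok, ok ? name : "-",
           (unsigned)num.begin, (unsigned)num.end);
    return ok ? 0 : 1;
}
```
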

    1. 1

      I haven’t found many pull-model lexers, are you aware of any that would be great to learn from?

      The only one I’ve really looked at is pulldown-cmark.

      1. 1

        Most real compilers end up writing an ad-hoc one. I’ve not found a general-purpose tool for writing them, so I’ve tended to write ad-hoc ones in various places.

    1. 11

      This feels less like “Lisp is useful for devops” than “Here are three devops tools that use Lisp”. My area knowledge isn’t that great, but I’ve never heard of any of these three, so I assume they aren’t terribly common. If one is likely to find different, non-Lisp tools solving the same problems in the wild, and there’s no killer advantage to using these Lisp-based tools, then it doesn’t seem to me that the existence of these tools actually makes it true that Lisp is useful for devops.

      I suspect that the author was more interested in sharing Lisp and these tools than making a specific claim about the relative utility of Lisp to a devops engineer, so I’m being overly nitpicky. But the post would be more compelling with at least a paragraph offering some advantages Lisp might have for devops, like the utility of declarative or functional languages for configuration. The lone comment on the post mentions Guix, which I have heard of, and which does press those specific advantages.

      1. 2

        Great feedback, thank you!

        1. 5

          If you’re looking for article ideas, I would love to see an article that takes a standard and realistic Chef / Puppet / Docker setup and is fully replaced by bass. I think that might make it easier to get behind.

          1. 2

            Definitely seconded, plaze halp.

        2. 1

          And a fourth tool: newLISP

          1. 3

            Please don’t use newlisp for anything, ever.

            1. 5

              Why not? Is it because it hasn’t seen a new release for a while?

            2. 1

              What makes newLISP well suited for dev ops tasks?

              1. 2

                I’d say the will of the creator to make it feel more like a scripting language. At the time I first encountered it, it seemed promising enough for some stuff, but I never got the chance to test it in production.

                1. 2

                  I use it all the time. newlisp is fun. It feels like LISP that has the good stuff from Perl and C and shell scripting pulled into it.

          1. 3

            I’ve been using yarr which is in the same vein as miniflux, but even more minimalist. (Cons: it doesn’t work without Javascript) I’m now considering switching to miniflux due to how barebone it is.

            But if you’re looking for a barebone RSS reader, I think yarr should be considered.

            1. 2

              I’ve been looking for a replacement for rawdog (http://offog.org/code/rawdog/) since it’s Python 2 only. Yarr looks good in that it uses sqlite but the front-end looks overwrought. Miniflux looks good, too, but I don’t have any other need for a full-blown RDBMS so I’m hesitant to run Postgresql just for that app.

              1. 1

                You can probably run miniflux + postgresql on fly.io. 256 MB x 2 isn’t much, but more than enough in this case.

                1. 1

                  Porting rawdog to Python3 honestly might not be too difficult. All the libs are there by now, and I’ve had quite good success rates with 2to3 and such.

                  1. 2

                    There seems to be an active fork here.

                    Last commit was a few days ago, so it’s more promising than doing it all yourself. :)

                2. 1

                  Looks nice! Maybe I’ll give it a go. I love miniflux but there are a few small things that bother me. Does yarr work well on mobile layouts too?

                  1. 3

                    I don’t read RSS feeds on mobile. So I tried it for the first time on my phone browser, and it looks really nice and mobile-friendly. So to answer your question, yes it does work on mobile layouts too :)

                    1. 1

                      Thank you for checking! I tried to find docs but couldn’t find any.

                1. 9

                  Second, the software distribution - docker definitely made things easier to ship.

                  This is quite the understatement.

                  Linux’s approach of making everything dynamically linked and depend on everything else, combined with the general complexity explosion we’ve seen in software means Linux has degraded to the point where you basically can’t run software on it.

                  Static linking has solved this problem for longer than it has even been a problem, but for GNU flavoured historical reasons you can’t use it for most software. So instead people have reinvented it but worse, and the default way to ship software is to ship a tarball but worse containing a disposable operating system that only runs your app.

                  You still need a host OS to run on the hardware itself, which will have a half-life measured in months before it self destructs. You can push this out if you never, ever touch it, but even as someone who has repeatedly learned this lesson the hard way (still using Firefox 52, iOS 13, etc) I still can’t keep myself from occasionally updating my home server, which is generally followed by having to reinstall it.

                  1. 8

                    It really only holds when you’re talking about software which hasn’t been packaged by your host OS tho, right?

                    If I want to run something that’s in apt, it’s much, much easier to install using apt.

                    1. 4

                      I find it’s easier to bring up a PostgreSQL instance in a Docker container, ready to go, than to install and configure it from apt. Both are pretty easy though.

                      1. 3

                        I’m on the opposite side of this matter: I have a dev db, I put everything in it, single version, configured once, run since then. When I played with docker and considered how useful it could be I decided to not go that direction, because for my use-case, docker didn’t seem added value.

                        1. 2

                          The difference is that you have to learn how apt works if you run an apt-based system. If you learned to use Docker for some other reason (probably for work, because why else would you?) that’s not as widely applicable.

                          1. 2

                            But learning apt and learning docker, it’s still a huge difference.

                            If you want to do an extensive customization, you still have to learn apt to fiddle with the things in the image itself, plus a lot of docker things on top.

                            1. 2

                              that’s not as widely applicable.

                              actually, you might argue that docker (and podman) are more applicable because what you learn there can be used on any distro running docker, whereas only knowing how to use apt limits you to only distros that use apt…

                          2. 3

                            Not at all, in the last year or so I’ve had two installs with almost nothing on them (htop process list comfortably fits on 1 page) self destruct (boot into unusable state/refuse to boot) on their equivalents of apt-get upgrade.

                            1. 6

                              I’d recommend trying to understand what exactly happened and what’s failing when you run into situations like that, especially if it happened more than once. Things don’t normally self destruct. Sure, you can run into a bug that renders the system unbootable, but those are pretty rare. A significant part of the world computing runs on Linux and it runs for years. If your experience is “will have a half-life measured in months before it self destructs”, it may be worth learning why it happens to you.

                              1. 4

                                Wellllll… Debian systems don’t self-destruct on apt upgrade, but there are many other downstream variants that still use apt but don’t believe in old-fashioned ideas like … making sure things actually work before releasing.

                                1. 1

                                  Debian systems don’t self-destruct on apt upgrade

                                  At least, not if you upgrade them regularly. I’ve hit a failure mode with older Debian systems because apt is dynamically linked and so when the package / repo format changes you end up not being able to upgrade apt. This isn’t a problem on FreeBSD, where pkg is statically linked and has a special case for downloading a new version of the statically linked binary that works even if the repo format changes.

                                2. 2

                                  Frankly, why would I?

                                  15 years ago I probably would have. Nowadays I understand my time is too valuable for this. When I spend my time to learn something there are so many wonderful and useful ideas in the world to immerse myself in. Understanding why my almost completely vanilla OS nuked itself for the nth time after I used it normally is not one of them.

                                  Windows and Mac both have comfortable access to the good parts of Linux through WSL/docker (WSL is by far the most unreliable thing on my PC despite not even needing to be a complete OS) while also not dropping the ball on everything else. For the one machine I have that does need to be Linux, the actual lesson to learn is to stop hitting myself and leave it alone.

                                  Things don’t normally self destruct. Sure, you can run into a bug that renders the system unbootable, but those are pretty rare.

                                  In other circles:

                                  1. 2

                                    Frankly, why would I?

                                    For me that’s: because I can do something about it, as opposed to other systems. For you the bad luck hit on Linux. I’ve had issues with updates on Linux, Windows, Macs. Given enough time you’ll find recurring issues with the other two as well. The big difference is that I can find out what happened on my Linux boxes and work around that. When Windows update service cycles at 100% CPU, manually cleaning the cache and the update history is the only fix (keep running into that on multiple servers). When macos after an update can’t install dev tools anymore, I can’t debug the installers.

                                    In short: everything is eventually broken, but some things are much easier to understand and fix. For example the first link is trivially fixable and documented (https://wiki.archlinux.org/title/Pacman/Package_signing#Upgrade_system_regularly)

                                    1. 3

                                      To largely rehash the discussion on https://lobste.rs/s/rj7blp/are_we_linus_yet, in which a famous tech youtuber cannot run software on Linux:

                                      Given enough time you’ll find recurring issues with the other two as well.

                                      This is dishonest, the rate and severity of issues you run into while using Linux as intended are orders of magnitude worse than on other OS. In the above, they bricked their OS by installing a common piece of third-party software (Steam). Software which amusingly ships with its own complete Linux userspace, another implementation of static linking but worse, to protect your games from the host OS.

                                      because I can do something about it, as opposed to other systems

                                      This is untrue, Windows at least has similarly powerful introspection tools to Linux. But even as someone who ships complex software on Windows (games) I have no reason to learn them, let alone anyone trying to use their computer normally.

                                      For example the first link is trivially fixable and documented

                                      In this case you can trivially fix it, you can also trivially design the software such that this never happens under normal conditions, but the prevailing Linux mentality is to write software that doesn’t work then blame the user for it.

                                      1. 3

                                        This is dishonest, the rate and severity of issues you run into while using Linux as intended are orders of magnitude worse than on other OS.

                                        It’s not dishonest. This is my experience from dealing with large number of servers and few desktops. Including the ability to find actual reasons/solutions for the problem in Linux, and mostly generic “have you tried dism /restorehealth, or reinstalling your system” answers for Windows.

                                        This is untrue, Windows at least has similarly powerful introspection tools to Linux.

                                        Kind of… ETL and dtrace give you some information about what’s happening at the app/system boundary. But they don’t help me at all in debugging issues where the update service hangs in a busy loop or logic bugs. You need either a lot of guesswork or the source for that one. (or reveng…)

                              2. 2

                                Meanwhile, the host OSes are refusing to properly package programs written in modern programming languages like Rust because the build system doesn’t look enough like C with full dynamic linking.

                                1. 11

                                  What do you mean by this?

                                  I’m a package maintainer for Arch Linux and we consistently package programs written in post-C languages without issue.

                                  Via collaboration and sharing with other distributions, we (package maintainers) seem to have this well under control.

                                  1. 3

                                    I mean, maybe some distros, but you seem to think all do? That’s incorrect :)

                              1. 3

                                Very interesting, thanks for sharing! Really cool that you took the time to write a technical paper about it as well. For anyone interested in the subject of Lisp for game development I can highly recommend this article about Naughty Dog’s use of a proprietary Lisp for their games: http://www.codersnotes.com/notes/disassembling-jak/

                                1. 2

                                  I’m not actually the author! that’d be Shinmera.

                                  1. 1

                                    Oops, my bad! Thanks for the clarification

                                  2. 1

                                    Here’s a link to Open GOAL, the ongoing attempt to reverse engineer this particular language.

                                    1. 1

                                      That’s really cool. TBH it feels like GOAL and its implications, ie the viability to use a “highly dynamic” language like Lisp for game development, has really flown under the radar. Hopefully this project can bring more attention to the fact that you don’t need to build your game in C++ 😉

                                  1. 2

                                    I seem to recall that there was an announcement from a pijul author that pijul was in maintenance mode and that he was working on a new VCS. I can’t find mention of this VCS now though. Does anyone remember this?

                                    1. 2

                                      I’m the author, this is totally wrong.

                                      1. 1

                                        Thank you for the clarification. I’m not sure how I ended up remembering something that never happened.

                                      2. 2

                                        I seriously doubt this is the case. There’s been a huge amount of work on pijul and its related ecosystem.

                                        If I’m wrong, I’d love to know otherwise.

                                      1. 4

                                        Is it comfortable to use the thumb to move all the time? I ask cause I have some pain to my thumbs after texting too much on my phone…

                                        I personally use a vertical mouse, and it changed my life. Used to have chronic wrist inflammations, they’re gone now.

                                        1. 6

                                          I use a kensington expert trackball for that reason. It was very alien at first, but now I love it.

                                          1. 4

                                            Same here, I am addicted to using the ring to scroll. I find it much easier on my wrist, but to be honest I have both a mouse and this guy which I’ll alternate between during the day.

                                            1. 3

                                              Ya same setup here, I use a regular mouse for gaming since I just can’t get used to using a trackball for that… but use the trackball for everything else. The kensington’s ring scroll is the bomb!

                                              1. 1

                                                I’m looking for a trackball to buy but I heard bad things about the kensington’s scroll ring. Can any of you confirm if it’s easy to scroll accidentally or not, or if it has any other flaws?

                                                  1. 1

                                                    I don’t think I’ve ever accidentally scrolled the ring.. Maybe with bad posture it’s easier to? But after looking at mine and just now trying to get it to scroll accidentally… I just don’t see an obvious way to do that with how I place my hand on it when in use. 🤷‍♂️

                                            2. 4

                                              I got thumb tendinitis from using one. I use a vertical mouse now, super happy.

                                              1. 1

                                                Vertical mice make my shoulder seize up something fierce, but I’m really happy with an old CST L-Trac finger trackball. It’s funny how wildly people’s ergonomic needs can vary.

                                                1. 1

                                                  CST L-Trac here too! I bought one based only on the internets and I wish it was a bit smaller. Definitely something to try out if you can, especially if your hands ain’t super big. Bought another for symmetry so I don’t end up in a rat race finding something as good but just a bit more fitting.

                                                  And there were the accessories aspect!

                                                  CST’s business is now owned by someone else who I don’t think have the back/forward-button accessory. I kinda regret not having got those. ISTR checking out what they had and it was lame.

                                                  What I’d really like to see are some specs and community creations for those ports, like horizontal scroll wheels, but I think Linux doesn’t really support that anyway.

                                              2. 4

                                                Having used an extensive range of input devices (regular mice, vertical mice, thumb trackballs, finger trackballs, touchpads, drawing tablets, and mouse keys), my thoughts on this are as follows:

                                                Regular mice are the worst for your health. Vertical mice are a bit better, but not that much. Thumb balls are a nice entry into trackballs, but you’ll develop thumb fatigue and it will suck (thumb fatigue can make you want to rip your thumb off). Finger balls don’t suffer from these issues, but often come in weird shapes and sizes that completely nullify their benefits. The build quality is usually also a mess. Gameball is a good finger trackball (probably the best out there), and even that one has issues. I also had a Ploopy and while OK, mine made a lot of noise and I eventually sold it.

                                                Touchpads are nice on paper, but in practice I find they have similar problems to regular mice, due to the need for moving your arm around. Drawing tablets in theory could be interesting as you can just tap a corner and the cursor jumps over there. Unfortunately you still need to move your arms/wrist around, and they take up a ton of space.

                                                Mouse keys are my current approach to the above problems, coupled with trying to rely on pointing devices as little as possible. It’s a bit clunky and takes some getting used to, but so far I hate it the least compared to the alternatives.

                                                QMK supposedly supports digitizer functionality (= you can have the cursor jump around, instead of having to essentially move it pixel by pixel), but I haven’t gotten it to work reliably thus far. There are also some issues with GNOME sadly.

                                                Assuming these issues are resolved, and you have a QMK capable keyboard, I think this could be very interesting. In particular you could use a set of hotkeys to move the cursor to a fixed place (e.g. you divide your screen in four areas, and use hotkeys to jump to the center of these areas), then use regular movement from there. Maybe one day this will actually work :)

                                                1. 1

                                                  you could use a set of hotkeys to move the cursor to a fixed place (e.g. you divide your screen in four areas, and use hotkeys to jump to the center of these areas),

                                                  isn’t it what keynav does? Never succeeded to get used to it though, couldn’t abandon my mouse.

                                                2. 2

                                                  I use an Elecom Deft Pro where the mouse is in the middle of the mouse. I generally use my index & middle finger to move the ball. For me, I find it more comfortable than a normal mouse or one with the ball on the side (thumb operated).

                                                  1. 1

                                                    everyone is probably different but I have a standard trackball mouse (Logitech, probably older version of this post) and it’s very comfortable. The main thing is to up the sensitivity a lot. Your thumb is precise, so little movement is needed!

                                                    No good for games, perfect for almost everything else.

                                                    (I have used fancy trackballs that a coworker has. It’s terrible for me, I do not get it at all even when trying for hours on end)

                                                    1. 1

                                                      Anything you overdo is bad for you.

                                                      I swap between a trackpad, a mouse and an M570 every few days.

                                                    1. 1

                                                      I wish I’d have known of this tool when I was dissecting multi MB json dumps.

                                                      1. 3

                                                        I can’t remember if it’s here or the orange site (or both), but this list has been making the rounds recently. Quite pleased with a few of these.

                                                      1. 1

                                                        I don’t see how this would ever happen, given that manufacturers love obsoleting things as soon as the blueprints are finalised.

                                                        1. 16

                                                          The diagramming support is one of the things I miss most after moving from gitlab to github.

                                                          1. 8

                                                            Interesting! Didn’t know GitLab flavored Markdown supported that (and more).

                                                            https://docs.gitlab.com/ee/user/markdown.html#diagrams-and-flowcharts

                                                            1. 10

                                                              Gitea also supports mermaid diagrams.

                                                            2. 5

                                                              Curious… why bother moving forges from open-core to closed-source?

                                                              1. 4

                                                                GitHub has a lot more social features. I’ve had a couple of projects on GitHub get issues and pull requests with no marketing. So people are finding and using things.

                                                                I’ve considered if I should set up mirrors of my GitLab projects on GitHub for the marketing effects.

                                                                1. 2

                                                                  The social features are one of my biggest turn-offs, but you’re not the first to voice that opinion.

                                                                  1. 6

                                                                    I pretend that I don’t care about the social features. I really like that you can follow releases and the reaction option is kinda nice (so people can voice their support on new releases, without any comment noise).

                                                                    I don’t follow anyone, because that’s just adding a ton of stuff into my feed. But honestly it makes me happy when somebody does give me a “star” and I think it’s ok to have this vague indicator of credibility for projects.

                                                                    But I do actually search on github first when I’m looking for some kind of software I don’t find directly by using DDG. So the network effect is definitely there. Same goes for inter-project linking of issues or commits. And I won’t be surprised if moving my crates.io source to gitlab would decrease the amount of interaction as much as moving it to my private gogs/gitea instance.

                                                                  2. 2

                                                                    I’m curious what the social features are? I’ve used GitHub since it came out, but have never specifically noticed this

                                                                    1. 3

                                                                      follows. watches. stars. networks. there might be more. Github has been on my radar since it came up and these have long annoyed me. I think one of their early slogans was “social coding” and it was irritating then. Some people really like it though.

                                                                  3. 3

                                                                    For me it was largely about switching of culture of my work, shortly followed by me switching companies.

                                                                    Personally if I were to start again I think I would utilize gitlab again. While occasionally their solutions lack the polish and simplicity of github, the “whole package” of their offerings is really nice. The only consistent downside is performance of certain UI elements.

                                                                1. 6

                                                                  This looks extremely exhaustive. Afraid to dive in, bookmarking >.>

                                                                  1. 4

                                                                    It’s not too bad if you read it in bite sized chunks. I’m generally only interested in a subset of the documentation, so I’m reading that while skimming the rest.

                                                                  1. 7

                                                                    As an Arch Linux packager I can sympathize with the Gentoo folks here. It’s been quite frustrating to have working solutions deprecated before working replacements are in place.

                                                                    1. 9

                                                                      Honestly, this xkcd is the perfect summary of the entire Python ecosystem. Since that comic was authored, the situation has only got more complicated.

                                                                      1. 5

                                                                        Every time I’ve actually talked to someone who claimed to be fighting with that, their story inevitably led back to “well, first I looked at the single standard default tooling, and decided against using it”.

                                                                        (yes, there is a simple default stack of packaging tools: setuptools as the builder, pip as the installer, venv as the managed/isolated environment. They work well and do their tasks. No, I don’t know why people seem to go to nearly any lengths and unimaginable levels of pain and frustration to try to avoid them)

                                                                        1. 2

                                                                          The “standard” tooling changes extremely often in the Python ecosystem. Distutils, setuptools, PEP-517 (and even this is ridiculously fragmented with flit, poetry and a whole bunch of other options). None of it is “standard” by any means. There is also no clear migration path for each of these methods, and most Python projects really don’t care.

                                                                          1. 1

                                                                            The “standard” tooling changes extremely often in the Python ecosystem. Distutils, setuptools, PEP-517 (and even this is ridiculously fragmented with flit, poetry and a whole bunch of other options). None of it is “standard” by any means.

                                                                            I don’t really know where this idea comes from.

                                                                            Well, actually, I do, and I said so above: pip is 13 years old, setuptools is 17 years old, virtualenv is 14 years old (and the venv module containing its core functionality has been in the Python standard library for 9 years). The problem isn’t “Python” or lack of a “standard”. Those are the standard tools. They’ve been around for ages, they’re battle-tested, they do their jobs extremely well, and their end-user interfaces evolve extremely slowly (when they evolve at all). I’ve been writing pip install for literally over a decade at this point!

                                                                            And that’s it. That’s the whole thing. People seem to get in this vicious loop where for whatever reason they utterly refuse to even look at the core standard tooling and then go cobble together their own monstrosity out of baling twine and duct tape, and then blame Python or “Python packaging” for the resulting problems.

                                                                        2. 3

                                                                          I honestly assumed you were linking to XKCD 927 but figured I’d click through for the laugh anyway. I had no idea there was a Python specific variant.

                                                                      1. 15

                                                                        Note: this article contains inline images of marked classified documents.

                                                                        This comment is not intended to spark a discussion; simply put, some people may want to avoid the article for this reason.

                                                                        1. 9

                                                                          Those images are the same as those found on this webpage: https://nsa.gov1.info/dni/nsa-ant-catalog/usb/index.html which is the first hit for a web search.

                                                                          There is a Wikipedia page on them https://en.wikipedia.org/wiki/NSA_ANT_catalog which says they were leaked in 2013 by Der Spiegel.

                                                                          I can see that NDA being applied to “I took a peek at my boss’s desk” or “I went on the dark web and paid 10 bitcoins for this information”. I can not see that being applied to “I did a web search and found it on Wikipedia.”

                                                                          And in any case, I don’t know if those are authentic or made up by a teenager hoping to get money from Der Spiegel.

                                                                          1. 5

                                                                            Out of curiosity… why?

                                                                            1. 12

                                                                              IANAL etc etc… My understanding is something along the lines of… those holding US clearances sign an NDA to agree not to access classified documents for which they are not authorized nor need to access. I understand these people may want to avoid marked classified documents leaked online, for example because they may not have the “need to know”.

                                                                              I’m not here to dictate or judge, just to note for those who care about this material.

                                                                              1. 4

                                                                                Correct! It’s generally the same reason why prominent emulator developers won’t look at or access leaked documents/source code. It’s a whole can of beans that nobody should ever put themselves near.

                                                                            2. 1

                                                                              Good point, it would be polite to put up a “spoiler warning” if you’re going to do this. And there are plenty of publicly available examples they could have used to make the same point. Ah well.

                                                                            1. 9

                                                                              I’m one of the package maintainers of Nix for Arch Linux and it’s been a real headache getting this version to compile from source, beginning with the source tarball on the homepage returning a 404.

                                                                              There’s also 5 unspecified compulsory dependencies:

                                                                              • autoconf-archive
                                                                              • jq
                                                                              • libcpuid
                                                                              • gtest
                                                                              • lowdown

                                                                              And lowdown is patched in Nixpkgs, which adds another package that package maintainers have to juggle. The patches haven’t been accepted upstream either, which makes it difficult for me to justify including them in Arch Linux. What does lowdown even do anyway?

                                                                              I’ve spent a few hours today attempting to get this to compile, and it’s been one issue after the other.

                                                                              1. 7

                                                                                We no longer release source tarballs. If you want to build from source, please build from the tags in the Git repository.

                                                                                From the post.

                                                                                Looks like Lowdown might be used for the new documentation generation. Necessary for generating the man pages, I imagine.

                                                                                nixpkgs hacks up a lot of packages to enable dynamic linking but I don’t think that’s relevant to your Arch work. Just use the static version. Doesn’t matter.

                                                                                1. 4

                                                                                  I use Arch Linux and am eagerly awaiting this working so I can upgrade to 2.4 with my normal arch package manager. Thank you for your service.

                                                                                  1. 2

                                                                                    I’ve managed to get it working, the blocker was generally just me being super tired and juggling multiple responsibilities!

                                                                                    It’s been through the testing repository, and now in the community repository. 🎉

                                                                                    1. 1

                                                                                      Awesome, thanks!

                                                                                  2. 3

                                                                                    What’s the goal of a nix package in arch? I thought nix is pretty much self-managing / self-updating in its own environment. That would make the nix package more of a nuisance than useful.

                                                                                    Or am I missing some use case where you’d want pacman managing it?

                                                                                    1. 2

                                                                                      All that linked lowdown patch does is help split up package outputs more finely, which is a Nixpkgs-specific thing. You can have hello.bin, hello.lib, hello.dev, hello.man, &c. Arch doesn’t concern itself with that when packaging.

                                                                                    1. 7

                                                                                      This attack would be history once and for ever if DNSSEC was widely deployed… sigh…

                                                                                      1. 2

                                                                                        Forgive me if I sound ignorant, but how does one ensure DNSSEC and a BIND-RPZ co-exist? RPZs are widely used to return NXDOMAIN to any DNS lookup for ad/tracking networks on a lot of private/VPN networks.

                                                                                        1. 1

                                                                                          In this case, the recursive resolver could resolve domains and check their DNSSEC signature. But you could connect to your recursive resolver using DNS over TLS and remove the DNSSEC signatures, which is supported by systemd-resolved.

                                                                                          If it’s unclear, here is an example of how it would work:

                                                                                          • Your DNS resolver on your local machine is set to 192.0.2.1#noads.dns.example.com.
                                                                                          • You go to example.com in Firefox.
                                                                                          • Firefox queries (through systemd-resolved but this is a detail) 192.0.2.1 over TLS: What is the IP for ‘example.com’?
                                                                                          • 192.0.2.1 asks b.gtld-servers.net.: What is the name server and the DNSSEC keys for ‘example.com’?
                                                                                          • b.gtld-servers.net. says it’s b.iana-servers.net. and the DNSSEC key is “f00bar”.
                                                                                          • 192.0.2.1 asks b.iana-servers.net.: What is the IP for ‘example.com’?
                                                                                          • b.iana-servers.net. answers 93.184.216.34, and the signature is “quux”.
                                                                                          • 192.0.2.1 checks that sign("93.184.216.34", "f00bar") is “quux”.
                                                                                          • 192.0.2.1 answers to Firefox “The IP is 93.184.216.34” over TLS and removes the DNSSEC information.

                                                                                          If the domain is blocked, 192.0.2.1 replies NXDOMAIN right away.
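
The flow described in the comment above, as an added Python sketch that is not part of the original comment: the recursive resolver applies its blocklist first, validates what it fetched upstream, and hands the stub a bare answer with the signature removed. HMAC stands in here for the public-key RRSIG check that real DNSSEC performs, and the function names, the blocklist entry and the tampered address are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data mirroring the walkthrough above.
ZONE_KEYS = {"example.com.": b"f00bar"}         # key material learned from the parent zone
ZONE_DATA = {"example.com.": "93.184.216.34"}   # record held by the authoritative server
BLOCKLIST = {"ads.example.net."}                # RPZ-style local policy (hypothetical entry)


def toy_sign(rdata: str, key: bytes) -> str:
    """Stand-in for an RRSIG. Real DNSSEC uses asymmetric signatures, not HMAC."""
    return hmac.new(key, rdata.encode(), hashlib.sha256).hexdigest()


def authoritative_lookup(name: str, tamper: bool = False):
    """Return (rdata, signature) as the zone's name server would.

    With tamper=True the address is replaced in transit while the original
    signature is kept, modelling a forged answer reaching the resolver.
    """
    rdata = ZONE_DATA[name]
    signature = toy_sign(rdata, ZONE_KEYS[name])
    if tamper:
        rdata = "203.0.113.66"  # constructed forged address (documentation range)
    return rdata, signature


def recursive_resolve(name: str, tamper: bool = False) -> dict:
    """What the resolver at 192.0.2.1 does for one stub query."""
    # 1. Local policy wins: a blocked name is answered immediately and no
    #    upstream query or signature check ever happens for it.
    if name in BLOCKLIST:
        return {"rcode": "NXDOMAIN", "answer": None}

    # 2. Names this toy world does not know simply do not exist.
    if name not in ZONE_DATA:
        return {"rcode": "NXDOMAIN", "answer": None}

    # 3. Fetch the zone key from the parent and the signed record from the
    #    authoritative server, then validate before trusting the data.
    key = ZONE_KEYS[name]
    rdata, signature = authoritative_lookup(name, tamper=tamper)
    if not hmac.compare_digest(toy_sign(rdata, key), signature):
        return {"rcode": "SERVFAIL", "answer": None}

    # 4. The reply to the stub carries no signature. The stub relies on the
    #    TLS channel to the resolver, not on validating DNSSEC itself.
    return {"rcode": "NOERROR", "answer": rdata}


if __name__ == "__main__":
    for qname, forged in [("example.com.", False),
                          ("ads.example.net.", False),
                          ("example.com.", True)]:
        print(qname, "forged" if forged else "clean", recursive_resolve(qname, forged))
```

Because the rewrite to NXDOMAIN happens on the validating side, the stub never sees a signed answer that the policy would contradict.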

                                                                                      1. 1

                                                                                        From the “update” at the bottom:

                                                                                        Go on, bag on me for being ignorant. I know what that really means.

                                                                                        What does that really mean?

                                                                                        1. 6

                                                                                          I took it as a gender bias comment. This is a successful woman in tech who has faced harsh criticism from her peers, over the years, for being a woman in a male dominated industry.

                                                                                          1. 5

                                                                                            I agreed with you since it made sense, but after reading THE ONE from the other comment, I no longer agree. It seems just a screed against internet trolls who work in positions where they never could break prod or, in this case, make database design decisions.

                                                                                            1. 1

                                                                                              Good catch! I bet we’re both right to some extent, however! ;)

                                                                                            2. 2

                                                                                              And how were we to know the gender of the author just by reading the article?

                                                                                              1. 4

                                                                                                Well, that’s easy. She just wrote this post for you.

                                                                                                1. 1

                                                                                                  Touché, missed that line :)

                                                                                                2. 1

                                                                                                  They’re quite a well known blogger and their blog is called “Rachel by the bay”.

                                                                                              2. 5

                                                                                                Her post THE ONE, which she links to in the first paragraph, should make it clearer.

                                                                                                1. 3

                                                                                                  That the commenter is more interested in putting someone down to make themselves feel/appear better than in actually engaging with the content of the article.

                                                                                                  1. 1

                                                                                                    I’m not entirely sure, but I hope the author isn’t too harsh on themselves.

                                                                                                  1. 4

                                                                                                    There’s a lot of ideological language there, but I don’t see the actual point, i.e. how winning this suit would benefit users.

                                                                                                    How does access to the GPL’d source code used in Vizio TVs make it possible to repair the TV? It doesn’t make it any easier to modify the proprietary software in the TV, and it doesn’t provide access to the build system or docs of the specs of the internal hardware.

                                                                                                    And how likely is a TV to fail because of a flaw in the firmware? Usually it’s a hardware failure, or else network-based services fail because the manufacturer turns off the servers they talk to, neither of which is related to this.

                                                                                                    The most likely outcome seems to be that Vizio will just avoid copyleft software in the future.

                                                                                                    1. 21

                                                                                                      IANAL, but if successful, it would set a precedent allowing for companies violating software licenses to be sued by or on behalf of their users, as opposed to the current situation where only the copyright holders themselves are considered to have standing.

                                                                                                      This would be a Good Thing.

                                                                                                      1. 16

                                                                                                        There are some other good comments about direct benefits to users, but I think it’s worth keeping in mind that these kinds of enforcement actions can have really positive indirect benefits as well. For example, a successful enforcement action against Cisco/Linksys years ago laid the groundwork for the OpenWRT project, an open-source wireless router firmware project that supports a wide range of devices today. OpenWRT, in turn, fueled a bunch of important work on low-cost wireless radio equipment in the years since, and shows up routinely in mesh networking and long-distance WiFi projects that support efforts to expand low-cost access to the Internet today (as, of course, one small piece of a larger, mostly non-technical, puzzle).

                                                                                                        1. 5

                                                                                                          Users are entitled to the source code. You shouldn’t have to justify the benefits - they are entitled to it, because that’s the license terms and Vizio is not living up to them.

                                                                                                          If Vizio would rather take on the costs of maintaining another set of software rather than live up to the terms of the license, that’s on them. Their use of GPLed software doesn’t benefit the community if they don’t live up to the license, so there’s no loss if they decide to go that route.

                                                                                                          1. 5

                                                                                                            How does access to the GPL’d source code used in Vizio TVs make it possible to repair the TV?

                                                                                                            The article says so:

                                                                                                            Copyleft licensing was designed as an ideological alternative to the classic corporate software model because it: allows people who receive the software to fix their devices, improve them and control them; entitles people to curtail surveillance and ads; and helps people continue to use their devices for a much longer time (instead of being forced to purchase new ones).

                                                                                                            “run this same nice software, but without ads and data grabbing” is already a very nice proposition for many customers I would say. And having a way to keep the TV (and more importantly, its apps) functioning properly is important as well if you don’t intend to buy a new TV every 5 or so years or however soon the manufacturer decides to stop providing software updates.

                                                                                                            The most likely outcome seems to be that Vizio will just avoid copyleft software in the future.

                                                                                                            I agree that’s probably the net effect of all these GPL lawsuits, and the GPL in general. If a company doesn’t have good intentions, copyleft vs non-copyleft isn’t going to make much of a difference in the end.

                                                                                                            1. 2

                                                                                                              The article answered “why” — I’m asking how technically. What is necessary to allow someone to rebuild a TV’s firmware? It seems likely it would require Vizio to make public some of their proprietary code, which I bet they wouldn’t do. They’d just pay damages instead (assuming that’s an option; IANAL.)

                                                                                                              “run this same nice software, but without ads and data grabbing” is already a very nice proposition for many customers I would say

                                                                                                              Again, ain’t gonna happen. There was a news story a few months ago about how Vizio is making more money from ads and data grabbing than from hardware sales. Making their TVs hackable would imperil their biggest revenue source.

                                                                                                              1. 2

                                                                                                                It seems likely it would require Vizio to make public some of their proprietary code, which I bet they wouldn’t do.

                                                                                                                This was spoken to in a previous post: https://sfconservancy.org/blog/2021/jul/23/tivoization-and-the-gpl-right-to-install/

                                                                                                                1. 2

                                                                                                                  The article answered “why” — I’m asking how technically. What is necessary to allow someone to rebuild a TV’s firmware?

                                                                                                                  Ah, I misunderstood. Well, that’s a good question. Typically though, there are always tinkerers willing to take apart the TV and figure out how to access the flash memory that stores the firmware. But you’re right, Vizio is not likely to tell you how to do it.

                                                                                                              2. 2

                                                                                                                Most smart TVs I’ve ever worked with were rendered useless by unmaintained apps no longer working, especially the browser/YouTube apps. With access to replace the firmware we could put Kodi, Firefox, chromium, whatever is needed on the TV and make it usable again.

                                                                                                                The most likely outcome seems to be that Vizio will just avoid copyleft software in the future.

                                                                                                                I hope so.

                                                                                                                1. 7

                                                                                                                  My LG smart TV purchased recently (last 2 years) does not have support for Let’s Encrypt’s new root certificate, so the situation is much worse than imagined.

                                                                                                                  1. 1

                                                                                                                    not have support for Let’s Encrypt’s new root certificate

                                                                                                                    Oh gosh. Does that mean the TV just can’t open an HTTPS connection to any site using a Let’s Encrypt derived cert anymore?

                                                                                                                    1. 1

                                                                                                                      Yeah, I get a whole bunch of SSL handshake failures in my server-side logs. It’s extremely infuriating!

                                                                                                                2. 1

                                                                                                                  How does access to the GPL’d source code used in Vizio TVs make it possible to repair the TV? It doesn’t make it any easier to modify the proprietary software in the TV, and it doesn’t provide access to the build system or docs of the specs of the internal hardware.

                                                                                                                  If the code is GPLv3 (the article doesn’t say), they would have to provide instructions for installing modified versions of the software.

                                                                                                                  If it’s an earlier GPL version, it would still let consumers know what the software is doing, which could be relevant to privacy concerns or developing external tools to interface with the TV.

                                                                                                                  1. 2

                                                                                                                    If the code is GPLv3 (the article doesn’t say), they would have to provide instructions for installing modified versions of the software.

                                                                                                                    This is also true for GPLv2

                                                                                                                    1. 2

                                                                                                                      No, it’s not - see Tivoization, a problem which GPLv3 was explicitly designed to address.

                                                                                                                      Perhaps you’re thinking of GPLv2’s provisions that (at least IIRC) require distributing any build systems, etc. needed to build the software? Just because you can build it doesn’t mean you can install it on the actual device.

                                                                                                                      1. 2

                                                                                                                        https://sfconservancy.org/blog/2021/jul/23/tivoization-and-the-gpl-right-to-install/

                                                                                                                        Tivoization unfortunately is widely misunderstood. It’s understandable, I’ve never seen a TiVo and I have seen a locked Android bootloader, and the way many people talk about it these sound the same on the surface.

                                                                                                                        What TiVo did was use technical measures to ensure that if you did install your own versions of the freedomware components, their nonfree components would stop working. They did not, it turns out, wholesale block installation of modified freedomware components. This is not a violation of GPLv2 (or, arguably, GPLv3).

                                                                                                                        What many manufacturers do now is block installation entirely. It’s not that the nonfree components will stop working but that the device will reject the installation attempt (or brick itself in some cases). This is a violation of both GPLv2 and GPLv3.

                                                                                                                1. 8

                                                                                                                  I’ve been looking for articles like this. It’s a good article but only covers the outages from one angle. I’d love to see a writeup on what products were affected and why. For instance a bunch of coffeeshops stopped being able to take credit cards because they were using old iPad-based POS terminals that couldn’t handle the certificate change. Things like that broke all over the world, would love to see an analysis.

                                                                                                                  1. 7

                                                                                                                    My smart TV (purchased in 2020!) no longer connects to my Plex server because of this.

                                                                                                                    All it requires is a firmware update that includes the new root certificate from Let’s Encrypt, but we all know how companies are once they’ve got your money.

                                                                                                                    1. 1

                                                                                                                      It looks like Plex is serving the cross-signed chain. If they can fix that I’d guess that at least some of those devices will work again. I don’t have a device that’s affected, but I’ve tried modifying the chain in my Plex server, and it seems to work and not make anything worse.

                                                                                                                      If you want to try that I’m happy to go into what I did. But the real solution would be for Plex to make that change themselves…

                                                                                                                      1. 1

                                                                                                                        It’s a bit late, have already switched over to Jellyfin because Plex have made it clear they’re not going to do anything to improve the situation.

                                                                                                                  1. 4

                                                                                                                    Some kind of clue as to what we’re looking at here and why it is interesting would be super useful.

                                                                                                                      1. 2

                                                                                                                        The search engine calculates a score that aggressively favors text-heavy websites, and punishes those that have too many modern web design features.

                                                                                                                        On my phone at the moment, the above is probably the shortest summary I can find on the About page.

                                                                                                                      1. 4

                                                                                                                        This circumvents Microsoft’s anti-hijacking protections that the company built into Windows 10 to ensure malware couldn’t hijack default apps. Microsoft tells us this is not supported in Windows

                                                                                                                        Uhhh…

                                                                                                                        1. 21

                                                                                                                          Beware companies claiming they do something for the security of their users when it also affects their bottom line. Security, “anti-hijacking” and related terms are often used manipulatively (especially in EULAs!).

                                                                                                                          Restricting browser defaults choice is not an effective security feature for protecting user security or privacy:

                                                                                                                          1. Situation: viewing malware sites and suffering a drive-by-attack: I have no reason to believe Edge to be better (on average) than other major browsers.
                                                                                                                          2. Situation: malware addons: I have no reason to believe Edge to be better (on average) than other major browsers; all addon sites have reports of malware addons or addon authors turning bad (e.g. selling control of their successful addon).
                                                                                                                          3. Situation: malware already running on your computer, wants to change your default browser: by this point it’s too late, making ‘changing the default browser’ more obscure is not an effective defence of a user’s security or privacy.

                                                                                                                          Making it harder for users to change browser (and directly suggesting they do not do it with a little info box when they try, as Win10 does) is an effective method of enforcing market security. That’s not user security.

                                                                                                                          You start to get a sense of manipulation when you read Microsoft’s statements about Edge and privacy:

                                                                                                                          Like all modern browsers, Microsoft Edge lets you collect and store specific data on your device, like cookies, and lets you send information to us, like browsing history, to make the experience as rich, fast, and personal as possible.

                                                                                                                          That’s straight out false. Not “all modern browsers” send information like “browsing history” to their makers. Notice how they have designed this sentence to make it feel normal and acceptable.

                                                                                                                          Whenever we collect data, we want to make sure it’s the right choice for you.

                                                                                                                          Uhuh. Is that the only reason you share data? Somehow you must be making money off this, otherwise you wouldn’t be doing it, right?

                                                                                                                          https://privacy.microsoft.com/en-ca/privacystatement

                                                                                                                          For example, we share your content with third parties when you tell us to do so, such as when you send an email to a friend, share photos and documents on OneDrive, or link accounts with another service.

                                                                                                                          Manipulative writing by businesses like this makes me ill. In a different context (e.g. flyers in your letterbox) this style of writing would be considered scam material.

                                                                                                                          1. 12

                                                                                                                            Mozilla has been trying to convince Microsoft to improve its default browser settings in Windows since its open letter to Microsoft in 2015. Nothing has changed, and Windows 11 is now making it even harder to switch default browsers.

                                                                                                                            Microsoft and anti-competitive practices go hand in hand, nothing to be surprised about.

                                                                                                                            1. 4

                                                                                                                              Was more concerned about the obvious security implications! If ff can do it, what is stopping malware from doing it?

                                                                                                                              1. 15

                                                                                                                                Likewise if Edge can bypass the mechanisms in the background, what’s stopping malware from doing it? Or apparently Firefox 😆😭

                                                                                                                                1. 4

                                                                                                                                  Yep. I’m in a slightly weird position here: I think Microsoft is right to lock down that API; I just think they’re wrong for unlocking it for Edge. So I’d prefer neither Mozilla nor Edge could pull this stunt.

                                                                                                                                  1. 2

                                                                                                                                    Theoretically the mechanism could check that the software performing the bypass comes from Microsoft (via cryptographic signature) and is therefore “safe”. It is possible for Microsoft to allow Edge to bypass it and nothing else.

                                                                                                                                    I’m actually sort of surprised they didn’t, but I guess doing it properly would have taken more work.

                                                                                                                                    1. 2

                                                                                                                                      Or perhaps it was a silent protest by the engineers involved to allow Firefox to do this.

                                                                                                                                  2. 6

                                                                                                                                    Nothing, of course, which isn’t too surprising, as this is pretty unlikely to have ever been about malware in the first place. If it had been, we’d have seen a real, secure API exposed to developers, whereas this is barely security by obscurity.

                                                                                                                                    1. 4

                                                                                                                                      Nothing is stopping malware engineers from adding associations; SetUserFTA has been available for years.