1. 2

    I’ve noticed this a couple of weeks ago, but mentally filed it under “crates-io already has a squatting problem” and didn’t think of reporting it.

    1. 2

      I wonder what would be a good anti-squatting approach. Keep track of requests for packages that aren’t there (hmm, caches would interfere) and then alert if someone creates one with that name? And then what, edit distance stuff?

      1. 5

        I mean github doesn’t have a problem because packages are user/package . It seems that would have been better than what crates.io does imo.

        1. 6

          Original rationale for not using namespacing:

          https://internals.rust-lang.org/t/crates-io-package-policies/1041

          1. 1

            Interesting to read, don’t agree with it, but thank you for linking.

            1. 2

              The discussion comes up every now and then to the point where everyone gets annoyed. That’s obviously a bit unfair to people that don’t have the history.

              Not that I don’t see the point (and it’s fine to raise it), but mostly because the discussion does not move forward and every argument was there already.

              I do, btw, not agree that the GH model solves many things; there’s an additional bit of info you need: whether a repo is a fork or an original, etc. It also has problems, as it uses that namespace as the only way to differentiate. GitLab, with its habit of using teams and tags, is much better in that regard, IMHO.

              1. 1

                I specifically meant to stop name squatting and impersonation in the parent comment, there are tradeoffs sure.

        2. 1

          In this particular case crates-io could have blocked/reserved renamed crate names. Someone has grabbed getrandom_package already (the juiciest target — name used in the top rand crate). Unfortunately, crates-io doesn’t want to get involved in crate ownership disputes/squatting/spam (I get why — it’s a slippery slope & huge resource drain on “customer support”, but I’d prefer them to at least show some teeth in the most obvious cases).

          For squatting in general there’s no good solution. Some people called for GitHub-like namespacing, but that a) moves the goalpost from grabbing good crate names to grabbing good usernames, b) popular crates are by users with bizarre usernames you wouldn’t remember, c) is a huge question mark what to do with existing 30000 crates, without ending up with some 2-tiered/legacy system.

          The closest one that I could think of was allowing people to reserve name prefixes, such as tokio-*. That is backwards compatible with existing Cargo and Rust syntax.

          1. 2

            You can grab a good username, but you can’t steal a name from an existing account.

            On crates.io I can just take hyper2, on github I can’t take hyperium/hyper2 . To me that is a pretty big difference.

            1. 1

              Spitball idea that no one wants: Add a “checksum” to package names. You might typo “foobar” as “foobaz”, but you won’t typo “foobar-2js” as “foobaz-z1h”. :-P

              1. 2

                We should just name every package a GUID, that way no one will confuse them!

                1. 2

                  The 2 is not a typo, it is a successor version. Similar to how sqlite is actually sqlite3. I’m not sure how your checksum idea would help at all.

                  1. 1

                    Ah, yeah, wouldn’t help with successor versions, that’s a good point.

          2. 1

            An implementation of a tiered namespace wouldn’t be too hard to implement. You just use double-underscore in the crate name as a name separator, which could be translated to / as sugar in Cargo if you want. Crate names remain valid Rust identifiers and Everything Just Works. There’s no real legacy problem ‘cause there’s a grand total of one crate that has __ in its name, and existing crates just live in their own top-level namespace separate from user namespaces. A proof of concept wouldn’t even be hard, ’cause you just reject crates from user foo that titled foo__cratename.
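The checks proposed in the comments above (edit-distance alerts, reserved prefixes such as tokio-*, and `__` as a namespace separator), sketched together as an added example that is not part of the thread and is not crates.io code. `Registry`, `Verdict`, `check`, the sample names and the distance threshold are all assumptions, and the `__` rule is read here as: `foo__crate` is accepted only from user `foo`.

```rust
// Added illustration, not crates.io code. Every type, name and threshold is hypothetical.

/// Largest edit distance that still counts as a lookalike (assumed value).
const MAX_DISTANCE: usize = 1;

#[derive(Debug, PartialEq)]
enum Verdict {
    Accept,
    /// `owner__crate` published by an account other than `owner`.
    RejectNamespace { owner: String },
    /// Name starts with a prefix reserved by another account.
    RejectReservedPrefix { prefix: String, owner: String },
    /// Close to an existing name: hold for review instead of publishing.
    FlagLookalike { existing: String, distance: usize },
}

struct Registry {
    existing: Vec<String>,                    // constructed sample of taken names
    reserved_prefixes: Vec<(String, String)>, // (prefix, owning account)
}

/// Fold case and treat `-` like `_`, so `a-b` and `a_b` compare equal and
/// `owner--crate` cannot dodge the namespace rule.
fn normalize(name: &str) -> String {
    name.to_ascii_lowercase().replace('-', "_")
}

/// Levenshtein distance over bytes (names are assumed to be ASCII).
fn levenshtein(a: &str, b: &str) -> usize {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for (i, &ca) in a.iter().enumerate() {
        let mut cur = vec![i + 1];
        for (j, &cb) in b.iter().enumerate() {
            let subst = prev[j] + usize::from(ca != cb);
            cur.push(subst.min(prev[j + 1] + 1).min(cur[j] + 1));
        }
        prev = cur;
    }
    prev[b.len()]
}

impl Registry {
    fn check(&self, name: &str, publisher: &str) -> Verdict {
        let norm = normalize(name);

        // 1. Namespace rule: the part before `__` must be the publisher.
        if let Some((ns, _rest)) = norm.split_once("__") {
            if ns != normalize(publisher).as_str() {
                return Verdict::RejectNamespace { owner: ns.to_string() };
            }
        }

        // 2. Reserved prefixes: only the reserving account may publish under them.
        for (prefix, owner) in &self.reserved_prefixes {
            if norm.starts_with(normalize(prefix).as_str()) && owner.as_str() != publisher {
                return Verdict::RejectReservedPrefix {
                    prefix: prefix.clone(),
                    owner: owner.clone(),
                };
            }
        }

        // 3. Lookalikes: nearest existing name within MAX_DISTANCE edits.
        //    Distance 0 is an ordinary "name taken" case and is left to the registry.
        let closest = self
            .existing
            .iter()
            .map(|e| (levenshtein(&norm, &normalize(e)), e))
            .filter(|(d, _)| (1..=MAX_DISTANCE).contains(d))
            .min_by_key(|(d, _)| *d);
        match closest {
            Some((distance, existing)) => Verdict::FlagLookalike {
                existing: existing.clone(),
                distance,
            },
            None => Verdict::Accept,
        }
    }
}

/// Constructed sample data for the demonstration.
fn sample_registry() -> Registry {
    Registry {
        existing: ["hyper", "tokio", "rand", "foobar"].iter().map(|s| s.to_string()).collect(),
        reserved_prefixes: vec![("tokio-".to_string(), "tokio-team".to_string())],
    }
}

fn main() {
    let reg = sample_registry();
    let attempts = [("hyper2", "mallory"), ("tokio-extras", "mallory"), ("hyperium__hyper2", "hyperium")];
    for (name, who) in attempts.iter() {
        println!("{} by {}: {:?}", name, who, reg.check(name, who));
    }
}
```

A successor-style name such as hyper2 lands in the review queue here because it is one edit away from hyper; a registry would still need a way for the real owner to clear that flag.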

          1. 1

            While interesting, this guide is severely outdated. GitHub supports changing the base branch of a PR. While I agree that it’s nice to use stacked PRs, I can’t agree with the approach here, for it advises to merge into PRs, making the history a total mess.

            1. 3

              I think the merging they’re talking about is merging changes made in response to review comments “down” into the downstream PRs; they’re then squashing and merging back up the chain, so in the end on master you get the whole series in a single commit.

              1. 1

                Oh, I miss the last squashing. But that kind of defeats the whole purpose of having small, isolated commits. Now, when there is an issue in production, and bisect pinpoints to this commit, good luck to whomever needs to deal with it to pinpoint the exact change that caused the failure.

            1. 3

              This looks pretty great! Moving to CMake seems like the smart move, and I’m super psyched at their continued level of investment in Python.

              Kinda sad about their intent to move away from OpenGL and to Vulkan, Metal and Direct3D though. I guess the idea of one 3D graphics API to rule them all is dead?

              1. 4

                Apple claims that they’re going to remove opengl support from MacOS at some unknown point in the future, Qt is just preparing for that I guess.

                1. 4

                  Apple is super annoying these days :) (I mean, I know they always have been, but lately I feel like they’ve turned it to 11, or maybe just in areas I care about!)

                  I wonder if Vulkan is a possibility on OSX. Betcha it will be once all the game studios start writing for Google Stadia (Ungh.)

                  1. 10

                    There is moltenvk, which implements (a subset of) vulkan on top of metal.

                    1. 8

                      And gfx-portability too.

                2. 2

                  My understanding is that OpenGL is a pain to use in general, not just cuz of driver stuff but that the API itself is not something that (notably) game developers enjoy using.

                  So there aren’t too many people going to bat for OpenGL

                  1. 1

                    I thought that Vulkan is supposed to be the new “one 3D graphics API to rule them all”?

                    1. 3

                      Not without Apple’s buy-in it won’t be.

                    2. 1

                      Moving to CMake seems like the smart move

                      I’m a little disappointed that they’re dumping QBS development on the “community”. My impression is they went straight from “Technology preview” to “We’re not going to continue developing QBS because noone’s using it” without any sort of “QBS is ready now, please try it” announcement.

                      1. 1

                        Aren’t you supposed to be able to throw away prototypes?

                        1. 1

                          Absolutely, but not with the justification that customers weren’t using them.

                          Edit: “details” can be found in this mailing list thread if you’re interested: https://lists.qt-project.org/pipermail/development/2018-October/thread.html#34023

                    1. 3

                      I’m at SIGGRAPH this week! If any other graphics lobsters (or geo-ducks) want to grab a coffee or something you should message me.

                      1. 1

                        Generally, there’s a way to ‘work-around’ warnings like that on a case-by-case basis. For instance, [[fallthrough]] (or __attribute__((fallthrough))) for fallthrough in switch; or if ((a=b)) instead of if (a=b). Will there be such a thing for this? If what I actually want is 2^32? I saw proposed in the thread that the warning shouldn’t be present for hex/binary literals, but I don’t consider that a full solution.

                        1. 2

                          If what I actually want is 2^32?

                          2^32 == 2 | 32, so why not just use the latter?

                          1. 1

                            10^7 != 10|7, so what do you do there?

                            1. 2

                              It’s 13.

                          2. 2

                            It is hard for me to imagine a use-case for 2^32, and very easy for me to imagine use cases for 1 << 32; when are you thinking you would use int-constant '^' int-constant? I could see xor-ing bitfield flags or something, but then usually you’re doing something like MASK1 ^ MASK2 using names instead of literals.

                            1. 1
                              #include <stdint.h>
                              #include <stdio.h>
                              int main() {
                                 printf("%u\n", UINT32_MAX);
                              }
                              
                            1. 2

                              This is great, I’ve wanted something like this for almost a decade!

                              1. 2

                                I love the word “hobbiest” in the print ad; it feels like they’re trying to distinguish it from the others, which are presumably not as hobby as the hobbiest one.

                                1. 1

                                  There seems to be no way to open/close the details element based on display dimensions (css media queries), which is a real shame.

                                  My intent is to have a collapsible navigation (nav) element that only defaults to opened, when there is enough space. My current approach is using a heavily styled/misused checkbox element with onclick event handling, which feels a bit wrong to me

                                  1. 1

                                    You should be able to do the checkbox hacks method with no JS (clickable area is a label, checkbox itself is adjacent to the bit that needs unrolling). Pretty yuck though.

                                    1. 1

                                      I did that with just CSS before, following some online guide. It works, even if it feels hacky.

                                      But at least there is no JavaScript.

                                      1. 1

                                        Ah, true. But still a bit meh :)

                                      2. 1

                                        Another Bad Hack you could do is put the same content in a details tag and a <div class=nodetails>, and use a media query to display:none either details or .nodetails depending on browser size, but that also kind of sucks, because now you’re sending two identical copies of the same data.

                                        1. 1

                                          It’s just a tiny navigation element. I’ll consider it. Thanks.

                                      1. 3

                                        I am really not a fan of the “considered harmful” trope that people seem to love now, and the reasons presented here (matching ASR and a vague notion of “singularity”) are not motivations I find especially convincing, but I do agree with the pragmatic reasoning in the appendix thing: floored division/modulus makes array indexing a lot easier. I end up doing a lot of

                                        int idx = v % list.size();
                                        if (idx < 0) idx += list.size(); // % keeps the sign of v, so shift a negative remainder into range
                                        return list[idx];
                                        

                                        When it sure would be nice to do list[v % list.size()]. I do wonder what the reasoning behind the default of symmetric division is; this article doesn’t get into it much, only focusing on the downsides, but I feel like smart people made this decision and they must have had their reasons, too.

                                        1. 4

                                          Personally I use floored division - but I get the reasoning. This will be surprising to some people:

                                          Math.floor(-7 / 3);
                                          -3
                                          

                                          versus the current status quo:

                                          Math.trunc(-7 / 3);
                                          -2
                                          
                                          1. 2

                                            Oh right, of course. Put another way, symmetric division has the property that it is the truncation of the proper real-number result, because truncation as an operation “rounds” towards zero. Thanks!

                                        1. 2

                                          One thing that hasn’t really been mentioned yet is Apple’s deprecation of OpenGL; when you’re playing catch-up (like MacOS is in the desktop gaming market), a good way to scare developers off is to signal that your distant-second platform is going to require more maintenance than the one most of your players are probably already using. Whatever you think about the reasoning behind the OpenGL deprecation, I think it’s bad dev-marketing to signal that you’re willing to get rid of really core APIs. It’s kind of similar to the complaint often lodged against Google when they shut down products: if you’re willing to shut this down, why would I trust you to not shut down the next one?

                                          Meanwhile in Windows-land, the APIs are rough around the edges and there’s a million ways to do everything because of all of the built-up cruft, but I can still run Age of Empires 2, a game that came out 20 years ago, on my Windows 10 machine. It’s definitely a different philosophy and there are reasons to prefer both, but I can certainly see the appeal of Windows’s strategy for game devs.

                                          1. 4

                                            I’m so excited for this. WSL is great, but I’ve gone through four or five different third-party console applications and none of them have been quite as good as my favorite terminal emulators from Linux-land; I just want a bare-bones, good-looking window, and most Windows consoles only give me one or the other (who wants two toolbars full of icons on a console?!). Here’s hoping Microsoft delivers!

                                            1. 6

                                              Ditto. cmder comes closest, but a good shell can’t hide the underlying suck that is the Windows CONSOLE in all its MSDOS compatible glory.

                                              1. 2

                                                I’ve enjoyed using mintty with WSL. It’s been able to handle most of my cases well (fancy colors/italics/relatively low latency).

                                                1. 1

                                                  Yes but can it handle cutting and pasting huge multi-page blocks of text without falling on its face?

                                                  1. 3

                                                    I regularly cut multiple page log outputs (stdout), and paste large chunks of text into vim. I’ve not experienced any problems.

                                                    1. 2

                                                      That sounds like an XY problem. If you need something like that you should probably be using a file input, or redirecting the clipboard to standard input, or writing a script. I’m not excusing slow terminals but there is just not a good use case that I can think of, where pasting a big chunk into terminal is the best way to do it.

                                                      1. 1

                                                        I agree totally, this is a particularly sub optimal workflow which I have no choice but to use. We’re working to get away from it but for now we’re stuck.

                                                        1. 2

                                                          Why not a windows equivalent of pbcopy on MacOS? You can pipe anything to it and it goes straight into your C&P buffer.

                                                2. 3

                                                  Alacritty worked great for me, and it is the same terminal emulator as everywhere

                                                  1. 5

                                                    I had no idea alacritty worked on Windows! That’s what I use on Linux and I love it. Thank you thank you myfreeweb :)

                                                1. 4

                                                  If it’s a reputable organization, they’re serious about hiring, and you want this position then do the exercise.

                                                  I ask folks all the time in interviews how’d they build something practical that I’m currently in the process of building. Or more precisely I’ll ask about a difficult piece. I want to know how the applicant thinks compared to myself.

                                                  Now I don’t believe in giving homework. Any coding/design exercises done onsite.

                                                  1. 1

                                                    That makes sense to me, and I’ve done the same as an interviewer. I was willing to go with the questions that they asked me during the interview, because I understand that I need to demonstrate my expertise. I wonder, though: do you feel like there’s a line where that sort of questioning (pointed “how would you solve this problem that we’re stuck on” type questions) becomes unethical, or at least questionable?

                                                  1. 35

                                                    If they want you to do consulting as part of your interview, they can pay.

                                                    1. 8

                                                      This is how I feel as well. I emailed them saying basically this: that I would be happy to prepare the presentation for my standard consulting rate. We’ll see what they say.

                                                      1. 3

                                                        This is what we do in our hiring process. We give the candidate 3 options:

                                                        • Pair-program/discuss a side-project of their own
                                                        • Pair-program/discuss our codebase (which is open-source)
                                                        • Pair-program an exercise like exercism.io (with follow-up discussion)

                                                        We still didn’t decide on paying the other two, but we pay for the work they do on our project.

                                                        1. 3

                                                          This sounds fun, please interview me lol

                                                          Honestly, I have found that companies that offer a slew of offerings like this usually have some of the best workplace cultures.

                                                          1. 2

                                                            I definitely feel like we do. The tech team is remote and it’s still early-days in building team culture (company is around 18 months old), so we have a lot of challenges ahead.

                                                            1. 2

                                                              Good luck!

                                                      1. 8

                                                        For the next two days, I’m gainfully unemployed, and then on Wednesday I’m starting a new job writing Kotlin for a small nonprofit, which will be a pretty big shift from my past few years of professional experience mostly writing CRUD apps in Java for large for-profits. Today has been mostly relaxing with a few household chores thrown in; tomorrow I think will be bootstrapping my knowledge of Kotlin (which I’ve never used before), with a few household chores thrown in.

                                                        In the spirit of giving and receiving advice, I’d like to offer: even if you’re happy with your current job, it’s worth it to look periodically at openings. I was happy with my previous job, but I’m far more excited about my next one. And I’d like to ask: what do people recommend when starting a new job? Little rituals, ways of making introductions or reining in anxiety? I don’t have any plans more concrete than showing up, getting my laptop set up, and trying not to make an ass of myself in front of anyone who doesn’t know me yet.

                                                        1. 4

                                                          How does one find a job at a non-profit, any tips? I think it would be a good job for the soul. Good luck with your new start :)

                                                          1. 5

                                                            Thanks! In my case, it was “know people who are there, and apply”. The application process was not meaningfully distinguishable from that at the for-profit companies I’ve applied to. Based on what I’ve seen so far, I think my advice would be to find organizations you like and then check their job listings, like you would do with a for-profit entity.

                                                          2. 3

                                                            I have a plant and a keyboard that follow me from desk to desk when I change jobs, I find having a little bit of familiar desk detritus makes a new place feel less imposing!

                                                            1. 2

                                                              My keyboard and mouse will come on Thursday; I like to scope out my workspace before I haul them in. I have a goofy funko pop Vivec who watches over my desk, but I should get an office plant. My jade tree at home has a bunch of seedlings I could repot.

                                                            2. 2

                                                              Altruism. Congratulations!

                                                              I’m planning to do the same. To find a non-profit where my design and development skills would be more useful than now, when they serve profit. Right, website selling ads.

                                                              Any tips where to look at? Thanks :)

                                                            1. 10

                                                              Interesting that Zig is now specified with a PEG!

                                                              https://ziglang.org/documentation/0.4.0/#Grammar

                                                              https://github.com/ziglang/zig-spec/tree/master/grammar

                                                              Congrats on the release – it looks like there is a ton of momentum on the project!

                                                              1. 8

                                                                And not just any PEG; a delightfully short one. It’s so nice when languages have simple grammars.

                                                              1. 6

                                                                Applying for jobs :( My company is going out of business in slow motion (CEO just went to prison, company has run out of money, people are being asked to work for free) so I’m pretty much a full-time job seeker now. I hate to be That Guy, but if anyone is looking for a person who knows software engineering, graphics and geometry really well, message me!

                                                                1. 5

                                                                  Cross comment from HN:

                                                                  Show us the server: https://github.com/keybase/client/issues/6374

                                                                  1. 7

                                                                    this is not really relevant to the security claims in the article IMO. It is important separately of course.

                                                                    1. 6

                                                                      I would love it if drive-by passive aggression like that comment from HN stayed on HN.

                                                                      1. 12

                                                                        That was painful to read. Such entitled attitudes.

                                                                        1. 2

                                                                          yep, and unfortunately some of them come from lobsters.

                                                                        2. 7

                                                                          This is important, IMHO. At this point keybase is yet another walled garden. Investing in them means that you are subjected 100% to their whims and future success (or lack thereof). It’s painful when your communication is shut down because a company decided to go do something else, or close up shop.

                                                                          1. 4

                                                                            It isn’t. If the claims are true, that things are encrypted on the devices, which they seem they are (and the source is open source) then it doesn’t matter what happens on the server from a security perspective.

                                                                            1. 1

                                                                              Nope, it definitely is. You may be able to recover your data, but you’ll then be searching quite urgently for a service to replace it since the proprietary server stuff is unavailable.

                                                                          2. 2

                                                                            How about you spend 8 hours a day and make a great library that Keybase will really want to use in their backend, and make your library use GPLv3. Then they will have to open source.

                                                                            That’s not true. If the backend is not distributed to anyone then it would not need to be open source.

                                                                            1. 1

                                                                              Is this also true of the AGPL?

                                                                            2. 0

                                                                              I don’t have a clear understanding of how keybase server works. Can someone provide details.

                                                                              1. 2

                                                                                https://keybase.io/docs/server_security has details about what the server is responsible for, and what clients trust and verify from them.

                                                                            1. 8

                                                                              I know the “Javascript is a memory hog” horse has been beaten to death over and over again, but truly, sincerely, purely from curiosity: what is causing node to use 600MB of memory for a static file server? Does node/v8 preallocate that much? Is there just 600MB worth of libraries that are loaded by default?

                                                                              1. 2

                                                                                Note: WireGuard is a registered trademark of Jason A. Donenfeld.

                                                                                Does that mean Jason Donenfeld can legally sue them for a noncompliant implementation?

                                                                                1. 10

                                                                                  It just means they can’t call it “wireguard”, which I suspect is why the name is BoringTun and not something more wireguard-ey. Trademark prevents other people from using your name (or logo or whatever) to make it seem as if something they’re selling came from you. It prevents me from calling my webmail service “gmail”, but it doesn’t prevent me from saying “gmail-compatible” or whatever.

                                                                                  1. 3

                                                                                    No, that’s not how trademark works. You are thinking about patent and licensing of patented API.

                                                                                  1. 7

                                                                                    While this is true, the simpler code encodes an assumption (only two kinds of things), and if that assumption is violated it fails silently.

                                                                                    Why not make that assumption explicit?

                                                                                    If lemon {
                                                                                      do lemon
                                                                                    }  else if lime {
                                                                                      do lime
                                                                                    } else {
                                                                                      panic("not a lime or lemon")
                                                                                    }
                                                                                    

                                                                                    (or a default case on your switch/case if you don’t don’t like switch-case).

                                                                                    In this case, as long as the code is at least run some time after the assumption is violated, you’ll find the place to fix. This is the same promise that exhaustive case handling for enumerations gives, except at runtime rather than compiletime.

                                                                                    I don’t think this adds any significant complexity and better documents what is going on (the code is more clear).

                                                                                    If you find lots of places where you need this panic, that’s probably a sign that this choice (lime/lemon) is being made in too many places and you perhaps need a different abstraction.

                                                                                    1. 5

                                                                                      It depends which language you’re using, but this can make the problem worse instead of better. For example, if you have a C++ switch statement which switches on an enum type, most modern compilers will warn you about enum values which aren’t handled in the switch. This means that when you expand from lemons and limes to include oranges, without a “default: panic(…);”, the compiler will point out all the places where you haven’t handled oranges. With the “default: panic(…);”, you don’t find out until you happen to hit that particular bit of code with an orange at runtime.

                                                                                      Where possible, I would recommend using the compiler to check that your functions are total. e.g. Idris, Haskell’s -fwarn-incomplete-patterns, Rust’s pattern matching, etc.

                                                                                      1. 5

                                                                                        We’re getting kind of in the weeds here but there’s a GCC warning that handles this correctly, and lets you use default while still warning when you add a new enum value: -Wswitch-enum:

                                                                                        Warn whenever a switch statement has an index of enumerated type and lacks a case for one or more of the named codes of that enumeration. case labels outside the enumeration range also provoke warnings when this option is used. The only difference between -Wswitch and this option is that this option gives a warning about an omitted enumeration code even if there is a default label.

                                                                                        I’ve found this useful when I’ve written deserializers that can switch over some constant loaded from a file; you can still put the default: goto fail; clause in to handle invalid data, but you’ll get warnings when you add a new enum value without adding it to the switch.
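The split these comments describe, a runtime reject path for invalid data plus a compile-time check that every enum value is handled, shown in Rust (one of the languages named above) as an added example that is not from the thread. The tag values, `Citrus`, `UnknownTag`, `juice_ml` and the per-fruit numbers are made up for illustration.

```rust
// Added illustration: untrusted tag bytes are rejected at the parsing boundary,
// while code that works on the parsed enum has no catch-all arm, so adding a
// variant is a compile error everywhere it is not yet handled.
use std::convert::TryFrom;

#[derive(Debug, Clone, Copy, PartialEq)]
enum Citrus {
    Lemon,
    Lime,
}

/// Error for a tag byte that names no known variant (hypothetical type).
#[derive(Debug, PartialEq)]
struct UnknownTag(u8);

impl TryFrom<u8> for Citrus {
    type Error = UnknownTag;

    fn try_from(tag: u8) -> Result<Self, UnknownTag> {
        match tag {
            0 => Ok(Citrus::Lemon),
            1 => Ok(Citrus::Lime),
            // The only catch-all lives here, where the input is raw bytes.
            // It plays the role of `default: goto fail;` in the C version.
            other => Err(UnknownTag(other)),
        }
    }
}

/// No `_` arm: adding `Citrus::Orange` makes this function fail to compile
/// until the new case is written.
fn juice_ml(fruit: Citrus) -> u32 {
    match fruit {
        Citrus::Lemon => 45,
        Citrus::Lime => 30,
    }
}

/// Decode a record of tag bytes, stopping at the first invalid one.
fn total_juice(record: &[u8]) -> Result<u32, UnknownTag> {
    record
        .iter()
        .map(|&tag| Citrus::try_from(tag).map(juice_ml))
        .sum()
}

fn main() {
    // Constructed sample records: one valid, one with a bad tag byte.
    println!("{:?}", total_juice(&[0, 1, 1]));
    println!("{:?}", total_juice(&[0, 7, 1]));
}
```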