1. 11
    • Semver allows me to break compatibility in major releases. The author recommends not to, and to support old interfaces for years. The latter is out of the question for hobby projects. The package manager of the language I use (e.g. Cargo, npm) is able to deal with this just fine. Apt is not.
    • Cargo or npm allow me to lock all versions in my dependency tree and to restrict version ranges. Especially the latter is necessary for API breakages (in compliance with semver) to not be a problem. Again, it’s only apt that is not able to deal with this. Cargo or npm can resolve this conflict automatically and find appropriate versions, or do version splits if necessary. In Debian packaging, version splits are a manual task done by a person, which, to me, is the actual friction here.

    As an application developer I don’t see why I should need to work around the deficiencies of distributions’ package management systems, especially when those deficiencies are admitted by the author. I am not convinced that I, as developer, should bother with Debian. All of the arguments in “why Debian?” are from the perspective of an end user.

    The existence of Debian “stable” is actually a reason why I avoid Debian as a developer. Because what Debian considers “stable” comes at a price I don’t want to pay.

    In that sense I resonate with the post by Joey Hess much more than with this one. Because I really think it’s the distros who have a problem here. Not me. I can just statically link everything, put the resulting binary in a PPA and never need to bother with any of this.

    1. 11

      Everything made a lot more sense to me when I started to think about the fact that the npm model assumes that code is being deployed by a team of full-time developers who are paid to stay on the upgrade treadmill and work thru all the integration issues of pulling in different pieces that have never been tested together. In this context, you can’t afford to wait for a stable release of a whole distro; you’ve got the bandwidth and expertise and test infrastructure to handle making it work with just the pieces you know you need. But forcing the end-user to be responsible for that kind of integration would be a nightmare.

      1.  

        The npm model works because it’s being deployed on top of a stable Debian system.

      2.  

        The package manager of the language I use (e.g. Cargo, npm) is able to deal with this just fine. Apt is not.

        Apt is perfectly able to cope with complex versioned dependencies, including “not compatible with libs < this version” and “this random point release actually changed the API so all the dependencies need to care about it, even though the developer claims otherwise”.

        Exactly what feature do you think apt is missing?

        1.  

          Version range restrictions (particularly upper bounds) are the default in Cargo and npm, while in apt they are only used if actually necessary. They’re not necessary if no breakage happens. That is the friction in apt for actually using semver to its full extent.

          It’s more of a policy or best practice question than a technical one, but it doesn’t matter.

      1. 18

        I completely agree. The more I end up doing at work the less I end up doing on my own time. I am confident in my abilities to build, to learn, to grow, and the company that employs me believes in growing its employees. I spent a bulk of my free time on other stuff like audio production, photography, cooking, etc. You become one dimensional as a human if you only do one thing, and that goes for anything - not just software development.

        1. 17

          The more I end up doing at work the less I end up doing on my own time.

          I have definitely found this to be true, in a way. When my work project is interesting and clearly defined, meaning I am able to make good progress and feel like I’ve actually “done” something, I tend to write a lot less code on my own time. So programming on my own time is kind of a creative release “valve” that gives me an outlet when work doesn’t.

          1. 5

            Sometimes I satisfy my compulsion to create when it isn’t being satisfied at work by cooking.

            1.  

              So programming on my own time is kind of a creative release “valve” that gives me an outlet when work doesn’t.

              This is exactly how it works for me.

              And if you see that I’m writing an operating system that aims to replace the whole stack from dynamic linking to JavaScript-enabled browsers with simpler and more effective solutions, you might get an idea about my deep frustration with hyped mainstream technologies.

              Without Jehanne I could simply explode.

            2. 5

              I also agree. I’m not as experienced as some people since I’m just a junior developer, but I’ve tried forcing myself to code in my free time and it just didn’t work out for me personally: either I would get burnt out and lose interest, or just not do it right at all. Now I’ve found other hobbies that I enjoy and do them when I can, and I’ve found that coding in my free time came from sudden ideas. Recently I’ve been coding a Discord bot and it has been slow going, but it’s been far more enjoyable than forcing myself to code at any given time.

            1. 2

              It’s really useful for APIs to be opinionated. As an API user I can expect all promises to behave similarly. If I want to build an abstraction with different opinions I can do that. After all Promises can be polyfilled so an equivalent with different opinions presumably could be too.

              1. 8

                Seems like the old MS strategy of embrace, extend, and extinguish. This already happened with Google Talk that was using Jabber, then got rebranded as Hangouts with a proprietary protocol. Open standards are the only thing that makes the internet possible, and every large company is trying to find a way to create its own walled gardens to lock in the users.

                1. -2

                  You do realize that AMP is entirely standards based right? My sarcasm detector misfires sometimes.

                  1. 13

                    What standard? It isn’t standard HTML.

                    Inventing some custom tags and a forced-down-everyones-throat js renderer for said tags, a standard does not make.

                    The amp project website is registered to Google, and realistically the “project” is controlled by google.

                    If you think anything google does re: AMP is anything but a massive power grab for even more control over the web, you’re incredibly naive.

                    1. 12

                      Compliance with the AMP standard requires loading the AMP framework from a Google-controlled server, and all content being cached by Google.

                      Something is an open standard if everyone can have input in it, and if they can entirely self-host it and gain all the benefits.

                      If I self-host AMP entirely, the requirement (loading the framework from Google’s server) is not met anymore, same if I ban the Google AMP cache and use my own. In both cases, I will not get any of the AMP search benefits, and Google will declare my AMP invalid.

                      Valid AMP is, by definition, a proprietary product.

                      1. 3

                        The problem is that Google is changing the nature of email. Going back to GTalk example, Google started with an open standard, and then kept updating the protocol until it became mostly incompatible with third party clients.

                      1. 2

                        I used to run a few geographically distributed DNS and MX servers for my own domains. I stopped like 15 years ago. A couple of nights ago I had a nightmare that I was running my own MXes again. An actual nightmare.

                        1. 2

                          Hanging out for x86-64. I don’t have old Alphas or VAXen lying around.

                          1. 1

                            Alpha might (can’t overemphasize might) still be worth buying if you do concurrent or predictable software esp as hobby. Aside from relatively-simple RISC, the reason would be PALcode. That’s like doing microcode-level stuff with plain assembly language. One example is making arbitrary collections of instructions atomic by encoding them as a single instruction in PALcode. You also get the benefit they run while everything is still in cache and all. Intel added it to Itanium but I don’t know if it’s user-facing. For safety/security, you could do stuff with checks built-in or bring a HLL closer to the metal.

                            It was really neat. The boxes were also pretty reliable. Too bad they died off until we had just a few companies controlling a few ecosystems.

                            1. 1

                              Don’t forget Itanium - you can pick up a pretty decent system on eBay for not much - look for an HP rx2600/2620 or the workstation version, the HP zx 6000.

                              Of course, there’s always SIMH - there are many SIMH/OpenVMS/VAX emulation guides online, eg, this one. OpenVMS support for the VAX ended with version 7.3 though.

                            1. [Comment from banned user removed]

                              1. 3

                                Accusations of bribery are really a low blow.

                                1. [Comment from banned user removed]

                                  1. 5

                                    It’s a tech acquisition, so the profit of the company is of no interest.

                                    The technology of RIL is of interest for Mozilla, which is the vendor of Firefox, but also so much more.

                                    Also, I kind of shrug at “10s of millions”. A million is about the price you need to hire 5-10 engineers for a year, depending on where you are. Software is expensive.

                                    Jumping to bribery without anything else but pointing at “they bought a non-profitable company” is malicious, yes!

                                    1. 2

                                      The technology of RIL is of interest for Mozilla

                                      How so? It’s yet another rehash of that trivial “save web pages for offline/later reading” concept. No technological innovation whatsoever, no interest among Firefox users either.

                                2. 1

                                  If you want to choke just read the Mozilla Foundation’s financial disclosures

                                  1. 2

                                    Where are these hosted? I can only find general accounting information, without specific spending breakdowns.

                                1. 1

                                  I find rust hard because the way it hides complexity feels different. Macros seem to be necessary to offer usable APIs but make me feel like I’m missing some important details.

                                  I expect I’ll be able to get over this but it makes me choose other tools when I want to get something done.

                                  1. 1

                                    Maybe when the bubble bursts I can pick up a second hand card cheap.

                                    1. 1

                                      Just be careful on how it’s been used. If it’s been running 24/7 mining without adequate cooling it may have a limited lifespan.

                                    1. 1

                                      I’m more familiar with this on iOS than Android because I was researching ways to provision protected wifi networks for end users. These were the only way we could find to add usefully secure credentials, but the UX and UI suck. And there’s basically no way for the end user to know what you’re asking to do to their device :-(

                                      1. 0

                                        I have this horrible horrible feeling that Rust is becoming the new Perl. This all reminds me of when Perl added “object orientation” and things became more confusing and hard to understand for passers by like myself.

                                        1. 5

                                          Every serious new language needs to be able to solve the c10k problem; we knew Rust would need async I/O sooner or later.

                                          What is ugly is the proliferation of macros when a proper general-purpose solution is possible. If you look at the final example from the link, async! is fulfilling exactly the same role as the notorious try!; if the language would adopt HKT they could build a single reusable standard form of “do notation” into the language and reuse it for result, async, option, and many other things: https://philipnilsson.github.io/Badness10k/escaping-hell-with-monads/

                                          1. 6

                                            It is extremely unclear that a strongly-typed do notation is possible in Rust. It’s also not clear if we’ll ever get HKT directly; GAT gives us equivalent power, but fits in with the rest of stuff more cleanly.

                                            1. 3

                                              What is GAT?

                                              1. 2

                                                generic associated types

                                            2. 1

                                              I think async! will eventually be made into a language feature (a couple of community members have proposals for this), it’s just that we’re experimenting on it as a proc macro, because we can. It’s way more annoying to experiment with features baked into the language.

                                            3. 1

                                              The only language feature added here is generators (and possibly, async/await sugar), everything else will be a library. Both things are quite common amongst languages; and shouldn’t be too confusing.

                                              Everything else listed here is a library that you only deal with when you are doing async stuff. And the complexities listed are largely internal complexities; tokio should be pretty pleasant to work with.

                                            1. 4

                                              I guess we all miss the days when your only choice was a windows-only app.

                                              1. 6

                                                Very surprising that the BSDs weren’t given a heads up from the researchers. Feels like there would be a list at this point of people who could rely on this kind of heads up.

                                                1. 13

                                                  The more information and statements that come out, the more it looks like Intel gave the details to nobody beyond Apple, Microsoft and the Linux Foundation.

                                                  Admittedly, macOS, Windows, and Linux covers almost all of the user and server space. Still a bit of a dick move; this is what CERT is for.

                                                  1. 5

                                                    Plus, the various BSD projects have security officers and secure, confidential ways to communicate. It’s not significantly more effort.

                                                    1. 7

                                                      Right.

                                                      And it’s worse than that when looking at the bigger picture: it seems the exploits and their details were released publicly before most server farms were given any heads up. You simply can’t reboot whole datacenters overnight, even if the patches are available and you completely skip over the vetting part. Unfortunately, Meltdown is significant enough that it might be necessary, which is just brutal; there have to be a lot of pissed ops out there, not just OS devs.

                                                      To add insult to injury, you can see Intel PR trying to spin Meltdown as some minor thing. They seem to be trying to conflate Meltdown (the most impactful Intel bug ever, well beyond f00f) with Spectre (a new category of vulnerability) so they can say that everybody else has the same problem. Even their docs say everything is working as designed, which is totally missing the point…

                                                  2. 7

                                                    Wasn’t there a post on here not long ago about Theo breaking embargos?

                                                    https://www.krackattacks.com/#openbsd

                                                    1. 12

                                                      Note that I wrote and included a suggested diff for OpenBSD already, and that at the time the tentative disclosure deadline was around the end of August. As a compromise, I allowed them to silently patch the vulnerability.

                                                      He agreed to the patch on an already extended embargo date. He may regret that but there was no embargo date actually broken.

                                                      @stsp explained that in detail here on lobste.rs.

                                                      1. 10

                                                        So I assume Linux developers will no longer receive any advance notice since they were posting patches before the meltdown embargo was over?

                                                        1. 3

                                                          I expect there’s some kind of risk/benefit assessment. Linux has lots of users so I suspect it would take some pretty overt embargo breaking to harm their access to this kind of information.

                                                          OpenBSD has (relatively) few users and a history of disrespect for embargoes. One might imagine that Intel et al thought that the risk to the majority of their users (not on OpenBSD) of OpenBSD leaking such a vulnerability wasn’t worth it.

                                                          1. 5

                                                            Even if, institutionally, Linux were not being included in embargos, I imagine they’d have been included here: this was discovered by Google Project Zero, and Google has a large investment in Linux.

                                                      2. 2

                                                        Actually, it looks like FreeBSD was notified last year: https://www.freebsd.org/news/newsflash.html#event20180104:01

                                                        1. 3

                                                          By late last year you mean “late December 2017” - I’m going to guess this is much later than the other parties were notified.

                                                          macOS 10.13.2 had some related fixes to Meltdown and was released on December 6th. My guess is vendors with tighter business relationships (Apple, MS) to Intel started getting info on it around October or November. Possibly earlier considering the bug was initially found by Google back in the summer.

                                                          1. 2

                                                            Windows had a fix for it in November according to this: https://twitter.com/aionescu/status/930412525111296000

                                                        2. 1

                                                          A sincere but hopefully not too rude question: Are there any large-scale non-hobbyist uses of the BSDs that are impacted by these bugs? The immediate concern is for situations where an attacker can run untrusted code like in an end user’s web browser or in a shared hosting service that hosts custom applications. Are any of the BSDs widely deployed like that?

                                                          Of course given application bugs these attacks could be used to escalate privileges, but that’s less of a sudden shock.

                                                          1. 1

                                                            DigitalOcean and AWS both offer FreeBSD images.

                                                            1. 1

                                                              there are/were some large scale deployments of BSDs/derived code. apple airport extreme, dell force10, junos, etc.

                                                              people don’t always keep track of them but sometimes a company shows up then uses it for a very large number of devices.

                                                              1. 1

                                                                Presumably these don’t all have a cron job doing cvsup; make world; reboot against upstream *BSD. I think I understand how the Linux kernel updates end up on customer devices but I guess I don’t know how a patch in the FreeBSD or OpenBSD kernel would make it to customers with derived products. As a (sophisticated) customer I can update the Linux kernel on my OpenWRT based wireless router but I imagine Apple doesn’t distribute the Airport Extreme firmware under a BSD license.

                                                          1. 13

                                                            LWN’s write-up was at the right level for me. I’ll read the papers when I have time. https://lwn.net/SubscriberLink/742702/83606d2d267c0193/

                                                            PS: go subscribe to LWN, it’s great.

                                                            1. 7
                                                              1. 2

                                                                This is the one that finally made me understand it, well on a conceptual level.

                                                            1. 25

                                                              Spectre PoC: https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6 (I had to inline one #DEF, but otherwise works)

                                                              1. 5

                                                                I’ve tested it with some success on FreeBSD/HardenedBSD on an Intel Xeon. It works on bare metal, but doesn’t work in bhyve.

                                                                1. 4

                                                                  oh god that runs quickly. terrifying.

                                                                  1. 3
                                                                    $ ./spectre
                                                                    Reading 40 bytes:
                                                                    Illegal instruction (core dumped)
                                                                    

                                                                    That was kinda disappointing. (OpenBSD on Hyper-V here.)

                                                                    1. 10

                                                                      It worked for me on OpenBSD running on real hardware.

                                                                      1. 1

                                                                        That was kinda disappointing. (OpenBSD on Hyper-V here.)

                                                                        perhaps it was the cache flush intrinsic.

                                                                      2. 2

                                                                        I’m impressed how easy it is to run this PoC - even for somebody who didn’t do C programming for years. Just one file, correct the line

                                                                        #define CACHE_HIT_THRESHOLD(80)

                                                                        to

                                                                        #define CACHE_HIT_THRESHOLD 80

                                                                        then compile: gcc -O0 -o spectre spectre.c

                                                                        run:

                                                                        ./spectre

                                                                        and look for lines with “Success: “.

                                                                        I am wondering if there is some PoC for JavaScript in the Browser - single HTML page with no dependencies containing everything to show the vulnerability?

                                                                        1. 2

                                                                          I’ve been playing quickly with the PoC. It seems to work just fine on memory with PROT_WRITE only, but doesn’t work on memory protected with PROT_NONE. (At least on my CPU)

                                                                        1. 2

                                                                          I’m so looking forward to seeing what this is all about.

                                                                          1. 0

                                                                            I don’t want to work with bigots. Sorry not sorry.

                                                                            1. 2

                                                                              I find your first sentence funny because of the irony, but your second sentence suggests it may not be meant as a joke?

                                                                              1. 2

                                                                                It’s weird that saying “I don’t want to work with racists” is acceptable but “I don’t want to work with homophobes” means you’re somehow just as bigoted as the homophobes. I’m sorry, I don’t want to work with someone who thinks my sister’s marriage should be illegal and that her worth as a person is less than theirs because of something that will never affect them.

                                                                                If someone said in a meeting to a black coworker “I’m sure glad you’re not dating my daughter” there would be an uproar, but we’re supposed to be fine with someone saying “I just don’t think you should be allowed to get married because of who you are.”

                                                                                More accurately, you’re free to think that sort of thing all you want, but don’t play the victim if you bring it up at work and people get upset that you’re denigrating their private lives (which, by definition, is completely separate from work and is thus not an appropriate workplace discussion).

                                                                                This is true regardless of what the topic is. If a Catholic employee thinks all Protestants are going to Hell, great…don’t point that out to them when you’re all just trying to get work done. It’s irrelevant.

                                                                                I know I’ve worked with homophobes before. I’ve worked with sexists before. I’ve worked with people who knew I was going to burn for all eternity. Even if (and the science is open) women are somehow less mathematically inclined than men on average, stating something like that at work is implying something about your specific co-workers who are women. If I pointed out at a meeting that I think men are less suited to UI design because statistically they’re less empathetic than women, I’m implying any male co-workers on my project are possibly inherently less fit than the women…without judging their work on its merits. I don’t get to play the victim when people are upset that I did something like that.

                                                                                1. 2

                                                                                  I can empathize with your comment, but it is beside my point. There is no irony in “I don’t want to work with racists” and “I don’t want to work with homophobes”.

                                                                                  “I don’t want to work with bigots” is ironic, because it means ianloic is intolerant towards “bigots” because they have different opinions, and a bigot is (literally according to Google) “a person who is intolerant towards those holding different opinions”. Thus ianloic does not want to work with himself.

                                                                            1. 1

                                                                              I love that they launched this collaboration with Comcast the same week as net neutrality was killed. It must have taken some coordination to have their heads that far up their asses.

                                                                              1. 1

                                                                                Why don’t you have a fast build server? 8 cores seems small for a “server”.

                                                                                1. 3

                                                                                  It’s a startup without an infinite supply of money.