1. 5

    Meta opinion about Cloudflare: I tried to avoid Cloudflare but if I have to use a CDN, I must allow some sort of a pseudo-MITM. I just choose CF instead of something else for my blog.

    1. 4

      You can ask browsers to verify that your CDN is returning what you want instead of giving them everything.

      1. 1

        Yeah, but only for assets/media. These days it’s common/desirable/??? for the web page itself to come through the CDN.

        1. 2

          If your page is dynamic, then it doesn’t make any sense for the web page to come through the CDN. If your page is just a bunch of links for your JS SPA, you should still serve it yourself for the security, and because it isn’t that big anyways. If your page is fully static, you should probably still serve it yourself, just to be sure that nobody is inserting anything unwanted into your page.

          1. 2

            If your page is dynamic, then it doesn’t make any sense for the web page to come through the CDN

            The route through the CDN’s private network should usually be faster than over the public internet.

            1. 1

              It’s not that expensive to have several servers in multiple locations to handle load, you just need to architecture for it. Paying for the access through the CDN’s private network is about the same cost.

          2. 1

            Exactly - my use case is the caching of the HTML web page itself.

        2. 2

          Where is your blog hosted? Why would it need a CDN? I would be surprised if does. My other comment in this thread gives some color on why I’ve never needed to MITM my own site:

          https://lobste.rs/s/xbl6uc/cloudflare_outage_on_july_17_2020#c_nt8atu

          1. 4

            Without a CDN your site and its assets are stored in a single location worldwide. If you happen to have readers who do not live close to where the site is hosted, latency will likely be noticeable. Is it using TLS? 3 round trips for the handshake. That’s before even downloading html, css, js and images.

            A quick check on https://wondernetwork.com/pings/Los+Angeles/Barcelona and ping between Western Europe and US west coast is around 150ms. That’s not nothing!

            As you pointed out, it’s not necessary, but it doesn’t visibly improve the user experience for a lot of people worldwide.

            1. 1

              WAN latency can be an issue for really optimized sites, but most sites aren’t really optimized.

              Example: I just want to webpagetest.org and put in nytimes.com.

              https://www.webpagetest.org/result/200722_CA_fc5e1e19a8f5c3402fc5cb91be7b4824/

              It took 15 seconds to load the page. nytimes presumably has all the CDNs in the world.

              Then I go to lobste.rs, and it takes less than a second:

              https://www.webpagetest.org/result/200722_7S_ec97779d98563256c0140997a431e19f/

              lobste.rs is hosted at a single location as far as I know (because CDNs would break the functionality of the site, i.e. the dynamic elements. It’s running of a single traditional database AFAIK)

              So the bottleneck is elsewhere, and I claim that’s overwhelmingly common.


              So it could be an issue, but probably not, and that’s why I asked for specific examples. Most sites have many other things to optimize first. If it were “free”, then sure, use a CDN. But it also affects correctness and has serious downside security wise (e.g. a self-MITM)

            2. 3

              It’s self hosted on a box in my house, so having a CDN ensures my ISP doesn’t hate me if I get too much traffic, and other services I host aren’t impacted.

              For folks concerned, I also provide a tor onion address for the blog which totally bypasses CF.

          1. 6

            Most linters or IDEs will catch that you’re ignoring an error

            I’m not always using linters or IDEs. Does that mean that I should be able to just ignore the error? I don’t think so

            Plan for failure, not success

            The default behavior in Go assumes success. You have to explicitly plan for failure

            has sufficient context as to what layers of the application went wrong. Instead of blowing up with an unreadable, cryptic stack trace

            I don’t know how about you, but math: square root of negative number -15 doesn’t exactly tell my why the error occurred. I’d rather look into that “cryptic” stack trace to find out where that negative number got used.

            1. 0

              math: square root of negative number -15

              math.Sqrt(-15) = NaN. I have no idea where you’ve seen that particular error message. Cases like that are exceptional and are a programmer’s mistake (e.g. division by zero), therefore Go would panic with a full stack trace.

              But let’s assume that there is some square root function that returns an error. We usually add annotations to error messages, e.g. in Go ≥1.13 fmt.Errorf("compute something: %w", err) and later check that errors.Is(err, math.ErrNegativeSqrt), so instead of

              math: square root of negative number -15
              

              you’d actually see

              solve equation: compute discriminant: square root of negative number -15
              

              which is way more descriptive than a stack trace if there are multiple similar error paths along the call stack (from my experience, that’s almost always true). With exceptions you’d have to carefully follow the stack trace line-by-line to find the cause of an error.

              Also, in many languages discovering that a particular function throws an exception without code analyzers is pretty hard.

              1. 5

                I have no idea where you’ve seen that particular error message.

                I just took it as an example.

                We usually add annotations to error messages

                Usually. But the default for go is just return err. Which leaves you with the problematic one.

                which is way more descriptive

                I don’t know how about you, but in a project with >10k LOC I’d like to see, in which exact file do you have to open for an error. I won’t always know the project by heart, and to find it normally would take a good couple of minutes.

                if there are multiple similar error paths along the call stack

                Uhhh, you just look into the first function along the call stack and go along in such case. It’s not that difficult. I know it can look scary, but stack traces usually have all the information that you need, and then some. Just learning their syntax will allow you to efficiently find causes of bugs. That cannot be said for Go, as different projects can use different styles of error annotations.

                With exceptions you’d have to carefully follow the stack trace line-by-line to find the cause of an error.

                I usually read less than half of it before realizing where the error lies. There is a ton of information in a call stack, and you don’t always need all of it.

                Also, in many languages discovering that a particular function throws an exception without code analyzers is pretty hard.

                In a simple case, looking for raise/throw/etc. is enough. But yes, this is a problem. Some languages do have a solution, e.g. Java, but those aren’t that common yet. I’d like improvement here.

                1. 3

                  What happens if “solve equation” calls “compute discriminant” multiple times? There is no line number telling me where it was called.

                  My preference is a good error message with a stack trace. I can choose to ignore the stack trace when looking at logs/output. Also, (in some languages) a stack trace can be generated without an exception.

                  1. 1

                    line numbers assume a few things:

                    • you have the same version of the code everywhere. in a production environment, you can easily have multiple versions of the same thing during deployments, upgrades, etc. Those situations are the most common situations in which you would encounter an error for the first time since, as we just said, you’re deploying potentially new code.
                    • you’re only talking about comprehending the error data as it happens, and not historically, in a log file somewhere. What if you’re looking at log data from a few days ago? Now you have to cross-reference your stack trace with what version of the app was running at the time that stack trace was generated. Ok, now check out the code at that time. Now step through the line numbers and run the program in your head to try to understand the story of how the error happened. -OR- just … read the error’s story of how it happened in a Go program.
                    • a stack trace is generally not going to capture local variables. Even if you know what line you’re on, you might not know what parameters that function was called with. With explicit wrapping of error values, you append to the error value the necessary contextual information, as decided by a human author, for a human to understand the cause of the error.

                    I don’t miss exceptions and stack traces after using Go for a few years. Both are, in my experience, actively worse than handling errors at the call site and wrapping errors with descriptive contextual information.

                    1. 2

                      I use both error context and stack traces; you can add stack traces to errors quite easily (about 20/30 lines of code) and it never hurts to have more information. In some cases there are performance problems with stack traces (an issue in any language), but those are rare enough that I’m not overly worried about it.

                      Cases where error context fails for me is when I’ve accidentally added identical context to two errors. This is usually a mistake on my part (copy/paste, or just laziness) and having the stack trace is helpful. I also find it easier in development because I can just go to “foo.go line 20”.

                      I replaced all pkg/errors calls with some sed-fu to Go 1.13 errors, but I added back stack traces after a few weeks with a small library (about 100 lines in total).

                      Either way, I don’t think context and stack traces need to be exclusive, and there is value in both in different contexts.

              1. 4

                Honestly, I applaud the attempt, but sadly it’s not enough. PGP key model IMO is fundamentally broken and anything new based on it will carry the same problems that it has.

                1. 8
                  • Spam email, even not opened : 0.3 CO2e
                  • A proper email : 4g CO2e
                  • An email with long attachment : 50g CO2e

                  i’m not really sure about these numbers.

                  1. 10

                    The carbon footprint of email are approximately

                    Where I live most power is from burning lignite, which is about as bad as it gets - 1.17 tonnes per megawatt hour.

                    4g of carbon emission would be 14 kj.

                    End-to-end delivery of an email from fastmail to gmail takes about half a second (counting from when I hit send to when it shows up in the gmail inbox).

                    To consume 14kj of carbon emissions in that half-second, you would need to draw 28kw! My local colo will, if you have a really fat wallet, sell you a 6kw line for an entire rack. Worst-case, the cooling for a rack that draws 6kw will use 4kw, and there’s embodied energy in the products, and a control plane, networking gear etc. Lets say a really full rack ends up using 14kw.

                    I don’t think 2 full racks of servers running at maximum power are strictly required to send an email.

                    I’ve been quite generous in this analysis - using lignite for power, inefficient cooling - and I still can’t see how these numbers could be within 3-5 orders of magnitude of reality.

                    1. 6

                      Two further comments:

                      1. The “email with long attachment” is 12x more CO2; that’s some attachment! Given that this number is given just after complaining about “people put images in their signature” I feel it’s rather misleading.

                      2. Email servers will run anyway; and the difference between the base power draw vs. maximum power draw in the context of processing emails is probably not going to be that great. While dealing with torrents of spam emails certainly increases the load significantly, it seems to me that an email with an image is unlikely to increase the power draw by 12x.

                      Given that this person has their own hefty dedicated server for their blog and some projects it seems they’re not overly concerned about a few grams of CO2 more or less. The entire thing seems like a post-hoc argument to rationalize “I don’t like HTML email”.

                      1. 2

                        The “email with long attachment” is 12x more CO2; that’s some attachment! Given that this number is given just after complaining about “people put images in their signature” I feel it’s rather misleading.

                        I can definitely see this. An average text-only email is ~4kb from what I’ve seen. Images I’d expect to see in email signatures weigh ~100kb. It’s a long way from 4kb to 104kb. 26 times larger emails would definitely use more energy to transfer. The question is, is the CO2 emissions dominated by the processing of the email, or the transfer, and I’m pretty sure it’s the processing. Though, even in processing some things like spam processing can use more energy for larger emails.

                    2. 4
                      • a web page complaining about email plus the resulting discussion: XXXXXXgCO2e

                      I’m fairly sure about this number although I’m not convinced about the relevancy of these ‘CO2e’ stories - not about the CO₂ itself, nor about the estimates. It makes a lot of difference whether that mail is sent between two people in Sweden - where electricity is largely CO₂-neutral due to the extensive use of hydro and nuclear (still, the so-called environmentalists want to get rid of it) with a bit of wind added in - or Poland where coal is used for ~85% of power generation.

                      1. 3

                        As others have pointed out, these CO2 number are highly doubtful. Neither source nor methodology are given to back up this claim. But even if we believe the author, one important question remains: Applying the same methodology, what would be numbers for Signal? And no, I don’t buy that routing your communication through the central servers of a private enterprise makes it trustworthy in any way. It’s great that they open source both the client and server software, but you have to simply trust them that that’s actually what they’re running on their servers.

                        In my opinion the biggest problem with Email nowadays is Gmail. And I’m not talking about the obvious privacy implications. I agree that email is kind of broken in that respect anyway, and that won’t change unless there’s a way of encrypting mail that’s end-user/non-techie friendly. I think the bigger problem is Gmail’s tendency to silently block mail from smaller providers. This, combined with their market share, is what breaks email for me.

                        1. 1

                          I think the bigger problem is Gmail’s tendency to silently block mail from smaller providers. This, combined with their market share, is what breaks email for me.

                          with anything else, these practices would be instant-lawsuit, but spam is the ideal front for them, as everybody dislikes it.

                          1. 1

                            but spam is the ideal front for them, as everybody dislikes it

                            Which is why we need to switch off of email, onto a communication channel that has spam-resistance baked in from the get-go.

                      1. 4

                        Note: every second line in the table is unreadable with prefers-color-scheme:dark

                        1. 1

                          Thanks, hadn’t noticed that - I’ve fixed it.

                        1. 6

                          “With an open-source implementation, you see what you get”

                          Just wanted to note this is not true at all for hardware. The synthesis tools, usually two in combination, convert the high-level form into low-level pieces that actually run. They’re kind of like Legos for logic. Like with a compiler, they might transform them a lot to optimize. They use standard cells that are usually secret. Then, there’s analog and RF functionality that might have errors or subversions with fewer experts that know anything about it. Finally, there’s the supply chain from masks to fab to packaging to you.

                          With hardware, you have no idea what you actually got unless you tear it down. If it’s deep sub-micron, you have to one or more other companies during the tear-down process. This excludes the possibility that they can make components look like other components in a tear-down. Idk if that’s possible but figure I should mention it.

                          When I looked at that problem, my solution was that the core or at least a checker/monitor had to be at 350nm or above so a random sample could be torn up for visual inspection. The core would be designed like VAMP with strong verification. Then, synthesis (eg Baranov’s) to lower-level form with verified transforms followed by equivalence checks (formal and/or testing). The cells, analog, and RF would be verified by mutually-suspicious experts. Then, there were some methods that can profile analog/RF effects of onboard hardware to tell if they swap it out at some point. Anyway, this is the start with open (or vetted + NDA) cells, analog, and RF showing up overtime, too. Some already are.

                          1. 7
                            1. 2

                              I’m not a big fan of making critiques based on stuff that is explicitly outside of their security model. From my understanding, the formal verification of side channel for RISC-V would catch Spectre-style attacks: researchers implemented Spectre-like vulnerabilities into RISC-V designs which still conformed to the specification.

                              Yes, you can backdoor compilers, microcode, and hardware. But that’s not far from the generic critique of formal methods based on Godel’s incompleteness theorem. seL4 is the only operating system that makes it worth our time to finally start hardening the supply chain against those types of attacks.

                              1. 3

                                I normally agree. However, they were pushing seL4 on ARM as a secure solution. You cant secure things on ARM offerings currently on market. So, it’s a false claim. The honest one is it gives isolation except for hardware attacks and/or faults. For many, that immediately precludes using it. I’d rather them advertise honestly.

                                A side effect is that it might increase demand in secure hardware.

                            1. 8

                              I don’t get this hype about seL4. All I see are it’s claims about it’s security and speed, but I can’t find anything about it’s usability. The communication on it’s page aggressively attacks other operating systems (e.g. “If someone else tells you they can make such guarantees, ask them to make them in public so Gernot can call out their bullshit” in the FAQ). The performance page doesn’t have any comparisons to other OS’s, yet FAQ claims that it is the fastest in the metric presented there. In general, the few times I’ve seen somebody bring up seL4, the proponents were very aggressive against other OS’s. Doesn’t really look well, does it?

                              1. 17

                                The rhetoric from the seL4 cheerleaders can indeed be cringeworthy at times. That being said, the L4 family is an interesting look into how you can start with a really minimal set of OS features and get to something useful, and seL4 is one of a very few OS kernels to be subject to rigorous formal verification. How much you value that probably tracks very closely to how much you value formal verification in general.

                                It isn’t particularly useful to compare seL4 to a general-purpose OS like Linux or Windows since they’re intended for such different use cases. seL4 might be a useful building block for, say, a hardened security appliance that handles signing keys or runtime monitoring on behalf of some other general-purpose OS, or a high-value industrial control system (power plants, medical devices, voting machines, etc.)

                                The focus on performance is AFAICT aimed mainly at the historical critique of microkernels as painfully slow for real-world workloads. That in turn largely stems from the behavior of poorly-optimized Mach-backed syscalls on commodity PCs when they were being put up against monolithic designs back in the 90s. (Mac OS still seems to carry some of this debt, as Xnu is a pretty direct descendant of Mach.)

                                1. 3

                                  Is there a blog post about this? I want to know more!

                                  1. 4

                                    It’s not just Mach, it was also Windows NT, Minix, and others. It took the L3 and L4 family of kernels a long time to get this nailed down. Just dig around wikipedia for Microkernels and this paper for the history of L4.

                                2. 4

                                  It outperformed other microkernels. It would probably host an OS like Linux in a VM alongside bare-metal or runtume-supported components. A secure middleware lets the pieces communicate. The architecture is often called Multiple Independent Levels of Security with microkernels doing it called “separation” kernels. Overall performance depends on the overheads of context switching and message passing which lead to tradeoffs in how many pieces you break system into.

                                  This pdf on a similar system (Nizza) shows how building blocks like seL4 were to be used. INTEGRITY-178B was the first built, certified, and deployed in Dell Optiplex’s. The certification data at bottom-right shows what was required but watch out for their marketing ;). LynxSecure is used by Navy. Due to funding, complexity, and OK Labs focus on mobile, the seL4 team switched focus to embedded like military and IoT.

                                  @Shapr, tagging you in since the Nizza paper might help you out.

                                  1. 1

                                    I thought version of L4 hosting Linux outperform Linux?

                                    1. 4

                                      It did. The benchmark might be meaningless, though. A real system would extract more and more of the Linux TCB into isolated partitions. There would be more message passing. It could also cause more accidental cache flushes on top of clearing registers and caches that already happens in separation kernels upon security context switch. We don’t know what the performance hit would be.

                                      An example would be a web server where the kernel, ethernet, networking, filesystem, firewall, TLS, and user-facing server are all in separate partitions. Things that are mostly jumps in memory of one process become IPC across them. That could add up.

                                1. 18

                                  I applaud Apple’s approach to privacy, http://www.apple.com/privacy I was shocked to learn that coming from one of the largest corporations in the world, they are pushing the correct approach to privacy. Control of the private key.

                                  Zoom has been caught lying the past and has very fishy claims and ostensible practices. https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html So this is not a fair comparison in my opinion, but I do agree with the author’s principals and reasoning.

                                  1. 10

                                    The exact problem is that in this case Apple does not give ‘control of the private key’ to the consumer.

                                    (It’s not clear in this article, but I believe this is specifically limited to iCloud backups of iOS devices, and that it can be resolved by turning that feature off. This is an important issue to me and I’d appreciate more info if anyone has some.)

                                    1. 5

                                      I understand, iOS does not give control of the private key to the user, even more, the software used for messaging is highly proprietary and locked down. thanks for the correction, I was jaded by their slick marketing webpage.

                                      Does apple have the ability to decrypt user’s imessages? Up until now, I was going on the assumption that imessages were encrypted similar to signal.

                                      1. 7

                                        Apple has the ability to remotely install any software on your phone that they want, and therefore exfiltrate any data that they want.

                                        1. 2

                                          I don’t think that quite follows… Apple has the ability to install a new OS, and it has the ability to install apps, but both have limitations. I’ll deal with each.

                                          1. OS. If Apple is willing to build a custom version of the new OS and serve that to you when it serves a new OS to other people, then your custom OS can do exfiltrate anything. That’s a high bar though.

                                          2. Apps. Apple can install apps on your device at any time and perhaps silently, but those apps are subject to the security regime enforced by the OS version your phone already runs, which is one that countless researchers have checked as carefully as they can. The installled app won’t have the ability to exfiltrate any and all data belonging to the system or other apps.

                                          The past is immutable. Apple can write any code, but noone, not even Apple, can travel into the past.

                                          1. 2

                                            OS. If Apple is willing to build a custom version of the new OS and serve that to you when it serves a new OS to other people, then your custom OS can do exfiltrate anything. That’s a high bar though.

                                            Why would it have to be a custom version, and why would it have to be timed with the release of some other version?

                                            Apps. Apple can install apps on your device at any time and perhaps silently, but those apps are subject to the security regime enforced by the OS version your phone already runs, which is one that countless researchers have checked as carefully as they can.

                                            Which is not carefully at all because they can’t audit the code.

                                            1. 2

                                              Apps. Apple can install apps on your device at any time and perhaps silently, but those apps are subject to the security regime enforced by the OS version your phone already runs.

                                              Security engine works with rules, and those rules on apps are set by Apple. Safari is the only app that has JIT permissions, there is no reason why they couldn’t do that for a rogue app.

                                              1. 1

                                                Are you saying that iOS has a permission that permits apps to read other apps’ data? Or rather that some future version of the OS could hypothetically add such a permission that would, further in the future, enable silently installed apps to read other apps’ data?

                                                If the latter, then it’s a special form of the statement “product X is bad, because it could in the future be modified to do bad things”.

                                                1. 1

                                                  Cursory search says that it does exist. Though I’m not a iOS developer by any means.

                                                  1. 1

                                                    I’m not either. A friend who is says that capability doesn’t really exist any more. It once did and still has a name, but since deprecation the name is all it has.

                                                2. 1

                                                  And they have done this before. For example, the “Clips” app which is distributed through the AppStore has immediate camera access without prompting the user, I believe, because the app ships with a code sign entitlement that grants unprompted camera access. A regular iOS developer would never get Apple to sign such an entitlement, but as the Uber screen capture entitlement scandal proved, some developers are more equal than others.

                                            2. 1

                                              From Apple’s own iCloud security overview page:

                                              If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages.

                                              Apple has the key to your backups, so they can access the iMessage key, rendering the so-called E2EE useless. If you disable iCloud backups, your messages can still end up in other people’s backups.

                                            3. 4

                                              You’re correct. iCloud backups can be retrieved by Apple. Using iTunes for backups is still safe. iCloud Photo Library is not end-to-end encrypted either, but that provides major usability benefits (like being able to see your photos from iCloud.com just like the competitor, Google Photos).

                                              This is the one major flaw with Apple’s privacy strategy for “average Joe” users. I think that having iCloud Backup on by default is great (losing your phone isn’t such an issue anymore), but it would be great if there were at least an option to encrypt it. Is the idea that people who lost their phone and forgot their password (because they never use their password after setting up their phone) would want access to the backups? That’s my only guess.

                                              1. 3

                                                Why would they? An average customer does not understand what a private key is. If you give out private keys to end-users and they lose them you are going to end up with massive data loss. Apple does the right thing. This is not perfect but it works for most cases. The other end (no unauthorized access to private keys) of this should be guaranteed by the law like in the EU. It is unfortunate that the US has the Patriot Act but it does not mean that you could have a chance against the US gov agencies even in the case of privately stored private keys.

                                              2. 5

                                                I was shocked to learn that coming from one of the largest corporations in the world, they are pushing the correct approach to privacy. Control of the private key.

                                                I’m shocked that you trust one of the largest corporations in the world to live up to their promises on this - or any other - issue. That implies you ascribe morals to the corporation, an organisation without morality. In the end it implies you assume Apple corp. would rather go down in flames (i.e. be forced to pay fines even they could not shoulder, being forced to split the company, etc.) than allow a bunch of TLA’s to do some harvesting.

                                                It isn’t that single out Apple here, I don’t think you can trust any of these entities and should act accordingly with data you don’t want to get in the wrong hands. For most people this won’t matter but if, say, you’re a dissident writer in Hong Kong or you happen to have proof of what really happened to Epstein it would be foolish to simply trust those data to an iDevice in the assumption that they’re safe for any adversary.

                                                1. 3

                                                  I was shocked to learn that coming from one of the largest corporations in the world, they are pushing the correct approach to privacy. Control of the private key.

                                                  The reason gigacorps don’t care about privacy is because most of them rely on siphoning your information for profit. Apple don’t, since they sell premium hardware and fashion accessories. That’s why Apple can give users more privacy.

                                                  1. 1

                                                    They are still trying to maximize their profits, and data is “the new oil,” so giving users privacy is not a viable path even for Apple. Marketing the idea of privacy on the other hand is a viable strategy.

                                                    Am I missing some substantive difference between Apple’s privacy policy and that of other tech companies?

                                                  2. 4

                                                    This makes so little sense to me, I think I might be parsing it wrong.

                                                    1. 2

                                                      Who has control over the private key? Steve has always been a pioneer in taking control away from users. Even if they claim the key resides on the device, this is far from the user controlling the key. The actual correct approach to privacy would have to give real control to users, and Steve could not be farther from this.

                                                    1. 32

                                                      I’m not sure if I’ve yet seen a good e-mail client. Thunderbird is what I’m using right now, but it kind of sucks. All the webmail clients are ridiculously heavy, confusing, and have long loading times. Maybe Outlook is good.

                                                      Everyone, and every e-mail client, has a different idea of how e-mail works. Does the quoted text go at the bottom or the top? Is text hard or soft wrapped? If hard wrapped, is it wrapped at 80 or 72 columns? You end up with person A sending something with hard wrapping set to 80 columns, then person B quotes parts of that with 72 column hard wrapping, and you get alternating 72 and 8 column lines.

                                                      E-mail is a terrible medium for sending code. Most programmer types insist on hard wrapping, but e-mail clients configured to hard wrapping will break code by inserting newlines. Most people recommend hard wrapping at 72 lines; most code is wrapped at around 80-100 lines if at all.

                                                      E-mail is barely decentralized. Good luck hosting your own e-mail server without being overrun by spam and without being marked as spam by the big providers. Pray you don’t ever get your IP address globally blacklisted; pray your IP address has never been used for mail spam in the past.

                                                      An e-mail client is about as hard to implement as a web browser, since an e-mail client needs to parse and display HTML and CSS like a browser would (or at least like Outlook would).

                                                      E-mail discussion chains inevitably end up with a messy mix of hard wrapping at 80, hard wrapping at 72, HTML, plaintext, quoted text above the message, quoted text at the bottom of the message, and messages using symbols from proprietary Microsoft fonts.

                                                      E-mail is a terrible discussion platform.

                                                      1. 9

                                                        Everyone, and every e-mail client, has a different idea of how e-mail works. Does the quoted text go at the bottom or the top? Is text hard or soft wrapped? If hard wrapped, is it wrapped at 80 or 72 columns? You end up with person A sending something with hard wrapping set to 80 columns, then person B quotes parts of that with 72 column hard wrapping, and you get alternating 72 and 8 column lines.

                                                        There’s format=flowed for that now. Mailing list etiquette ended up against top-posting, which means quoted text shouldn’t to go the bottom.

                                                        E-mail is a terrible medium for sending code. Most programmer types insist on hard wrapping, but e-mail clients configured to hard wrapping will break code by inserting newlines. Most people recommend hard wrapping at 72 lines; most code is wrapped at around 80-100 lines if at all.

                                                        You should use git send-email, not pasting git format-patch output into your mail client.

                                                        An e-mail client is about as hard to implement as a web browser, since an e-mail client needs to parse and display HTML and CSS like a browser would (or at least like Outlook would).

                                                        Email shouldn’t have gotten HTML support in the first place, thank Microsoft for that. Also, almost all HTML email is sent for advertisement. How often do you see an email from a person that actually needs HTML? I haven’t seen one yet.

                                                        1. 15

                                                          There’s format=flowed for that now

                                                          Ah, that famously super well-supported feature which every e-mail client can use.

                                                          Mailing list etiquette ended up against top-posting, which means quoted text shouldn’t to go the bottom.

                                                          I don’t think I’ve used many e-mail clients which don’t default to putting quoted text at the bottom. When “mailing list etiquette” goes against most mainstream e-mail clients’ defaults, you guarantee that at least a large portion of the users won’t follow “mailing list etiquette”.

                                                          You should use git send-email, not pasting git format-patch output into your mail client.

                                                          Ah, so I can’t even use my preferred e-mail client to send patches.

                                                          Email shouldn’t have gotten HTML support in the first place, thank Microsoft for that.

                                                          Well, it’s here now. “E-mail sucks because Microsoft” isn’t a counter-argument to “e-mail sucks”.

                                                          Also, almost all HTML email is sent for advertisement.

                                                          Nope, I receive lots of HTML e-mail which isn’t advertisements.

                                                          How often do you see an email from a person that actually needs HTML?

                                                          Not many? Still, when I receive HTML e-mail, my client needs to support HTML.

                                                          1. 3

                                                            Ah, that famously super well-supported feature which every e-mail client can use.

                                                            I don’t think I’ve used many e-mail clients which don’t default to putting quoted text at the bottom. When “mailing list etiquette” goes against most mainstream e-mail clients’ defaults, you guarantee that at least a large portion of the users won’t follow “mailing list etiquette”.

                                                            Ah, so I can’t even use my preferred e-mail client to send patches.

                                                            If your client can’t support basic features use a different one.

                                                            And of course you can use your preferred email client to send patches, as long as it’s able to be configured to send patches properly. git send-email is just much more reliable than arbitrary shitty client number 72.

                                                            Well, it’s here now. “E-mail sucks because Microsoft” isn’t a counter-argument to “e-mail sucks”.

                                                            Email with people that use shit Microsoft products is, like most interactions with those people, pretty crap. It doesn’t matter what communication method you use with Microsoft-using people, you’re still going to get proprietary formats of one kind or another. At least with Email there’s a nice smooth transition path away from Microsoft crap towards much more functional alternatives.

                                                            Nope, I receive lots of HTML e-mail which isn’t advertisements.

                                                            All HTML email I receive is in one of three categories:

                                                            1. Actual spam spam
                                                            2. “Spam” in the form of email advertisements from websites I’ve signed up to at one point or another, so not unsolicited but not really wanted
                                                            3. People using HTML email because their client defaults to it or because they want an image in their signature, where the email could easily have been in plain text with no loss of functionality

                                                            Is there a different kind of HTML email you receive? I’m interested to hear this because everyone I’ve spoken to is in the same situation I’m in with HTML email.

                                                            Not many? Still, when I receive HTML e-mail, my client needs to support HTML.

                                                            Your browser supports HTML. Why can’t your client just open the HTML email in a browser window? It could even be a browser window embedded in the client window if that’s your preference.

                                                            1. 8

                                                              Email with people that use shit Microsoft products is, like most interactions with those people, pretty crap.

                                                              This sounds quite harsh to me. I don’t use windows or ms office or anything at home, but I have to useit all at work. Some purpl people don’t have a lot of choice.

                                                              Regular folks will typically buy a laptop with Windows and stiff pre-installed. How many consumer-laptops with lowprice with Linux pre-installed are there? Some people don’t have a choice in this as well.

                                                              1. 2

                                                                Rant incoming, be forewarned:

                                                                My patience has slowly run out with people that choose to stick their head in the sand and ignore the bajillions of reasons that Windows is a harmful platform designed by harmful people to harm. It’s spyware, it’s anti-standards, it’s buggy, it’s just crapware. I don’t mean to be inflammatory, I’m just sick of it. I’ve spent enough time trying to explain the issues with Microsoft products to various family members over the years. They just don’t care about privacy. They don’t care about supporting an American defence contractor. They just don’t care. They’ll complain about the decline of local bookstores and use Amazon. They’ll complain about their local butchers and grocers closing while spending most of their disposable income at the supermarket. They’ll complain about the quality of their computer and about how much they hate computers and computing, all of it Microsoft-specific annoyances and bad UI, and they’ll just keep on giving money to Microsoft. “Regular folks” can deal with their privacy issues and crap spyware software themselves. People choose to be ignorant, to not explore alternatives, to not learn anything new or unfamiliar. I’ve had enough.

                                                            2. 2

                                                              Ah, so I can’t even use my preferred e-mail client to send patches.

                                                              You can use more than one client. Some are better at some things than others.

                                                              Still, when I receive HTML e-mail, my client needs to support HTML.

                                                              I haven’t seen any mail client that wouldn’t send text when sending HTML alternative. Only time I’ve seen HTML emails without text is advertisements.

                                                            3. 4

                                                              There’s format=flowed for that now.

                                                              Which basically nothing supports.

                                                              1. 1

                                                                Really? How sad. It’s dead simple to implement. I know Apple Mail has supported it since 2000.

                                                                1. 8

                                                                  FastMail wrote an article detailing why they don’t support it: https://fastmail.blog/2016/12/17/format-flowed/

                                                                  1. 6

                                                                    As noted in common mailing list etiquette guides, you should disable format=flowed to avoid any software patches getting broken

                                                                    Wow.

                                                              2. 4

                                                                Mailing list etiquette ended up against top-posting, which means quoted text shouldn’t to go the bottom.

                                                                I used to think so too, until I found out even Theo de Raadt seems to have given up on bottom-posting:

                                                                https://marc.info/?l=openbsd-misc&m=159128694514674&w=2

                                                                (The above link is just a random email I found when trying to see if navigating some mailing list arcives was as unintuitive as I remembered it to be. Conclusion: it is.)

                                                              3. 8

                                                                I’m not sure if I’ve yet seen a good e-mail client.

                                                                I’ve been extremely happy with aerc: https://aerc-mail.org/

                                                                It has readability issues sometimes for some HTML emails, but for personal communication I’ve found it to be a joy to work with. I’ve used it daily for nearly a year.

                                                                1. 2

                                                                  I really want aerc to replace mutt for me, but it’s missing some crucial features: pgp mail encrypt/decrypt and signing support, and email threads. I learned enough golang when aerc was first started to contribute a tiny number of patches, but implementing these things are beyond what I have time/patience for at the moment. I hope one day I can drop mutt for good, and use aerc full-time.

                                                                  1. 2

                                                                    email threads

                                                                    This is the actual killer feature of email for programming projects. A good client with threads and a mailing list is better than most web-based forums.

                                                                    1. 1

                                                                      I’ve never missed email threads (although I’ve never used Mutt so I can’t compare), but I agree that PGP is a big missing feature. Currently, it’s WIP: https://todo.sr.ht/~sircmpwn/aerc2?search=label:%22pgp%22

                                                                  2. 6

                                                                    An additional problem is that you never know if someone is going to read your email in monospace or proportional fonts. If it’s the latter, then there’s no real way to send tabular data for example, or otherwise aligned text. Other than HTML of course, but some people are rabidly opposed to that as well, so you never know if that works for them, either 🤷‍♂️

                                                                    Also, when you use email lists are the primary way to get in touch for bug reports an the like, you’re actually adding quite a barrier IMO. You often need to be subscribed and you’re spammed with emails you don’t care about. Even if you don’t need to subscribe, you may get CC’d for a long time and get emails you may not care at all about.

                                                                    1. 1

                                                                      you never know if someone is going to read your email in monospace or proportional fonts. If it’s the latter, then there’s no real way to send tabular data for example, or otherwise aligned text. Other than HTML of course, but some people are rabidly opposed to that as well, so you never know if that works for them, either 🤷‍♂️

                                                                      You send HTML with the tabular/code/etc. stuff in a <tt> block. (Except the editor will probably instead use an inline CSS style, but same difference.) The luddites will be reading the plain-text alternate body in a monospaced font anyway, so everyone’s happy.

                                                                      1. 3

                                                                        Most non-terminal email clients display the text version as proportional, and there’s almost always an option to prefer the text version over HTML, so some people must be enabling that (perhaps not many, but not 0 either, especially among the tech crowd).

                                                                        I actually enable it myself in FastMail, mostly so that I have a consistent experience reading text. I just enabled and went through some of my recent email conversations, and for some reason loads of email clients set weird fonts, colours, line-heights, and that kind of stuff on their outgoing emails. I don’t really mind HTML email as such but having the entire UI and my email in 14px fonts, and then getting an email with a huge 22px font does not exactly make for a great reading experience.

                                                                        At least it looks like Outlook stopped sending their emails in fecking blue text by default, so that’s an improvement.

                                                                        1. 1

                                                                          luddites

                                                                          Ironically the luddites are the ones using Outlook and Gmail and other useless wrong-by-default email clients.

                                                                          1. 7

                                                                            A random historical note, since I think the community will appreciate it:

                                                                            The Luddites were not anti-technology (other than machines that harmed them by existing).

                                                                            The closest analogue to the Luddites I can think of today are the people deliberately feeding bad data into adtech.

                                                                      2. 5

                                                                        Outlook is awful and doesn’t implement email according to the specs or the way anyone else implements it. It’s just broken. It’s the classic ‘EEE’ strategy of Microsoft.

                                                                        On quoting, I don’t know if it’s Gmail or Outlook or something else that started ruining it for everyone else by defaulting to this top-posting style but it’s wrong. Bottom-posting and eliding parts of the email you’re not replying to (interspersed quotes with your message) is standard, but to be honest most of the time you really don’t need to quote anything at all. When writing a letter you don’t photocopy or cut up parts of the original letter, paste them to the page and write your responses in between the bits of the original letter. You just reply. You say ‘in relation to X, I think [blah blah]’. I’ve been trying to get out of the habit of quoting posts I’m replying to on threaded forums, it’s really unnecessary when anyone can read the post I’m replying to directly above it. It’s mostly useful when you want to reply to a specific point.

                                                                        For sending code, there are two options. You can attach code, or you can put the code inline. Inline, code shouldn’t be hard wrapped. It’s not hard to configure a client to not wrap code, and frankly if you can’t configure your client to do this it’s just a bad client and you should find a new one or someone should fix the old one. How many widely used non-webmail email clients are not free software? Outlook is the only one I can think of.

                                                                        Email is super decentralised. It’s frankly just a myth that it’s hard to set up an email server that won’t get blacklisted or that you get heaps of spam. Spam filtering is really accurate these days.

                                                                        If you want to look at HTML, use a web browser. Email clients are for reading and dealing with email. Open a web browser window, embed a web browser, whatever.

                                                                        Stop having email discussion with people still using Outlook in 2020 and 99% of your issues with email disappear.

                                                                        1. 3

                                                                          An e-mail client is about as hard to implement as a web browser, since an e-mail client needs to parse and display HTML and CSS like a browser would (or at least like Outlook would).

                                                                          This is what eventually drove me to give up and use webmail (helped by fastmail actually having quite a good/fast webui with only a small number of mildly annoying bugs).

                                                                          1. 10

                                                                            I have been using email clients that don’t display HTML at all beyond stripping out tags so it’s readable as plain text, and I haven’t been missing anything. The only HTML-only emails I get are spam. And because HTML is an attachment, if I really need to view it, I can open it in a browser.

                                                                            1. 7

                                                                              The FastMail web UI is one of the few (non-trivial) SPA apps that I actually enjoy using. I think it got a lot of subtle things right that a lot of other SPAs didn’t.

                                                                              One of the bigger pain points is that it’s almost unusable with email discussions: you get a lot of duplicate messages (including those that you sent) and there’s no threading. It was probably never designed with that use case in mind, so that’s okay. But it does go to show that “you can just use email client” isn’t exactly true: you can use “any email client with specific features to deal with mailing lists”, and a lot of those features seem quite unnecessary outside of mailing lists. I’ve happily used FastMail for 7 years and it works perfect for everything else.

                                                                              I have a simple solution for this problem: don’t participate in mailing lists, which goes to show that things are perhaps not as easy and accessible and easy as claimed in this article.

                                                                              I’ve used many different email client over the years: probably all of the mainstream webmail, GUI, and terminal ones; the first part of the mutt tagline is completely accurate IMO, the second part … meh. Again, this seems further evidence to me that email is not as easy as it made out to be here.

                                                                              1. 3

                                                                                FastMail does threading if you enable it in the preferences. I subscribe to multiple mailing lists and use a single UI, fastmail, to read and manage the messages from all of the lists. A single inbox is the reason I prefer email to web forums.

                                                                                1. 1

                                                                                  I think you mean the message grouping? It’s nice, but not quite the same as threading shows threads within a conversation, whereas the message grouping just shows everything from old to new. IMO it doesn’t work very well for mailing lists beyond reading.

                                                                            2. 2

                                                                              I’m not sure if I’ve yet seen a good e-mail client

                                                                              Apple’s mail client (the macOS version, not the horrible iOS one) is pretty decent. It’s about the only Mac app I actually miss on other platforms. It handles a few tens of GBs of messages, searching is fast and works well, it does quoting sensibly, lets you reply to a part of a message the same way lobste.rs does (select the part you want to quote and hit reply), and so on. Thunderbird is just about okay. Both handle sending with multiple email addresses from the same account nicely (iOS mail doesn’t, for example). Thunderbird has slightly better threading support (Apple Mail renders threads as lists, not trees, so can be confusing for threads that split into subdiscussions).

                                                                              Outlook really struggles with non-HTML mail (it uses a Rich Text control for editing and then strips the formatting, often in surprising ways such as removing the quote bars, Apple Mail uses leading >s for quoted sections but renders them as coloured bars). My favourite Outlook bug arising from this is that, if you set your default to plain text and hit the ‘Make Teams Meeting’ link, it puts rich text with links to join your meeting and then silently strips them when you send so the recipient has no idea what they’re supposed to do to join.

                                                                              There are a few things that make email really bad. The first is archive storage. I have hundreds of MBs of LLVM mailing list archives. I keep my own copy because that’s the only way of being able to reply to or forward an old post easily. Dovecot avoids this by having a central IMAP folder for their mailing list history that anyone can subscribe to, but configuring that looks sufficiently annoying that I’ve never done it (I don’t want to add a new mail account to every mail client I use just to view it). Most of the time, I find posts on other projects from their web archives, but if I want to add a follow-on question then I have no mechanism to get that post in a form that I can hit reply to. Instead, I have to create a new thread and quote it, which breaks everyone else (and often doesn’t add the original sernders to the cc list correctly because most mailing list archives anonymise the sender addresses to avoid spammers harvesting them).

                                                                              Email is fine for a project that I’m actively engaged with. It’s far more annoying for projects that I’m casually contributing to. Things like GitHub issues are far better for that. They’re archived by search engines and if I find the issue and have more questions / comments I can hit reply and add them in the same thread.

                                                                              1. 2

                                                                                pray your IP address has never been used for mail spam in the past.

                                                                                To be fair, you don’t have to pray, you can query the spam databases.

                                                                                1. 2

                                                                                  Yeah, but there’s usually not that much you can do if you find your IP address in a spam database.

                                                                                  1. 2

                                                                                    You could simply switch your instance or server.

                                                                                    Running it in the address space of cloud VM providers is a bad idea indeed, but at a normal hoster it should be no problem. Maybe find one that is paid monthly and you can just cancel it.

                                                                                    1. 2

                                                                                      If you can’t host with a VM provider (because their block is probably banned) and you can’t host on your own (because of residential IP address reuse), won’t hosting be very expensive?

                                                                                      1. 1

                                                                                        that was not the question. I know people who wouldn’t trust their emails on a VPS/shared host anyway, so I’d say a good portion of people having their own mailserver do it on dedicated hardware anyway.

                                                                                        Also while sometimes whole blocks are banned, often it’s really just single IP addresses on the blacklist. Also maybe the same hoster has a different data center and then maybe a different block. As I said, if this is your concern you might not have success on the first try.

                                                                                        And that’s also the reason I have stayed with my current hoster, upgrading the same VPS contract with the same IP every few years, because I’ve been running my mailserver off of this IP for ~10 years and don’t have any of these problems.

                                                                              1. 11

                                                                                I hate how little control I have over things sent through email. I want to like email, and I was thinking long about why email makes me uncomfortable instead. I think this is maybe my sore point. Things like:

                                                                                • Being able to verify what your message will look like on the receiver end. I use that pretty ‘Preview’ button here on Lobsters all the time. Plain text simplifies a bit, but stuff like git-send-email complicates this again.

                                                                                • Verifying your message was received the way you intended. Recent example was me sending some DNS records to a client’s technical contact. Except their virus scanner botched the records by transforming them like links, wrapping them with some link-scanner URL. Cue 6 extra mails back and forth until we found a working solution. (Ties in with lack of moderation and threading issues.)

                                                                                • Making editorial changes after the message was sent. How many more times do we have to deal with missing attachments already? (Cue 2 extra mails every time.) (Also applies to IRC, btw.)

                                                                                • Tools that take over sending from the regular MUA, like git-send-email, just make me wary. I want to know when something is going out in my name. I want ample confirmation, or at least the flow I’m used to.

                                                                                And I can’t help but nod at all the other issues mentioned here. Email is kind of terrible.

                                                                                1. 8

                                                                                  Being able to verify what your message will look like on the receiver end. I use that pretty ‘Preview’ button here on Lobsters all the time. Plain text simplifies a bit, but stuff like git-send-email complicates this again.

                                                                                  There is a good argument that you shouldn’t worry about this. Not all people are going to look at your email. Some are going to hear it. Some are going to touch it. You should let people to read your email as they want.

                                                                                  1. 5

                                                                                    Being able to verify what your message will look like on the receiver end. I use that pretty ‘Preview’ button here on Lobsters all the time. Plain text simplifies a bit, but stuff like git-send-email complicates this again.

                                                                                    Preview on lobsters shows what your comment will look like on your screen once you’ve clicked send. But it doesn’t tell you how it’ll look on someone else’s screen, which can be subject to:

                                                                                    1. Different resolutions
                                                                                    2. Arbitrary user scripts
                                                                                    3. Custom fonts
                                                                                    4. High contrast stylesheets

                                                                                    etc. The argument that these are less common on the web is probably an argument against the web, because people make these customisations for good reason, and being able to scale up fonts and use dyslexic-friendly fonts, etc. is an important accessibility concern.

                                                                                    Verifying your message was received the way you intended. Recent example was me sending some DNS records to a client’s technical contact. Except their virus scanner botched the records by transforming them like links, wrapping them with some link-scanner URL. Cue 6 extra mails back and forth until we found a working solution. (Ties in with lack of moderation and threading issues.)

                                                                                    A pain in the arse for sure, but ISPs and virus scanners have been known to do similar things to web pages too! I remember reading horror stories about ISPs inserting ads into web pages, for example. So it’s not just an email problem.

                                                                                    Making editorial changes after the message was sent. How many more times do we have to deal with missing attachments already? (Cue 2 extra mails every time.) (Also applies to IRC, btw.)

                                                                                    I think this is a good thing. It has tradeoffs, it can be annoying, but I quite like that once I’ve received an email the person sending it can’t go back and edit it later.

                                                                                    IRC you can just do

                                                                                    <mrr> I fuckign hate XML
                                                                                    <mrr> s/fuckign/fucking/
                                                                                    

                                                                                    and you can even configure some clients to perform the replacement. :D

                                                                                    Tools that take over sending from the regular MUA, like git-send-email, just make me wary. I want to know when something is going out in my name. I want ample confirmation, or at least the flow I’m used to.

                                                                                    git config sendmail.confirm always

                                                                                  1. 16

                                                                                    lol it would actually be difficult for me to find a post I disagree with more. The fact that email is an open platform is about the only thing I agree with the author about.

                                                                                    email isn’t that difficult to use

                                                                                    It really is. It’s reasonably easy to use if a thread remains linear, but if it branches at all (someone responds to a message that isn’t the latest one in a thread) it becomes almost impossible to follow.

                                                                                    no moderation tools is a good thing

                                                                                    Ok, this is wrong in two ways, one is that without moderation tools your mailing list becomes a mess and the other is that every mailing list platform I’ve used lets you block people from the list.

                                                                                    plain text is great

                                                                                    It may well be great but let’s face it, we lost the war on HTML email a long long time ago

                                                                                    email is federated

                                                                                    True! If I have a gmail account and you have an outlook account we talk just fine, however running your own mail server is an exercise in pain so that the big mail providers don’t put you on a spamlist

                                                                                    1. 4

                                                                                      It’s reasonably easy to use if a thread remains linear, but if it branches at all (someone responds to a message that isn’t the latest one in a thread) it becomes almost impossible to follow.

                                                                                      I just responded to a message that isn’t the latest one in the thread. Do you find this difficult to follow?

                                                                                      Ok, this is wrong in two ways, one is that without moderation tools your mailing list becomes a mess and the other is that every mailing list platform I’ve used lets you block people from the list.

                                                                                      In Discord, you can get banned outright, that is you cannot participate in any community discussion. Can this happen in email? No.

                                                                                      It may well be great but let’s face it, we lost the war on HTML email a long long time ago.

                                                                                      What’s the last time you’ve seen an email that needs HTML features written by a human person for you? You don’t need HTML mail.

                                                                                      1. 5
                                                                                        <marquee>TL;DR: HTML was expected to be mostly plain text.</marquee>
                                                                                        
                                                                                        <p>Is this readable to you? It is what HTML email composed by human
                                                                                        <b>could</b> look like if the HTML formatters were working nicely</p>
                                                                                        
                                                                                        <p>I doubt many people read HTML pages with curl, but for email it
                                                                                        might happen quite often if using a non-HTML client... Ok image looks
                                                                                        weird, <a href="https://example.org">links</a> are a bit obnoxious...
                                                                                        but HTML also stated simpliciyt as a goal.</p>
                                                                                        
                                                                                        <p>That being said, I have <i>never</i> seen any HTML email formatted
                                                                                        with nincely flowed text, and I guess a text alternative part is used
                                                                                        instead of "readable HTML source"</p>
                                                                                        
                                                                                        <p>This is not exactly a problem of email itself, but more generally
                                                                                        speaking HTML source</p>
                                                                                        
                                                                                        1. 3

                                                                                          I just responded to a message that isn’t the latest one in the thread. Do you find this difficult to follow?

                                                                                          I don’t, because I’m not using email. Reddit/lobsters or traditional forum software is so much easier to navigate

                                                                                          What’s the last time you’ve seen an email that needs HTML features written by a human person for you? You don’t need HTML mail

                                                                                          Well my mom emails me regularly with inline images and rich text, so…

                                                                                          1. 4

                                                                                            I don’t, because I’m not using email. Reddit/lobsters or traditional forum software is so much easier to navigate

                                                                                            Because you’re used to it, I guess. I really clearly remember opening Reddit and being utterly perplexed as to how it was meant to work. Why were some messages half way across the screen? Why were all the messages over on the left? How could I centre the messages on my screen? How were the messages sorted?

                                                                                        2. 6

                                                                                          If you have a gmail account, you are creating problems for everyone who doesn’t. GMail is the single biggest offender when it comes to false positives and silent loss of messages coming from independent servers.

                                                                                          1. 3

                                                                                            we lost the war on HTML email a long long time ago

                                                                                            I keep holding on, but yes, this is sadly true

                                                                                            1. 3

                                                                                              It really is. It’s reasonably easy to use if a thread remains linear, but if it branches at all (someone responds to a message that isn’t the latest one in a thread) it becomes almost impossible to follow.

                                                                                              Do you really feel that way? Personally I hate threaded discussions for anything except mailing lists. They’re particularly odious on discussion forums, which is part of why using reddit as a discussion forum sucks so much.

                                                                                              But for discussing patches on a mailing list, for example, having multiple threads of discussions with different people all interlaced in a linear order seems much worse than threading. One person replies with some style suggestions, another with a functionality request and another with a bug. Do you really want those comments and their replies to be interlaced? All that’s going to happen is people are just going to quote the entire thing they’re responding to in the linear thread to emulate true threading. You see this on flat/unthreaded forums all the time.

                                                                                              Ok, this is wrong in two ways, one is that without moderation tools your mailing list becomes a mess and the other is that every mailing list platform I’ve used lets you block people from the list.

                                                                                              I think the point being made here is not about moderation on the mailing list level (which is fine, communities can and should moderate themselves) but on the platform level. If you use Slack or Discord then your use of the entire platform can be moderated away by the people that run those platforms.

                                                                                              About the only way you can moderated off ‘email’ as a platform is if you’re moderated off the entire internet in general. If you’re not literally the Daily Stormer you should be fine.

                                                                                              It may well be great but let’s face it, we lost the war on HTML email a long long time ago

                                                                                              In what way? People use HTML email, people use Discord, people use Facebook. Others using something doesn’t mean you have to use it. When I get HTML email, depending on context, I sometimes explain to people why it’s problematic (accessibility, privacy, etc.). I have emailed service providers asking that they send plain text and HTML email, or at least don’t send a “plain text” mime part that’s just got HTML in it, because it confuses my email client.

                                                                                              People will keep using HTML email. You don’t have to.

                                                                                              True! If I have a gmail account and you have an outlook account we talk just fine, however running your own mail server is an exercise in pain so that the big mail providers don’t put you on a spamlist

                                                                                              It’s honestly not that hard and even if you don’t want to, there are lots of reputable non-Gmail non-Outlook webmail providers like Fastmail etc.

                                                                                              And you can use those providers but not use their webmail client, just throw their IMAP/SMTP details into your email client.

                                                                                            1. 13

                                                                                              Sending patches via email is as simple and straightforward

                                                                                              I would say sending and receiving patches via email is currently one of the downsides. Yes it works but it could be far better. I would say this is the biggest benefits of github/gitlab/…

                                                                                              First problem the send is done by git itself. Therefore you have to add your email credentials to git. Also the send mail only gets to your outbox, if your MSA puts outgoing mails in there (not sure how common this is).

                                                                                              On the receiving side you have to get the mail itself, which is with most GUI MUA not that easy. To apply the patch you have to guess the parent. The patch itself don’t include any hint’s for that. Yes you could write this in the cover-letter, but this would be only human readable (or only in your private format).

                                                                                              To have multiple patches, git-send-email generates one mail per commit. This works fine if you only want to answer to one commit. But if you want to reference multiple commits in one mail you have to copy. Also only one mail is referenced[0]. Send them as attachments is a workaround. Then your MUA should be able to use the content of attachments in a reply. I don’t know with MUAs have this feature. I assume this isn’t implemented very often.

                                                                                              [0] A email could theoretical reference multiple emails, but this isn’t implemented. Mostly because it has rare use cases and it’s hard to implement.

                                                                                              1. 4

                                                                                                To apply the patch you have to guess the parent. The patch itself don’t include any hint’s for that. Yes you could write this in the cover-letter, but this would be only human readable (or only in your private format).

                                                                                                If you use the --base argument to git format-patch it will say the base commit. You can also specify any prerequisite patches. --base=auto is probably what you want, you can enable it by default globally with git config --global format.useAutoBase true.

                                                                                                But if you want to reference multiple commits in one mail you have to copy. Also only one mail is referenced

                                                                                                It’s not clear to me why you’d want to reference multiple commits in one mail. It’s a bit confusing what you mean here. You want to send multiple unrelated commits in a single email? Or multiple related commits?

                                                                                                If you want people to be able to respond to the patch series as a whole they should respond to the cover letter.

                                                                                                1. 1

                                                                                                  you use the –base argument to git format-patch it will say the base commit

                                                                                                  Thanks didn’t know that.

                                                                                                  You want to send multiple unrelated commits in a single email? Or multiple related commits

                                                                                                  Of cures related commits.

                                                                                                  If you want people to be able to respond to the patch series as a whole they should respond to the cover letter.

                                                                                                  How do I use the content of the commits? how do I annotate which commits I reference? Oh by manual copy. As receiver I than have to manual search. Why do I have a computer again?

                                                                                                  I know you find a workaround for every problem I mention. But this is somehow the problems. You need these workaround, because the base concept don’t work properly.

                                                                                                  1. 2

                                                                                                    How do I use the content of the commits? how do I annotate which commits I reference? Oh by manual copy. As receiver I than have to manual search. Why do I have a computer again?

                                                                                                    You respond to those patches, surely? It’s not clear what the issue is here, to me. I mean if you want to respond to a patch series as a whole, “holistically”, you respond to the patch series, if you want to respond to a single patch, you respond to it directly, if you want to respond to multiple emails, you need a good client because most don’t support that. But having them split makes sense because usually you want to either address the whole patch series as a concept or you want to dig into the nitty gritty of individual patches. I think if you want to respond to the nitty gritty details of multiple patches in a single email then they probably shouldn’t be multiple patches but should be a single patch.

                                                                                                    I know you find a workaround for every problem I mention. But this is somehow the problems. You need these workaround, because the base concept don’t work properly.

                                                                                                    I just don’t think these are problems at all.

                                                                                                2. 2

                                                                                                  First problem the send is done by git itself. Therefore you have to add your email credentials to git.

                                                                                                  Not that different from using usual mail clients. Git is just another one, that only sends.

                                                                                                  Also the send mail only gets to your outbox, if your MSA puts outgoing mails in there (not sure how common this is).

                                                                                                  You can add your address to CC.

                                                                                                  To apply the patch you have to guess the parent.

                                                                                                  Master, unless the patch specified otherwise. You can apply the patch on whatever commit you want if it applies cleanly, and if it doesn’t, there’s git am -3 for a 3-way merge.

                                                                                                  The patch itself don’t include any hint’s for that.

                                                                                                  You can add such hints under the commit message in the patch.

                                                                                                  1. 6

                                                                                                    Git is just another one, that only sends

                                                                                                    Yes, but I already have one. It’s set up how I want my mail work. Why do I need an other?

                                                                                                    You can add your address to CC.

                                                                                                    Yes but why should I, my MUA does that for me. Also then the mail goes to my inbox not my output. Of course I can move it to my outbox. Also I can create a filter rule to automate that, but again why should I create an workaround for something my MUA already does?

                                                                                                    Master, unless the patch specified otherwise

                                                                                                    This only works if you process the patch directly. If you find a patch after a few month you have no clue with commit was the HEAD at this time and you may have to manual merge it before you can work with the commit.

                                                                                                    You can add such hints under the commit message in the patch

                                                                                                    Yes but you then have to parse this by human, because there isn’t a format for this.

                                                                                                    Don’t get me wrong. I would love to have a good way to send patches/commits over email. But git send-email is horrible. Attaching format-patches is better but still have big problems.

                                                                                                    edit: formating

                                                                                                    1. 3

                                                                                                      Yes, but I already have one. It’s set up how I want my mail work. Why do I need an other?

                                                                                                      Well you don’t need another. You can use a competently written mail client to send patches. But most of them are horrible and so if you want to send patches you need to use git send-email. Really, send-email exists for people that don’t want to change their mail client.

                                                                                                      Don’t get me wrong. I would love to have a good way to send patches/commits over email. But git send-email is horrible. Attaching format-patches is better but still have big problems.

                                                                                                      It’s completely fine.

                                                                                                      1. 3

                                                                                                        Well you don’t need another. You can use a competently written mail client to send patches. But most of them are horrible and so if you want to send patches you need to use git send-email. Really, send-email exists for people that don’t want to change their mail client.

                                                                                                        Only partly true. git assumes you can put raw diffs in a Mail. But this only works if your diff contains only ASCII and no lines longer then 998 chars (excluding CRLF). Also Lines should not be longer then 78 chars. So most MUA implement MIME (rfc 2045ff) to avoid these problems. The implementation and documentation of git format-patch and git am just ignore there is something what is called Content-Transfer-Encoding.

                                                                                                        Even if my MUA wouldn’t add a transfer encoding for long lines the complete handling is horrible. git format-patch generates one file per commit. These are mboxs with exactly one mail. So I need to get the mail out of the mbox to properly send a patch. Then you have to generate a series of drafts which reference the first mail of it. Of course no MUA implements this, because why do you want to reference a mail you haven’t even send?

                                                                                                        1. 3

                                                                                                          The implementation and documentation of git format-patch and git am just ignore there is something what is called Content-Transfer-Encoding.

                                                                                                          Then what is the --transfer-encoding argument to git-send-email for? Specify the transfer encoding to be used to send the message over SMTP. You can specify 7bit, 8bit, quoted-printable or base64 (or auto). The latter won’t have an issue with lines longer than 998 characters.

                                                                                                          Also Lines should not be longer then 78 chars.

                                                                                                          That rule of email etiquette doesn’t apply to patches in my experience.

                                                                                                          git format-patch generates one file per commit. These are mboxs with exactly one mail. So I need to get the mail out of the mbox to properly send a patch.

                                                                                                          You can just put the mbox into your Drafts folder…

                                                                                                          It’s funny how you seem to have all these problems with something that’s used successfully by tens of thousands of Linux kernel developers along with countless other communities and projects.

                                                                                                          EDIT:

                                                                                                          If given –thread, git-format-patch will generate In-Reply-To and References headers to make the second and subsequent patch mails appear as replies to the first mail; this also generates a Message-Id header to reference.

                                                                                                          Does this solve your issue?

                                                                                                      2. 2

                                                                                                        This only works if you process the patch directly. If you find a patch after a few month you have no clue with commit was the HEAD at this time and you may have to manual merge it before you can work with the commit.

                                                                                                        In my experience, maintainers will just tell you to send another revision if your patch doesn’t apply cleanly.

                                                                                                  1. 27

                                                                                                    There’s a huge funnel problem for computer science at the moment. Go and Rust have some pretty serious evangelical marketing teams, but they are a drop in the ocean compared to the emergent ultramarketing behemoth that feeds JavaScript to the new developer.

                                                                                                    Part of this is that JS is constantly “new and modern” – with the implication that it’s a bandwagon that you’ll be safe on, unlike some of the old cobwebbed bandwagons. Constant change and “improvement” is itself a safety generator.

                                                                                                    Another part is that it’s so easy to get to hello, webpage. The sweet spot on the racket is enormous. Every computer including your phone comes with at least 1 and usually several JS interpreters. Frictionlessness drives adoption.

                                                                                                    The problem is that JS is, violently, garbage for most purposes. It’s a local maxima that has essentially everyone trapped, including the next generation. It’s not clear how we escape from this one.

                                                                                                    1. 16

                                                                                                      I feel about JS similarly to the way I felt about the x86 ISA taking over the world. “A local maxima that has everyone trapped”, that caused billions of dollars of R&D to be diverted into clever hardware, code generation, psychological treatment for programmers, etc. (I think the last thing is a joke, but I’m not sure.) One could even draw a parallel between the modern “micro-op” architectural approach to bypassing literal x86 in hardware and the WASM approach to bypassing literal JS in the browser.

                                                                                                      1. 10

                                                                                                        The longer it goes, the more this talk gets correctly.

                                                                                                        1. 1

                                                                                                          I’m not sure any other ISA would have been better than x86 at the time x86 began to take off. Lots of companies were trying lots of things in the RISC world, and plenty of money was being spent on RISC hardware and compilers, and the x86 still began to take off. Intel had a lot of money? IBM had a lot of money, and IBM was working on RISC. HP had a lot of money, and HP was working on RISC. And so on.

                                                                                                          1. 2

                                                                                                            Of the obvious choices available at the time x86 began to take off (1984ish), I would say the 680x0 was a better choice, demonstrated by watching the parallel evolution of the two. At least the extensions to 32-bit and virtual memory seemed a lot more straightforward on the 68k. They both would have run out of steam and gotten weird by now, but I feel like it would have been less weird.

                                                                                                        2. 2

                                                                                                          It’s not clear how we escape from this one.

                                                                                                          Simply wait. There are some better tools out there (for some value of the objective function “better.”)

                                                                                                          We’ve moved on from C, C++ and Java, all of which have had a similar level of death grip. JS is not invincible. The more users it attains, the more it suffers problems of perception due to the wide variance of quality. This gives rise to new opportunities.

                                                                                                          Really, I get a bit disappointed that everyone is content to rewrite everything every seven years, but, hey, it’s their life.

                                                                                                          1. 0

                                                                                                            I take strong offense at this proclamation of JavaScript as garbage. What kind of an opinion is that? If you don’t know JavaScript, don’t call out garbage. If you do know if well, you’ll see that it isn’t any more garbage then any other modern language for most purposes for which it is used - at least on backend.

                                                                                                            The entire ecosystem has some issues, but every ecosystem does. And considering that node was created only a decade ago and has vastly more users then some “serious” things that exist for ages, it’s obvious that there’s something that it’s going correctly.

                                                                                                            1. 28

                                                                                                              I take strong offense at this proclamation of JavaScript as garbage.

                                                                                                              You are offended on behalf of Javascript? People can dislike things that you like. It doesn’t do anything.

                                                                                                              1. 4

                                                                                                                Okay, inprecise choice of words on my part. I’ve wanted to state that I strongly disagree with his statement, english isn’t my first language and so I didn’t think every word completely through. I think you can still get the message. Be flexible a bit and you’ll understand it.

                                                                                                                1. 7

                                                                                                                  I’m not sure what other languages you know, but compared to most popular languages:

                                                                                                                  • Javascript has a weird type-system that doesn’t really pay off. Sure, they added inheritance recently (welcome to the 80s), but there are all kinds of inconvenient relics like having to do Object.keys(x) when in Python you can just do x.keys() (as in most popular languages)

                                                                                                                  • Javascript makes it much harder to catch errors. Its implicit typecasting (undefined+“1”==“undefined1”, really??) and misuse of exceptions in the API means that when something goes wrong, you’ll often find out a few functions later, and then struggle to zero-in on the actual problem.

                                                                                                                  • The ecosystem is too fractured. The lack of a curated “standard library” sends novices into all sorts hacky solutions, and makes other people’s code less familiar.

                                                                                                                  I could really go on for a long while, and there are tons of example that I could give. I can say positive things too, like it has a good JIT, lots of interesting libraries, and some nifty syntax features (while lacking others), but overall think it’s a really bad language, that just happened to be in the right place and in the right time.

                                                                                                                  1. 1

                                                                                                                    For the record, JavaScript has always had inheritance, it just hasn’t had a class syntactical sugar that made it trivial to use until ES6.

                                                                                                                    1. 1

                                                                                                                      I wouldn’t call it bad. It just has bad parts. The == operator you mentioned is a trap for many beginners. On the other hand, there’s no inheritance problem because the inheritance was always there - you just have to know how prototypes work. The type system without extra tools and some practice is a pain. Yet the closure or say prototypical inheritance and composability you get is great.

                                                                                                                      JavaScript got really lousy reputation because unlike, say, C++ or Java, everybody wrote it, not just people who studied software engineering for five years and know how to use tools, have structure and not break the rules.

                                                                                                                      And it’s keeping the lousy reputation because it is still being done - randos adding jquery plugins for perfectly css-able animations even today.

                                                                                                                      Plus it’s got 25 years of backwards compatibility to maintain, so those bad parts never leave. Yes, it has been at the right place at the right time - but many others have tried and are still trying.

                                                                                                                      But despite all the bad parts and lack of standards, it’s still immensely flexible and productive and for a lot of use cases actually provides the best concepts to do them. Could you put something like elixir in a browser engine? Or java? Or Rust? Probably. Would it be better? Maybe, but I suspect not by much.

                                                                                                                      I don’t know, I’m probably not seeing it. I’m not claiming that it’s a great language or that it’s even good for everything and everyone. But people only see the ads and single page apps where they don’t belong or where they simply don’t like it, and ignore a lot of directness that the language provides, look down on flexibility, and don’t allow the little language that could its deserved praise (where it does deserve it).

                                                                                                                      Once again, as I’ve said in another comment - I don’t claim it’s the best language ever. I’m just saying it is not garbage. These days the tooling and the entire ecosystem is mature and there are no more language issues in writing a typical NodeJS application then in most other similar languages.

                                                                                                                      1. 1

                                                                                                                        Javascript has a weird type-system that doesn’t really pay off. Sure, they added inheritance recently (welcome to the 80s)

                                                                                                                        It added inheritance as a sop to people who didn’t know composition and refused to learn. Are you not satisfied with that? Does it have to become a pure Smalltalk clone for you? Composition is more powerful but it’s less familiar. Now JS has easy ways to do both.

                                                                                                                  2. 23

                                                                                                                    I have a deep understanding of JavaScript; I promise that my opinion is rooted in experience.

                                                                                                                    1. 6

                                                                                                                      Even though you personally find Node impressive, there might be people who don’t get impressed by languages (or any software really).

                                                                                                                      Being impressed or having respect (for a software) makes no sense. It is just a tool that should be used or discarded at will. Not a cultural icon.

                                                                                                                      If you do know if well, you’ll see that it isn’t any more garbage then any other modern language for most purposes for which it is used - at least on backend.

                                                                                                                      You have stated no arguments that support your conclusion. I believe that the jury is still out on the matter of language effect on productivity. All the studies I know of were totally botched.

                                                                                                                      Anecdotally, I have seen more poor Node backends than Python ones. I have also seen less high quality Haskell backends, which confuses me greatly. Still, I wouldn’t go as far as to conclude that everything is the same crap.

                                                                                                                      1. 5

                                                                                                                        Denying the role of aesthetic judgement in programming is madness.

                                                                                                                        1. 1

                                                                                                                          I didn’t state I find Node impressive. I do love it for the productivity it brings to me. And that is just the point of my reply. The guy claimed JavaScript is garbage, also without arguments. I’ve just pointed out that. No more garbage then any other language, in my opinion. If anybody brings arguments into this whole discussion, including the original post of the thread that claims people are pushing node, we can talk about with arguments. Otherwise we’re all just giving opinions and estimations.

                                                                                                                          Anecdotally I’m seeing much more crappy Java Enterprise and Spring backend code lately then node. Likely because I work at a java shop now. But I don’t claim that people are pushing Java exclusively for backend (even though they do at my company, we literally have 100% Java in my 800 people department), nor do I claim Java is garbage.

                                                                                                                          I hope that clarifies my objection to the claim of garbageness.

                                                                                                                          1. 4

                                                                                                                            I think you are right that JavaScript brings great initial productivity. Especially in the single developer case. For many simple tasks, it is easy to use node, easy to use npm, and easy to deploy code. Where I have seen problems that I know are avoidable in other languages is in its long term sustenance and operation, which are vitally important parts of software engineering.

                                                                                                                            Other languages have, for example, highly vetted and deep standard libraries of functions which are included in the system and move very slowly, which eliminates large classes of dependency management issues. Or, they have good type systems, which helps prevent common problems, especially in dynamic languages. Or they have exceptional tooling that enforces good practices. Or they are especially operable in production, with good intrinsic performance or observability characteristics.

                                                                                                                            But the most important thing, to me, is that most other languages have a culture of remembering, but this is distinctly lacking in JavaScript. I attribute this to many JavaScript programmers starting from scratch in their software career inside JavaScript, and not having broader exposure to the vast surface of other kinds of software. And I attribute it also to the “stack overflow” method of programming, in which rather than engineer your software, you assemble it from the guesses of others, losing fidelity and getting more blurry with each iteration.

                                                                                                                            It could sound like I’m being a pretentious jerk. I’ll confess to that. But having been a professional software engineer for now 32 years, and having seen probably a hundred languages and environments, the current JavaScript one is my least favorite. I appreciate that it’s one that you have significant personal investment in, but I would also encourage you to step out and up, and look around.

                                                                                                                            1. 1

                                                                                                                              Thanks, this also raises some quite relevant concerns. And I agree with these things. And now I have to fall back to the fact that despite these problems, it’s not garbage. I did step out and I try other languages and their frameworks, but I’m simply personally the most productive with it. And when I worked in teams where Node was used on the backend, the teams were professionals and mostly didn’t have problems with the language itself - maybe more or less then if it was done in, say, Spring or Rails, but I would say the typical problems are always stupid things like commas in the database where they break serialization somehow.

                                                                                                                              And that is the point of my original comment. Which was that I object to the claim that JavaScript is garbage. Maybe a lot of garbage is written in JavaScript today, but it in itself is not that, and can provide perfectly productive envrionment for doing our jobs.

                                                                                                                        2. 6

                                                                                                                          I wouldn’t call JavaScript “garbage” myself, but it sure has some problems that few other languages have. [1] + [2] resulting in "12" being a simple example. JavaScript definitely took the 90s/00s vogue of “all things should be dynamic!” more than a few steps too far.

                                                                                                                          considering that node was created only a decade ago and has vastly more users then some “serious” things that exist for ages, it’s obvious that there’s something that it’s going correctly.

                                                                                                                          Well, just because it’s popular doesn’t mean it’s good ;-)

                                                                                                                          I notice myself that I often use tools that I know, even when it’s not necessarily the best fit, simply because it’s so much easier. Yesterday I wrote some Ruby code for a Jekyll plugin and had to look up a lot of basic stuff and made a few simple mistakes along the way; there was quite a lot of overhead here. And I programmed Ruby for a living for 2 years (but that was 5 years ago, and looks like I have forgotten much).

                                                                                                                          JavaScript is rather unique in the sense that almost everyone has to deal with it because it’s the only language supported by browsers[1], so there are a lot of people familiar with JS who would rather like to use it in other scenarios as well: not necessarily because it’s the “best”, but because it’s just easier as they won’t have to re-learn a whole bunch of stuff.

                                                                                                                          That’s not necessarily a bad thing, by the way; I’m all for giving people the tools to Get Shit Done. My point is merely that much of NodeJS’s popularity probably stems from factors other than intrinsic qualities of the language, runtime, and/or ecosystem.

                                                                                                                          [1]: Ignoring wasm, which isn’t quite ready for production-use, and “X-to-JS” compilers, which typically still require knowledge of JS.

                                                                                                                          1. 1

                                                                                                                            Oh, I wasn’t claiming that the popularity of NodeJS comes from it’s quality. I’m just saying JavaScript is not garbage, which the commenter claimed without argumenting it.

                                                                                                                            I mean, I know that [1] + [2] is “12” in JavaScript. But if you ask me how many times I’ve had a problem because of that in the last year, I would possibly be mistaken, but I would say 0 times.

                                                                                                                            Again, it’s not the best language and it has its problems. But it’s not garbage.

                                                                                                                            1. 2

                                                                                                                              I mean, I know that [1] + [2] is “12” in JavaScript. But if you ask me how many times I’ve had a problem because of that in the last year, I would possibly be mistaken, but I would say 0 times.

                                                                                                                              I find this interesting, because a few comments upwards, you state this:

                                                                                                                              The typical problems are always stupid things like commas in the database where they break serialization somehow.

                                                                                                                              It might just be me, but in no other language have I ever heard of specifically this problem. If you dig a little deeper, you’ll notice that there are a few fundamental issues in the language. But definitely the most prominent root issue is that types are treated extremely loosely, which causes all sorts of offshoot problems, like the two above.

                                                                                                                              I always try to think a bit more holistically about this, and when you do, you start to see this pop up everywhere. Just yesterday I was debugging an issue with a colleague where he accidentally was throwing a JSON-encoded string at a program where in fact he should have been taking the JSON document, extract a specific key’s string value and send that to the program. Basically the same thing: it’s too easy to mix up types.

                                                                                                                              I occasionally see this in Python as well: when you accidentally have a string instead of a list of strings; because of the “everything is a sequence” abstraction it’s too easy to mix things up, and you end up chasing down the rabbit hole before you figure out where it’s going wrong. It’s better if things error out early when you try to do something that makes no sense.

                                                                                                                              Having type-specific operators makes it easier to get your bearings when reading unfamiliar code, too, in my experience.

                                                                                                                          2. 3

                                                                                                                            And considering that node was created only a decade ago and has vastly more users then some “serious” things that exist for ages, it’s obvious that there’s something that it’s going correctly.

                                                                                                                            No, it means JS has a powerful monopoly (the web) and thus commands a huge mindshare. Some subset of those people want to take their painstakingly earned experience to the server.

                                                                                                                            1. 0

                                                                                                                              So, ‘heads I win, tails you lose’, eh? Good argument. /s

                                                                                                                          1. 9

                                                                                                                            Thanks for the detailed writeup. Seems like the machine still needs some more polish in the audio department. Having a lot of low-level options via ALSA sound interesting to me, actually. As someone who produces music on Linux, I prefer to give ALSA a good kicking until it works, rather than dealing with Pulseaudio’s latency issues. Is it possible to record the internal stereo mix directly, ie. can you select it as a recording source without resorting to jackd trickery?

                                                                                                                            1. 7

                                                                                                                              To be honest, “you have to use ALSA instead of pulse to get audio to play reliable” is not a pinebook-specific problem; both my thinkpads are the same way.

                                                                                                                              1. 7

                                                                                                                                And I have the opposite experience with both my thinkpads. Audio ‘just works’ with pulseaudio, including multisource concurrent playback, auto-switching from internal mic/speaker to external headset on plug in, bluetooth headsets, etc. None of that works out of the box with alsa on those systems.

                                                                                                                                1. 5

                                                                                                                                  Agreed, wasn’t trying to suggest otherwise. That said, “reliable” maybe isn’t the right word. Pulseaudio works fine for just listening to music or watching video, and is usually much less of a hassle to set up. When latency matters however (music production, emulation), ALSA performs much better in my experience.

                                                                                                                                  1. 5

                                                                                                                                    Pulseaudio works fine for just listening to music or watching video

                                                                                                                                    This has not been my experience. Of course every machine is different, but I used to have it cutting out constantly until I removed it entirely. Frequently plugging in my headset would reset the volume so that one ear was muted and the other wasn’t. Ever since uninstalling pulse, on my machines ALSA has been 100% reliable.

                                                                                                                                    1. 2

                                                                                                                                      I haven’t had problems with pa since switching to Arch from Fedora. I think the experience varies a lot based on what distro you use.

                                                                                                                                      1. 1

                                                                                                                                        On my old black plastic MacBook (3,2) running Arch back in the day, PulseAudio was what made Linux audio start to be nice. ALSA worked, but in an https://xkcd.com/963/ sort of way.

                                                                                                                                  2. 3

                                                                                                                                    Linux ecosystem in general needs cleanup in audio department

                                                                                                                                    1. 9

                                                                                                                                      Charts like that having been making the rounds for ages and always feel they’re a bit disingenuous because most people don’t have half that stuff installed, and use even less of the stuff they do have installed.

                                                                                                                                      For most people, it’s just PulseAudio → ALSA → Sound card. Some of the abstractions/libraries on top of that – such as SDL, gstreamer, etc. – add useful features like the ability to decode mp3 files and whatnot. In other words, it’s a lot less messy than that chart makes it seem.

                                                                                                                                      (I do have plenty of gripes with the ALSA C API, which is … not very good, but that’s a different matter)

                                                                                                                                      1. 8

                                                                                                                                        Indeed, these charts conflate the audio system with multimedia libraries (and in case of the first one, even multimedia applications like VLC). That said, I very much agree that the state of audio on Linux is not great. Sadly everybody seems to be betting their horses on Pulseaudio, which to me seems more like an attempt to cover up the mess rather than cleaning it up.

                                                                                                                                        1. 3

                                                                                                                                          VLC is included because of one of the cursed parts in the chart - VLC can be used as a playback backend by phonon, which is an audio playback API that is mostly used by KDE software.

                                                                                                                                        2. 4

                                                                                                                                          (I do have plenty of gripes with the ALSA C API, which is … not very good, but that’s a different matter)

                                                                                                                                          Out of curiosity, do you have any references for what a good low-level audio API looks like? It’s something I’ve been wondering about for a while, since audio on Linux is so perennially bad, but while I’m decently familiar with the physics of audio I don’t know much about the low-level details. It seems like it should just be “bytes with the proper format go into buffer at a fixed rate”, which is something that GPU and network drivers have been solving forever…

                                                                                                                                          1. 2

                                                                                                                                            It’s not perfect, but in contrast to Linux, I’ve never had audio issues under FreeBSD: https://www.freebsd.org/cgi/man.cgi?query=sound&sektion=4

                                                                                                                                            1. 2

                                                                                                                                              Thanks, I’ll take a look at it!

                                                                                                                                            2. 1

                                                                                                                                              Coming in late, but sndio is also worth a look(default sound under OpenBSD)

                                                                                                                                        3. 2

                                                                                                                                          Is it possible to record the internal stereo mix directly, ie. can you select it as a recording source without resorting to jackd trickery?

                                                                                                                                          I have no idea, but if you can give me some pointers on how to find out I can try. If it’s worth anything, the full dump from the alsa-info script is here: http://alsa-project.org/db/?f=5363202956bb52364b8f209683f813c662079d84

                                                                                                                                          1. 2

                                                                                                                                            Thanks. Judging from this output, it is not possible to record the internal mix out of the box. That’s somewhat disappointing. It’s not surprising considering this has been the norm for off-the-shelf laptops for several years now, but I would have expected an open hardware like the Pinebook Pro to fare better.

                                                                                                                                          2. 1

                                                                                                                                            Just to satisfy my curiosity, why do you want to record the internal mix on the built in sound card? This is surely handy in some situations (when you want to record all your screen for example) but… personally for serious music stuff I’ve always used USB sound cards. Playback is probably okay on most decent laptops these days, but recording is something entirely different even on a super high end machine. So if I’d buy a Pinebook Pro I would expect an awfully noisy sound card even for playback (even if I wouldn’t really care).

                                                                                                                                            There’s another clue: the issue with the speakers described in the article feels like a noise coming from a bad sound card or amplifier. Broken speakers don’t produce noise like that.

                                                                                                                                          1. 1

                                                                                                                                            This seems interesting but I was curious how browser updates work (Gobo doesn’t seem to be a rolling release as far as I can tell). As far as I can tell you just use the binaries that Mozilla provides (which is fine) but I guess you have to put it manually into the new directory structure?

                                                                                                                                            While doing some searching I came across this old Reddit thread: https://old.reddit.com/r/linux/comments/b6du1k/anyone_using_gobolinux_daytoday/

                                                                                                                                            1. 1

                                                                                                                                              You might just use /Programs/Firedox/Latest/ as the installation location and use Firefox auto update on Linux which just patches Firefox in-place. I don’t see much need to version it anyways, if you don’t do webdev.

                                                                                                                                            1. 7

                                                                                                                                              When it comes to blocking ads, I go all the way: uBlock Origin with all the bells and whistles activated, cookie-blocker, cookie-consent-blocker, privacy badger, cookie autodelete, etc., but most importantly, SponsorBlock, where a community of enthusiasts identifies sponsor clips in youtube-videos, marks them and auto-skips them for everybody else. If you think that these sponsors take long to get “detected”, you’re wrong: I’ve not seen a single sponsor since I’ve been using it, even on videos only a few minutes (!) old.

                                                                                                                                              Sponsors are getting increasingly annoying and widespread on YouTube. I don’t think that content should be free, and youtubers need a way to monetize their videos, but using ad blocking technology might push them to much saner models like Patreon.

                                                                                                                                              I see it like this: Every ad-served user wastes a set amount of time and is annoyed, but only contributes like 0.001€ per view. If only one in 5000 viewers is a regular supporter on patreon with 5€/video (which is not uncommon), the youtuber gets the same amount of reward and everyone benefits from it. The patreon supporter gets a few perks on top, but most importantly, no one has to sit through ads. Another thing is, that since the adpocalypse on YouTube, the YouTubers are getting demonetized for even little things. And those ad-friendly-guidelines will get stricter and stricter. Going away from ad-revenue will not only bring benefits to the viewers, it will also bring back independence to the videomakers.

                                                                                                                                              Some people blame me for blocking ads, but I just can’t be arsed to sit through them. Every time I use another person’s phone, it really shocks me how bad ads on the internet have become. Those people using iDevices can’t even install ad blockers, which shows how bad a walled garden can harm your experience.

                                                                                                                                              1. 8

                                                                                                                                                I probably won’t install SponsorBlock.

                                                                                                                                                The main reason is that most of the arguments I made against ad blocking don’t apply here. Sponsored video clips are unlikely to exploit vulnerabilities (the video creator, and likely the video host, have reencoded the clip they were provided, so any malformed video is probably gone by now). They can’t track you, since they cannot make any outgoing web requests, and they cannot change after the video has been produced. And because they’re unable up change after the video is put out, they’re also unlikely to link to fly-by-night malware operations; starting from scratch as a direct video sponsor is too much work.

                                                                                                                                                They’re still annoying, but I’m sorry, the time and effort it takes to install and configure an ad blocker takes too much work just for a minute or two per video.

                                                                                                                                                1. 1
                                                                                                                                                  1. 4

                                                                                                                                                    It’s not as simple as a five minute initial setup. Ad blockers incur a variety of other costs:

                                                                                                                                                    • I’m not nearly smart enough to make good points on capitalism in general, but I know people who see ad blocker as a moral hazard. I do have to justify myself to others.

                                                                                                                                                    • Ad lists aren’t 100% reliable. There’s the risk of someone inserting a “sponsor segment” that messes up the video, either because they disagree on what constitutes a sponsor segment (does product placement count?) or because they’re just trolling.

                                                                                                                                                    • If I switch browser, I need to re-install the add-on.

                                                                                                                                                    • If the browser upgrades, the add-on might break.

                                                                                                                                                    • If the video website upgrades, the add-on might break it.

                                                                                                                                                    • The add-on might be compromised. Ask about the Stylish incident.

                                                                                                                                                    Clearly worth it for the script-carrying ad networks (I am not going to take on a security hazard just up prop up your business), but not so obvious for video sponsors.

                                                                                                                                                2. 2

                                                                                                                                                  Thank you for this, I never heard about SponsorBlock and I already love it!

                                                                                                                                                  1. 1

                                                                                                                                                    If only one in 5000 viewers is a regular supporter on patreon with 5€/video (which is not uncommon), the youtuber gets the same amount of reward and everyone benefits from it. The patreon supporter gets a few perks on top, but most importantly, no one has to sit through ads.

                                                                                                                                                    This is a great point. This is a really good article on that topic by Tim Carmody.

                                                                                                                                                    Those people using iDevices can’t even install ad blockers

                                                                                                                                                    This isn’t really true: iOS has supported ad blockers (“content blockers”) since September 2015. Granted, these are only used for web content—they’re active in Safari and in all embedded web views but they can’t apply restrictions to non–web view content in apps. Overall, though, I don’t think it’s fair to say that iOS doesn’t support ad blockers.

                                                                                                                                                  1. 1

                                                                                                                                                    Might be interesting to add devdocs.io docs collection as a source. It has a really large number of docs collected.

                                                                                                                                                      1. 2

                                                                                                                                                        It doesn’t work though. It only finds the documentation groups, but cannot find symbols in the documentation, e.g. I’d expect https://quickref.dev/search?q=site%3Adevdocs.io+godot+object.connect&type=all to point to https://devdocs.io/godot~3.1/classes/class_object#class-object-method-connect

                                                                                                                                                        1. 2

                                                                                                                                                          I could add a bang for devdocs, though. Maybe, !dd ?

                                                                                                                                                          1. 1

                                                                                                                                                            Hmm, google yields similar results with site:devdocs.io godot object.connect. Maybe devdocs loads that content dynamically and somehow doesn’t let crawlers to scrap the data… Quickref uses Bing’s index.

                                                                                                                                                      1. 18

                                                                                                                                                        It is not open source though. It’s license prohibits you from selling modified engine versions, which is not compliant with OSD point 1. Additionally, their definition for “Game Engine Product” is way too broad so it probably breaks OSD’s point 6. Some people have pointed this out to them, we are yet to see any reconsideration.

                                                                                                                                                        Edit: looks like they are changing their marketing to exclude the phrase open source.

                                                                                                                                                        1. 8

                                                                                                                                                          The language even looks misleading. They keep saying free and open on the first page. It’s how lots of sites say “FOSS.” Then, the next page says this:

                                                                                                                                                          “Defold is a free and open game engine with a permissive license derived from the popular Apache 2.0 License. The license grants you the freedom to develop games without worrying about paying licensing fees or royalties on your earnings.”

                                                                                                                                                          The references to permissive and Apache make the reader think it’s going to be like that. Then, clicking the license shows us it’s not like that at all. They need to fix all this so it doesn’t undermine the great thing they’re doing in sharing their code.

                                                                                                                                                          1. 3

                                                                                                                                                            thanks , updated the title

                                                                                                                                                            1. 4

                                                                                                                                                              Referring to it as a permissive license is a bit confusing, as permissive is often used to refer to BSD, MIT and similar licenses which have fewer restrictions than some of the copyleft licenses. The article and linked pages never describe the license as permissive, so why not just put the article title, “King shares the Defold game engine source code and invites collaborators and partners” as the submission title?

                                                                                                                                                              1. 2

                                                                                                                                                                Yeah, I see your point, can’t edit the title anymore unfortunately. I got the permissive part from the tweet linked in the above comment https://twitter.com/defold/status/1262744466311360517

                                                                                                                                                            2. 1

                                                                                                                                                              His Majesty giveth, but His Majesty also taketh away.

                                                                                                                                                            1. 3

                                                                                                                                                              First time I’ve heard of the rule of 72, looks pretty useful.

                                                                                                                                                              1. 6

                                                                                                                                                                https://en.wikipedia.org/wiki/Rule_of_72 explains, basically it’s actually the rule of e*100 (i.e. ~69.3) but 72 has more divisors so is easier to work with.

                                                                                                                                                                1. 3

                                                                                                                                                                  basically it’s actually the rule of e*100 (i.e. ~69.3)

                                                                                                                                                                  I think it’s ln(2) ~ 69.

                                                                                                                                                                  1. 1

                                                                                                                                                                    Right you are, I was getting my logarithms mixed up.

                                                                                                                                                              1. 5

                                                                                                                                                                Great read. To the point.

                                                                                                                                                                The part about django hits the nail in the head. Frameworks are the plague, libraries are awesome. Whenever I read the word ‘framework’ I run! The idea that the application is written by framework authors and the user just places chunks of their own code here and there is just not sane. Whenever the user needs to do something that doesn’t fall into that workflow, then they are clueless and solve it by including another ‘framework’.

                                                                                                                                                                1. 1

                                                                                                                                                                  I see all of those people complaining about web frameworks, so I’d like you to show me, how do you do a “web library”. That is, a library, that is made for creating web servers, without requiring the user to reimplement the framework themselves.

                                                                                                                                                                  1. 4

                                                                                                                                                                    These are the things web frameworks provide:

                                                                                                                                                                    • url dispatcher
                                                                                                                                                                    • macros built around said url dispatcher (depends on the language how fancy you can get with these)
                                                                                                                                                                    • a template library
                                                                                                                                                                    • orm/active record
                                                                                                                                                                    • a request parser
                                                                                                                                                                    • helpers for sending replies
                                                                                                                                                                    • pipping among your controllers/views/models/whatever-they-call-it. Sometimes this becomes more tedious than just using your language import mechanisms

                                                                                                                                                                    Additionally, they often hide the main listening loop from you.

                                                                                                                                                                    There is no reason for these to live inside a bundle called framework. One can implement these separately and mix and match.

                                                                                                                                                                    Then you call write the listening loop yourself, or if you prefer to use a standardized application format such as WSGI, servlets, etc. you can bring in a plugable compatible web server library. Or you use a web server library, typically it comes with a method of function to start the main loop.

                                                                                                                                                                    Some examples:

                                                                                                                                                                    Java, python, and probably other languges, come with a standard api to write web applications. If you implement your application using those apis, you can then use a plugable server implementation. You don’t need a framework. Indeed most frameworks in these languages are built on top of these.

                                                                                                                                                                    https://www.python.org/dev/peps/pep-0333/ https://en.wikipedia.org/wiki/Java_servlet

                                                                                                                                                                    1. 1

                                                                                                                                                                      The usual definition of framework vs library is that your code calls the library code, and framework code calls your code. Notably the most useful feature of web frameworks, is the one that makes them frameworks - it’s the URL dispatcher. A lot of web frameworks don’t even have an ORM, or “pipping among your controllers/views/models/whatever-they-call-it”.

                                                                                                                                                                      1. 1

                                                                                                                                                                        You can trivially do an url dispatcher that you have to call with an url (and other details of a request) and it gives you back a function or some identifier, so you can call it or something. That would be a library, right? Clojure’s web stack is built like that.

                                                                                                                                                                        1. 1

                                                                                                                                                                          Now question - why don’t let the framework have this piece of code. What else would you want to do with the returned function than to call it? I don’t see the usefulness of excluding that tiny piece of code.

                                                                                                                                                                          1. 1

                                                                                                                                                                            Well the thing is that if you just call that function then you’ve certainly have no other options. In case of a library you can supply identifiers instead of functions. You could have an async call instead of just calling a function. You could supply classes (ugh) there. You could send results of dispatch somewhere downstream - say, to Kafka, for, again, async processing.

                                                                                                                                                                            Lots of options, because you’re deciding what to do. In case of framework you have no hand in decisions.

                                                                                                                                                                            1. 1

                                                                                                                                                                              I see no point to. Why couldn’t the framework just handle async functions? Why couldn’t the framework have class based views? What’s the point of sending results from there - many frameworks have so called middleware, which integrates cleanly and is composable. Like, I don’t see any point to it, besides being able to say, “Only my code calls my code”, which is a lie anyways, since it’s the OS that calls your code in the first place, and in many languages, “main()” isn’t actually the first thing run. Libraries have their place, but there are places where frameworks are just simply better.

                                                                                                                                                                              1. 3

                                                                                                                                                                                Why couldn’t the framework just handle async functions?

                                                                                                                                                                                It could, until a new need arises!

                                                                                                                                                                                there are places where frameworks are just simply better.

                                                                                                                                                                                Yes, they are good when you don’t yet know how to do things. They allow you to start without learning too much. When you have enough knowledge, they are crutches.

                                                                                                                                                                                1. 1

                                                                                                                                                                                  It could, until a new need arises!

                                                                                                                                                                                  How often do you add a new way to call your code? If it’s more often than your scheduled project rewrite, it’s too often.

                                                                                                                                                                                  Yes, they are good when you don’t yet know how to do things. They allow you to start without learning too much. When you have enough knowledge, they are crutches.

                                                                                                                                                                                  Then why do experienced developers make and use them? Probably because they went past “I don’t like it when I don’t know how absolutely everything is working over the hood” phase. Frameworks are fit to make code that handles requests. Be it network requests, UI requests, etc. Libraries are fit to answer requests. When using a framework, you are just writing another library.

                                                                                                                                                                                  1. 3

                                                                                                                                                                                    Why do experienced developers use inheritance? Does not make sense to me either.

                                                                                                                                                                                    1. 1

                                                                                                                                                                                      Probably because they understand that when used properly it is a powerful tool. I think the problem with inheritance in modern languages is that it is too easy to use. It is too powerful to be used with simple syntax, IMO it should involve some arcane manipulations directly to the object model of the language.

                                                                                                                                                                                    2. 1

                                                                                                                                                                                      How often do you schedule rewrites? What’s the point for scheduled rewrites?

                                                                                                                                                                                      Then why do experienced developers make and use them?

                                                                                                                                                                                      Lots and lots of experienced developers do not make frameworks and do not use them.

                                                                                                                                                                                      1. 1

                                                                                                                                                                                        How often do you schedule rewrites? What’s the point for scheduled rewrites?

                                                                                                                                                                                        Every two to four years. It happens naturally anyways in companies. You bring your tech stack up to date and learn from mistakes that you did the last time, while also integrating that hodge-podge feature that you did for that one client cleanly and reuseably.

                                                                                                                                                                                        Lots and lots of experienced developers do not make frameworks and do not use them.

                                                                                                                                                                                        I don’t know about you, but I don’t really see them in fields where using frameworks makes sense, such as web backends, UI, etc.

                                                                                                                                                                                        1. 2

                                                                                                                                                                                          I’m building a product with a small team (I’m co-founder and CTO) and to me scheduling rewrites each 2-4 years sounds insane. I think we probably would just go bankrupt if we tried to do a rewrite for… for what?

                                                                                                                                                                                          Maybe I don’t understand what do you mean by “rewrite”. To me, rewrite is “let’s init a blank repository and start from scratch, but this time better than before, using new shiny technologies”.

                                                                                                                                                                                          1. 1

                                                                                                                                                                                            It is probably more gradual with small teams, but it still does happen. Probably even more often, with small teams, since as the team expands more limitations are found with previous architecture.

                                                                                                                                                                          2. 1

                                                                                                                                                                            I wouldn’t call that the most useful feature at all as that would be pretty trivial to implement when compared with, for example, request parsing.

                                                                                                                                                                            The most ubiquous and usual, certainly yes.

                                                                                                                                                                            But there is no reason why this needs to be provided as a framework other than an existing crowd of web developers that are not aware that all you would need is a library.

                                                                                                                                                                            Take flask for example, most people define request handling functions wrapped In an annotation and don’t ever call it manually. The definition acts as the dispatching rule, as per rules provided in the decorators. But there is no reason whatsoever why this is better than having a function that binds an URL rule to an handler function. In fact that is exactly all that happens in the decorator implementation. It just calls flask.add_url_rule(). You can do this yourself instead of using the decorators and get rid of the silliness of having a dependency calling your code rather than the other way around. If you check your favourite framework URL dispatcher, you would be surprised how simple they are.

                                                                                                                                                                            1. 1

                                                                                                                                                                              Not having decorators doesn’t change flask from being a framework to being a library. It’s now just a framework without syntactic sugar.