1. 15

    Rust on the 7th place with 1 million LOC is actually pretty cool for Firefox! Didn’t think it has taken over that much already.

    1. 3

      Huh, I didn’t realize the 8086 only had a 20 pin address bus. Makes everything seem a bit more sane, although why make the segments overlap? I can’t see the benefit and it makes expanding the address space that much harder.

      1. 3

        I guess one (tiny) benefit of having segments overlap every 16 bytes is that a malloc() implementation could return pointers of XXXX:0000 format, i.e. only concern itself with segments? And then, if you want to index into such an array, you can put the array element’s index/offset in a register without having to add a base address offset, since the array always starts at 0000 (within the given segment).

        1. 3

          Overlapping makes a lot of sense if you take into account that a non-trivial number of programs only ever needed one segment, so you could use “near” pointers and shorter jump instructions that only deal with offsets.

        2. 2

          More silly trivia: All wintel PCs boot with line 20 disabled, in order to default to 8086 mode. And if you turn it on, you talk to the keyboard controller. Some quick googling led me to an example here: https://github.com/Clann24/jos/blob/master/lab2/code/obj/boot/boot.asm#L29

          Of course these days all these devices exist on-die, but back in the day they would have been discrete ASICs.

        1. 13

          There’s two really nice things here:

          1. The “number of versions” is a fantastic metric and Microsoft Research observed something similar spending a little more time on this point. If you’re changing a module many times, perhaps you (the programmer) don’t know what it is supposed to do?
          2. The “size” is another good metric, but I think the authors don’t go far enough: Lines of code and number of statements are nowhere near as good as “source code bytes”. Arthur is supposed to have said only a short program has any chance of being correct, but really it’s scrolling that is getting you into trouble: When data is produced and consumed out of view of each other you literally cannot see the opportunity for the bug.

          But maybe something not so nice: testing has a negative correlation with defects, but not very much. This is consistent with a lot of other empirical examinations on the subject that had a lot less data, but it still sounds bonkers. People who swear by test driven development know it’s helping them write better code, but the numbers don’t lie, so what is it?

          My theory is that when you tell someone they need to write tests, they write crappy tests, but if they want to write tests even when they’re not required, then it’s because they want a second way to look at their problem and understand it better. And that’s what we’re striving for.

          1. 4

            when you tell someone they need to write tests, they write crappy tests, but if they want to write tests even when they’re not required, then it’s because they want a second way to look at their problem and understand it better.

            This rings very true to me, for what it’s worth.

            1. 2

              Yes, I wrote something similar on Stack Exchange a while back:

              Testing follows a common pattern in software engineering: testing is claimed to make software better/more “agile”/less buggy/etc., but it’s not really the testing which does this. Rather, good developers make software better/more “agile”/less buggy/etc. and testing is something that good developers tend to do.

              In other words, performing some ritual like unit testing for its own sake will not make your code better. Yet understanding why many people do unit testing will make you a better developer, and being a better developer will make your code better, whether it has unit tests or not.

            2. 3

              If you’re changing a module many times, perhaps you (the programmer) don’t know what it is supposed to do?

              That or the people asking for the change don’t know what they’re doing and keep changing the requirements. >.<

              1. 1

                That can generate new modules rather than changes to existing ones.

            1. 4

              Wait, are you telling me fractional scaling actually works in Gnome on Fedora?!

              (It doesn’t on Ubuntu, and it’s been keeping me in a state of stunned amazement that they’ve been shipping a desktop unusable on mainstream hardware for two consecutive releases now, and none of the reviewers have given it as much as a sideline mention. I guess I’m the only person in the world trying to run Ubuntu on an exceedingly rare Thinkpad X1 Carbon.)

              1. 2

                It doesn’t really. It just renders everything at one size larger than you need, and then uses in-GPU scaling.

                The same approach that iOS and macOS took, and the complete opposite of the Windows, Qt, Android, and HTML 5 approach.

                1. 2

                  It’s horses for courses; both approaches have their merits.

                  1. 1

                    Well, as long as it works, I’m fine :-)

                    I don’t know how Unity does it (which is what I’m using now), but I suspect it’s essentially the same, and it does look crisp at any scale factor.

                1. 11

                  I’m amused by the reactions to this. Code formatting is the least interesting problem in programming, and one of the most easily automated. Props to Łukasz for this; I may not agree with every choice, but I agree that the choices should be made once and once only, and then just … used.

                  1. 3

                    Totally agree with you on principle!

                    But it’s such a prolific topic for fun, pointless banter! :-) So why not? :-)

                  1. 6

                    No, no, no… Defaulting to double-quotes over apostrophes sends it to hell right away. I’m not fond of squeezing my left pinky over Shift the entire time I’m typing. Also, apostrophes are obviously more classy. Double-quotes smell too much of C and other C-inspired syntaxes.

                    On a slightly more serious note, the fact that a line fits into the length limit doesn’t mean it should necessarily be reformatted this way. I prefer this:

                    return {
                        'AND': eval_and,
                        'OR': eval_or,
                    }[op](some, more, args, here)

                    to not be turned into a one-liner. But black does.

                    1. 8

                      But that’s the point of Black—to remove all thought about formatting so no one can bikeshed coding styles. There are no aesthetic concerns taken into account period. If it’s ugly, it’s ugly. Get over your artistic tendencies and program—that’s what you are paid for.

                      Would I use this? No (that is, if I programmed in Python—I don’t). I’ve built up a coding style that works for me over the past 30 years, and yes, I am concerned with aesthetic concerns of code. Then again, I’ve been fortunate to work at places where I can use my personal coding style.

                      1. 1

                        Code style affects readability though, it’s not just about making it look pretty (I like pretty code too though). So the choices Black makes in that regard are important. Personally I don’t think automatic formatting tools should be too concerned with line length (except maybe in some very specific contexts) and they should just work with the lines they’re fed. The rules this tool uses for splitting lines seem fairly arbitrary and it’s one of the few areas where I think a human is better off making the call.

                        I’m not a Go programmer, but I think gofmt handles this better?

                    1. 12

                      So, this might be a good time to float an idea:

                      None of this would be an issue if users brought their own data with them.

                      Imagine if users showed up at a site and said “Hey, here is a revokable token for storing/amending information in my KV store”. The site itself never needs to store anything about the user, but instead makes queries with that auth token to modify their slice of the user’s store.

                      This entire problem with privacy and security would go away, because the onus would be on the user to keep their data secure–modulo laws saying that companies shouldn’t (and as a matter of engineering and cost-effectiveness, wouldn’t) store their own copies of customer data.

                      Why didn’t we do this?

                      1. 16

                        http://remotestorage.io/ did this. I’ve worked with it and it’s nowhere near usable. There are so many technical challenges (esp. with performance) you face on the way that result in you basically having to process all user data clientside, but storing the majority of data serverside. It gets more annoying when you attempt to introduce any way of interaction between two users.

                        We did try this, saw that it’s too hard (and for some services an unsolved problem) and did something else. There’s no evil corporatism in that, nor is it a matter of making profit, even if a lot of people especially here want to apply that imagination to everything privacy-related. It’s human nature.

                        1. 2

                          basically having to process all user data clientside

                          If I go to a site, grant that site a token, couldn’t that server do processing server side?

                          It gets more annoying when you attempt to introduce any way of interaction between two users.

                          Looking at remotestorage it appears there’s no support for pub/sub, which seems like a critical failing to me. To bikeshed an example, this is how I see something like lobste.rs ought to be implemented:

                          • User data is stored in servers (like remotestorage) called pods, which contain data for users. A person can sign up at an existing pod or run their own, fediverse-style.

                          • These pods support pub/sub over websocket.

                          • A particular application sits on an app server. That app server subscribes to a list of pods for pub/sub updates, for whatever users that have given that application permission. On top of these streams the app server runs reduce operations and keeps the result in cache or db. A reduce operation might calculate something like, give me the top 1000 items sorted by hotness (a function of time and votes), given streams of user data.

                          • A user visits the site. The server serves the result instantly from its cache.

                          • Additionally the pub/sub protocol would have to support something like resuming broken connections, like replay messages starting from point T in time.

                          Anyway, given this kind of architecture I’m not sure why something like lobste.rs for example couldn’t be created - without the performance issues you ran into.

                          1. 2

                            If I go to a site, grant that site a token, couldn’t that server do processing server side?

                            If your data passes through third-party servers, what’s the point of all of this?

                            The rest of your post is to me, with all due respect, blatant armchair-engineering.

                            • The pub/sub stuff completely misses the point of what I am trying to say. I’m not talking about remotestorage.io in particular.

                            • Lobste.rs is a trivial usecase, and not even an urgent one in the sense that our centralized versions violate our privacy, because how much privacy do you have on a public forum anyway? Let’s try something like Facebook. When I post any content at all, that content will have to be copied to all different pods, making me subject to the lowest common denominator of both their privacy policies and security practices. This puts my privacy at risk. Diaspora did this. It’s terrible.

                            • Let’s assume you come up with the very original idea of having access tokens instead, where the pods would re-fetch the content from my pod all the time instead of storing a copy. This would somewhat fix the risk of my privacy (though I’ve not seen a project that does this), but:

                              • Now the slowest pod is a bottleneck for the entire network. Especially stuff like searching through public postings. How do you implement Twitter moments, global or even just local (on a geographical level, not on network topology level) trends?
                              • Fetching the data from my pod puts the reader’s privacy at risk. I can host a pod that tracks read requests, and, if the system is decentralized enough, map requests from pods back to users (if the request itself doesn’t already contain user-identifying info)

                            See also this Tweet, from an ex-Diaspora dev

                            1. 1

                              If your data passes through third-party servers, what’s the point of all of this?

                              It decouples data and app logic. Which makes it harder for an application to leverage its position as middle man to the data you’re interested in. Doing stuff like selling your data or presenting you with ads. Yet you put up with it because you are still interested in the people there. Because if data runs over a common protocol you’re free to replace the application-side of things without being locked in. For example, I bet there’s some good content on Facebook but I never go there because I don’t trust that company with my data. I wish there were some open source, privacy friendly front end to the Facebook network available, that would let me interact with people there, without sitting on Facebook’s servers, and open source. Besides that, if an application changes its terms of use, maybe you signed up trusting the application, but now you’re faced with a dilemma of rejecting the ToS and losing what you still like about the application, or accepting new crappy terms.

                              The rest of your post is to me, with all due respect, blatant armchair-engineering.

                              Ha! Approaching a design question by first providing an implementation without discussion seems pretty backwards to me. Anyway, as far as I’m concerned I’m just talking design. Specifically I’m criticizing what I perceive as a deficiency in remotestorage’s capabilities. And arguing that a decentralized architecture doesn’t have to be slow, is at least as good as a centralized architecture, and better, in many regards, for end users.

                              Let’s try something like Facebook. When I post any content at all, that content will have to be copied to all different pods,

                              No, I was saying that this would be published to subscribing applications. There could be a Facebook application. And someone else could set up a Facebook-alternative application, with the same data, but a different implementation. Hey, you could even run your own instance of Facebook-X application.

                              making me subject to the lowest common denominator of both their privacy policies and security practices.

                              If you grant an application access to your data, you grant it access to your data. I don’t see a way around that puzzle in either a centralized or decentralized architecture. If anything, in a decentralized architecture you have more choices. Which means you don’t have to resign yourself to Facebook’s security and privacy policies if you want to interact with the “Facebook” network. You could move to Facebook-X.

                              Now the slowest pod is a bottleneck for the entire network. Especially stuff like searching through public postings. How do you implement Twitter moments, global or even just local (on a geographical level, not on network topology level) trends?

                              What I was describing was an architecture where pods just store data. Apps consume and present it. If I have an app, and I subscribe to X pods, there’s no reason I have to wait for the slowest pod’s response in order to construct a state that I can present users of my app.

                              So for something like search, or Twitter moments, you would have an application that subscribes to whatever pods it knows about. Those pods publish notifications to the app over web socket, for example whenever a user tweets. Your state is a reduction over these streams of data. Let’s say I store this in an indexed lookup like ElasticSearch. So every time a user posts a tweet, I receive a notification and add it to my instance of ElasticSearch. Now someone opens my app, maybe by going to my website. They search for X. The app queries the ElasticSearch instance. It returns the matching results. I present those results to the user’s browser.

                              Fetching the data from my pod puts the reader’s privacy at risk.

                              Hmm, I’m not sure if we’re on the same page. In the design I laid out, the app requests this data, not the pod.

                              1. 2

                                With respect, “social media” and aggregator sites are red herrings here. They can’t be made to protect privacy by their very nature.

                                I’m more thinking about, say, ecommerce or sites that aren’t about explicitly leaking your data with others.

                                1. 1

                                  “With respect, “social media” and aggregator sites are red herrings here. They can’t be made to protect privacy by their very nature.”

                                  Sure they can. Starting with Facebook, they can give privacy settings per post defaulting on things like Friends Only. They could even give different feeds for stuff like Public, Friends Only, or Friends of Friends. They can use crypto with transparent key management to protect as much of the less-public plaintext as possible. They can support E2E messaging. They can limit discovery options for some people where they have to give you a URL or something to see their profile. Quite a few opportunities for boosting privacy in the existing models.

                                  Far as link aggregators, we have a messaging feature that could be private if it isn’t already. Emails and IP’s if not in public profile. The filters can be seen as a privacy mechanism. More to that point, though, might be things like subreddits that were only visible to specific, invited members. Like with search, even what people are looking at might be something they want to keep private. A combo of separation of user activities in runtime, HTTPS and little to no log retention would address that. Finally, for a hypothetical, a link aggregator might also be modified to easily support document drops over an anonymity and filesharing service.

                        2. 9

                          Because the most formidably grown businesses of late are built on the ability to access massive amounts of user data at random. Companies simply don’t know how to make huge money on the Internet without it.

                          1. 3

                            We did. They’re called browser cookies.

                            The real problems are around an uneducated consumption-driven populace: Who can resist finding out “which spice girl are you most like?” – but would we be so willing to find out if it meant we get a president we wouldn’t like?

                            It is very hard for people to realise how unethical it is to hold someone responsible for being stupid, but we crave violence: We feel no thrill that can compare serving food, working in an office, or driving a taxi. Television and Media give us this violence, an us versus them; Hillary versus Urine Hilarity or The Corrupt Incumbent versus a Chance to Make America Great Again, or even Kanye versus anybody and everybody.

                            How can we make a decision to share our data? We can never be informed of how it will be used against us.

                            The GDPR does something very interesting: It says you’re not allowed to use someone’s data in a way they wouldn’t want you to.

                            I wish it simply said that, but it’s made somewhat complicated by a weird concept of “data”. It’s clear that things like IP addresses aren’t [by themselves] your data, and even a name like John Smith isn’t data. Software understands data but not the kind of “data” that the GDPR is talking about. Pointing to “you” and “data” is a fair thick bit of regulation if you don’t want to draw a box around things and prevent sensible people from interpreting the forms of “data” nobody has yet thought of.

                            But keep it simple: Would that person want you doing this? Can you demonstrate why you think that is and convince reasonable people?

                            I’m doing a fair bit of GDPR consulting at the moment, and whilst there’s a big task in understanding their business, there’s also a big task getting them to approach their compliance from that line of questioning: How does this make things better for that person? Why do they want us to do this?

                            We’re not curing cancer here, fine, but certainly there are degrees.

                            1. 2

                              Browser cookies is something that crossed my mind after I suggested this, but my experience as a web dev makes me immediately suspect of them as durable stores. :)

                              I agree with your points though.

                            2. 2

                              This still doesn’t solve problems with tracking, because companies have already started to require GDPR opt-in to use their products (even when using the product doesn’t necessarily require data tracking), or to use their products without a degraded user experience.

                              See cloudflare, recaptcha, facebook, etc.

                              “You can’t use this site without Google Analytics having a K/V-auth-token”, “We will put up endless ‘find-the-road-sign’ captchas if we can’t track you”, etc.

                              1. 6

                                It’s a mistake to think you can “GDPR opt-in”. You can’t.

                                You have to prove that the data subject wants this processing. One way to do this is to ask for their consent and make them as informed as possible about what you’re doing. But they can decide not to, and they can even decide to revoke their consent at any time until you’ve actually finished the processing and erased their data.

                                These cookie/consent banners are worse than worthless; a queer kind of game people like Google are playing to try to waste time of the regulators.

                                We will put up endless ‘find-the-road-sign’ captchas if we can’t track you

                                I’ve switched to another search engine for the time being. It’s faster, the results are pretty good, and I don’t have to keep fiddling with blocking that roadblock on Google’s properties.

                            1. 12

                              I can’t really get behind just ignoring headers because some engineer feels like they aren’t useful anymore.

                              1. 8

                                He doesn’t just “feel like”, he has a justified technical position, and I don’t see any counter arguments to any of his points.

                                1. 5
                                  • Via is actually useful, if properly used, and can detect request loops outside your network
                                  • Expires is actually useful if you need to expire a response at a specific date, Cache-Control doesn’t do that, its only use isn’t “expire my content and don’t cache”
                                  • X-Frame-Options is needed to support older browsers, IE only supports a minimal version of CSP since 10, if you support older clients, XFO is a good security addition as CSP may not be available
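
The three headers defended in the comment above, as an added example (not from the thread or the linked article): a Python sketch of how a proxy or header auditor would use each one. The function names, the lowercase-keyed header dicts and all sample values are assumptions constructed for illustration.

```python
from email.utils import parsedate_to_datetime


def via_loop(via_value, my_pseudonym):
    """True if this proxy's own name is already in Via, i.e. the request looped."""
    for hop in via_value.split(","):
        parts = hop.split()
        # Each hop is "<protocol-version> <received-by> [comment]".
        if len(parts) >= 2 and parts[1].lower() == my_pseudonym.lower():
            return True
    return False


def freshness_seconds(headers):
    """Freshness lifetime of a response in seconds, or None if unspecified.

    max-age (a relative lifetime) overrides Expires (an absolute date).
    An unparseable Expires value such as "0" means "already expired".
    """
    for directive in headers.get("cache-control", "").split(","):
        name, _, value = directive.strip().partition("=")
        value = value.strip().strip('"')
        if name.strip().lower() == "max-age" and value.isdigit():
            return int(value)
    if "expires" in headers and "date" in headers:
        try:
            expires = parsedate_to_datetime(headers["expires"])
            served = parsedate_to_datetime(headers["date"])
            return max(0, int((expires - served).total_seconds()))
        except (TypeError, ValueError):
            return 0
    return None


def framing_protection(headers):
    """Which anti-framing policy each class of browser ends up enforcing.

    "modern" browsers honour CSP frame-ancestors and ignore X-Frame-Options
    when it is present; "legacy" browsers without CSP support see only
    X-Frame-Options. None means the page can be framed by any origin.
    Only DENY and SAMEORIGIN are counted as protective XFO values here
    (a simplification made for this example).
    """
    ancestors = None
    for directive in headers.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            ancestors = "frame-ancestors " + " ".join(tokens[1:])
            break
    xfo = headers.get("x-frame-options", "").strip().upper()
    legacy = "X-Frame-Options: " + xfo if xfo in ("DENY", "SAMEORIGIN") else None
    modern = ancestors if ancestors is not None else legacy
    return {"modern": modern, "legacy": legacy}


# Constructed sample response: CSP only, no X-Frame-Options fallback.
SAMPLE = {
    "date": "Mon, 07 May 2018 10:00:00 GMT",
    "expires": "Mon, 07 May 2018 11:00:00 GMT",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    print(via_loop("1.1 edge-a, 1.1 cache-b (squid)", "cache-b"))
    print(freshness_seconds(SAMPLE))
    print(framing_protection(SAMPLE))
```

With the sample response, a CSP-capable browser enforces `frame-ancestors 'none'` while a pre-CSP browser gets no framing protection at all, which is the gap the X-Frame-Options fallback closes.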
                                  1. 5

                                    The repeated use of “deprecation” without obvious links to the RFCs superseding those deprecations doesn’t help. Further, the entire point of the article is pretty clearly to help advertise Fastly (which presumably wants to go after some of Cloudflare’s market).

                                    Like, it’s an interesting read, but I’m a bit concerned about people putting their services behind providers that sanctimoniously decide to break with RFCs because it might get them more business.

                                  2. 3

                                    From the bit at the end it doesn’t sound like they’re doing anything to the headers by default? These are headers they recommend stripping out, and there’s an example at the end of how to strip out individual headers if you want to, but a site owner would have to actually do that to have any effect.

                                    1. 1

                                      Yeah, I don’t really see the problem here.

                                      Nobody’s forced to look at headers they’re not interested in, and the extras don’t hurt anything, except for using a bit of bandwidth.

                                    1. 8

                                      The most feature-packed release in a while! impl Trait is something I’ve been eagerly waiting for. But improved ergonomics with dereferencing under match and main() -> Result<> are great as well!

                                      1. 2

                                        My first gut reaction: if you find yourself reaching for glom, refactor your data into something simpler so you don’t have to use it.

                                        I mean sure, there are some domains and use cases where it could be warranted, but the page tries too hard to sell it as a long-needed solution for a ubiquitous problem. Which it isn’t.

                                        1. 4

                                          It would be nice to refactor things to be simpler, but sometimes we have to work with other people’s data. For my job, I have to make a lot of API calls to deeply nested data. This tool seems like it could be useful.

                                          1. 1

                                            Yep, I’m looking forward to trying this tool with some JSON-serialized Java objects I have to deal with from a 3rd party API (yes it is as bad as it sounds).

                                          2. 2

                                            Maybe I’ve just been unlucky with the data I’ve worked with, but LinkedIn, Facebook, GitHub, Wikipedia, Twitter, and PayPal’s APIs (especially the midtier/internal ones) are all exceedingly nested. Could just be my experience, but nested data seems pretty ubiquitous to me!

                                          1. 26

                                            I’m glad to see this trend of standing up against political exclusion in Open Source. I assume that the Code of Conduct for llvm was written in good faith, but the continued demonization of political groups (and to some extent, white men) is troubling. Remember when no one on the internet cared what you looked like, believed, or who you loved? I want to go back to that :/

                                            1. 43

                                              Who is being excluded? How is Outreachy preventing someone from contributing to llvm?

                                              I remember those days too. “No one” cared because “everyone” assumed you were white, male, and college educated. “There are no women on the Internet” dates back, at least, to the early ’90s.

                                              As a black male dropout, that was fine for me— I could get involved. No one questioned my capabilities. And as long as I kept up a good impression of being fluent in upper-middle to upper-class white culture, I could build my skills and social capital.

                                              I also got beat up on the street in front of my grandmother for “showing off” how I could “talk white” at school.

                                              I also remember, when Pentiums were out, using a pawn shop purchased Apple IIc with a gifted modem. I also remember hacking into dial-up pools to get telnet— haha, as if my machine could talk SLIP or PPP. I remember begging friends from MOOs and IRC for a shell account. I remember having no concept of the disparity between myself and the people with whom I played games, chatted, wrote code, and made friends. They simply had things, and I didn’t.

                                              I don’t see a problem with choosing to give their time and their money to mentor people who otherwise might not be able to participate. There certainly hasn’t been a problem with people choosing to give their time and their money to people who look like them, sound like them, grew up with them, attend the same church as them, went to the same school as them, are friends with them, enjoy the same movies as them, play the same sports as them, and just happen to be a well-off straight white male. Just. Like. Them.

                                              1. 5

                                                I also remember hacking into dial-up pools to get telnet

                                                Holy crap, you and I are kindred spirits. The terminal-concentrator at the local university dropped you into a command line…you were supposed to then immediately telnet to the VAX on campus, but they didn’t enforce that. I was 13 years old and certainly not a student at said university but boy did I get around using that little trick.

                                                (This would’ve been like 1993. I’m old.)

                                                1. 4

                                                  🙏🏾 s/the local university/Sprint/ and that was me too!

                                                  1. 4

                                                    It was an eight year old Amiga 1000 that my dad got at an estate sale for like $20 because it would only boot up about half the time and shut down at random intervals, hooked up to a black and white TV, with an old external 1200 baud modem and a terminal program I got off a disk on the cover of a magazine. I felt like the lord of all creation.

                                                    Man I’m nostalgic now.

                                                    1. 4

                                                      Who ever thought we’d make it this far?

                                                2. 3

                                                  I remember when internet arrived at my hometown. It was 1996. I am not sure such delay was related to skin color.

                                                3. 46

                                                  There is no whitemend.

                                                  Outreachy isn’t out to make a monster out of you. It’s trying to correct for GSoC. You don’t like Outreachy’s policies, a much smaller, less well-funded org than Google, then go through GSoC and Google. You have lots of other options other than Outreachy.

                                                  The code of conduct doesn’t say anything about how white men are bad. Reading the CoC, if you object that strongly to it that you must leave, then please do! That’s the CoC working as intended. You are deciding to exclude yourself by deciding that what the CoC forbids (i.e. being an asshole) is something that you must be and defend.

                                                  Also, one more thing.

                                                  I wish I could explain to people who are privileged one way or another, that it doesn’t mean your entire life is handed to you in a silver platter. Being a white male doesn’t mean you can’t be poor or can’t be gay (thus discriminated) or that you can’t have a slew of other problems.

                                                  It just means you don’t have those problems in addition to also being discriminated for being a woman, for being black, for being anything else.

                                                  1. 5

                                                    Reading the CoC, if you object that strongly to it that you must leave, then please do! That’s the CoC working as intended. You are deciding to exclude yourself by deciding that what the CoC forbids (i.e. being an asshole) is something that you must be and defend.

                                                    I would disagree with that notion. I think it’s certainly possible to disagree with the CoC or parts of it without being an “asshole as the CoC forbids”. Personally and for example, I would say the “Be welcoming” clause is too exhaustive and could be shortened to “Be welcoming to everyone regardless of who they are and choose to be” which would IMO cover the same topics as it does now. The fifth clause is also way too broad and vague. A simple note that discussion not furthering the project or its software, being NSFW or otherwise non-productive would have achieved the same goal and would give moderators more leeway to deal with troublemakers.

                                                    I specifically wonder why number 6 was necessary. It’s a community of coders, if they can’t understand disagreement I seriously question what is going on behind the scenes that warrants such a rule. Does discussion derail so often into low level sand-flinging?

                                                    Not too long ago I was a member of a forum focused around LEGO robots. There were no rules of any kind but plenty of electricians and programmers around, men, women, kids and teens, etc. Everyone was happy to participate and be happy to exchange ideas and code. When there was drama the moderators enacted unspoken rules of the clearly obvious kind. If you insulted someone for no reason you got banned. Same for insulting someone based on their gender. We didn’t need rules for that. It was obvious as day that such behaviour was not something you’d do to have a productive conversation with someone about the intricacies of rubber bands vs gearing.

                                                    1. 8

                                                      I specifically wonder why number 6 was necessary. It’s a community of coders, if they can’t understand disagreement I seriously question what is going on behind the scenes that warrants such a rule. Does discussion derail so often into low level sand-flinging?

                                                      Speaking as someone who has over the course of many years, moderated things on the internet. Things like this exist because otherwise someone will come along and say “but you didn’t say”. It’s an unwinnable battle, there will always be a “but you didn’t say” response to something. You try to cover the big things in a broad way so that people have a general idea.

                                                      I’ve answered many emails as a member of the Pony core team where well meaning people write in to ask “if I do X, would that be against the CoC”. I can’t say that is how every CoC operates, but it’s how I like them to operate:

                                                      Here are some ground rules. If you aren’t sure if what you are going to do violates those ground rules, maybe don’t do it or ask whoever enforces the CoC.

                                                      CoC’s are far from perfect. A large amount of that lack of perfection is that they are administered by people. Establishing some ground rules for a community is better than having none. Most communities have a CoC whether they call it that and whether it’s explicit. Take HackerNews, it’s called “Guidelines” there. It’s still a statement of some behavior that isn’t acceptable.

                                                      1. 2

                                                        I think if someone goes down the route of “but you didn’t say” that would be grounds for getting a mute from the poor moderator they annoyed. At least back in the forum that was how it was handled. Nitpickers aren’t people who tend to keep around once the people in charge hammer them on the fingers.

                                                        I don’t think Hackernews’ Guidelines are comparable to a Code of Conduct. HN’s book of laws is much more vague and subjective, the word “guideline” already implies a certain amount of softness. Moderators won’t stick to that word-by-word and rather apply common sense on top of the rules. A “Code of X” for me implies a certain rigidness and thoroughness that isn’t present in most of them.

                                                    2. 14

                                                      The code of conduct doesn’t say anything about how white men are bad.

                                                      And yet that is how it has been applied. The organisation is funding a scholarship which is very explicitly open to people of some race/gender combinations and not others. I don’t think finding that unconscionable makes someone an “asshole”; quite the opposite.

                                                      I wish I could explain to people who are privileged one way or another, that it doesn’t mean your entire life is handed to you in a silver platter. Being a white male doesn’t mean you can’t be poor or can’t be gay (thus discriminated) or that you can’t have a slew of other problems.

                                                      It just means you don’t have those problems in addition to also being discriminated for being a woman, for being black, for being anything else.

                                                      Put it this way: I would lay money that, in practice, the average Outreachy scholarship ends up going to someone who has had an easier life than the average open-application scholarship (GSoC or similar). The rhetoric of inclusion is all about underprivileged groups, but somehow the beneficiaries always end up being middle-class college-educated liberals.

                                                      1. 15

                                                        The organisation is funding a scholarship which is very explicitly open to people of some race/gender combinations and not others. I don’t think finding that unconscionable makes someone an “asshole”; quite the opposite.

                                                        Races and genders which are significantly unrepresented in the field they are trying to get them into.

                                                        There are campaigns and organisations here to try and get more male primary school teachers, because males are significantly unrepresented in primary education. Are the people running those organisations and campaigns “assholes” for discriminating against women, who represent over 84% of primary school teachers?

                                                        1. 4

                                                          He said although he made hiring decisions based on who was the best teacher, irrespective of gender, it would be great to see more men giving teaching a go.

                                                          That’s what the non-asshole version of this kind of thing looks like. Marketing the career to a particular demographic is fine. Giving that demographic an unfair advantage is not fine.

                                                          1. 2

                                                            It’s an unfair advantage that’s not even managing to negate the pre-existing unfair disadvantages that certain groups face.

                                                            1. 4

                                                              It’s Simpson’s paradox in reverse: picking an advantaged member of a disadvantaged group over a disadvantaged member of an advantaged group is a negative step for equality that sounds like a pro-equality move.

                                                        2. 6

                                                          The outreachies I’ve seen have gone to Indian and Eastern bloc girls. You don’t see a lot of those in GSoC.

                                                          1. 4

                                                            Sure. That doesn’t contradict what I said: that the beneficiaries of these efforts end up being disproportionately people from the international college-educated liberal middle class (a group that’s far more homogenous in the ways that matter than most races or genders, though that’s a separate discussion), people who have had an easier life with fewer problems than the people they are displacing, even when those people are white and male.

                                                            1. 4

                                                              Let’s assume you’re right.

                                                              How does Outreachy working with international college-educated liberal middle class Indian and Eastern bloc girls displace anyone?

                                                              1. 2

                                                                If LLVM is choosing to fund a scholarship with Outreachy in place of funding one with GSoC, the recipient of that scholarship is displacing the person who would’ve received the GSoC one.

                                                                1. 9

                                                                  Please correct me if I’m wrong, but as I understand it:

                                                                  • LLVM participates in both Outreachy and GSoC.
                                                                  • LLVM doesn’t fund either programme.
                                                                    • Outreachy and GSoC both provide funds for their own programmes.

                                                                  So, neither LLVM nor Outreachy are “displacing” anyone from GSoC.

                                                                  Moreover, no one even signed up for LLVM’s Outreachy! So this is hypothetical “displacement.”

                                                                  1. 1

                                                                    Outreachy doesn’t fund internships, you need to bring your own funding to them. I’m not sure how LLVM is funding their outreachy internships.

                                                                    1. 8

                                                                      [citation needed]

                                                                      Because, from their front page:

                                                                      Outreachy provides three-month internships for people from groups traditionally underrepresented in tech. Interns are paid a stipend of $5,500 and have a $500 travel stipend available to them.

                                                                      And their sponsor page:

                                                                      Outreachy internship stipends, travel fund, and program costs are supported by our generous donors.

                                                                      Same page, “Commonly Asked Questions”:

                                                                      Q: Who pays the interns? A: The Outreachy parent organization, the Software Freedom Conservancy, handles payments to interns.

                                                                      Not to make too fine a point:

                                                                      Q: We have a company internship program. How does that work with Outreachy internships? A: Outreachy internships are completely separate from any other internship program. Outreachy organizers find FOSS communities that are willing to provide mentorship and use corporate sponsorship to fund the internships.

                                                                      1. 1

                                                                        I guess I don’t see how you’re disagreeing with what I wrote. You need to have funding arranged before you can set up an outreachy internship.

                                                                        1. 4

                                                                          FOSS community provides mentorship. Corporate sponsor provides funding. Internship = mentorship + funding. Outreachy provides internships.

                                                                          The money from corporate sponsors goes into a pool that is used for all internships. Outreachy is a funds aggregator.

                                                                          When you say “you need to bring your own funding to them,” who is the “you?” It’s not the FOSS community. It’s not the internship applicant. Who is it?

                                                                          1. 1

                                                                            Perhaps the policy changed. When I looked this up in November it was the responsibility of whoever wanted to start an outreachy program for a project to identify a source of funding.

                                                                            1. 2

                                                                              According to the Internet Archive, in September of 2017, their policy was exactly the same. It’s the same at least back through the last GNOME Outreachy, over a year ago.

                                                                              Update: I deleted my follow-on questions. This is the kind of back and forth @pushcx warned about.

                                                                              1. 2

                                                                                Did you see my other comment? Each org needs to find a coordinator who needs to find funding for their org (see under coordinator, here: https://www.outreachy.org/mentor/). That might be in terms of corporate sponsorship, but outreachy won’t do that for you.

                                                                                1. 2

                                                                                  No I didn’t, I missed your self-reply. Sorry about that!

                                                                                  And, yeah:

                                                                                  Coordinator Duties Before Application Period Opens

                                                                                  • Finding funding for at least 1 intern ($6,500)

                                                                                  That’s clear and conflicts with their other pages. “Perhaps the policy changed” indeed. I put more weight on that page, though, than their more advertise-y ones.

                                                                                  mea culpa!

                                                                    2. 1

                                                                      I understood LLVM was funding the scholarship but could easily have misunderstood. In any case it’s beside the point: my point goes through exactly the same if we’re talking about the person a hypothetical open-application scholarship would have selected or a person who was displaced as such.

                                                                      Moreover, no one even signed up for LLVM’s Outreachy! So this is hypothetical “displacement.”

                                                                      Isn’t it just the opposite? If choosing to offer an Outreachy scholarship rather than some other scholarship meant that instead of getting a likely-less-privileged individual they got, not a more-privileged individual but no-one, that’s an even bigger loss.

                                                                      1. 1

                                                                        If choosing to offer an Outreachy scholarship rather than some other scholarship […]

                                                                        They also offer a GSoC scholarship, and there’s nothing to imply Outreachy replaced an alternative rather than being an addition.

                                                                        1. 0

                                                                          Scholarships don’t grow on trees; surely the fairest comparison to make is offering a scholarship versus offering a slightly different scholarship. (Would you apply the same reasoning if someone wanted to offer a scholarship that was only for white people, say?)

                                                                          1. 3

                                                                            I can play this game too, where “displaced” is entirely hypothetical:

                                                                            • LLVM has displaced compiler developers from gcc!
                                                                            • My drinking tea tonight displaced a purchase of beer from the bar down the road!
                                                                            • My mother and father each displaced every other person on the planet born before 1980!

                                                                            THE INJUSTICE

                                                                            1. 1

                                                                              Um, yes, it’s 100% fair to compare gcc to llvm, tea to beer, or your mother and father to other people?

                                                          2. 8

                                                            It just means you don’t have those problems in addition to also being discriminated for being a woman, for being black, for being anything else.

                                                            That’s incorrect in any environment where whites or men are the minority. Human nature dictates that all groups favor those like them and penalize those unlike them. Examining the politics of non-white nations in World History or current affairs confirms those groups are just as racist in the social systems they create. Examining the actions of black administrators or elected officials shows they mostly bring in people like them regardless of what the mix is in their area. The kind of political beliefs behind these Codes of Conduct and privilege assume this doesn’t happen on a large scale by non-whites to whites. The wealth of evidence disagrees with that so strongly that believing in it anyway and suppressing alternative views is comparable to a religious faith. One that damages specific groups while propping up others.

                                                            Another point folks in favor of those beliefs and CoC’s never bring up is how many minority members disagree with them. The surveys they usually take are almost never worded to assess how many people believe it’s something all groups do to each other. That’s because they’re biased enough to try to just reinforce their own beliefs. In my surveys, I always present both sides asking which they think it is. I rarely meet black or Latino people, majority of minority members in my area, that think structural oppression is only a white thing. It’s so rare out here. Most think all groups do it but that whites are doing it the most. That’s reasonable. Yet, under CoC’s and associated beliefs, their views would be censored as well since they’d be construed as racist (in their definition) or contributing to reinforcement of it. Likewise, any “language” or “terms” that are racist, sexist… scratch that, which their political beliefs without supporting evidence label as inherently racist, sexist, etc. That too.

                                                            So, I object to these CoC’s that act like a good chunk of minority members’ opinions don’t matter, that ignore the fact that minorities do structural racism/sexism all the time (by default like people in general?), ignore the fact that whites/men they’re addressing might have been the oppressed minority in previous environment (or current), and then build social structures and enforcement mechanisms on top of those damaging, faith-based beliefs. I also say this as a white guy who spent years in black-run schools living a long time in many areas of black-run city working in black-run departments and companies. If I write about my experiences or tell it like a 3rd party, the black people always think the person in the story is black saying the feelings and obstacles are what they endure. When I say they’re white, then the type of people I’m countering say, poof!, none of it counts as evidence of racism. That shows it’s politically-motivated maneuvering, not consistent logic.

                                                            These should be fought in favor of CoC’s that don’t require everyone in America or the World to believe and speak as if one, smaller, vocal group is unconditionally right in all political claims about these matters.

                                                            1. 14

                                                              That’s incorrect in any environment where whites or men are the minority. Human nature dictates that all groups favor those like them and penalize those unlike them. Examining the politics of non-white nations in World History or current affairs confirms those groups are just as racist in the social systems they create.

                                                              I’m sorry, what are you talking about? I’m from Peru where ‘whites’ are a minority. They are most certainly not discriminated against, quite the contrary. Whiteness is equated to privilege to the extent we have a saying here: ‘El dinero blanquea’, which roughly translates to ‘Money bleaches’.

                                                              The discrimination comes from factual power, not a head count. Power which was built upon centuries of enslavement and exploitation. Exploitation most members of the white elite minimize and/or are oblivious to.

                                                              It is the same in other places of South America. Certainly in Brazil, where the author is from.

                                                              1. 6

                                                                I’m from Peru where ‘whites’ are a minority. They are most certainly not discriminated against, quite the contrary. Whiteness is equated to privilege to the extent we have a saying here: ‘El dinero blanquea’, which roughly translates to ‘Money bleaches’.

                                                                I appreciate you sharing your example where one of the minorities has power. That supports my view that it’s highly conditional. Power is one thing that ties into discrimination. Group identity is another. You don’t need centuries of enslavement or exploitation to get one group working for themselves more or against another. It can be a factor, though. Often is. I also noticed you’re mentioning countries where white armies invaded them and their upper classes, not whites in general, did coercive negotiations for trade that benefits them. In this case, it’s real but tied to who did what. You can bet a group invaded by non-whites will also develop some reaction to that group.

                                                                Whereas around Memphis TN, being white in specific areas won’t get them respect or power due to the slavery that happened in the South. They’ll just get a warning to leave, beat down, robbed, and/or killed. No power. Like with those that invaded Latin America, the power was with a subset of them in high places or any that could get them to act on their behalf. As a civil rights proponent in America, I assure those powerful, white people would try to squash or minimize white people like me when our interests conflict. They hate outsiders even more but I would be treated more like them than your scenario would lead you to expect. I’m still in the outgroup. Just not as far out as Latin America. Same with local blacks or latinos that control specific areas, organizations, businesses, and so on. Being white conveys me large benefits in some contexts, about none in others, kind of negative in others, and violence/death in others.

                                                                It varies by context is my overall point. It’s not “If white, always this. If non-white, always that.” It’s really complicated. I’m sure I have plenty more to learn about the dynamics of the many groups. Thing is, countering it my way is much simpler than trying to trace it all: being civil, going out of your way to bring in others, accepting each other despite differences, and randomizing/blinding where possible selections/promotions. Increased fairness without further discrimination or hate. It’s simple, but not easy.

                                                                Edit to all: Other replies will be delayed since I have to work a late shift tonight. Heading out now. Hope yall have a good day and appreciate all the civil replies so far. :)

                                                                1. 4

                                                                  Thank you for the thoughtful response. I get a better sense of what you were getting at. I don’t think I’m qualified to say much more on the matter, I don’t think I have a proper grasp of the dynamics of structural exploitation. But I’d like to add a couple of not fully developed ideas.

                                                                  – Whiteness is sometimes used as a proxy for privilege.

                                                                  – Whiteness is context dependent. My cousin from the US grew up in Pennsylvania. Here he is a ‘gringo’, where he grew up he was considered far from white, being called racial slurs when growing up.

                                                                  – It may be a better idea to talk more in other terms w/o proxies. Class politics are more relevant today than race IMHO.

                                                                  – Even in Perú there are some contexts where you can be subject to specific instances of discrimination, but they pale in comparison to the structural discrimination that happens on a day to day basis. Which is why (in the context of Latin America at least) I view focusing on ‘reverse racism’ as a mechanism to distract from the larger and more important problem of structural discrimination.

                                                                  also noticed you’re mentioning countries where white armies invaded them and their upper classes, not whites in general, did coercive negotiations for trade that benefits them.

                                                                  I understand and empathize and partially agree with what you are getting at. Certainly you can’t be held personally accountable for every action your government does. But at the same time they have to some extent the support of the general public. At best, you are turning a blind eye to the pain and suffering that supports your economy. But then again, it is our (Latin American) governments which are complicit and also responsible for said exploitation.

                                                                  In the words of a mining worker, when talking to a college student:

                                                                  – You speak of the gringos you’ve seen in Morococha and Cerro (Mines in Perú). But they are millions. Don’t generalize…

                                                                  – So why do they send those who look down on us, cholos, not like people but like dogs.

                                                                  Another thing, the exploitation of Latin America is not limited to ‘economic deals’ and is not something of the past (But there is more than a fair share to blame on our obsequent governments). In the 90’s US Companies hired henchmen to kill union leaders. The US Government (through US-‘AID’) provided logistic support for the mass forced sterilization of millions of women in Perú. Or even this decade, the US government, through the DEA, determines the policy and funds the forceful eradication of coca leaves further contributing to the impoverishment of Peruvian farmers. The Coca plant is legal here and is consumed by many in their day to day.

                                                                  1. 1

                                                                    I thank you for your detailed response. That was a mix of interesting and pretty sad. I’m going to back up a bit first on one issue since I was using a simplification that you and @stephenr are showing I probably shouldn’t use maybe here or in general. I’ll have to think on it. The actual belief I have about the ingroup vs outgroup dynamic is that they’re just treated differently in a way where it’s often positive to first and negative to second. It doesn’t have to be. I was just going with common pattern since it fits both my experiences and minorities in the U.S. which is mostly the topic around this thread. You’ve both given examples where a white outgroup can benefit from their status in other countries. Likewise, there’s examples where the ingroup is in a rough position with expectations for men or women coming to my mind easiest. One of the worst examples I’ve seen is the tribe that covers people in bullet ants to prove they’re men. I’d rather be the outgroup they look down on forever. ;)

                                                                    On to your comments on exploitation. Far as unions, sterilization, and so on, that’s a side effect of the elites controlling America. They use the media to keep folks under control fighting enemies that aren’t the main enemy. You won’t see the stuff you described on American media much. Instead, it’s stuff that shocks or lets people point fingers temporarily for quick reactions. Next wave of shock happens making them forget what came before that. Americans can’t keep track of history. They can only focus collectively a moment at a time with what’s carefully put in front of them. The parts of the government doing things like you describe are mostly autonomous working for rich and powerful. Those that get voted in do a mix of things they said they’d do and things that appear to benefit their voters with lots of publicity for both. The choices are few with the non-participation and apathy so high that government doesn’t worry about rebellion. It’s kind of a constant rehash of the same games and corruption with businesses getting laws passed benefiting them more and more every year mostly under Americans’ noses since media barely reports on it.

                                                                    So, that’s how that works if you were wondering. When I was young, I never thought handfuls of companies and some government organizations could really control most of several hundred million people with the presence of the Internet, activists getting word out, and so on. Yet, they actually can. They’re also intelligent, focused, well-staffed, and relentless in their pursuits vs masses that are hit and miss on these things with more scattered beliefs, goals, and participation. Just like in this, those fighting over the CoC’s and such aren’t investing effort in joining together against the elites like folks did in MLK days which truly scared them enough to plot murders. If they beat the corruption, they could work law by law, reg by reg, case by case to get a lot done starting with something as simple as due process for workers (I’m union). It takes unity and focus on where the foundational problems are, though, to achieve something like that. Not to knock efforts to improve things elsewhere but we really should be almost all in on dealing with people paying bribes for damaging laws to be passed that give corrupt jurisdictions and companies impunity in their evils. It seems like so much starts right there.

                                                                    Anyway, there’s a lot of people pulling for the folks you describe. They just feel powerless to do anything about it. Also, those that care are so few that giving up products that come from there will change nothing. So, everyone from the consumers to the traders ignore their fleeting thoughts since they need some cheap copper.

                                                              2. 13

                                                                I’m not sure how anything you’ve written is relevant to LLVM’s code of conduct. It says: be welcoming of everyone, be considerate, be respectful, don’t make violent threats. All very basic, common sense stuff that the vast majority of people don’t need a checklist to accomplish. I’m not sure how you went from what is actually written there, to this:

                                                                The kind of political beliefs behind these Codes of Conduct and privilege assume this doesn’t happen on a large scale by non-whites to whites.

                                                                Which part of LLVM’s CoC do you think is saying this? Do you think the part about being welcoming of everyone regardless of race is non-white people discriminating against white people?

                                                                1. 8

                                                                  “Violent threats or language directed against another person. Discriminatory jokes and language. especially those using racist or sexist terms Advocating for, or encouraging, any of the above behavior.” (my emphasis added)

                                                                  It’s those words that are used to block people based on political beliefs. The kinds of people that push CoC’s often have specific views about what is considered racist, sexist, etc that there’s not a wide consensus on. Any words or behavior will be interpreted in the light of their views. This is double true when they get into the moderation positions, which they often aim for. I don’t have to speculate as I’ve been banned from forums for quoting under my own name minority member’s opinions on minority issues. They were racist, sexist, etc. by their definitions. These policies interpreted however they want are the leverage they use to reinforce their own groups or eject other groups. Advocating for is the last term where anyone even debating whether something was racist or sexist might be construed as supporting the racist or sexist person. That’s happened plenty, too.

                                                                  So, it’s the intent behind the terms along with who’s enforcing them, what their beliefs are, and if they’re willing to exclude people with different beliefs on contentious topics. They usually are. So, I oppose those in favor of CoC’s without enforcement of political ideology that focus on people just staying civil, friendly, etc. Those parts of the CoC’s I have no problem with.

                                                                  EDIT to add what I’m fine with since I’d rather not be overly critical of something that’s mostly good:

                                                                  “be friendly and patient, be welcoming, be considerate, be respectful, be careful in the words that you choose and be kind to others, and when we disagree, try to understand why.”

                                                                  Most of the weaseling is built into that “be careful in the words you choose” part. Minus the weaseling, even quite a few points in that section are good. Also note that we don’t have to speculate given Lobsters already has enforcement that’s similar to what I’m advocating for. Our moderators may agree or disagree with people’s political views but haven’t ejected anyone for stating their views with data in a civil way. Our community is still a thriving, functioning community despite any political scuffles.

                                                                2. 11

                                                                  That’s incorrect in any environment where whites or men are the minority.

                                                                  I guess you’ve never been to Thailand. Whites are a ridiculous minority, but they’re held in such high regard by a large percentage of the population.

                                                                  Edit: and to clarify, this isn’t the same situation as @PuercoPop’s:

                                                                  Thailand was never colonised, has never been under ‘white’ or ‘western’ rule and was not a ‘source’ for slavery by whites. Heck, whites (without getting Thai citizenship, which, holy shit is that a long process) can’t own land, can’t own more than 49% of a company, etc.

                                                                  Try to find some Thai soap operas on YouTube - notice how all the actors are very pale skinned: they’re all half-Thai, half-white. If they want to show a ‘poor brown girl’ (believe me, their stereotype, not mine) they literally take a Thai/White actress, and use makeup/body paint/whatever to show their version of what anyone else would think of as a ‘natural’ brown skin.

                                                                  I’ve been stopped at police licence checkpoints, and the cop has been so excited just to say hello to a white guy he doesn’t even care if I have a licence.

                                                                  1. 4

                                                                    Of course structural oppression isn’t a white only thing. Anyone can discriminate against anyone. And sure, in localized areas some groups can oppress others in different ways than the average. That doesn’t mean CoCs shouldn’t try to prevent racist / sexist conduct.

                                                                    What things do you see in CoCs that minority members disagree with, that unfairly construes their beliefs as racist? Or disregards their opinions? Or ignores that whites/men may have been the oppressed minority in their environment?

                                                                    1. 4

                                                                      That doesn’t mean CoCs shouldn’t try to prevent racist / sexist conduct.

                                                                      I didn’t say that. I said it’s usually interpreted in a way where racist and sexist conduct has definitions that usually mean whites/males can’t experience the negatives, are often responsible for them (supported point in general case), and inherently have the positives. Evidence strongly counters two of those showing it has to be judged case by case, place by place, etc. For instance, the forums dominated by the types of people with that ideology make them the majority with the structural power to include, exclude, oppress, and so on. By their own definitions this is true. Yet, any person in a different group dissenting in such a place will be told they’re the “majority” with “privilege” who wouldn’t understand the… blah blah blah. Actually, at least in that context, they’re a minority getting treated worse than its majority at risk of damaging effects of discriminatory treatment. This plays out in other contexts like school, work, etc. where non-whites or non-males in the majority positions reinforce themselves at others’ expense. A general pattern.

                                                                      Far as minority members disagree with, who are the minority members? That’s exactly what I mean. It depends on who you’re talking about in what context. Someone who is a minority member in one environment might be part of the privileged majority in another. The very definitions of who constitutes a minority (absolute vs conditional), what defines racism, who has privilege… these are in dispute across the nation. Many non-white and non-males dispute some of same points, too. So, starting from a specific set of views on it being true with enforcement working from there is already discriminating against all who disagree. They’ve not proven these views with evidence either.

                                                                      Note: You can try to cheat with legal terms that one side or a group of them got in but treating the law as truth or moral is dangerous. Slavery and women not having rights were legal. So, my definitions are about reasonable categories people are in with their numbers or influence compared to groups of other categories.

                                                                      The evidence collected on a global scale indicates that all groups in power reward their own and oppress others. So, if by evidence, this stuff will be conditional with every group monitoring themselves for bias boosting their outgroups when they don’t get a fair shake: not just whites or males being monitored with everyone boosting non-whites or non-males in all scenarios. In this country or in tech scene, the results would mostly be boosting non-whites or non-males to correct existing imbalances just on the numbers alone. No argument there. Yet, other things wouldn’t be taboo or inconsistent with the rules: a mostly black or women organization in mixed area with people in other categories having skills would be said to give more privilege to blacks/women, possibly structurally racist/sexist in hiring if ratios of workers vs supply were really skewed, encouraged to diversify, and activist action taken if they didn’t. Just like such people would do with white or male majority structurally reinforcing their own groups.

                                                                      We don’t see this. Most of the types that push and want to enforce CoC’s frame it as one thing by definition with whites or males on high-privileged/victim-creating side in all situations. That’s dishonest. I’ll take “this happens more often than that” but not “this never happens or we should act like it doesn’t exist.” With that, they can’t eject people for disagreeing with them on what counts as discriminatory language or behavior if it’s something there’s no consensus on by people who otherwise are against a lot of clearly-discriminating behavior. Further, they might be more likely to go with diverse inclusion plus blind evaluation/selection to correct imbalances instead of ignore whites/males much as possible to only focus on everyone else. One is inherently more fair achieving a similar goal.

                                                                      1. 2

                                                                        But don’t you think that being the privileged majority in the society you live in will have more to do with shaping your experience and fortune in the world than being the privileged majority in an online message board or OSS project?

                                                                        1. 3

                                                                          In the spaces I live with, my lack of privilege as a white minority in many contexts has cost me likely mental health, plenty humiliation, confusion, physical beatings, missed dates, missed jobs, missed promotions, and so on. Coworkers locally were just telling me recently about black-run classes singling them out for opposing beliefs. Things they say get an entire room screaming at them to intimidate them into silence on top of whatever penalties teacher might give. More extreme versions of this ideology are going campus to campus all over the place taking on life of their own where students are doing things like holding up signs protesting inferred problems in words or ideas of instructors that are there to help them during class.

                                                                          Again, I’m a white male who doesn’t or can’t have such problems in a structural way according to specific groups in the United States despite the evidence of such things happening with non-white or non-male majorities. The forum example was just easier for people to see where you can tell the white male is not in control, is subject to the whims of others, and can be damaged for that. People causing outgroups problems is totally predictable in my model. That’s not the interesting thing. The interesting thing about the forum example is that the people in control who are the majority continue to describe their limited, powerless target in the same terms like powerful and majority. It doesn’t usually change as the circumstances change. It’s usually politics or religion when people’s beliefs or dictated rules don’t change when data flips by 100%.

                                                                          So, it’s not what they say it is or consistent. That’s enough reason to resist it. That following it would damage more innocent whites or males making them suffer as so many of us did is even more reason. You could say what motivates me to write these posts isn’t much different as what motivates those on the other side with personal experiences in racism or sexism to write their posts. It’s not “reverse (ism)” so much as all the same evil to me. Once we see and experience the evils, we have to stop them from continuing in any form they’ll take. Another thing I noticed is we seem to do it for others’ sake more than ourselves as we can’t undo what we experienced. We’ll always be a bit fucked up by it. We can maybe stop someone else from having to experience that, though. I want someone else to be everyone instead of “everyone but whites and males.”

                                                                          As usual, that’s on top of all the non-whites and non-males I care about and try to help. They just get a lot more attention and support than this other cause. Hence it being a focus area you’ll see me on. Plus, having been affected so strongly, that’s a motivational bias of mine on top of it.

                                                                          1. 4

                                                                            @nickpsecurity, that sucks. You’ve been a victim of structural discrimination. Worse, because it’s not a politically sexy or easily visible form, people continually reject your experience. That. Sucks.

                                                                            In the past, if I’d heard your narrative, I’d have dismissed you by thinking something like “this white dude forgets he always has the option to leave, unlike …” But that’s unfair.

                                                                            You’ve been a member of these communities, for years. You’ve been a decent person. You have family, friends, colleagues, social capital, and memories in these communities. To tell you “get up, leave, move on” is to ignore the simple reality that we’re social animals and structural discrimination harms everyone.

                                                                            Thank you for your repeated posts on this point. At the very least, you got through my thick head. Hopefully, in the future, I can be a better person for it.

                                                                            1. 2

                                                                              Damn. That means a lot to me you saying that. I sent a private message not long ago about your comments being interesting as usual on these discussions. More than usual with one comment about you getting beat up for talking white to presumably get ahead whereas I was learning early to talk or act black to attempt inclusion in my environment. It’s because some of what you wrote seems like you might have started in similar circumstances as me going in an opposite direction to find yourself with opposite views. Maybe a stretch to say two sides of same coin but that metaphor popped into my head at least. Then, we end up here in this moment on this forum. A trip, eh?

                                                                              It’s why I fight for flexibility on these topics in these discussions in wherever places I can. It’s painful and costly but the moments I learn from or reach people are worth it to me. I think those moments are critical. Probably gotta get to sleep now as I intended to. I just had to respond to that comment. :)

                                                                              Edit: Oh yeah, sleepy enough I forgot to say Good Night.

                                                                3. 16

                                                                  demonization of political groups (and to some extent, white men)

                                                                  I’m a white man in tech and I can count the number of times I’ve been demonized on zero fingers.

                                                                  demonization of political groups

                                                                  The dominant political party in this country has in black and white in its party platform a desire to make same-sex marriage illegal (while simultaneously claiming “government overreach” is a bad thing). If hearing that we shouldn’t punish gay people just for being gay makes you uncomfortable, well…it’s supposed to.

                                                                  (That same party has in its platform a denial of anthropogenic climate change, an existential threat to our civilization; the denial of which has zero scientific backing….but no, we can’t tell them that they’re wrong.)

                                                                  More importantly, the stuff I’m talking about above is also banned. You can’t go to a conference and talk about how “Republicans are stupid”. You’d be asked to leave or at least tone it down.

                                                                  The problem is that a lot of people hear “don’t be an asshole” and they think “man when I tell transgender folks they’re stupid and make jokes about gay people I get called an asshole (totally unjustifiably!) and I might get in trouble. Ugh, SJW’s!”

                                                                  Remember when no one on the internet cared what you looked like, believed, or who you loved? I want to go back to that :/

                                                                  I’ve been on the Internet since around 1992. That’s only three years after the very first consumer ISP served its first customer.

                                                                  Was there a large contingent of people who really did believe that? Absolutely, I mean, I was one of them. Were there plenty of racists, sexists, homophobes, and bigots of all stripes? Absolutely. Go look at old Usenet archives from the 80’s and 90’s. Racism, sexism, homophobia abound. There was a long diatribe against same-sex marriage on a Perl newsgroup for some damn reason around 1996; there were plenty of people who chimed in and agreed. Various big names in the early hacker community were famously bigoted (often hiding behind “libertarianism” while simultaneously claiming women and black folks are just inherently inferior and it’s “just science”).

                                                                  The “good old days” are very often viewed through rose-colored glasses. People were people back then too, for all the good and the bad.

                                                                  1. 16

                                                                    Remember when no one on the internet cared what you looked like, believed, or who you loved? I want to go back to that :/

                                                                    This was never true. People on the internet have always cared about who you are in ways that factor these things in. The fact that the (largely white) nerd culture contingent who had a lot of influence on the early internet has decided to tell this utopian story does not make it any more true than stories your grandpa tells about respectful children and walking both ways uphill in the snow.

                                                                    1. 23

                                                                      It’s less that “No one cared what you looked like” and more “Everyone assumed you were a white dude with roughly conformal beliefs, behaviors, and similar.”

                                                                      1. 3

                                                                        There’s no contradiction. Both those things were true.

                                                                    2. 12

                                                                      Remember when no one on the internet cared what you looked like, believed, or who you loved?

                                                                      And look where it got us. Toxic subcultures, huge gender inequality in the workplace, software products that simply don’t work for many groups of people… The field was biased towards white male hackers from the very beginning, and “not caring” only increased this bias. No, I don’t want to go back to that, I want to fix it.

                                                                      Also, “no one on the Internet cared what you looked like” simply because they technically couldn’t: nicknames and plain text don’t divulge much. As soon as we got real names and YouTube it became obvious that the majority of people care very much about what you look like. So a young girl making a guitar cover or an Ubuntu installation walk-through mostly gets “you’re hot” and “nice boobs” comments.

                                                                      1. 16

                                                                        People with privilege have been getting more and more outraged that the world is discriminating against them. They see it as unfair. Yes, it’s discrimination and that sucks. But it’s infuriating when they paint it as unfair, because that implies they’re somehow being disproportionately discriminated against, that the discrimination is unfairly balanced against them. And of course that’s nonsense. These privileged people, intentionally or not, feel they’re entitled to live free from any and all discrimination at the expense of those less privileged.

                                                                        Remove yourself from the politics and think about a simple model instead of race, sex, gender, or orientation. Just group A and group B.

                                                                        • members of group A receive 120 points a day
                                                                        • members of group B receive 80 points a day

                                                                        Members of group A develop a belief system that they are entitled to their 120 points. When some members of group B try to increase their points to 85, and that lowers the group A points to 119, the members of group A become angry. They say the members of group B are being unfair.

                                                                        Group A believes that group B should not take any action that decreases their daily points. Group A compares their loss of 1 point to group B’s initial 40 point deficit, drawing a false equivalency. Some subset of A, group A’, deliberately takes points from group B members around them to restore their original 120 points. Group A’ claims this is fair.

                                                                        Group A’ bands together to institutionalize the 40 point difference. Some extreme members of group A’ even try to widen the 40 point difference. Group A’ comes to believe at an institutional level that the 40 point deficit either doesn’t exist, or is somehow natural and fair. Group A’ believes they hold the moral superiority by defending their 120 points.

                                                                        Members of group B continue to try to elevate themselves, but A’ demands that all work done by group B must benefit group A’ equally. A’ considers this fair. Groups A and B focus on elevating group B rather than bickering with group A’ about whether 1 equals 40. Some members of both groups A and B institutionalize polite exclusion of group A’ just to simplify the whole thing, because they’re tired of bickering.

                                                                        A vocal minority demonizes group A’ for their actions. Some members of group A find this demonization troubling. A larger and less vocal group of A and B think group A’ is a bunch of fucking douchebags, and start to actively exclude A’ rather than deal with their asinine bullshit. A surprising amount of group A wonders if this exclusion is fair or reasonable. Group B, and an increasing amount of group A, respond “are you fucking joking my ass what the actual fuck?”

                                                                        If you’re a member of group A, please try to empathize with group B. Next time you feel discriminated against for your group A membership, take a step back and reflect on how you’re feeling in that moment. Try to imagine what it’s like to feel that way every single day of your life, at work, on the street, or in your own home through the media.

                                                                        1. 2

                                                                          But it’s infuriating when they paint it as unfair, because that implies they’re somehow being disproportionately discriminated against

                                                                          I think there is more to this implication than you’re letting on, because it makes assumptions about what “fairness” actually means from the person wielding the term. You’ve assumed one definition, but perhaps someone else has another in mind. As a nominal example, consider this implication in different ethical frameworks (say deontological or Kantian ethics versus utilitarian). Is it true in all of them? Alternatively, do you dismiss ethical frameworks in which it isn’t true as nonsense or intractable? Either way, those are important assumptions to state, because your entire comment appears to rest on them.

                                                                          (I do wholeheartedly agree with your final paragraph, but try my best to perhaps apply it as much as possible, with a healthy dose of perspective taking on all sides. I don’t always succeed!)

                                                                        2. 4

                                                                          I’m glad to see this trend of standing up against poltiical [sic] exclusion in Open Source.

                                                                          Me too, I just wish more people would up and leave, instead of stick around and yell about “reverse discrimination” and such. I’m definitely coming at it from a selfish angle (and concern for my friends,) I’m just really tired of people who “disagree” with us existing, at best, and actively harass us at worst. The only way I can participate in open source is anonymously, which means it’s mostly uncredited work. It’s just not worth the toll it takes on my mental health. Of course, whenever possible, I contribute to projects/communities who show that they are aware of these issues, and are actively doing something about it.

                                                                          Looking forward to the Incorrect, Off-topic, and Troll downvotes.

                                                                          1. 4

                                                                            I think it’s a loss when someone who can write code leaves an OSS project. I also think that discrimination, which you refer to as “reverse discrimination” in certain contexts, is bad, end of story. I don’t want anyone to be discriminated against. “Contribute good code” is all I ask of people looking to work with me. Politics are boringly unproductive towards that goal.

                                                                            1. 4

                                                                              I think it’s a loss when someone who can write code leaves an OSS project.

                                                                              I don’t, if they keep other people away who can also write code. I honestly can’t understand what’s wrong with participating in this, unless you believe (actual) discrimination isn’t real.

                                                                              1. 2

                                                                                I do believe actual discrimination is real but I think discriminatory internships aren’t the solution as they only lead to problems down the road. It’s great that Outreachy is doing it and I believe they honestly think it’s the correct solution but I simply can’t agree on that.

                                                                        1. 16

                                                                          As someone who worked on one of the prior/better DVCS (bazaar), I’m really sympathetic to this curmudgeon argument. However, I think the battle has been lost since at least 2009, and it would be more productive to write tooling for git than keep complaining from the sidelines.

                                                                          1. 27

                                                                            They aren’t complaining, they wrote fossil instead of complaining. The complaints come from other people complaining to them for not using git.

                                                                            1. 36

                                                                              As one of the most used libraries in existence, I think SQLite has license to do whatever the hell they want. Their workflow obviously works for them.

                                                                              And this isn’t really complaining, it’s about things fossil does better than git from their point of view. To me it reads like the author set out to write an objective post highlighting the differences, but got annoyed along the way, corrupting their tone for some bits. I imagine this post only exists because they’ve been asked this question enough times to just document it.

                                                                              1. 3

                                                                                and it would be more productive to write tooling for git than keep complaining from the sidelines.

                                                                                IMO, it’s worth keeping the other things alive. At least with hg there is hg-git so us hg users can live inside the git world, but I also use FreeBSD as my main OS so I’m willing to put up with some pain to avoid a monoculture.

                                                                                1. 3

                                                                                  I still use bazaar for my personal projects :-)

                                                                                  1. 3

                                                                                    While (sadly) Bzr did not make it, Hg does seem to be hanging in there. Both Facebook & Google use it internally, for instance.

                                                                                    1. 2

                                                                                      I think for the branch stuff in particular you would need to get stuff into git’s core to make the kind of improvements needed. But those improvements might go against the entire current mental model of branches for git!

                                                                                      Might be pretty tricky.

                                                                                    1. 7

                                                                                      the only way to make money is to grind up your users for advertising paste.

                                                                                      Well, no. You can simply ask users for money. It’s not going to produce THAT MUCH money, but it can just be enough for a service to sustain itself. The beauty of Fediverse is that it works best with many small to medium sized services, nobody actually needs that much money in the first place.

                                                                                      1. 3

                                                                                        If they thought they could get away with it, they would certainly do both.

                                                                                      1. 25

                                                                                        Why do people overthink this? Versions are for human consumption. If I use x.y.z and x.y.z+1 comes out, my expectation is that I should be able to upgrade (if I need to) with minimum friction. Sometimes (rarely!) this is not the case. Tough life.

                                                                                        Similarly I expect I should be able to upgrade to x.y+1.zz, but in this case I expect there might be more work involved, more testing, etc. In general, it should still work though. If not, tough life.

                                                                                        I fully expect moving to x+1.yy.zz would be painful. Sometimes it isn’t though. Life is great.

                                                                                        What’s the problem? The version communicates information to me. Like every other communication, sometimes it’s not perfectly accurate. So what? It’s news, not math.

                                                                                        It seems that people who complain about this are the people who want to upgrade without testing. That is insane. You always need to test. You can’t trust that it will work because some guy who doesn’t know how you use the software promised you that it will work. No, he promised it should work. There are no guarantees. You always need to test.

                                                                                        1. 5

                                                                                          You are missing one final thing. I expect to be able to install X and X+1 side by side in whatever system. So many things seem to miss that, at least vgo gets that right.

                                                                                          1. 2

                                                                                            Yes, unfortunately almost every package manager gets this wrong.

                                                                                            1. 3

                                                                                              In a lot of cases it’s not the package manager’s fault; it’s the way the language does module loading. npm gets this right but the only reason it’s able to is because Node’s module loading algorithm supports (was designed to support?) this use case.

                                                                                              1. 1

                                                                                                They were written at the same time by the same person, so yes, “designed” is appropriate.

                                                                                                1. 1

                                                                                                  Do you mean require() and npm? I don’t think that’s right. I’m just assuming require() was Ryan Dahl in the very beginning of Node (docs say 0.1.13). And npm was by Isaac Schlueter, quite a while after that. People used to share Node modules on the Node GitHub wiki, and IIRC (though I wasn’t there, I just know from reading) npm was one of several package managers at the time.

                                                                                                  1. 2

                                                                                                    I was told that Isaac implemented both; it’s possible that I was misinformed, or maybe it was re-implemented by him.

                                                                                              2. 1

                                                                                                Package managers that allow side-by-side global installs that I can think of:

                                                                                                • gem / bundler
                                                                                                • maven
                                                                                                • homebrew
                                                                                                • nix

                                                                                                They all require special tools to choose which version you want to use though. Are there any others? Are there any without that requirement?

                                                                                            2. 1

                                                                                              After accepting that every upstream change can break our code the next step is to accept that the additional “level of probability” communicated by those dotted numbers is useless: they don’t affect your behavior as a maintainer, you still have to a) read and understand what changed and b) update and test your system. Which means that a single number would do just nicely.

                                                                                              I can speculate that semver became popular because of people who want to be trendy by “living on the bleeding edge” but still want some escape hatch that would “allow” them to not really read and understand all change logs of all those dozens of dependencies changing daily. So they like semver because if anything breaks after a minor version change, they can say it’s not their fault.

                                                                                              1. 1

                                                                                                It seems that people who complain about this are the people who want to upgrade without testing.

                                                                                                Unfortunately, I’ve found that most people set up their package dependencies in whatever system to take X.*.*, so you automatically get updates between builds. That isn’t necessarily a fault of semver but it is what semver is selling.

                                                                                                1. 2

                                                                                                  To clarify, when you say lots of people set things up this way, you’re not counting people who use lockfiles, correct?

                                                                                                  1. 2

                                                                                                    I guess not since I have experienced this fairly often.

                                                                                                  2. 1

                                                                                                    Why is this unfortunate? Due to lacking tests between builds and shoddy upgrade procedures and builds that don’t lock down versions when the tests pass?

                                                                                                    Kinda like what @4ad said, it’s as if people expect this to solve world hunger when it should be regarded as a canned food in your pantry.

                                                                                                    1. 0

                                                                                                      Assuming no locks, the biggest problem is that it means what you built and what I built are not guaranteed to be the same thing. So reproducible builds are out. It also means if you have a bug and I don’t, we don’t know why.

                                                                                                      IME, semantic versioning has not helped me upgrade dependencies. I have to test the new update no matter what, despite the SemVer spec using words like MUST when it defines what things mean. And people fuck up their SemVers enough that backwards compatible changes end up not being backward compatible. So are we better off with SemVer than just some incrementing release number? I’m not really convinced the complexity of SemVer is really bringing a lot of value other than making us all feel like we elegantly solved a problem.

                                                                                                1. 1

                                                                                                  This is actually very educational. Thank you!

                                                                                                  1. 21

                                                                                                    I love how this thing is written: only plain old Lisp that directly translates to plain old HTML and plain old SQL. No complex template engines, ORMs, multiple inheritance, events, callbacks and modern complex machinery I’ve struggled with in the past.

                                                                                                    Nowadays I tend to follow a similar simplistic approach to web programming, and it’s so much better. I don’t think I’m the only one, and I think many of us try to “rediscover” this simplicity through recent projects like HyperScript or Ecto.

                                                                                                    I think we should learn a lot from the past.

                                                                                                    1. 10

                                                                                                      I have taken to writing web “apps” in Ruby using only the standard library. It’s way more than enough. And extremely educational to use: you’ve got to put all the pieces of a web stack together yourself. After building a few personal apps this way I have a few utility classes that cover the abstractions I care about.

                                                                                                      The biggest is a 50 line SimpleController base class that extends WEBrick::Servlet, pre-processes request data, wraps responses with some default headers, and renders ERB templates with a render method like Rails does.

                                                                                                      And I set up WEBrick to authenticate my client TLS certificate. I love having all the security and convenience of ssh public keys for my personal web apps too. Although I wouldn’t bother with that in a million years if MacOS Keychain Access didn’t make it trivial to generate client certificates.

                                                                                                      WEBrick - built in HTTP server

                                                                                                      • multi-threaded
                                                                                                      • access and error logs
                                                                                                      • static file server
                                                                                                      • multipart/form-data (file upload) support
                                                                                                      • cookies support
                                                                                                      • HTTP Basic Auth
                                                                                                        • pluggable UserDB backend
                                                                                                        • comes with Apache-style htpasswd and htdigest backends
                                                                                                      • SSL/TLS, including client-side certificate validation

                                                                                                      ERB - built in HTML template engine

                                                                                                      • did you know this was in the standard library?
                                                                                                      • WEBrick can run .rhtml files as ERB
                                                                                                      • erb cli tool ships with Ruby, great for debugging templates

                                                                                                      YAML::DBM - built in database

                                                                                                      • transparently stores objects as YAML in a key-value store
                                                                                                      • syntax identical to hash map, e.g. db['key'] = obj
                                                                                                      • original DBM was written by Ken Thompson at Bell Labs
                                                                                                      • multi-threaded with just a couple lines of code
                                                                                                        • DB_LOCK = Mutex.new
                                                                                                        • def transaction() DB_LOCK.synchronize { yield DB } end
                                                                                                        • transaction { |db| v = db[k]; v.a = b; db[k] = v }
                                                                                                        • if you think I’m joking then benchmark it
                                                                                                        • literally the same strategy used by MongoDB until 2015
                                                                                                      • for sufficiently simple apps SQL is more trouble than it’s worth
                                                                                                      • for kicks implement the WEBrick::UserDB interface in a 10 line class

                                                                                                      Minitest - built in unit test framework

                                                                                                      • actually a good test framework
                                                                                                      • default test framework for Rails apps

                                                                                                      Kernel.open - default open call is special magic

                                                                                                      • require 'open-uri' makes regular open work on http[s]:// URIs
                                                                                                        • Ruby stdlib vs Python Requests library:
                                                                                                          • content = open('https://google.com').read
                                                                                                          • content = requests.get('https://google.com').text
                                                                                                        • also adds .open method to URI objects
                                                                                                        • handles redirections, etc.
                                                                                                      • calling open on a pipe-prefixed string opens a subprocess
                                                                                                        • e.g. p = open('|cat', 'r+'); p.write('neat'); p.close_write; p.read == 'neat'
                                                                                                        • for small projects shelling out is often the easiest way to do certain things

                                                                                                      Thread / Queue / Mutex / ConditionVariable / Monitor

                                                                                                      • I find Ruby’s traditional concurrency classes extremely usable
                                                                                                      • Threads and Queues are just as easy as goroutines and channels
                                                                                                        • it’s 2018, threads are pretty cheap
                                                                                                      1. 9

                                                                                                        I’d argue it’s not about rediscovering something we forgot. Doing things simply is actually really, really hard. And everyone has to learn it by themselves, I don’t believe it’s a teachable technique. And it just takes time. And by the time you’re there you couldn’t care less about hyping up your acquired knowledge and putting it on display in the form of a framework :-) That’s why trending hot stuff is invariably over-complicated.

                                                                                                        1. 3

                                                                                                          I wrote a web app in C++ (long story) and tried to do this. For HTML I made a DSL using variadic templates and user-defined operators so I could write div("class-name"_class, p("Hello there")) etc, found a nice SQL DSL to write queries in a similar fashion, and so on. It was simpler to me than something like Django, but of course I would never use C++ for a public web app.

                                                                                                          1. 3

                                                                                                            OpenResty is pretty nice in that regard. Just a scripting interface to nginx.

                                                                                                          1. 25

                                                                                                            Mozilla feels free to do things to your browsing that they wouldn’t do to users of regular Firefox

                                                                                                            Yes, that’s what testing means, among other things. Nightlies are for testing.

                                                                                                            1. 12

                                                                                                              Sure, but it’s worthwhile users alerting Mozilla of the boundaries of that testing that they’re comfortable with. Yes, happy to test new features, bug fixes, new UI, etc. Not so sure about testing involving my browsing activity being sent to a private company in a foreign country.

                                                                                                              1. 14

                                                                                                                As opposed to spraying your browsing activity unencrypted, all over the internet. DNS is without a doubt the most dubious protocol in use by the average internet user, ever since unencrypted HTTP became uncool.

                                                                                                                And the privacy policy they negotiated with CloudFlare is pretty strict:

                                                                                                                And in this case the operating agreement with the dns provider is part of making that right choice. For this test that means the operator will not retain for themselves or sell/license/transfer to a third party any PII (including ip addresses and other user identifiers) and will not combine the data it gets from this project with any other data it might have. A small amount of data necessary for troubleshooting the service can be kept at most 24 hrs but that data is limited to name, dns type, a timestamp, a response code, and the CDN node that served it.

                                                                                                                1. 7

                                                                                                                  I’m aware of the downsides of DNS, and I’m pleased to see work towards alternatives. I would like such experiments to either be opt in, or provide ample notification that privacy expectations are different for the duration of the experiment so users can choose not to share their data with CloudFlare if they want. As Mozilla says in their recent blog post:

                                                                                                                  At Mozilla, our approach to data is simple: no surprises, and user choice is critical. We believe in that not just because it makes for good products, but because trust is a key factor in keeping the internet healthy.

                                                                                                                  1. 0

                                                                                                                    So, pray tell, what do I use to replace DNS?

                                                                                                                    Saying that about DNS might make more sense if more people ran their own DNS server, instead of relying upon their ISP or worse, Google.

                                                                                                                    1. 10

                                                                                                                      …this DNS replacement technology that Mozilla is testing out in their nightly.

                                                                                                                      1. 2

                                                                                                                        Wonderful! Why not run IP over HTTPS/2?

                                                                                                                        You are still spraying your browser activity over the Internet, only the contents are protected, not who you are visiting.

                                                                                                                        1. 14

                                                                                                                          Ah yes, I forgot the first principle of security, “if you can’t protect everything perfectly, might as well just protect nothing.”

                                                                                                                          DNS requests and responses leak plenty of information that an encrypted connection won’t, chiefly the domains and subdomains I’m visiting. If I’ve encrypted my DNS traffic can you still figure out what I’m doing just from the destination IP address? Yes just whois that IP address! Easy right? Oh, it’s Cloudflare. That really narrows it down, they don’t have very many customers. Or maybe Akamai, or Cloudfront, or S3, or GCS. Just knowing what CDN I sent a request to is enough to make an educated guess about what I was doing, no doubt. Cloudflare only has 6 million customers or so, should be easy to pick out the one I’m using.

                                                                                                                          1. 4

                                                                                                                            If I’ve encrypted my DNS traffic can you still figure out what I’m doing just from the destination IP address?

                                                                                                                            No, you can still figure it out from SNI, which sends the domain and subdomain you’re accessing in cleartext before the TLS connection starts; this is used to allow the server to present the correct certificate.

                                                                                                                            Basically all major websites today require SNI, and your browser will send it even if the site may not require it, causing any MitM to see just as much from SNI as they would see from DNS.
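The claim in the comment above, that SNI carries the hostname in cleartext in the first handshake message, shown as an added example (not part of the thread and not any commenter's code): a Python parser that pulls the server name out of a raw TLS ClientHello record. The sample record, the helper `build_client_hello` and the hostname `example.org` are constructed here for illustration.

```python
import struct


class NotClientHello(ValueError):
    """Raised when the bytes are not a complete, single-record ClientHello."""


class _Reader:
    """Bounds-checked cursor over a byte string."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def remaining(self):
        return len(self.buf) - self.pos

    def take(self, n):
        if n > self.remaining():
            raise NotClientHello("truncated ClientHello")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]


def build_client_hello(hostname, with_sni=True):
    """Constructed sample input: a minimal ClientHello record (zeroed random)."""
    extensions = b""
    if with_sni:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry            # server_name_list
        extensions = struct.pack("!HH", 0x0000, len(sni)) + sni  # extension type 0 = SNI
    body = (
        b"\x03\x03"                              # legacy client_version
        + bytes(32)                              # random
        + b"\x00"                                # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # null compression
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI hostname from one TLS record, or None if it has no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        raise NotClientHello("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) < 5 + rec_len:
        raise NotClientHello("truncated record")
    data = record[5:5 + rec_len]
    if len(data) < 4 or data[0] != 0x01:
        raise NotClientHello("handshake message is not a ClientHello")
    hs_len = int.from_bytes(data[1:4], "big")
    if hs_len > len(data) - 4:
        raise NotClientHello("ClientHello truncated or split across records")
    r = _Reader(data[4:4 + hs_len])
    r.take(2 + 32)       # version + random
    r.take(r.u8())       # session_id
    r.take(r.u16())      # cipher_suites
    r.take(r.u8())       # compression_methods
    if r.remaining() == 0:
        return None      # no extensions block at all
    exts = _Reader(r.take(r.u16()))
    while exts.remaining():
        ext_type = exts.u16()
        ext = _Reader(exts.take(exts.u16()))
        if ext_type == 0x0000:
            names = _Reader(ext.take(ext.u16()))
            while names.remaining():
                name_type = names.u8()
                name = names.take(names.u16())
                if name_type == 0:
                    return name.decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    rec = build_client_hello("example.org")
    # Nothing is decrypted here: the name is read straight off the wire bytes.
    print(extract_sni(rec))
```
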

                                                                                                                            1. 4

                                                                                                                              There is a proposal to encrypt SNI. Sending DNS over HTTP is one of many defenses we have to put up to increase privacy, a single solution will not fix it.

                                                                                                                              1. 3

                                                                                                                                True, but it’d be preferable to send DNS over a simpler protocol, e.g. what dnscrypt did.

                                                                                                                                DNS over HTTP makes DNS resolution on e.g. an Arduino basically impossible, because you’re now using half of your ROM for the TCP and HTTP stack.

                                                                                                                                1. 3

                                                                                                                                  Probably, yes, for such purposes you can fall back to a local resolver that can do DNS over HTTP for you or alternatively just use plain DNS.

                                                                                                                                  The reason people want to jump for DNS over HTTP is that it’s least likely to break middleboxes (dnscrypt does, there were a few fun situations I had while using it with DNS manipulating middleboxes like you find in any free wifi out there)

                                                                                                                                  HTTPS is rarely inspected and when it is, the body is left alone, so putting DNS there is a reasonable way to get middleboxes to stop modifying it.

                                                                                                                                  1. 3

                                                                                                                                    Sure, that’s a solution for the people that have to deal with middleboxes.

                                                                                                                                    But it would be preferable if those of us that don’t could have a simpler, more efficient protocol, for which cleaner and faster implementations can exist.

                                                                                                                                    1. 3

                                                                                                                                      Part of this study is exactly to find out how efficient this is.

                                                                                                                                      The upside is also that DoH offers privacy without clients having to massively reimplement everything.

                                                                                                                                      dnscrypt has to my knowledge rather poor support and IIRC was even dropped from development entirely for a period of time, the author pointing the website towards the DoH implementation at Google.

                                                                                                                                      The problem really is that the size of a UDP packet doesn’t offer much space to do much cryptography. A RSA4096 key will take up to 446 bytes, the largest UDP packet you can safely send over the internet is 500 bytes. Current DNSSEC largely relies on RSA2048 via multiple TXT records (you can hear the belt jumping from the gears when you push that into BIND, it works but bleh)

                                                                                                                                      Ed25519 takes 32 bytes, which is much better, but that’s still almost 10% of the entire packet.

                                                                                                                                      On DoH there is no such limitation. We can stuff more complicated and more secure cryptography through there. You can sign the entire response body with a good and long key on the origin server and put it into a header. Simple and efficient, yet safe.

                                                                                                                                      1. 4

                                                                                                                                        I’m myself a developer for an Android client for an IRC bouncer with custom protocol.

                                                                                                                                        I’ve spent quite a while to implement our custom binary protocol to get highest performance, and I can do a whole handshake - connect - sync in below 50ms on a good connection, or at a maximum of around 5 seconds on 2G throttled to 64kbps on a 2010 phone on unreliable connection with a protocol worst case.

                                                                                                                                        Even establishing a HTTP/2 connection becomes a significant bottleneck at this point. (And I’ll probably have to ship a custom DNS resolver in the app anyway, as people want to be able to use mDNS resolution, which Android doesn’t support)

                                                                                                                                        1. 3

                                                                                                                                          You don’t have to establish a HTTP/2 connection per roundtrip. You’re supposed to keep the connection open and you can then even multiplex requests over it.

                                                                                                                                          Your android app should not be implementing DNS. It should be handing over the DNS requests to the system library which is then free to use DoH or traditional DNS or dnscrypt.

                                                                                                                                          Application protocols like IRC are fine since they’re on a higher level but DNS shouldn’t be a problem your application has to concern itself with.

                                                                                                                                          mDNS is a significantly simpler spec than DNS itself (once you include all the updates you need to understand all the modern queries and responses) and I don’t see why you would even begin to pipe it over DoH…

                                                                                                                                          1. 3

                                                                                                                                            The question with all this is, to where?

                                                                                                                                            Does your DoH work in a corporate intranet, where only the local IRC server is available in the subnet the phone is in (I’ve got cases such as that)?

                                                                                                                                            Does your DoH work in situations where the user can access local servers with sub 6ms RTT, but the nearest Google server is 350ms RTT away?

                                                                                                                                            There’s lots of situations where these things get complicated, and this experiment will only ever be able to test a tiny subset of them. The majority of these edge cases need to be explored through other means.

                                                                                                                                            1. 2

                                                                                                                                              Yes because DoH is a protocol, you don’t have to send it to a Google server.

                                                                                                                                              Since it’s simply DNS piped over HTTP you can pipe the HTTP body into any DNS server and get a response over localhost.

                                                                                                                                              DoH only means “open a HTTP connection, pipe dns query into the body”. HTTP/2 deals with multiplexing and keep-alive.

                                                                                                                                              And you can still have local resolution via /etc/hosts or mDNS, those are separate resolvers.
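
An added example, not part of the thread: how a DNS query is "piped into the body" under RFC 8484, both as a POST body and as the base64url `dns=` parameter of a GET, plus the parsing a receiving server does before handing the message to any resolver. The `/dns-query` path follows the RFC's own examples and `doh.example` is a placeholder host; both are assumptions.

```python
import base64
import struct

DOH_MEDIA_TYPE = "application/dns-message"  # media type defined by RFC 8484


def encode_qname(name: str) -> bytes:
    """Encode a hostname as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("name exceeds 255 octets")
    return out


def build_query(name: str, qtype: int = 1) -> bytes:
    """Ordinary DNS wire format: 12-byte header followed by one question."""
    # ID is 0 so identical queries produce identical, cacheable HTTP requests.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_post(host: str, query: bytes, path: str = "/dns-query"):
    """POST form: the raw DNS message is the HTTP body, unchanged."""
    headers = {"Host": host, "Accept": DOH_MEDIA_TYPE,
               "Content-Type": DOH_MEDIA_TYPE,
               "Content-Length": str(len(query))}
    return "POST", path, headers, query


def doh_get(host: str, query: bytes, path: str = "/dns-query"):
    """GET form: the same bytes, base64url-encoded with padding removed."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    headers = {"Host": host, "Accept": DOH_MEDIA_TYPE}
    return "GET", f"{path}?dns={b64}", headers, b""


def parse_question(msg: bytes):
    """Server side: validate the body and recover (name, qtype, qclass)."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):
            raise ValueError("bad label")  # also rejects compression pointers
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels) + ".", qtype, qclass


if __name__ == "__main__":
    q = build_query("i.k8r.eu")  # hostname taken from the thread
    print(doh_get("doh.example", q)[1])
    print(parse_question(doh_post("doh.example", q)[3]))
```

The body is a plain DNS message, so whatever terminates the HTTP request can forward those bytes unchanged to any resolver, local or remote.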

                                                                                                                              2. 2

                                                                                                                                That’s true, I didn’t think about SNI. Still DNS traffic probably will go someplace else other than the eventual destination server, providing more opportunities to snoop. And DNS often encodes more than just the target hostname. And there are quite a few more MitM attacks on DNS than TLS connections. So there’s definitely room for improvement in hostname resolution.

                                                                                                                                1. 3

                                                                                                                                  For DNS there’s a flag you can use with your local resolver to only send the relevant parts to each server.

                                                                                                                                  So to resolve i.k8r.eu you’d only send “eu.” to the root DNS server, then only “k8r.eu.” to the .EU nic’s server, and only the actual DNS server of i.k8r.eu would see the full subdomain.

                                                                                                                1. 6

                                                                                                                  Besides the negative points discussed above, Atom is effectively the same tool as Sublime Text except it runs slower.

                                                                                                                  I disagree with that statement. Sublime Text is great, I love its speed, but it has a bunch of tiny awkward details that Atom doesn’t have, and Atom has some cool features that Sublime Text doesn’t.

                                                                                                                  From ST one of the things that bothers me the most is that it assumes I want to drag text that I’ve selected, which is false, actually I basically never want to drag text. This assumption means that I can’t select something and then re-select something inside that selection, because it assumes a drag is a text drag, not a selection.

                                                                                                                  Another bit I find Atom does great is the splits, I love its approach. My favorite of any editor.

                                                                                                                  Not that I use it a lot, but the Git support from Atom is great.

                                                                                                                  I can’t figure out how to make ST’s subl command behave like I want. I want it to behave exactly like Atom’s:

                                                                                                                  • subl . opens current dir in a window and nothing more
                                                                                                                  • subl opens new window and nothing more
                                                                                                                  • If a window is opened without a file, it just opens an empty window with no working dir

                                                                                                                  Right now it also opens whatever old window I had open when I last closed ST, and I can’t find how to disable that.

                                                                                                                  Also, to be fair, Atom has Teletype now. I haven’t used it, but it looks cool.

                                                                                                                  I probably missed something, but I think I’ve done enough to show it’s not “the same”.

                                                                                                                  1. 2

                                                                                                                    The ‘drag selected text’ continually confounds me. I can’t imagine anyone finding that useful. The other thing is Eclipse and other IDEs dragging/dropping arbitrary objects in project/navigator views, “oops where’d that folder go?” It’s maddening.

                                                                                                                    1. 3

                                                                                                                      One always cuts and pastes, right? Who drags around a block of text..

                                                                                                                      1. 1

                                                                                                                        Have you tried going to preferences -> settings and adding/changing "drag_text" to false?

                                                                                                                      2. 2

                                                                                                                        The dragging thing is probably OS-specific. I don’t see it on my Ubuntu.

                                                                                                                        1. 1

                                                                                                                          It looks like there’s an undocumented option remember_open_files in ST. That combined with alias subl="subl -n" in your shell should get pretty close to the behavior you’re looking for.

                                                                                                                        1. 10

                                                                                                                          The whole “value gap” theory, on which this proposal is based, is flawed.

                                                                                                                          The European Commission spent €360.000 to prove that copyright infringement negatively affects sales. The study they (we) have paid for concluded that, with the exception of recently released blockbusters, there is no evidence to support the idea that online copyright infringement displaces sales. So they’ve tried to keep it secret, till Julia Reda published it: https://juliareda.eu/2017/09/secret-copyright-infringement-study/

                                                                                                                          Julia’s post on the proposed upload filters is also an interesting read: https://juliareda.eu/2018/02/voss-upload-filters/

                                                                                                                          There must be a lack of better things to spend EU money on, I guess.

                                                                                                                          1. 1

                                                                                                                            The whole “value gap” theory, on which this proposal is based, is flawed.

                                                                                                                            But oh so profitable!

                                                                                                                          1. 13

                                                                                                                            GitHub are, of course, a company that thrives from content creators acting as sharecroppers on their centralised hosting platform. The dichotomy of “freedom to post whatever you want to GitHub” vs “OMG the Fahrenheit 451 future of Europe” is a false one, because you can post your open source project’s code to your open source project’s GitLab, Kallithea, or other instance. GitHub are downplaying that alternative so that “freedom” is recast as “the freedom for GitHub to have all your codes”.

                                                                                                                            1. 4

                                                                                                                              Wouldn’t this legislation apply to Gitlab or any other alternative as well?

                                                                                                                              1. 2

                                                                                                                                Wait, my hard drive can store stuff too, now we need to add copyright detection to virus scanners too!

                                                                                                                                1. 0

                                                                                                                                  I can run my own gitlab, I cannot run my own github. If I run my own gitlab then I can know that only my own project code is hosted on the gitlab.

                                                                                                                                  1. 4

                                                                                                                                    And what, you don’t plan to ever collaborate with anyone? You don’t plan to ever use any open-source libraries written by others? You’re sure you aren’t going to hit any false positives? How do you think Gitlab is being built for your use? Pointing out OP’s self-interest doesn’t actually replace addressing its criticisms.

                                                                                                                                    If this goes through, copyright trolls will become a thing. Get a lawyer, squat on some maximally general pattern of bits, and now projects can’t upload stuff matching it without paying you.

                                                                                                                                    1. 1

                                                                                                                                      If he sets up public repositories people can contribute code to his repository on his own Gitlab instance.

                                                                                                                                      1. 1

                                                                                                                                        I run my own gitlab for my software projects, people join there to collaborate or send me patches via email / pastebin.

                                                                                                                                  2. 6

                                                                                                                                    You got the point here. GitHub is trying to stay in a grey area instead so people won’t move away from their services, “supporting” both freedom and law by passing the ball to us with their Call to Action.

                                                                                                                                    1. 2

                                                                                                                                      They explicitly mention that for smaller players introduction of content upload filters would be even more burdensome. And also they don’t mention it, it’s obvious that GitHub of all companies would have the resources to implement such a thing. So I don’t see why you try to cast it as GitHub caring only for themselves.

                                                                                                                                      Besides, “listen to what’s being said, not who’s saying”. The concern is valid and well articulated. Any attempt from copyright mongers to tax another human activity is counterproductive to progress and should be stopped.

                                                                                                                                      1. -2

                                                                                                                                        github explicitly mention that github are the best people to solve this problem? interesting.

                                                                                                                                        1. 2

                                                                                                                                          Sorry, where did you get that? :-) It’s neither in the text, nor in my comment.

                                                                                                                                          1. -1

                                                                                                                                            so, when you said “They explicitly mention”, you didn’t mean the “they” we were talking about? interesting.

                                                                                                                                            1. 3

                                                                                                                                              Let’s assume you’re not trolling me on purpose here…

                                                                                                                                              They is GitHub. I did say GitHub would be the least affected themselves by such a law:

                                                                                                                                              GitHub of all companies would have the resources to implement such a thing

                                                                                                                                              I did not say they “are the best people to solve this problem”. It’s just a completely different thing.