1. 3

    This seems to be a trend with major browsers recently — I definitely take issue with it, but I’m guessing there’s some rationale behind the decisions.

    1. 9

      Because URLs are hard to understand, apparently: https://www.wired.com/story/google-wants-to-kill-the-url/

      1. 7

        I don’t think URLs are working as a good way to convey site identity

        That’s because they are supposed to convey a location, not an identity.

        But it’s important we do something, because everyone is unsatisfied by URLs

        Who’s “everyone”? Never heard anybody say they were unsatisfied with URLs. Typical google-speak where they claim they are working for the greater good, while they are simply trying to twist the web to make it easier for their algorithms to process.

        1. 7

          That’s because they are supposed to convey a location, not an identity.

          A URL is a URI, so they are definitely also identifiers.

          1. 6

            Who’s “everyone”?

            I’m pretty sure the numbers speak loud enough about people not understanding URLs or its shortcoming only with all the successful phishing going around and all the confusion about the meaning of the padlock (Could be argued this is not an URL issue, but IMO still relies on the user understanding what is a domain).

            Domain and URLs should be abstracted away to the average user. The user wants to go on Facebook or Google, not https://facebook.com or https://google.com.

        2. 5

          I prefer what a lot of browsers do where they gray out most of the URL and show the domain name in full white/black

        1. 7

          Looks like a dream scenario for phishing, with the opportunity to create legit-looking domain names, plus the secure padlock right next to the address bar.

          I’m curious what they were trying to optimise for when coming up with this.

          1. 14

            I’m curious what they were trying to optimise for when coming up with this.

            Consumer lock-in is my guess. In conjunction with their other remarks about URLs, I think they want to make URLs unpredictable and hence scary, leading users to trust Google to tell them how to get to Apple’s website more than they trust ‘https://apple.com/’ to.

            This gives them more power to advertise, more power to redirect, and more power to censor. From their point of view it’s pure win; from ours, not so much.

            1. 12

              I think they want to scrap the URL bar all together so you can only make searches and click links (which go to google AMP pages) googles dream web is just one big google.

              1. 5

                …so you can only make searches and click links…

                That’s just catching up to what everyone is doing anyway. Even commercials eschew a domain name and tell the listener to search the company. Back to the ye olde “AOL Keyword” days.

                1. 3

                  because the domain name system is broken in the first place.

                  it’s invented by network engineers for network engineers.

                  1. 2

                    This has been the case for ages in Japan now, where ads often feature a search-like bar and the thing to type into said search bar.

                  2. 4

                    This. My hypothesis is that they are deliberately trying to break the URL bar with “improvements” such as these so that they can later justify removing it altogether.

                    As much as I’m annoyed with Firefox breaking DNS, this is arguably much worse. And what’s said is that all of the other major browsers will probably follow suit because imitating chrome is just what they all do now.

                  3. 4

                    I’ll be shocked if they don’t replace the address bar with a search-only box.

                  4. 5

                    I fail to see how this make phishing any easier. Given an attacker own a domain, he’s free to use whatever legit-looking subdomain names he wants. And even if somehow an attacker took control of www subdomain of a target, user are so used to www being aliased to @, I don’t see anyone thinking they might be phished due to that.

                    I’m curious what they were trying to optimise for when coming up with this.

                    My guess is they are trying to rethink the way people navigate the web. URLs are coming from somewhere with quite different application and users. Maybe we can do better for the average user (People on lobste.rs are not the average users). Hopefully those small changes can be easily driven by user testing and UX researches.

                    1. 1

                      A phisher who does obtain access to a domain can now quietly point WWW where they want and just one more thing will work out for their benefit. That isn’t a large difference, maybe, but could be quite confusing.

                  1. 34

                    I’m impressed by the lack of testing for this “feature”. It may have a huge impact for end users, but they have managed it to ship with noob errors like the following:

                    Why is www hidden twice if the domain is “www.www.2ld.tld”?

                    Who in their right mind misses that, and how on Earth wasn’t it caught at some point before it made it to the stable branch?

                    1. 11

                      url = url.replace(/www/g, '') - job well done!

                      1. 21

                        Worse

                        What’s really eye-opening is that comment just below wrapped in the pre-processor flag! Stunning.

                        1. 9

                          Wow, so whoever controls www.com can disguise as any .com page ever? And, as long as it’s served with HTTPS, it’ll be “secure”? That’s amazing.

                          1. 5
                            1. 5

                              Not just .com. On any TLD so you could have lobster.www.rs

                            2. 3

                              If I may ask, how is this worse than url = url.replace(/www/g, '')? If anything, the current implementation use a proper tokenizer to search and replace instead of a naive string replace.

                              1. 2

                                That’s just my hyperbole.

                          2. 10

                            Right, the amateurishness of Google here is stunning. You’d think with their famed interview process they’d do better than this.

                            On a tangential rant, one astonishing phenomenon is the helplessness of tech companies with multibillion capitalizations on relatively simple things like weeding out obvious bots or fixing the ridiculousness of their recommendation engines. This suggests a major internal dysfunction.

                            1. 14

                              To continue off on the tangent, it sounds like the classic problem with any institution when it reaches a certain size. No matter which type (public, private, government…), at some point the managerial overhead becomes too great and the product begins to suffer.

                              Google used to have a great search engine. It might even still be great for the casual IT user, but the signal-to-noise ratio has tanked completely within the past ~2 years. Almost all of my searches are now made on DuckDuckGo and it’s becoming increasingly rare that I even try Google, and when I do it’s mostly an exercise in frustration and I spend the first 3-4 searches on quoting and changing words to get proper results.

                              1. 5

                                Large institutions collapsing under their own managerial weight is more of a ‘feature’ in this case.

                                1. 1

                                  What are a few examples of queries for which DDG produces better results than Google?

                                  1. 2

                                    I’m not able to rattle off any examples, sorry. I’ll try to keep it in mind and post an example or two, but don’t hold your breath :)

                                    I’ve been using DDG as my primary search engine for 2-3-4 years now, and have tried to avoid Google more and more in that same time frame. This also means that all the benefits of Google having a full profile on me are missing from the equation, and I don’t doubt that explains a lot of the misery I experience in my Google searches. However, I treat DDG the same and they still manage to provide me with better search results than Google…

                                    In general every search that includes one or more common words tend to be worse on Google. It seems to me that Google tries to “guess” the intent of the user way too much. I don’t want a “natural language” search engine, I want a search engine that searches for the words I type into the search field, no matter how much they seem like misspellings.

                            1. 11

                              I’m one of the VerneMQ developers, so if you have any questions about VerneMQ I’d be happy to try to answer.

                              1. 2

                                I saw you addressed the difference with RabbitMQ. Do you know about Malamute (ZeroMQ broker)? How would it compare against? I really like the philosophy behind ZeroMQ, and use Malamute internally, but its a bit of a pain to install outside of Linux and I’ve hit bugs that left me with a feeling of “I’m the first user of this”.

                                1. 1

                                  I haven’t heard about Malamute before, so can’t say anything about it, I’m afraid. I did work with ZeroMQ briefly some years back and it seemed pretty nice. I’ll have to check out Malamute!

                                2. 2

                                  What are the pros/cons of VerneMQ vs Mosquitto?

                                  1. 3

                                    I guess what’s a pro and what’s a con is in the eye of the beholder. The biggest difference is that VerneMQ is built from the start to be a distributed broker, while Mosquitto is a stand-alone broker. The clustering makes VerneMQ horizontally scalable, so that would be a pro if you need that. Another difference which may be an important pro or con, depending on what one fancies, is that Mosquitto is written in C and hence plugins has to be written in C (correct me if I’m wrong here). VerneMQ plugins can be written in Erlang, Elixir or Lua or as HTTP endpoints. There are of course lots of other details, but those are, I think the main ones.

                                    1. 2

                                      emqtt is another one I have run across a few times (haven’t tried it out yet).

                                  1. 6

                                    He asked: why is there no argument to memcpy() to specify the maximum destination length?

                                    That’s the third one.

                                    If you really insist, #define safe_memcpy(d, s, dn, sn) memcpy(d, s, min(dn, sn))?

                                    1. 4

                                      Yeah, also, I don’t understand why would they want that.

                                      Imagine calling memcpy(d, 10, s, 15), and having your data not copied entirely, having your d buffer with cropped data. Garbage, essentially. How would that be better?

                                      edit: to be clear, I’m not complaining about your suggestion, but about the reasoning of the presenter on this.

                                      1. 4

                                        Yeah, also, I don’t understand why would they want that.

                                        Imagine calling memcpy(d, 10, s, 15), and having your data not copied entirely, having your d buffer with cropped data. Garbage, essentially. How would that be better?

                                        Cropped data would be a logic error in your application. With standard memcpy the additional 5 bytes overwrite whatever is in memory after the d buffer. This can even enable an attacker to introduce execution of their own code. That’s why ie. Microsoft ships a memcpy_s.

                                        Reading materials:

                                        1. 7

                                          But the unanswered question is why you’re calling memcpy(d, s, 15) instead of memcpy(d, s, 10)? At some level the problem is calling the function with the wrong argument, and adding more arguments maybe doesn’t help.

                                          1. 4

                                            Every security exploit can be drilled down to “why were you doing this!”. If there was an obvious answer, security exploit would have been a thing of the past. Meanwhile advocating harm reduction is as good as we can get because even if calling memcpy with a smaller destination is wrong to begin with, truncated data still has a more chance to end up with non-exploitable crash than plain old buffer overflow that often end up with reliable code exec.

                                            1. 3

                                              But why do we assume this extra parameter is better than the other parameter which we have assumed is incorrect? Why not add another extra parameter? memcpy_reallysafe(dest, src, destsize, srcsize, destsize_forserious, doublechecksize)

                                              1. 3

                                                Because in ten years a line of code can change and the assumptions that made one variable the right one will break. Suddenly you got the wrong variable in there. Personally, I think this is where asserts belong, to codify the assumptions over a long span of time and multiple developers.

                                                1. 3

                                                  A common use case of memcpy is to copy a buffer over another. The way program are structure we often end up with srcsize and dstsize that matches their buffer. The error come from the implicit contract that srcsize is always at least bigger than dstsize. Sure, good code would ensure this is always true. Actual code had many instance where it is not. Adding dstsize to memcpy means that this contract is now explicit and can be asserted by the actual function that put this contract in place.

                                                  I mean, at this point we are not arguing of hypothetical scenario, we have a whole history of this bug class happening over and over again. Simply keeping track of the semantic (Copy one buffer to the other) and asking for all the properties required (Buffer and their size) is a low effort and easy way to prevent many of those bug.

                                                  1. 1

                                                    Yeah, keeping track of the buffer size is a very good idea. But if you want it to always be correct, it should be done without requiring the programmer to manually carry the buffer size along in a separate variable from the buffer pointer.

                                                    Either something like “Managed C++”, where the allocator data structures are queried to figure out the size of the buffer, or something like Rust slices:

                                                    typedef struct {
                                                        char *ptr;
                                                        size_t len;
                                                    } slice_t;
                                                    slice_t slice(slice_t slice, size_t start, size_t end) {
                                                        assert(start <= end);
                                                        assert((end - start) <= slice.len);
                                                        slicet.ptr += start;
                                                        slice.len = end - start;
                                                        return slice;
                                                    }
                                                    slice_t slice_front(slice_t slice, size_t start) {
                                                        assert(start <= slice.len);
                                                        slice.ptr += start;
                                                        slice.len -= start;
                                                        return slice;
                                                    }
                                                    slice_t slice_back(slice_t slice, size_t end) {
                                                        assert(end <= slice.len);
                                                        slice.len = end;
                                                        return slice;
                                                    }
                                                    void slicecpy(slice_t dest, slice_t src) {
                                                        assert(dest.len == src.len);
                                                        memcpy(dest, dest.len, src);
                                                    }
                                                    

                                                    The point being to make it harder to mix up which len goes with which ptr, plus providing a assert-assisted pointer manipulation in addition to the safe memcpy itself. A safe abstraction needs to account for the entire life cycle of its bounds check, not just the point of use.

                                                    Also, this would really, really benefit from templates.

                                      1. 2

                                        I stumbled upon this project a few week ago. It seems there’s a protocol to redeem and use tokens when filling the first captcha and skip later ones. The protocol also allow user to stay anonymous.

                                        1. 2

                                          The issues with mruby have been to use it as a sandbox itself. While some language like Lua (or JavaScript) has been made to be embeddable and expect to run arbitrary scripts, most application language implementation such as mruby, CRuby, CPython, etc. are not. The fix is simply to sandbox the process and not the script. By using seccomp, code execution in mruby doesn’t lead anywhere, so it makes sense for Shpoify to reduce the bounty at 10% of its original price (And that’s still a generous amount for useless bugs). I’m glad to be one of the early participant of the bounty, there was a lot of low hanging fruit to exploit :)

                                          1. 3

                                            I think this kind of stories will appear more and more often as time goes by and wasm is becoming more and more accessible.

                                            1. 2

                                              Yeah. Having seen this all before (we called it JavaScript then), is it worth posting them?

                                              1. 6

                                                I think the author left a lot of details in the README about the process he went through that made it quite interesting. This is much more involved than just CC=emscripten make.

                                            1. 3

                                              Do you by any chance have a MOBI (Or even EPUB) format? Would be nicer to read it from an e-reader.

                                              1. 1
                                                1. 1

                                                  Awesome, thanks!

                                                2. 1

                                                  Unfortunately not! I just can’t seem to find a way to properly generate it from markdown, including the code samples with the nice syntax highlighting. I probably didn’t try enough, I’m sure there’s a simple way out there.

                                                  1. 4

                                                    pandoc can do this, but it’s not especially simple.

                                                    1. 2

                                                      Thanks, will check it out :)

                                                      1. 1

                                                        That would be awesome

                                                      2. 1

                                                        Why shouldn’t it be simple? Shouldn’t pandoc input1.md input2.md ... final.md -t epub3 -o book.epub. More epub options are listed in the man page, such as for specifying custom fonts, stylesheets and cover images.

                                                        Then, producing a mobi file is trivial using kindlegen or calibre.

                                                        1. 1

                                                          It’s not simple because about six seconds later I want to start tinkering with the code highlighting and maybe bump up that one margin and should that footnote have a slightly different font and…

                                                          1. 1

                                                            If you can edit .zip files and save it’s internal files, it’s quite simple to play around with the embedded stylesheet, since it’s just regular CSS.

                                                            But one should also say that Ebooks shouldn’t be overcustomized, IMO, but kept simple for the sake of compatibility and an ease of reading.

                                                      3. 3

                                                        I can help you with this if you upload the book source on github, i have a template for generating epub from markdown here if you are interested.

                                                    1. 1

                                                      I use Linux for pretty much everything, but one of my last job required Windows for development. My setup end up being Cygwin to replicate pretty much my entire Linux environment, sharing mostly the same dotfiles. With Cygwin you can install X11 and then use your favorite Linux terminal (I did use urxvt without any issue). Then you can use Vim, tmux, ssh, irssi just as you would on Linux. I did run into a few crash every now and then due to forking not always working on Windows, but otherwise I was able to live in my terminals the exact same way I was on Linux.

                                                      1. 1

                                                        Anyone took the course yet? Is it worth the time investment?

                                                        1. 1

                                                          I think you should definitely have a look! Just a reminder that the course is aimed for non technical people so do not expect too many deep dives. More a generalist’s view to enable fact based discussion around the hype of AI. We tried our best in creating the course and value all feedback!

                                                          1. 7

                                                            Massive kudos to this guy for not putting up with this SJW madness. I wish him all the best!

                                                            We at suckless are heavily opposed to code of conducts and discriminatory organizations of any shape or form.

                                                            1. 11

                                                              Suckless takes a similarly principled stand against runtime config files.

                                                              1. 8

                                                                How does suckless oppose discrimination?

                                                                1. 13

                                                                  It’s very simple. Any non-technological matters during software development move the software away from its ideal form. Thus, to make your software suck less, you only take the best developers no matter what race, gender, heritage, etc. these persons have.

                                                                  We do not believe in equal status (i.e. e.g. forcibly obtaining a 50/50 gender ratio), as this immediately leads to discrimination. We do however strongly believe in equal rights, naturally. You also naturally cannot have both.

                                                                  1. 94

                                                                    Any non-technological matters during software development move the software away from its ideal form.

                                                                    Suckless makes a window manager: a part of a computer that human beings, with all their rich and varying abilities and perspectives, interact with constantly. Your choices of defaults and customization options have direct impact on those humans.

                                                                    For example, color schemes determine whether color-blind people are able to quickly scan active vs inactive options and understand information hierarchy. Font sizes and contrast ratios can make the interface readable, difficult, or completely unusable for visually impaired people. The sizes of click targets, double-click timeouts, and drag thresholds impact usability for those with motor difficulties. Default choices of interface, configuration, and documentation language embed the project in a particular English-speaking context, and the extent to which your team supports internationalization can limit, or expand, your user base.

                                                                    With limited time and resources, you will have to make tradeoffs in your code, documentation, and community about which people your software is supportive and hostile towards. These are inherently political decisions which cannot be avoided. This is not to say that your particular choices are wrong. It’s just you are already engaged in “non-technical”, political work, because you, like everyone else here, are making a tool for human beings. The choice to minimize the thought you put into those decisions does not erase the decisions themselves.

                                                                    At the community development level, your intentional and forced choices around language, schedule, pronouns, and even technical terminology can make contributors from varying backgrounds feel welcome or unwelcome, or render the community inaccessible entirely. These too are political choices. Your post above is one of them.

                                                                    There is, unfortunately, no such thing as a truly neutral stance on inclusion. Consider: you wish to take only the best developers, and yet your post has already discouraged good engineers from working on your project. Doubtless it has encouraged other engineers (who may be quite skilled!) with a similar political view to your own; those who believe, for instance, that current minority representation in tech is justified, representing the best engineers available, and that efforts to change those ratios are inherently discriminatory and unjust.

                                                                    Policies have impact. Consider yours.

                                                                    1. 7

                                                                      I don’t know if that was your goal, but this is one of the best arguments for positive discrimination I’ve read. Thanks for posting it, and also thanks for noting that all decisions have some inherent politics whether we like it or not.

                                                                      Unfortunately there is simply no solution: positive discrimination is opposed to meritocracy. Forced ratios are definitely an unethical tool, as they are a form of discrimination. However, this unethical tool brings us to a greater good, which is a final product that incorporates diversity on its design and accommodates more users, which is a desirable goal on itself, for the reasons you explained.

                                                                      1. 4

                                                                        color schemes determine whether color-blind people are able to quickly scan active vs inactive options and understand information hierarchy. Font sizes and contrast ratios can make the interface readable, difficult, or completely unusable for visually impaired people. The sizes of click targets, double-click timeouts, and drag thresholds

                                                                        Let me see if I understand what you’re saying. Are you claiming that when color schemes, font sizes and drag thresholds are chosen that that is a political decision? I think that many people would find that quite a remarkable claim.

                                                                        1. 3

                                                                          It’s impossible to not be political. You can be “the status quo is great and I don’t want to discuss it”, but that’s political. The open source “movement” started off political - with a strong point of view on how software economics should be changed. In particular, if you say a CoC that bans people from being abusive is unacceptable, you are making a political statement and a moral statement.

                                                                          1. 3

                                                                            It’s impossible to not be political

                                                                            Could I ask you to clarify in what sense you are using the word “political”?

                                                                            Merriam-Webster (for example) suggests several different meanings that capture ranges of activity of quite different sizes. For example, I’m sure it’s possible to act in a way which does not impinge upon “the art or science of government” but perhaps every (public) action impinges upon “the total complex of relations between people living in society”.

                                                                            In what sense did you use that term?

                                                                            1. 4

                                                                              Let’s start off with a note about honesty. FRIGN begins by telling us “We do not believe in equal status (i.e. e.g. forcibly obtaining a 50/50 gender ratio)” as if someone was proposing the use of force to produce a 50/50 gender ratio - and we all know that wasn’t proposed by anyone. There’s no way to discuss this properly if people are going to raise false issues like that. What comment’s like FRIGN’s indicate is an unwillingness to have an open and honest conversation. The same bogus rhetoric is at the heart of Damore’s memo: he claims to be in favor of equal rights and just against mythical demand for 50/50 gender equality so that he can oppose obviously ineffective affirmative action programs at Google where 80% of technical staff are male (Damore’s misappropriation of science is similarly based on an objection to a position that nobody ever argued.).

                                                                              The next point is that some people are objecting that a CoC and a minority outreach program are “political”. That’s true, but it involves the use of the more general meaning of “political” which the Collins dictionary provides as “the complex or aggregate of relationships of people in society, esp those relationships involving authority or power”. If we are using that definition, of course a CoC and a minority outreach program are political, but opposition to a CoC and a minority outreach program fits the definition as well. If you have an opinion one way or another, your opinion is political. You can’t sensibly use this wide definition of political to label the effort to adopt a CoC and to recruit more minorities and then turn around and claim your opposition to those is somehow not political. So that’s what I mean by “it is impossible to not be political”. The question is a political question and those who try to claim the high ground of being objective, disinterested, non-political for their side of the question are not being straightforward (perhaps it’s just that they are not being straightforward with themselves).

                                                                              1. 3

                                                                                I agree that a CoC, a minority outreach program, and opposition to a CoC all impinge upon “the complex or aggregate of relationships of people in society, esp those relationships involving authority or power”.

                                                                                Would you also agree that there is a popular ideological political movement in favour of CoCs (some combination of the feminist, civil rights and social justice movements)? Perhaps there is also a popular ideological movement against CoCs (some combination of MRAs and the alt right). Are you also claiming that if one claims a “neutral” stance on CoCs one is de facto supporting one of these ideologies?

                                                                                1. 3

                                                                                  I’m not sure it is possible to have a neutral stance. In fact, I doubt it.

                                                                                  1. 1

                                                                                    Interesting! Do you also doubt it is possible to take any action that is neutral with regard to a political ideology?

                                                                                    1. 3

                                                                                      You are introducing something different. I don’t think you have to line up with one “side” or another, but you can’t avoid being a participant.

                                                                                      1. 1

                                                                                        You said “It’s impossible to not be political” so I’m trying to understand what you mean by that. So far I’m not clear whether you think every action is political. I’d appreciate it if you’d clarify your position.

                                                                                        1. 2

                                                                                          I’m making a very concrete assertion, which I sense does not fit into your schema. My assertion is that there is no neutrality on workplace equality and inclusion for anyone involved in the workplace. Anyone who, for example, participates in an open source development effort has a position on whether efforts should be made to make it more inclusive even if that position is “this is not important enough for me to express an opinion.”

                                                                                          1. 1

                                                                                            Thank you for clarifying. When you originally said “It’s impossible to not be political” I got the wrong impression.

                                                                                            Do you also hold the same point of view when it comes to roughly comparable statements in other spheres? For example ‘Anyone who eats has a position on vegetarianism even if that position is “this is not important enough for me to express an opinion.”’?

                                                                        2. 1

                                                                          You’ve been quoted by LWN: https://lwn.net/Articles/753709/

                                                                        3. 11

                                                                          AKA shut up and hack? :)

                                                                          1. 1

                                                                            The suckless development process has no non-technical discussions?

                                                                            How are the best developers identified?

                                                                            1. 8

                                                                              just curious, why would you need to identify the best developers? Wouldn’t the quality of their code speak for that?

                                                                              1. 5

                                                                                I also fail to see what the reasoning is. Just send your code, get the non technical discussions out.

                                                                                1. -1

                                                                                  Apparently, quoting @FRIGN from above, “to make your software suck less.”

                                                                                2. 8

                                                                                  How are the best developers identified?

                                                                                  I think this is a totally reasonable question, and one I’d like to see the answer too–if for no other reason than it might help those of us on other projects find more objective metrics to help track progress with.

                                                                                  Do you all at suckless use something like:

                                                                                  • defect rate
                                                                                  • lines of code/feature shipped
                                                                                  • execution time
                                                                                  • space in memory, space in storage

                                                                                  Like, what metrics do you use?

                                                                                  1. 7

                                                                                    You know, suckless is not a big company and the metrics that can be applied are more of a heuristic. A good developer is somebody who e.g. supplies a patch with a bug report, provides feedback to commits, makes contributions to the projects, thinks his commits through and doesn’t break stuff too often and does not personally identify with their code (i.e. is not butthurt when it’s not merged).

                                                                                    What needs to be stressed here is that the metric “lines of code” is completely off. There are horrible programmers who spit out lots of code and excellent ones who over time drop more lines than they add. Especially the latter group is very present among us and thus the LOC-metric will only give false results. Same with execution time, you find that when not enough time is spent on a problem you end up solving it wrong, in the worst case having to start all over.

                                                                              2. 5

                                                                                By being very diverse and doing fackelmärsche of course. https://suckless.org/conferences/2017/

                                                                                1. 3

                                                                                  @FRIGN What’s the purpose of this “torchlight hike” in the context of producing code that sucks less? Don’t you see that the activities you choose to have during your conferences are a cultural stance, and because of that, can be perceived as exclusive by programmers that don’t recognize themselves in these activities?

                                                                                  1. 0

                                                                                    I get your point, but must honestly say that your argument sadly aligns with the ever-excluding and self-segregating destructful nature of cultural marxism. By eating food together at the conferences, do we exclude anorexics that might otherwise be willing to attend such a conference? I don’t drink any alcohol and never have. Still, it was not a problem when we went to a local Braukeller and some people drank alcohol and others like myself didn’t.

                                                                                    The fundamental point I think is that one can never fully and analytically claim that a certain process is completely unaffected by something else. If we dive down into these details we would then move on and say that the different choice of clothings, hairstyle, means of travel and means of accomodation all affect the coding process at suckless. This can be taken further and further with no limit, as we all know about the butterfly effect. At some point it is just not measurable any more.

                                                                                    If you ask me, this is a gross overstretching of what I said. There are quite a lot of people who do not attend the conferences but still work together with us on projects during that time. What really matters is that we e.g. do not ignore patches from these people or give them less relevance than those of others. To pick the example up: The torchlight hike did not affect any coding decision in a direct way, but it really bonded the team further together and was a very nice memory of this conference that I and the others are very fond of from what I’ve heard. On top of that, during the hike we were able to philosophize about some new projects of which some have become a reality. The net-gain of this event thus was positive.

                                                                                    In classical philosophy, there are two main trains of thought when it comes to evaluating actions: Deontology and Teleology. Deontology measures the action itself and its ethical value, completely ignoring the higher goal in the process. Teleology is the opposite, evaluating actions only by their means to reach a goal, completely ignoring the value of the action itself. The best approach obviously should be inbetween. However, there is a much more important lesson that can be taken from here: When evaluating a decision, one needs to realize what they are measuring and what is unimportant for a decision. What I meant is that to reach the goal of software perfection, the gender and other factors of the submitters do not matter. So even though we here at suckless have a goal, we are not teleologists, as we just ignore the factors that do not matter for coding.

                                                                                    It is an ethical question which norms you apply to a decision.

                                                                                    If we look at organizations like Outreachy, one might be mistaken to think that they are deontologists, striving to improve processes. However, after closer inspection it becomes clear that this is not the case and they are actually working towards a certain goal, increasing the number of trans and minority people in such communities. No matter how you think about this goal, it makes one thing clear: When you are working towards such a goal and also do not ignore irrelevant factors in your norms (and they in fact do by not ignoring e.g. race and gender), you quickly end up discriminating against people.

                                                                                    I hope this clears this up a bit, but as a short sentence, what can be taken from here is: When discussing ethical matters, it’s always important to make clear which norms are applied.

                                                                                    1. 2

                                                                                      fackelmärsche

                                                                                      I’m not going to wade into anything else on this, but I’d like to just take a second and let you know that, while you may not mean it in this way the phrase “cultural marxism” is very, very often used as a stand in for “jews”. Some links for the record:

                                                                                      https://www.splcenter.org/fighting-hate/intelligence-report/2003/cultural-marxism-catching

                                                                                      https://newrepublic.com/article/144317/trumps-racism-myth-cultural-marxism https://www.smh.com.au/world/cultural-marxism--the-ultimate-postfactual-dog-whistle-20171102-gzd7lq.html

                                                                                      1. 3

                                                                                        It’s not my fault that some idiots don’t understand this term or it’s critical analysis. Cultural marxism, as the term implies, is the classical theory of marxism applied to culture. It has nothing to do with jews directly, it’s just an idea. If you know any better term to describe it, please let me know.

                                                                                        Anyway, in the philosophical realms it’s known as ‘Critical Theory’, which originated in the Frankfurt School. However, nobody knows this term.

                                                                                        Unless a better term is found, I disregard your argument and won’t accept your attempt to limit language of perfectly acceptable words to describe an idea. At the end of the day, terminology must be found that adequately describes what a certain idea is, and I see no reason why this should be wrong.

                                                                                        Regarding the torch hike: Yes, marching with torches was abused by the NSDAP as a means of political rallying. However, at least in Germany, it is a much older and deeper-reaching tradition that dates back hundreds of years.

                                                                                        1. 0

                                                                                          You have amply demonstrated that you don’t know anything about the topic. You could start with the decent Wikipedia article. https://en.wikipedia.org/wiki/Frankfurt_School

                                                                                        2. 2

                                                                                          wow, uh, kind of a weird red flag that pointing this out is getting seriously downvoted. I picked these links pretty quickly, and anybody who comes behind and reads this and wonders how serious this is, do yourself a favor and image search and see how many memes have the star of david, greedy merchant, world strangling octopus or any of a number of openly anti-semitic imagery. Its not hidden, its not coy. If you’re tossing “cultural marxism” around you’re either willfully ignoring this or blatantly playing along. Its not a thing in the world. There are no leftists (at all) who call themselves “cultural marxists”, and in fact there is a sizeable faction of marxists who are openly disdainful of any marxism that eschews political struggle. The new republic article linked above goes into this, Perry Andersons “Considerations on Western Marxism”, a well known, well regarded text across a number of marxist subsects, is explicitly based on this. Anyway, enjoy contributing to a climate of increasing hostility toward jews. good stuff.

                                                                                          edit: have some fun with this https://www.google.com/search?q=cultural+marxism&client=firefox-b&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjz2tWrhvnaAhUJ7YMKHVgcCccQ_AUIDCgD&biw=1247&bih=510#imgrc=_

                                                                                          1. 1

                                                                                            The term ‘Cultural Marxism’ describes very well what it is, and not all leftists are cultural marxists. The classical theory of marxism, roughly spoken, is to think of society as being split in two camps, the Proletariat and the Bourgeoisie, eternally involved in a struggle, where the former is discriminated against and oppresed by the latter.

                                                                                            Cultural Marxism applies these ideas to society. In the Frankfurt School it was called ‘Critical Theory’, calling people out to question everything that was deemed a cultural norm. What is essentially lead to was to find oppressors and oppressed, and we reached the point where e.g. the patriarchy oppressed against women, white people against minorities, christians against muslims and other religions and so forth. You get the idea. Before you go again rallying about how I target jews or something please take a note that up to this point in this comment, I have just described what cultural marxism is and have not evaluated or criticized it in any way, because this here is the wrong platform for that.

                                                                                            What you should keep in mind is that the nature of cultural marxism is to never be in a stable position. There will always be the hunt for the next oppressor and oppressed, which in the long run will destroy this entire movement from the inside. It was a friendly advice from my side to you not to endulge in this separatory logic, but of course I understand your reasoning to the fullest.

                                                                                            Just as a side note: I did not see you getting ‘seriously’ downvoted. What do you mean?

                                                                                            1. 2

                                                                                              It’s uncommon to find such a well-put explanation; thanks for that.

                                                                                              There will always be the hunt for the next oppressor and oppressed, which in the long run will destroy this entire movement from the inside.

                                                                                              If the movement runs out of good targets (and falls apart because they can’t agree on new ones), wouldn’t that imply that it will self-destruct only after it succeeds in its goals? That doesn’t sound like a bad thing.

                                                                                              1. 1

                                                                                                I’m glad you liked my explanation. :)

                                                                                                That is a very interesting idea, thanks for bringing this thought up! It’s a matter dependent on many different factors, I suppose. It might fall apart due to not being able to agree on new targets or when everybody has become a target, but it is a very theoretical question which one of these outcomes applies here.

                                                                                              2. 1

                                                                                                Did you actually read any of the links I posted? Specifically the New Republic and SPLC links? I don’t know how else to say this and you pretty much side stepped what I said the first time so I’ll try to reiterate it: There is no such thing as “Cultural Marxism”. At all. Its not a descriptive category that any marxist actually self applies or applies to other marxists. I’m fully aware of the Frankfurt School, Adorno, Horkheimer, etc. I’ve read some of them and many, many of their contemporaries from Germany, people like Karl Mannheim. I read marxist publications everyday, from here in the states and from Europe. I’m a member of an explicitly marxist political party here in the states. I can’t emphasize this enough, “cultural marxism” isn’t real and is roughly on par with “FEMA camps”, “HARRP rays” and shape shifting lizard jews, meaning; its a far far right wing paranoid fantasy used to wall off people from other people and an actual understanding of the material conditions of their world. I also didn’t say, specifically in fact pointing out that I wasn’t saying this, that you were “targeting jews”. That being said, if you use a phrase that has its origins in anti-semitic polemics, is used explicitly and over-whelmingly by anti-semites, than that is on you. (Did you take a look at the linked image search? Does that sort of thing not give you pause?) To say that you “just described what cultural marxism is” is also inaccurate, you absolutely used it in a descriptive way

                                                                                                I get your point, but must honestly say that your argument sadly aligns with the ever-excluding and self->segregating destructful nature of cultural marxism.

                                                                                                White supremacist organizing is experiencing an enormous upsurge, not only here in the states but in Europe as well. From Le Pen to AfD to SVO in Austria and on and on. These people are not interested in polite conversation and they’re not using “cultural marxism” as a category to illuminate political opponents, its meant to denigrate and isolate, ironically given thats exactly what Neo Nazis and white supremacists here in the states accuse left wingers and “SJWs” of doing.

                                                                                                I appreciate that you’re discussing this peacefully but I’m going to bow out of this thread unless you’re interested enough to take some time and read the links

                                                                                                FWIW these also dismantle the trope and point out pretty much exactly what I’m saying around anti-semitism: https://www.vice.com/en_us/article/78mnny/unwrapping-the-conspiracy-theory-that-drives-the-alt-right https://www.theguardian.com/commentisfree/2016/feb/22/chris-uhlmann-should-mind-his-language-on-cultural-marxism

                                                                                                1. 2

                                                                                                  I took some more time to read it up and from what I could see, I found that indeed cultural marxism has become more of a political slogan rather than a normal theoretical term in the USA.

                                                                                                  Here in Germany the term “Kulturmarxismus” is much less politically charged from what I can see and thus I was surprised to get this response after I just had “translated” this term into English. It might be a lesson to first get some background on how this might be perceived internationally, however, it is a gigantic task for every term that might come around to you.

                                                                                                  So to reiterate my question, what term could be better used instead? :)

                                                                                                  1. 1

                                                                                                    interesting that it has a different grounding/connotation in Germany, but then again I’m not surprised since thats where its supposed to have originated from. I’ll reread your other posts and come up with a response thats fair. Thanks for taking the time to read those links.

                                                                                                2. 1

                                                                                                  Generally people who use “cultural marxism” as a pejorative are sloganeering. The idea of an “eternal struggle” is completely foreign to any kind of marxism which is based on a theory that classes come out of the historical process and disappear due the historical process. Marxism claims that the proletariat and bourgeosie are temporary divisions that arise from a certain type of economic organization. Whatever one thinks of that idea, your characterization of Marxism is like describing baseball as a game involving pucks and ice. Your summary of “cultural marxism” is even worse. Maybe take a class or read a decent book.

                                                                                    2. 17

                                                                                      I’m not going to remove this because you’re making a public statement for suckless, but please don’t characterize positions you disagree with as madness. That kind of hyperbole generally just leads to unproductive fights.

                                                                                      1. 9

                                                                                        Please don’t remove anything unless it’s particularly vulgar…

                                                                                        1. [Comment removed by author]

                                                                                          1. 3

                                                                                            hey that’s my account you’re talking about!

                                                                                        2. -1

                                                                                          Removing differing viewpoints? It is precisely this kind of behavior that maddens people who complain about SJW, who (the SJW) seem unable to take any discussion beyond calling their opponent’s position “evil”, “alt-right”, “neo-nazi”, or, if they are exceptionally well-spoken, “mad”.

                                                                                          1. 14

                                                                                            No, removing abuse and hyperbole that acts as flamebait regardless of the political opinions expressed. So far I’ve removed one post and hope not to remove more.

                                                                                            1. 2

                                                                                              It’s hard for me to see a reason to remove things when we have the voting system in place, neither are perfect but one is at your sole discretion whereas the other is the aggregate opinion of the users.

                                                                                              1. 21

                                                                                                Voting isn’t a replacement of moderation. It helps highlight and reward good comments and it can punish bad comments, but it’s not sufficient for running a community. I’m trying to head off places where people give up on argument and just try to hurt or tar the people they disagree with because it doesn’t lead to a good community. Lobsters is a very good place for discussing computing and I haven’t seen that in communities this size with hands-off moderation (but I’d love counter-examples to learn from!) From a quick query, we’ve had comments from 727 unique users in the last 30 days and there’s around 15k unique IPs in the logs per weekday, so people are constantly interacting with the others who don’t know their background, don’t share history, can’t recognize in-jokes, simply don’t have reason to trust when messages are ambiguous, let alone provocative. Friendly teasing like “ah yeah, you would think that” or “lol php sucks” that’s rewarding bonding in a small, familiar group hurts in a big one because even if the recipient gets the joke and laughs along or brushes it off as harmless, it’s read by thousands of people who don’t or can’t.

                                                                                                1. 2

                                                                                                  Lobsters is a very good place for discussing computing and I haven’t seen that in communities this size with hands-off moderation

                                                                                                  I support your position on sub-topic but even my Trial you linked to shows a bit otherwise on just this point. This site has more flexible, hands-off moderation than many I’ve seen with this much political dispute. Even in that link, we saw an amount of honest, civility, and compromise I don’t usually see. There’s been quite a bit better results in this thread than usual elsewhere. There seems to be enough community closeness despite our size that people are recognizing each others positions a bit. Instead of comments, you can actually see it by what’s not said more since it’s prior ground we’ve covered. The others are learning as discussion furthers. Then, there’s the stuff we don’t want which seems to be basically what those individuals are intending in a way that has nothing to do with site’s size.

                                                                                                  So, I support you getting rid of just pure abuse, trolling, sockpuppeting, etc. I don’t think we’ve hit the full weaknesses and limited vision of large sites yet despite our increase in comments and views. We’re still doing a lot better than average. We’re still doing it with minimal intervention on things like politics relative to what I’ve seen elsewhere. I think we can keep at current moderation strategy for now because of that. For now.

                                                                                                  Just wanted to say that in the middle of all this.

                                                                                                  1. 0

                                                                                                    Voting isn’t a replacement of moderation. It helps highlight and reward good comments and it can punish bad comments, but it’s not sufficient for running a community.

                                                                                                    I’m not sure if I see why it’s not a good replacement. To me, I see voting as distributed moderation and the “real” moderation is automatically hiding (not removing) comments when they fall below a threshold.

                                                                                                    I’m trying to head off places where people give up on argument and just try to hurt or tar the people they disagree with because it doesn’t lead to a good community.

                                                                                                    I think this method relies on an accurate crystal ball where you can foresee people’s actions and to an extent, the reactions of the people reading the comments.

                                                                                                    I’d have to question what you mean by “a good community”, it seems like it’s just a place where everyone agrees with what you agree with and those that disagree aren’t heard because it risks offending those that do agree.

                                                                                                    I think the best discussions on here are because we have many people with wide and varied opinions and backgrounds. The good comes from understanding what someone else is saying, not excluding them from the discussion. The only places I see that warranted is where someone has said something purposely and undeniably vile.

                                                                                                    1. 8

                                                                                                      The automatic hiding of low-scoring comments is also a “sole discretion” thing; jcs added it and I tweaked it a few months ago. The codebase enforces a lot of one moderator’s ideas of what’s good for a community in a hands-off way and the desire to do that motivated its creation.

                                                                                                      I strongly agree that a community where everyone agrees with the moderator would be bad one, even if I am that moderator. It’s tremendously rewarding to understand why other people see things differently, if for no other reason than the selfish reason that one can’t correct learn or correct mistakes if one never sees things one doesn’t already agree with.

                                                                                                      I think the crystal ball for foreseeing problems is experience, from many years of reading and participating in communities as they thrive or fail. I think it’s possible to recognize and intervene earlier than the really vile stuff because I’ve seen it work and I’ve seen its absence fail. I keep asking for examples of excellent large communities without active moderators because I haven’t seen those, and after a couple decades and a few hundred communities I see the anthropic principle at work: they don’t exist because they self-destruct, sink into constant vileness, or add moderation. At best they have maintain with signal-to-noise ratios far below that of Lobsters where the thoughtful commentary is crowded out by trolling, running jokes, ignorance, and plan low-quality comments because it doesn’t seem worth anyone’s while to care when posting.

                                                                                                      But moderation is not a panacea in and of itself. Without good experience, judgment, and temper a bad moderator swiftly destroys a community, and this is a very common way communities fail. If it helps any, the author of the comment I removed agrees that it wasn’t done to suppress their opinion.

                                                                                                      1. 1

                                                                                                        The benefit I see from moderation being part of the codebase is that it’s public, predictable and repeatable (it terms of reliability). When you take moderation decisions into your own discretion many of these virtues are lost.

                                                                                                        As for experience, I think that’s tricky because it can easily lead you to making the same mistake twice. It’s also made of your personal experiences and you’re using that to curate the discussion of other people, I would caution that it’s another method of controlling dialog (perhaps subconsciously) to what you find acceptable, not necessarily what’s best for everyone.

                                                                                                        1. 3

                                                                                                          The benefit I see from moderation being part of the codebase is that it’s public, predictable and repeatable (it terms of reliability). When you take moderation decisions into your own discretion many of these virtues are lost.

                                                                                                          Most of them go into the Moderation Log. I’ve been watching it since the jcs days since it’s what folks are supposed to do in a transparent, accountable system. Gotta put effort in. I haven’t seen much of anything that bothered me. The bans and deletes I’ve been able to follow @pushcx doing were trolling, alleged sockpuppeting, and vicious flamewaring. Some I couldn’t see where I’d rather the resource go off the front page rather getting deleted so someone looking at logs could see it for whatever it was. Nonetheless, his actions in the thread about me, the general admining, and what I’ve seen in moderation have been mostly good. A few really good like highlighting the best examples of good character on the site. I think he’s the only one I’ve seen do that on a forum in a while.

                                                                                                          You have little to worry about with him in my opinion at the moment. Do keep an eye on the comments and log if you’re concerned. Scrape them into version storage if concerned about deletions. What goes on here is pretty public. Relax or worry as much as you want. I’m more relaxed than worried. :)

                                                                                                          1. 3

                                                                                                            Yeah, I agree on the pitfalls of experience. As SeanTAllen noted in a separate branch of this thread a minute ago, there’s “but you didn’t say” and other wiggle room; I think that’s where automatic moderation falls down and human judgment is required. Voting has its own downsides like fads, groupthink, using them to disagree (which is all over this thread), in-jokes, a drifting definition of topicality, all the parallels to the behaviors of political rhetoric, etc. Lobsters has never been voting only and I don’t see a compelling reason to change that. jcs’s involvement in the site was steadily declining so I’m certainly more actively moderating, but I don’t see that as a change in character. I guess what it comes down to is that I agree with you about what successful communities do and don’t look like, but I haven’t seen one that works on the model you’ve outlined and I don’t see that kind of fundamental change as a risk worth taking.

                                                                                                2. 1

                                                                                                  So FRIGN writes to oppose “SWJ madness”, and you chime in to complain that “SWJ” calls opponents “mad”. Are you calling FRIGN “SWJ” or what? It’s kind of hard to discern your point in that cloud of grievance.

                                                                                                  1. 1

                                                                                                    “SJW” for “social justice warrior.”

                                                                                                    @COCK is sarcastically non-replying because you typo’ed.

                                                                                                    1. 2

                                                                                                      Not exactly, I was sarcastically non-replying because I assumed he was intentionally misunderstanding me. I assumed this because I didn’t see any ambiguity in my answer. On later inspection I noticed the ambiguity so I gave an actual reply:

                                                                                                      https://lobste.rs/s/nf3xgg/i_am_leaving_llvm#c_yzwuux

                                                                                                      1. 1

                                                                                                        The interesting thing is how people agreeing with Mr. cock pile on the insults against the people who they complain are insulting them by forcing them to sign on to codes of conduct which prohibit insults. It’s almost as if there was a good reason for those codes.

                                                                                                        1. 1

                                                                                                          I doubt the irony is lost on anyone supporting a CoC.

                                                                                                      2. -1

                                                                                                        Yes, I’m calling FRIGN a “SWJ”.

                                                                                                        1. -1

                                                                                                          Yes, well, one sympathizes with your plight.

                                                                                                          1. 2

                                                                                                            Ah now I see the ambiguity: “people who complain about SJW, who…” the “who” referred to the “SJW”, not the “people”

                                                                                                      3. 1

                                                                                                        The only comment that was removed was against FRIGN point of view. Nobody is removing differing point of view, just enforcing civil discussion.

                                                                                                    2. [Comment removed by author]

                                                                                                      1. 4

                                                                                                        “We at suckless are heavily opposed to code of conducts and discriminatory organizations of any shape or form.”

                                                                                                      2. 4

                                                                                                        It’s responses like yours that really make the case for codes of conduct.

                                                                                                        1. 2

                                                                                                          Are you speaking for the group or is that your own opinion? Knowing that the group aligns itself with that position would certainly make me not interested in working with it or contributing.

                                                                                                          1. 6

                                                                                                            To be fair, suckless is not well-organised enough to be a group that can have a single opinion to be spoken for.

                                                                                                            That said, FRIGN is a prominent contributor and I from what I’ve seen most contributors are heavily on the side of “the code will speak for itself”.

                                                                                                        1. 4

                                                                                                          Web GUI technology has completely surpassed the desktop GUI technology.

                                                                                                          Back in the day web stuff was so basic that a desktop GUI was nicer and an upgrade, now that has reversed.

                                                                                                          1. 10

                                                                                                            I agree to some extent, except that Electron apps (and some web apps) are all but unusable on low-end/older hardware. Many (but not all) are severely lacking in keyboard control and other things that one might expect, too. Every Electron app seems to be oblivious to multilingual users and underlines every word, despite me switching input methods.

                                                                                                            1. 2

                                                                                                              I’d like a HTML-based GUI that doesn’t embed a full renderer like Electron does – something that maps HTML onto native controls (including accessibility stuff) could be really neat.

                                                                                                              1. 1

                                                                                                                Isn’t that what React Native is? Maybe that’ll be the hot new thing instead of Electron; would prolly be an upgrade.

                                                                                                                Edit: whoops, it’s iOS and Android only.

                                                                                                                1. 1

                                                                                                                  React Native is just running your app as JS and communicating to a native set of widgets and layout, which need to be implemented per platform. If desktop support were something FB had as a priority it’d be a good option for a lot of people, but… it’s not.

                                                                                                            2. 9

                                                                                                              Couldn’t disagree more, and the reason is accessibility. it’s super trivial for desktop app developers to add keyboard shortcuts and other accessibility aids to their apps. Web developers, despite the fact that these standards like ARIA exist, seem unwilling to adopt them in any sizable number.

                                                                                                              We can have this conversation again when the Hello World app produced by your average Java framework is Aria accessible, has keyboard shortcuts for everything, and works properly with screen readers.

                                                                                                              1. 4

                                                                                                                If the developer doesn’t care it doesn’t matter if it’s a desktop app or a web app. They wont do it either way.

                                                                                                                The difficulty of adding keyboard shortcuts or adding accessibility tags is not dramatically different and quite easy for web apps too.

                                                                                                              2. 3

                                                                                                                As bad as GUI toolkits are, web tech is a lot more awkward to make GUIs with than any major cross-platform toolkit, simply because it’s a hack to draw anything with the DOM. (You’re literally live-editing the AST of a rich text document. It’s amazing that it works at all.)

                                                                                                                1. 1

                                                                                                                  Your sole argument about DOM being a hack and akward is it being live-editing an AST? If anything, this might be a pro of the DOM API… I don’t see how a technology widely used, having API clearly defined for those use cases and supported by modern and old browsers can be called a hack and akwards. Meanwhile you have your average GUI toolkit that still ask you to design your AST in the code, put the styling right beside the event handling and often introduce first how to put a button a X,Y because using container and layout is akward and complicated.

                                                                                                                  1. 1

                                                                                                                    A regular GUI toolkit doesn’t involve manipulating the AST of a markup language. It involves manipulating containers that map conceptually to layout, using already-implemented widgets. There’s an event handling system designed to efficiently handle widget-specific mappings, focus changes, and other common situations, as well as having sane defaults (versus having an event system that needed to be tacked on ten years after the other features were written).

                                                                                                                    The act of spawning a widget in a web app is an ugly hack, simply because document markup structurally conflicts with GUI layout in ways that the web developer must bodge.

                                                                                                                    If any GUI toolkit requires you to jump through hoops to draw a dot on the screen, it’s broken. (By this standard, most popular GUI toolkits are also broken, but HTML is the most broken of all.)

                                                                                                                    1. 1

                                                                                                                      Yeah, regular GUI toolkit doesn’t involve AST and markup language, such as HTML, XAML, Android, QML, etc. In my opinion, working on a human readable and understandable AST might be the key of the web plateform GUI? Drawing anything is as simple as adding a node or subtree to my current tree. It’s as simple to do by hand than programmaticaly. If anything go wrong I have well made developpers tool to see and live edit this tree. Call it a hack all you want, I call it a successful low-level reprensentation to share the GUI state to the renderer, much better and powerfull than what you can do with Tcl or xlib (Although, much more heavy).

                                                                                                                      If any GUI toolkit requires you to jump through hoops to draw a dot on the screen, it’s broken. (By this standard, most popular GUI toolkits are also broken, but HTML is the most broken of all.)

                                                                                                                      There you go: <html><head></head><body>.</body></html>. By this test we can now assert that HTML is not broken (Or at least just as much as the others).

                                                                                                                      1. 2

                                                                                                                        You haven’t drawn a dot. You’ve typeset a period, and spent 40 characters doing it. And, typesetting text is what HTML is for, so it’s what it’s best at. If you actually want to ensure the period resembles a dot, set its x,y position, and set its color, you’ll need hundreds more characters.

                                                                                                                        In BASIC, you can just do pset(x, y, color)

                                                                                                                        In TK: canvas .c ; .c create point x y color ; pack .c

                                                                                                                        An AST only makes sense if you are actually parsing or generating a structured language. The structure of an HTML document doesn’t coincide with the structure of a PARC GUI (i.e., every major GUI app since 1977), and is an even worse match for the scope of all possible useful GUIs (most of which resemble neither paper nor forms). The reason is that HTML was only ever intended to display minimally-formatted rich text.

                                                                                                                        “Drawing something” is usually easier than manipulating the DOM. “Drawing something” is only trivial on the DOM when what you’re drawing is structured like a text document.

                                                                                                              1. 20

                                                                                                                The author doesn’t mention the popular GUI library that’s the best fit for his use case – TK. (I can’t blame him – TK has poor PR, since it’s marginally less consistent than larger and more unweildy toolkits like GTK and QT, while having many of the drawbacks of a plain X implementation.)

                                                                                                                That said, the fact that TK is the easiest way to go from zero to a simple GUI is frankly pretty embarassing. There’s no technical reason GUI toolkits can’t be structured better – only social reasons (like “nobody who knows how to do it cares enough”).

                                                                                                                1. 13

                                                                                                                  The problem is that TK still has terrible looking widgets. Just because UI fashion has moved away from consistent native look and feel doesn’t mean TK is passable.

                                                                                                                  1. 12

                                                                                                                    TTK mostly takes care of this, by creating a Look and Feel that matches up with the platform in question.

                                                                                                                    1. 3

                                                                                                                      TK ships with TTK, which provides native widget styles for every major platform. It has shipped that way for nine years.

                                                                                                                      1. 1

                                                                                                                        I was not aware of TTK, thank you! I tried out TK a few times and seeing how awful it looked made me leave it really quickly for other technologies.

                                                                                                                        1. 4

                                                                                                                          TTK has been around for a long time, and built into TK for a long time too. It’s a mystery to me why they don’t enable it by default. I discovered it six years after it got bundled!

                                                                                                                          1. 1

                                                                                                                            I tried to look into it a little bit today but it looks like there is pretty much only one getting started guide for it, written in python. Do you know any guides for it in other languages?

                                                                                                                            1. 2

                                                                                                                              Not really. It provides native-styled clones of existing widgets, so if it’s wrapped by your target language, all you should need to do is import it and either overwrite the definitions of your base widget-set or reference the ttk version instead (ex., by running ‘s/tk./ttk./g’ on your codebase).

                                                                                                                    2. 5

                                                                                                                      When he put out the JSON protocol, Tcl/Tk came right to mind. This is exactly how people do UI with Python and tkinter.

                                                                                                                      1. 3

                                                                                                                        Interesting — I have almost no experience with TK. I will look into it, thanks!

                                                                                                                        1. 3

                                                                                                                          TK is used by Mozart/Oz for the GUI, with a higher level library QTk on top of it. It works well and is easy to program with.

                                                                                                                      1. 1

                                                                                                                        Is there any way to specify the current project is using the wasm target so one could just use cargo build instead of relying on npm? I tried rustup override but I keep having an error about the wasm target not found, even though I just installed it on nightly.

                                                                                                                        1. 1

                                                                                                                          If you look at what npm run build-debug and npm run build-release are doing, you’ll see that it isn’t very magic:

                                                                                                                          cargo +nightly build --target wasm32-unknown-unknown && \
                                                                                                                              wasm-bindgen target/wasm32-unknown-unknown/debug/wasm_game_of_life.wasm --out-dir .
                                                                                                                          

                                                                                                                          So, yes, you can use cargo build to create the .wasm binary, you just have to supply the --target wasm32-unknown-unknown. However, to get the generated JavaScript API glue, you need to also run wasm-bindgen.

                                                                                                                          The npm run build-* commands just package them both up in one step for convenience.

                                                                                                                        1. 1

                                                                                                                          Does netflix even prefill the email input field when one click the update link? In the likely case it doesn’t I fail to see how a scam would even work, implying the user will just fill in its usual credentials and log in in its own account.

                                                                                                                          1. 4

                                                                                                                            chromium-browser is scrutinized closely enough that this would be noticed on ubuntu, right?

                                                                                                                            1. 5

                                                                                                                              The sandbox engine downloading and running ESET actually appears to be in Chromium: https://cs.chromium.org/chromium/src/chrome/browser/safe_browsing/chrome_cleaner/ so developpers are free to review it and remove any reference to it. If my memory serve me well, Chrome Cleaner is not special and should appear in chrome://components/ along other optional close source components, although I don’t have a windows machine to validate right now. It should (Or at least used to) be disabled for other build than Google Chrome.

                                                                                                                              1. 2

                                                                                                                                Thanks. It doesn’t appear in chrome://components for me, at any rate.

                                                                                                                                1. 1

                                                                                                                                  If I look at it on windows I can see the entry: Software Reporter Tool - Version: 27.147.200

                                                                                                                                  1. 1

                                                                                                                                    Excellent, a positive control.

                                                                                                                              2. 2

                                                                                                                                isra17’s reply implies there’s no scanner in Chromium, only Chrome. [I wrote this referring to his separate comment–now he has another reply here.] It probably wouldn’t make sense to have this on Linux anyway, just because there isn’t the same size of malware ecosystem there.

                                                                                                                                (And I think the reporting/story would be different if the scanner were open source–we’d have an analysis based on the source code, people working on patched Chromium to remove it, and so on.)

                                                                                                                                1. 1

                                                                                                                                  I’m curious about MacOS. I don’t run Chrome usually, but I have to in some cases, e.g. to use Google Meets for work.

                                                                                                                                  1. 2

                                                                                                                                    I don’t have an authoritative answer, but https://www.blog.google/products/chrome/cleaner-safer-web-chrome-cleanup/ only talks about Windows.

                                                                                                                                    1. 2

                                                                                                                                      I don’t see it in chrome://components on my Mac, if that is indeed where it is supposed to appear.

                                                                                                                                1. 18

                                                                                                                                  I actually used to work as a contractor on this project as a malware analyst. The cleaner was first developped by Google, but they moved to ESET after a while. For what it’s worth, the team are really privacy minded, and I can attest that it did made our job harder to track and possibly clean bad stuff. As a contractor I couldn’t even access any PII, including user report, since they could contains path with username, etc.

                                                                                                                                  For those that are asking why we can’t disable this, think about if you can disable it how unwanted software can do it just as easily. Not that malware can’t, but it’s much more involved to patch Chrome (And maintain the patches on all versions) than updating some settings file. It’s not as if you didn’t have alternative anyway, Chromium doesn’t have this component and Firefox is quite awesome.

                                                                                                                                  Anyway, if you have any question please feel free to ask! I’m not on this project anymore (Neither at Google), but I’ve been on the team since the beginning until the ESET transition and I’m still in touch with the team.

                                                                                                                                  1. 7

                                                                                                                                    I appreciate the details. The stuff on the team isnt comforting since it could change any time. Far as disabling it, that’s not a good argument given they could just offer a trusted tool that does this for the user. Not just for this but other risky stuff. They could even sell this. If anything, disabling it would reduce attack surface since anti-malware tools have been an attack vector in the past. It will also eliminate any negative impact on performance or watts.

                                                                                                                                    1. 4

                                                                                                                                      The stuff on the team isnt comforting since it could change any time.

                                                                                                                                      Also true for any service you use. I know it’s hard to believe, but Google is pretty strict about PII and what can be saved where for how long and seen by who and has an organisation overseeing all of this. There are processes in place governing each team at Google that requires team to document every PII they collect and the motivation behind this. In any case, detailed reports are sent only when users opt-in to send it.

                                                                                                                                      Far as disabling it, that’s not a good argument given they could just offer a trusted tool that does this for the user. Not just for this but other risky stuff. They could even sell this.

                                                                                                                                      Could you elaborate? I don’t seem understand what you want to convey here. Who are “they”, what “tool” and what “stuff” are talking about here?

                                                                                                                                      If anything, disabling it would reduce attack surface since anti-malware tools have been an attack vector in the past. It will also eliminate any negative impact on performance or watts.

                                                                                                                                      The scanner is sandboxed (open-source, part of chromium) and somewhat limited in what it can do. It’s not your usual anti-malware tools running from the kernel and featuring RCE as a service. It also think it was reviewed by that guy ;)

                                                                                                                                      Something to think about is the actual state of the internet for the broad public. While most of us here won’t benefits from this tool and at worse will find it annoying while it scans in the background, reality is that a very large portion of the internet users are currently infected by spyware and adware. While we are arguing about privacy issue due to Chrome reading some of you files on your disk (And not sending them anywhere), most people have their whole internet history tracked by shady adware corporation and are being shown ads tricking them into buying fraud application and calling fake tech support. And I’m not even talking about the fact most of those software have backdoor usable by any actors to run arbitrary payload. Want an easy botnet? Reverse some of those freeware “updaters”.

                                                                                                                                      Of course the Chrome Cleanup Tool doesn’t fix the root cause, but it could be argued that’s it’s better than nothing. And from Google point of view, there are benefits from it other than invade more of its user privacy. When Chrome is crashing due to an adware injecting its unstable DLL, guess who get the blame? I’ve even seen many report blaming Google about how Chrome is sending PII or rewriting ads when in fact it was adware being installed on user machine. It’s in Google interest to fix this issue before getting in the point where IE was with the toolbars hell.

                                                                                                                                      So in short, Chrome Cleanup Tool is not there to help you, it’s there for your not techsavy windows user that behave by clicking and running everything as admin it come across, and is now proxying his whole internet connection through some ad company server.

                                                                                                                                      1. 6

                                                                                                                                        Could you elaborate? I don’t seem understand what you want to convey here. Who are “they”, what “tool” and what “stuff” are talking about here?

                                                                                                                                        I don’t want my tools to do things they’re not advertised as doing. Chrome’s job isn’t to scan my files, so it should never do that without telling me.

                                                                                                                                        So in short, Chrome Cleanup Tool is not there to help you, it’s there for your not techsavy windows user that behave by clicking and running everything as admin it come across, and is now proxying his whole internet connection through some ad company server.

                                                                                                                                        I don’t want contractors that I hired to replace my siding to break into my house and secretly rewire my kitchen without telling me, no matter how faulty the wiring. I don’t want Chrome to suddenly take it upon itself to scan my data without my express consent.

                                                                                                                                        And now, Google has a list of files on their servers. Ones that a malicious employee can access, or which might be given in bulk to the NSA, should the NSA ask.

                                                                                                                                        It’s not just annoying. It’s a breach of trust.

                                                                                                                                        1. 6

                                                                                                                                          “should the NSA ask.”

                                                                                                                                          Should they force them, too. Also, in the Lavabit court records, the FBI told the judge the founder could avoid reputational damage by hiding that he gave over the key. He’d just keep telling users it was a private service. The judge agreed. Probably wasn’t the first or won’t be the last agreeing to give the government what they want while telling the company to lie that it couldn’t or didn’t happen.

                                                                                                                                          1. 1

                                                                                                                                            I don’t want contractors that I hired to replace my siding to break into my house and secretly rewire my kitchen without telling me, no matter how faulty the wiring. I don’t want Chrome to suddenly take it upon itself to scan my data without my express consent.

                                                                                                                                            People hire Chrome to manage their banking account or browse trusted content. When Chrome begins to display more ads than it should, try to trick the user into paying fake service or simply steal users data, the same users that end up installing those malware are unlikely to understand they are the culprit in the first place. They trusted Chrome to protect them from themselve. Chrome only defense at that point is to clean after the user. Chrome is not annoying, user behavior is, and Chrome Cleanup Tool is only a hack trying to fix a part of the issue.

                                                                                                                                            You don’t expect the contractor to rewire you kitchen because you won’t blame them if you break your wiring. Chrome is a whole another story. You expect someone to tell you if your wiring is about to burn your house down. This is exactly what Chrome is doing here. Many house have burn down, blame have been put on Chrome. Now Chrome is doing a quick check up from time to time, and if it find some fire hazard it gives you an opportunity to fix it. Chrome is only fixing once you gave it your explicit consent. It also won’t tell anyone unless you tell him otherwise.

                                                                                                                                            1. 2

                                                                                                                                              It is scanning without consent. For all we know this could be a tool for corporate espionage. Frankly with this knowledge no business and especially no software business should allow their employees to use chrome. I regularly recommended chrome to others, but never again.

                                                                                                                                            2. 0

                                                                                                                                              The goal of Chrome may not be to keep your whole computer malware free, but it is to keep itself secure. If Chrome can be taken over by malware (and as the most used browser, it has a huge target on its back), then how can users trust it as a safe software? If anything, this feature makes it a safer browser.

                                                                                                                                              1. 2

                                                                                                                                                So to keep itself secure it should also check for vulnerable IoT devices in the network and use the webcam to prevent unauthorized access? /s

                                                                                                                                            3. 3

                                                                                                                                              “ I don’t seem understand what you want to convey here.”

                                                                                                                                              “For those that are asking why we can’t disable this, think about if you can disable it how unwanted software can do it just as easily. Not that malware can’t, but it’s much more involved to patch Chrome (And maintain the patches on all versions) than updating some settings file.”

                                                                                                                                              This was in the general sense a false claim that I’ve seen way too many times, usually with nefarious features. That association is why I counter it quickly. They could definitely roll out the ability for a user, within the browser UI or as a standalone tool, to change this or other settings where they’re checked at startup and not enabled. Even the AV programs allow this. They let me tell it not to scan things for a certain period of time or at all. Let’s me mix and match features of various vendors should I choose to accept the challenges or risk that poses. The attacks on the AV’s so far have been malicious input into components that interact with network or files (like the scanners), not the switches in the UI.

                                                                                                                                              That they were stealthy about this and didn’t allow anyone to turn it off means they just don’t care whether all users wanted it or still want it. Them not caring about users’ preferences is a separate issue that other browser vendors have done themselves on some of their components.

                                                                                                                                              “Also true for any service you use.”

                                                                                                                                              It’s always true that people or priorities can change at any time. From there, we look at the organization’s charter/purpose, the business model, its operating environment, and past behavior to assess risk. This is about a widely-deployed application people do tons of private stuff with developed by a publicly-traded, surveillance company working to get closer to Washington, DC. A team in that company rolled out something that started scanning people’s files without their knowledge. I don’t believe it’s nefarious at this point but it’s not just any company or product we’re talking about. The circumstances give more reason to worry than usual for some people.

                                                                                                                                              They shouldn’t have done it or should let people disable it. All that said, I like they at least added some sandboxing and restrictions to it. That’s good.

                                                                                                                                        1. 16

                                                                                                                                          It’s even easier when using ii from suckless. We have a bot on #openbsd-gaming now that reports how many people are currently playing. It just runs qstat every 5 minutes, massages the output and spits it out to the input file tied to our channel. It’s hard to beat echo "hello world" > irc/chat.freenode.net/#openbsd-gaming for scripting bots.

                                                                                                                                          1. 5

                                                                                                                                            This is like some weird Portlandia thing…“The dream of Plan9 is alive in suckless”, etc.

                                                                                                                                            Still, neat though! :)

                                                                                                                                            1. -6

                                                                                                                                              ii sounds great in theory, but try to answer new incoming queries. now instead of parsing a single stream of text you have to monitor an entire directory tree with files appearing out of nowhere at any time

                                                                                                                                              parsing irc is super simple and ii is a retarded idea for a bot

                                                                                                                                              1. 15

                                                                                                                                                parsing irc is super simple and ii is a retarded idea for a bot

                                                                                                                                                This isn’t constructive. If anything the toxicity detracts from your argument above.

                                                                                                                                                1. 7

                                                                                                                                                  ii sounds great in theory, but try to answer new incoming queries. now instead of parsing a single stream of text you have to monitor an entire directory tree with files appearing out of nowhere at any time

                                                                                                                                                  Sure, if your bot needs to respond to private queries. The one on our channel doesn’t parse any input at all. Including the channel itself - it’s a notification bot.

                                                                                                                                                  parsing irc is super simple and ii is a retarded idea for a bot

                                                                                                                                                  You’re telling me it was retarded to output the result of qstat every 5 minutes to a file? It took 5 minutes to write the notification using ii - it serves it’s purpose.

                                                                                                                                                  Does ii fit every use case of writing a bot for IRC? Nope. However it does make it dead easy to have various tools output content to a file and get it delivered on an IRC channel that way.

                                                                                                                                                  1. 4

                                                                                                                                                    To be fair, even for notification, it seems overkill to pull ii and play with files when you can simply send to socket:

                                                                                                                                                    NICK bot
                                                                                                                                                    JOIN #foo
                                                                                                                                                    PRIVMSG #foo :My text message
                                                                                                                                                    

                                                                                                                                                    All you need is echo and nc and IRC is yours. ii look to me like an overkill solution for simple problems and limited solution for complexes ones. But then I might simply be missing some complexity about writing bots, manager server configuration, connection throttling, etc.

                                                                                                                                                    1. 2

                                                                                                                                                      Sure, but you will either connect to the network each time you invoke that notification or will need to maintain the connection up, respond to keepalive pings from the server etc. It is really easier to just dump a notification to a file every 5 minutes and have ii handle the connection.

                                                                                                                                                      It’s not perfect for all use cases, but it does simplify this specific one we had :)

                                                                                                                                                    2. -8

                                                                                                                                                      yeah i’m sure not many irc bots want fancy features such as being able to reply to things

                                                                                                                                                1. 6

                                                                                                                                                  i hate slack. it’s a necessary evil. i’m still trying to figure out some norms and conventions to make people not think it’s a replacement for email.

                                                                                                                                                  i use weechat for irc, and there’s a native/non-irc gateway slack plugin for it. works like a charm.

                                                                                                                                                  1. 1

                                                                                                                                                    I still have never used slack. How did this develop into a necessary evil? Wouldn’t Matrix or Rocket Chat fill the need? Mattermost? I find it fascinating that nobody wants to self host (use it to test your devops skills if you must) and nobody seems to care about some corporation having the chat logs of your developers (and code snippets, and and and)

                                                                                                                                                    1. 2

                                                                                                                                                      Having tried to self host Matrix, the current server Synapse is a total pain to manage, super resource hungry, single threaded and as soon as you join big channels everything start to crumble. The gateways are buggy or inneficient. Hopefully the new Go server will fix some of the pain point, but overall I found that self-hosting is great if you want to lose your time on debugging and managing server instead of actually working on your projects.

                                                                                                                                                      Right now I’m running The Lounge with IRC gateways and Bitlbee and it works great. Still some pain point and missing some slack features, but it’s all worth the RAM I save and the fact I can use IRC, Slack, Twitter, Facebook Messenger and Hangout in the same tab!

                                                                                                                                                      1. 2

                                                                                                                                                        I’ve been running my Matrix server for 6 months. It was dead simple to setup and requires no maintenance. I upgrade it regularly (I’m the maintainer on FreeBSD) and the IRC bridge works fine, but it is inefficient.

                                                                                                                                                        I don’t know what OS you ran it on, but it’s quite simple to use on FreeBSD.

                                                                                                                                                        edit: large rooms like the matrix dev room have no appreciable performance impact for me either…

                                                                                                                                                        1. 1

                                                                                                                                                          I don’t know, I ran it with avhost/docker-matrix docker image on a n1-standard-1 (3.75 Go RAM) instance in GCP along with the bridges and an HTTPS reverse proxy. After running it for a while, it could take me about 30 seconds to get my message aknowledge :| It could have been a bad config or slow I/O somewhere, in any case I gave up and won’t retry until Dendrite is stable. I had a much simpler setup that I used on a VPS a year ago until I got tired of cleaning the logs and message history that filled up the disk (There was/are no easy way to manage history and properly clean it…). The logs are also so noisy, seems like the dev mismatched INFO level for DEBUG.

                                                                                                                                                          1. 2

                                                                                                                                                            You have to run a Postgres database too so I wouldn’t try to run it on that hardware. I’ve got 24 cores and 64GB RAM, NVME SSD for ZFS cache, etc.

                                                                                                                                                            1. 1

                                                                                                                                                              I find it fascinating that nobody wants to self host […]

                                                                                                                                                              You have to run a Postgres database too so I wouldn’t try to run it on that hardware. I’ve got 24 cores and 64GB RAM, NVME SSD for ZFS cache, etc.

                                                                                                                                                              Your last answer pretty much explain your first statement. I can’t wrap around my head the fact that I need a few thousands worth of machine to exchange text messages to a few contacts.

                                                                                                                                                              1. 1

                                                                                                                                                                I’m running dozens of services on this machine. Which cost me $400 on eBay 2 years ago. Servers aren’t expensive. VMs are terribly overpriced. Matrix takes up about 1% CPU and 2GB of RAM

                                                                                                                                                      2. 1

                                                                                                                                                        you have to consider the audience, and the tradeoff. the audience is everyone non-tech i work with… i’ve pined for the day non-tech colleagues could use irc, but it just ain’t ever gonna happen. the tradeoff is being ‘part of the team’ vs. left out. in a distributed team, there’s no question about what to do to adapt.

                                                                                                                                                        for whatever reason, slack checked off the boxes that mattermost, hipchat, et al just didn’t. and i don’t see microsoft’s or google’s challenges breaking off any of slack’s pie.

                                                                                                                                                        the question of self hosting is (in my opinion) irrelevant, just like for most folks now the question of self hosting email is irrelevant.

                                                                                                                                                        1. 1

                                                                                                                                                          I run a Mattermost server for friends and family. The experience is still less polished than Slack, although it’s catching up fast. The main problem is mobile OS integration; even fairly simple things (sharing images from the Gallery to Mattermost) are as yet unsupported, at least on Android.

                                                                                                                                                          That said, at the rate it’s improving, it’ll be at parity soon. And for most cases it’s there already.