1. 1

    Anyone took the course yet? Is it worth the time investment?

    1. 1

      I think you should definitely have a look! Just a reminder that the course is aimed at non-technical people so do not expect too many deep dives. More a generalist’s view to enable fact-based discussion around the hype of AI. We tried our best in creating the course and value all feedback!

      1. 7

        Massive kudos to this guy for not putting up with this SJW madness. I wish him all the best!

        We at suckless are heavily opposed to code of conducts and discriminatory organizations of any shape or form.

        1. 11

          Suckless takes a similarly principled stand against runtime config files.

          1. 8

            How does suckless oppose discrimination?

            1. 13

              It’s very simple. Any non-technological matters during software development move the software away from its ideal form. Thus, to make your software suck less, you only take the best developers no matter what race, gender, heritage, etc. these persons have.

              We do not believe in equal status (i.e. e.g. forcibly obtaining a 50/50 gender ratio), as this immediately leads to discrimination. We do however strongly believe in equal rights, naturally. You also naturally cannot have both.

              1. 94

                Any non-technological matters during software development move the software away from its ideal form.

                Suckless makes a window manager: a part of a computer that human beings, with all their rich and varying abilities and perspectives, interact with constantly. Your choices of defaults and customization options have direct impact on those humans.

                For example, color schemes determine whether color-blind people are able to quickly scan active vs inactive options and understand information hierarchy. Font sizes and contrast ratios can make the interface readable, difficult, or completely unusable for visually impaired people. The sizes of click targets, double-click timeouts, and drag thresholds impact usability for those with motor difficulties. Default choices of interface, configuration, and documentation language embed the project in a particular English-speaking context, and the extent to which your team supports internationalization can limit, or expand, your user base.

                With limited time and resources, you will have to make tradeoffs in your code, documentation, and community about which people your software is supportive and hostile towards. These are inherently political decisions which cannot be avoided. This is not to say that your particular choices are wrong. It’s just you are already engaged in “non-technical”, political work, because you, like everyone else here, are making a tool for human beings. The choice to minimize the thought you put into those decisions does not erase the decisions themselves.

                At the community development level, your intentional and forced choices around language, schedule, pronouns, and even technical terminology can make contributors from varying backgrounds feel welcome or unwelcome, or render the community inaccessible entirely. These too are political choices. Your post above is one of them.

                There is, unfortunately, no such thing as a truly neutral stance on inclusion. Consider: you wish to take only the best developers, and yet your post has already discouraged good engineers from working on your project. Doubtless it has encouraged other engineers (who may be quite skilled!) with a similar political view to your own; those who believe, for instance, that current minority representation in tech is justified, representing the best engineers available, and that efforts to change those ratios are inherently discriminatory and unjust.

                Policies have impact. Consider yours.

                1. 7

                  I don’t know if that was your goal, but this is one of the best arguments for positive discrimination I’ve read. Thanks for posting it, and also thanks for noting that all decisions have some inherent politics whether we like it or not.

                  Unfortunately there is simply no solution: positive discrimination is opposed to meritocracy. Forced ratios are definitely an unethical tool, as they are a form of discrimination. However, this unethical tool brings us to a greater good, which is a final product that incorporates diversity in its design and accommodates more users, which is a desirable goal in itself, for the reasons you explained.

                  1. 4

                    color schemes determine whether color-blind people are able to quickly scan active vs inactive options and understand information hierarchy. Font sizes and contrast ratios can make the interface readable, difficult, or completely unusable for visually impaired people. The sizes of click targets, double-click timeouts, and drag thresholds

                    Let me see if I understand what you’re saying. Are you claiming that when color schemes, font sizes and drag thresholds are chosen that that is a political decision? I think that many people would find that quite a remarkable claim.

                    1. 3

                      It’s impossible to not be political. You can be “the status quo is great and I don’t want to discuss it”, but that’s political. The open source “movement” started off political - with a strong point of view on how software economics should be changed. In particular, if you say a CoC that bans people from being abusive is unacceptable, you are making a political statement and a moral statement.

                      1. 3

                        It’s impossible to not be political

                        Could I ask you to clarify in what sense you are using the word “political”?

                        Merriam-Webster (for example) suggests several different meanings that capture ranges of activity of quite different sizes. For example, I’m sure it’s possible to act in a way which does not impinge upon “the art or science of government” but perhaps every (public) action impinges upon “the total complex of relations between people living in society”.

                        In what sense did you use that term?

                        1. 4

                          Let’s start off with a note about honesty. FRIGN begins by telling us “We do not believe in equal status (i.e. e.g. forcibly obtaining a 50/50 gender ratio)” as if someone was proposing the use of force to produce a 50/50 gender ratio - and we all know that wasn’t proposed by anyone. There’s no way to discuss this properly if people are going to raise false issues like that. What comments like FRIGN’s indicate is an unwillingness to have an open and honest conversation. The same bogus rhetoric is at the heart of Damore’s memo: he claims to be in favor of equal rights and just against mythical demand for 50/50 gender equality so that he can oppose obviously ineffective affirmative action programs at Google where 80% of technical staff are male (Damore’s misappropriation of science is similarly based on an objection to a position that nobody ever argued).

                          The next point is that some people are objecting that a CoC and a minority outreach program are “political”. That’s true, but it involves the use of the more general meaning of “political” which the Collins dictionary provides as “the complex or aggregate of relationships of people in society, esp those relationships involving authority or power”. If we are using that definition, of course a CoC and a minority outreach program are political, but opposition to a CoC and a minority outreach program fits the definition as well. If you have an opinion one way or another, your opinion is political. You can’t sensibly use this wide definition of political to label the effort to adopt a CoC and to recruit more minorities and then turn around and claim your opposition to those is somehow not political. So that’s what I mean by “it is impossible to not be political”. The question is a political question and those who try to claim the high ground of being objective, disinterested, non-political for their side of the question are not being straightforward (perhaps it’s just that they are not being straightforward with themselves).

                          1. 3

                            I agree that a CoC, a minority outreach program, and opposition to a CoC all impinge upon “the complex or aggregate of relationships of people in society, esp those relationships involving authority or power”.

                            Would you also agree that there is a popular ideological political movement in favour of CoCs (some combination of the feminist, civil rights and social justice movements)? Perhaps there is also a popular ideological movement against CoCs (some combination of MRAs and the alt right). Are you also claiming that if one claims a “neutral” stance on CoCs one is de facto supporting one of these ideologies?

                            1. 3

                              I’m not sure it is possible to have a neutral stance. In fact, I doubt it.

                              1. 1

                                Interesting! Do you also doubt it is possible to take any action that is neutral with regard to a political ideology?

                                1. 3

                                  You are introducing something different. I don’t think you have to line up with one “side” or another, but you can’t avoid being a participant.

                                  1. 1

                                    You said “It’s impossible to not be political” so I’m trying to understand what you mean by that. So far I’m not clear whether you think every action is political. I’d appreciate it if you’d clarify your position.

                                    1. 2

                                      I’m making a very concrete assertion, which I sense does not fit into your schema. My assertion is that there is no neutrality on workplace equality and inclusion for anyone involved in the workplace. Anyone who, for example, participates in an open source development effort has a position on whether efforts should be made to make it more inclusive even if that position is “this is not important enough for me to express an opinion.”

                                      1. 1

                                        Thank you for clarifying. When you originally said “It’s impossible to not be political” I got the wrong impression.

                                        Do you also hold the same point of view when it comes to roughly comparable statements in other spheres? For example ‘Anyone who eats has a position on vegetarianism even if that position is “this is not important enough for me to express an opinion.”’?

                    2. 1

                      You’ve been quoted by LWN: https://lwn.net/Articles/753709/

                    3. 11

                      AKA shut up and hack? :)

                      1. 1

                        The suckless development process has no non-technical discussions?

                        How are the best developers identified?

                        1. 8

                          just curious, why would you need to identify the best developers? Wouldn’t the quality of their code speak for that?

                          1. 5

                            I also fail to see what the reasoning is. Just send your code, get the non technical discussions out.

                            1. -1

                              Apparently, quoting @FRIGN from above, “to make your software suck less.”

                            2. 8

                              How are the best developers identified?

                              I think this is a totally reasonable question, and one I’d like to see the answer to–if for no other reason than it might help those of us on other projects find more objective metrics to help track progress with.

                              Do you all at suckless use something like:

                              • defect rate
                              • lines of code/feature shipped
                              • execution time
                              • space in memory, space in storage

                              Like, what metrics do you use?

                              1. 7

                                You know, suckless is not a big company and the metrics that can be applied are more of a heuristic. A good developer is somebody who e.g. supplies a patch with a bug report, provides feedback to commits, makes contributions to the projects, thinks his commits through and doesn’t break stuff too often and does not personally identify with their code (i.e. is not butthurt when it’s not merged).

                                What needs to be stressed here is that the metric “lines of code” is completely off. There are horrible programmers who spit out lots of code and excellent ones who over time drop more lines than they add. Especially the latter group is very present among us and thus the LOC-metric will only give false results. Same with execution time, you find that when not enough time is spent on a problem you end up solving it wrong, in the worst case having to start all over.

                          2. 5

                            By being very diverse and doing fackelmärsche of course. https://suckless.org/conferences/2017/

                            1. 3

                              @FRIGN What’s the purpose of this “torchlight hike” in the context of producing code that sucks less? Don’t you see that the activities you choose to have during your conferences are a cultural stance, and because of that, can be perceived as exclusive by programmers that don’t recognize themselves in these activities?

                              1. 0

                                I get your point, but must honestly say that your argument sadly aligns with the ever-excluding and self-segregating destructful nature of cultural marxism. By eating food together at the conferences, do we exclude anorexics that might otherwise be willing to attend such a conference? I don’t drink any alcohol and never have. Still, it was not a problem when we went to a local Braukeller and some people drank alcohol and others like myself didn’t.

                                The fundamental point I think is that one can never fully and analytically claim that a certain process is completely unaffected by something else. If we dive down into these details we would then move on and say that the different choice of clothing, hairstyle, means of travel and means of accommodation all affect the coding process at suckless. This can be taken further and further with no limit, as we all know about the butterfly effect. At some point it is just not measurable any more.

                                If you ask me, this is a gross overstretching of what I said. There are quite a lot of people who do not attend the conferences but still work together with us on projects during that time. What really matters is that we e.g. do not ignore patches from these people or give them less relevance than those of others. To pick the example up: The torchlight hike did not affect any coding decision in a direct way, but it really bonded the team further together and was a very nice memory of this conference that I and the others are very fond of from what I’ve heard. On top of that, during the hike we were able to philosophize about some new projects of which some have become a reality. The net-gain of this event thus was positive.

                                In classical philosophy, there are two main trains of thought when it comes to evaluating actions: Deontology and Teleology. Deontology measures the action itself and its ethical value, completely ignoring the higher goal in the process. Teleology is the opposite, evaluating actions only by their means to reach a goal, completely ignoring the value of the action itself. The best approach obviously should be in between. However, there is a much more important lesson that can be taken from here: When evaluating a decision, one needs to realize what they are measuring and what is unimportant for a decision. What I meant is that to reach the goal of software perfection, the gender and other factors of the submitters do not matter. So even though we here at suckless have a goal, we are not teleologists, as we just ignore the factors that do not matter for coding.

                                It is an ethical question which norms you apply to a decision.

                                If we look at organizations like Outreachy, one might be mistaken to think that they are deontologists, striving to improve processes. However, after closer inspection it becomes clear that this is not the case and they are actually working towards a certain goal, increasing the number of trans and minority people in such communities. No matter how you think about this goal, it makes one thing clear: When you are working towards such a goal and also do not ignore irrelevant factors in your norms (and they in fact do by not ignoring e.g. race and gender), you quickly end up discriminating against people.

                                I hope this clears this up a bit, but as a short sentence, what can be taken from here is: When discussing ethical matters, it’s always important to make clear which norms are applied.

                                1. 2

                                  fackelmärsche

                                  I’m not going to wade into anything else on this, but I’d like to just take a second and let you know that, while you may not mean it in this way the phrase “cultural marxism” is very, very often used as a stand in for “jews”. Some links for the record:

                                  https://www.splcenter.org/fighting-hate/intelligence-report/2003/cultural-marxism-catching

                                  https://newrepublic.com/article/144317/trumps-racism-myth-cultural-marxism https://www.smh.com.au/world/cultural-marxism--the-ultimate-postfactual-dog-whistle-20171102-gzd7lq.html

                                  1. 3

                                    It’s not my fault that some idiots don’t understand this term or its critical analysis. Cultural marxism, as the term implies, is the classical theory of marxism applied to culture. It has nothing to do with jews directly, it’s just an idea. If you know any better term to describe it, please let me know.

                                    Anyway, in the philosophical realms it’s known as ‘Critical Theory’, which originated in the Frankfurt School. However, nobody knows this term.

                                    Unless a better term is found, I disregard your argument and won’t accept your attempt to limit language of perfectly acceptable words to describe an idea. At the end of the day, terminology must be found that adequately describes what a certain idea is, and I see no reason why this should be wrong.

                                    Regarding the torch hike: Yes, marching with torches was abused by the NSDAP as a means of political rallying. However, at least in Germany, it is a much older and deeper-reaching tradition that dates back hundreds of years.

                                    1. -1

                                      You have amply demonstrated that you don’t know anything about the topic. You could start with the decent Wikipedia article. https://en.wikipedia.org/wiki/Frankfurt_School

                                    2. 2

                                      wow, uh, kind of a weird red flag that pointing this out is getting seriously downvoted. I picked these links pretty quickly, and anybody who comes behind and reads this and wonders how serious this is, do yourself a favor and image search and see how many memes have the star of david, greedy merchant, world strangling octopus or any of a number of openly anti-semitic imagery. It’s not hidden, it’s not coy. If you’re tossing “cultural marxism” around you’re either willfully ignoring this or blatantly playing along. It’s not a thing in the world. There are no leftists (at all) who call themselves “cultural marxists”, and in fact there is a sizeable faction of marxists who are openly disdainful of any marxism that eschews political struggle. The new republic article linked above goes into this, Perry Anderson’s “Considerations on Western Marxism”, a well known, well regarded text across a number of marxist subsects, is explicitly based on this. Anyway, enjoy contributing to a climate of increasing hostility toward jews. good stuff.

                                      edit: have some fun with this https://www.google.com/search?q=cultural+marxism&client=firefox-b&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjz2tWrhvnaAhUJ7YMKHVgcCccQ_AUIDCgD&biw=1247&bih=510#imgrc=_

                                      1. 1

                                        The term ‘Cultural Marxism’ describes very well what it is, and not all leftists are cultural marxists. The classical theory of marxism, roughly spoken, is to think of society as being split in two camps, the Proletariat and the Bourgeoisie, eternally involved in a struggle, where the former is discriminated against and oppressed by the latter.

                                        Cultural Marxism applies these ideas to society. In the Frankfurt School it was called ‘Critical Theory’, calling people out to question everything that was deemed a cultural norm. What it essentially led to was to find oppressors and oppressed, and we reached the point where e.g. the patriarchy oppressed against women, white people against minorities, christians against muslims and other religions and so forth. You get the idea. Before you go again rallying about how I target jews or something please take a note that up to this point in this comment, I have just described what cultural marxism is and have not evaluated or criticized it in any way, because this here is the wrong platform for that.

                                        What you should keep in mind is that the nature of cultural marxism is to never be in a stable position. There will always be the hunt for the next oppressor and oppressed, which in the long run will destroy this entire movement from the inside. It was a friendly advice from my side to you not to indulge in this separatory logic, but of course I understand your reasoning to the fullest.

                                        Just as a side note: I did not see you getting ‘seriously’ downvoted. What do you mean?

                                        1. 2

                                          It’s uncommon to find such a well-put explanation; thanks for that.

                                          There will always be the hunt for the next oppressor and oppressed, which in the long run will destroy this entire movement from the inside.

                                          If the movement runs out of good targets (and falls apart because they can’t agree on new ones), wouldn’t that imply that it will self-destruct only after it succeeds in its goals? That doesn’t sound like a bad thing.

                                          1. 1

                                            I’m glad you liked my explanation. :)

                                            That is a very interesting idea, thanks for bringing this thought up! It’s a matter dependent on many different factors, I suppose. It might fall apart due to not being able to agree on new targets or when everybody has become a target, but it is a very theoretical question which one of these outcomes applies here.

                                          2. 1

                                            Generally people who use “cultural marxism” as a pejorative are sloganeering. The idea of an “eternal struggle” is completely foreign to any kind of marxism which is based on a theory that classes come out of the historical process and disappear due to the historical process. Marxism claims that the proletariat and bourgeoisie are temporary divisions that arise from a certain type of economic organization. Whatever one thinks of that idea, your characterization of Marxism is like describing baseball as a game involving pucks and ice. Your summary of “cultural marxism” is even worse. Maybe take a class or read a decent book.

                                            1. 0

                                              Did you actually read any of the links I posted? Specifically the New Republic and SPLC links? I don’t know how else to say this and you pretty much side stepped what I said the first time so I’ll try to reiterate it: There is no such thing as “Cultural Marxism”. At all. It’s not a descriptive category that any marxist actually self applies or applies to other marxists. I’m fully aware of the Frankfurt School, Adorno, Horkheimer, etc. I’ve read some of them and many, many of their contemporaries from Germany, people like Karl Mannheim. I read marxist publications everyday, from here in the states and from Europe. I’m a member of an explicitly marxist political party here in the states. I can’t emphasize this enough, “cultural marxism” isn’t real and is roughly on par with “FEMA camps”, “HAARP rays” and shape shifting lizard jews, meaning; it’s a far far right wing paranoid fantasy used to wall off people from other people and an actual understanding of the material conditions of their world. I also didn’t say, specifically in fact pointing out that I wasn’t saying this, that you were “targeting jews”. That being said, if you use a phrase that has its origins in anti-semitic polemics, is used explicitly and overwhelmingly by anti-semites, then that is on you. (Did you take a look at the linked image search? Does that sort of thing not give you pause?) To say that you “just described what cultural marxism is” is also inaccurate, you absolutely used it in a descriptive way

                                              I get your point, but must honestly say that your argument sadly aligns with the ever-excluding and self-segregating destructful nature of cultural marxism.

                                              White supremacist organizing is experiencing an enormous upsurge, not only here in the states but in Europe as well. From Le Pen to AfD to SVO in Austria and on and on. These people are not interested in polite conversation and they’re not using “cultural marxism” as a category to illuminate political opponents, it’s meant to denigrate and isolate, ironically given that’s exactly what Neo Nazis and white supremacists here in the states accuse left wingers and “SJWs” of doing.

                                              I appreciate that you’re discussing this peacefully but I’m going to bow out of this thread unless you’re interested enough to take some time and read the links

                                              FWIW these also dismantle the trope and point out pretty much exactly what I’m saying around anti-semitism: https://www.vice.com/en_us/article/78mnny/unwrapping-the-conspiracy-theory-that-drives-the-alt-right https://www.theguardian.com/commentisfree/2016/feb/22/chris-uhlmann-should-mind-his-language-on-cultural-marxism

                                              1. 2

                                                I took some more time to read it up and from what I could see, I found that indeed cultural marxism has become more of a political slogan rather than a normal theoretical term in the USA.

                                                Here in Germany the term “Kulturmarxismus” is much less politically charged from what I can see and thus I was surprised to get this response after I just had “translated” this term into English. It might be a lesson to first get some background on how this might be perceived internationally, however, it is a gigantic task for every term that might come around to you.

                                                So to reiterate my question, what term could be better used instead? :)

                                                1. 1

                                                  interesting that it has a different grounding/connotation in Germany, but then again I’m not surprised since that’s where it’s supposed to have originated from. I’ll reread your other posts and come up with a response that’s fair. Thanks for taking the time to read those links.

                                2. 17

                                  I’m not going to remove this because you’re making a public statement for suckless, but please don’t characterize positions you disagree with as madness. That kind of hyperbole generally just leads to unproductive fights.

                                  1. 9

                                    Please don’t remove anything unless it’s particularly vulgar…

                                    1. [Comment removed by author]

                                      1. 3

                                        hey that’s my account you’re talking about!

                                    2. -1

                                      Removing differing viewpoints? It is precisely this kind of behavior that maddens people who complain about SJW, who (the SJW) seem unable to take any discussion beyond calling their opponent’s position “evil”, “alt-right”, “neo-nazi”, or, if they are exceptionally well-spoken, “mad”.

                                      1. 14

                                        No, removing abuse and hyperbole that acts as flamebait regardless of the political opinions expressed. So far I’ve removed one post and hope not to remove more.

                                        1. 2

                                          It’s hard for me to see a reason to remove things when we have the voting system in place, neither are perfect but one is at your sole discretion whereas the other is the aggregate opinion of the users.

                                          1. 21

                                            Voting isn’t a replacement of moderation. It helps highlight and reward good comments and it can punish bad comments, but it’s not sufficient for running a community. I’m trying to head off places where people give up on argument and just try to hurt or tar the people they disagree with because it doesn’t lead to a good community. Lobsters is a very good place for discussing computing and I haven’t seen that in communities this size with hands-off moderation (but I’d love counter-examples to learn from!) From a quick query, we’ve had comments from 727 unique users in the last 30 days and there’s around 15k unique IPs in the logs per weekday, so people are constantly interacting with the others who don’t know their background, don’t share history, can’t recognize in-jokes, simply don’t have reason to trust when messages are ambiguous, let alone provocative. Friendly teasing like “ah yeah, you would think that” or “lol php sucks” that’s rewarding bonding in a small, familiar group hurts in a big one because even if the recipient gets the joke and laughs along or brushes it off as harmless, it’s read by thousands of people who don’t or can’t.

                                            1. 2

                                              Lobsters is a very good place for discussing computing and I haven’t seen that in communities this size with hands-off moderation

                                              I support your position on sub-topic but even my Trial you linked to shows a bit otherwise on just this point. This site has more flexible, hands-off moderation than many I’ve seen with this much political dispute. Even in that link, we saw an amount of honesty, civility, and compromise I don’t usually see. There’s been quite a bit better results in this thread than usual elsewhere. There seems to be enough community closeness despite our size that people are recognizing each other’s positions a bit. Instead of comments, you can actually see it by what’s not said more since it’s prior ground we’ve covered. The others are learning as discussion furthers. Then, there’s the stuff we don’t want which seems to be basically what those individuals are intending in a way that has nothing to do with site’s size.

                                              So, I support you getting rid of just pure abuse, trolling, sockpuppeting, etc. I don’t think we’ve hit the full weaknesses and limited vision of large sites yet despite our increase in comments and views. We’re still doing a lot better than average. We’re still doing it with minimal intervention on things like politics relative to what I’ve seen elsewhere. I think we can keep at current moderation strategy for now because of that. For now.

                                              Just wanted to say that in the middle of all this.

                                              1. 0

                                                Voting isn’t a replacement of moderation. It helps highlight and reward good comments and it can punish bad comments, but it’s not sufficient for running a community.

                                                I’m not sure if I see why it’s not a good replacement. To me, I see voting as distributed moderation and the “real” moderation is automatically hiding (not removing) comments when they fall below a threshold.

                                                I’m trying to head off places where people give up on argument and just try to hurt or tar the people they disagree with because it doesn’t lead to a good community.

                                                I think this method relies on an accurate crystal ball where you can foresee people’s actions and to an extent, the reactions of the people reading the comments.

                                                I’d have to question what you mean by “a good community”, it seems like it’s just a place where everyone agrees with what you agree with and those that disagree aren’t heard because it risks offending those that do agree.

                                                I think the best discussions on here are because we have many people with wide and varied opinions and backgrounds. The good comes from understanding what someone else is saying, not excluding them from the discussion. The only places I see that warranted is where someone has said something purposely and undeniably vile.

                                                1. 8

                                                  The automatic hiding of low-scoring comments is also a “sole discretion” thing; jcs added it and I tweaked it a few months ago. The codebase enforces a lot of one moderator’s ideas of what’s good for a community in a hands-off way and the desire to do that motivated its creation.

                                                  I strongly agree that a community where everyone agrees with the moderator would be a bad one, even if I am that moderator. It’s tremendously rewarding to understand why other people see things differently, if for no other reason than the selfish reason that one can’t learn or correct mistakes if one never sees things one doesn’t already agree with.

                                                  I think the crystal ball for foreseeing problems is experience, from many years of reading and participating in communities as they thrive or fail. I think it’s possible to recognize and intervene earlier than the really vile stuff because I’ve seen it work and I’ve seen its absence fail. I keep asking for examples of excellent large communities without active moderators because I haven’t seen those, and after a couple decades and a few hundred communities I see the anthropic principle at work: they don’t exist because they self-destruct, sink into constant vileness, or add moderation. At best they maintain signal-to-noise ratios far below that of Lobsters where the thoughtful commentary is crowded out by trolling, running jokes, ignorance, and plain low-quality comments because it doesn’t seem worth anyone’s while to care when posting.

                                                  But moderation is not a panacea in and of itself. Without good experience, judgment, and temper a bad moderator swiftly destroys a community, and this is a very common way communities fail. If it helps any, the author of the comment I removed agrees that it wasn’t done to suppress their opinion.

                                                  1. 1

                                                    The benefit I see from moderation being part of the codebase is that it’s public, predictable and repeatable (in terms of reliability). When you take moderation decisions into your own discretion many of these virtues are lost.

                                                    As for experience, I think that’s tricky because it can easily lead you to making the same mistake twice. It’s also made of your personal experiences and you’re using that to curate the discussion of other people, I would caution that it’s another method of controlling dialog (perhaps subconsciously) to what you find acceptable, not necessarily what’s best for everyone.

                                                    1. 3

                                                      The benefit I see from moderation being part of the codebase is that it’s public, predictable and repeatable (in terms of reliability). When you take moderation decisions into your own discretion many of these virtues are lost.

                                                      Most of them go into the Moderation Log. I’ve been watching it since the jcs days since it’s what folks are supposed to do in a transparent, accountable system. Gotta put effort in. I haven’t seen much of anything that bothered me. The bans and deletes I’ve been able to follow @pushcx doing were trolling, alleged sockpuppeting, and vicious flamewarring. Some I couldn’t see where I’d rather the resource go off the front page rather than getting deleted so someone looking at logs could see it for whatever it was. Nonetheless, his actions in the thread about me, the general admining, and what I’ve seen in moderation have been mostly good. A few really good like highlighting the best examples of good character on the site. I think he’s the only one I’ve seen do that on a forum in a while.

                                                      You have little to worry about with him in my opinion at the moment. Do keep an eye on the comments and log if you’re concerned. Scrape them into version storage if concerned about deletions. What goes on here is pretty public. Relax or worry as much as you want. I’m more relaxed than worried. :)

                                                      1. 3

                                                        Yeah, I agree on the pitfalls of experience. As SeanTAllen noted in a separate branch of this thread a minute ago, there’s “but you didn’t say” and other wiggle room; I think that’s where automatic moderation falls down and human judgment is required. Voting has its own downsides like fads, groupthink, using them to disagree (which is all over this thread), in-jokes, a drifting definition of topicality, all the parallels to the behaviors of political rhetoric, etc. Lobsters has never been voting only and I don’t see a compelling reason to change that. jcs’s involvement in the site was steadily declining so I’m certainly more actively moderating, but I don’t see that as a change in character. I guess what it comes down to is that I agree with you about what successful communities do and don’t look like, but I haven’t seen one that works on the model you’ve outlined and I don’t see that kind of fundamental change as a risk worth taking.

                                            2. 1

                                              So FRIGN writes to oppose “SWJ madness”, and you chime in to complain that “SWJ” calls opponents “mad”. Are you calling FRIGN “SWJ” or what? It’s kind of hard to discern your point in that cloud of grievance.

                                              1. 1

                                                “SJW” for “social justice warrior.”

                                                @COCK is sarcastically non-replying because you typo’ed.

                                                1. 2

                                                  Not exactly, I was sarcastically non-replying because I assumed he was intentionally misunderstanding me. I assumed this because I didn’t see any ambiguity in my answer. On later inspection I noticed the ambiguity so I gave an actual reply:

                                                  https://lobste.rs/s/nf3xgg/i_am_leaving_llvm#c_yzwuux

                                                  1. 1

                                                    The interesting thing is how people agreeing with Mr. cock pile on the insults against the people who they complain are insulting them by forcing them to sign on to codes of conduct which prohibit insults. It’s almost as if there was a good reason for those codes.

                                                    1. 1

                                                      I doubt the irony is lost on anyone supporting a CoC.

                                                  2. -1

                                                    Yes, I’m calling FRIGN a “SWJ”.

                                                    1. -1

                                                      Yes, well, one sympathizes with your plight.

                                                      1. 2

                                                        Ah now I see the ambiguity: “people who complain about SJW, who…” the “who” referred to the “SJW”, not the “people”

                                                  3. 1

                                                    The only comment that was removed was against FRIGN’s point of view. Nobody is removing differing points of view, just enforcing civil discussion.

                                                2. [Comment removed by author]

                                                  1. 4

                                                    “We at suckless are heavily opposed to code of conducts and discriminatory organizations of any shape or form.”

                                                  2. 4

                                                    It’s responses like yours that really make the case for codes of conduct.

                                                    1. 2

                                                      Are you speaking for the group or is that your own opinion? Knowing that the group aligns itself with that position would certainly make me not interested in working with it or contributing.

                                                      1. 6

                                                        To be fair, suckless is not well-organised enough to be a group that can have a single opinion to be spoken for.

                                                        That said, FRIGN is a prominent contributor and from what I’ve seen most contributors are heavily on the side of “the code will speak for itself”.

                                                    1. 4

                                                      Web GUI technology has completely surpassed the desktop GUI technology.

                                                      Back in the day web stuff was so basic that a desktop GUI was nicer and an upgrade, now that has reversed.

                                                      1. 10

                                                        I agree to some extent, except that Electron apps (and some web apps) are all but unusable on low-end/older hardware. Many (but not all) are severely lacking in keyboard control and other things that one might expect, too. Every Electron app seems to be oblivious to multilingual users and underlines every word, despite me switching input methods.

                                                        1. 2

                                                          I’d like a HTML-based GUI that doesn’t embed a full renderer like Electron does – something that maps HTML onto native controls (including accessibility stuff) could be really neat.

                                                          1. 1

                                                            Isn’t that what React Native is? Maybe that’ll be the hot new thing instead of Electron; would prolly be an upgrade.

                                                            Edit: whoops, it’s iOS and Android only.

                                                            1. 1

                                                              React Native is just running your app as JS and communicating to a native set of widgets and layout, which need to be implemented per platform. If desktop support were something FB had as a priority it’d be a good option for a lot of people, but… it’s not.

                                                        2. 9

                                                          Couldn’t disagree more, and the reason is accessibility. It’s super trivial for desktop app developers to add keyboard shortcuts and other accessibility aids to their apps. Web developers, despite the fact that these standards like ARIA exist, seem unwilling to adopt them in any sizable number.

                                                          We can have this conversation again when the Hello World app produced by your average Java framework is Aria accessible, has keyboard shortcuts for everything, and works properly with screen readers.

                                                          1. 4

                                                            If the developer doesn’t care it doesn’t matter if it’s a desktop app or a web app. They won’t do it either way.

                                                            The difficulty of adding keyboard shortcuts or adding accessibility tags is not dramatically different and quite easy for web apps too.

                                                          2. 3

                                                            As bad as GUI toolkits are, web tech is a lot more awkward to make GUIs with than any major cross-platform toolkit, simply because it’s a hack to draw anything with the DOM. (You’re literally live-editing the AST of a rich text document. It’s amazing that it works at all.)

                                                            1. 1

                                                              Your sole argument about DOM being a hack and awkward is it being live-editing an AST? If anything, this might be a pro of the DOM API… I don’t see how a technology widely used, having API clearly defined for those use cases and supported by modern and old browsers can be called a hack and awkward. Meanwhile you have your average GUI toolkit that still asks you to design your AST in the code, put the styling right beside the event handling and often introduces first how to put a button at X,Y because using container and layout is awkward and complicated.

                                                              1. 1

                                                                A regular GUI toolkit doesn’t involve manipulating the AST of a markup language. It involves manipulating containers that map conceptually to layout, using already-implemented widgets. There’s an event handling system designed to efficiently handle widget-specific mappings, focus changes, and other common situations, as well as having sane defaults (versus having an event system that needed to be tacked on ten years after the other features were written).

                                                                The act of spawning a widget in a web app is an ugly hack, simply because document markup structurally conflicts with GUI layout in ways that the web developer must bodge.

                                                                If any GUI toolkit requires you to jump through hoops to draw a dot on the screen, it’s broken. (By this standard, most popular GUI toolkits are also broken, but HTML is the most broken of all.)

                                                                1. 1

                                                                  Yeah, regular GUI toolkit doesn’t involve AST and markup language, such as HTML, XAML, Android, QML, etc. In my opinion, working on a human readable and understandable AST might be the key of the web platform GUI? Drawing anything is as simple as adding a node or subtree to my current tree. It’s as simple to do by hand as programmatically. If anything goes wrong I have well made developer tools to see and live edit this tree. Call it a hack all you want, I call it a successful low-level representation to share the GUI state to the renderer, much better and more powerful than what you can do with Tcl or xlib (Although, much more heavy).

                                                                  If any GUI toolkit requires you to jump through hoops to draw a dot on the screen, it’s broken. (By this standard, most popular GUI toolkits are also broken, but HTML is the most broken of all.)

                                                                  There you go: <html><head></head><body>.</body></html>. By this test we can now assert that HTML is not broken (Or at least just as much as the others).

                                                                  1. 2

                                                                    You haven’t drawn a dot. You’ve typeset a period, and spent 40 characters doing it. And, typesetting text is what HTML is for, so it’s what it’s best at. If you actually want to ensure the period resembles a dot, set its x,y position, and set its color, you’ll need hundreds more characters.

                                                                    In BASIC, you can just do pset(x, y, color)

                                                                    In TK: canvas .c ; .c create point x y color ; pack .c

                                                                    An AST only makes sense if you are actually parsing or generating a structured language. The structure of an HTML document doesn’t coincide with the structure of a PARC GUI (i.e., every major GUI app since 1977), and is an even worse match for the scope of all possible useful GUIs (most of which resemble neither paper nor forms). The reason is that HTML was only ever intended to display minimally-formatted rich text.

                                                                    “Drawing something” is usually easier than manipulating the DOM. “Drawing something” is only trivial on the DOM when what you’re drawing is structured like a text document.

                                                          1. 20

                                                            The author doesn’t mention the popular GUI library that’s the best fit for his use case – TK. (I can’t blame him – TK has poor PR, since it’s marginally less consistent than larger and more unwieldy toolkits like GTK and QT, while having many of the drawbacks of a plain X implementation.)

                                                            That said, the fact that TK is the easiest way to go from zero to a simple GUI is frankly pretty embarrassing. There’s no technical reason GUI toolkits can’t be structured better – only social reasons (like “nobody who knows how to do it cares enough”).

                                                            1. 13

                                                              The problem is that TK still has terrible looking widgets. Just because UI fashion has moved away from consistent native look and feel doesn’t mean TK is passable.

                                                              1. 12

                                                                TTK mostly takes care of this, by creating a Look and Feel that matches up with the platform in question.

                                                                1. 3

                                                                  TK ships with TTK, which provides native widget styles for every major platform. It has shipped that way for nine years.

                                                                  1. 1

                                                                    I was not aware of TTK, thank you! I tried out TK a few times and seeing how awful it looked made me leave it really quickly for other technologies.

                                                                    1. 4

                                                                      TTK has been around for a long time, and built into TK for a long time too. It’s a mystery to me why they don’t enable it by default. I discovered it six years after it got bundled!

                                                                      1. 1

                                                                        I tried to look into it a little bit today but it looks like there is pretty much only one getting started guide for it, written in python. Do you know any guides for it in other languages?

                                                                        1. 2

                                                                          Not really. It provides native-styled clones of existing widgets, so if it’s wrapped by your target language, all you should need to do is import it and either overwrite the definitions of your base widget-set or reference the ttk version instead (ex., by running ‘s/tk./ttk./g’ on your codebase).

                                                                2. 5

                                                                  When he put out the JSON protocol, Tcl/Tk came right to mind. This is exactly how people do UI with Python and tkinter.

                                                                  1. 3

                                                                    Interesting — I have almost no experience with TK. I will look into it, thanks!

                                                                    1. 3

                                                                      TK is used by Mozart/Oz for the GUI, with a higher level library QTk on top of it. It works well and is easy to program with.

                                                                  1. 1

                                                                    Is there any way to specify the current project is using the wasm target so one could just use cargo build instead of relying on npm? I tried rustup override but I keep having an error about the wasm target not found, even though I just installed it on nightly.

                                                                    1. 1

                                                                      If you look at what npm run build-debug and npm run build-release are doing, you’ll see that it isn’t very magic:

                                                                      cargo +nightly build --target wasm32-unknown-unknown && \
                                                                          wasm-bindgen target/wasm32-unknown-unknown/debug/wasm_game_of_life.wasm --out-dir .
                                                                      

                                                                      So, yes, you can use cargo build to create the .wasm binary, you just have to supply the --target wasm32-unknown-unknown. However, to get the generated JavaScript API glue, you need to also run wasm-bindgen.

                                                                      The npm run build-* commands just package them both up in one step for convenience.

                                                                    1. 1

                                                                      Does Netflix even prefill the email input field when one clicks the update link? In the likely case it doesn’t I fail to see how a scam would even work, implying the user will just fill in their usual credentials and log in to their own account.

                                                                      1. 4

                                                                        chromium-browser is scrutinized closely enough that this would be noticed on ubuntu, right?

                                                                        1. 5

                                                                          The sandbox engine downloading and running ESET actually appears to be in Chromium: https://cs.chromium.org/chromium/src/chrome/browser/safe_browsing/chrome_cleaner/ so developers are free to review it and remove any reference to it. If my memory serves me well, Chrome Cleaner is not special and should appear in chrome://components/ along with other optional closed-source components, although I don’t have a Windows machine to validate right now. It should be (Or at least used to be) disabled for builds other than Google Chrome.

                                                                          1. 2

                                                                            Thanks. It doesn’t appear in chrome://components for me, at any rate.

                                                                            1. 1

                                                                              If I look at it on windows I can see the entry: Software Reporter Tool - Version: 27.147.200

                                                                              1. 1

                                                                                Excellent, a positive control.

                                                                          2. 2

                                                                            isra17’s reply implies there’s no scanner in Chromium, only Chrome. [I wrote this referring to his separate comment–now he has another reply here.] It probably wouldn’t make sense to have this on Linux anyway, just because there isn’t the same size of malware ecosystem there.

                                                                            (And I think the reporting/story would be different if the scanner were open source–we’d have an analysis based on the source code, people working on patched Chromium to remove it, and so on.)

                                                                            1. 1

                                                                              I’m curious about MacOS. I don’t run Chrome usually, but I have to in some cases, e.g. to use Google Meets for work.

                                                                              1. 2

                                                                                I don’t have an authoritative answer, but https://www.blog.google/products/chrome/cleaner-safer-web-chrome-cleanup/ only talks about Windows.

                                                                                1. 2

                                                                                  I don’t see it in chrome://components on my Mac, if that is indeed where it is supposed to appear.

                                                                            1. 18

                                                                              I actually used to work as a contractor on this project as a malware analyst. The cleaner was first developed by Google, but they moved to ESET after a while. For what it’s worth, the team are really privacy minded, and I can attest that it did make our job harder to track and possibly clean bad stuff. As a contractor I couldn’t even access any PII, including user reports, since they could contain paths with username, etc.

                                                                              For those that are asking why we can’t disable this, think about how, if you can disable it, unwanted software can do it just as easily. Not that malware can’t, but it’s much more involved to patch Chrome (And maintain the patches on all versions) than updating some settings file. It’s not as if you didn’t have alternatives anyway, Chromium doesn’t have this component and Firefox is quite awesome.

                                                                              Anyway, if you have any question please feel free to ask! I’m not on this project anymore (Neither at Google), but I’ve been on the team since the beginning until the ESET transition and I’m still in touch with the team.

                                                                              1. 7

                                                                                I appreciate the details. The stuff on the team isn’t comforting since it could change any time. Far as disabling it, that’s not a good argument given they could just offer a trusted tool that does this for the user. Not just for this but other risky stuff. They could even sell this. If anything, disabling it would reduce attack surface since anti-malware tools have been an attack vector in the past. It will also eliminate any negative impact on performance or watts.

                                                                                1. 4

                                                                                  The stuff on the team isn’t comforting since it could change any time.

                                                                                  Also true for any service you use. I know it’s hard to believe, but Google is pretty strict about PII and what can be saved where for how long and seen by who and has an organisation overseeing all of this. There are processes in place governing each team at Google that require teams to document every PII they collect and the motivation behind this. In any case, detailed reports are sent only when users opt-in to send it.

                                                                                  Far as disabling it, that’s not a good argument given they could just offer a trusted tool that does this for the user. Not just for this but other risky stuff. They could even sell this.

                                                                                  Could you elaborate? I don’t seem to understand what you want to convey here. Who are “they”, what “tool” and what “stuff” are you talking about here?

                                                                                  If anything, disabling it would reduce attack surface since anti-malware tools have been an attack vector in the past. It will also eliminate any negative impact on performance or watts.

                                                                                  The scanner is sandboxed (open-source, part of chromium) and somewhat limited in what it can do. It’s not your usual anti-malware tools running from the kernel and featuring RCE as a service. I also think it was reviewed by that guy ;)

                                                                                  Something to think about is the actual state of the internet for the broad public. While most of us here won’t benefit from this tool and at worst will find it annoying while it scans in the background, reality is that a very large portion of internet users are currently infected by spyware and adware. While we are arguing about privacy issues due to Chrome reading some of your files on your disk (And not sending them anywhere), most people have their whole internet history tracked by shady adware corporations and are being shown ads tricking them into buying fraud applications and calling fake tech support. And I’m not even talking about the fact that most of that software has backdoors usable by any actor to run arbitrary payloads. Want an easy botnet? Reverse some of those freeware “updaters”.

                                                                                  Of course the Chrome Cleanup Tool doesn’t fix the root cause, but it could be argued that’s it’s better than nothing. And from Google point of view, there are benefits from it other than invade more of its user privacy. When Chrome is crashing due to an adware injecting its unstable DLL, guess who get the blame? I’ve even seen many report blaming Google about how Chrome is sending PII or rewriting ads when in fact it was adware being installed on user machine. It’s in Google interest to fix this issue before getting in the point where IE was with the toolbars hell.

                                                                                  So in short, Chrome Cleanup Tool is not there to help you, it’s there for your not techsavy windows user that behave by clicking and running everything as admin it come across, and is now proxying his whole internet connection through some ad company server.

                                                                                  1. 6

                                                                                    Could you elaborate? I don’t seem to understand what you want to convey here. Who are “they”, what “tool” and what “stuff” are you talking about here?

                                                                                    I don’t want my tools to do things they’re not advertised as doing. Chrome’s job isn’t to scan my files, so it should never do that without telling me.

                                                                                    So in short, Chrome Cleanup Tool is not there to help you, it’s there for your non-tech-savvy Windows user who clicks and runs everything they come across as admin, and is now proxying his whole internet connection through some ad company’s server.

                                                                                    I don’t want contractors that I hired to replace my siding to break into my house and secretly rewire my kitchen without telling me, no matter how faulty the wiring. I don’t want Chrome to suddenly take it upon itself to scan my data without my express consent.

                                                                                    And now, Google has a list of files on their servers. Ones that a malicious employee can access, or which might be given in bulk to the NSA, should the NSA ask.

                                                                                    It’s not just annoying. It’s a breach of trust.

                                                                                    1. 6

                                                                                      “should the NSA ask.”

                                                                                      Should they force them, too. Also, in the Lavabit court records, the FBI told the judge the founder could avoid reputational damage by hiding that he gave over the key. He’d just keep telling users it was a private service. The judge agreed. Probably wasn’t the first or won’t be the last agreeing to give the government what they want while telling the company to lie that it couldn’t or didn’t happen.

                                                                                      1. 1

                                                                                        I don’t want contractors that I hired to replace my siding to break into my house and secretly rewire my kitchen without telling me, no matter how faulty the wiring. I don’t want Chrome to suddenly take it upon itself to scan my data without my express consent.

                                                                                        People hire Chrome to manage their banking account or browse trusted content. When Chrome begins to display more ads than it should, tries to trick the user into paying for fake services or simply steals users’ data, the same users that end up installing that malware are unlikely to understand they are the culprit in the first place. They trusted Chrome to protect them from themselves. Chrome’s only defense at that point is to clean up after the user. Chrome is not annoying, user behavior is, and Chrome Cleanup Tool is only a hack trying to fix a part of the issue.

                                                                                        You don’t expect the contractor to rewire your kitchen because you won’t blame them if you break your wiring. Chrome is a whole other story. You expect someone to tell you if your wiring is about to burn your house down. This is exactly what Chrome is doing here. Many houses have burned down, and blame has been put on Chrome. Now Chrome is doing a quick check up from time to time, and if it finds some fire hazard it gives you an opportunity to fix it. Chrome is only fixing once you have given it your explicit consent. It also won’t tell anyone unless you tell it otherwise.

                                                                                        1. 2

                                                                                          It is scanning without consent. For all we know this could be a tool for corporate espionage. Frankly with this knowledge no business and especially no software business should allow their employees to use Chrome. I regularly recommended Chrome to others, but never again.

                                                                                        2. 0

                                                                                          The goal of Chrome may not be to keep your whole computer malware free, but it is to keep itself secure. If Chrome can be taken over by malware (and as the most used browser, it has a huge target on its back), then how can users trust it as a safe software? If anything, this feature makes it a safer browser.

                                                                                          1. 2

                                                                                            So to keep itself secure it should also check for vulnerable IoT devices in the network and use the webcam to prevent unauthorized access? /s

                                                                                        3. 3

                                                                                          “I don’t seem to understand what you want to convey here.”

                                                                                          “For those that are asking why we can’t disable this, think about if you can disable it how unwanted software can do it just as easily. Not that malware can’t, but it’s much more involved to patch Chrome (And maintain the patches on all versions) than updating some settings file.”

                                                                                          This was in the general sense a false claim that I’ve seen way too many times, usually with nefarious features. That association is why I counter it quickly. They could definitely roll out the ability for a user, within the browser UI or as a standalone tool, to change this or other settings where they’re checked at startup and not enabled. Even the AV programs allow this. They let me tell it not to scan things for a certain period of time or at all. Lets me mix and match features of various vendors should I choose to accept the challenges or risk that poses. The attacks on the AV’s so far have been malicious input into components that interact with network or files (like the scanners), not the switches in the UI.

                                                                                          That they were stealthy about this and didn’t allow anyone to turn it off means they just don’t care whether all users wanted it or still want it. Them not caring about users’ preferences is a separate issue that other browser vendors have done themselves on some of their components.

                                                                                          “Also true for any service you use.”

                                                                                          It’s always true that people or priorities can change at any time. From there, we look at the organization’s charter/purpose, the business model, its operating environment, and past behavior to assess risk. This is about a widely-deployed application people do tons of private stuff with developed by a publicly-traded, surveillance company working to get closer to Washington, DC. A team in that company rolled out something that started scanning people’s files without their knowledge. I don’t believe it’s nefarious at this point but it’s not just any company or product we’re talking about. The circumstances give more reason to worry than usual for some people.

                                                                                          They shouldn’t have done it or should let people disable it. All that said, I like that they at least added some sandboxing and restrictions to it. That’s good.

                                                                                    1. 16

                                                                                      It’s even easier when using ii from suckless. We have a bot on #openbsd-gaming now that reports how many people are currently playing. It just runs qstat every 5 minutes, massages the output and spits it out to the input file tied to our channel. It’s hard to beat echo "hello world" > irc/chat.freenode.net/#openbsd-gaming for scripting bots.

                                                                                      1. 5

                                                                                        This is like some weird Portlandia thing…“The dream of Plan9 is alive in suckless”, etc.

                                                                                        Still, neat though! :)

                                                                                        1. -6

                                                                                          ii sounds great in theory, but try to answer new incoming queries. now instead of parsing a single stream of text you have to monitor an entire directory tree with files appearing out of nowhere at any time

                                                                                          parsing irc is super simple and ii is a retarded idea for a bot

                                                                                          1. 15

                                                                                            parsing irc is super simple and ii is a retarded idea for a bot

                                                                                            This isn’t constructive. If anything the toxicity detracts from your argument above.

                                                                                            1. 7

                                                                                              ii sounds great in theory, but try to answer new incoming queries. now instead of parsing a single stream of text you have to monitor an entire directory tree with files appearing out of nowhere at any time

                                                                                              Sure, if your bot needs to respond to private queries. The one on our channel doesn’t parse any input at all. Including the channel itself - it’s a notification bot.

                                                                                              parsing irc is super simple and ii is a retarded idea for a bot

                                                                                              You’re telling me it was retarded to output the result of qstat every 5 minutes to a file? It took 5 minutes to write the notification using ii - it serves its purpose.

                                                                                              Does ii fit every use case of writing a bot for IRC? Nope. However it does make it dead easy to have various tools output content to a file and get it delivered on an IRC channel that way.

                                                                                              1. 4

                                                                                                To be fair, even for notification, it seems overkill to pull ii and play with files when you can simply send to socket:

                                                                                                NICK bot
                                                                                                JOIN #foo
                                                                                                PRIVMSG #foo :My text message
                                                                                                

                                                                                                All you need is echo and nc and IRC is yours. ii looks to me like an overkill solution for simple problems and a limited solution for complex ones. But then I might simply be missing some complexity about writing bots, managing server configuration, connection throttling, etc.

                                                                                                1. 2

                                                                                                  Sure, but you will either connect to the network each time you invoke that notification or will need to maintain the connection up, respond to keepalive pings from the server etc. It is really easier to just dump a notification to a file every 5 minutes and have ii handle the connection.

                                                                                                  It’s not perfect for all use cases, but it does simplify this specific one we had :)
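The exchange from the two comments above (registration, the server's keepalive PING, one PRIVMSG) as an added Python example, not code from either poster. It sends the USER line that servers require alongside NICK, and flattens the notification text so CR/LF in tool output cannot start a second IRC command; the server lines, `irc.example.test` and the 400-byte budget are constructed assumptions.

```python
import socket

# Assumption: headroom under IRC's 512-byte line limit, because the server
# prepends a :nick!user@host prefix when it relays the message.
TEXT_LIMIT = 400


def clean_text(text, limit=TEXT_LIMIT):
    """Flatten untrusted tool output into one safe PRIVMSG payload."""
    flat = " ".join(text.split())                       # CR, LF, tabs -> single spaces
    flat = "".join(c for c in flat if c.isprintable())  # drop NUL and other controls
    return flat.encode("utf-8")[:limit].decode("utf-8", "ignore")


def irc_line(command, *params, trailing=None):
    """Build one CRLF-terminated message; refuse input that could start a second one."""
    for p in (command, *params):
        if not p or p.startswith(":") or any(c in p for c in "\r\n\0 "):
            raise ValueError(f"unsafe IRC parameter: {p!r}")
    line = " ".join((command, *params))
    if trailing is not None:
        if any(c in trailing for c in "\r\n\0"):
            raise ValueError("CR, LF or NUL in trailing parameter")
        line += " :" + trailing
    return line.encode("utf-8") + b"\r\n"


def parse(line):
    """Split a server line into (command, rest), skipping the optional :prefix."""
    if line.startswith(":"):
        _, _, line = line.partition(" ")
    command, _, rest = line.partition(" ")
    return command.upper(), rest


def notify(sock, nick, channel, text):
    """Register, answer PINGs, post one message, quit. Returns the text sent."""
    payload = clean_text(text)
    if not payload:
        raise ValueError("nothing printable to send")
    sock.sendall(irc_line("NICK", nick))
    sock.sendall(irc_line("USER", nick, "0", "*", trailing=nick))
    with sock.makefile("rb") as server:
        for raw in server:
            command, rest = parse(raw.decode("utf-8", "replace").rstrip("\r\n"))
            if command == "PING":
                # Keepalive: echo the server's token back or be disconnected.
                sock.sendall(("PONG " + rest + "\r\n").encode("utf-8"))
            elif command == "001":
                # RPL_WELCOME: registration is complete, commands are accepted now.
                sock.sendall(irc_line("JOIN", channel))
                sock.sendall(irc_line("PRIVMSG", channel, trailing=payload))
                sock.sendall(irc_line("QUIT"))
                return payload
            elif command in ("432", "433"):
                raise RuntimeError("nickname rejected: " + rest)
    raise ConnectionError("server closed the connection before registration")


def demo():
    """Run notify() against constructed server traffic over a local socket pair."""
    client, server = socket.socketpair()
    # Constructed server side: a keepalive arrives before the welcome numeric.
    server.sendall(b"PING :k1\r\n:irc.example.test 001 bot :Welcome\r\n")
    # Constructed tool output whose embedded CRLF tries to add a QUIT command.
    notify(client, "bot", "#foo", "players: 3\r\nQUIT :bye\tnow\x00")
    client.close()
    sent = b""
    while chunk := server.recv(4096):
        sent += chunk
    server.close()
    return sent.split(b"\r\n")


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Against a real network, `notify()` takes the socket returned by `socket.create_connection((host, port))`.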

                                                                                                2. -8

                                                                                                  yeah i’m sure not many irc bots want fancy features such as being able to reply to things

                                                                                            1. 6

                                                                                              i hate slack. it’s a necessary evil. i’m still trying to figure out some norms and conventions to make people not think it’s a replacement for email.

                                                                                              i use weechat for irc, and there’s a native/non-irc gateway slack plugin for it. works like a charm.

                                                                                              1. 1

                                                                                                I still have never used slack. How did this develop into a necessary evil? Wouldn’t Matrix or Rocket Chat fill the need? Mattermost? I find it fascinating that nobody wants to self host (use it to test your devops skills if you must) and nobody seems to care about some corporation having the chat logs of your developers (and code snippets, and and and)

                                                                                                1. 2

                                                                                                  Having tried to self host Matrix, the current server Synapse is a total pain to manage, super resource hungry, single threaded and as soon as you join big channels everything starts to crumble. The gateways are buggy or inefficient. Hopefully the new Go server will fix some of the pain points, but overall I found that self-hosting is great if you want to lose your time on debugging and managing servers instead of actually working on your projects.

                                                                                                  Right now I’m running The Lounge with IRC gateways and Bitlbee and it works great. Still some pain points and missing some slack features, but it’s all worth the RAM I save and the fact I can use IRC, Slack, Twitter, Facebook Messenger and Hangout in the same tab!

                                                                                                  1. 2

                                                                                                    I’ve been running my Matrix server for 6 months. It was dead simple to set up and requires no maintenance. I upgrade it regularly (I’m the maintainer on FreeBSD) and the IRC bridge works fine, but it is inefficient.

                                                                                                    I don’t know what OS you ran it on, but it’s quite simple to use on FreeBSD.

                                                                                                    edit: large rooms like the matrix dev room have no appreciable performance impact for me either…

                                                                                                    1. 1

                                                                                                      I don’t know, I ran it with avhost/docker-matrix docker image on a n1-standard-1 (3.75 GB RAM) instance in GCP along with the bridges and an HTTPS reverse proxy. After running it for a while, it could take me about 30 seconds to get my message acknowledged :| It could have been a bad config or slow I/O somewhere, in any case I gave up and won’t retry until Dendrite is stable. I had a much simpler setup that I used on a VPS a year ago until I got tired of cleaning the logs and message history that filled up the disk (there was/is no easy way to manage history and properly clean it…). The logs are also so noisy, seems like the dev mismatched INFO level for DEBUG.

                                                                                                      1. 2

                                                                                                        You have to run a Postgres database too so I wouldn’t try to run it on that hardware. I’ve got 24 cores and 64GB RAM, NVME SSD for ZFS cache, etc.

                                                                                                        1. 1

                                                                                                          I find it fascinating that nobody wants to self host […]

                                                                                                          You have to run a Postgres database too so I wouldn’t try to run it on that hardware. I’ve got 24 cores and 64GB RAM, NVME SSD for ZFS cache, etc.

                                                                                                          Your last answer pretty much explains your first statement. I can’t wrap my head around the fact that I need a few thousand worth of machine to exchange text messages with a few contacts.

                                                                                                          1. 1

                                                                                                            I’m running dozens of services on this machine. Which cost me $400 on eBay 2 years ago. Servers aren’t expensive. VMs are terribly overpriced. Matrix takes up about 1% CPU and 2GB of RAM

                                                                                                  2. 1

                                                                                                    you have to consider the audience, and the tradeoff. the audience is everyone non-tech i work with… i’ve pined for the day non-tech colleagues could use irc, but it just ain’t ever gonna happen. the tradeoff is being ‘part of the team’ vs. left out. in a distributed team, there’s no question about what to do to adapt.

                                                                                                    for whatever reason, slack checked off the boxes that mattermost, hipchat, et al just didn’t. and i don’t see microsoft’s or google’s challenges breaking off any of slack’s pie.

                                                                                                    the question of self hosting is (in my opinion) irrelevant, just like for most folks now the question of self hosting email is irrelevant.

                                                                                                    1. 1

                                                                                                      I run a Mattermost server for friends and family. The experience is still less polished than Slack, although it’s catching up fast. The main problem is mobile OS integration; even fairly simple things (sharing images from the Gallery to Mattermost) are as yet unsupported, at least on Android.

                                                                                                      That said, at the rate it’s improving, it’ll be at parity soon. And for most cases it’s there already.

                                                                                                  1. 9

                                                                                                    I feel like this is pointless and somewhat childish. If you want to commit to an oath, join a professional order and be audited and actually accountable for your actions. The signature could have at least used a cryptographic signature or a signed commit.

                                                                                                    1. 3

                                                                                                      Childish is the first thought I had when I started reading this. I started reading and wondered “how old is this guy?” The language used definitely doesn’t help. The more serious it wants to be, the less seriously I can take it.

                                                                                                      I understand there are good intentions here, but it seems goofy to me to have some sort of oath. It’s like a digital pinky swear.

                                                                                                      1. 3

                                                                                                        It’s deeply amusing to me that out of all the work I’ve released publicly, this is the first to have the label “childish” applied.

                                                                                                        For the record, this includes quite a few joke libraries and a game where I made every sound effect with my voice.

                                                                                                        1. 2

                                                                                                          Don’t take it personally. I’m not calling you a child and looking at your work you definitely come off as someone mature. I could explain the childish sense by something that is to be taken seriously, but ends up as somewhat naive and relies on low-effort action without actual consequence. It gave me a similar feeling to the “Tag someone you love” image posts on Facebook… I’m sure it has good intentions, but in the end it is still too simple and vague to bring value to what already exists and it doesn’t bring any ideas about ways to enforce it.

                                                                                                          For the record, this includes quite a few joke libraries and a game where I made every sound effect with my voice.

                                                                                                          Joke libraries and a game with sound effects from your voice are not childish, they are just fun.

                                                                                                          No strong feeling :) Just trying to describe how I feel about this content.

                                                                                                          1. 1

                                                                                                            Yeah, I want to echo this. It’s childish in the naïve “send this to 10 people or you will have bad luck!” sort of way. I think “low-effort action without actual consequence” is the best way to describe it.

                                                                                                    1. 2

                                                                                                      Is it a wonder that slack is closing up after having established themselves? Embrace, Extend, Extinguish? Maybe look at matrix and riot.im as a replacement for slack. And start migration by bridging slack to matrix.

                                                                                                      1. 2

                                                                                                        Unfortunately the Slack bridge to matrix seems to be unmaintained. They talked about how they were looking into puppeting users over 1 year ago, but there was no effort in this direction since then. As long as matrix does not provide anything better than webhook integration to Slack I doubt anyone will move over. And that’s not talking about how managing your own matrix homeserver can be a pain.

                                                                                                        1. 1

                                                                                                          For the last year matrix has had a hard time with funding and little progress. But they got funding and the future is looking brighter

                                                                                                      1. 32

                                                                                                        I don’t see why this progress bar should be obnoxiously put at the top of the page. It’s cool if you wanna do a donation drive but don’t push it in the face of everybody who comes here. Honestly at first I thought this was a bar for site expense. Then I realised it’s to ‘adopt’ an emoji.

                                                                                                        1. 7

                                                                                                          Lobsters isn’t a daily visit for most readers, probably even for most users. They can’t see it to join in if there isn’t anything visible for it, and it has an id for adblocking if you prefer not to see it.

                                                                                                          1. 22

                                                                                                            Personally I check this site quite regularly on my mobile device… which doesn’t have an ad-blocker.

                                                                                                            1. 13

                                                                                                              That sounds awful. If you’re an android user, normal uBlock Origin works on Firefox for Android just like it does on desktop. :)

                                                                                                              1. 3

                                                                                                                Or use Block This!, which blocks ads in all apps.

                                                                                                                1. 3

                                                                                                                  Oh, that’s a cool little tool. Using a local VPN to intercept DNS is a neat trick. Unfortunately it doesn’t help in this case because it blocks requests to domains and not elements on a page via CSS selectors.

                                                                                                                  That does make me want to actually figure out my VPN to home for my phone and set up a pi-hole, though.

                                                                                                                2. 2

                                                                                                                  Ohh! Good to know, thanks.

                                                                                                                3. 2

                                                                                                                  Firefox 57+ has integrated adblocker nowadays, on both desktop and mobile; plus, there’s also Brave.

                                                                                                                4. 27

                                                                                                                  It is still annoying that I need to set up my adblocker to fix lobste.rs. So much for all the rant articles about bad UX/UI in here.

                                                                                                                  1. 11

                                                                                                                    maybe one could just add a dismiss button or something like that? I don’t find it that annoying, but I guess it would be a pretty simple solution.

                                                                                                                    1. 1

                                                                                                                      I concur, either a client side cookie or session variable.

                                                                                                                      1. 1

                                                                                                                        Well, yeah… that’s how you could implement it, and I guess that would be the cleanest and simplest way?

                                                                                                                    2. 2

                                                                                                                      It’d be great to see data about that! Personally I visit daily or at least 3 times a week. Lack of clutter and noise is one of the biggest advantages of Lobsters. And specifically, I looked at the link, and I have no idea who this Unicode organization is, or their charitable performance, or even if they need the money. I’d imagine they are mostly funded by the rich tech megacorps?

                                                                                                                      1. 1

                                                                                                                        [citation needed] ;-)

                                                                                                                      2. 3

                                                                                                                        Adopting an emoji isn’t the end goal: the money goes to Unicode, which is a non-profit organization that’s very important to the Internet.

                                                                                                                        1. 5

                                                                                                                          If this bar actually significantly annoys you, I’m surprised you haven’t literally died from browsing the rest of the internet.

                                                                                                                        1. 13

                                                                                                                          I’ve changed my tune on Bitcoin recently for two reasons, despite still liking its ideals:

                                                                                                                          1. The government intervening in the economy is sometimes a feature, not a bug. In times of economic crisis, for example, the government has unique powers to help. Sometimes it is a bug, but Bitcoin seems to assume that any intervention by any centralized entity, at ALL, is malicious. In fact I intend to take an economics class to be better informed on this very issue.

                                                                                                                          2. The energy use is unconscionable. We’re already destroying the environment at a ridiculous pace and the Bitcoin space (to me, at least, bearing in mind that I don’t REALLY pay attention) seems to be full of anarchists who are determined to have their uncontrollable system at any cost, with absolutely no regard to seemingly unrelated consequences.

                                                                                                                          1. 13

                                                                                                                            The government intervening in the economy is sometimes a feature, not a bug.

                                                                                                                            If by “sometimes a feature” you mean “the only thing that prevents repeated economic collapse” then yes.

                                                                                                                            If you’re interested at all then definitely take a macroeconomics class. And history while you’re at it, especially pre-industrial and early industrial America.

                                                                                                                            1. 5

                                                                                                                              Sometimes == every time bitcoiners fall for a scam and lose money (and suddenly drop all the libertarian stuff and start crying for government help).

                                                                                                                              Look at /r/Buttcoin, the amount of fraud in the cryptocurrency space is beyond ridiculous.

                                                                                                                              1. 1

                                                                                                                                I agree with your observation, but I think understanding the cause is more useful than poking fun at it. I’ve gotten the sense that falling for scams is an expected cost to a certain constituency, specifically the people who are using cryptocurrency as a medium of exchange for things the governments they live under don’t approve of. I don’t expect the prevalence of scams to scare that group away. People who don’t share that driving concern should take note and understand that it’s always likely to be high-risk.

                                                                                                                              2. 1

                                                                                                                                Not that I’m in favor of Bitcoin at all (and I seriously agree with your first point) but I’ve also seen arguments that Bitcoin is used in some places (perhaps it was China?) to help mop up excess energy from renewable sources when they’re at peak output hours. I think the argument went that when the sun is high in the sky on a clear day, or when the wind is really blowing, energy companies will often turn off windmills or solar panels to avoid producing too much energy. In this case, Bitcoin can help use up that excess energy, and by turning it into cash, become a sort of renewable subsidy that makes it more attractive to build more renewable energy sources. I do know there are definitely places where a renewables-powered grid overproduces so much that energy prices become negative.

                                                                                                                                Perhaps this isn’t true, but I think it illustrates that maybe the energy problem is a more complex issue than it appears?

                                                                                                                                1. 7

                                                                                                                                  Sounds like some fairy tale told by miners implying they are not mining 24h/7d a week.

                                                                                                                                  1. 3

                                                                                                                                    Mm, that matches my understanding of how energy production works, but it’s also the case that that energy could go into other things. I think it was actually here on lobste.rs that I learned about kinetic energy storage (roll a ball up a hill, to roll it back down later… that sort of thing) and how it’s used to smooth out energy demand.

                                                                                                                                    There’s no way that Bitcoin miners aren’t making things difficult for grid operators. I agree with @isra17 that it’s an extremely self-serving claim.

                                                                                                                                  2. -1

                                                                                                                                    The energy seems like a fairly trivial cost to me. It’s a fraction of a percent. I’m willing to pay that price, and I’m also optimistic about the future of renewable energy.

                                                                                                                                    1. 13

                                                                                                                                      The per-transaction electricity cost was 215kwh back in November - that’s not trivial in the slightest. At market rates where I live it’s $7 or so.

                                                                                                                                      Credit card processors use several orders of magnitude less per payment made.

                                                                                                                                      1. 1

                                                                                                                                        Well, in dollar terms it either is worth it or it’s not. I’m not particularly concerned about the environmental impact.

                                                                                                                                        1. 9

                                                                                                                                          And whom do you expect to deal with the environmental consequences?

                                                                                                                                          1. 2

                                                                                                                                            whoever’s dealing with it for the other 99.9% of the environmental impact from non-renewable energy sources

                                                                                                                                            1. 7

                                                                                                                                              That would be your descendants.

                                                                                                                                              1. 2

                                                                                                                                                o/ yo

                                                                                                                                                1. 0

                                                                                                                                                  if their solution ends up involving defining standards for sufficiently useful computations, well, uh, godspeed

                                                                                                                                        2. 9

                                                                                                                                          A fraction of a percent of what? Energy use? Today Bitcoin is estimated to use as much energy as the country of Denmark. By 2020 it is estimated it’ll use literally as much energy as we use in the entire planet today. I don’t particularly see how that’s trivial. Source: https://arstechnica.com/tech-policy/2017/12/bitcoins-insane-energy-consumption-explained/

                                                                                                                                          1. 6

                                                                                                                                            Today Bitcoin is estimated to use as much energy as the country of Denmark

                                                                                                                                            That’s far out of date. Denmark consumes approximately 3.5GW; bitcoin is now at about 5GW, somewhere between Hong Kong and Bangladesh.

                                                                                                                                            https://digiconomist.net/bitcoin-energy-consumption

                                                                                                                                            By 2020 it is estimated it’ll use literally as much energy as we use in the entire planet today.

                                                                                                                                            No credible extrapolation is possible, obviously. Energy usage will drop fast when the bubble bursts.

                                                                                                                                            1. 0

                                                                                                                                              Because denmark has like 5 million people? I’m about as worried about bitcoin as I am another denmark popping up (the world gains like 12x the population of denmark every year)

                                                                                                                                              edit: re 2020: https://xkcd.com/605/

                                                                                                                                            2. 1

                                                                                                                                              I know next to nothing about cryptocurrencies, but my understanding is that Proof of Stake means we don’t need to use this energy. Many coins don’t use this because they weren’t sure whether it was secure. But recently the IOHK team has proven a secure Proof of Stake algorithm for Cardano.

                                                                                                                                              Is there a downside to this approach?

                                                                                                                                              1. 4

                                                                                                                                                The “Criticism” section on the Wikipedia article on Proof of Stake lists a few:

                                                                                                                                                https://en.wikipedia.org/wiki/Proof-of-stake#Criticism

                                                                                                                                                Note that Wikipedia is an ideological battleground when it comes to cryptocurrencies, so make sure to check the citations for a more comprehensive view.

                                                                                                                                                1. 2

                                                                                                                                                  I can’t find the source for this despite having seen it just last night (sigh) but IOHK apparently makes you generate your own seed, which has resulted in lots of people using web-based generators that then steal your money. This is a really bad idea and it’s not that hard to read from /dev/urandom and then say “here write this thing down.”

                                                                                                                                                  So I wouldn’t really trust them to have done stuff correctly, including Proof of Stake. Obviously that doesn’t mean it can’t be done or even that they haven’t done it - just that I would like to see a lot of scrutiny from experts.

                                                                                                                                                  1. 2

                                                                                                                                                    So I wouldn’t really trust them to have done stuff correctly, including Proof of Stake.

                                                                                                                                                    The point is you don’t have to, they have proofs.

                                                                                                                                            1. 3

                                                                                                                                              By this logic, nothing ever would have had to have been invented. At least if you carry it through to the end, it the way stated, not the way it was intended.

                                                                                                                                              1. 12

                                                                                                                                                This particular line of refutation and critique is probably the most common refrain I hear when this sort of article or sentiment is brought up. It’s also wrong–note the “maybe” in the post title.

                                                                                                                                                Let’s not flatter ourselves: yet another “HTML DOM but with better syntax”, “jQuery but with cleaner syntax”, “HTML DOM but with databinding”, “Angular but with smarter data-binding this time”, “Angular but with version-breaking and typescript”, “HTML DOM but with better diffing”, “React but artisanal”, “React but artisanal but also angular”, is hardly invention in the sense you probably mean it.

                                                                                                                                                1. 10

                                                                                                                                                  Our use of common tools has forced us into fixing the things that bother us about them, instead of developing truly new ways of solving our problems. The common solutions don’t make us think, and destroy our ability to think outside the box.

                                                                                                                                                  What would software be like if the free software movement never happened? Instead of “buying” loose fitting uniforms, I bet we’d all be excellent fabric makers, and tailors of original clothes that fit just right.

                                                                                                                                                  1. 3

                                                                                                                                                    And worse, now that we have too many tools to ever fix any of them, there is actually an entire generation of “developers” who simply have no capacity to write quality, durable code.

                                                                                                                                                    What would software be like if the free software movement never happened? Instead of “buying” loose fitting uniforms, I bet we’d all be excellent fabric makers, and tailors of original clothes that fit just right.

                                                                                                                                                    Some of us anyway.

                                                                                                                                                    But unlike good clothing, most people cannot “see” code, so very few people appraise it’s quality – A lot of people actually think they’re paying for code, that somehow more code is more valuable.

                                                                                                                                                    Weird.

                                                                                                                                                    I actually welcome legislation that puts programmers and business on the hook legally (with proper teeth, like the GDPR promises to have) for their work, because I would like to always do good work, but I know I can’t do that while being competitive.

                                                                                                                                                    1. 3

                                                                                                                                                      And worse, now that we have too many tools to ever fix any of them, there is actually an entire generation of “developers” who simply have no capacity to write quality, durable code.

                                                                                                                                                      This isn’t any different from how it used to be. For as long as we’ve had computers we’ve had people worried about developers writing bad, brittle code. The usual solution? High quality, well tested components we know are good, so that developers have fewer places to screw up.

                                                                                                                                                      Not having to roll our own crypto is, on the whole, a good thing.

                                                                                                                                                      1. 1

                                                                                                                                                        And worse, now that we have too many tools to ever fix any of them, there is actually an entire generation of “developers” who simply have no capacity to write quality, durable code.

                                                                                                                                                        You sound old and grumpy, it’s gonna be alright. I’ve seen old people and young generation alike write shitty (and good) code. At least by reusing existing components people might have an easier time building systems or complex programs relying on widely used and tested patterns.

                                                                                                                                                        I actually welcome legislation that puts programmers and business on the hook legally (with proper teeth, like the GDPR promises to have) for their work

                                                                                                                                                        How would such legislation going to encourage individuals from taking risk and rewrite their own components instead of reusing existing more tested and widely used ones?

                                                                                                                                                        because I would like to always do good work, but I know I can’t do that while being competitive.

                                                                                                                                                        If you need legislation to be able to market your good work, “maybe it’s you”.

                                                                                                                                                        1. 1

                                                                                                                                                          That probably results in more money for insurance companies but not better software.

                                                                                                                                                          1. 4

                                                                                                                                                            I’m confident if we are planning more, writing better specs, coding more carefully, focusing on reducing code size, and doing more user-testing, then software will be better.

                                                                                                                                                            And there may always be a gap: As we learn where it is, we can probably refine those fines…

                                                                                                                                                        2. 3

                                                                                                                                                          What if I don’t want to be a tailor, though? I want to be a welder, but I can’t, because I spend all my time tailoring!

                                                                                                                                                          Component programming has, historically, been the hoped-for solution to the software crisis. Parnas made that a central advantage of his work on modules, high-correctness software is predicated on using verified components, etc etc. It might not have lived up to its standards, but it’s a lot better than where we used to be.

                                                                                                                                                          Consider the problems you want to think about, and then consider how hard it would be to solve them if you had to write your own compiler.

                                                                                                                                                          1. 2

                                                                                                                                                            It might not have lived up to its standards, but it’s a lot better than where we used to be.

                                                                                                                                                            Hmm. Can you elaborate on why it’s better? I feel that in a lot of ways it’s worse!

                                                                                                                                                            Consider the problems you want to think about, and then consider how hard it would be to solve them if you had to write your own compiler.

                                                                                                                                                            We’ve trained ourselves to make a base set of assumptions about what a computer is, and has to be. A C compiler is just a commodity tool, these days. But, obviously, people have invented their own languages, and their own compilers.

                                                                                                                                                            But, consider a very basic computer, and Forth. Forth is simple enough that you can write very big functioning systems, in a small amount of code. Consider the VPRI Steps project that’s been attempting to build an entire computing system in a fraction of the code modern systems take. What would things look like, then?

                                                                                                                                                            1. 1

                                                                                                                                                              Hmm. Can you elaborate on why it’s better? I feel that in a lot of ways it’s worse!

                                                                                                                                                              The most popular Python time library, Arrow, is 2000+ lines of core code and another 2000+ lines of localization code. If you tried to roll your own timezone library you absolutely will make mistakes that will bite you down the line, but Arrow is battle-tested and, to everybody’s knowledge, correct.

                                                                                                                                                              Consider the VPRI Steps project that’s been attempting to build an entire computing system in a fraction of the code modern systems take. What would things look like, then?

                                                                                                                                                              That report lists 17 personnel and was funded by a 5 million dollar grant. I don’t have that kind of resources.

                                                                                                                                                              1. 2

                                                                                                                                                                When was the last time you wrote code that required accurate timezones (UTC is almost always OK for what I do)? And, to be honest, 4,000 lines doesn’t seem like enough to be exhaustive here…

                                                                                                                                                                But, I don’t disagree that there are exceptional things that we should all share.

                                                                                                                                                                Just that, in the current state of things, relying on an external library responsibly, requires a deep understanding of it to use it properly. You can’t rely on documentation—it’s incomplete. You can’t rely on its tests—they don’t exhaustively prove it works. You can’t trust the names of functions—they lie, or at least have ambiguity. And, more often than not, you care about only a small percentage of the functionality, anyway.

                                                                                                                                                                That report lists 17 personnel and was funded by a 5 million dollar grant. I don’t have that kind of resources.

                                                                                                                                                                The point wasn’t “we should all go define 2,000 line systems that do everything.” It was, apparently poorly, attempting to point out that there may have been another way to “compute,” that would have made rolling everything yourself more appropriate. I think it’d be pretty hard to go back to a place where that’s true—the market has spoken, and it’s OK with bloated, completely broken software that forces them to upgrade their computers every 3 years just to share photos in a web browser and send plain text email to their families.

                                                                                                                                                                1. 1

                                                                                                                                                                  When was the last time you wrote code that required accurate timezones (UTC is almost always OK for what I do)? And, to be honest, 4,000 lines doesn’t seem like enough to be exhaustive here…

                                                                                                                                                                  Maybe not timezones, but definitely https, authentication libraries, web scrapers, crypto, unit testing frameworks, standard library stuff…

                                                                                                                                                                  I think it’d be pretty hard to go back to a place where that’s true—the market has spoken, and it’s OK with bloated, completely broken software that forces them to upgrade their computers every 3 years just to share photos in a web browser and send plain text email to their families.

                                                                                                                                                                  Right, but I’m asking historically if this was caused by the rise of component-based programming, as opposed to just being correlated with it, or even if it happened despite it! It’s really hard to prove a counterfactual.

                                                                                                                                                        3. 0

                                                                                                                                                          So… do you not believe in evolution, then?

                                                                                                                                                          1. 1

                                                                                                                                                            Tbh, when I read “maybe it’s you”, I understand this as a stylistic device, and don’t read it literally. And I guess it depends on the situation, I totally agree with you that 99% of the “new” stuff invented for the web has no need to be created (which one could generalize to the whole economy if one would want to). I just want to say that there are situations where being open to new ideas wouldn’t be bad, because sometimes bad ideas are kept just because of a network effect.

                                                                                                                                                            And if we’re already talking about what exactly was written (I should have clarified this, so it’s my fault), I was talking about the title. I know the text says something different, that’s why I said “not the way it was intended”.

                                                                                                                                                            1. 2

                                                                                                                                                              Author here. Thank you for your feedback! You’re right: the title may be construed as an accusative. For the record: it is not. I’ll take better care with such things going forward!

                                                                                                                                                        1. 1

                                                                                                                                                          Cierge utilises reCAPTCHA to ensure magic codes (which expire quickly) are not brute-forceable.

                                                                                                                                                          Is there server side account-based throttling or locking? Relying exclusively on reCAPTCHA means that anyone bypassing it will be able to easily bruteforce the small magic code.

                                                                                                                                                          1. 1

                                                                                                                                                            Bypassing reCAPTCHA doesn’t sound easy. Your first link mentions, at the end of the post, that it doesn’t work anymore. And the second link is based on humans solving reCAPTCHA with an average response time of 10s, which is way too long to brute force. Am I missing something? Anyway, with or without reCAPTCHA, throttling is a must have.

                                                                                                                                                            1. 1

                                                                                                                                                              My point with the first 2 links is to show that every once in a while someone finds some way to bypass reCAPTCHA. reCAPTCHA is not provably secure, it’s just security through a bunch of heuristics. The last link shows how with a few bucks you can solve many thousands of reCAPTCHA. 10s might look slow, but you can do them concurrently and if there’s no throttling, the attacker has as many tries as he wants, so he’s bound to win sooner or later.
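
The server-side throttling asked about in the exchange above, as an added sketch that is not part of the thread and is not Cierge's code: each issued code gets a fixed guess budget and each account a fixed number of codes per window, so the attacker's success chance is bounded regardless of whether the CAPTCHA holds. The class name, the in-memory storage and every limit below are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# All limits are assumed values for illustration, not taken from any project.
CODE_DIGITS = 6      # size of the magic code
CODE_TTL = 300       # seconds a code stays valid
MAX_ATTEMPTS = 5     # guesses allowed against one issued code
MAX_ISSUES = 3       # codes an account may request per window
ISSUE_WINDOW = 900   # seconds


@dataclass
class _Pending:
    digest: bytes
    expires_at: float
    attempts_left: int


class MagicCodeVerifier:
    """Per-account guess budget enforced on the server, CAPTCHA or not."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # codes are stored only as keyed digests
        self._pending = {}                   # account -> _Pending
        self._issued_at = {}                 # account -> timestamps of recent issues

    def _digest(self, account, code):
        msg = f"{account}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account):
        """Return a fresh code, or None when the account is over its issue limit."""
        now = self._clock()
        recent = [t for t in self._issued_at.get(account, []) if now - t < ISSUE_WINDOW]
        self._issued_at[account] = recent
        if len(recent) >= MAX_ISSUES:
            # Refusing here matters: a new code would also mint a new guess budget.
            return None
        recent.append(now)
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = _Pending(
            self._digest(account, code), now + CODE_TTL, MAX_ATTEMPTS
        )
        return code

    def verify(self, account, code):
        pending = self._pending.get(account)
        if pending is None:
            return False
        if self._clock() >= pending.expires_at:
            del self._pending[account]
            return False
        pending.attempts_left -= 1
        ok = hmac.compare_digest(pending.digest, self._digest(account, code))
        if ok or pending.attempts_left == 0:
            # Single use on success; burned once the guess budget is spent.
            del self._pending[account]
        return ok


def guess_bound():
    """Upper bound on an attacker's success chance per account per window."""
    return MAX_ISSUES * MAX_ATTEMPTS / 10 ** CODE_DIGITS
```

Limits keyed only on the account let anyone exhaust a victim's budget, so a real deployment would pair this with per-source limits.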

                                                                                                                                                          1. 25

                                                                                                                                                            Spectre PoC: https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6 (I had to inline one #DEF, but otherwise works)

                                                                                                                                                            1. 5

                                                                                                                                                              I’ve tested it with some success on FreeBSD/HardenedBSD on an Intel Xeon. It works on bare metal, but doesn’t work in bhyve.

                                                                                                                                                              1. 4

                                                                                                                                                                oh god that runs quickly. terrifying.

                                                                                                                                                                1. 3
                                                                                                                                                                  $ ./spectre
                                                                                                                                                                  Reading 40 bytes:
                                                                                                                                                                  Illegal instruction (core dumped)
                                                                                                                                                                  

                                                                                                                                                                  That was kinda disappointing. (OpenBSD on Hyper-V here.)

                                                                                                                                                                  1. 10

                                                                                                                                                                    It worked for me on OpenBSD running on real hardware.

                                                                                                                                                                    1. 1

                                                                                                                                                                      That was kinda disappointing. (OpenBSD on Hyper-V here.)

                                                                                                                                                                      perhaps it was the cache flush intrinsic.

                                                                                                                                                                    2. 2

                                                                                                                                                                      I’m impressed how easy it is to run this PoC - even for somebody who didn’t do C programming for years. Just one file, correct the line

                                                                                                                                                                      #define CACHE_HIT_THRESHOLD(80)

                                                                                                                                                                      to

                                                                                                                                                                      #define CACHE_HIT_THRESHOLD 80

                                                                                                                                                                      then compile: gcc -O0 -o spectre spectre.c

                                                                                                                                                                      run:

                                                                                                                                                                      ./spectre

                                                                                                                                                                      and look for lines with “Success: “.

                                                                                                                                                                      I am wondering if there is some PoC for JavaScript in the Browser - single HTML page with no dependencies containing everything to show the vulnerability?

                                                                                                                                                                      1. 2

                                                                                                                                                                        I’ve been playing quickly with the PoC. It seems to work just fine on memory with PROT_WRITE only, but doesn’t work on memory protected with PROT_NONE. (At least on my CPU)

                                                                                                                                                                      1. 1

                                                                                                                                                                        As someone else below said, you can just always return “password is incorrect” regardless of whether the user exists. The key is not to vary the message based on whether the user ID entered exists or not.

                                                                                                                                                                        The “ways to deduce a username” are also quite specific and only work because logins are username based not email based AND because GitHub profiles are public.

                                                                                                                                                                        But hey, I guess “suggested method X doesn’t work quite as expected in situations Y and Z” isn’t as catchy as “X is bullshit” now is it?

                                                                                                                                                                        1. 1

                                                                                                                                                                          Have you read the article? “password is incorrect” doesn’t change anything. You could remove the error message and it wouldn’t change anything. The point to the article is that whatever you try to do, you can simply go to the sign up page and check if you can create an account under a given username or email and check the result. It is not specific to whether you use email, username or github profiles.

                                                                                                                                                                          1. 3

                                                                                                                                                                            Login page and signup page are two separate things where we have the same goal: don’t leak existence of user accounts.

                                                                                                                                                                            On the login screen, returning the same error message all the time achieves this.

                                                                                                                                                                            On the signup screen, the solution is simple: make usernames display only (i.e. not used for login) and don’t show “already registered” errors for email.
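
The approach described in the comment above (one login error for every failure, display-only usernames, no "already registered" error for email), as an added sketch that is not part of the thread. The class, the reply strings and the outbox list standing in for a mail sender are assumptions; the result of a signup is reported only to the address owner by email.

```python
import hashlib
import hmac
import secrets

GENERIC_LOGIN_ERROR = "Invalid email or password."
GENERIC_SIGNUP_REPLY = "Check your inbox to continue."
KDF_ITERATIONS = 200_000  # assumed work factor


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


class Accounts:
    def __init__(self):
        self._users = {}   # email -> (salt, password_hash, display_name)
        self.outbox = []   # (recipient, message kind); stand-in for a mail sender
        # Dummy credential: unknown emails cost the same KDF work as known ones.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = _kdf(secrets.token_hex(16), self._dummy_salt)

    def signup(self, email, display_name, password):
        email = email.strip().lower()
        salt = secrets.token_bytes(16)
        pw_hash = _kdf(password, salt)  # done on both paths to keep timing alike
        if email in self._users:
            # Tell the address owner by mail; the web response stays the same.
            self.outbox.append((email, "already-registered-notice"))
        else:
            # display_name is never a login key, so it needs no uniqueness check
            # and its availability reveals nothing.
            self._users[email] = (salt, pw_hash, display_name)
            self.outbox.append((email, "confirm-address"))
        return GENERIC_SIGNUP_REPLY

    def login(self, email, password):
        record = self._users.get(email.strip().lower())
        if record is not None:
            salt, stored = record[0], record[1]
        else:
            salt, stored = self._dummy_salt, self._dummy_hash
        matches = hmac.compare_digest(_kdf(password, salt), stored)
        if matches and record is not None:
            return "OK"
        return GENERIC_LOGIN_ERROR
```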

                                                                                                                                                                        1. 14

                                                                                                                                                                          A logo vulnerability for a local exploit without privsec for a software with a small market share, running on a system with an even smaller market share. I’m always interested about writeups, but I doubt the landing/marketing page was required.

                                                                                                                                                                          1. 14

                                                                                                                                                                            Yes but think about context: they’re working with GIMP. 😜

                                                                                                                                                                            1. 1

                                                                                                                                                                              I think I’m missing the joke here.

                                                                                                                                                                              1. 3

                                                                                                                                                                                I think the joke is that since the vulnerability is in an image editor, that of course they had to make a logo for the vulnerability using the image editor.

                                                                                                                                                                            2. 5

                                                                                                                                                                              I think being picky about the distinction between “logo deserving vuln” and “just a CSVCVE [1]” is silly, because whatever we were doing before to communicate security issues and get end users to pay attention wasn’t working at all. I don’t know if this is better, but at least it’s different.

                                                                                                                                                                              [1]: I am currently working on a CSV issue… blah

                                                                                                                                                                              1. 4

                                                                                                                                                                                Its worth noting that the page says that no one from the Gimp team seems to take them seriously. The publicity that this site will get might help that change.

                                                                                                                                                                                1. 1

                                                                                                                                                                                  Did you see what @hanno responded to this on twitter?

                                                                                                                                                                                  There were some comments criticizing me for making such a buzz about FLIMP. But one day later we have default HTTPS downloads for GIMP and people start working on merging patches & fixing stuff. It worked.

                                                                                                                                                                                1. 17

                                                                                                                                                                                  If only json had allowed trailing commas in lists and maps.

                                                                                                                                                                                  1. 9

                                                                                                                                                                                    And /* comments! */

                                                                                                                                                                                    1. 3

                                                                                                                                                                                      And 0x... hex notation…

                                                                                                                                                                                      1. 3

                                                                                                                                                                                        Please no. If you want structured configs, use yaml. JSON is not supposed to contain junk, it’s a wire format.

                                                                                                                                                                                        1. 4

                                                                                                                                                                                          But YAML is an incredibly complex and truth be told, rather surprising format. Every time I get it, I convert it to JSON and go on with my life. The tooling and support for JSON is a lot better, I think YAMLs place is on the sidelines of history.

                                                                                                                                                                                          1. 4

                                                                                                                                                                                            it’s a wire format

                                                                                                                                                                                            If it’s a wire format not designed to be easily read by humans, why use a textual representation instead of binary?

                                                                                                                                                                                            If it’s a wire format designed to be easily read by humans, why not add convenience for said humans?

                                                                                                                                                                                            1. 1

                                                                                                                                                                                              Things don’t have to be black and white, and they don’t even have to be specifically designed to be something. I can’t know what Douglas Crockford was thinking when he proposed JSON, but the fact is that since then it did become popular as a data interchange format. It means it was good enough and better than the alternatives at the time. And it still has its niche despite a wide choice of alternatives along the spectrum.

                                                                                                                                                                                              What I’m saying is that adding comments is not essentially a sure-fire way to make it better. It’s a trade-off, with a glaring disadvantage of being backwards incompatible. Which warrants my “please no”.

                                                                                                                                                                                          2. 1

                                                                                                                                                                                            http://hjson.org/ is handy for human-edited config files.

                                                                                                                                                                                            1. 1
                                                                                                                                                                                            2. 5

                                                                                                                                                                                              The solutions exist!

                                                                                                                                                                                              https://github.com/json5/json5

                                                                                                                                                                                              I don’t know why it’s not more popular, especially among go people.

                                                                                                                                                                                              There is also http://json-schema.org/

                                                                                                                                                                                              1. 3

                                                                                                                                                                                                I had to do a bunch of message validation in a node.js app a while ago. Although as Tim Bray says the spec’s pretty impenetrable and the various libraries inconsistent, once I’d got my head round JSON Schema and settled on ajv as a validator, it really helped out. Super easy to dynamically generate per message-type handler functions from the schema.

                                                                                                                                                                                                1. 2

                                                                                                                                                                                                  One rather serious problem with json5 is its lack of unicode.

                                                                                                                                                                                                2. 3

                                                                                                                                                                                                  I think this only shows that JSON has chosen tradeoffs that make it more geared to be edited by software, but has the advantage of being human editable/readable for debugging. JSON as config is not appropriate. There are so many more appropriate formats (toml, yaml or even ini come to mind), why would you pick the one that doesn’t allow comments and nice sugar such as trailing commas or multiline strings. I like how kubernetes does use YAML as its configuration files, but seems to work internally with JSON.

                                                                                                                                                                                                  1. 8

                                                                                                                                                                                                    IMO YAML is not human-friendly, being whitespace-sensitive. TOML isn’t great for nesting entries.

                                                                                                                                                                                                    Sad that JSON made an effort to be human-friendly but missed that last 5% that everyone wants. Now we have a dozen JSON supersets which add varying levels of complexity on top.

                                                                                                                                                                                                    1. 11

                                                                                                                                                                                                      “anything whitespace sensitive is not human friendly” is a pretty dubious claim

                                                                                                                                                                                                      1. 5

                                                                                                                                                                                                        Solution: XML.

                                                                                                                                                                                                        Not even being ironic here. It has everything you’d want.

                                                                                                                                                                                                        1. 5

                                                                                                                                                                                                          And a metric ton of stuff you do not want! (Not to mention…what humans find XML friendly?)

                                                                                                                                                                                                          This endless cycle of reinvention of S-expressions with slightly different syntax depresses me. (And yeah, I did it too.)

                                                                                                                                                                                                          1. -5

                                                                                                                                                                                                            Triggered.

                                                                                                                                                                                                            1. 13

                                                                                                                                                                                                              Keep this shit off lobsters.