1. 24

    Original linker here.

    I think it’s ridiculous. Literally every link aggregator and forum that has NSFW/“sensitive” tagging quickly realizes that nobody defines it the same and they should have been more specific!

    If you want to filter out anything having to do with sex, then have a sex tag. Same goes for graphic/gory images. Also, we should differentiate between the word “sex” in writing and photos of people having sex, so we’ll want a sexual imagery tag (and then, to be fair to the weebs, hentai, yaoi, yuri, futa and the rest so they can still see just the types they approve of). Plus a tag or, better yet, trigger warnings for my acute trypophobia. And then a tag for profanity because I might have children walk behind me while I’m at a bus stop and I don’t want some kid picking up new words because of me. Oh, and tag anything mentioning my employer’s competitor, because I don’t want to be caught with their logo big as day on my screen when my boss walks by. Plus any posts linking to Linux newsgroups will need a threats of physical violence tag because of that truculent Fin!

    Or we can just remain a technology-focused link aggregator and flag+remove anything off-topic and leave the things that are reasonable for that site description, even if they have the horrible, no-good, very bad word “sex”.

    1. 8

      Please don’t get overboard. This response draws in a lot of unrelated things that didn’t happen here and we generally react on actual issues. Many of the things you describe have not happened, so it’s no use to bring them into the discussion. For example, no one mentioned trigger warnings, it’s you introducing them. (we can have a trigger warning discussion elsewhere, I find them useful for $reasons, but have had no practical need here)

      As useless as I find an NSFW or sensitive tag, keeping the discussion at a serious and constrained level is also important. It’s a valid point to raise, please don’t make it seem like is not.

      My stance on the issue is that your title made it sufficiently clear what the topic of linked post is.

      1. 12

        This is not about what any of us may think—it’s about what our respective employers may think, and I’m pretty sure they are, with few exceptions, pretty conservative on the issue.

        I don’t think your slippery slope is very compelling. What’s being proposed is a single tag to broadly indicate to employed lobsters—most of us, by all indications—that a given story could generate awkward conversations with one’s boss. I think it’s pretty clear what “NSFW” means, and objective criteria aren’t required—the suggestion mechanism will handle edge cases just fine.

        1. 5

          Yep. So, I look at aggregators on my phone so nobody can see any stuff that pops up. Few workplaces would ban smartphones but allow people to goof off on computers. Seems like it’s easy to solve for people worrying about it. Plus, I dont force others to put work into meeting my preferences that came with the job I chose.

          I dont object to a nsfw tag, though. It’s pretty common practice on social media. Im for courtesy. Im just also for realism. People concerned about a web page getting them fired should take precautions cuz this is random people on the Internet posting stuff.

          1.  

            What is Not Safe For Work? Here in the United States, nudity is pretty much Not Safe For Work, but in Europe, maybe not (I don’t know, I don’t live in Europe). Conversely, violence is okay here in the United States (sadly) but it’s probably Not Safe For Work in Europe.

            Much better then to have tags like “nudity”, “sexual imagry”, “violence” etc. than just one NSFW tag.

            1.  

              If it’s not safe for your work, suggest the tag. If it is don’t worry about it. I’d rather get some false positives than some false negatives. After all I can always open on my phone with the tag not hidden. I think tagging with nudity, sexual imagery etc is way too complicated, and frankly I don’t care why it’s not safe for work. I just care that someone felt that they couldn’t show it at their job.

            2.  

              it’s about what our respective employers may think

              I’ll bite - your employeer’s unreasonable work-monitoring policies should not be our problem or nuisance.

              1. 8

                I completely fail to see how an nsfw tag rises to the level of a problem or a nuisance.

                This is not about “work monitoring”. My workplace is fairly permissive, but it would still be awkward if my boss happened to see an article about smart dildoes on my screen. Many, many workplaces would go beyond just an awkward moment. I think it’s safe to say that most users here are employed, and I think it’s also safe to say that most are not employed at a workplace so free-wheeling as to be completely unconcerned if its employees are visiting inappropriate pages.

                1. 5

                  Sure, but if an article about smart dildoes is on your screen, you already clicked a link that says “Deldo is a sex toy control and teledildonics mode for Emacs”. How would the tag have helped you? It’s not like someone hid the nature of the content.

                  1.  

                    That title is on the front page of lobste.rs regardless, and there’s nothing resembling a guarantee that titles are always so explicit.

            3. 8

              A rather sanctimonious response to someone who just wants to be able to look at a programming site at their job. If you think it could be NSFW, then mark it, if not and someone does they’ll mark it. I was the one who made the comment on your post, and I read the article at home. It’s really great that you work at a place where you can scroll through titles about dildos or are willing and wealthy enough to get fired out of principle. To those of us without those liberties, you sound like an asshole.

              1.  

                I find that problem description weird. If you can run into problems of getting fired for the link titles on a news page, we cannot reliably save you from that.

                1.  

                  Cool to ignore the thing that I said would work, and works for literally nearly every site on the web. Why is there push back on this? I’m not saying we should hide content, or censor anything. I merely would like to be able to filter out NSFW things at work. I find this whole conversation super weird. If there’s no way to filter NSFW content on lobsters, then I’m going to have to start reporting every “NSFW” article and that seems frankly draconian. A lot of american jobs are like this, you are the one in the bubble. I don’t think it’s right that our workplaces are like this, I think its shitty and regressive but I also am not in denial about the reality of the average american workplace.

              2. 5

                I agree. It’s impossible to come up with a consensus about what is “sensitive” and what’s not. I think that by looking at the title and the URL that is being linked to, a reasonable person should be able to decide if it’s “safe” for them to open the link. If it’s borderline, then don’t open it or click the “save” button and view it at home.

                1. 8

                  The linked poster wants the tag so that the title itself can be filtered from the homepage, not as a warning not to open it.

                  1.  

                    I understand the purpose of a filter. The filter will always be flawed because it will filter out what the hivemind/mods/vocal minority think is sensitive, not what the user thinks is sensitive and it will generate all sorts of low value meta discussion about whether an article is/isn’t sensitive.

                2. 2

                  Hey, I agree with your position–just running the process. :)

                  1. 13

                    It’s already tagged with emacs; that should make most reasonable people not want to open it anyhow 😉

                1. 2

                  I think the significant point here is they’ve removed the patent clause, but why go from 3-clause BSD to MIT, what does that achieve?

                    1. 2

                      What existing standard is JMAP competing with? The only protocol I’m aware of that already does what JMAP proposes is Exchange ActiveSync, which is proprietary and Microsoft charges a licensing fee for even clients to implement it.

                    1. 2

                      Looks like we’ve hit silver 🎉

                      1. 3

                        Interesting to see some backlash over this, Dave Winer’s objections have caught my eye in particular.

                        On the one hand I’m not sure google should be punishing sites for being http only.

                        On the other hand, what is the open web if your ISP can inject ads into a page where there are none?

                        1. 2

                          I didn’t see a link to Winer’s objection in the linked article. Do you have a reference?

                            1. 4

                              He sounds a bit, well

                              HTTPS is going to burn huge portions of the open web

                              His entire shtick seems to be that he thinks HTTPS is a conspiracy by Google to control the web, somehow.

                              1. 3

                                He seems to be confounding Google’s motives, which in fairness are probably not altruistic, with the technology itself which is obviously pretty sound.

                                1. 2

                                  I’ve literally never seen so much FUD in my life. He must have some fundamental misconception about how HTTPS works. I just don’t see how he could be arguing these points otherwise.

                                  I mean, I would be mad if Google really was doing what he thinks they’re doing. But they’re not. He’s also totally missing (ignoring?) the fact that Mozilla is also taking steps matching Google’s.

                                  1. 4

                                    I hate to say it because I have a lot of respect for his work, but I think basically he’s got a lot of domains and can’t be bothered converting them. I totally get the objections against the way Google are approaching this, but going after https itself is dumb.

                                    Why would you think it’s a bad thing that you can guarantee that the site you are viewing has not been tampered with?

                                    I’ve seen him call out Mozilla too in fairness.

                                    1. 1

                                      Meh. Honestly I have no issues with the way Google is approaching this. They (and Mozilla) give plenty of time before making even the tiniest changes, and in the end really all they’re doing is changing the UI to reflect reality.

                                      And without them doing that, people exactly like Winer just wouldn’t care.

                                    2. 3

                                      I’m skimming through, trying to understand it, and he never really states an objection anywhere that I can see. I am familiar with several reasonable objections to the concentration of power created by the CA system and to the burden it imposes on content creators; I just don’t see Winer actually expressing any of them.

                                2. 1

                                  On the other hand, what is the open web if your ISP can inject ads into a page where there are none?

                                  May be this is better served by adding signatures to the basic HTTP rather than forcing HTTPS everywhere?

                                  1. 2

                                    Wouldn’t that involve the same trust infrastructure but without actually encrypting the traffic?

                                    1. 4

                                      Not completely. The benefit is that intermediaries can cache it if required, and clients can verify the signature only when needed. With the forcing of HTTPS everywhere, a lot of caching infrastructure that existed previously has become useless without any alternatives. These are especially important in low bandwidth countries or communities relying on low bandwidth gateways.

                                1. 9

                                  It’s a bit sad he’s taking Rust mostly as a stepping stone to sell his thing. For example, he’s not showing any examples of code that actually has that problem. But, he’s definitely right.

                                  That being said, I find the following comment from Manish worth cross-posting: https://www.reddit.com/r/rust/comments/7sq8xl/unsafe_zig_is_safer_than_unsafe_rust/dt75ny6/

                                  I mean, unsafe C++ is also safer than unsafe rust (all zig is unsafe zig, all c++ is unsafe c++)

                                  Generally c++ does try to make it tedious to do really footgunny things. It’s hard to compare because UB is UB and nasal demons come out regardless, but ime the scarier kinds can be harder to trigger in c++ in many cases. Plus Rust has noalias. But this is very anecdotal, others may disagree.

                                  1. 4

                                    I don’t see why it is sad, it seems quite intelligent for him to adopt strategies that reach his target audience. What would really be sad is if he did all that work making zig and nobody gave it a shot because there was no reasonable way to get people to read about it.

                                    1. 4

                                      It’s generally not a good strategy to take simple shots at others. We’re as excited about zig as anyone else, but this sets up for an annoying and unnecessary competition.

                                      Framing it as “Zig gets pointer alignment right” and using Rust as an example later in the post is a much better strategy. People appreciate if you point out flaws in a not-too-annoying way. That’s for example a reason why I promote Pony at any moment I can, they really get this right.

                                      In any case, I definitely don’t intent on telling you how you should feel about it. I don’t like it and Rust happens to be the project I align with :).

                                      1. 4

                                        I understand what you’re saying about putting it in a positive light instead, but honestly I’m not sure I would’ve read the article if it had been “Zig gets pointer alignment right”.

                                        Rust has taken a similar approach, many times it has taken “shots” at C++ and Go (I say “Rust” but of course it’s about individuals) and that is fine IMO. It is both helpful for the language to get attention, and helpful for the reader to have it compared to something more widely known.

                                        I’m keeping an interested eye on Zig as I think it can turn into something great, that “better C” place that’s closer to C than Go and farther from C++ than Rust (that’s my impression of the language, I may be wrong as I don’t follow it that closely yet).

                                        1. 3

                                          I don’t see it as taking a shot at Rust. At the end of the day here’s what I think will happen:

                                          • Rust will improve handling of this particular problem (there’s no fundamental reason Rust can’t do it)
                                          • Zig gets some attention

                                          Both wins, in my book.

                                          1. 7

                                            I don’t see it as taking a shot at Rust.

                                            The post starts with a language that’s safe-by-default with the temporal safety very rare in general. Cyclone and Clay are only predecessors coming to mind. The post then drops into unsafe Rust to focus on its weakest area: an area where you really want external tools like symbolic analysis or fuzzers running on it like with C. Then, post compares another language, Zig, with less safety in general to Rust in unsafe mode to show unsafe Rust is less safe in a specific case. Readers will find that the post pushing Zig sniping a weak area of Rust is also written by the author of Zig.

                                            That is exactly how most language promoters take a cheap shot at another language getting more attention. You might have not intended it that way but many readers will perceive it that way. skade’s suggested framing here is always better for this sort of thing. Double true if you’re authoring both the post and a competing language.

                                            And good luck on Zig since it’s an interesting language in the system space which I love seeing people try to improve. :)

                                          2. 2

                                            It’s generally not a good strategy to take simple shots at others. We’re as excited about zig as anyone else, but this sets up for an annoying and unnecessary competition.

                                            It is a competition already, people can only use a finite number of programming languages. If someone is using rust on a project, they are not using zig and vice versa.

                                        2. 1

                                          Not requiring a keyword to do unsafe operations doesn’t mean all code in a language is unsafe, it just isn’t explicitly spelled out when it is.

                                          1. 6

                                            Sure, but it means that any line of code is potentially unsafe.

                                            1. 5

                                              I like that the unsafe keyword in Rust makes it explicit. Makes it very easy to grep for unsafe behavior without additional tooling. Also frees up the mind from remember a list of unsafe operations while programming or while understanding other people’s code.

                                              1. 3

                                                That’s exactly it. Wirth did this in his languages like Oberon. Safe by default with unsafe modules saying so loud and clear.

                                          1. 2

                                            In what other languages would it be possible?

                                            I guess everything with properties (functions disguised as fields) so D, C#, etc.

                                            Afaik not with C, C++, or Java.

                                            1. 26
                                              #define a (++i)
                                              int i = 0;
                                              
                                              if (a == 1 && a == 2 && a == 3)
                                                  ....
                                              
                                              1. 1

                                                Isn’t that undefined behavior? Or is && a sequence point?

                                                1. 3

                                                  && and || are sequence points. The right expression may never happen depending on the result of the left, so it would make things interesting if they weren’t.

                                              2. 10

                                                This is very easy to do in C++.

                                                1. 5

                                                  You can also do it with Haskell.

                                                  1. 3

                                                    Doable with Java (override the equals method), and as an extension, with Clojure too:

                                                    (deftype Anything []
                                                      Object
                                                      (equals [a b] true))
                                                    
                                                    (let [a (Anything.)]
                                                      (when (and (= a 1) (= a 2) (= a 3))
                                                        (println "Hello world!")))
                                                    

                                                    Try it!

                                                    Or, inspired by @zge above:

                                                    (let [== (fn [& _] true)
                                                          a 1]
                                                      (and (== a 1) (== a 2) (== a 3)))
                                                    
                                                    1. 3

                                                      Sort of. In Java, == doesn’t call the equals method, it just does a comparison for identity. So

                                                       a.equals(1) && a.equals(2) && a.equals(3); 
                                                      

                                                      can be true, but never

                                                       a == 1 && a == 2 && a == 3;
                                                      
                                                    2. 3

                                                      perl can do it very simply

                                                      my $i = 0;
                                                      sub a {
                                                      	return ++$i;
                                                      }
                                                      
                                                      if (a == 1 && a == 2 && a == 3) {
                                                      	print("true\n");
                                                      }
                                                      
                                                      1. 2

                                                        Here is a C# version.

                                                        using System;
                                                        
                                                        namespace ContrivedExample
                                                        {
                                                            public sealed class Miscreant
                                                            {
                                                                public static implicit operator Miscreant(int i) => new Miscreant();
                                                        
                                                                public static bool operator ==(Miscreant left, Miscreant right) => true;
                                                        
                                                                public static bool operator !=(Miscreant left, Miscreant right) => false;
                                                            }
                                                        
                                                            internal static class Program
                                                            {
                                                                private static void Main(string[] args)
                                                                {
                                                                    var a = new Miscreant();
                                                                    bool broken = a == 1 && a == 2 && a == 3;
                                                                    Console.WriteLine(broken);
                                                                }
                                                            }
                                                        }
                                                        
                                                        1. 2

                                                          One of the ‘tricks’ where all a’s are different Unicode characters is possible with Python and Ruby. Probably in Golang too.

                                                          1. 7

                                                            In python, you can simply create class with __eq__ method and do whatever you want.

                                                            1. 4

                                                              Likewise in ruby, trivial to implement

                                                              a = Class.new do
                                                                def ==(*)
                                                                  true
                                                                end
                                                              end.new
                                                              
                                                              a == 1 # => true
                                                              a == 2 # => true
                                                              a == 3 # => true
                                                              
                                                          2. 2

                                                            In Scheme you could either take the lazy route and do (note the invariance of the order or ammount of the operations):

                                                            (let ((= (lambda (a b) #t))
                                                                   (a 1))
                                                              (if (or (= 1 a) (= 2 a) (= 3 a))
                                                                  "take that Aristotle!"))
                                                            

                                                            Or be more creative, and say

                                                            (let ((= (lambda (x _) (or (map (lambda (n) (= x n)) '(1 2 3)))))
                                                                    (a 1))
                                                                (if (or (= 1 a) (= 2 a) (= 3 a))
                                                                    "take that Aristotle!"))
                                                            

                                                            if you would want = to only mean “is equal to one, two or three”, instead of everything is “everything is equal”, of course only within this let block. The same could also be done with eq?, obviously.

                                                            1. 1

                                                              Here is a Swift version that uses side effects in the definition of the == operator.

                                                              import Foundation
                                                              
                                                              internal final class Miscreant {
                                                                  private var value = 0
                                                                  public static func ==(lhs: Miscreant, rhs: Int) -> Bool {
                                                                      lhs.value += 1
                                                                      return lhs.value == rhs
                                                                  }
                                                              }
                                                              
                                                              let a = Miscreant()
                                                              print(a == 1 && a == 2 && a == 3)
                                                              
                                                            1. 6

                                                              very surprising that the BSDs weren’t given heads up from the researchers. Feels like would be a list at this point of people who could rely on this kind of heads up.

                                                              1. 13

                                                                The more information and statements that come out, the more it looks like Intel gave the details to nobody beyond Apple, Microsoft and the Linux Foundation.

                                                                Admittedly, macOS, Windows, and Linux covers almost all of the user and server space. Still a bit of a dick move; this is what CERT is for.

                                                                1. 5

                                                                  Plus, the various BSD projects have security officers and secure, confidential ways to communicate. It’s not significantly more effort.

                                                                  1. 7

                                                                    Right.

                                                                    And it’s worse than that when looking at the bigger picture: it seems the exploits and their details were released publicly before most server farms were given any head’s up. You simply can’t reboot whole datacenters overnight, even if the patches are available and you completely skip over the vetting part. Unfortunately, Meltdown is significant enough that it might be necessary, which is just brutal; there have to be a lot of pissed ops out there, not just OS devs.

                                                                    To add insult to injury, you can see Intel PR trying to spin Meltdown as some minor thing. They seem to be trying to conflate Meltdown (the most impactful Intel bug ever, well beyond f00f) with Spectre (a new category of vulnerability) so they can say that everybody else has the same problem. Even their docs say everything is working as designed, which is totally missing the point…

                                                                2. 7

                                                                  Wasn’t there a post on here not long ago about Theo breaking embargos?

                                                                  https://www.krackattacks.com/#openbsd

                                                                  1. 12

                                                                    Note that I wrote and included a suggested diff for OpenBSD already, and that at the time the tentative disclosure deadline was around the end of August. As a compromise, I allowed them to silently patch the vulnerability.

                                                                    He agreed to the patch on an already extended embargo date. He may regret that but there was no embargo date actually broken.

                                                                    @stsp explained that in detail here on lobste.rs.

                                                                    1. 10

                                                                      So I assume Linux developers will no longer receive any advance notice since they were posting patches before the meltdown embargo was over?

                                                                      1. 3

                                                                        I expect there’s some kind of risk/benefit assessment. Linux has lots of users so I suspect it would take some pretty overt embargo breaking to harm their access to this kind of information.

                                                                        OpenBSD has (relatively) few users and a history of disrespect for embargoes. One might imagine that Intel et al thought that the risk to the majority of their users (not on OpenBSD) of OpenBSD leaking such a vulnerability wasn’t worth it.

                                                                        1. 5

                                                                          Even if, institutionally, Linux were not being included in embargos, I imagine they’d have been included here: this was discovered by Google Project Zero, and Google has a large investment in Linux.

                                                                    2. 2

                                                                      Actually, it looks like FreeBSD was notified last year: https://www.freebsd.org/news/newsflash.html#event20180104:01

                                                                      1. 3

                                                                        By late last year you mean “late December 2017” - I’m going to guess this is much later than the other parties were notified.

                                                                        macOS 10.13.2 had some related fixes to meltdown and was released on December 6th. My guess is vendors with tighter business relationships (Apple, ms) to Intel started getting info on it around October or November. Possibly earlier considering the bug was initially found by Google back in the summer.

                                                                        1. 2

                                                                          Windows had a fix for it in November according to this: https://twitter.com/aionescu/status/930412525111296000

                                                                      2. 1

                                                                        A sincere but hopefully not too rude question: Are there any large-scale non-hobbyist uses of the BSDs that are impacted by these bugs? The immediate concern is for situations where an attacker can run untrusted code like in an end user’s web browser or in a shared hosting service that hosts custom applications. Are any of the BSDs widely deployed like that?

                                                                        Of course given application bugs these attacks could be used to escalate privileges, but that’s less of a sudden shock.

                                                                        1. 1

                                                                          DigitalOcean and AWS both offer FreeBSD images.

                                                                          1. 1

                                                                            there are/were some large scale deployments of BSDs/derived code. apple airport extreme, dell force10, junos, etc.

                                                                            people don’t always keep track of them but sometimes a company shows up then uses it for a very large number of devices.

                                                                            1. 1

                                                                              Presumably these don’t all have a cron job doing cvsup; make world; reboot against upstream *BSD. I think I understand how the Linux kernel updates end up on customer devices but I guess I don’t know how a patch in the FreeBSD or OpenBSD kernel would make it to customers with derived products. As a (sophisticated) customer I can update the Linux kernel on my OpenWRT based wireless router but I imagine Apple doesn’t distribute the Airport Extreme firmware under a BSD license.

                                                                        1. 25

                                                                          Spectre PoC: https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6 (I had to inline one #DEF, but otherwise works)

                                                                          1. 5

                                                                            I’ve tested it with some success on FreeBSD/HardenedBSD on an Intel Xeon. It works on bare metal, but doesn’t work in bhyve.

                                                                            1. 4

                                                                              oh god that runs quickly. terrifying.

                                                                              1. 3
                                                                                $ ./spectre
                                                                                Reading 40 bytes:
                                                                                Illegal instruction (core dumped)
                                                                                

                                                                                That was kinda disappointing. (OpenBSD on Hyper-V here.)

                                                                                1. 10

                                                                                  It worked for me on OpenBSD running on real hardware.

                                                                                  1. 1

                                                                                    That was kinda disappointing. (OpenBSD on Hyper-V here.)

                                                                                    perhaps it was the cache flush intrinsic.

                                                                                  2. 2

                                                                                    I’m impressed how easy it is to run this PoC - even for somebody who didn’t do C programming for years. Just one file, correct the line

                                                                                    #define CACHE_HIT_THRESHOLD(80)

                                                                                    to

                                                                                    #define CACHE_HIT_THRESHOLD 80

                                                                                    then compile: gcc -O0 -o spectre spectre.c

                                                                                    run:

                                                                                    ./spectre

                                                                                    and look for lines with “Success: “.

                                                                                    I am wondering if there is some PoC for JavaScript in the Browser - single HTML page with no dependencies containing everything to show the vulnerability?

                                                                                    1. 2

                                                                                      I’ve been playing quickly with the PoC. It seems to work just fine on memory with PROT_WRITE only, but doesn’t work on memory protected with PROT_NONE. (At least on my CPU)

                                                                                    1. 5

                                                                                      very reminiscent of Linus Neumann’s Trolldrossel (German for ‘troll throttle’): Depending on the amount of bad words in a given comment, the captcha fails regardless of the answer given. It was installed at a site providing comments for controversial german blogger Fefe when it was overwhelmed with racist, misogynistic and otherwise awful comments.

                                                                                      Here’s the 2013 talk about it, if you understand German.

                                                                                      1. 2

                                                                                        Hmmm, previous existing works make a patent attackable, no?

                                                                                        1. 4

                                                                                          Yep, it’d be existing prior art. In NZ you wouldn’t be able to patent this concept at all. They’ve banned software patents. The US really needs to do the same.

                                                                                          1. 2

                                                                                            Australia needs to do so also.

                                                                                          2. 1

                                                                                            Only if the existing work is implemented the same as each claim in the patent.

                                                                                        1. 5

                                                                                          I’m considering paying Pinboard for their web archiving feature, but so far it’s not been a huge pain point.

                                                                                          1. 6

                                                                                            I use Pinboard’s archiving, just for articles I’ve read and other things where I’d only be mildly annoyed if I lost them, it’s a bit too unreliable for anything else. The archiving time is sporadic, some things get archived in a couple of hours, others can take weeks, and many of my bookmarks say they’re archived but trying to open the archived page just causes an error.

                                                                                            I still use it because it’s the only one I’ve found that will archive PDFs and direct links to images. Well, that, and because I paid 5 years in advance.

                                                                                            1. 1

                                                                                              Thanks for the review. It’s sad they don’t do the archiving at the moment of bookmarking. That’s what I feel is the best approach, but maybe they have so many users that reaching front of the queue takes week or so?

                                                                                              Considering how you don’t think that good of Pinboard, I’m wondering why you went with buying 5-year service from the beginning.

                                                                                              1. 2

                                                                                                I already had a standard pinboard account grandfathered in from when it was a one-off fee, when I upgraded to an archiving account, and I had been happy enough with that. My thought process was I’d pay in advance and then I would have everything archived and I wouldn’t have to worry about it again for 5 years, I didn’t consider that it would turn out to be less reliable than I’d like.

                                                                                            2. 2

                                                                                              I pay for it and use it – my only regret is activating it so late, after having added bookmarks for years – that meant many many bookmarks had already vanished. (Thankfully Pinboard lists all such errors and the specific HTTP code that caused it)

                                                                                              1. 1

                                                                                                I like that they provide all error and HTTP codes. Are there logs too, so you can actually tell when the page stopped being reachable?

                                                                                                1. 2

                                                                                                  No, just the error and an option to manually trigger a retry.

                                                                                                  It’s added as a machine tag like code:403

                                                                                              2. 2

                                                                                                I joined Pinboard almost exactly 7 years ago and it has already saved my butt a bunch of times. According to my profile page, about 5% of my bookmarks are dead links at this point.

                                                                                                1. 1

                                                                                                  It has to be reassuring. Well, they’re not only proving fun statistics, but they’re proving their value to you. I really haven’t heard about Pinboard until today. If there would be a local client for syncinc the archived content locally, then I could consider buying the service and using it, but first I would need to restore my habit of bookmarking that I somehow lost many years ago.

                                                                                                2. 1

                                                                                                  Interesting. I guess some bookmark-like service on top of archive.is / web.archive.org could be created. Or maybe there is even already such thing for free.

                                                                                                1. 2

                                                                                                  On the science of gender differences, I recommend reading http://slatestarcodex.com/2017/08/07/contra-grant-on-exaggerated-differences/. Do read it. The whole thing.

                                                                                                  1. 7

                                                                                                    I wasn’t expecting anything better from SSC, but:

                                                                                                    51% of law students are now female […] Somebody has to explain why the equal and greater negative stereotypes against women in law, medicine, etc were completely powerless, yet for some reason the negative stereotypes in engineering were the ones that took hold and prevented women from succeeding there.

                                                                                                    That 51% in law happened for the first time last year and was the result of – wait for it – diversity initiatives. Meanwhile the law profession itself is considered one of the least diverse with woman underrepresented in general, and even more so in higher roles.

                                                                                                    1. -1

                                                                                                      What an atrocious example of inability to do basic scientific reasoning.

                                                                                                    1. 52

                                                                                                      I am on fastmail for my domain. Works fine, does everything I need.

                                                                                                      1. 7

                                                                                                        I am also a happy fastmail.com customer since about 2 years now. I used mailbox.org before, a german email provider, which is quite cheap (1€ per month) and allowed to use custom email domains but their spam filter sucked. Fastmail’s spam filter is also not perfect, in fact Gmail has still by far the best filtering, but their service is great and I can use custom email domain’s too. They also develop JMAP a JSON based IMAP replacement.

                                                                                                        1. 7

                                                                                                          I’d say the fact that JMAP is JSON based is only marginally-relevant; it’s got several significant design improvements over IMAP - e.g:

                                                                                                          • Folder renames no longer munge mail IDs (usually forces clients to re-download all messages).
                                                                                                          • No persistent connection (IMAP keeps your mobiles radio awake).
                                                                                                          • Flood control (some IMAP commands can send millions of identical lines in response).
                                                                                                          • Saving a draft with an attachment doesn’t make you re-send the attachment.
                                                                                                          • Subscribe to all changes in your mailbox via a single connection (vs one connection per folder)
                                                                                                          1. 1

                                                                                                            It’s more than IMAP replacement too, possibly better described as an alternative to Exchange ActiveSync.

                                                                                                          2. 3

                                                                                                            I’m with mailbox.org myself, with the 2.5EUR/month plan and a private domain. Mostly happy, I don’t have issues with spam. They seem to be quite opinionated on how to handle spam: https://www.heinlein-support.de/vortrag/spam-quarantaene-und-tagging-der-grosse-irrtum. But it seems classical spam tagging has been added recently, though I haven’t tested it: https://mailbox.org/update-des-webportals-bringt-nuetzliche-zusatzfunktionen-fuer-ihr-e-mail-postfach/

                                                                                                            I’m not that happy with the web interface though, it seems to be https://en.wikipedia.org/wiki/Open-Xchange.

                                                                                                            1. 1

                                                                                                              Is JMAP even supported anywhere? Does anybody use it? Last I checked, not even Fastmail actually used this for anything. Seems like the project started with some energy but is mostly dead now? What a shame, as I’d love to use it somewhere… Please do correct me if I’m wrong.

                                                                                                              1. 4

                                                                                                                Hi, I’m some engineering guy at FastMail.

                                                                                                                JMAP is currently going through the standardisation process at the IETF to become an RFC. Several companies have built or are building client and server implementations based on those drafts. We’re putting a lot of work into JMAP support in Cyrus.

                                                                                                                At FM, we use it internally for some (but not yet all) of our UI-server interactions, and we’re working on converting the UI to use JMAP natively (once the standardisation work has stablised).

                                                                                                                Finally, we’re just about to launch a new product that uses JMAP from top to bottom - Cyrus, Ix (a JMAP API generator) and Overture (a UI framework with a JMAP-backed storage layer).

                                                                                                                So there’s lots happening on JMAP at FastMail and elsewhere.

                                                                                                                1. 1

                                                                                                                  That’s really wonderful to hear. Once a year I email FastMail tech support asking them if there’s a JMAP thing, but the answer is always something like “no, and we don’t know when if ever.” And then I’m sad. This here is the first positive confirmation I’ve received, and I’m quite happy to hear it!

                                                                                                                  Hopefully once you release a fully JMAP designed system, you’ll have auto-exporters from existing tag-based systems like Gmail? Something like this would probably net you a massive user base.

                                                                                                            2. 7

                                                                                                              I switched to fastmail last month and I am very happy with it. Before that, I had been self-hosting for 10 years, but I started seeing my emails listed as spam after I switched VPS providers (despite correct SPF etc), and I wasn’t motivated enough to fight for my IP reputation again.

                                                                                                              1. 5

                                                                                                                Also Fastmail, moved from Google Apps for domains 2 or 3 years ago. Besides the advantages others mentioned, subdomain addressing is also a cool feature. Some mail providers support plus addressing

                                                                                                                me+foobarbaz@mydomain.com

                                                                                                                subdomains addressing is a bit nicer. You can make disposable addresses in the form of:

                                                                                                                me@foobarbaz.mydomain.com

                                                                                                                makes it easier to write rules and to drop mail when the address is sold to some spammer.

                                                                                                                Also their support is pretty good. I had a small feature/refinement request twice, in both cases they had the feature implemented in their beta site in a couple of days.

                                                                                                                1. 5

                                                                                                                  I went to fastmail two years ago when the server on which I’d hosted my own email for about eight years died. I was happy to give a great company about $60 a year to host my family’s email. I was probably spending $60 a month of my own time just to administer the damn thing.

                                                                                                                  1. 4

                                                                                                                    I’m on Fastmail too, with my own domain, for about ten years. The web UI is focused and fast, and the iOS app is just a webview, but a decent one that’s quick. I use Fastmail aliases and inbox rules to send to multiple external addresses, like a basic private listserve. Tons of advanced features for mail users, DFA, and no advertising or shenanigans with your inbox.

                                                                                                                    They went through a purchase by Opera a while ago, then a few years later Opera sold the business back to the original Fastmail employees – not a single hiccup or business misstep the whole time. They are laser focused. They contribute back to the open source mail server community.

                                                                                                                    The only issue on my wishlist is that they still don’t support the full CardDAV protocol, which means I cannot fully sync my Fastmail addressbook with iOS, Mac, Windows, or *nix apps, but they’re working on it, and it’s due soon (early 2018?).

                                                                                                                    I think it’s cheap for what you get, if you’re into that sort of thing.

                                                                                                                    1. 1

                                                                                                                      What exactly is missing from CardDAV support? I’m happily using it to sync contacts to my iOS/Android devices.

                                                                                                                    2. 2

                                                                                                                      Same here. I use fastmail for every new domain that I need email for and it’s pretty great.

                                                                                                                      1. 1

                                                                                                                        Another vote for fastmail. Been a user for several years now. Has by far the best webui out of any provider. Very stable, and quick restoration of backups if you ever need them.

                                                                                                                        1. 1

                                                                                                                          Another +1 for Fastmail. I’ve used them for 3 years and have been pleased with all their services. Their documentation is clear, the system is not hard to use, and they answer questions promptly.

                                                                                                                          The only thing I’m waiting for is HTTPS support on their web hosting. But if you need serious web hosting, Fastmail probably shouldn’t be yout first choice.

                                                                                                                          1. 1

                                                                                                                            Yep, fastmail here too, it’s superb.

                                                                                                                          1. 2

                                                                                                                            @tedu - I may be misunderstanding what’s going on but it seems the root cert doesn’t work with libressl.

                                                                                                                            # openssl x509 -text -in ca-tedunangst-com.crt >> /etc/ssl/cert.pem 
                                                                                                                            $ nc -c www.tedunangst.com 443
                                                                                                                            nc: tls handshake failed (certificate verification failed: permitted subtree violation)
                                                                                                                            

                                                                                                                            Possibly this openssl bug, patched here but it doesn’t look like libressl has that patch.

                                                                                                                            1. 1

                                                                                                                              Yeah, we should probably fix that bug. :( Thanks a lot for tracking down a patch.

                                                                                                                            1. 2

                                                                                                                              Sadly enough the website raise tls error on brave for android.

                                                                                                                              1. 2

                                                                                                                                That’s because Brave behaves just like any other browser when it comes to https certificates.

                                                                                                                                Or are you saying that you’re still getting an error even after installing tedu’s root CA?

                                                                                                                                1. 5

                                                                                                                                  Why I would install some random root CA.

                                                                                                                                  1. 1

                                                                                                                                    The article addresses this.

                                                                                                                                1. 1

                                                                                                                                  I used to like that option. Now, entry-level mainframes are getting down to new car prices. So, maybe put something similar saying it runs on Bull or IBM mainframes with latest release with keys & trusted boot in onboard HSM. Whatever is hard to get a license or docs for where they have to buy one to find an attack.

                                                                                                                                  Then, if you detect a mainframe attack, then you can smile knowing they wasted a lot of time and/or money. :)

                                                                                                                                1. [Comment removed by author]

                                                                                                                                  1. 11

                                                                                                                                    I said this elsewhere, but 60% of the industry has “numerous personality deficiencies”. Who hasn’t gotten into arguments with the Linuses or … those systemd people?

                                                                                                                                    Why do they get a pass? Supposedly for their contributions. But this blog post listed a decent amount of contributions to Github as well. And according to the blog, the managers thought as much for their technical performance.

                                                                                                                                    So many of us get a pass for social deficiencies. But here, apparently not. This could be a “cultural fit” thing, but based off of what I’ve heard about Github, I feel like some accommodations could be made if the technical contributions were good.

                                                                                                                                    1. 5

                                                                                                                                      Why do they get a pass?

                                                                                                                                      Because they’ve actually made valuable contributions to the field, instead of making money via political parasitism. We wouldn’t (and shouldn’t) tolerate someone like Linus if he held some nouveau-middle management mumbo jumbo fluff job. Instead, he’s effectively created and managed a project with social utility at least in the tens of billions of dollars, and his rudeness, beyond being excusable, is actually extremely useful in discouraging time-sinks that would hurt Linux development if humoured.

                                                                                                                                      1. 0

                                                                                                                                        his rudeness, beyond being excusable, is actually extremely useful in discouraging time-sinks that would hurt Linux development if humoured

                                                                                                                                        It also hurts Linux development when the likes of Alan Cox quit because Linus gets confused and decides to go on a half-cocked rant. And there is potentially people who would make good contributions but see what happened to the likes of Cox and decide they don’t want to be on the receiving end of that.

                                                                                                                                        1. 6

                                                                                                                                          Did he quit because of a rant? He seems to dispute this himself -

                                                                                                                                          “I’m aware that ‘family reasons’ is usually management speak for ‘I think the boss is an asshole’ but I’d like to assure everyone that while I frequently think Linus is an asshole (and therefore very good as kernel dictator) I am departing quite genuinely for family reasons and not because I’ve fallen out with Linus or Intel or anyone else. Far from it I’ve had great fun working there.”

                                                                                                                                          1. 2

                                                                                                                                            He resigned as tty maintainer over the rant.

                                                                                                                                            https://lkml.org/lkml/2009/7/28/375

                                                                                                                                            1. 3

                                                                                                                                              But that’s a long way from “It also hurts Linux development when the likes of Alan Cox quit” given he spent the next 4 years still working on kernel development.

                                                                                                                                              1. 1

                                                                                                                                                So you don’t think him resigning as tty maintainer hurt Linux, at all? The work he did in other areas made up for it? And when greg k-h (begrudging) took it on, that didn’t detract at all from the work he did (or would have done) in other areas if he hadn’t needed to step into that role?

                                                                                                                                                I’d argue it would have been better for Linux if it hadn’t happened, ergo it hurt Linux.

                                                                                                                                          2. 2

                                                                                                                                            I think Zimpenfish thoroughly refuted the Alan Cox example, and as for

                                                                                                                                            And there is potentially people who would make good contributions

                                                                                                                                            There are vastly more people who would make bad contributions, either because they’re low quality, useless, or incur excessive technical debt. Linux’s inaccessibility to immature coders and egotists discourages people you don’t want contributing more than those you do.

                                                                                                                                      2. 19

                                                                                                                                        Author clearly has numerous personality deficiencies

                                                                                                                                        This is a highly inappropriate personal remark.

                                                                                                                                        1. 11

                                                                                                                                          Author clearly has numerous personality deficiencies just from reading between the lines of this post

                                                                                                                                          Since the analysis was so easy for you, can you make some of your conclusions explicit? What are these numerous ‘personality deficiencies’ that she clearly deserved to be teated this way and then fired?

                                                                                                                                          the most glaring of which is the fact that they can’t admit fault

                                                                                                                                          But, can’t she? I mean, reportedly she received the criticism of “un-empathic communication style”, lack of code reviews, and the performance improvement plan, and was clearly working to address each of them. She wouldn’t have kept notes each week, have made herself available for doing code reviews, and pointed out the ways she was working to grow if she couldn’t admit fault.

                                                                                                                                          Given her thoughts on pair programming (helping her identify any negative ingrained behavior she wouldn’t have otherwise noticed), I don’t think it’s fair to claim ‘they can’t admit fault’ is fair at all.

                                                                                                                                          they can’t admit fault. Github was right to fire them

                                                                                                                                          She has a gender, which comes with nifty pronouns including she and her.

                                                                                                                                          Github was right to fire them, just based on reading this article alone.

                                                                                                                                          Let’s slow down there for a second, maybe talk about this a bit? The values she quoted from the CEO and the goals of her team were clearly in conflict with the actual organizational behavior she experienced.

                                                                                                                                          Unless you think that providing really sound feedback on the questioner that was exactly within her job description was a ‘personality deficiency’.

                                                                                                                                          Can we talk about that, by the way? What the hell is a personality deficiency, and to what degree do they have to exist for an organization to treat someone this way and then fire them? I mean, I get that certain things might make someone more difficult to work with, but isn’t that the point of inclusivity? That we tolerate people’s quirks and where they are in life so that they can bring their voice and experience into the organization?

                                                                                                                                          You know, experience like continuous harassment in the open source community.

                                                                                                                                          because I have dealt with folks like the author bring toxic and destructive attitudes into the workplace

                                                                                                                                          Please elaborate, as it was so clear to you.

                                                                                                                                          Actually, I’m a bit confused by your stance I suppose. This post exists explicitly and solely to point out the things the author experienced that were in conflict with both what she was promised and what Github claims to represent. And she does that in this article, right?

                                                                                                                                          She isn’t trying to get her job back (obviously she doesn’t want to return, and the fact that she is a senior engineer with a history of productive development, I think her clear desire to be away from Github counts as signal).

                                                                                                                                          Does her “deserving to be fired” erase what she experienced, or are you claiming that everything she talks about having experienced either a) wasn’t actually a problem or b) didn’t really happen that way?

                                                                                                                                          1. 8

                                                                                                                                            She has a gender, which comes with nifty pronouns including “she” and “her.”

                                                                                                                                            Are you seriously bringing that up as a point in your argument? You could’ve just as well used the argument that it’s more courteous to use genderless pronouns. Why put the form of an argument over its substance?

                                                                                                                                            Anyway, if you need an example of her taking her views to places where they’re not really relevant, you need look no further than here.

                                                                                                                                            1. 0

                                                                                                                                              Not the person you are talking to but:

                                                                                                                                              Are you seriously bringing that up as a point in your argument? You could’ve just as well used the argument that it’s more courteous to use genderless pronouns. Why put the form of an argument over its substance?

                                                                                                                                              When you know someone’s gender identity it is polite to use their preferred pronouns. Personally, I wouldn’t have brought it up but my guess is that the author was deliberately using neutral pronouns because they don’t respect her gender identity but knew if they used male pronouns they’d get hell for it. But it can also just be a style of writing, so as said, I wouldn’t have brought it up.

                                                                                                                                              Anyway, if you need an example of her taking her views to places where they’re not really relevant, you need look no further than here.

                                                                                                                                              I, and she herself in https://medium.com/@coralineada/on-opalgate-2efd0fc1e0fd (ugh, I hate the trend of adding ‘gate’ to everything), acknowledge that the way she opened the issue (specifically the title) was overly inflammatory.

                                                                                                                                              However, reaching out and letting people know that a member of their community is likely scaring people off from the project is a relevant view and needed in some cases. As said above, she did it in an overly inflammatory way but I don’t agree that it is not relevant.

                                                                                                                                              After this whole thing I was: 1. Upset with how coraline handled starting it 2. Never ever going to touch opal (supported by the fact that the actual owner (NOT meh) implemented coraline’s Code of Conduct but now they are using ‘No Code of Conduct’).

                                                                                                                                        1. 10

                                                                                                                                          Choose your hashes and your designs carefully!

                                                                                                                                          Isn’t the moral here that you should try to plan for hash alg changes? Because “Choose your hashes” is just hindsight, really. When SVN was designed, SHA1 was probably still “safe”, right?

                                                                                                                                          1. 13

                                                                                                                                            Plan for changes. And then start making them. SVN isn’t alone here, but there was a solid ten year lead time between “SHA1 can have collisions” and “I told you so”. The state of RC4 is somewhat similar, with people refusing to move because it wasn’t broken enough. (And a lack of clear direction forward in some cases.)

                                                                                                                                            Google went to considerable effort to create a collision. If they hadn’t, people would still say it’s only a theoretical concern. Be thankful it’s still just a warning shot.

                                                                                                                                            1. 2

                                                                                                                                              There was a submission a long while ago talking about various strange behaviors of crypto material. One was that there was an algorithm that used as a hash, two hash functions and XORed the results together to create the final hash. This allowed them to survive the deprecation of MD5, though they never moved away from MD5. I wonder how useful it is to do this as a way of transitioning away from aging weakly vulnerable hashes.

                                                                                                                                              1. 3

                                                                                                                                                XOR is worse than concatenation for combining hashes if you’re looking for collision resistance. Here’s a paper describing the safest way to combine two hashes: https://eprint.iacr.org/2013/210

                                                                                                                                                Also, see this answer on crypto StackExchange describing various failures of combined hashes.

                                                                                                                                                1. 2

                                                                                                                                                  Yes, that is strange. :) I think the crypto community usually frowns on things like that. Consider that at the time you had something better than MD5 to stir into the result, you could have just used that something better. MD5 ^ SHA1 isn’t notably superior to just SHA1. SHA1 ^ SHA2 isn’t really better than SHA2.

                                                                                                                                                  1. 1

                                                                                                                                                    I think the crypto community usually frowns on things like that.

                                                                                                                                                    Is it just “that’s pointless” or could it really hurt? Is it likely or inevitable that the output of two different hash functions on the same input would have coincidental correlations that cancel out with the xor, creating a subtly biased composite function that is worse than the sum of its parts?

                                                                                                                                                    1. 1

                                                                                                                                                      Indeed: It used to be frowned on because people were concerned that there might be some subtle interaction between the algorithms, although I’ve never seen any evidence of such interactions “in the wild”.

                                                                                                                                                      With modern cryptographically strong hash functions, which have a much stronger theoretical base for their security, it’s just a pointless waste of time. I guess you gain a slight ‘security through obscurity’ benefit: an algorithm for generating collisions in SHA-2 (if such a thing were to be discovered) might not work on your custom SHA1^SHA2 implementation, but the same background theory could probably be used to break your implementation - it would just take a little more time.

                                                                                                                                                      1. 1

                                                                                                                                                        The contrast between crypto and os/application level approach to security is striking.

                                                                                                                                                        In the former, an algorithm once accepted is assumed secure until someone publishes a paper or poc that demonstrates a weakness. Furthermore it is assumed that these first discoveries are always more theoretical than practical, so there is no “zero day” rush to change algorithms.

                                                                                                                                                        In the latter case, we assume there are undiscovered bugs that could be weaponized in a short timeframe, and defense in depth is the norm.

                                                                                                                                                        I do not find it surprising that some developers reach for tricks like mixing the output of two different algorithms. After all, if mixing predictable data (message) with pseudo-random noise (keystream) works for encryption and mixing potentially predictable data (time, io events, etc.) with other such events works for entropy pool mixing, why wouldn’t it work for mixing hashes (which can be thought of as being pseudo-random noise seeded with the key)?

                                                                                                                                                        If there were no undesirable interactions between two different hash algorithms, intuition says that mixing one with the other is safe as long as one of the algorithms remains secure. And again assuming no interaction, intuition might say that to break the composite, it is inevitable that you break its components..

                                                                                                                                                      2. 1

                                                                                                                                                        Mostly pointless I believe. There’s a proof that given two 128 bit hashes, the work to find a collision in both is proportional to 2^128 + 2^128, or 2^129, and not the 2^256 you might hope for. But also, any time you color outside the lines, you run the risk of making things worse.

                                                                                                                                                        1. 1

                                                                                                                                                          Right, so I would assume the reasoning people have for mixing is not that it doubles the number of bits of search space, but that it saves your ass the day someone finds one of these algorithms is broken and the work to find a collision is proportional to 2^49 or whatever.

                                                                                                                                                          Making things worse is a thought that eludes these people.

                                                                                                                                                        2. 1

                                                                                                                                                          Is it likely or inevitable that the output of two different hash functions on the same input would have coincidental correlations that cancel out with the xor, creating a subtly biased composite function that is worse than the sum of its parts?

                                                                                                                                                          It’s likely there’ll be nonzero correlation, because hash functions aren’t written in isolation and use similar techniques. But probably not significant enough to make a difference in practice.

                                                                                                                                                    2. 4

                                                                                                                                                      You need to pick a sufficienly strong hash for your application. SHA1 is still in this territory for SVN’s purposes, since collisions are still negligible during typical use as a version control system. Which is great, because otherwise the fix about to be released would break the system for many users.

                                                                                                                                                      SVN”s problems are that apart from discussing the issue years ago nobody bothered to check what actually happens in the implementation when a collision occurs (that’s a process problem), and that we found ourselves incredibly constrained while trying to come up with the best possible fix for the “webkit” problem. Today, we cannot change the hash without breaking important parts of the system or adding (yet more) backwards compat boilerplate code. We must prevent SHA1 collisions from entering the system to prevent (perhaps accidental) DoS attacks on the system. At the core, this is a design problem. Some features have tightly embraced SHA1 and now replacing it involves a lot of work.

                                                                                                                                                      Edit: Another factor that complicated things was that API, protocol, and on-disk format changes are off-limits for SVN’s patch releases, but we had to patch both the 1.9 and 1.8 release series.

                                                                                                                                                      1. 2

                                                                                                                                                        The iron law of cryptography is that crypto schemes always get weaker over time.

                                                                                                                                                        But when this is a problem which isn’t going to manifest itself for fifteen years or more, punting it to the long grass is always going to be very tempting!

                                                                                                                                                        1. 2

                                                                                                                                                          SHA2 hadn’t even been published when SVN was first released (SVN was released in 2000, SHA2 was first published as a draft in 2001 and finalised in 2002).

                                                                                                                                                        1. 15

                                                                                                                                                          Here’s the deal folks: systemd is software and it has bugs

                                                                                                                                                          Sure, bugs happen, but I think the beat up is more because of:

                                                                                                                                                          poettering closed this
                                                                                                                                                          poettering added the not-a-bug label

                                                                                                                                                          It’s not the crime, it’s the cover-up.

                                                                                                                                                          1. 5

                                                                                                                                                            Did you know you can run Sonarr directly on OpenBSD? :D

                                                                                                                                                            1. 3

                                                                                                                                                              I don’t want to run mono on my beautiful OpenBSD, I want to running that crap on a Linux ;D

                                                                                                                                                              1. 3

                                                                                                                                                                It could be more secure to run it natively on OpenBSD

                                                                                                                                                                edit: I maintain sonarr and radarr on FreeBSD

                                                                                                                                                                1. 1

                                                                                                                                                                  I forgot /s

                                                                                                                                                                2. 2

                                                                                                                                                                  Over docker. Because security matters.

                                                                                                                                                                  1. 2

                                                                                                                                                                    Why not run OpenBSD in the VM as well? It’d be segregated from the rest of the system and still running on OpenBSD.

                                                                                                                                                                    1. 1

                                                                                                                                                                      I just wanted to try the alpine machine, so I tried with Sonarr

                                                                                                                                                                    2. 1

                                                                                                                                                                      As a C# developer and OpenBSD user, it’s perfectly fine.

                                                                                                                                                                      Speaking of Mono, I need to finish my port of it to Haiku. (Not even BeOS is safe. Muhahaha!)