1. 27

    I’m glad to see this trend of standing up against political exclusion in Open Source. I assume that the Code of Conduct for llvm was written in good faith, but the continued demonization of political groups (and to some extent, white men) is troubling. Remember when no one on the internet cared what you looked like, believed, or who you loved? I want to go back to that :/

    1. 43

      Who is being excluded? How is Outreachy preventing someone from contributing to llvm?

      I remember those days too. “No one” cared because “everyone” assumed you were white, male, and college educated. “There are no women on the Internet” dates back, at least, to the early ’90s.

      As a black male dropout, that was fine for me— I could get involved. No one questioned my capabilities. And as long as I kept up a good impression of being fluent in upper-middle to upper-class white culture, I could build my skills and social capital.

      I also got beat up on the street in front of my grandmother for “showing off” how I could “talk white” at school.

      I also remember, when Pentiums were out, using a pawn shop purchased Apple IIc with a gifted modem. I also remember hacking into dial-up pools to get telnet— haha, as if my machine could talk SLIP or PPP. I remember begging friends from MOOs and IRC for a shell account. I remember having no concept of the disparity between myself and the people with whom I played games, chatted, wrote code, and made friends. They simply had things, and I didn’t.

      I don’t see a problem with choosing to give their time and their money to mentor people who otherwise might not be able to participate. There certainly hasn’t been a problem with people choosing to give their time and their money to people who look like them, sound like them, grew up with them, attend the same church as them, went to the same school as them, are friends with them, enjoy the same movies as them, play the same sports as them, and just happen to be a well-off straight white male. Just. Like. Them.

      1. 5

        I also remember hacking into dial-up pools to get telnet

        Holy crap, you and I are kindred spirits. The terminal-concentrator at the local university dropped you into a command line…you were supposed to then immediately telnet to the VAX on campus, but they didn’t enforce that. I was 13 years old and certainly not a student at said university but boy did I get around using that little trick.

        (This would’ve been like 1993. I’m old.)

        1. 4

          🙏🏾 s/the local university/Sprint/ and that was me too!

          1. 4

            It was an eight year old Amiga 1000 that my dad got at an estate sale for like $20 because it would only boot up about half the time and shut down at random intervals, hooked up to a black and white TV, with an old external 1200 baud modem and a terminal program I got off a disk on the cover of a magazine. I felt like the lord of all creation.

            Man I’m nostalgic now.

            1. 4

              Who ever thought we’d make it this far?

        2. 3

          I remember when internet arrived at my hometown. It was 1996. I am not sure such delay was related to skin color.

        3. 46

          There is no whitemend.

          Outreachy isn’t out to make a monster out of you. It’s trying to correct for GSoC. If you don’t like Outreachy’s policies (a much smaller, less well-funded org than Google), then go through GSoC and Google. You have lots of other options other than Outreachy.

          The code of conduct doesn’t say anything about how white men are bad. Reading the CoC, if you object that strongly to it that you must leave, then please do! That’s the CoC working as intended. You are deciding to exclude yourself by deciding that what the CoC forbids (i.e. being an asshole) is something that you must be and defend.

          Also, one more thing.

          I wish I could explain to people who are privileged one way or another that it doesn’t mean your entire life is handed to you on a silver platter. Being a white male doesn’t mean you can’t be poor or can’t be gay (thus discriminated against) or that you can’t have a slew of other problems.

          It just means you don’t have those problems in addition to also being discriminated for being a woman, for being black, for being anything else.

          1. 5

            Reading the CoC, if you object that strongly to it that you must leave, then please do! That’s the CoC working as intended. You are deciding to exclude yourself by deciding that what the CoC forbids (i.e. being an asshole) is something that you must be and defend.

            I would disagree with that notion. I think it’s certainly possible to disagree with the CoC or parts of it without being an “asshole as the CoC forbids”. Personally and for example, I would say the “Be welcoming” clause is too exhaustive and could be shortened to “Be welcoming to everyone regardless of who they are and choose to be” which would IMO cover the same topics as it does now. The fifth clause is also way too broad and vague. A simple note that discussion not furthering the project or its software, being NSFW or otherwise non-productive would have achieved the same goal and would give moderators more leeway to deal with troublemakers.

            I specifically wonder why number 6 was necessary. It’s a community of coders, if they can’t understand disagreement I seriously question what is going on behind the scenes that warrants such a rule. Does discussion derail so often into low level sand-flinging?

            Not too long ago I was a member of a forum focused around LEGO robots. There were no rules of any kind but plenty of electricians and programmers around, men, women, kids and teens, etc. Everyone was happy to participate and to exchange ideas and code. When there was drama the moderators enacted unspoken rules of the clearly obvious kind. If you insulted someone for no reason you got banned. Same for insulting someone based on their gender. We didn’t need rules for that. It was obvious as day that such behaviour was not something you’d do to have a productive conversation with someone about the intricacies of rubber bands vs gearing.

            1. 8

              I specifically wonder why number 6 was necessary. It’s a community of coders, if they can’t understand disagreement I seriously question what is going on behind the scenes that warrants such a rule. Does discussion derail so often into low level sand-flinging?

              Speaking as someone who has, over the course of many years, moderated things on the internet: things like this exist because otherwise someone will come along and say “but you didn’t say”. It’s an unwinnable battle, there will always be a “but you didn’t say” response to something. You try to cover the big things in a broad way so that people have a general idea.

              I’ve answered many emails as a member of the Pony core team where well meaning people write in to ask “if I do X, would that be against the CoC”. I can’t say that is how every CoC operates, but it’s how I like them to operate:

              Here are some ground rules. If you aren’t sure if what you are going to do violates those ground rules, maybe don’t do it or ask whoever enforces the CoC.

              CoC’s are far from perfect. A large amount of that lack of perfection is that they are administered by people. Establishing some ground rules for a community is better than having none. Most communities have a CoC whether or not they call it that and whether or not it’s explicit. Take HackerNews, it’s called “Guidelines” there. It’s still a statement of some behavior that isn’t acceptable.

              1. 2

                I think if someone goes down the route of “but you didn’t say” that would be grounds for getting a mute from the poor moderator they annoyed. At least back in the forum that was how it was handled. Nitpickers aren’t people who tend to stick around once the people in charge hammer them on the fingers.

                I don’t think Hackernews’ Guidelines are comparable to a Code of Conduct. HN’s book of laws is much more vague and subjective, the word “guideline” already implies a certain amount of softness. Moderators won’t stick to that word-by-word and rather apply common sense on top of the rules. A “Code of X” for me implies a certain rigidness and thoroughness that isn’t present in most of them.

            2. 14

              The code of conduct doesn’t say anything about how white men are bad.

              And yet that is how it has been applied. The organisation is funding a scholarship which is very explicitly open to people of some race/gender combinations and not others. I don’t think finding that unconscionable makes someone an “asshole”; quite the opposite.

              I wish I could explain to people who are privileged one way or another that it doesn’t mean your entire life is handed to you on a silver platter. Being a white male doesn’t mean you can’t be poor or can’t be gay (thus discriminated against) or that you can’t have a slew of other problems.

              It just means you don’t have those problems in addition to also being discriminated for being a woman, for being black, for being anything else.

              Put it this way: I would lay money that, in practice, the average Outreachy scholarship ends up going to someone who has had an easier life than the average open-application scholarship (GSoC or similar). The rhetoric of inclusion is all about underprivileged groups, but somehow the beneficiaries always end up being middle-class college-educated liberals.

              1. 15

                The organisation is funding a scholarship which is very explicitly open to people of some race/gender combinations and not others. I don’t think finding that unconscionable makes someone an “asshole”; quite the opposite.

                Races and genders which are significantly underrepresented in the field they are trying to get them into.

                There are campaigns and organisations here to try and get more male primary school teachers, because males are significantly underrepresented in primary education. Are the people running those organisations and campaigns “assholes” for discriminating against women, who represent over 84% of primary school teachers?

                1. 4

                  He said although he made hiring decisions based on who was the best teacher, irrespective of gender, it would be great to see more men giving teaching a go.

                  That’s what the non-asshole version of this kind of thing looks like. Marketing the career to a particular demographic is fine. Giving that demographic an unfair advantage is not fine.

                  1. 2

                    It’s an unfair advantage that’s not even managing to negate the pre-existing unfair disadvantages that certain groups face.

                    1. 4

                      It’s Simpson’s paradox in reverse: picking an advantaged member of a disadvantaged group over a disadvantaged member of an advantaged group is a negative step for equality that sounds like a pro-equality move.

                2. 6

                  The outreachies I’ve seen have gone to Indian and Eastern bloc girls. You don’t see a lot of those in GSoC.

                  1. 4

                    Sure. That doesn’t contradict what I said: that the beneficiaries of these efforts end up being disproportionately people from the international college-educated liberal middle class (a group that’s far more homogenous in the ways that matter than most races or genders, though that’s a separate discussion), people who have had an easier life with fewer problems than the people they are displacing, even when those people are white and male.

                    1. 4

                      Let’s assume you’re right.

                      How does Outreachy working with international college-educated liberal middle class Indian and Eastern bloc girls displace anyone?

                      1. 2

                        If LLVM is choosing to fund a scholarship with Outreachy in place of funding one with GSoC, the recipient of that scholarship is displacing the person who would’ve received the GSoC one.

                        1. 9

                          Please correct me if I’m wrong, but as I understand it:

                          • LLVM participates in both Outreachy and GSoC.
                          • LLVM doesn’t fund either programme.
                            • Outreachy and GSoC both provide funds for their own programmes.

                          So, neither LLVM nor Outreachy are “displacing” anyone from GSoC.

                          Moreover, no one even signed up for LLVM’s Outreachy! So this is hypothetical “displacement.”

                          1. 1

                            Outreachy doesn’t fund internships, you need to bring your own funding to them. I’m not sure how LLVM is funding their outreachy internships.

                            1. 8

                              [citation needed]

                              Because, from their front page:

                              Outreachy provides three-month internships for people from groups traditionally underrepresented in tech. Interns are paid a stipend of $5,500 and have a $500 travel stipend available to them.

                              And their sponsor page:

                              Outreachy internship stipends, travel fund, and program costs are supported by our generous donors.

                              Same page, “Commonly Asked Questions”:

                              Q: Who pays the interns? A: The Outreachy parent organization, the Software Freedom Conservancy, handles payments to interns.

                              Not to make too fine a point:

                              Q: We have a company internship program. How does that work with Outreachy internships? A: Outreachy internships are completely separate from any other internship program. Outreachy organizers find FOSS communities that are willing to provide mentorship and use corporate sponsorship to fund the internships.

                              1. 1

                                I guess I don’t see how you’re disagreeing with what I wrote. You need to have funding arranged before you can set up an outreachy internship.

                                1. 4

                                  FOSS community provides mentorship. Corporate sponsor provides funding. Internship = mentorship + funding. Outreachy provides internships.

                                  The money from corporate sponsors goes into a pool that is used for all internships. Outreachy is a funds aggregator.

                                  When you say “you need to bring your own funding to them,” who is the “you?” It’s not the FOSS community. It’s not the internship applicant. Who is it?

                                  1. 1

                                    Perhaps the policy changed. When I looked this up in November it was the responsibility of whoever wanted to start an outreachy program for a project to identify a source of funding.

                                    1. 2

                                      According to the Internet Archive, in September of 2017, their policy was exactly the same. It’s the same at least back through the last GNOME Outreachy, over a year ago.

                                      Update: I deleted my follow-on questions. This is the kind of back and forth @pushcx warned about.

                                      1. 2

                                        Did you see my other comment? Each org needs to find a coordinator who needs to find funding for their org (see under coordinator, here: https://www.outreachy.org/mentor/). That might be in terms of corporate sponsorship, but outreachy won’t do that for you.

                                        1. 2

                                          No I didn’t, I missed your self-reply. Sorry about that!

                                          And, yeah:

                                          Coordinator Duties Before Application Period Opens

                                          • Finding funding for at least 1 intern ($6,500)

                                          That’s clear and conflicts with their other pages. “Perhaps the policy changed” indeed. I put more weight on that page, though, than their more advertise-y ones.

                                          mea culpa!

                            2. 1

                              I understood LLVM was funding the scholarship but could easily have misunderstood. In any case it’s beside the point: my point goes through exactly the same if we’re talking about the person a hypothetical open-application scholarship would have selected or a person who was displaced as such.

                              Moreover, no one even signed up for LLVM’s Outreachy! So this is hypothetical “displacement.”

                              Isn’t it just the opposite? If choosing to offer an Outreachy scholarship rather than some other scholarship meant that instead of getting a likely-less-privileged individual they got, not a more-privileged individual but no-one, that’s an even bigger loss.

                              1. 1

                                If choosing to offer an Outreachy scholarship rather than some other scholarship […]

                                They also offer a GSoC scholarship, and there’s nothing to imply Outreachy replaced an alternative rather than being an addition.

                                1. 0

                                  Scholarships don’t grow on trees; surely the fairest comparison to make is offering a scholarship versus offering a slightly different scholarship. (Would you apply the same reasoning if someone wanted to offer a scholarship that was only for white people, say?)

                                  1. 3

                                    I can play this game too, where “displaced” is entirely hypothetical:

                                    • LLVM has displaced compiler developers from gcc!
                                    • My drinking tea tonight displaced a purchase of beer from the bar down the road!
                                    • My mother and father each displaced every other person on the planet born before 1980!

                                    THE INJUSTICE

                                    1. 1

                                      Um, yes, it’s 100% fair to compare gcc to llvm, tea to beer, or your mother and father to other people?

                  2. 8

                    It just means you don’t have those problems in addition to also being discriminated for being a woman, for being black, for being anything else.

                    That’s incorrect in any environment where whites or men are the minority. Human nature dictates that all groups favor those like them and penalize those unlike them. Examining the politics of non-white nations in World History or current affairs confirms those groups are just as racist in the social systems they create. Examining the actions of black administrators or elected officials shows they mostly bring in people like them regardless of what the mix is in their area. The kind of political beliefs behind these Codes of Conduct and privilege assume this doesn’t happen on a large scale by non-whites to whites. The wealth of evidence disagrees with that so strongly that believing in it anyway and suppressing alternative views is comparable to a religious faith. One that damages specific groups while propping up others.

                    Another point folks in favor of those beliefs and CoC’s never bring up is how many minority members disagree with them. The surveys they usually take are almost never worded to assess how many people believe it’s something all groups do to each other. That’s because they’re biased enough to try to just reinforce their own beliefs. In my surveys, I always present both sides asking which they think it is. I rarely meet black or Latino people, the majority of minority members in my area, that think structural oppression is only a white thing. It’s so rare out here. Most think all groups do it but that whites are doing it the most. That’s reasonable. Yet, under CoC’s and associated beliefs, their views would be censored as well since they’d be construed as racist (in their definition) or contributing to reinforcement of it. Likewise, any “language” or “terms” that are racist, sexist… scratch that, which their political beliefs without supporting evidence label as inherently racist, sexist, etc. That too.

                    So, I object to these CoC’s that act like a good chunk of minority members’ opinions don’t matter, that ignore the fact that minorities do structural racism/sexism all the time (by default like people in general?), ignore the fact that whites/men they’re addressing might have been the oppressed minority in a previous environment (or current), and then build social structures and enforcement mechanisms on top of those damaging, faith-based beliefs. I also say this as a white guy who spent years in black-run schools, living a long time in many areas of a black-run city, working in black-run departments and companies. If I write about my experiences or tell it like a 3rd party, the black people always think the person in the story is black, saying the feelings and obstacles are what they endure. When I say they’re white, then the type of people I’m countering say, poof!, none of it counts as evidence of racism. That shows it’s politically-motivated maneuvering, not consistent logic.

                    These should be fought in favor of CoC’s that don’t require everyone in America or the World to believe and speak as if one, smaller, vocal group is unconditionally right in all political claims about these matters.

                    1. 14

                      That’s incorrect in any environment where whites or men are the minority. Human nature dictates that all groups favor those like them and penalize those unlike them. Examining the politics of non-white nations in World History or current affairs confirm those groups are just as racist in the social systems they create.

                      I’m sorry, what are you talking about? I’m from Peru where ‘whites’ are a minority. They are most certainly not discriminated against, quite the contrary. Whiteness is equated to privilege to the extent we have a saying here: ‘El dinero blanquea’, which roughly translates to ‘Money bleaches’.

                      The discrimination comes from factual power, not a head count. Power which was built upon centuries of enslavement and exploitation. Exploitation most members of the white elite minimize and/or are oblivious to.

                      It is the same in other places of South America. Certainly in Brazil, where the author is from.

                      1. 6

                        I’m from Peru where ‘whites’ are a minority. They are most certainly not discriminated against, quite the contrary. Whiteness is equated to privilege to the extent we have a saying here: ‘El dinero blanquea’, which roughly translates to ‘Money bleaches’.

                        I appreciate you sharing your example where one of the minorities has power. That supports my view that it’s highly conditional. Power is one thing that ties into discrimination. Group identity is another. You don’t need centuries of enslavement or exploitation to get one group working for themselves more or against another. It can be a factor, though. Often is. I also noticed you’re mentioning countries where white armies invaded them and their upper classes, not whites in general, did coercive negotiations for trade that benefited them. In this case, it’s real but tied to who did what. You can bet a group invaded by non-whites will also develop some reaction to that group.

                        Whereas around Memphis TN, being white in specific areas won’t get them respect or power due to the slavery that happened in the South. They’ll just get a warning to leave, beat down, robbed, and/or killed. No power. Like with those that invaded Latin America, the power was with a subset of them in high places or any that could get them to act on their behalf. As a civil rights proponent in America, I assure those powerful, white people would try to squash or minimize white people like me when our interests conflict. They hate outsiders even more but I would be treated more like them than your scenario would lead you to expect. I’m still in the outgroup. Just not as far out as Latin America. Same with local blacks or latinos that control specific areas, organizations, businesses, and so on. Being white conveys me large benefits in some contexts, about none in others, kind of negative in others, and violence/death in others.

                        It varies by context is my overall point. It’s not “If white, always this. If non-white, always that.” It’s really complicated. I’m sure I have plenty more to learn about the dynamics of the many groups. Thing is, countering it my way is much simpler than trying to trace it all: being civil, going out of your way to bring in others, accepting each other despite differences, and randomizing/blinding where possible selections/promotions. Increased fairness without further discrimination or hate. It’s simple, but not easy.

                        Edit to all: Other replies will be delayed since I have to work a late shift tonight. Heading out now. Hope y’all have a good day and appreciate all the civil replies so far. :)

                        1. 4

                          Thank you for the thoughtful response. I get a better sense of what you were getting at. I don’t think I’m qualified to say much more on the matter, I don’t think I have a proper grasp of the dynamics of structural exploitation. But I’d like to add a couple of not fully developed ideas.

                          – Whiteness is sometimes used as a proxy for privilege.

                          – Whiteness is context dependent. My cousin from the US grew up in Pennsylvania. Here he is a ‘gringo’; where he grew up he was considered far from white, being called racial slurs when growing up.

                          – It may be a better idea to talk more in other terms w/o proxies. Class politics are more relevant today than race IMHO.

                          – Even in Perú there are some contexts where you can be subject to specific instances of discrimination, but they pale in comparison to the structural discrimination that happens on a day-to-day basis. Which is why (in the context of Latin America at least) I view focusing on ‘reverse racism’ as a mechanism to distract from the larger and more important problem of structural discrimination.

                          also noticed you’re mentioning countries where white armies invaded them and their upper classes, not whites in general, did coercive negotiations for trade that benefits them.

                          I understand and empathize and partially agree with what you are getting at. Certainly you can’t be held personally accountable for every action your government does. But at the same time they have to some extent the support of the general public. At best, you are turning a blind eye to the pain and suffering that supports your economy. But then again, it is our (Latin American) governments which are complicit and also responsible for said exploitation.

                          In the words of a mining worker, when talking to a college student:

                          – You speak of the gringos you’ve seen in Morococha and Cerro (Mines in Perú). But they are millions. Don’t generalize…

                          – So why do they send those who look down on us, cholos, not like people but like dogs.

                          Another thing, the exploitation of Latin America is not limited to ‘economic deals’ and is not something of the past (but there is more than a fair share to blame on our obsequious governments). In the ’90s US companies hired henchmen to kill union leaders. The US Government (through US-‘AID’) provided logistic support for the mass forced sterilization of millions of women in Perú. Or even this decade, the US government, through the DEA, determines the policy and funds the forceful eradication of coca leaves, further contributing to the impoverishment of Peruvian farmers. The coca plant is legal here and is consumed by many in their day to day.

                          1. 1

                            I thank you for your detailed response. That was a mix of interesting and pretty sad. I’m going to back up a bit first on one issue since I was using a simplification that you and @stephenr are showing I probably shouldn’t use, maybe here or in general. I’ll have to think on it. The actual belief I have about the ingroup vs outgroup dynamic is that they’re just treated differently in a way where it’s often positive to the first and negative to the second. It doesn’t have to be. I was just going with the common pattern since it fits both my experiences and minorities in the U.S., which is mostly the topic around this thread. You’ve both given examples where a white outgroup can benefit from their status in other countries. Likewise, there’s examples where the ingroup is in a rough position, with expectations for men or women coming to my mind easiest. One of the worst examples I’ve seen is the tribe that covers people in bullet ants to prove they’re men. I’d rather be the outgroup they look down on forever. ;)

                            On to your comments on exploitation. Far as unions, sterilization, and so on, that’s a side effect of the elites controlling America. They use the media to keep folks under control fighting enemies that aren’t the main enemy. You won’t see the stuff you described on American media much. Instead, it’s stuff that shocks or lets people point fingers temporarily for quick reactions. Next wave of shock happens making them forget what came before that. Americans can’t keep track of history. They can only focus collectively a moment at a time with what’s carefully put in front of them. The parts of the government doing things like you describe are mostly autonomous working for rich and powerful. Those that get voted in do a mix of things they said they’d do and things that appear to benefit their voters with lots of publicity for both. The choices are few with the non-participation and apathy so high that government doesn’t worry about rebellion. It’s kind of a constant rehash of the same games and corruption with businesses getting laws passed benefiting them more and more every year mostly under Americans’ noses since media barely reports on it.

                            So, that’s how that works if you were wondering. When I was young, I never thought handfuls of companies and some government organizations could really control most of several hundred million people with the presence of the Internet, activists getting word out, and so on. Yet, they actually can. They’re also intelligent, focused, well-staffed, and relentless in their pursuits vs masses that are hit and miss on these things with more scattered beliefs, goals, and participation. Just like in this, those fighting over the CoC’s and such aren’t investing effort in joining together against the elites like folks did in MLK days which truly scared them enough to plot murders. If they beat the corruption, they could work law by law, reg by reg, case by case to get a lot done starting with something as simple as due process for workers (I’m union). It takes unity and focus on where the foundational problems are, though, to achieve something like that. Not to knock efforts to improve things elsewhere but we really should be almost all in on dealing with people paying bribes for damaging laws to be passed that give corrupt jurisdictions and companies impunity in their evils. It seems like so much starts right there.

                            Anyway, there’s a lot of people pulling for the folks you describe. They just feel powerless to do anything about it. Also, those that care are so few that giving up products that come from there will change nothing. So, everyone from the consumers to the traders ignore their fleeting thoughts since they need some cheap copper.

                      2. 13

                        I’m not sure how anything you’ve written is relevant to LLVM’s code of conduct. It says: be welcoming of everyone, be considerate, be respectful, don’t make violent threats. All very basic, common sense stuff that the vast majority of people don’t need a checklist to accomplish. I’m not sure how you went from what is actually written there, to this:

                        The kind of political beliefs behind these Codes of Conduct and privilege assume this doesn’t happen on a large scale by non-whites to whites.

                        Which part of LLVM’s CoC do you think is saying this? Do you think the part about being welcoming of everyone regardless of race is non-white people discriminating against white people?

                        1. 8

                          “Violent threats or language directed against another person. Discriminatory jokes and language, especially those using racist or sexist terms. Advocating for, or encouraging, any of the above behavior.” (my emphasis added)

                          It’s those words that are used to block people based on political beliefs. The kinds of people that push CoC’s often have specific views about what is considered racist, sexist, etc. that there’s not a wide consensus on. Any words or behavior will be interpreted in the light of their views. This is doubly true when they get into the moderation positions, which they often aim for. I don’t have to speculate as I’ve been banned from forums for quoting under my own name minority members’ opinions on minority issues. They were racist, sexist, etc. by their definitions. These policies interpreted however they want are the leverage they use to reinforce their own groups or eject other groups. Advocating for is the last term where anyone even debating whether something was racist or sexist might be construed as supporting the racist or sexist person. That’s happened plenty, too.

                          So, it’s the intent behind the terms along with who’s enforcing them, what their beliefs are, and if they’re willing to exclude people with different beliefs on contentious topics. They usually are. So, I oppose those in favor of CoC’s without enforcement of political ideology that focus on people just staying civil, friendly, etc. Those parts of the CoC’s I have no problem with.

                          EDIT to add what I’m fine with since I’d rather not be overly critical of something that’s mostly good:

                          “be friendly and patient, be welcoming, be considerate, be respectful, be careful in the words that you choose and be kind to others, and when we disagree, try to understand why.”

                          Most of the weaseling is built into that “be careful in the words you choose” part. Minus the weaseling, even quite a few points in that section are good. Also note that we don’t have to speculate given Lobsters already has enforcement that’s similar to what I’m advocating for. Our moderators may agree or disagree with people’s political views but haven’t ejected anyone for stating their views with data in a civil way. Our community is still a thriving, functioning community despite any political scuffles.

                        2. 11

                          That’s incorrect in any environment where whites or men are the minority.

                          I guess you’ve never been to Thailand. Whites are a ridiculous minority, but they’re held in such high regard by a large percentage of the population.

                          Edit: and to clarify, this isn’t the same situation as @PuercoPop’s:

                          Thailand was never colonised, has never been under ‘white’ or ‘western’ rule and was not a ‘source’ for slavery by whites. Heck, whites (without getting Thai citizenship, which, holy shit is that a long process) can’t own land, can’t own more than 49% of a company, etc.

                          Try to find some Thai soap operas on YouTube - notice how all the actors are very pale skinned: they’re all half-Thai, half-white. If they want to show a ‘poor brown girl’ (believe me, their stereotype, not mine) they literally take a Thai/White actress, and use makeup/body paint/whatever to show their version of what anyone else would think of as a ‘natural’ brown skin.

                          I’ve been stopped at police licence checkpoints, and the cop has been so excited just to say hello to a white guy he doesn’t even care if I have a licence.

                          1. 4

                            Of course structural oppression isn’t a white only thing. Anyone can discriminate against anyone. And sure, in localized areas some groups can oppress others in different ways than the average. That doesn’t mean CoCs shouldn’t try to prevent racist / sexist conduct.

                            What things do you see in CoCs that minority members disagree with, that unfairly construes their beliefs as racist? Or disregards their opinions? Or ignores that whites/men may have been the oppressed minority in their environment?

                            1. 4

                              That doesn’t mean CoCs shouldn’t try to prevent racist / sexist conduct.

                              I didn’t say that. I said it’s usually interpreted in a way where racist and sexist conduct has definitions that usually mean whites/males can’t experience the negatives, are often responsible for them (supported point in general case), and inherently have the positives. Evidence strongly counters two of those showing it has to be judged case by case, place by place, etc. For instance, the forums dominated by the types of people with that ideology make them the majority with the structural power to include, exclude, oppress, and so on. By their own definitions this is true. Yet, any person in a different group dissenting in such a place will be told they’re the “majority” with “privilege” who wouldn’t understand the… blah blah blah. Actually, at least in that context, they’re a minority getting treated worse than its majority at risk of damaging effects of discriminatory treatment. This plays out in other contexts like school, work, etc. where non-whites or non-males in the majority positions reinforce themselves at others’ expense. A general pattern.

                              Far as minority members disagree with, who are the minority members? That’s exactly what I mean. It depends on who you’re talking about in what context. Someone who is a minority member in one environment might be part of the privileged majority in another. The very definitions of who constitutes a minority (absolute vs conditional), what defines racism, who has privilege… these are in dispute across the nation. Many non-white and non-males dispute some of the same points, too. So, starting from a specific set of views on it being true with enforcement working from there is already discriminating against all who disagree. They’ve not proven these views with evidence either.

                              Note: You can try to cheat with legal terms that one side or a group of them got in but treating the law as truth or moral is dangerous. Slavery and women not having rights were legal. So, my definitions are about reasonable categories people are in with their numbers or influence compared to groups of other categories.

                              The evidence collected on a global scale indicates that all groups in power reward their own and oppress others. So, if by evidence, this stuff will be conditional with every group monitoring themselves for bias boosting their outgroups when they don’t get a fair shake: not just whites or males being monitored with everyone boosting non-whites or non-males in all scenarios. In this country or in the tech scene, the results would mostly be boosting non-whites or non-males to correct existing imbalances just on the numbers alone. No argument there. Yet, other things wouldn’t be taboo or inconsistent with the rules: a mostly black or women organization in a mixed area with people in other categories having skills would be said to give more privilege to blacks/women, possibly structurally racist/sexist in hiring if ratios of workers vs supply were really skewed, encouraged to diversify, and activist action taken if they didn’t. Just like such people would do with white or male majority structurally reinforcing their own groups.

                              We don’t see this. Most of the types that push and want to enforce CoC’s frame it as one thing by definition with whites or males on high-privileged/victim-creating side in all situations. That’s dishonest. I’ll take “this happens more often than that” but not “this never happens or we should act like it doesn’t exist.” With that, they can’t eject people for disagreeing with them on what counts as discriminatory language or behavior if it’s something there’s no consensus on by people who otherwise are against a lot of clearly-discriminating behavior. Further, they might be more likely to go with diverse inclusion plus blind evaluation/selection to correct imbalances instead of ignore whites/males much as possible to only focus on everyone else. One is inherently more fair achieving a similar goal.

                              1. 2

                                But don’t you think that being the privileged majority in the society you live in will have more to do with shaping your experience and fortune in the world than being the privileged majority in an online message board or OSS project?

                                1. 3

                                  In the spaces I live in, my lack of privilege as a white minority in many contexts has likely cost me mental health, plenty of humiliation, confusion, physical beatings, missed dates, missed jobs, missed promotions, and so on. Coworkers locally were just telling me recently about black-run classes singling them out for opposing beliefs. Things they say get an entire room screaming at them to intimidate them into silence on top of whatever penalties the teacher might give. More extreme versions of this ideology are going campus to campus all over the place taking on a life of their own where students are doing things like holding up signs protesting inferred problems in words or ideas of instructors that are there to help them during class.

                                  Again, I’m a white male who doesn’t or can’t have such problems in a structural way according to specific groups in the United States despite the evidence of such things happening with non-white or non-male majorities. The forum example was just easier for people to see where you can tell the white male is not in control, is subject to the whims of others, and can be damaged for that. People causing outgroups problems is totally predictable in my model. That’s not the interesting thing. The interesting thing about the forum example is that the people in control who are the majority continue to describe their limited, powerless target in the same terms like powerful and majority. It doesn’t usually change as the circumstances change. It’s usually politics or religion when people’s beliefs or dictated rules don’t change when data flips by 100%.

                                  So, it’s not what they say it is or consistent. That’s enough reason to resist it. That following it would damage more innocent whites or males making them suffer as so many of us did is even more reason. You could say what motivates me to write these posts isn’t much different from what motivates those on the other side with personal experiences in racism or sexism to write their posts. It’s not “reverse (ism)” so much as all the same evil to me. Once we see and experience the evils, we have to stop them from continuing in any form they’ll take. Another thing I noticed is we seem to do it for others’ sake more than ourselves as we can’t undo what we experienced. We’ll always be a bit fucked up by it. We can maybe stop someone else from having to experience that, though. I want someone else to be everyone instead of “everyone but whites and males.”

                                  As usual, that’s on top of all the non-whites and non-males I care about and try to help. They just get a lot more attention and support than this other cause. Hence it being a focus area you’ll see me on. Plus, having been affected so strongly, that’s a motivational bias of mine on top of it.

                                  1. 4

                                    @nickpsecurity, that sucks. You’ve been a victim of structural discrimination. Worse, because it’s not a politically sexy or easily visible form, people continually reject your experience. That. Sucks.

                                    In the past, if I’d heard your narrative, I’d have dismissed you by thinking something like “this white dude forgets he always has the option to leave, unlike …” But that’s unfair.

                                    You’ve been a member of these communities, for years. You’ve been a decent person. You have family, friends, colleagues, social capital, and memories in these communities. To tell you “get up, leave, move on” is to ignore the simple reality that we’re social animals and structural discrimination harms everyone.

                                    Thank you for your repeated posts on this point. At the very least, you got through my thick head. Hopefully, in the future, I can be a better person for it.

                                    1. 2

                                      Damn. That means a lot to me you saying that. I sent a private message not long ago about your comments being interesting as usual on these discussions. More than usual with one comment about you getting beat up for talking white to presumably get ahead whereas I was learning early to talk or act black to attempt inclusion in my environment. It’s because some of what you wrote seems like you might have started in similar circumstances as me going in an opposite direction to find yourself with opposite views. Maybe a stretch to say two sides of same coin but that metaphor popped into my head at least. Then, we end up here in this moment on this forum. A trip, eh?

                                      It’s why I fight for flexibility on these topics in these discussions in wherever places I can. It’s painful and costly but the moments I learn from or reach people are worth it to me. I think those moments are critical. Probably gotta get to sleep now as I intended to. I just had to respond to that comment. :)

                                      Edit: Oh yeah, sleepy enough I forgot to say Good Night.

                        3. 16

                          demonization of political groups (and to some extent, white men)

                          I’m a white man in tech and I can count the number of times I’ve been demonized on zero fingers.

                          demonization of political groups

                          The dominant political party in this country has in black and white in its party platform a desire to make same-sex marriage illegal (while simultaneously claiming “government overreach” is a bad thing). If hearing that we shouldn’t punish gay people just for being gay makes you uncomfortable, well…it’s supposed to.

                          (That same party has in its platform a denial of anthropogenic climate change, an existential threat to our civilization; the denial of which has zero scientific backing… but no, we can’t tell them that they’re wrong.)

                          More importantly, the stuff I’m talking about above is also banned. You can’t go to a conference and talk about how “Republicans are stupid”. You’d be asked to leave or at least tone it down.

                          The problem is that a lot of people hear “don’t be an asshole” and they think “man when I tell transgender folks they’re stupid and make jokes about gay people I get called an asshole (totally unjustifiably!) and I might get in trouble. Ugh, SJW’s!”

                          Remember when no one on the internet cared what you looked like, believed, or who you loved? I want to go back to that :/

                          I’ve been on the Internet since around 1992. That’s only three years after the very first consumer ISP served its first customer.

                          Was there a large contingent of people who really did believe that? Absolutely, I mean, I was one of them. Were there plenty of racists, sexists, homophobes, and bigots of all stripes? Absolutely. Go look at old Usenet archives from the 80’s and 90’s. Racism, sexism, homophobia abound. There was a long diatribe against same-sex marriage on a Perl newsgroup for some damn reason around 1996; there were plenty of people who chimed in and agreed. Various big names in the early hacker community were famously bigoted (often hiding behind “libertarianism” while simultaneously claiming women and black folks are just inherently inferior and it’s “just science”).

                          The “good old days” are very often viewed through rose-colored glasses. People were people back then too, for all the good and the bad.

                          1. 16

                            Remember when no one on the internet cared what you looked like, believed, or who you loved? I want to go back to that :/

                            This was never true. People on the internet have always cared about who you are in ways that factor these things in. The fact that the (largely white) nerd culture contingent who had a lot of influence on the early internet has decided to tell this utopian story does not make it any more true than stories your grandpa tells about respectful children and walking both ways uphill in the snow.

                            1. 23

                              It’s less that “No one cared what you looked like” and more “Everyone assumed you were a white dude with roughly conformal beliefs, behaviors, and similar.”

                              1. 3

                                There’s no contradiction. Both those things were true.

                            2. 12

                              Remember when no one on the internet cared what you looked like, believed, or who you loved?

                              And look where it got us. Toxic subcultures, huge gender inequality in the workplace, software products that simply don’t work for many groups of people… The field was biased towards white male hackers from the very beginning, and “not caring” only increased this bias. No, I don’t want to go back to that, I want to fix it.

                              Updated:

                              Also, “no one on the Internet cared what you looked like” simply because they technically couldn’t: nicknames and plain text don’t divulge much. As soon as we got real names and YouTube it became obvious that the majority of people care very much about what you look like. So a young girl making a guitar cover or an Ubuntu installation walk-through mostly gets “you’re hot” and “nice boobs” comments.

                              1. 16

                                People with privilege have been getting more and more outraged that the world is discriminating against them. They see it as unfair. Yes, it’s discrimination and that sucks. But it’s infuriating when they paint it as unfair, because that implies they’re somehow being disproportionately discriminated against, that the discrimination is unfairly balanced against them. And of course that’s nonsense. These privileged people, intentionally or not, feel they’re entitled to live free from any and all discrimination at the expense of those less privileged.

                                Remove yourself from the politics and think about a simple model instead of race, sex, gender, or orientation. Just group A and group B.

                                • members of group A receive 120 points a day
                                • members of group B receive 80 points a day

                                Members of group A develop a belief system that they are entitled to their 120 points. When some members of group B try to increase their points to 85, and that lowers the group A points to 119, the members of group A become angry. They say the members of group B are being unfair.

                                Group A believes that group B should not take any action that decreases their daily points. Group A compares their loss of 1 point to group B’s initial 40 point deficit, drawing a false equivalency. Some subset of A, group A’ deliberately take points from group B members around them to restore their original 120 points. Group A’ claims this is fair.

                                Group A’ bands together to institutionalize the 40 point difference. Some extreme members of group A’ even try to widen the 40 point difference. Group A’ comes to believe at an institutional level that the 40 point deficit either doesn’t exist, or is somehow natural and fair. Group A’ believes they hold the moral superiority by defending their 120 points.

                                Members of group B continue to try to elevate themselves, but A’ demands that all work done by group B must benefit group A’ equally. A’ considers this fair. Groups A and B focus on elevating group B rather than bickering with group A’ about whether 1 equals 40. Some members of both groups A and B institutionalize polite exclusion of group A’ just to simplify the whole thing, because they’re tired of bickering.

                                A vocal minority demonizes group A’ for their actions. Some members of group A find this demonization troubling. A larger and less vocal group of A and B think group A’ is a bunch of fucking douchebags, and start to actively exclude A’ rather than deal with their asinine bullshit. A surprising amount of group A wonders if this exclusion is fair or reasonable. Group B, and an increasing amount of group A, respond “are you fucking joking my ass what the actual fuck?”

                                If you’re a member of group A, please try to empathize with group B. Next time you feel discriminated against for your group A membership, take a step back and reflect on how you’re feeling in that moment. Try to imagine what it’s like to feel that way every single day of your life, at work, on the street, or in your own home through the media.

                                1. 2

                                  But it’s infuriating when they paint it as unfair, because that implies they’re somehow being disproportionately discriminated against

                                  I think there is more to this implication than you’re letting on, because it makes assumptions about what “fairness” actually means from the person wielding the term. You’ve assumed one definition, but perhaps someone else has another in mind. As a nominal example, consider this implication in different ethical frameworks (say deontological or Kantian ethics versus utilitarian). Is it true in all of them? Alternatively, do you dismiss ethical frameworks in which it isn’t true as nonsense or intractable? Either way, those are important assumptions to state, because your entire comment appears to rest on them.

                                  (I do wholeheartedly agree with your final paragraph, but try my best to perhaps apply it as much as possible, with a healthy dose of perspective taking on all sides. I don’t always succeed!)

                                2. 4

                                  I’m glad to see this trend of standing up against poltiical [sic] exclusion in Open Source.

                                  Me too, I just wish more people would up and leave, instead of stick around and yell about “reverse discrimination” and such. I’m definitely coming at it from a selfish angle (and concern for my friends), I’m just really tired of people who “disagree” with us existing, at best, and actively harass us at worst. The only way I can participate in open source is anonymously, which means it’s mostly uncredited work. It’s just not worth the toll it takes on my mental health. Of course, whenever possible, I contribute to projects/communities who show that they are aware of these issues, and are actively doing something about it.

                                  Looking forward to the Incorrect, Off-topic, and Troll downvotes.

                                  1. 4

                                    I think it’s a loss when someone who can write code leaves an OSS project. I also think that discrimination, which you refer to as “reverse discrimination” in certain contexts, is bad, end of story. I don’t want anyone to be discriminated against. “Contribute good code” is all I ask of people looking to work with me. Politics are boringly unproductive towards that goal.

                                    1. 4

                                      I think it’s a loss when someone who can write code leaves an OSS project.

                                      I don’t, if they keep other people away who can also write code. I honestly can’t understand what’s wrong with participating in this, unless you believe (actual) discrimination isn’t real.

                                      1. 2

                                        I do believe actual discrimination is real but I think discriminatory internships aren’t the solution as they only lead to problems down the road. It’s great that Outreachy is doing it and I believe they honestly think it’s the correct solution but I simply can’t agree on that.

                                1. 28

                                  After reading the article and many HN comments, I found the headline to be highly misleading as if they’re targeting Signal for their activities in fighting censorship. It’s actually more incidental. They’re targeting a fraudulent practice Signal is doing that violates terms of service. Signal is doing it for good reasons but others might not. Google and Amazon are trying to stop it wholesale. A proper headline might be that “Several providers threaten to suspend anyone doing ‘domain fronting’ via hacks, including us.” Average person reading something like that would think it sounds totally to be expected. A technical person liking Signal or not should also notice the MO is an operational inconsistency that shouldn’t exist in the first place.

                                  So, they’re not doing a bad thing given the situation. They’re just an apathetic, greedy party in a business context fixing a technical problem that some good folks were using to help some other good folks deal with evil parties in specific countries. Sucks for those specific people that they did it but they’re not aiming at Signal to stop their good deeds. They’re just addressing an infrastructure problem that affects anyone hacking around with their service. Like they should.

                                  I wish Signal folks the best finding another trick, though.

                                  1. 16

                                    I think the correct headline would be “AWS is fixing a bug allowing domain fronting and calling it Enhanced Domain Protections”. An analogous situation would be console homebrew people exploiting buffer overflows in Nintendo games. Of course Nintendo should fix them, and like you, I root for console homebrew people to find another one.
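
The "bug" the comment above refers to is the gap between two names a CDN edge sees on one HTTPS request: the hostname in the TLS SNI extension (used to pick the certificate) and the hostname in the HTTP `Host` header (used to pick the tenant and origin). When the edge routes purely on `Host`, a request can be carried under one customer's certificate and delivered to another customer's distribution. The model below is an added example, not code from Amazon, Google or Signal, and it assumes a simplified edge where both names are available to the same routing step; the tenant table, hostnames and sample requests are all constructed. It contrasts the permissive routing with the strict check that rejects a request whose SNI and `Host` resolve to different tenants, which is the class of check that closing domain fronting requires.

```python
"""Toy CDN edge: Host-only routing vs. an SNI/Host consistency check.

Added example (hypothetical edge, constructed data). Not the code of any
real provider; it only illustrates the class of check being discussed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed tenant table: distribution id -> hostnames it is allowed to serve.
# The ids and domains are placeholders, not real CDN distributions.
DISTRIBUTIONS = {
    "dist-aaaa": {"www.bigco.example", "bigco.example"},
    "dist-bbbb": {"chat.smallorg.example"},
}


def normalize(hostname: Optional[str]) -> Optional[str]:
    """Lower-case a hostname and drop an explicit port ('Host: a.example:443')."""
    if hostname is None:
        return None
    hostname = hostname.strip().lower().rstrip(".")
    if ":" in hostname and not hostname.startswith("["):  # skip IPv6 literals
        hostname = hostname.split(":", 1)[0]
    return hostname or None


def owner_of(hostname: Optional[str]) -> Optional[str]:
    """Return the distribution id that serves hostname, or None if unknown."""
    hostname = normalize(hostname)
    for dist_id, names in DISTRIBUTIONS.items():
        if hostname in names:
            return dist_id
    return None


@dataclass
class EdgeRequest:
    sni: Optional[str]   # TLS server_name; None for plain HTTP or no-SNI clients
    host: str            # HTTP Host header
    tls: bool = True


def route_by_host_only(req: EdgeRequest) -> Optional[str]:
    """Permissive edge: tenant is chosen from Host alone, SNI is ignored.

    This is the behaviour that makes fronting possible: the TLS handshake
    completes for req.sni's certificate, but the request lands in the
    distribution that owns req.host.
    """
    return owner_of(req.host)


def route_strict(req: EdgeRequest):
    """Strict edge: accept only if SNI and Host belong to the same tenant.

    Returns ('allow', distribution_id) or ('reject', reason). Plain-HTTP
    requests have no SNI, so only the Host lookup applies to them.
    """
    host_dist = owner_of(req.host)
    if host_dist is None:
        return ("reject", "unknown-host")
    if not req.tls:
        return ("allow", host_dist)
    if req.sni is None:
        # A TLS client that sent no SNI gives us nothing to cross-check.
        return ("reject", "missing-sni")
    sni_dist = owner_of(req.sni)
    if sni_dist is None:
        return ("reject", "unknown-sni")
    if sni_dist != host_dist:
        return ("reject", "sni-host-mismatch")
    return ("allow", host_dist)


if __name__ == "__main__":
    samples = [
        EdgeRequest("www.bigco.example", "www.bigco.example"),      # ordinary
        EdgeRequest("www.bigco.example", "BigCo.example:443"),      # same tenant, odd casing/port
        EdgeRequest("www.bigco.example", "chat.smallorg.example"),  # fronted
        EdgeRequest(None, "chat.smallorg.example", tls=False),      # plain HTTP
        EdgeRequest("nobody.example", "www.bigco.example"),         # SNI not ours
    ]
    for r in samples:
        print(f"sni={r.sni!r:26} host={r.host!r:26} "
              f"host-only={route_by_host_only(r)!r:12} strict={route_strict(r)!r}")
```

The detail worth keeping from this toy is that the comparison is between tenants, not raw strings: `www.bigco.example` and `BigCo.example:443` should still pass, so the edge normalizes and maps both names to a distribution before comparing. A raw string equality check would break legitimate multi-hostname distributions while still closing the fronting path.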

                                    1. 3

                                      That’s another good one. It’s just a bug in their services. Them not fixing it would be more questionable to me.

                                    2. 9

                                      I found the headline to be highly misleading as if they’re targeting Signal for their activities in fighting censorship. It’s actually more incidental.

                                      And that’s why they immediately sent Signal an email containing a threat to close the account immediately, instead of a regretful email telling them that this will stop working due to abuse prevention measures.

                                      1. 1

                                        In my experience that’s generally how they treat literally any issue.

                                      2. 5

                                        Signal is doing it for good reasons but others might not.

                                        I’m failing to think of a way to use domain fronting for a not good reason, especially one where the provider being fronted is still happy to host the underlying service.

                                        1. 4

                                          There is nothing fraudulent about domain fronting. Show me one court anywhere in the world which has convicted someone of fraud for domain fronting. That’s a near-libelous claim.

                                          Can you provide an example of a “bad reason” for domain fronting?

                                          As the article points out, the timing of Amazon’s decision relative to the publicity about Signal’s use of domain fronting suggests that Signal is in fact the likely intended target of this change, not incidental fallout.

                                          The headline is accurate. Your comment really mischaracterizes what is happening.

                                          1. 3

                                            I meant it in the popular definition of lying while using something. Apparently, a lot of people agree its use isn’t what was intended, the domains supplied are certainly not them, and service providers might negatively react to that. It would probably be a contract law thing as a terms of use violation if it went to court. I’m not arguing anything more than that on the legal side. I’m saying he was doing something deceptive that they didn’t want him to do with their services. Big companies rarely care about the good intentions behind that.

                                            “the timing of Amazon’s decision relative to the publicity about Signal’s use of domain fronting suggests that Signal is in fact the likely intended target of this change”

                                            The article actually says he was bragging online in a way that reached highly-visible places like Hacker News about how he was tricking Amazon’s services for his purposes. Amazon employees stay reading these outlets partly to collect feedback from customers. I see the cloud people on HN all the time saying they’ll forward complaints or ideas to people that can take action. With that, I totally expected Amazon employees to be reading articles about him faking domains through Amazon services. Equally unsurprising that got to a decision-maker, technical or more lay person, who was worried about negative consequences. Then, knowing a problem and seeing a confession online by Signal author, they took action against a party they knew was abusing the system.

                                            We can’t just assume a conspiracy against Signal looking for everything they could use against it with domain fronting being a lucky break for their evil plans. One they used against Signal while ignoring everyone else they knew broke terms of service using hacker-like schemes. If you’re insisting targeted, you’d be ignoring claims in the article supporting my position:

“A month later, we received 30-day advance notice from Google that they would be making internal changes to stop domain fronting from working entirely.”

“a few days ago Amazon also announced what they are calling Enhanced Domain Protections for Amazon CloudFront Requests. It is a set of changes designed to prevent domain fronting from working entirely, across all of CloudFront.”

                                            It’s a known problem they and Google were apparently wanting to deal with across the board per his own article. Especially Google. They also have employees reading forums where Signal was bragging about exploiting the flaw for its purposes. I mean, what did you expect to happen? Risk-reducing, brand-conscious companies that want to deal with domain fronting were going to leave it on in general or for Signal since that one party’s deceptions were for good reasons according to claims on their blog?

Although I think that addresses it, I’m still adding one thing people in the cryptotech-media bubble might not consider: the manager or low-level employee who made the decision might not even know what Signal is. Most IT people I’ve encouraged to try it have never heard of it. If you explain what it does, especially trying to get things past the governments, then that would just further worry the average risk manager. They’d want a brick wall between the company’s operations and whatever legal risks the 3rd party is taking to reduce their own liabilities.

So, there are at least several ways employees would react this way, ranging from a general reaction to an abuse confession online to one with a summary of Signal about dodging governments. And then, if none of that normal stuff that happens every day at big firms applies, you might also think about Amazon targeting Signal specifically due to their full knowledge of what they’re doing plus secret, evil plans to help governments stop them. I haven’t gotten past the normal possibilities, though, with Amazon employees reading stuff online and freaking out being most likely so far.

                                            1. 3

                                              This rings true to me (particularly the middle-management banality-of-evil take), bar one nitpick:

                                              The article actually says he was bragging online in a way that reached highly-visible places like Hacker News about how he was tricking Amazon’s services for his purposes.

                                              How did you get that impression? The article states:

                                              We’re an open source project, so the commit switching from GAE to CloudFront was public. Someone saw the commit and submitted it to HN. That post became popular, and apparently people inside Amazon saw it too.

                                              I haven’t read the mentioned HN thread, but that hardly constitutes “bragging online”.

                                              1. 2

                                                I can’t remember why I originally said it. He usually blogs about his activities. I might have wrongly assumed they got it out of one of his technical write-ups or comments instead of a commit. If it was just a commit, then I apologize. Thanks for the catch regardless.

                                          2. 3

                                            “Service provider warns misbehaving customer to knock it off after repeated RFC violations.”

                                          1. 3

                                            CentOS had the same problem almost 10 years ago now. They apparently managed to sort it out a couple of months after they went public, so hopefully Void manages to do the same.

                                            1. 5

                                              Those are some pretty flaky arguments regarding OpenBSD. What is “theoretical” SMP? I’m running this from a 4-core OpenBSD laptop. You know, non-theoretically. Same language snark goes with vmm: they tried to implement a hypervisor? I’ll be sure to inform mlarkin of his failure to execute. It may not be what the author wants, but that’s a different story. Anyway, if there are good comparisons between the two systems security-wise, they look like they’re in that chart from https://hardenedbsd.org/content/easy-feature-comparison. Is it up to date with the recent anti-ROP efforts?

                                              1. 2

It is. OpenBSD has an SROP mitigation, whereas HardenedBSD doesn’t. HardenedBSD has non-Cross-DSO CFI (Cross-DSO CFI is actively being worked on), whereas OpenBSD doesn’t. HardenedBSD also applies SafeStack to applications in base. CFI provides forward-edge safety while SafeStack provides backward-edge safety (at least, according to llvm’s own documentation).

HardenedBSD inherits MAP_STACK from FreeBSD. The one thing about OpenBSD’s MAP_STACK implementation that HardenedBSD may lack (I need to verify) is that the stack registers (rsp/rbp) are checked during syscall enter to ensure they point to a valid MAP_STACK region. If FreeBSD’s syscall implementation doesn’t do this already, doing so would be a good addition in HardenedBSD.

                                                So, there’s room for improvement by both BSDs, as should be expected. It looks like OpenBSD is starting the migration towards an llvm toolchain, which would allow OpenBSD to catch up to HardenedBSD with regards to CFI and SafeStack.

                                                Sorry for the excessive use of commas. I enjoy them perhaps a bit too much. ;)

                                                1. 1

                                                  I haven’t read the whole article, because I’m not interested in HardenedBSD.

                                                  What is “theoretical” SMP? I’m running this from a 4-core OpenBSD laptop. You know, non-theoretically.

                                                  The article is indeed vague about it, but I think the author meant scalability issues. Too much time spent in the kernel space.

                                                  Same language snark goes with vmm: they tried to implement a hypervisor? I’ll be sure to inform mlarkin of his failure to execute.

                                                  I don’t have any experience with virtualization, but the point seems to be that you can only have OpenBSD and Linux guests under an OpenBSD host which compares less than something like bhyve.

                                                  1. 1

                                                    SMP

From what I have read about SMP on OpenBSD, it’s not that it would not detect 4 or 64 cores, it’s that its subsystems (like FreeBSD 5.0, for example) were not entirely rewritten to fully utilize all cores, and that in many places the so-called GIANT LOCK is still used. This may have changed recently; sorry if the information is not up to date.

                                                    vmm

Now it’s very limited: can you run a Windows VM on it? … or a Solaris VM? Last I read about it, only OpenBSD and Linux VMs worked.

                                                    Is it up to date with the recent anti-ROP efforts?

I am not sure, you may ask here - https://www.twitter.com/HardenedBSD - or on the HardenedBSD forums - https://groups.google.com/a/hardenedbsd.org/forum/#!forum/users

                                                    1. 3

                                                      or Solaris VM? Last I read about it only OpenBSD and Linux VMs worked.

It runs Illumos derivatives (e.g. OpenIndiana). There’s a specific feature missing that FreeBSD/NetBSD need which is being worked on. It doesn’t run Windows because Windows needs graphics.

                                                      1. 2

Thanks for the clarification, I hope that graphics support/emulation will also come to vmm soon.

                                                        I added that information to the post.

                                                    2. 1

I’m not sure, the article seems like it makes an honest enough comparison between HardenedBSD and OpenBSD that I’ll make OpenBSD a priority to consider the next time I need a truly secure OS.

                                                      1. 3

                                                        The “One may ask…” paragraph is so slanted toward HardenedBSD over OpenBSD that I’d have immediately assumed a HardenedBSD developer or fan was writing it.

                                                        1. 1

Tried my best, I thought that it was clear enough from the article that OpenBSD is secure for sure while HardenedBSD aspires to that target with the FreeBSD codebase as a start …

                                                      1. 2

                                                        Congrats! Is anybody using DragonFly on production? Why do you choose it over FreeBSD or OpenBSD?

                                                        1. 3

Because HAMMER. OpenBSD doesn’t have an equivalent filesystem option. FreeBSD has ZFS, which is very nice, but it’s also huge. HAMMER by comparison is a simple implementation of a “modern” (snapshotting, checksumming, deduping) filesystem.

                                                          1. 1

I have never used HAMMER. Apart from having a simpler implementation (which is really nice and difficult to do), is there any big advantage of using HAMMER over ZFS? Apart from HAMMER, is there any other feature that you recommend us checking out?

                                                        1. 10

                                                          This isn’t a Gmail issue, this is a Netflix issue. I had the same type of email come to an account that I didn’t use for Netflix, and it was a single-click login to someone else’s account. They’re sending a link in plaintext via email that requires no authentication to access your account!

                                                          1. 2

                                                            Is it surprising that access to the associated email address grants access to the account? This is the security model of an awful lot of websites (including the one you’re reading this on) because that’s where password reset links go.

                                                          1. 12

                                                            I’m planning to build (and open source) a ~13” e-ink tablet, with a kickstand so I can use it as my personal computer as well (alongside my Atreus keyboard). I’d ideally like to run OpenBSD on it—currently I use macOS for work for pragmatic reasons (on a 2015 Macbook Air), but wish to more fully align with my ideals and so my plan currently is to put OpenBSD on an external SD card and see what my pain points are.

                                                            Would love to hear about the current best options for desktop BSDs! I just like OpenBSD’s philosophy, and feel I can make a fun project out of addressing any pain points I have with it (I’m a little worried to see the current state of font rendering, for instance—but that is completely unfounded and I really just need to dive into OpenBSD this weekend.)

                                                            As far as my e-ink display project, it’s a tool that I want to exist but doesn’t. While researching to make sure I wasn’t reinventing the wheel, I did find an eerily similar product, but it doesn’t meet all of my criteria. I’m not worried about the cost of developing such a device, as it’s a passion project. Once it’s finished, I’ll gauge interest in crowdsourcing a production run for anybody else who would find it useful. I still have research to do on the current state of e-ink refresh rates and multicolor e-ink tech, as well as a hefty amount of research to do on actually architecting the device. Once I have any sort of progress done, I’ll be sure to share. :-) I’m just grinding through my life’s backlog currently.

                                                            1. 16

                                                              I’m a little worried to see the current state of font rendering, for instance—but that is completely unfounded and I really just need to dive into OpenBSD this weekend.)

                                                              I can assure you—you get used to Comic Sans being the only font on the system. It’s not so bad.

                                                              1. 3

                                                                I can assure you—you get used to Comic Sans being the only font on the system. It’s not so bad.

                                                                It’s not nice to tease /u/molloy like that. OpenBSD has lots of nice fonts packaged, like Source, Fira, Roboto, Noto, Cantarell, Ubuntu, etc.

                                                                1. 4

                                                                  I love being teased ^_^

                                                                  But I appreciate your thoughtfulness <3

                                                              2. 5

                                                                I’m a little worried to see the current state of font rendering, for instance

                                                                Is your problem that fonts look blurry? OpenBSD has freetype’s autohint disabled by default, the difference is night and day. See here for the general idea of how to enable it.

                                                                1. 1

                                                                  JPEG artifacts kinda kill the comparison.

                                                                  1. 4

                                                                    Hmm, let’s try again with an image host that hopefully doesn’t compress PNGs like imgur does.

                                                                    Bonus: newsblur is among the worst I’ve seen when autohinting is disabled.

                                                                    1. 3

                                                                      Bonus: newsblur is among the worst I’ve seen when autohinting is disabled.

Hmm, are you saying NewsBlur makes things blurry?

                                                                      1. 2

The word newsblur there is a link to an image showing what it looks like with autohint enabled vs disabled. Hyperlinking the word newsblur probably made it look like a link to the site, I should have chosen that better.

                                                                        1. 3

                                                                          Sorry, I was trying to make a joke, and it failed badly.

                                                                2. 5

                                                                  I still have research to do on the current state of e-ink refresh rates and multicolor e-ink tech

                                                                  Prepare for some disappointment. :-) I mean, I’ve been checking refresh rates on e-ink OEM spec sheets for the past few years and they’re improving, but not even close to usable for a general-purpose display. See for example the PC Mag review of the product you linked to. (Unless perhaps you’re really patient and can adapt to paging rather than scrolling, etc?) It comes down to the basic physics of e-ink, which involves mechanical rotation of micro-capsules: sort of intrinsically slow relative to electronics. Some devices optimize for updating only a very small part of the display at a time: the best I know of is the reMarkable, which put a lot of work into that.

                                                                  As for color e-ink tablets, I’ve never seen such a thing, but a coworker claims that some Russian schools use them, just the colors are very faded.

                                                                  If (like me) you just want a sunlight-readable display, you’d be better off with a transflective LCD… which are also hard to find. Can’t beat e-ink for low power consumption, though.

                                                                  1. 4

                                                                    OMG this sounds amazing! (I say this, typing on an atreus!)

                                                                    Please do share when you’ve done it!!

                                                                    1. 3

                                                                      Yes indeedy I would read and upvote such a post with relish :)

                                                                      1. 2

                                                                        Will do! I’ll most likely blog about the process as well :-)

                                                                    1. 2

                                                                      How many OpenBSD users? Note that the user-agent for chromium on OpenBSD contains (X11; OpenBSD amd64; Linux x86_64) because of sites that serve degraded pages when they don’t recognise the OS.

                                                                      1. 2

                                                                        TIL! Seems to be 12 unique IP addresses (10 unique user agents) that have both Linux and OpenBSD in their agents, another one with FreeBSD.

                                                                      1. 8

Nothing hugely shocking here. If you have a decentralized system without end to end crypto then servers can read all your stuff; it’s the same with email and gmail scanning all of your emails.

                                                                        1. 6

                                                                          Which is why we shouldn’t build decentralised (or centralised) systems without end-to-end crypto any longer.

There’s no reason why something like Mastodon couldn’t have anonymous (unsigned, unencrypted), public (signed, unencrypted), group (signed, encrypted to a group — ‘friends’ is merely one group), and unlisted (signed, encrypted) posts. Yes, there are some key management challenges (particularly around key management & re-encryption as one adds & deletes friends), but they are not insurmountable.

                                                                          I strongly believe that writing systems without cryptographically-strong privacy in 2018 is an error.
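To make the key-management cost concrete, here is an added example (not code from Mastodon or from the commenter) of group-encrypted posts where each post carries the group key wrapped once per member, and removing a friend rotates the key. It uses only the standard library, with a constructed pairwise secret per member standing in for a real key agreement such as X25519; post signing is left out.

```python
"""Group-encrypted posts with key rotation when a member is removed.

Added example, not code from Mastodon or from the commenter. Standard library
only: a random group key encrypts each post, and that group key is wrapped
once per member under a pairwise secret the author shares with that member
(a constructed stand-in for a real key agreement such as X25519). Removing a
member rotates the group key, which is the re-encryption cost the comment
refers to. Signing of posts is left out here.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific key so encryption and MAC never share one."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(enc_key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raises ValueError on tampering."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class Group:
    """The author's view of one group: member secrets plus the current key epoch."""

    def __init__(self, pairwise: Dict[str, bytes]):
        self.pairwise = dict(pairwise)      # member name -> secret shared with the author
        self.epoch = 0
        self.key = secrets.token_bytes(32)  # group key for this epoch

    def post(self, text: bytes) -> dict:
        """A post carries the group key wrapped for every current member."""
        wrapped = {m: seal(s, self.key) for m, s in self.pairwise.items()}
        return {"epoch": self.epoch, "keys": wrapped, "body": seal(self.key, text)}

    def remove(self, member: str) -> None:
        """Forget the member and rotate: the removed member never learns the new key."""
        del self.pairwise[member]
        self.epoch += 1
        self.key = secrets.token_bytes(32)


def read_post(member: str, pairwise_secret: bytes, post: dict) -> Optional[bytes]:
    """Unwrap the group key with the member's secret, then open the body."""
    wrapped = post["keys"].get(member)
    if wrapped is None:            # not a recipient of this epoch's key
        return None
    return unseal(unseal(pairwise_secret, wrapped), post["body"])


def demo() -> dict:
    """Constructed scenario: alice and bob are friends, then bob is removed."""
    shared = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    group = Group(shared)
    before = group.post(b"dinner on friday?")
    group.remove("bob")
    after = group.post(b"bob was not invited")
    return {
        "alice_before": read_post("alice", shared["alice"], before),
        "bob_before": read_post("bob", shared["bob"], before),    # old post stays readable
        "alice_after": read_post("alice", shared["alice"], after),
        "bob_after": read_post("bob", shared["bob"], after),      # None: no key for bob
        "epoch": group.epoch,
    }
```

Removal is not retroactive: bob still holds the epoch-0 key wrapped in the earlier post, so an already-shared post cannot be taken back, which is the part no amount of re-encryption solves.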

                                                                          1. 8

                                                                            Secure Scuttlebutt is a pretty good example of this, you have public messages and private messages. If a message is private then it is encrypted and only people mentioned in the post can decrypt the message. But ssb does have serious key management issues.

                                                                            1. 5

                                                                              What are the key management issues? I was just coming here to mention ssb, but I’m very new to it and was unaware of this. Can you share more?

                                                                              1. 4

Well, off the top of my hat, key management issues arise whenever you try to use it across multiple machines. Now you could manually copy the key from machine to machine, but if you ever use two machines simultaneously it creates a sort of fork in your identity on the network, which causes plenty of trouble.

There are a few solutions under research, most notably a master / slave system, but last time I checked it was still very much in the design phase.
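The fork described above, as an added example that is not Scuttlebutt's own code: an SSB feed is a per-author, hash-chained, append-only log, and two devices holding the same key each append entry number 2, so a replicating peer sees two different messages at one sequence number. The HMAC "signature" is a constructed stand-in for Ed25519 (absent from the standard library), so the peer verifies with the same secret; the field names are illustrative.

```python
"""Identity fork when one Secure Scuttlebutt key is used from two devices.

Added example, not Scuttlebutt's own code. It mimics the shape of an SSB feed
(one per author, hash-chained, append-only, each entry signed) with a
constructed HMAC stand-in for the Ed25519 signature, since the standard
library has no Ed25519; the replicating peer therefore verifies with the same
secret. The fork check follows the feed model the comment describes.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional


def _canonical(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()


def _sign(secret: bytes, body: dict) -> str:
    return hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()


def message_id(msg: dict) -> str:
    """Hash of the whole signed message; the next entry points at this."""
    return hashlib.sha256(_canonical(msg)).hexdigest()


class Device:
    """One machine holding a copy of the identity secret and the feed so far."""

    def __init__(self, author: str, secret: bytes, log: Optional[List[dict]] = None):
        self.author = author
        self.secret = secret
        self.log = list(log or [])   # copied history; later appends do not sync

    def append(self, content: str) -> dict:
        body = {
            "author": self.author,
            "sequence": len(self.log) + 1,
            "previous": message_id(self.log[-1]) if self.log else None,
            "content": content,
        }
        msg = {**body, "signature": _sign(self.secret, body)}
        self.log.append(msg)
        return msg


class Peer:
    """A replicating peer that keeps one message per (author, sequence)."""

    def __init__(self) -> None:
        self.feeds: Dict[str, Dict[int, dict]] = {}
        self.forked: set = set()

    def receive(self, msg: dict, verify_key: bytes) -> str:
        body = {k: v for k, v in msg.items() if k != "signature"}
        if not hmac.compare_digest(_sign(verify_key, body), msg["signature"]):
            return "bad-signature"
        feed = self.feeds.setdefault(msg["author"], {})
        seq = msg["sequence"]
        if seq > 1 and (seq - 1) not in feed:
            return "missing-previous"
        expected_prev = message_id(feed[seq - 1]) if seq > 1 else None
        if msg["previous"] != expected_prev:
            return "broken-chain"          # chains onto an entry this peer never accepted
        held = feed.get(seq)
        if held is None:
            feed[seq] = msg
            return "accepted"
        if message_id(held) == message_id(msg):
            return "duplicate"
        self.forked.add(msg["author"])     # two different entries at one sequence number
        return "fork"


def demo():
    """Constructed scenario: key and log are copied to a phone, then both devices post."""
    secret = b"constructed-identity-secret"
    laptop = Device("@alice", secret)
    m1 = laptop.append("hello from the laptop")
    phone = Device("@alice", secret, laptop.log)        # same key, same history
    m2_laptop = laptop.append("posted from the laptop")
    m2_phone = phone.append("posted from the phone")    # also sequence 2
    m3_phone = phone.append("and again from the phone") # chains onto m2_phone
    peer = Peer()
    verdicts = [peer.receive(m, secret) for m in (m1, m2_laptop, m2_phone, m3_phone)]
    return verdicts, sorted(peer.forked)
```

Once the peer has accepted the laptop's entry 2, everything the phone appends afterwards is rejected as a broken chain, which is why a forked identity keeps causing trouble rather than healing itself.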

                                                                            2. 4

This is easily said, but both end to end crypto and key management add a huge amount of complexity to the system. If you need the privacy that e2e can provide, this is of course worth it, but it’s not at all clear that every service needs this. The fediverse is meant for public and targeted messages, not private ones. For those use cases, people can easily use e2e encrypted systems like matrix or gpg.

                                                                              1. 3

                                                                                Hear hear! I think everyone has this vision of a perfect crypt-opia where we can conduct our social networking safe from the prying eyes of government or BigCorps, but the realities of making this happen are as you say not at all trivial.

                                                                                It’s a great goal, and one I think people should continue working towards, but the logistics are hard.

                                                                                1. 3

                                                                                  Privacy and social media are kind of at odds with each other anyway. People want to share their posts with the world but also not have that data used against them. If you didn’t want everyone to know then you shouldn’t be sharing it.

                                                                                  1. 1

                                                                                    I don’t know if I agree. When I publish toots on Mastodon, all they know is that feoh@amicable.feoh.org said blah blah blah.

                                                                                    When I use Facebook, they are collecting a SUPER rich trove of demographic data on me, cross referencing it with other commercial sources (my employer for one :) and linking it in with my “social graph” where my friends data is taken into account. It’s the difference between a linked list of nodes with 2 or 3 fields and a full on acyclic graph with zillions of nodes and zillions more connections.

                                                                                    1. 1

                                                                                      all they know is that feoh@amicable.feoh.org said blah blah blah.

Anyone can also see who you are following, who you reply to, whose posts you like, what kind of content you like, and then draw a graph based on this data. The main thing you lose is the tracking using apps to see more than what you post, but a huge, huge amount of data anyone can see can be used to track you and build a profile on you.

                                                                                      1. 1

By ‘anyone’ you mean ‘any Fediverse user’ right? Also there’s a huge difference between having to scrape and correlate vast gobs of data yourself and having it handed to you for analysis on a silver platter by the platform.

                                                                                        Anyway, this is silly. I agree that social media is at odds with privacy to an extent, but some platforms are factually, provably better than others.

                                                                                2. 1

                                                                                  also there’s nothing stopping you from using clientside tools that provide this.

                                                                                3. 3

I totally disagree. I think there is a place in the world for social networks protected by crypto, and also for those that aren’t.

                                                                                  Let’s not let the perfect be the enemy of the good.

                                                                                  1. 1

                                                                                    How would you do this while still allowing mastodon to be used from a web interface? If it’s implemented using javascript you’re in the exact same situation of having to trust the instance administrator.

                                                                                    1. 1

                                                                                      How would you do this while still allowing mastodon to be used from a web interface?

                                                                                      I’d either use a native client, or a web client running on localhost. It’s the only way to assure privacy & security.

                                                                                      1. 0

                                                                                        Exactly. You said that there’s no reason why it couldn’t do this, there’s your reason.

                                                                                  2. 3

                                                                                    agreed. It seems mostly useful for like novices.

                                                                                    1. 1

                                                                                      What scares me is the resignation to this state of things.

                                                                                      1. 4

If you store things on other people’s servers they are on other people’s servers. I don’t see how this statement is a resignation. If you want your posts to be private in the fediverse, encrypt them. If you want your emails, posts, etc. to be private, encrypt them.

                                                                                        1. 5

I was not talking about @mercer’s article: as you said it can be pretty useful for novices.

                                                                                          What scares me is that we could design something better, but there is not much research about the topic.

No one really tries to challenge the status quo with original engineering solutions, in a sort of resignation.

                                                                                          At best, people are waiting for mathematicians to create a cheap fully homomorphic encryption scheme.

But I’m afraid it’s not laziness, but lack of vision, interest and hope.

                                                                                          1. 5

                                                                                            Vision, interest, and hope are not valid inputs to compilers.

                                                                                            I think a reasonable compromise in new system design (taken in some side projects of mine) is to assume that the channels of communication are compromised by hostile actors, that storage exists in the datacenters of hostile actors who are actively trying to munge through the contents, and that mere possession of encrypted material is of significant interest to the hostile actors.

                                                                                            You end up with a sort of “I am Spartacus” setup for communication systems under those constraints, where everybody by definition has open-access to all communications but all communications are also encrypted such that if you have a key you can read it and otherwise you are just providing storage–and because everybody has copies of the content, the metadata of how it moves through the system is not super interesting. Of course, the flipside is that participation in such a system is almost always a red flag.

                                                                                            1. 1

                                                                                              Well… vision alone gave UNIX pipelines. And stacks. And timesharing systems… ;-)
                                                                                              Interest gave us Linux. And hope gave us GNU.

But, your system description looks interesting… can you share links to some free software designed that way?

                                                                                            2. 3

                                                                                              If you can’t read the code on the server, and you can’t, then you can’t know it was actually encrypted. The only thing you can do is end to end encryption, which you can already do on top of all of these existing services. What we need is education of the tools that already exist and also improving ease of use. The moment you put the tech on the server you’ve already lost. Otherwise the tech you’re describing already exists.

                                                                                              1. 3

                                                                                                I agree with you about education. I deeply agree.

                                                                                                But with fully homomorphic encryption you can know it’s encrypted even without seeing the code.

                                                                                                I’m not entirely sure that no other mitigation is possible: my insight is that too few have tried to challenge the http/dns/browser/javascript stack to get a chance to find a solution.

                                                                                                My bet is that we just need to open our minds.

                                                                                                Still, you are right: there’s no cloud, just another person’s computer… ;-)

                                                                                    1. 2

                                                                                      Are Nokia/HMD selling phones directly to end users? They only have to provide the source (or a written offer to provide the source) to anyone they’re supplying phones to. It’s up to whoever sells you the phone to provide the same to you. I’m not even sure section 3.c of GPLv2, which lets you pass on a written offer from someone else, can be invoked when selling phones since it specifically excludes commercial distribution.

                                                                                      1. 3

                                                                                        Are Nokia/HMD selling phones directly to end users? They only have to provide the source (or a written offer to provide the source) to anyone they’re supplying phones to.

                                                                                        They’re distributing OTA Android updates to end users (see eg: here). That alone is enough to require them to provide the source to any GPL software they are distributing to any users who receive it.

                                                                                      1. 6

                                                                                        linux on the desktop is 45% stockholm syndrome, 15% wishful thinking, 15% undergrad code shambles, 15% cargo cult microsoft aping, and 10% cynical corporate complexity to sell support contracts.

                                                                                        1. 6

                                                                                          What’s your preferred alternative? The walled, proprietary gardens of Apple or Microsoft? OpenBSD?

It’s a serious question, Debian Stable as a desktop OS is working reasonably well for me. I want a unix-like system - No Windows - which offers broad choices of hardware - no OS X - and it should be free software - one of them. I’d switch to OpenBSD for most of my work, but I need stuff like docker for work and want reasonable gaming support at home. I could switch between different OSes for different tasks, but why bother? Debian truly is “the universal operating system” for me, even with all its faults.

                                                                                          1. 2

                                                                                            FWIW, I use FreeBSD on my Laptop. I know it is not ideal but I choose to do it and work through the pain because I can and because I think it’s good to support options.

                                                                                            1. 1

                                                                                              What is the preferred DE on *BSDs? GNOME?

                                                                                              1. 2

                                                                                                I just use i3. TrueOS is pushing for Lumina. Gnome is basically Linux only at this point with all of its systemd coupling, from what I understand.

                                                                                                1. 3

                                                                                                  OpenBSD has good Gnome3 support, see here, although note that the instructions mentioned are out of date, it’s best to follow the readme that is installed when you pkg_add gnome.

                                                                                                  1. 2

                                                                                                    “systemd coupling” is mostly logind. It’s only really necessary for starting gnome-shell as a Wayland compositor. Someone should try either reimplementing logind for *BSD (there were such projects but I don’t think anyone got it completely working) or adding support for something like my little loginw thing to gnome-shell :) same for kwin_wayland.

                                                                                                    I actually use Weston right now, and going to write my own libweston-based compositor eventually… (loginw was created for that)

                                                                                                    For X11, both gnome-3.26 and plasma5 should work.

                                                                                                    1. 1

Do you write your own scripts for stuff like volume/backlight control, locking etc? Having used i3 for over a year, this was the least enjoyable part for me because sometimes stuff would break/change/rename and I’d have to fiddle with my scripts.

                                                                                                      1. 1

                                                                                                        Yes I’ve been writing my own scripts. I haven’t had any issues with it. But like I said, I’m explicitly deciding to add some pain in my life to support something I think is bigger, so it’s not for everyone. Lumina, though, is a full DE AFAIK so that should handle the things you’ve brought up.

                                                                                                2. 1

                                                                                                  Huh. Because my Linux desktop is peerlessly stable, bears no resemblance to anything Microsoft has released in the past thirty years, and is community developed and supported. I in fact find that the commercial desktop environments are unstable, unusable buggy garbage, and I’ve had the misfortune to have to use both of them fairly significantly.

                                                                                                  Don’t confuse “Linux on the desktop” with “GNOME on the desktop” (or, for that matter, “intentionally using unstable software on the desktop”).

                                                                                                1. 10

                                                                                                  All good reasons, IMO. But it fails to mention any of the well-known problems with C, which would have prevented many vulnerabilities in SQLite. So it reads like they’re just trying to justify their choice, rather than an honest assessment of C. I don’t know what the intention or purpose of this page is, though. And to be fair, I would probably have made the same choice in 2000.

                                                                                                  1. 40

                                                                                                    I don’t know what the intention or purpose of this page is

                                                                                                    Probably to stop people asking why it’s not written in Rust.

                                                                                                    1. 14

                                                                                                      Since it mentions Java but not Go or Rust, I suspect it’s an older page.

                                                                                                      1. 25

                                                                                                        That’s the beauty of C, it refutes all future languages without having to be recompiled.

                                                                                                        1. 1

                                                                                                          It mentions Swift, too.

                                                                                                            1. 1

Yeah, looking at the parent page, it appears it showed up sometime in 2017. I was misled by the mention of Java as an alternative, because I think it’s rather obviously unsuited for this job.

                                                                                                        2. 4

I tried finding a list of vulnerabilities in SQLite and only this page gave current info. Now, I’m unfamiliar with CVE stats so I don’t know if 15 CVEs in 8 years is more than average for a project with the codebase and use of SQLite.

                                                                                                          1. 7

[…] I don’t know if 15 CVEs in 8 years is more than average for a project with the codebase and use of SQLite.

                                                                                                            I don’t know either! I looked at the same page before writing my comment, and found plenty of things that don’t happen in memory-safe languages. There were fewer entries than I expected, but also some of them have descriptions like “Multiple buffer overflows […],” so the number of severe bugs seems to be higher than the number of CVEs.

                                                                                                            1. 7

                                                                                                              The 4 in 2009 appear to have been in some web app that used SQLite, not SQLite itself.

                                                                                                              1. 4

                                                                                                                The security community generally considers CVE counts a bad mechanism to argue about the security of a project, for the following reasons:

                                                                                                                Security research (and thus vulnerability discovery) are driven by incentives like popularity, impact and monetary gain. This makes some software more attractive to attack, which increases the amount of bugs discovered, regardless of the security properties of the codebase. It’s also hard to find another project to compare with.

                                                                                                                (But if I were to join this game, I’d say 15 in 8 years is not a lot ;))

                                                                                                              2. 1

                                                                                                                15 vulnerabilities of various levels in the past 10 years.

                                                                                                                https://www.cvedetails.com/vendor/9237/Sqlite.html

                                                                                                                How does that compare to other products or even similar complicated libraries?

                                                                                                              1. 5

                                                                                                                DragonFlyBSD has been doing some great work.

It makes me wonder if having fewer devs than FreeBSD (the project it was originally forked from years ago) has necessitated trimming features, which presumably makes some things easier due to not having to support/maintain so many interfaces – for example DragonFlyBSD has 1 firewall (ipfw2), instead of the 3 (ipfw, pf, ipf) in FreeBSD.

                                                                                                                If so, FreeBSD would be well served trimming some detritus.

                                                                                                                1. 4

                                                                                                                  I’ve often wondered that. A long time FreeBSD-er I know talks about the distro never really recovering after the BSDI merge.

                                                                                                                  1. 3

                                                                                                                    Oh interesting. Do you have any background on that or further recollections on the impacts on FreeBSD?

                                                                                                                    It’s also interesting that apparently a company started as OffMyServer, by two BSDi employees, later purchased iXsystems and subsequently rebranded themselves as such. Further, according to wikipedia:

                                                                                                                    In 2007, iXsystems acquired FreeBSD Mall, Inc., reuniting all the portions of the original BSDi that had been spun off to Wind River Systems.

                                                                                                                    1. 1

                                                                                                                      Ah. For some reason I thought they dropped it. Thanks for the correction.

                                                                                                                    2. 2

                                                                                                                      I don’t think they’re comparable anymore. I think you can compare dragonflybsd more to openbsd than to freebsd. They’re a relatively small project with a strong philosophy and project goal who are very good at what they do (in this case performance), but they have a lot of quirks that might leave some users uncomfortable while they make hobbyists very enthusiastic.

                                                                                                                      As such they don’t shy away from removing features that they judge aren’t meaningful to their users/community anymore (non-amd64 support, some older network interfaces, some legacy code that’s still in freebsd but not in dragonfly). The project philosophy is so different that the parallels you can make from them coming from the same root aren’t entirely accurate anymore. Keep in mind the fork happened 15 years ago, with development happening independently over that time. That’s also important.

                                                                                                                      Also, dragonfly has ipfw3 and pf. According to the documentation (https://www.dragonflybsd.org/docs/ipfw3/), ipfw3 was written from scratch.

                                                                                                                      1. 1

                                                                                                                        Keep in mind the fork happened 15 years ago

Wow. Time sure passes quickly. Seems like not that long ago.

                                                                                                                    1. 5

“Race Cache With Network” is interesting, if it thinks disk IO is slow it’ll request cached resources from the network as well as the disk and use whichever loads first.

                                                                                                                      1. [Comment removed by author]

                                                                                                                        1. 24

                                                                                                                          Using the AGPL accomplishes their goal while keeping the software free (by the FSF’s definition) and open source (by OSI’s definition). If they used a “don’t be evil license” their software wouldn’t be included in various package repos, and couldn’t be linked with GPL-licensed code.

                                                                                                                          1. 1

                                                                                                                            Hm, maybe a “you can’t use this software to deprive others of their basic human rights” sort of clause in the (A)GPL could be good. I’m sure there would be some drawbacks (especially enforceability WRT government agencies), but it might help.

                                                                                                                            1. 9

                                                                                                                              i doubt it would. entities who consciously violate basic human rights don’t care about following licenses. if they could be prosecuted for a license violation, they could be prosecuted for their human rights violations regardless of license.

1. 4

  1. 2

                                                                                                                                  Ah, this was the article I was trying to remember. Probably too late to be noticed now.

                                                                                                                                  https://www.gnu.org/licenses/hessla.html

                                                                                                                                  1. 1

                                                                                                                                    Hm, I found the first essay you posted to be more convincing. I think Stallman brings up a good point that these are licenses based on copyright law - not human rights laws. Either way, I’m convinced now that it would probably be a net loss.

                                                                                                                              2. 3

Except licenses that try not to approve of “evil” end up badly.

                                                                                                                                1. 3

                                                                                                                                  If you’re prepared to admit that corporations naturally trend toward violence

                                                                                                                                  What’s that supposed to mean?

                                                                                                                                1. 4

                                                                                                                                  Hopeful that someday it makes it to one of the BSDs. Fingers crossed.

                                                                                                                                  1. 4

Yeah would be nice to see it be another quality VPN standard. One of the WireGuard developers did mention being open to porting it to the BSDs, as well as re-licensing.

                                                                                                                                    1. 2

                                                                                                                                      That was 2 years ago and it’s still GPL. It doesn’t look like they require copyright attribution from contributors, so re-licensing now may be difficult.

                                                                                                                                      I hope they didn’t believe what the self-proclaimed “hardcore BSD user” said in that thread, which is completely wrong.

                                                                                                                                      1. 13

                                                                                                                                        I’m still up for porting this to the BSDs. If you know any BSD kernel developers who would like to work on this with me, please do put them in touch.

                                                                                                                                  1. 4

                                                                                                                                    I’ve added an illumos tag and backfilled the tag on these stories.

                                                                                                                                    1. 1

                                                                                                                                      Fantastic, thanks a lot!

                                                                                                                                    1. 3

Nixpkgs / NixOS has run into this problem as well, with the same strictness of hash checking. We’ve instead developed tools to normalize the results from GitHub, and compare the hash after normalization, not prior. This works for us since the contents of the archive are what we care about, and not the implementation detail of the archiving process.

                                                                                                                                      1. 2

                                                                                                                                        Does this mean archives are being extracted before they’re verified?

                                                                                                                                        1. 2

                                                                                                                                          Yes

                                                                                                                                          1. 2

This opens up an attack vector through your tar & compression implementations - a bug in them could lead to code execution via a maliciously crafted archive.
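
An added example illustrating both the normalization approach described a few comments up and the "parsed before verified" concern in this one; it is my own illustration, not Nixpkgs' or OpenBSD's tooling, and the canonical form it hashes is a simplified scheme of mine rather than Nix's NAR serialization. Two constructed archives with identical file contents but different member order, mtimes and gzip timestamp get different raw hashes and the same normalized hash, and because the archive is walked before any hash is known, the walk fails closed on traversal paths, links and device nodes.

```python
"""Normalized hashing of a source tarball (added example, not Nixpkgs' code).

A hash over the raw .tar.gz bytes churns whenever the archive is regenerated
with a different gzip timestamp, member order or mtimes.  Hashing a canonical
view of the contents (sorted paths, entry type, executable bit, file bytes)
is stable across such re-packaging.  Since the tar parser runs on untrusted
input before the hash check, member names are validated first.
"""
import gzip
import hashlib
import io
import posixpath
import tarfile


def build_tgz(files, order, mtime, gzip_mtime):
    """Build a constructed sample .tar.gz in memory.

    `files` maps member path -> bytes; `order` fixes member order, `mtime`
    the per-member timestamp and `gzip_mtime` the gzip header timestamp.
    """
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in order:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o755 if name.endswith(".sh") else 0o644
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def is_safe_member(info):
    """Reject members an extractor should never create: absolute paths,
    parent-directory traversal, symlinks/hardlinks and device nodes."""
    name = posixpath.normpath(info.name)
    if name.startswith("/") or name == ".." or name.startswith("../"):
        return False
    return info.isfile() or info.isdir()


def normalized_hash(tgz_bytes):
    """SHA-256 over a canonical view of the archive contents.

    Ignored: member order, mtimes, uid/gid/uname/gname, gzip header fields.
    Hashed: normalized path, entry type, executable bit, size and bytes.
    Raises ValueError on unsafe members before hashing anything.
    """
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        members = tar.getmembers()
        bad = [m.name for m in members if not is_safe_member(m)]
        if bad:
            raise ValueError(f"unsafe archive members: {bad}")
        for m in sorted(members, key=lambda m: posixpath.normpath(m.name)):
            path = posixpath.normpath(m.name).encode()
            kind = b"d" if m.isdir() else b"f"
            exe = b"x" if m.mode & 0o111 else b"-"
            # Length-prefix each field so concatenation cannot create collisions.
            h.update(kind + exe + len(path).to_bytes(4, "big") + path)
            if m.isfile():
                data = tar.extractfile(m).read()
                h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def raw_hash(tgz_bytes):
    """Hash over the archive bytes as downloaded (the value that churns)."""
    return hashlib.sha256(tgz_bytes).hexdigest()


def demo():
    # Constructed sample contents standing in for a small source release.
    files = {
        "proj-1.0/README": b"hello\n",
        "proj-1.0/build.sh": b"#!/bin/sh\nmake\n",
        "proj-1.0/src/main.c": b"int main(void){return 0;}\n",
    }
    # Same files, re-packaged: different order, mtimes and gzip timestamp.
    a = build_tgz(files, list(files), mtime=1_500_000_000, gzip_mtime=1_500_000_000)
    b = build_tgz(files, list(reversed(files)), mtime=1_600_000_000, gzip_mtime=0)
    # A hostile archive whose member tries to escape the extraction directory.
    evil = build_tgz({"../escape": b"x\n"}, ["../escape"], mtime=0, gzip_mtime=0)
    try:
        normalized_hash(evil)
        traversal_rejected = False
    except ValueError:
        traversal_rejected = True
    return {
        "raw_hashes_equal": raw_hash(a) == raw_hash(b),
        "normalized_hashes_equal": normalized_hash(a) == normalized_hash(b),
        "traversal_rejected": traversal_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Note that validating member names does not remove the parser itself from the trust boundary; the sandboxed extraction described in the reply below this one is what limits the damage from a bug in the tar or gzip code.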

                                                                                                                                            1. 3

                                                                                                                                              Indeed. Only in specific cases are the archives extracted prior to verification, and GitHub is one of the few. However: Nix with sandboxing turned on (and everybody should have sandboxing turned on) will extract the contents in a very limited sandbox, with read access to limited paths, and write access to a single directory. The code could execute, but couldn’t do very much to the host itself. Other potential concerns involve access to a limited set of environment variables, and possibly the nscd socket. There is the chance of sandbox escapes and kernel vulnerabilities, yes, but we’ve found this to be an acceptable trade off in the few cases we’ve needed it.

                                                                                                                                              1. 2

                                                                                                                                                I applaud sandboxing. However I believe we (as the general community of people packaging software for various OSes) should coordinate on fixing the root issue. Get people to upload release tarballs, stop them from silently moving tags etc. Many people are just not aware, asking them nicely may be enough to solve it - one by one. You won’t get all of them to switch, but many more will if approached - instead of working around the issue.

                                                                                                                                                1. 3

                                                                                                                                                  I completely agree, and as a community we advocate for efforts in reproducible builds and good packaging practices. I’m sure we’ve asked people to make good releases in the past. I applaud OpenBSD’s efforts to push here as well.

                                                                                                                                              2. 2

                                                                                                                                                I mean, gunzip + untar is a lot less complicated than, say, TLS 1.2 + HTTP2 + gzip. Which we pass untrusted data through all the time.

                                                                                                                                                Perhaps this fear is really an issue with the raw C implementation in gnutar.

                                                                                                                                                1. 3

                                                                                                                                                  Reducing attack surface anywhere in the chain is valuable.

                                                                                                                                        1. 6

This video is what I use when countering the myths about how C was designed. It goes to the papers and constraints that led Richards’ team to chop ALGOL into BCPL. Then, the modifications from BCPL to B to C. Understanding the context of why C was the way it was might help folks understand why we should upgrade given we’re no longer in those constraints either in hardware or programming features.

                                                                                                                                          1. 10

                                                                                                                                            I think there is a reasonable argument that C won on its merits. The following is a list of some languages that were available in 1975 and my opinion of why they lost out to C. C is pretty much the only language on this list with a portable implementation that ran on minicomputers.

                                                                                                                                            Algol 60 - call by name is expensive, not really intended for system software

                                                                                                                                            Algol 68 - complex to implement, standard uses an obscure formal semantics, requires a runtime, compilers did not emerge for years

                                                                                                                                            Algol W - first implementation was for IBM mainframes in an infix assembly language, few other implementations

                                                                                                                                            BCPL - untyped, inferior to C in some ways, limited support for byte addressing

                                                                                                                                            BLISS - semantics for assignment are unusual, untyped, no portable compiler, only for DEC architectures

                                                                                                                                            Coral66 - British military standard, may not have had recursion

                                                                                                                                            Fortran 66 - not really suited to system software, although a number of vendors wrote operating systems in an extended Fortran

                                                                                                                                            Forth - different programming model, mostly interpreted

                                                                                                                                            IMP72 - implemented mostly on supercomputers, low level of abstraction (Fortran II), complex (extensible) grammar

                                                                                                                                            Jovial73 - DoD standard, no standard IO

                                                                                                                                            LRLtran - no implementations for minicomputers

                                                                                                                                            MAD - low level of abstraction, implementations ran on mainframes

                                                                                                                                            NELIAC - low level of abstraction

                                                                                                                                            Pascal - weak standard, no separate compilation, Wirth moved on to new languages

                                                                                                                                            PL.8 - internal to IBM, compiler ran on mainframes

                                                                                                                                            PL/I - complicated to implement, early implementations were slow

                                                                                                                                            PL/S - internal to IBM, compiler ran on mainframes

                                                                                                                                            RTL/2 - British language for realtime systems, probably unknown in the US.

                                                                                                                                            Simula 67 - uses garbage collection, inventors wanted license fees

                                                                                                                                            1. 2

                                                                                                                                              Great list. Remember that there are two parts to this: one is how they designed it; one is what happened later. Your list seems to be what happened later after comparing its design to everything else unmodified. Whereas, mine says they’d have cherry-picked the best of anything on that list modifying it for their situation. In each case, they’d pick whatever was safest or cleanest by default switching to unsafe only where necessary. As hardware improved, the safety and maintainability would improve.

                                                                                                                                              That’s the approach Wirth took with Modula-2 and the rest of his languages. Most others did as well doing languages for safety or programming in the large. It’s now the standard way to do things with many citing an escape from the safety and maintainability problems of C. So, the evidence leans toward Wirth’s choice.

                                                                                                                                            2. 1

                                                                                                                                              If I wanted to both re-write indent(1) in not-C and continue to distribute it as a part of FreeBSD, NetBSD, OpenBSD - which programming language should I “upgrade” to? What choice do I have?

                                                                                                                                              1. 2

                                                                                                                                                My top choices for contenders would be rust, zig, myrddin and nim. zig being the closest to C with many fixes.

                                                                                                                                                1. 4

                                                                                                                                                  One issue with rust currently is that building the compiler will dominate compile times until most of the distribution is ported to rust.

                                                                                                                                                  1. 3

                                                                                                                                                    What about Wirth’s new Oberon-07?

                                                                                                                                                    Recently it has got a new promising little compiler to C, OBNC.

                                                                                                                                                    1. 2

                                                                                                                                                      Hadn’t seen that, will check it out.

                                                                                                                                                      1. 1

                                                                                                                                                        I’d really appreciate your opinion, since you cited Myrddin, which is my favourite contender for the package system of Jehanne.

                                                                                                                                                        I do not really know either of the two (I used Pascal years ago... but Oberon seems better).

                                                                                                                                                        But of all the C alternatives I could decide to integrate in Jehanne (the way Perl was integrated in Unix) these seem the best two candidates for their balance between simplicity and practicality.

                                                                                                                                                        Wirth’s Oberon wins on simplicity, but Obi’s Myrddin wins on practicality (according to my shallow understanding so far… take this with a grain of salt!)

                                                                                                                                                        1. 2

                                                                                                                                                          FWIW, Myrddin is probably going to be the easiest to port to Jehanne, since it already runs on Plan 9, and has a very small system abstraction layer.

                                                                                                                                                          1. 1

                                                                                                                                                            Hi Orib! Yes, you are right! Myrddin is the most practical choice for Jehanne.

                                                                                                                                                            Also it provides language features I like, such as ADTs and pattern matching, and it already has a practical standard library.
                                                                                                                                                            But honestly I haven’t had the time to try your hints: I saved them from my irc log, but… really I didn’t have the time… :-(

                                                                                                                                                            Nevertheless I’m also rather fascinated by Oberon-07: Wirth keeps cleaning it, removing redundant features. I know this adds pressure to the library and applicative code, but…

                                                                                                                                                            I think you can see the affinity with my strive for simplicity in Jehanne.

                                                                                                                                                    2. 4

                                                                                                                                                      All of those fall over on portability. Rust is amd64 and i386 only, myrddin is amd64 only, and building the zig compiler requires llvm. nim has the best story with amd64, i386, ppc and arm, which still isn’t enough.

                                                                                                                                                      1. 1

                                                                                                                                                        I think you are wrong about rust, there have been plenty of posts of embedded arm and other processors targeted by rust. LLVM has lots of targets and can compile itself, so it is relatively portable, though extremely complex.

                                                                                                                                                        1. 3

                                                                                                                                                          Is rust on other architectures done natively or by cross-compiling? I don’t know about the others but OpenBSD requires that the base install can build itself on every architecture.

                                                                                                                                                          1. 1

                                                                                                                                                            https://forge.rust-lang.org/platform-support.html - it seems like rustc can run on at least 5-6 architectures. and the groundwork is there for more.

                                                                                                                                                            Zig itself has two stdlibs, one is based on libc so I bet that it could run on more platforms.

                                                                                                                                                            1. 6

                                                                                                                                                              He is right, the only platforms at the moment able to self-build rust are amd64 & i386. OpenBSD requires much more. You participated in a previous thread so you know that rust in the base system is not likely to happen. Hence rust is not the answer to:

                                                                                                                                                              If I wanted to both re-write indent(1) in not-C and continue to distribute it as a part of FreeBSD, NetBSD, OpenBSD - which programming language should I “upgrade” to? What choice do I have?

                                                                                                                                                              With the current status quo, the only language fitting the above question I believe is Perl.

                                                                                                                                                              1. 2

                                                                                                                                                                https://github.com/Microsoft/checkedc seems to be one of the more practical approaches to upgrading C, though obviously not ready.

                                                                                                                                                    3. 2

                                                                                                                                                      Maybe Vala. It compiles to C but has dependency on GObject.

                                                                                                                                                      1. 2

                                                                                                                                                        The answer is C++. Every architecture that OpenBSD currently supports has a C++ compiler in base (well actually compXX.tgz). I’d imagine the answer is similar for FreeBSD and NetBSD. You may be able to get away with C++11 on the popular architectures but I think the less popular ones you’re stuck with C++03 or even C++98.

                                                                                                                                                        1. 1

                                                                                                                                                          The general choice is anything that compiles to C. If they’re picky about coding standards, what you would have then is a cultural argument instead of one on language capabilities. They wouldn’t allow something better. Then, you might be forced to do what folks like Per Brinch Hansen did back when hardware couldn’t run ALGOL: write in one language you can’t share for its benefits, with a second version done against that in a language you can share. To automate that, I recommended a while back that someone make a safe, clean, superset language that’s compatible with C plus exports to readable code in that language. Throw in real macros and a REPL for an extra reason to use it.

                                                                                                                                                          Then, we don’t have a CVSup-style situation where author uses a safe, maintainable, high-level language for its benefits but people eventually rewrite that stuff in C anyway.

                                                                                                                                                      1. 5

                                                                                                                                                        How about solaris, so it covers all possibilities?

                                                                                                                                                        1. 12

                                                                                                                                                          solaris today means oracle solaris. illumos as a project and as a community stand for very different things even if the code history is shared.

                                                                                                                                                          Sometimes terms such as solarish or SunOS (after uname) are used to mean both the closed version and its open source descendants, but I’m not sure how meaningful such a tag would be.

                                                                                                                                                          1. 2

                                                                                                                                                            Isn’t Solaris dead?

                                                                                                                                                            1. 2

                                                                                                                                                              No, Oracle just released a new version like, a week ago. Plus you’d cover any other Solaris forks that exist.

                                                                                                                                                              1. 2

                                                                                                                                                                Wouldn’t OpenIndiana or OpenSolaris be a better name?

                                                                                                                                                                Oracle fired pretty much all Solaris and SPARC engineers in 2017.

                                                                                                                                                                As far as I know any work on Solaris is limited to maintenance, and no new features are planned.

                                                                                                                                                                1. 6

                                                                                                                                                                  illumos is the community continuation of OpenSolaris. OpenIndiana is one of the illumos distributions, but there are others like SmartOS, OmniOS and Tribblix.

                                                                                                                                                                  1. 4

                                                                                                                                                                    I mean, it seems like naming the linux tag ubuntu to me. Cover all branches with the parent.

                                                                                                                                                                    1. 9

                                                                                                                                                                      There’s been almost 10 years of divergence between Illumos and (Open)Solaris. I think it would be more like having a 4.4BSD tag to cover all of {Net,Free,Open,Dragonfly}BSD.

                                                                                                                                                                      1. 2

                                                                                                                                                                        Mhh, I thought that my naming ideas were more inclusive, because Solaris in my mind refers to the proprietary product, while e.g. OpenSolaris covers all the descendants from the open source project.

                                                                                                                                                                        1. 9

                                                                                                                                                                          While we descended from OpenSolaris, that name doesn’t really refer to anything anymore. We (illumos) have been a wholly separate thing for around a decade now.