Threads for jlarocco

  1. 1

    At work I’m churning though bugs, but may get pulled into a project upgrading a large library we use.

    At home I’m ostensibly learning Rust by implementing a 3D snake game. So far it’s not winning me over, but we’ll see how the project goes.

    1. 6

      FYI, showing seconds CAN be done. It’s a registry key change. Some of those ‘Tweak Windows’ apps can set if for you if you want it.

      1. 2

        This kills me about Windows and OSX.

        They’re “user friendly” until you want to change something, and then you’re jumping around sketchy websites, entering registry hacks from strangers.

        “Edit this config file,” on Linux may not be the best UI, but at least it’s (usually) documented and consistent for all of the config settings.

      1. 2

        I’m always curious why projects choose to create an entirely new Lisp dialect instead of a new implementation of an existing Lisp (like Common Lisp or Scheme).

        Personally, I’d rather use a standardized language and be able to choose the best implementation for my needs. Especially in the Lisp world, where syntax isn’t a big deal because of macros - if I like something Fennel is doing, I can write macros to do it in Common Lisp. And there are a lot of existing Scheme and CL libraries, and a whole bunch of books and other documentation.

        I can see why it’s practical for Lua users, but for people not already tied to that ecosystem, what’s the advantage over Common Lisp?

        1. 6

          I’m always curious why projects choose to create an entirely new Lisp dialect

          There’s a page for this on the Fennel web site if you’re curious: https://fennel-lang.org/rationale

          if I like something Fennel is doing, I can write macros to do it in Common Lisp.

          This isn’t true in a meaningful way; a lot of the advantage of what Fennel provides is what it omits; by removing the ability to do certain things you end up with more predictable, obvious code and powerful guarantees. Simplicity cannot be added to an existing language by piling on macros.

          I can see why it’s practical for Lua users, but for people not already tied to that ecosystem, what’s the advantage over Common Lisp?

          For the past few years, there’s been a lisp game jam in the spring and autumn. Before Fennel came around it was mostly Schemers and CL programmers, but since Fennel has been introduced, most of the events have been won by Fennel games, and every time Fennel makes up the majority of the top 5 entries. https://itch.io/jam/spring-lisp-game-jam-2021/results

          This is 100% due to the ecosystem; the CL programmers end up spending a lot of time building things from scratch which are readily available to Fennel programs. When it’s time to go rate the games, the Fennel versions are always easy to download without any manual hunting down of dependencies, (because these problems have already been solved by the developers of love2d and TIC-80) but it’s like 50/50 whether I can even get the CL ones to run at all on my machine.

          You don’t have to be already tied to that ecosystem to see the advantage there.

          1. 1

            lot of the advantage of what Fennel provides is what it omits; by removing the ability to do certain things you end up with more predictable, obvious code and powerful guarantees

            It is possible to embed complete languages with arbitrary semantics; see e.g. coalton.

          2. 1

            I’m p sure the answer is that it’s easy to get started implementing a lisp, and for a certain sort of person, fun.

          1. 4

            I don’t quite understand why people are interested in learning a language using spaced repetition and/or memorizing.

            When you start working with a new language, you naturally adopt a spaced repetition-like approach to learn the constructs as you try to write code to accomplish tasks. Memorizing is never effective anyway, you won’t know where and how to use what you memorized.

            I dunno maybe I’m the odd duck 🤷‍♂️

            1. 9

              I initially did this mainly for the less-used functions.

              I used to pair-program alongside https://github.com/jeremy — one of the inital contributors to Rails — an absolute master of Ruby, and a really inspiring programmer to watch.

              I was blown away by how he seemed to know the entire Ruby standard library, and have it all in his head, and at his fingertips. Knowing it was there to use, and already knowing how to use it, kept him in the flow and working so quickly and easily.

              So that’s why I started doing flashcards for learning programming things. It’s worked out well.

              Then when learning a new language I find it helps it get into my head quicker and deeper than if I were to just let it happen slowly and naturally. Similar reasons. Deliberately putting things into my memory that might not have worked their way there otherwise.

              1. 2

                and have it all in his head, and at his fingertips

                This level of fluency really does make a big difference. It’s one of the reasons I think the modern trend of piling on tools is so damaging. With a large toolset, it is impossible to reach that kind of mastery with all your tools. And what you lose is usually not compensated by the “right tool for the job” benefit.

                1. 1

                  Thank you Derek.

                  Actually, I think I end up doing something similar but without the help of an app. I keep track of links for how to do various things. It’s much slower to work off of links of course. I could try using a dedicated app instead, both as a search engine and also spaced repetition learning

                2. 1

                  I’ll admit that I’ve never used flash cards for computer code. As an educator, I have a slight bias against them. I’ve seen too many physics students use flash cards to memorize every problem from every assignment over the semester, only to bomb the final due to the questions not being exact copies of earlier problems.

                  That said, I could also see two places where this would have helped me. I’m writing some Emacs scripts that talk to libpurple over DBus. I’ve been working on this off and on for a couple of months and doing quite a bit of debugging to figure out why the signals I get don’t match my expectations. Yesterday, learned that there has been a dbus-monitor command that would have told me everything I wanted to know. Had I done a set of flash cards of the dbus commands before setting out, this wouldn’t have been surprising information.

                  Similarly, I’ve been maintaining two code paths to update the chat log, both on the signal of a message being sent and on a signal of a message being received. A journey into the documentation today found that there was a signal that triggered on both of these events that cut everything down to watching a single signal. A little time with flash cards of the available signals would have told me to look there before wasting time writing a bunch of duplicate code.

                  1. 2

                    Yesterday, learned that there has been a dbus-monitor command that would have told me everything I wanted to know. Had I done a set of flash cards of the dbus commands before setting out, this wouldn’t have been surprising information.

                    Why not just read (or skim) the documentation?

                    1. 1

                      I did skim the documentation, but I quickly forgot 90% of it by the time I started writing. When I was in the middle of the code was when I needed this information and I didn’t remember it. It was on a second skim that I found the issue.

                      That said, I’m not particularly advocating for flash cards. Just trying to provide for a possible example.

                1. 2

                  PEP 654 … introduces ExceptionGroups. With them, we’re able to raise multiple exceptions simultaneously

                  I’m not familiar with the pattern of raising multiple exceptions. What other languages support this? I’m interested to see where and how they become useful.

                  try:
                      raise ExceptionGroup("Validation Errors", (
                          ValueError("Input is not a valid user name."),
                          TypeError("Input is not a valid date."),
                          KeyError("Could not find associated project.")
                      ))
                  except* (ValueError, TypeError) as exception_group:
                      ...
                  except* KeyError as exception_group:
                      ...
                  
                  1. 4

                    The ExceptionGroups has primarily been introduced to support proper error handling in the asyncio TaskGroups

                    1. 1

                      That’s interesting. In Go, I have a multierror that I use to consolidate errors when running concurrent gorountines. Of course, errors are just a normal interface in Go, so it’s pretty easy to just add an Error method to a slice of errors. It doesn’t need any special language support.

                      I wrote a gist to try to combine Python exceptions once, but it was sort of a kludge. It’s nice that it will be a first class thing now.

                      1. 1

                        That’s basically what asyncio.gather() already does, but PEP 654 exists to make the process less cumbersome.

                    2. 3

                      It’s not built-in, but if I’m understanding the feature correctly it wouldn’t be difficult to do with Common Lisp conditions.

                      1. 1

                        This reminds me a bit of pydantic: if you have errors in your model it should give you multiple validation errors instead of blowing up on the first one. Maybe it would also be useful in that context?

                        1. 4

                          I don’t think it’s for that use case. Within a single library, you can do:

                          from typing import List
                          
                          class ValidationError:
                              line_number: int
                              reason: str
                          
                          class ValidationErrors(Exception):
                              errors : List[ValidationError]    
                          

                          So based on above discussion it sounds like it’s more about combinations of multiple different exceptions.

                          1. 2

                            Django’s forms library has something similar; instead of forms having a potential attached error, they have a a potential list of attached errors, produced by catching and collecting every django.forms.ValidationError raised during the validation process.

                            1. 1

                              Seeing as we’re talking about new features in recent versions of Python, you don’t need from typing import List anymore, since 3.9 you can just write:

                              class ValidationErrors(Exception):
                                  errors: list[ValidationError]
                              
                              1. 1

                                Good to know! And I guess I actually have one project where I can use Python 3.9 features, but everything else only just dropped 3.6. Going to be a while…

                                1. 1

                                  TIL that you can do from __future__ import annotations as of Python 3.7 for this.

                          1. 1

                            For personal use, I have a late 2013 MacBook Pro. I keep expecting the hard drive will fail, but it keeps chugging along, so I keep using it. I’ve thought about installing Debian, but it’s convenient having an OSX machine sometimes, so I’m not in a hurry.

                            I use it for Common Lisp and OpenGL development. It’s nice to have a low-end OpenGL implementation to test on.

                            I don’t know what I’d replace it with. I’m done with Apple, so probably something in the <$750 price range, running Debian.

                            1. 2

                              Those are neat tools to know about.

                              If it were me, I probably would have ran it under strace and piped the output to a file. It probably would have worked, but it’s not as precise as this way.

                              1. 4

                                Bear in mind this is for AIX targets. Some of the advice about how many instructions it takes to initialize things is not universal.

                                1. 4

                                  Yeah, that threw me for a loop. Does AIX only run on POWER CPUs?

                                  Also, some of the advice seems kind of archaic (like, talking about local and global variables as those are the only kinds, i.e. no such thing as heap allocation or pointers) or obvious (who would use a C string as an enum? Even a series of #defines as in their “good” example is pretty archaic compared to an enum.)

                                  1. 1

                                    Just to nitpick here, global vs local, heap vs stack and pointer vs non-pointer are all describing different, orthogonal attributes of a variable, specifically scope, allocation strategy, and type. In each case global/local, heap/stack, and pointer/non-pointer really are the only options (in C) for those attributes.

                                1. 1

                                  @work I’m clearing a backlog of small PRs and working on a bug with section view export. Our Creo license server was down for a few days last week, which blocked our testing pipelines from completing. Now that it’s back, there’s a backlog of tests waiting to run.

                                  @home I dumped PipeWire and went back to work on Common Lisp bindings to Pulse Audio. I’m learning the PulseAudio API as I go, so that was slowing things down a bit, but I think I’ve got the hang of it, and everything seems to be working so far.

                                  Once I understand the API a little better, I’ll implement a higher level API on top of it.

                                  1. 1

                                    @work I’m churning through bugs. The nice thing about being new is most of my tickets are on the smaller side, so it feels like I’m getting a lot done.

                                    @home I dumped my PulseAudio bindings, and started work on a binding to libpipe-wire instead. This week I’d like to work through a few of their example applications and re-implement them in Common Lisp.

                                    1. 2

                                      I’m catching up on sleep, hanging around the apartment, and going for a hike.

                                      I’d also like to get back to working on my Common Lisp binding to libpulse. I’d like to get a simple working example of an OpenGL visualization that responds to live audio from an input source. In theory this works with what I have already, but I haven’t done it.

                                      1. 2

                                        @work I’m going to profile one of our import plugins and look for performance bottlenecks.

                                        @home I’m working on a Common Lisp binding to Pulse Audio. I’m going to use it to process IQ data from my HF radio and visualize it with OpenGL. I may need a better sound card, so I’m also researching that.

                                        1. 1

                                          @work Working through some bugs while I continue to get up to speed with the code base.

                                          @home I’m looking at porting some older Qt OpenGL programs over to my GLFW OpenGL package.

                                          And I need to tidy up my desk and clean up the living room and closet.

                                          1. 1

                                            @work I’m looking into my first few bugs.

                                            I’ve pinpointed the cause of the first one, but how to fix it isn’t very clear. Our desktop app publishes to a web service, and one of the parameters that we use isn’t fully supported in the web back-end yet. It’s in progress, but not going to be ready for a while. In the meantime, the “powers that be” want the option to default to “on” in the desktop app, so now I’m figuring out the best way to make it work temporarily until the feature is fully implemented to make it work for real.

                                            @home: I finally got around to writing a script to mirror my GitHub repos on SourceHut, and I need to learn about systemd timers so I have it done automatically.

                                            I should also make it support more use cases… right now it only supports GitHub to SourceHut, and probably breaks if the SourceHut repo has changes that aren’t in GitHub.

                                            I also want to finish reading “A Ditch In Time”, which I almost finished reading a week and a half ago, but still haven’t sat down to finish.

                                            1. 1

                                              Half day of skiing today, and possibly tomorrow.

                                              Also want to tidy up my apartment and finish reading a book.

                                              1. 1

                                                Interesting.

                                                The implementation sounds like it could be improved a little bit, but it doesn’t sound like too much work (easy for me to say ;-). Personally, I’d skip parsing the AST and add a thin layer of function calls over the concurrency primitives, where the functions print out the logging and then does what it need to do. It could be made to be turned on or off at runtime that way, and is a little easier to work with, IMO.

                                                The stdout synchronization might be avoidable by sending each thread to its own file, and then merging the files (or just parsing multiple files) in the visualizer, where timing doesn’t matter so much.

                                                I’m curious if he’s tried this in any larger applications? Has it found bugs?

                                                1. 2

                                                  Work:

                                                  I spent most of last week getting settled into my new job, and this week I’m digging into my first tickets. I haven’t worked in 6 months, haven’t worked in an office in 3 years, and haven’t worked on Windows in over a decade, so my head is spinning. I’m already learning a lot and my coworkers are all really nice, so it’s awesome so far.

                                                  Home:

                                                  Mostly just relaxing after work, but also working on a tool to clone all of my GitHub repos and add them to Sourcehut, and maybe also to BitBucket.

                                                  1. 35

                                                    Why did GitHub remove his account/projects?

                                                    1. 44

                                                      That’s the part that bothers me.

                                                      I understand it wasn’t a nice thing to do, and that people are upset, but it’s his own code in his own repos. He even announced ahead of time he would do something like this, so “buyer” beware.

                                                      I realize GitHub TOS covers them to remove accounts and repos at their discretion, but it’s a little unsettling that they’ll actually do so arbitrarily without a clear TOS violation. It might be time I move everything to Sourcehut and treat GitHub as a mirror…

                                                      1. 24

                                                        It might be time I move everything to Sourcehut…

                                                        The Sourcehut guy has always seemed a little unstable to me (didn’t he get banned from this site, in fact?) So, why would I trust him any more than I trust GitHub?

                                                        1. 33

                                                          I banned him and I would not call him unstable. Not just because that kind of insult is inappropriate here, but because it obviously doesn’t apply. He writes inflammatory hyperbole that’s not a good fit for this site, but he’s a skilled, accomplished professional who looks like he’s seeing a lot of success in his life.

                                                          1. 11

                                                            I didn’t mean to insult him. Maybe “erratic” would have been a better word without any mental health connotations (which I absolutely didn’t intend)? Poor word choice on my part, I’m sorry for that.

                                                            …but he’s a skilled, accomplished professional who looks like he’s seeing a lot of success in his life.

                                                            Sure, same goes for the GitHub guys. A person who can’t tone it down enough to keep a Lobsters account just isn’t someone I feel I can trust to host my code, particularly given that he’s in charge of the whole operation. Obviously everyone is free to decide who to trust and for what reasons.

                                                            1. 9

                                                              A person who can’t tone it down enough to keep a Lobsters account just isn’t someone I feel I can trust to host my code

                                                              Bear in mind, Linus Torvalds would also probably have been banned from here multiple times in the past.

                                                              I’d be perfectly happy to trust someone that volatile a lot (and I guess I do, running Linux since 1996 :) ). But I would be careful which groups and forums I invited them to :)

                                                              1. 2

                                                                …I guess I do, running Linux since 1996

                                                                Very different, at least to me. If Linux was a service, control would have been taken away from Linus a long time ago (I mean, as it is they made him step back for awhile to work on his issues). But it’s not, it’s just code that other people then build into something, often applying patches in the process. If Linus had a meltdown there is already sufficient infrastructure in place that the vast majority of us wouldn’t even notice.

                                                                I wouldn’t trust a code hosting service Linus ran by himself either.

                                                                1. 1

                                                                  Nobody made Linus step back. He recognized that he had issues and took a sabbatical to deal with them himself. Are you saying you wouldn’t trust a service by a guy who has been diligently working on the same project for 30 years? Not to mention the guy who invented the base of all of the services discussed in this thread.

                                                                  Why do people assume that “Bigger is better” when it comes to web services? The two most reliable services I use are Pinboard, run by an insanely opinionated and outspoken developer, and NewsBlur, who was, and may still be, a one man shop that just quietly does his own thing. In the same time as those services have been faithfully up and running, Google has shut down more services than I can count, because “It didn’t fit with their corporate vision”

                                                                  It’s misguided, and harmful.

                                                                  1. 1

                                                                    Nobody made Linus step back.

                                                                    We’ll probably never know for sure, but the subtext (well, and the text) of his announcement email sure makes it sound like his hand was forced, at least to me.

                                                                    Are you saying you wouldn’t trust a service by a guy who has been diligently working on the same project for 30 years?

                                                                    No, I’m saying I wouldn’t trust a service run by a guy who randomly goes off on people in totally inappropriate ways (his admission). Or, as is the case here, a guy who can’t even behave himself well enough to keep a Lobsters account.

                                                                    Not to mention the guy who invented the base of all of the services discussed in this thread.

                                                                    That has literally nothing to do with anything. A person can be productive or brilliant and also have other, undesirable, qualities.

                                                                    Why do people assume that “Bigger is better” when it comes to web services?

                                                                    I don’t, so I can’t answer that.

                                                                    Google has shut down more services than I can count…

                                                                    Agree with you there! I don’t trust Google for anything but search (I don’t even use Gmail), because that’s the one thing I don’t think they’ll ever kill (or break). I don’t think GitHub is going anywhere either, the worst case scenario is that Microsoft sells it.

                                                                    It’s misguided, and harmful.

                                                                    If there was a person who had the views you seem to ascribe to me, then I might agree!

                                                          2. 30

                                                            That’s unfair to Drew. He’s passionate, and rude, and opinionated, and submissions here from his site generally stirred up giant flamewars. But I do believe he’s got what it takes to keep sourcehut running.

                                                            1. 18

                                                              GitHub will keep running, too. I’m not sure we’ve answered the question of

                                                              why would I trust him any more than I trust GitHub?

                                                              1. 8

                                                                Not only is the sourcehut software available under the AGPL, the issue trackers and such give you export and import functions to pull your data into another instance easily. The software itself is not trivial to host, but it’s not prohibitively hard either. If I needed to eject because Drew became untrustworthy, I am very comfortable that I could do that.

                                                                Even though that’s a non-zero amount of work, GitHub gives me no comparable ability. That’s a good reason to trust him more than I trust GitHub, in my opinion.

                                                                1. 3

                                                                  GitHub gives me no comparable ability.

                                                                  The GitHub command line client provides this functionality, as does the API. Obviously, the data formats are specific to the way GH works, but there are ways to extract most if not all of the relevant data (I use this heavily with my team to script up our findings workflow, for example).

                                                                  1. 5

                                                                    Interesting. Unless I’m missing something, you can’t stand up your own self-hosted instance of github, and import that, can you? The ability to stand up my own instance of the forge and import my data, to use on a self-hosted site, is what I meant by “comparable”. (That’s the angle I was coming from… if Drew won’t let me use his hosted service, I can just set up my own copy on any host I want since upstream is AGPL, then import my data from the sr.ht export since sr.ht exposes those functions.)

                                                                    1. 2

                                                                      GitLab supports importing to a self-hosted instance from GitHub [1], although I’m sure it’s not perfect, so it may or may not be useful. It also isn’t clear to me based on a 15 second review whether you can import from some kind of local data dump or raw GitHub API responses or if your GitHub account needs to be currently active.

                                                                      [1] https://docs.gitlab.com/ee/user/project/import/github.html

                                                                      1. 2

                                                                        That looks much better than I thought, particularly if it turns out to work off saved data/responses. And it’s nice that Gitlab enable that for all their tiers.

                                                                      2. 1

                                                                        Unless I’m missing something, you can’t stand up your own self-hosted instance of github, and import that, can you?

                                                                        GitHub Enterprise can be bought as a GitHub-hosted or self-hosted thing. These support (most of) the same APIs as the public GitHub, so you can run your own instance if you are willing to pay.

                                                                        1. 2

                                                                          It would be an interesting experiment to see whether they would sell an enterprise installation to someone whose account they forcibly closed. I was sort of assuming that if they won’t let you be a customer of their public service, they won’t sell you the private one, but that is uninformed speculation.

                                                                  2. 3

                                                                    Because sourcehut is open source so nothing is lost when I leave. More than that chances are if sourcehut goes a bad route there would likely be others jumping in.

                                                                  3. 2

                                                                    Not that you exactly claim otherwise, but Drew also makes some nice things and has created a business structure that enables at least one other developer to make some nice things.

                                                                    Quite apart from that, though, and similarly quite apart from whether he has what it takes to keep sourcehut running, he’s given me an out so that I don’t, strictly speaking, need him to. He’s released the software that runs the forge under the AGPL, here. And it exposes ways for me to export the hosted stuff and import it into a self-hosted instance.

                                                                    So regardless of whether I trust Drew personally, he’s made it so I don’t need to for this purpose.

                                                                    If Drew got angry and decided I couldn’t be his customer anymore, I could stand up my own instance or pay someone to do that for me and import my data. My repos wouldn’t be down at all, my tickets, docs, etc. would be down for a day or so, and my mailing lists might see a bit more disruption than that. If github decided that I shouldn’t be their customer anymore, I’d have my repos. For the rest, I’d kind of be out of luck. (I think this last paragraph is more responsive to @glesica ‘s comment than the one I’m replying to, and I’m too lazy to split it to another reply.)

                                                                  4. 17

                                                                    Because “more than I trust Microsoft” is a damn low bar.

                                                                    1. 7

                                                                      It’s like a little devil hovering over my right shoulder, and a slightly less predictable devil hovering over the other.

                                                                  5. 6

                                                                    From other options there’s also fediverse approach with Gitea, and p2p approach will be available soon with Radicle.

                                                                    1. 11

                                                                      It might be time I move everything to Sourcehut and treat GitHub as a mirror…

                                                                      That time was years ago, but hey, better late than never.

                                                                      1. 5

                                                                        Consider hosting your own, instead. I published a blog post with a list of defunct code hosting sites which I update occasionally. Maybe that list is a good reminder. Remember, it’s not just code that goes away with such sites, it’s also issue queues and in some cases, wikis and mailing lists too.

                                                                        1. 4

                                                                          Are you also start hosting a list of defunct private websites that used to host Git repos that are gone forever and where the disappearence came completely unexpected? I would trust Github more with staying online since that’s their job than a developer running a Gitweb on some VPS with some domain name that requires regular payment to stay online.

                                                                          Kinda like I registered callcc.org after it lapsed to make sure the links to the CHICKEN website don’t break and it doesn’t get domain-squatted and I’m redirecting to the official website these days.

                                                                          1. 1

                                                                            Are you also start hosting a list of defunct private websites that used to host Git repos that are gone forever and where the disappearence came completely unexpected?

                                                                            I can’t think of anything offhand where I’ve taken a dependency that’s done that. But when I do take a dependency on something, I generally mirror the SCM repo if there is one. And I am very reluctant to take dependencies on things I can’t have the source to. Since the things I depend on generally haven’t gone away, I haven’t bothered to publish my mirrors, but I would if the license permits it.

                                                                            1. 3

                                                                              But when I do take a dependency on something, I generally mirror the SCM repo if there is one.

                                                                              I learned that the hard way when Rubyforge went down, a few employers ago. We weren’t that active in the Ruby community anymore, so we missed the notice. When the site went away and I had to do some small maintenance tasks on a legacy project, all the third party svn subtrees from Rubyforge were no longer working (and, more painfully, another project of ours was completely gone too). Note that Rubyforge was huge in the Ruby community back in the day.

                                                                            2. 1

                                                                              I would trust Github more with staying online since that’s their job than a developer running a Gitweb on some VPS with some domain name that requires regular payment to stay online.

                                                                              Like I said, history has shown these hosting sites are not as trustworthy as people like to believe they are. The GitHub company can get sold to an untrustworthy partner (har har, like that’d ever happen… oh wait) or go out of business (what if MS decides to sell the company to, I dunno, Oracle or something because it’s not making a profit?), or there might be some other new VCS that comes out that completely blows git out of the water. I’m sure nobody saw coming what happened to Bitbucket - it started out as a Mercurial hosting site, then started offering git and finally dropped Mercurial after Atlassian took over. Its founders probably never would have let that happen if it were still in their power.

                                                                              From my own perspective, I’ve personally ran into at least five hosting sites who were hosting projects I started or heavily contributed to that are no longer available now (Rubyforge, Dutch govt OSOSS’ uitwisselplatform, Berlios, Bitbucket and Google Code). And then there’s Sourceforge which at least still hosts some of my defunct projects, but had for a while been injecting malware into downloads. If I or my employers (as the case may be) had hosted our own projects from the start, this pain would’ve been completely avoided. These are projects in which I had a stake, and it was in my interest to not let them die.

                                                                              Now, having said that, I agree that from a third party perspective (someone who is using the hosted code) that’s different. I understand your point saying you don’t want to rely on some random developer’s VPS being up, and neither would I. But then, people change repositories on code hosting sites all the time, too. They move to other hosting sites, or rename repositories etc. Links rot and die, which is unfortunate and something we all have to live with.

                                                                              Case in point:

                                                                              Kinda like I registered callcc.org after it lapsed to make sure the links to the CHICKEN website don’t break and it doesn’t get domain-squatted and I’m redirecting to the official website these days.

                                                                              Thanks for doing that. AFAIK this domain was never communicated as being official, but I might be wrong.

                                                                        2. 8

                                                                          I don’t know what the GitHub rationale was, but the ‘limitation of liability’ bit in most open source licenses only goes so far. If I intentionally introduce malicious behaviour into one of my open source projects, knowing that it would damage downstream consumers, then I’d probably be liable under the Computer Misuse Act in the UK and similar legislation elsewhere. GitHub’s T&C’s don’t explicitly prohibit using their service for criminal purposes but that’s normally implicit: if GitHub didn’t act then they might end up being liable as an accessory (at least as an accessory after the fact). Their distribution channel (NPM) is being used by a malicious actor to attack other users.

                                                                          It’s normally difficult to prove malicious intent in this kind of thing (incompetence and malice look similar) but it seems pretty clear here from the author’s own statements.

                                                                          1. 12

                                                                            I don’t know what the GitHub rationale was, but the ‘limitation of liability’ bit in most open source licenses only goes so far.

                                                                            This is disturbing. Software is provided as is, with no liability whatsoever, but the author should still be liable for what happens when other people use it, because it broke things? What if the author decided to completely change the library’s API, or recycle it to just print squares of color, because they liked the name?

                                                                            If find what the author did pretty stupid, but frankly, suggesting it falls into criminal behavior call for some stepping back and put things in perspective.

                                                                            1. 8

                                                                              There is a difference, and it’s not subtle at all, between making a possibly unwanted change in software that is provided without any warranty, and deliberately making a crippling change with the express intent of breaking other people’s applications.

                                                                              To put it another way: if you accidentally commit an integer overflow bug that causes batteries to blow up, that is, presumably, just bad engineering. But if you deliberately commit a clever hack that causes people’s batteries to blow up, with the express intent of getting people injured, or at least destroying their phones, I think it makes a little sense to not put it under “well, it did say no warranty of any kind on the box, didn’t it?”.

                                                                              Obviously, this didn’t kill anyone, so I’m obviously not thinking it ought to be treated as murder. But “no warranty” is not a license to do anything.

                                                                              It’s not like software is being given special treatment here, it’s how warranties work everywhere. If you sell boats with two years’ servicing warranty and they break down after three years, that’s one thing, but if you fit them with bombs that go off after two years and one day, with the express intent of killing anyone on them, that still falls under “murder”, not “what happens after two years isn’t our problem, it says so on the purchase contract”.

                                                                              (Edit: obviously IANAL and this is not legal advice, either, I’m only parroting second-hand, non-lawyer advice about how insurance works for some high-stakes software projects)

                                                                              1. 5

                                                                                I guess that makes sense, when you put it that way :)

                                                                              2. 3

                                                                                I am not a lawyer, this is not legal advice:

                                                                                My understanding is that it comes down to intent. If I upload a buggy piece of crap to GitHub with an open source license, and you use it, then it sucks to be you. If I upload something to GitHub, wait for you to deploy it and then intentionally introduce a vulnerability or other malicious behaviour in it then legally dubious. Normally it’s very difficult to prove intent. If I submit a patch to the Linux kernel that introduces a vulnerability, if you wanted to prosecute me then you’d have to prove that I did so knowing that the bug was there and with the intent to cause harm. That’s very difficult to do in the general case (the NSA null-pointer dereference bugs are a great case in point here: people suspect that the NSA knew about that vulnerability class and introduced it deliberately, but no one can prove it and there’s enough reasonable doubt that it would never stick in court unless there was some corroborating evidence - it could easily have been accidental). If, before I submit the patch, I post publicly about how I am going to intentionally break things for the people using my code and then I push a new version out to public repositories then it’s likely to be easy to prove malicious intent. The author of these packages did exactly that: posted saying that he was going to break things for people if they didn’t pay him and then, when they didn’t pay him, broke things. That may (again, not a lawyer) count as blackmail, as well as computer misuse.

                                                                                1. 3
                                                                                  1. Code license != Github TOS.
                                                                                  2. Liability could only be disclaimed to the extent permitted by law. You cannot put a sign “free food, no liability whatsoever” and then put poison inside and expect that disclaimer to save you from prison. E.g., GPL states “THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.”
                                                                              3. 7

                                                                                I think until they make a statement about it, nobody knows but them. But my assumption is that this happened on a weekend, and whoever was on call figured that the easiest thing to do to minimize disruption till Monday was to suspend the account and hard revert the content until more people could be brought in. I’m also assuming suspending the account just automatically says that you violated the ToS.

                                                                                1. 3

                                                                                  I could imagine that somebody identified this as a possible account hack and thus locked it.

                                                                                  1. 2

                                                                                    They didn’t, they suspended his account so he can’t log in. You are still free to troll him on GitHub without any recourse whatsoever.

                                                                                  1. 3

                                                                                    My desktop hasn’t changed much since at least 2018. It’s pretty basic StumpWM, with Emacs, a terminal, Spotify, Chromium, and whatever else may be open. In this case it’s a hexagonal cellular automata because an empty black screen makes for a boring screenshot.

                                                                                    The primary monitor is a 4k BenQ. The smaller monitor is a 1080p Dell salvaged from an e-recycling bin years ago. It sits under my desk most of the time because I don’t need the extra space, but sometimes I put things over there while coding.

                                                                                    The physical desktop is more interesting, but the clutter is honestly a little embarrassing right now so there’ll be no picture. Highlights are a Vari standing desk, a 3DConnexion “SpaceMouse”, a Kinesis Advantage keyboard with a wired 3DConnexion mouse on the desk, and a small bluetooth Apple keyboard with a wireless 3DConnextion mouse for the couch across the room. My apartment is small, so the big monitor doubles as my TV, and the wireless keyboard/mouse allow me to control it from across the room.