1. 23

    If you want to emulate current software in the future, use virtual machines. From a headline going around lobste.rs some time ago: “Memory Safety Bugs Form 70 Percent Of Vulnerabilities” https://www.i-programmer.info/news/149-security/12538-memory-safety-bugs-form-70-percent-of-vulnerabilities.html Is it really worth it keeping broken stuff around? 🤔

    1. 1

      Philosophically I’m not sure if using virtual machines to get old programs working is any different to having to modify code to get old programs working. Sometimes you are lucky and a standard VM setup fixes the problem, other times it’s much more complicated (e.g. games like Midtown Madness). Sometimes you are lucky and the code changes are simple, other times they’re complex and insidious.

      “Memory Safety Bugs Form 70 Percent Of Vulnerabilities” https://www.i-programmer.info/news/149-security/12538-memory-safety-bugs-form-70-percent-of-vulnerabilities.html

      That’s looking at software from now and ignoring the past. An equally accurate headline is “90% of software ever made broken due to changes over time”.

      Is it really worth it keeping broken stuff around? 🤔

      To flip your line on its head: is it worth trying to make memory-safe (or sim.) programs if they won’t stick around?

      What’s the difference between code breaking or becoming insecure from memory-safety issues versus becoming broken or insecure with time (external changes)? Both lead to the same result.

      1. 12

        To flip your line on its head: is it worth trying to make memory-safe (or sim.) programs if they won’t stick around?

        What’s the difference between code breaking or becoming insecure from memory-safety issues versus becoming broken or insecure with time (external changes)? Both lead to the same result.

        Memory unsafe code can cause huge harm in the real world through exploitation and information theft. I’d rather my browser from 10 years ago didn’t work than my current browser getting my identity stolen or my parent’s computer infested with ransomware.

        1. 8

          To flip your line on its head: is it worth trying to make memory-safe (or sim.) programs if they won’t stick around?

          Yes, they will be memory safe while they are used.

          What’s the difference between code breaking or becoming insecure from memory-safety issues versus becoming broken or insecure with time (external changes)? Both lead to the same result.

          Memory-safe software won’t become less safe with time.

          Software is a tool to be used now foremost. I may or may not care if the Firefox I use today still compiles in 50 years, but I sure care that it works and doesn’t crash today.

          1. 3

            Memory-safe software won’t become less safe with time

            Disagree. New kinds of attacks will be developed, just like they always have.

            1. 3

              They might have meant less memory-safe over time.

      1. 2

        Unfortunately, implemented in client side JavaScript.

        Hehe

        1. 1

          Client-side Python actually! :)

          1. 1

            What could go wrong :)

          1. 1

            Two letter variable names. Line numbers. No indenting. Nirvana.

            1. 15

              I’m having a hard time seeing how it threatens most consultants. It seems like it’s intended to crack down on those “consultants” who solely function as employees of a single company.

              For people who are really doing consulting as a business and want the ability to have more than one client, by my read of the article there’s an easy out: set up an LLC, LLP or S-Corp. That’s cheap and easy and a very good idea (for more than just moving yourself outside the purview of this law) if you’re serious about being in the consulting business.

              Am I missing some way this law threatens people who aren’t just using “independent contractor” as a loophole to avoid an employment relationship and all the obligations that carries?

              1. 6

                This sounds much like the German law on Scheinselbstständigkeit (“fake independence”), but with two loopholes closed in. The reason for that law to be passed was that companies happily circumvented all labor laws by putting people on contract: no obligations to pay them holidays, leave, social security, the ability to fire them easily. At the same time, they expected performance of a workforce: be there at 9, sit at your allocated desk, work 40 hours. Many even were confused when such a person suddenly started working for a different client. And that’s just IT. Making every package deliverer a contractor was quite common.

                The “fix” for the first wave of legislation was to encourage people to form a limited company, which led to the law getting stricter: this does not protect you anymore. There are other loopholes, like working through a company that is in itself a shell for multiple people. This now requires registration (it’s literally called “employee lending”) - it is (sometimes) checked if your employee is actually under your command as a business owner. (Indications: who do they ask for leave days? You or your client?)

                The huge problem of this is that businesses regularly skirt the rules, which makes the rules become stricter and stricter. Other companies have to shield themselves against being hit by such a restriction - people who end up proving that they are actually employees will be able to sue themselves into your company. And by such encouraging other people employed at the same time to do the same, easily costing you millions in social security (for the last few years).

                We have weird situations like explicit “contractor desks” without markings to make clear that you are definitely not part of the workforce. Other companies have started to create “bridgeheads” where only some people are allowed to give contractors tasks and isolate them.

                It’s an absurd situation, but in a weird way, I can’t hold it against the state: every loophole has been so aggressively used that something had to be done. Now we are in a situation where the lawyers rule. And lawyers are damn conservative when it’s not clear where the boundary will move next.

                1. 1

                  It’s an absurd situation, but in a weird way, I can’t hold it against the state: every loophole has been so aggressively used that something had to be done.

                  No, something doesn’t have to be done. But everyone always assumes that, so we get more and more laws which require more enforcement, more inspections, more friction, and less opportunity.

                  1. 3

                    No, something doesn’t have to be done.

                    Let me rephrase this, then.

                    If we want labor laws to remain relevant, then something has to be done. If you’re fine with de-facto employees working for less than minimum wage with no benefits and no employee protections, then nothing needed to be done.

                    1. 2

                      We could go for a completely different system (with different rules), but boundary-skirting situations will always lead to those effects, independent of the boundaries.

                  2. 7

                    I feel like everybody pushing back against this is shilling for big business.

                    1. 4

                      My consulting business certainly fits the eight required criteria, including having more than one customer, an LLC, etc.

                      However this just adds additional risks that my customers may not want to deal with anymore. For example it may be easier to stop all consulting until things get sorted out.

                      1. 6

                        I think the original point of the law is to protect Uber drivers and similar gig economy people who are “exploited” by big business.

                        Lots of industries got exceptions added to the law so that their contractors wouldn’t be affected like medical doctors and hairdressers.

                        No one spoke up for software freelancers, so no exception for them.

                        Should be interesting have the unexpected effects work themselves through the system.

                        1. 2

                          No one spoke up for software freelancers, so no exception for them.

                          Not surprising, given our level of organisation/representation structures.

                          1. 2

                            Yeah, this law was a bad idea, driven by hate of the Uber/Lyft business model (which I think is in turn driven by an ideological dislike of people having additional transportation options besides public transit). If “lots of industries” gain exceptions to the law because someone thought to lobby for that industry specifically, and other industries are getting screwed by the law because they happened not to have the right connections to get themselves written an exception (I’ve seen freelance journalists and writers complain about this law in exactly the same terms as this article), then why was it a good idea for Uber/Lyft drivers in the first place?

                          2. 4

                            I was not thinking of customers who’d be so irrationally risk-averse that they’d even stop using consultants who were obviously OK.

                            The way I’m reading the news, it’d be a little surprising if there’s even a whiff of enforcement against anyone who’s not using 1099s in a few specific anti-patterns, so I hope your business does not suffer.

                            I don’t expect this to make either of my CA-based customers change their practices at all.

                            1. 3

                              It’s actually not as surprising as you make it seem. Most big companies don’t hire independent contractors directly probably for very similar reasons; the consultant then has to go through one of the approved vendors of the big corp to be hired as a sub-contractor, which often eliminates the main benefits of being an independent contractor in the first place — much higher hourly rate (wouldn’t necessarily be possible anymore if a third party has to get their cut, too, plus all the potential liabilities for the employer to support unemployment benefits), the ability to deduct your own office space and equipment, being able to be hired and fired on a very short notice etc.

                              1. 1

                                Most big companies don’t hire independent contractors directly probably for very similar reasons; the consultant then has to go through one of the approved vendors of the big corp to be hired as a sub-contractor,

                                While I can’t speak to “most”, that does not align with my experience. The ones I’ve dealt with (fortune 50/USG scale) have either been able to contract directly with us or direct a prime to contract with us on their behalf in a way that preserves the benefits you mention.

                                The thing that would surprise me would be if the authorities in CA enforce this new law against anyone who’s not using 1099s in one or more of a few crappy ways. My gut is that any CA corporation who’s hiring subs from a company with any kind of customary structure will be completely outside the scope of what the CA government is going for with this law.

                        1. 4

                          I know what this game looks like but it just seems unfathomable to have an article about the game and not have a screenshot.

                          1. 4

                            Yeah, first thing I thought as well. Looks amazing otherwise, huge pile of effort.

                            1. 5

                              Fixed - I knew I left something out. I have added a little video. Thanks for the feedback.

                          1. 1

                            I remember waiting for magazine to arrive to get next installment of this

                            1. 5

                              C++’s standard library isn’t very useful to dynamically link to

                              Well, there’s 814 Kb of something in /usr/lib/libc++.so.1 on my system…

                              C++ can be dynamically linked and used in an ABI-stable way! It’s just that it ends up looking a lot more like a C interface due to the limitations

                              In practice, it looks a lot more like “you’ve updated Boost? You have to rebuild LibreOffice now, even though 90% of Boost is templates, your LibreOffice links to libboost_locale.so and libboost_date_time.so and uses maybe a couple monomorphic functions from there” :)

                              btw, D supports dynamic linking in the same way.

                              1. 4

                                D supports dynamic linking in the same way

                                In the same way as rust? Or c? Or c++?

                                1. 3

                                  C++’s standard library isn’t very useful to dynamically link to

                                  Well, there’s 814 Kb of something in /usr/lib/libc++.so.1 on my system…

                                  I think your next comment really got at what they were trying to say: because so much of modern C++ is templates-only, and templates-only code has no ABI/isn’t something you can put in a dynamic library, you’re in practice getting very few benefits from dynamic linking, this despite C++ having a formalized ABI on at least AMD64 these days. (Well, two of them, because Windows has a different calling system than literally everything else. (Not maliciously; there are good reasons for Windows to be the odd duck out here that largely have to do with them standardizing a subset of the C++ ABI for COM on x86 in ways that were useful for them to preserve for porting reasons, but that no one else needed to worry about. But it puts us in the same spot of two ABIs, regardless.))

                                  On your D comment, are you saying it’s the same as C++ or as Swift or as Rust?

                                  1. 2

                                    On your D comment, are you saying it’s the same as C++ or as Swift or as Rust?

                                    C++ of course, the whole comment was about C++.

                                    1. 2

                                      Could you please share some document/link/more info about why MS has chosen a different ABI than the rest of the (small, but still) world? I’m genuinely interested in this.

                                      1. 6

                                        It’s literally entirely Microsoft wanting to maintain binary compatibility with x86 binaries, and Unixes not caring.

                                        Looking purely at how registers are used, for example: the Windows fastcall convention, which is dominant for later Win32 apps, uses ECX and EDX for argument passing, and otherwise spills to the stack. While Microsoft appreciated that adding some registers for arguments would be good, they wanted to do so conservatively, so they left the usage of the named registers as-was and only added R8 and R9 as extra argument registers.

                                        Unixes, by contrast, generally do not care about binary backwards compatibility. In that world, it’s fine to re-purpose named registers, and passing more arguments by registers is better, so Unixes generally just developed their ABI fresh in the way best for AMD64 and AMD64 opcode patterns. That results in values going in RDI, RSI, RDX, RCX, R8, and R9.

                                        There are lots of other differences, but they keep coming back, again and again, to making it much easier for Windows to run 32- and 64-bit apps side-by-side. This Stack Overflow answer honestly does a great job getting into the weeds if you’re curious.

                                  1. 8

                                    Note that TensorFlow is licensed under Apache 2.0 and this patent is necessarily infringed by using TensorFlow’s BatchNormalization, so patent license is granted. Whether you can use batch normalization with PyTorch is anyone’s guess.

                                    1. 2

                                      I guess anyone worried about infringing will have to integrate with or wrap TensorFlow to capture the patent grant. Alternatively, pieces of TensorFlow. Edit to add I’m just going by your comment since I don’t use that software.

                                      1. 3

                                        Patents cause code bloat… Who knew?

                                        1. 3

                                          That’s pretty clever. Mainly cuz I might be able to use a generalization of it in arguments for patent reform.

                                          Come to think of it, making metrics worse for everyone to allow a patent holder to overcharge for better ones is what the system does by design. May or may not help since that’s the point. It might have a different effect on the general public than prior talking points.

                                    1. 4

                                      I get my internet this way. “Long range” antenna is about a mile away.

                                      1. 3

                                        Can you elaborate? I am in a rural area, so I would like to understand how someone uses this practically. Do you own the “long range” antenna and pay for the internet/WiFi service that it connects to?

                                        1. 5

                                          There’s a local service provider that caters to semi-rural areas. As long as you have one of their antennas you can join their network.

                                          I get about 25 megabit, with low enough latency to play video games. Have never had trouble with rain or fog.

                                          I also have an alternative which is DSL in this area. Not as good or as reliable.

                                          Would love to have fiber or cable internet but it’s never coming here.

                                          1. 2

                                            I live in central London and all I can get in my building is a 10mb ADSL connection; it feels like the early 00s. I’d be quite happy at the moment with 25mb. :-)

                                      1. 1

                                        Triggers are out of favor?

                                        1. 1

                                          That surprised me too.

                                          1. 2

                                            One of the core tenets of modern development is keeping logic together where it can be modified atomically through deploys (that can be deployed, run in split mode, and reverted), and database triggers have fallen heavily out of use because they struggle to provide these properties.

                                            The only part of this that triggers don’t necessarily suit very well is the “run in split mode” part. You can certainly deploy and revert triggers via migrations. I guess most people who’re using some A/B testing don’t have that integrated with their DB, so maybe that’s the concern: it’s hard to conditionally activate a trigger (is it?).

                                            I also think the author may be overestimating how many products are doing that degree of split testing, and the extent to which that testing really impacts upon the use of triggers.
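As an added example (not code from the original thread or from the author of the article under discussion), the following shows the two points this comment makes in practice: a trigger installed and removed by an up/down migration, and a trigger made conditional on a feature-flag row so it can be switched on and off without a redeploy. It uses Python’s built-in sqlite3 and an in-memory database; the table and flag names (`accounts`, `audit_log`, `feature_flags`, `audit_role_changes`) are invented for the illustration. The trigger chosen is an audit trigger on role changes, the kind of tamper-evident logging a security team typically wants close to the data rather than in application code.

```python
import sqlite3

# Up-migration: schema, a feature-flag table, and an audit trigger whose WHEN
# clause consults the flag row. All names here are constructed for this example.
UP = """
CREATE TABLE IF NOT EXISTS accounts (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    role  TEXT NOT NULL DEFAULT 'user'
);
CREATE TABLE IF NOT EXISTS audit_log (
    id       INTEGER PRIMARY KEY,
    account  INTEGER NOT NULL,
    old_role TEXT,
    new_role TEXT,
    at       TEXT NOT NULL DEFAULT (datetime('now'))
);
CREATE TABLE IF NOT EXISTS feature_flags (
    name    TEXT PRIMARY KEY,
    enabled INTEGER NOT NULL DEFAULT 0
);
INSERT OR IGNORE INTO feature_flags (name, enabled) VALUES ('audit_role_changes', 0);
-- The WHEN clause makes activation conditional on the flag row, so the
-- trigger can be turned on (or back off) with an UPDATE instead of a DDL change.
CREATE TRIGGER IF NOT EXISTS audit_role_change
AFTER UPDATE OF role ON accounts
FOR EACH ROW
WHEN OLD.role <> NEW.role
 AND (SELECT enabled FROM feature_flags WHERE name = 'audit_role_changes') = 1
BEGIN
    INSERT INTO audit_log (account, old_role, new_role)
    VALUES (NEW.id, OLD.role, NEW.role);
END;
"""

# Down-migration: reverting is just dropping what the up-migration created.
DOWN = """
DROP TRIGGER IF EXISTS audit_role_change;
DROP TABLE IF EXISTS audit_log;
"""


def migrate_up(conn):
    conn.executescript(UP)


def migrate_down(conn):
    conn.executescript(DOWN)


def set_flag(conn, name, enabled):
    """Flip a feature flag; with the trigger above this is the on/off switch."""
    conn.execute("UPDATE feature_flags SET enabled = ? WHERE name = ?",
                 (1 if enabled else 0, name))
    conn.commit()


def audit_rows(conn):
    return conn.execute(
        "SELECT account, old_role, new_role FROM audit_log ORDER BY id").fetchall()


def trigger_installed(conn):
    return conn.execute(
        "SELECT count(*) FROM sqlite_master "
        "WHERE type = 'trigger' AND name = 'audit_role_change'").fetchone()[0] == 1


def demo():
    """Walk the lifecycle: deploy, flag off, flag on, no-op change, revert."""
    conn = sqlite3.connect(":memory:")
    migrate_up(conn)
    conn.execute("INSERT INTO accounts (id, email) VALUES (1, 'alice@example.com')")

    # Flag off: the privilege change happens but is not audited.
    conn.execute("UPDATE accounts SET role = 'admin' WHERE id = 1")
    rows_with_flag_off = len(audit_rows(conn))

    # Flag on: the next real change is logged; a same-value update is not.
    set_flag(conn, "audit_role_changes", True)
    conn.execute("UPDATE accounts SET role = 'user' WHERE id = 1")
    conn.execute("UPDATE accounts SET role = 'user' WHERE id = 1")
    rows_with_flag_on = audit_rows(conn)

    # Revert: the down-migration removes the trigger cleanly.
    migrate_down(conn)
    return rows_with_flag_off, rows_with_flag_on, trigger_installed(conn)


if __name__ == "__main__":
    print(demo())
```

Two caveats for real deployments: the flag row is itself security-relevant (whoever can update `feature_flags` can silence the audit trail, so it needs the same access control as the trigger DDL), and the "split mode" the article worries about is exactly the window between flipping the flag and being sure every writer path still behaves, which this pattern narrows but does not remove.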

                                        1. 3

                                          I like that it’s a single file with tests.

                                          1. 16

                                            No need for my Atlassian account anymore…

                                            1. 15

                                              Agree. The only reason I had a BitBucket account was my mercurial repositories.

                                              If only Atlassian could sunset JIRA. That would be nice…

                                              1. 12

                                                If only Atlassian could sunset JIRA. That would be nice…

                                                Like all right-thinking people, I detest JIRA and every microsecond I spend in it feels like a million agonizing years, but what’s the alternative for bug tracking? Most software of this ilk is not purchased by the people who have to use it, so it responds not to actual user pressure, but to CTO sales pressure. That’s my pet theory about why enterprise software is uniformly terrible, at least.

                                                1. 6

                                                  That’s my pet theory about why enterprise software is uniformly terrible, at least.

                                                  That’s quite close to the theory of the old-timers I’ve asked about it, but there’s an important difference.

                                                  CTOs ask consultants what software they should use. Consultants who recommend software that’s simple and easily configured go out of business, because most of the money is in helping clients configure/install/start using software.

                                                  1. 3

                                                    I like Phabricator much better, and it’s free software too.

                                                    1. 2

                                                      GitHub issues are fine.

                                                    2. 1

                                                      I do not understand the hate against JIRA. I think it is good software with many useful features. Yes, it can be abused to make tracking your issues really bad, but that is problem of those who use the software and not the software itself.

                                                    3. 4

                                                      Good luck actually closing your Atlassian account though :-( I’ve tried to do it many times but still get email from them occasionally when they discover vulnerabilities in products I’ve never used.

                                                    1. 1

                                                      Is this better/ different/ worse than SAFE?

                                                      1. 3

                                                        It’s different. It’s F# on WebAssembly, much less mature, but might be useful for people who need more performance. The syntax though is borderline identical (if not identical) between SAFE and Bolero. Given my current understanding it’s pretty easy to move from one to the other. Bolero also supports html templates akin to Vue’s style. I would recommend experimenting with it a good bit before using it for something important.

                                                      1. 11

                                                        Hmm, reminds me a bit of “Pizza Hut”, which isn’t necessarily the best association.

                                                        1. 35

                                                          Oh?

                                                          1. 8

                                                            I actually liked that it reminded me of Pizza Hut. Hey, hackers love pizza!

                                                            1. 2

                                                              As a European, I can’t accept calling Pizza Hut’s produce “pizza”.

                                                              1. 4

                                                                As an American, I can’t accept calling Pizza Hut’s pizza “produce”.

                                                            2. 4

                                                              I got my sr.ht stickers in FOSDEM 4 days ago but I really want this now.

                                                              1. 2

                                                                @kragniz We’re counting on you to make this happen next fosdem. :)

                                                                1. 1

                                                                  I’ll do my best

                                                              2. 1

                                                                i love it

                                                                1. 1

                                                                  This is amazing, thanks

                                                                2. 3

                                                                  What do you have against pizza?

                                                                  1. 1

                                                                    Nothing, it’s just so-called american “pizzas” I dislike.

                                                                    1. 3

                                                                      Italians love American pizza too!

                                                                      That’s why it’s called the pizza effect!

                                                                      https://en.wikipedia.org/wiki/Pizza_effect

                                                                      1. 1

                                                                        You mean “creativity fuel”?

                                                                    2. 0

                                                                      you fuck right off with that

                                                                    1. 3

                                                                      When I first read the headline I thought that this article would be about how to find potential employees who have good work-life balance.

                                                                      1. 20

                                                                        If there are wires connecting two backups, it’s one backup. USB drive is a pretty decent backup, but it should be disconnected when not in use. (Possibly rotating drives to avoid mishaps while backing up.)

                                                                        1. 2

                                                                          Great point! That’s why folks in high-reliability recommend optocouplers for situations where there would be a shared wire. Fiber if one doesn’t want embedded. Each side’s hardware should be from different suppliers with differing implementations.

                                                                          1. 3

                                                                            Even with optocouplers, make sure power is coming from different places…

                                                                            1. 1

                                                                              I was thinking about that. Since I don’t know hardware, the best I can say is through two different UPSes.

                                                                        1. 1

                                                                          Aren’t reverse engineering tools illegal?

                                                                          1. 3

                                                                            Nope. Tools seldom are, but using them to e.g. commit a crime is. There are lots of profitable businesses as well as great open source tools in the reverse engineering space.

                                                                            radare2, IDA Pro, BinDiff,…

                                                                          1. 1

                                                                            One good thing about C/C++ is that you’re closer to making a mental model of how CPU hardware works. I think there’s value in that.

                                                                            Of course, by this argument, schools should teach assembly first.

                                                                            1. 3

                                                                              I agree that a mental model of how CPU works is important. I disagree that C/C++ is actually close to how hardware works, or that a useful mental model of computers has to be closer to metal.

                                                                              C/C++ is as far from how hardware works as pretty much any other imperative language. The distance between C and Java or Python is a lot smaller than the distance between C and actual circuits.

                                                                              The machine that C/C++ pretends exists is an abstraction, and that is the machine that is good to have a mental model of. But every other imperative language works on top of that machine, anyways. Given that, I think it makes more sense to choose something with higher signal to noise rate. I had Pascal in college, python is also a good choice, in my opinion. Javascript has a worse signal to noise ratio (where signal is expressing basic ideas of algorithms and data structures, and noise is specific syntax and semantics), but has the upside of being everywhere that is a browser.

                                                                              Update: This is a longer article about this and some other things that says in more (and better) words what I mean.

                                                                              1. 2

                                                                                C/C++ seems like a good balance between low level assembly and higher level languages that do all the memory management for you (among other things).

                                                                                1. 1

                                                                                  It’s closer than some but also an abstract machine with its own oddities. I’ve always been a fan of educational languages that get down to the essence of it. So, after they learn computational thinking with an easy language, they can learn more about low-level programming with a simple, imperative language (example) with pointers, modules, and compound types. Teach them pointers, stacks, heaps, and caches with coding examples in the easy language and the lower-level language. Teach them about temporal errors like use-after-free along with ways to prevent and/or detect them. Then, follow up with concurrency, mentioning memory models and atomic instructions. Then, parallel programming with basic multicore and SIMD, maybe covering parallel languages. Show assembly for each of these.

                                                                                  Then, they’ll have a mental model of how the CPUs work vs how C wants them to work. Plus, how to code for them.

                                                                                  EDIT: Looking at their syllabus, I found out that computational thinking that @mikelui brought up is the first goal they mention. I might have to look into the C0 work more closely.

                                                                                1. 12

                                                                                  One of my pet peeves: desktop OS is too busy for me to type full speed. Or mouse full speed.

                                                                                  Humans are glacially slow compared to CPU.

                                                                                  Any time I’m trying to do something, pc should prioritize me.

                                                                                  1. 1

                                                                                    I’ve been having problems with my windows 10 laptop at work where processes I’m running take 75% of cpu resources and some mysterious OS processes are eating the other 25%. Everything grinds to a halt, but I have little visibility into what’s causing it. Very frustrating.

                                                                                    1. 2

                                                                                      I had the same experience on a work machine, while none of that on a privately owned PC dedicated to gaming. My guess would be the IT department doesn’t know/care what they are doing.