Threads for joepie91

  1. 75

    The fact that the NFT spec only stores an image URL on the blockchain, and no hash to verify the image, is just absolutely astounding. Moxie is more generous than I am; IMO it highlights the grift that NFTs are – like whoever threw it together gave no thought to security or longevity.

    1. 29

      Yeah to me this is the “tell” that the main thing driving it is other people’s FOMO money.

      Basically software devs in this ecosystem realized they didn’t have to do their jobs to make money. The whole system keeps working even if you don’t do your job!!!

      You just have to repeat the memes long enough, and it doesn’t matter if the tech actually does what it says it does, because nobody’s checking! Nobody really wants to stand up their own copies of these things and check if it works.

      There’s little benefit in that. The benefit is talking about it and repeating it to your friends.


      I was interested in IPFS before it grew the blockchain component. I went back to the original paper, and it is genuinely a good idea, and something we still need: a cross between git and BitTorrent (it mentions this in the abstract). I have long wanted Debian repos, PyPI, CPAN, etc. to be stored in such a system, i.e. consistently versioned with metadata.

      But it’s 6 years later, and when I go to look at it, apparently it just doesn’t work very well. And it probably won’t because it grew so many components. (Gall’s law: to get a big working system, you have to start from a small working system.)

      https://news.ycombinator.com/item?id=20137918

      So what should we expect of IPFS? At five years old, is this a project that’s usable ‘here and now’, as the homepage promised in 2017? Are all the parts in place, just waiting for web and application developers to see the light? Have the stumbling blocks I noticed in 2017 been smoothed over?

      No

      IPFS is still not usable for websites.

      https://esteroids.medium.com/how-can-ipfs-reach-wide-adoption-42b9a5011bdf

      As one commenter astutely put it, “IPFS struggles to host a plaintext bulletin board with logins like you’d find in the late 80s”


      And to give some light on the other side … Despite having some interest in BitCoin since 2013 or so, I first bought it last year.

      Because the founder of SciHub asked for donations in crypto on her site. https://en.wikipedia.org/wiki/Alexandra_Elbakyan

      So I just did it via CoinBase and I suppose it worked. So I would say there’s non-zero number of real use cases for cryptocurrency and blockchain. I think IPFS started out as genuine too, but it basically got ruined as working tech by an influx of money and employees.

      1. 11

        The situation with IPFS also affected gittorrent, another combination of git and bittorrent. Blockchains are like fig trees; as they grow, they choke whatever software projects originally gave them structure and purpose.

        1. 2

          Hm what happened to it? It doesn’t look like very much code.


          Thinking more about the original comment … To “steel man” the blockchain, I do think there is a place for regular old web apps to serve data from a blockchain. I don’t think that is inherently a bad architecture. You just have to be honest about it!

          I think there will always be a place for money in the blockchain, however niche, as the Scihub example shows.

          It’s more logical for an end user like me to use Coinbase, which is centralized, but that’s OK. (Also big irony: it relies on sending your driver’s license in for verification, so it’s building on top of US state regulations which they want to be free of.)

          One viewpoint I heard is “Bitcoin is a settlement network, not a payment network”. That is, the logical end user is banks and companies like Coinbase, not consumers. It could make sense to have a two-tiered system.

          (Although then you have the same problem that those banks are subject to regulation of the countries they operate in, so you’ve lost a lot of the purported benefit of blockchain. I think people will gradually come to understand this and a much smaller set of use cases will be ironed out.)

          But I do think the logical evolution of blockchain is to evolve to be less “consumer” and more “enterprise”.

          I think the problems with the centralization of the cloud are real, and while web3 is mostly a BS term, and it’s not really a solution as is, I can see this type of distributed consensus as a useful primitive for small but important parts of real systems.

        2. 2

          I believe that the Dat protocol and its successor Hypercore are both basically Bittorrent plus version control, but with no connection to blockchains or cryptocurrency that I know of. Please correct me if I’m incorrect :)

          I think Beaker Browser is a really cool project that suggests what could be done with Hypercore, but unfortunately a lot of websites and apps that were designed for its first iteration using Dat didn’t succeed in making the transition to the Hypercore version. I think the tech change cost it some momentum / users. Hopefully it will build up steam again, but I’m afraid IPFS has stolen its thunder by providing similar tech plus a chance to get rich quick :(

          1. 2

            Dat is so good aside from one critical flaw (IMHO, anyway): the “spec” is more or less “whatever the version you pull from NPM right now does.” Yes, there is some additional documentation, and a running reference implementation is great, but going a decade+ without a compatible version in some environment other than Node is a pretty big handicap and IMHO a major oversight by the project owners.

            Secure Scuttlebutt suffers from the same problem, and the “rewrite it in Rust” efforts for both are at best implicitly — if not explicitly, as in the most recent SSB -> Rust work — aimed at performance, not broad interop or adoption.

            So neither one can effectively run without hundreds of MBs of JS packages, there’s no support for languages that offer better native platform integration or type safety…heck, they don’t even ship TS definitions, and the internal APIs are so idiosyncratic it’s extremely difficult to build new apps on the platform.

            In a world where I had infinite time and attention to spend on an open software + network stack I would love to build a libdat or libssb that was straightforward to link in a Python project, or an iOS app, or really anything that can do normal C FFI. Alas, I don’t, so I haven’t. Maybe someday.

            1. 2

              Hm I heard of Dat a few years ago, but I didn’t know about Hypercore. Thanks for the pointer!

              I think eventually we will get something like this … just because there is a need. In the meantime I might write my own with shell scripts invoking git, and then curl or BitTorrent :)

              I forget which post I read this in, but there are really 2 kinds of “decentralized systems”, i.e. ones that don’t rely on “the cloud”:

              1. Something like git, where it’s trivial to stand up your own. BitTorrent is also in this category. As well as a web server with Apache or Nginx.
              2. Something like BitCoin where there’s no central node.

              Notably, it’s not only hard to run your own Ethereum node, but you also don’t want to run your own Ethereum network!

              So the word is overloaded, and they have very different architectures. I care more about the first kind. So really I don’t want a global file system like IPFS – I’d rather have distributed storage that runs on a few nodes, is easy to administer, etc.

              1. 1

                Whoops, it seems Beaker Browser is being discontinued: https://github.com/beakerbrowser/beaker/discussions/1944

                I’m not surprised but I am really sad about this. I thought it had a lot of potential for building a resilient web that could e.g. handle network outages by making it trivial to continue sharing websites over a LAN. It seemed to be great at sharing static websites which are where I’m putting my development efforts these days, but it appears the developer was frustrated by this and wanted people to share web apps instead.

                Agregore looks like it may be continuing on with support for Hypercore, but it also supports IPFS and I saw not interacting with Protocol Labs and their reliance on / promotion of cryptocurrency as a significant feature.

                1. 1

                  IPFS is a very pure “better BitTorrent” and the fact that some web3 stuff hosts content on IPFS should not taint the protocol, even if you happen to hate web3. Lots of web1 content on IPFS too, the protocol predates web3 by a lot, etc

                  1. 4

                    Part of the problem here is that “hosts content on IPFS” is a misnomer, for the same reason that things aren’t “hosted on BitTorrent”. IPFS is a distribution mechanism, not a storage mechanism (despite what their marketing implies), and so something can only be distributed through IPFS - it needs to be hosted somewhere else, and that “somewhere else” is left undefined by IPFS.

                    That might sound like pedantry, but it has some crucial implications: it means that by default, the network cannot provide meaningfully better availability than BitTorrent can, which is to say the availability is really bad and unsuitable for hosting websites on. You could address this by seeding your content from a server, but then what have you really accomplished, other than a potential ‘download accelerator’ (which is again distribution, not storage)?

                    1. 1

                      which is to say the availability is really bad and unsuitable for hosting websites on. You could address this by seeding your content from a server

                      This seems like a contradiction. Of course you cannot host an IPFS powered website without seeding it from somewhere! That doesn’t make availability bad or unsuitable any more than HTTP is bad or unsuitable. What I love about IPFS is that I can pin my websites on any computer connected to the internet, and usually much more than one! No special setup is needed, and if I want to change what computer pins the content I can easily do so at any time without changing any settings anywhere else. It just seamlessly keeps working.

                2. 1

                  IPFS is still not usable for websites.

                  I have been using IPFS for websites for years. It works great.

                  1. 1

                    Where do you persist user-mutable state and how?

                    1. 2

                      Websites do not have user-mutable state. I guess if you want your blog to have a user theme toggle or some other appy feature a website might want you can use a cookie or localStorage just as you would on the regular web.

                3. 7

                  Moxie is more generous than I am

                  Indeed. That’s what makes this a balanced critique. Good-faith.

                  1. 44

                    I don’t think bad faith is necessary to provide valid criticism. The fact that NFTs are sold to the public as ‘stored forever in the blockchain’ and the reality is that there’s no actual mechanism storing anything other than a URL pointing to the content is almost by definition a scam. If I was going around selling ownership contracts to a house I don’t own, I’d be charged with fraud.

                    1. 4

                      I don’t think bad faith is necessary to provide valid criticism

                      That’s not what I meant. When @tao_oat said “Moxie is more generous than I am”, the difference between a “generous” take and a “not generous” take can often be the assumption of good faith. Are you trying to keep a neutral eye while evaluating this argument, or are you just looking for more evidence to confirm your existing bias? That’s the difference between having good faith or approaching a topic cynically.

                      I think you’re prejudiced against NFTs and are just looking to criticize them. That’s fine, I think NFTs being used to attest art and their associated speculation is pretty stupid, so you aren’t gonna find me defending any of this. I also agree with each of Moxie’s criticisms. That said, I just don’t think the sort of cynical, charged rhetoric in this thread is indicative of good faith. Your comment even assumes a position from me that I don’t have. Good faith keeps discussions intellectually interesting IMO. I don’t have that much more to say here, I’ll let everyone else continue ranting in anger.

                      1. 4

                        FWIW I agree with you – on doing more research, a good-faith take would be that whoever wrote the ERC721 spec might have seen the promise of an image that changes over time. They might not have foreseen that art collectibles would be the primary driver behind NFTs. In the spec they write:

                        A mechanism is provided to associate NFTs with URIs. We expect that many implementations will take advantage of this to provide metadata for each NFT. The image size recommendation is taken from Instagram, they probably know much about image usability. The URI MAY be mutable (i.e. it changes from time to time). We considered an NFT representing ownership of a house, in this case metadata about the house (image, occupants, etc.) can naturally change.

                        (Though having a sentence like “The image size recommendation is taken from Instagram, they probably know much about image usability” in an official spec doesn’t exactly scream professionalism or care to me).

                        I should direct my critique against those who push art NFTs without mentioning the serious technical issues, and not the spec authors themselves.

                        I think the broader question is: when you keep seeing red flags in an ecosystem/community how long can or should you make an effort to retain good faith?

                        1. 1

                          I think the broader question is: when you keep seeing red flags in an ecosystem/community how long can or should you make an effort to retain good faith?

                          I think that’s the wrong question to ask. Technology usually has two components. One is the design and engineering that goes into it. Think with XMPP the protocol and standards used to send/receive messages. The other is adoption: this can be success in number of users, its usage, or its revenue. There’s plenty of technologies, ones much less complicated and more “clearly” incremental than a blockchain, that have failed purely because their adoption was lacking, despite years of attempts to make themselves relevant. Examples here are Laserdisc, Betamax, HD-DVD, and more. Adoption of a technology has much more to do with culture, user-experience, or business considerations than the engineering behind the technology. These questions you’re asking, about whether the space is filled with hucksters and such, are questions affecting the adoption of the technology. Discussions concerning the adoption of a technology are much more complicated (well IMO at least, probably because I’m an engineer first and foremost!) than discussions dealing with the design and engineering behind a technology, and also off-topic for Lobsters (probably due to the challenge of dealing with the nature of those discussions properly.) I will say though, a space filled with fraud doesn’t exactly instill confidence, especially when it’s a person’s money or other resources on the line…

                          But I also don’t think it’s necessary to get inordinately angry at the blockchain space. Businesses are made and die every day, some full of hucksters, others just blatant copies of existing businesses. Community projects are made and die every day. It’s the churn of human creativity. If humans knew exactly which projects would succeed and which would fail, then we’d already have solved our problems, wouldn’t we?

                      2. 3

                        I don’t really care for collectibles, real or virtual, but to be fair the NFT is stored in the blockchain. The media is not the NFT, just an associated decoration.

                        1. 24

                          This sounds like a solution looking for a problem, and then someone inventing a problem for the solution to fix. One thing I’ll give ‘crypto bros’ - specially those pumping the NFT racket - is that they’ve managed to befuddle the world into thinking they created something actually revolutionary. Every single problem the article describes is stuff anyone who understands how this technology works could’ve guessed from day 1. Ultimately ‘web3’ is just a nebulous term that means nothing and everything, depending on who you ask and what time you ask them.

                          1. 2

                            Sure, I don’t collect baseball or magic cards either, so the whole thing doesn’t connect with me personally.

                          2. 19

                            But nobody says that an NFT is a URL, i.e. a string starting with “https://…” Because nobody would find such a string, in itself, interesting enough to pay money for.

                            The scam is that people describe and sell NFTs as being a file, or even a unique fingerprint of such a file, when they’re no such thing.

                            It’s like selling you a painting, only it turns out you only bought the frame, and the gallery reserves the right to swap out the canvas for another one, or just take it away, at their pleasure.

                            1. 8

                              Yeah but the funny thing is: who cares if it was actually pinned to the right file?

                              What’s to stop me from minting another NFT for the same artwork and selling it? I just have to convince enough people it’s valuable.

                              As far as I can tell, the thing that makes NFTs “work” in any sense is specific pockets of social media, e.g. Twitter. Reality is socially constructed.

                              Like the artist Beeple has to go on Twitter and say he’s selling some number that represents art that he created.

                              https://twitter.com/beeple

                              And other people witness that and they believe it is him, i.e. the person who keeps creating all the enjoyable pictures. Twitter and other centralized social networks provide some continuity of identity. lobste.rs does this too.

                              If somebody else tries to sell an NFT of his artwork, maybe he can use Twitter to shame them or whatever. That’s about it.


                              As far as I can see, social media is really the thing that matters, and not anything in the blockchain. It seems clear that no end users ever really look at the blockchain and verify things. (Hell I didn’t when I sent the donation to the Scihub founder. Did it really get sent? I just trusted Coinbase.)

                              So I think there’s no notion of identity, exclusivity, or authenticity on the blockchain. You always have to make some jump between the number/hash and the “thing”, and other people can make that jump too.

                              I’d be interested in any arguments otherwise … I have never actually used NFTs or Ethereum, but it seems like there is an obvious hole either way.

                              i.e. the blockchain is really built on trust built by social media; it can’t stand alone. Social media is very powerful – the former US president got elected in a large part because of it, and then he got blocked from it with huge consequences, and now he wishes he had his own Twitter and there are multiple efforts in that direction, etc. It has a lot of real consequences in the world, and is intimately connected to it. Blockchain doesn’t have that property at all!

                              1. 9

                                Right — I can just touch one pixel in the image, or add a no-op EXIF tag, and suddenly it’s a different file with a different digest that I can sell as a different NFT.

                                That was my day-one objection to NFTs. In terms of my analogy, it’s like buying a limited edition print where I only have the artist’s promise she won’t issue more. But the realization that it’s just a URL makes them orders of magnitude sillier and more scam-like.

                                1. 8

                                  Yeah this has been beaten to death, but I was reading conversations earlier this year, and one analogy is the company that used to sell naming rights to the stars:

                                  https://news.ycombinator.com/item?id=26488430

                                  Like they would sell you a certificate that a star was named after you.

                                  Never mind that anybody can rename the same star for a different person, and sell that. Nobody ever used those names – not even the one scientist who might have a picture of that star or care about it. (Again, reality is socially constructed.)


                                  Another problem is that you’re literally just getting the NFT number itself. You’re not getting the copyright to that work !!!

                                  Like you could buy the NFT, and then the artist can sell the actual artwork to somebody else, which IS enforceable by copyright law !!! But your NFT isn’t.

                                  Also with music, there are separate rights to perform songs in public places, to play recordings at bars, and to publish the sheet music. You do NOT get that if you buy an NFT of a song.

                                  In fact I remember seeing a VC blog or podcast where this was brought up ….

                                  And so that basically proves that it doesn’t matter if the NFT has an immutable hash or not. You’re buying a useless pointer to a thing, not anything related to the thing itself … so it doesn’t matter what’s in it!

                              2. 3

                                I don’t understand this sticking point. An NFT is just a provably-unique (i.e. non-fungible) thing maintained on a chain. What it maps to off-chain, or how it does so, is basically incidental. It’s a contract, meaningful only in a specific domain: for legal contracts, that domain is typically a government jurisdiction; for NFTs, it’s the chain on which they exist.

                                1. 4

                                  I think it’s because the loudest use is for art collectibles so people get hung up on that. For me the best analogy is baseball cards. No one would say “but the card doesn’t contain an actual baseball player! You don’t get the right to boss the real human around!” But somehow the detractors think NFTs should “be” the art or “be” the copyright in a way that they were never intended to be.

                                  1. 7

                                    The problem with that analogy is that the issuer of the baseball card could, if it were an NFT, blank the contents of the card or change it to something else at any point. If baseball cards had that property, would people trade them? If a baseball card just had a QR code on it that let you go to a web page of stats about the player, would they be as valuable? Would they keep being valuable once some of the servers hosting the stats went offline (or would ones pointing to dead URLs become more valuable?)? What about when someone buys the domain for a popular card and points it at a porn site?

                                    1. 2

                                      The problem with that analogy is that the issuer of the baseball card could, if it were an NFT, blank the contents of the card or change it to something else at any point.

                                      In this analogy the NFT, the contract which exists on-chain, is itself the baseball card. The fact that one of the metadata fields of the NFT is a URL that may or may not resolve is more or less incidental.

                                      Would they keep being valuable once some of the servers hosting the stats went offline (or would ones pointing to dead URLs become more valuable?)?

                                      The important properties of NFTs are that, in the context of the chain on which they exist, they’re provably unique, non-fungible, and owned. A broken URL in the metadata doesn’t impact those properties. Of course, value is determined by the market, and the crypto markets are wildly irrational, so you may have a point.

                                      1. 1

                                        In this analogy the NFT, the contract which exists on-chain, is itself the baseball card. The fact that one of the metadata fields of the NFT is a URL that may or may not resolve is more or less incidental.

                                        I’ll buy this, but practically speaking, what then is the use of the NFT? If you’re saying the URL isn’t important, what exactly are you buying?

                                        1. 1

                                          You’re buying something which is guaranteed to be unique and non-fungible, in the context of a specific chain. There is no intrinsic value, any more than a specific painting or whatever is valuable. The value relies on the market belief that the NFT’s chain-specific scarcity is valuable.

                                          It’s kind of like a deed. The property isn’t legally yours until the relevant legal regime accepts that you own the deed. The deed isn’t the property but it uniquely represents the property in a specific domain.

                                          But like value is not the only interesting thing about NFTs. The non-fungibility itself is novel and opens the door to lots of interesting things.

                                    2. 2
                                    3. 2

                                      Sure, but that is absolutely not how NFTs are understood by 99.9999% of people. That mismatch is the scam.

                            2. 3

                              The fact that the NFT spec only stores an image URL on the blockchain

                              This is not universally true. A lot of NFT projects use IPFS, Filecoin or similar decentralized storage.

                              But for the ones using Amazon S3 it’s kinda hilarious, yes

                              1. 3

                                A lot of NFT projects use IPFS, Filecoin or similar decentralized storage.

                                These solutions have a similar problem as with Bittorrent. The stuff that’s not popular won’t get seeded/hosted. It just adds one layer of indirection to the storage issue, but once the business that’s pushing NFTs goes out of business these files are probably not going to get shared.

                                1. 1

                                  I don’t see how that’s a problem in this context? If the URL is IPFS you have a hash, which was the objection being replied to here.

                                  1. 1

                                    My understanding of how this works is: the NFT is an object on the blockchain, whose rules enforce its uniqueness. We’re gonna assume the chain is going to be continued to be mined and therefore “exist” indefinitely.

                                    The NFT contains a hash denoting a location on IPFS. Accessing it using an IPFS gateway will show the user the JPG portraying whatever they paid $2.4M in funny money for. But that JPG has to reside on disk somewhere. And when the company or user goes out of business or the VPS is decommissioned or they get kicked out of AWS for scamming, where is the JPG?

                                    Of course, concerned parties can… right click on the image, save it to disk, and then use that as a source of data for the IPFS hash, but that does kind of put a lie to the popular imagination on how all this nonsense works.

                                    1. 2

                                      You can become a node in the IPFS network yourself, and host just the image.

                                      1. 1

                                        Just like the baseball player the “hash” (picture) on a baseball card may die, so may the hosting for an NFT’s associated JPG go away. Of course if you want to preserve it you can simply pin it yourself and thus your own computer becomes a host for it. So it’s actually more resilient than the baseball player :). The NFT is not the image, the image is an associated decoration
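The three points argued above (that an ERC-721 `tokenURI` can point at a plain HTTPS URL that binds nothing, that an IPFS reference is a hash you can actually check, and that flipping one byte of the image yields a different digest) can be made concrete with a small checker. This is an added example, not code from the thread or from any NFT project: the metadata documents, the image bytes and the `cdn.example.com` URL are constructed for illustration, and the verifier only handles the CIDv1 "raw" / sha2-256 form (`bafkrei…`) that `ipfs add --cid-version 1 --raw-leaves` produces for a single small block; the older dag-pb `Qm…` form is recognised as content-addressed but not recomputed here.

```python
"""Classify the `image` reference of an ERC-721 metadata document and, where the
reference is a content address, verify candidate bytes against it.

Added example (not from the thread). Assumptions: metadata follows the ERC-721
metadata JSON shape ({"name": ..., "image": ...}); IPFS references use the
ipfs:// scheme; only CIDv1/raw/sha2-256 CIDs (bafkrei...) are verified.
"""
import base64
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# CIDv1 header for a raw block hashed with sha2-256:
#   0x01 = CID version 1, 0x55 = "raw" multicodec,
#   0x12 = sha2-256 multihash code, 0x20 = 32-byte digest length.
CID_V1_RAW_SHA256_HEADER = bytes([0x01, 0x55, 0x12, 0x20])


def cid_v1_raw_sha256(data: bytes) -> str:
    """CIDv1 (raw leaf, sha2-256) as multibase base32lower: 'b' prefix, no padding."""
    body = CID_V1_RAW_SHA256_HEADER + hashlib.sha256(data).digest()
    return "b" + base64.b32encode(body).decode("ascii").lower().rstrip("=")


@dataclass
class ImageBinding:
    kind: str                 # "content-addressed", "mutable-url" or "unsupported"
    reference: str
    cid: Optional[str] = None


def classify_image_reference(metadata_json: str) -> ImageBinding:
    """Say what kind of thing the metadata's `image` field actually commits to."""
    meta = json.loads(metadata_json)
    ref = meta.get("image", "")
    if ref.startswith("ipfs://"):
        cid = ref[len("ipfs://"):].split("/")[0]  # drop any path inside a directory CID
        return ImageBinding("content-addressed", ref, cid)
    if ref.startswith(("http://", "https://")):
        # Whoever controls the host (or later buys the domain) decides what is served.
        return ImageBinding("mutable-url", ref)
    return ImageBinding("unsupported", ref)


def image_matches(binding: ImageBinding, candidate: bytes) -> Optional[bool]:
    """True/False when the reference can be checked against bytes; None when it cannot."""
    if binding.kind != "content-addressed" or not (binding.cid or "").startswith("bafkrei"):
        return None  # a URL, or a CID form this example does not recompute, binds nothing checkable here
    return cid_v1_raw_sha256(candidate) == binding.cid


# Constructed sample data: a stand-in for a tiny PNG and two metadata documents,
# one pinned by content address, one served from an ordinary web host.
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
PINNED_CID = cid_v1_raw_sha256(SAMPLE_IMAGE)
META_IPFS = json.dumps({"name": "Example #1", "image": f"ipfs://{PINNED_CID}"})
META_HTTP = json.dumps({"name": "Example #2", "image": "https://cdn.example.com/1.png"})


def demo() -> dict:
    """Run the three checks the discussion above is about and return the outcomes."""
    results = {}
    ipfs_binding = classify_image_reference(META_IPFS)
    results["ipfs_ok"] = image_matches(ipfs_binding, SAMPLE_IMAGE)
    # "Touch one pixel": flip a single bit and the CID no longer matches.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[20] ^= 0x01
    results["ipfs_tampered"] = image_matches(ipfs_binding, bytes(tampered))
    # A plain URL carries no digest, so there is nothing to verify against.
    results["http"] = image_matches(classify_image_reference(META_HTTP), SAMPLE_IMAGE)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that a match only tells you the bytes are the ones the token committed to; it says nothing about who still has those bytes, which is the availability point made earlier in the thread, nor about who holds copyright, which no hash can express.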

                              1. 21

                                I was worried that it’d be some horror story about malicious non-compliance, retaliation, or legal problems, but a company just taking down the offending service isn’t that terrible.

                                1. 13

                                  If you drive without a driver’s license you can’t tell the officer, “I was inspired by this other car”, or say “hey man I’m doing this three years already, but now you’ve caught me, I’ll throw away this car”. You’ll be fined anyhow.

                                  1. 13

                                    In terms of what actions they could take now, I guess you’d have preferred them opening up the source but closing down the service is still ceasing to abuse your copyright, so it doesn’t seem like a bad outcome at all.

                                    If you want reparations for the last three years, well, that’s a tangential issue, and you’d probably need to go through courts for that no matter what their actions today.

                                    1. 2

                                      If you want reparations for the last three years, well, that’s a tangential issue, and you’d probably need to go through courts for that no matter what their actions today.

                                      That’s a rather interesting issue. Normally you’d file charges for damages or lost profit, but that’s not really the case here, so I don’t really see what a court could do, really. There have been GPL cases against companies, but that’s where they were still infringing, and shipping products with the software. You can’t just stop infringing by no longer using the software with hardware still out there, where consumers continue to be disadvantaged by not having access to the source code.

                                      With a web service, they can just take it down and there isn’t really anyone who continues to be disadvantaged in any way.

                                      1. 3

                                        In certain jurisdictions, having a registered copyright might allow for statutory damages on the past infringement. Otherwise, with an actor this small, I agree there’s unlikely to be other recourse. IANAL

                                    2. 11

                                      Only because you are caught by an agent of the law. If you are caught by your non officer parents, you won’t be fined

                                      1. 2

                                        Driving without a driving license is a much greater offence though. And it’s not like police will fine every single last violation; giving warnings is not uncommon.

                                        I wouldn’t be surprised if this is a fairly small company run by just a few people without a legal department or review procedures. What probably happened is that someone set this up in a day as a side project and didn’t vet the license properly. Not great, but … it happens.

                                        Some people are so quick to assume malicious intent in all sorts of things, but I find this usually isn’t the case.

                                      2. 8

                                        If we consider this acceptable, then that essentially translates to “violating open-source licenses is fine so long as you don’t get caught”.

                                        So no, I don’t think this is fine at all. Considering it acceptable sets a terrible precedent.

                                        1. 6

                                          Yes, exactly. Site takedown is your best case scenario from a court injunction, and you got it without hiring a lawyer. Looks like a win.

                                          1. 5

                                            I would consider the best scenario in an AGPL case a release of the source code with modifications, and attribution. The entire point of using the AGPL is so that people can benefit from improvements made to the code. Taking down the website is the next best alternative, but in that case there are only losers:

                                            • The customers who were using the service
                                            • Others who would like to host or study the software with those improvements (including the original author)
                                            • Possibly the author not reaching fame due to missing attribution
                                            • Even the company who is no longer able to host the service because they’re not willing to comply, and the hassle they admittedly got themselves into.
                                            1. 2

                                              I absolutely agree, but source release is not something a court can order; it can only be got as a settlement to allow the violator to continue distributing. If they don’t need/want to keep distributing then there is no way to get that, so takedown is, under these circumstances, the best case.

                                              1. 3

                                                source release is not something a court can order

                                                Why is that not possible?

                                                1. 3

                                                  Because of the legal mechanism at play here, namely, a copyright license. Copyright provides the author with certain rights and “right to require source release” is not one of them. The license allows parties to make use of some of the author’s rights in exchange for certain conditions (source release, in this case, among others), but if those conditions are not met it simply means the violator does not have the legal right to make use of the author’s rights. So a court can enforce that and require they cease using the author’s rights (such as by takedown), but they cannot require the party do things outside that scope.

                                                  1. 3

                                                    Interesting! Thanks for explaining this.

                                        1. 9

                                          Massive kudos to this guy for not putting up with this SJW madness. I wish him all the best!

                                          We at suckless are heavily opposed to code of conducts and discriminatory organizations of any shape or form.

                                          1. 15

                                            Suckless takes a similarly principled stand against runtime config files.

                                            1. 12

                                              How does suckless oppose discrimination?

                                              1. 9

                                                By being very diverse and doing fackelmärsche of course. https://suckless.org/conferences/2017/

                                                1. 7

                                                  @FRIGN What’s the purpose of this “torchlight hike” in the context of producing code that sucks less? Don’t you see that the activities you choose to have during your conferences are a cultural stance, and because of that, can be perceived as exclusive by programmers that don’t recognize themselves in these activities?

                                                  1. 2

                                                    I get your point, but must honestly say that your argument sadly aligns with the ever-excluding and self-segregating destructful nature of cultural marxism. By eating food together at the conferences, do we exclude anorexics that might otherwise be willing to attend such a conference? I don’t drink any alcohol and never have. Still, it was not a problem when we went to a local Braukeller and some people drank alcohol and others like myself didn’t.

                                                    The fundamental point I think is that one can never fully and analytically claim that a certain process is completely unaffected by something else. If we dive down into these details we would then move on and say that the different choice of clothing, hairstyle, means of travel and means of accommodation all affect the coding process at suckless. This can be taken further and further with no limit, as we all know about the butterfly effect. At some point it is just not measurable any more.

                                                    If you ask me, this is a gross overstretching of what I said. There are quite a lot of people who do not attend the conferences but still work together with us on projects during that time. What really matters is that we e.g. do not ignore patches from these people or give them less relevance than those of others. To pick the example up: The torchlight hike did not affect any coding decision in a direct way, but it really bonded the team further together and was a very nice memory of this conference that I and the others are very fond of from what I’ve heard. On top of that, during the hike we were able to philosophize about some new projects of which some have become a reality. The net-gain of this event thus was positive.

                                                    In classical philosophy, there are two main trains of thought when it comes to evaluating actions: Deontology and Teleology. Deontology measures the action itself and its ethical value, completely ignoring the higher goal in the process. Teleology is the opposite, evaluating actions only by their means to reach a goal, completely ignoring the value of the action itself. The best approach obviously should be in between. However, there is a much more important lesson that can be taken from here: When evaluating a decision, one needs to realize what they are measuring and what is unimportant for a decision. What I meant is that to reach the goal of software perfection, the gender and other factors of the submitters do not matter. So even though we here at suckless have a goal, we are not teleologists, as we just ignore the factors that do not matter for coding.

                                                    It is an ethical question which norms you apply to a decision.

                                                    If we look at organizations like Outreachy, one might be mistaken to think that they are deontologists, striving to improve processes. However, after closer inspection it becomes clear that this is not the case and they are actually working towards a certain goal, increasing the number of trans and minority people in such communities. No matter how you think about this goal, it makes one thing clear: When you are working towards such a goal and also do not ignore irrelevant factors in your norms (and they in fact do by not ignoring e.g. race and gender), you quickly end up discriminating against people.

                                                    I hope this clears this up a bit, but as a short sentence, what can be taken from here is: When discussing ethical matters, it’s always important to make clear which norms are applied.

                                                    1. 17

                                                      fackelmärsche

                                                      I’m not going to wade into anything else on this, but I’d like to just take a second and let you know that, while you may not mean it in this way, the phrase “cultural marxism” is very, very often used as a stand-in for “jews”. Some links for the record:

                                                      https://www.splcenter.org/fighting-hate/intelligence-report/2003/cultural-marxism-catching

                                                      https://newrepublic.com/article/144317/trumps-racism-myth-cultural-marxism https://www.smh.com.au/world/cultural-marxism--the-ultimate-postfactual-dog-whistle-20171102-gzd7lq.html

                                                      1. 13

                                                        wow, uh, kind of a weird red flag that pointing this out is getting seriously downvoted. I picked these links pretty quickly, and anybody who comes behind and reads this and wonders how serious this is, do yourself a favor and image search and see how many memes have the star of david, greedy merchant, world-strangling octopus or any of a number of openly anti-semitic imagery. It’s not hidden, it’s not coy. If you’re tossing “cultural marxism” around you’re either willfully ignoring this or blatantly playing along. It’s not a thing in the world. There are no leftists (at all) who call themselves “cultural marxists”, and in fact there is a sizeable faction of marxists who are openly disdainful of any marxism that eschews political struggle. The New Republic article linked above goes into this; Perry Anderson’s “Considerations on Western Marxism”, a well known, well regarded text across a number of marxist subsects, is explicitly based on this. Anyway, enjoy contributing to a climate of increasing hostility toward jews. good stuff.

                                                        edit: have some fun with this https://www.google.com/search?q=cultural+marxism&client=firefox-b&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjz2tWrhvnaAhUJ7YMKHVgcCccQ_AUIDCgD&biw=1247&bih=510#imgrc=_

                                                        1. 4

                                                          The term ‘Cultural Marxism’ describes very well what it is, and not all leftists are cultural marxists. The classical theory of marxism, roughly speaking, is to think of society as being split in two camps, the Proletariat and the Bourgeoisie, eternally involved in a struggle, where the former is discriminated against and oppressed by the latter.

                                                          Cultural Marxism applies these ideas to society. In the Frankfurt School it was called ‘Critical Theory’, calling people out to question everything that was deemed a cultural norm. What it essentially led to was to find oppressors and oppressed, and we reached the point where e.g. the patriarchy oppressed women, white people minorities, christians muslims and other religions and so forth. You get the idea. Before you go again rallying about how I target jews or something, please take note that up to this point in this comment, I have just described what cultural marxism is and have not evaluated or criticized it in any way, because this here is the wrong platform for that.

                                                          What you should keep in mind is that the nature of cultural marxism is to never be in a stable position. There will always be the hunt for the next oppressor and oppressed, which in the long run will destroy this entire movement from the inside. It was friendly advice from my side to you not to indulge in this separatory logic, but of course I understand your reasoning to the fullest.

                                                          Just as a side note: I did not see you getting ‘seriously’ downvoted. What do you mean?

                                                          1. 10

                                                            Generally people who use “cultural marxism” as a pejorative are sloganeering. The idea of an “eternal struggle” is completely foreign to any kind of marxism, which is based on a theory that classes come out of the historical process and disappear due to the historical process. Marxism claims that the proletariat and bourgeoisie are temporary divisions that arise from a certain type of economic organization. Whatever one thinks of that idea, your characterization of Marxism is like describing baseball as a game involving pucks and ice. Your summary of “cultural marxism” is even worse. Maybe take a class or read a decent book.

                                                            1. 11

                                                              Did you actually read any of the links I posted? Specifically the New Republic and SPLC links? I don’t know how else to say this and you pretty much side-stepped what I said the first time, so I’ll try to reiterate it: There is no such thing as “Cultural Marxism”. At all. It’s not a descriptive category that any marxist actually self-applies or applies to other marxists. I’m fully aware of the Frankfurt School, Adorno, Horkheimer, etc. I’ve read some of them and many, many of their contemporaries from Germany, people like Karl Mannheim. I read marxist publications every day, from here in the states and from Europe. I’m a member of an explicitly marxist political party here in the states. I can’t emphasize this enough, “cultural marxism” isn’t real and is roughly on par with “FEMA camps”, “HAARP rays” and shape-shifting lizard jews, meaning: it’s a far, far right-wing paranoid fantasy used to wall off people from other people and an actual understanding of the material conditions of their world. I also didn’t say, specifically in fact pointing out that I wasn’t saying this, that you were “targeting jews”. That being said, if you use a phrase that has its origins in anti-semitic polemics, and is used explicitly and overwhelmingly by anti-semites, then that is on you. (Did you take a look at the linked image search? Does that sort of thing not give you pause?) To say that you “just described what cultural marxism is” is also inaccurate; you absolutely used it in a descriptive way:

                                                              I get your point, but must honestly say that your argument sadly aligns with the ever-excluding and self-segregating destructful nature of cultural marxism.

                                                              White supremacist organizing is experiencing an enormous upsurge, not only here in the states but in Europe as well. From Le Pen to AfD to SVO in Austria and on and on. These people are not interested in polite conversation and they’re not using “cultural marxism” as a category to illuminate political opponents; it’s meant to denigrate and isolate, ironically, given that’s exactly what Neo-Nazis and white supremacists here in the states accuse left-wingers and “SJWs” of doing.

                                                              I appreciate that you’re discussing this peacefully, but I’m going to bow out of this thread unless you’re interested enough to take some time and read the links.

                                                              FWIW these also dismantle the trope and point out pretty much exactly what I’m saying around anti-semitism: https://www.vice.com/en_us/article/78mnny/unwrapping-the-conspiracy-theory-that-drives-the-alt-right https://www.theguardian.com/commentisfree/2016/feb/22/chris-uhlmann-should-mind-his-language-on-cultural-marxism

                                                              1. 4

                                                                I took some more time to read up on it and from what I could see, I found that indeed cultural marxism has become more of a political slogan rather than a normal theoretical term in the USA.

                                                                Here in Germany the term “Kulturmarxismus” is much less politically charged from what I can see, and thus I was surprised to get this response after I had just “translated” this term into English. It might be a lesson to first get some background on how a term might be perceived internationally; however, it is a gigantic task to do that for every term that might come around to you.

                                                                So to reiterate my question, what term could be better used instead? :)

                                                                1. 2

                                                                  interesting that it has a different grounding/connotation in Germany, but then again I’m not surprised since that’s where it’s supposed to have originated from. I’ll reread your other posts and come up with a response that’s fair. Thanks for taking the time to read those links.

                                                              2. 2

                                                                It’s uncommon to find such a well-put explanation; thanks for that.

                                                                There will always be the hunt for the next oppressor and oppressed, which in the long run will destroy this entire movement from the inside.

                                                                If the movement runs out of good targets (and falls apart because they can’t agree on new ones), wouldn’t that imply that it will self-destruct only after it succeeds in its goals? That doesn’t sound like a bad thing.

                                                                1. 2

                                                                  I’m glad you liked my explanation. :)

                                                                  That is a very interesting idea, thanks for bringing this thought up! It’s a matter dependent on many different factors, I suppose. It might fall apart due to not being able to agree on new targets or when everybody has become a target, but it is a very theoretical question which one of these outcomes applies here.

                                                            2. 6

                                                              It’s not my fault that some idiots don’t understand this term or its critical analysis. Cultural marxism, as the term implies, is the classical theory of marxism applied to culture. It has nothing to do with jews directly, it’s just an idea. If you know any better term to describe it, please let me know.

                                                              Anyway, in the philosophical realms it’s known as ‘Critical Theory’, which originated in the Frankfurt School. However, nobody knows this term.

                                                              Unless a better term is found, I disregard your argument and won’t accept your attempt to limit language of perfectly acceptable words to describe an idea. At the end of the day, terminology must be found that adequately describes what a certain idea is, and I see no reason why this should be wrong.

                                                              Regarding the torch hike: Yes, marching with torches was abused by the NSDAP as a means of political rallying. However, at least in Germany, it is a much older and deeper-reaching tradition that dates back hundreds of years.

                                                              1. 2

                                                                You have amply demonstrated that you don’t know anything about the topic. You could start with the decent Wikipedia article. https://en.wikipedia.org/wiki/Frankfurt_School

                                                      2. 15

                                                        It’s very simple. Any non-technological matters during software development move the software away from its ideal form. Thus, to make your software suck less, you only take the best developers no matter what race, gender, heritage, etc. these persons have.

                                                        We do not believe in equal status (i.e. e.g. forcibly obtaining a 50/50 gender ratio), as this immediately leads to discrimination. We do however strongly believe in equal rights, naturally. You also naturally cannot have both.

                                                        1. 115

                                                          Any non-technological matters during software development move the software away from its ideal form.

                                                          Suckless makes a window manager: a part of a computer that human beings, with all their rich and varying abilities and perspectives, interact with constantly. Your choices of defaults and customization options have direct impact on those humans.

                                                          For example, color schemes determine whether color-blind people are able to quickly scan active vs inactive options and understand information hierarchy. Font sizes and contrast ratios can make the interface readable, difficult, or completely unusable for visually impaired people. The sizes of click targets, double-click timeouts, and drag thresholds impact usability for those with motor difficulties. Default choices of interface, configuration, and documentation language embed the project in a particular English-speaking context, and the extent to which your team supports internationalization can limit, or expand, your user base.

                                                          With limited time and resources, you will have to make tradeoffs in your code, documentation, and community about which people your software is supportive and hostile towards. These are inherently political decisions which cannot be avoided. This is not to say that your particular choices are wrong. It’s just you are already engaged in “non-technical”, political work, because you, like everyone else here, are making a tool for human beings. The choice to minimize the thought you put into those decisions does not erase the decisions themselves.

                                                          At the community development level, your intentional and forced choices around language, schedule, pronouns, and even technical terminology can make contributors from varying backgrounds feel welcome or unwelcome, or render the community inaccessible entirely. These too are political choices. Your post above is one of them.

                                                          There is, unfortunately, no such thing as a truly neutral stance on inclusion. Consider: you wish to take only the best developers, and yet your post has already discouraged good engineers from working on your project. Doubtless it has encouraged other engineers (who may be quite skilled!) with a similar political view to your own; those who believe, for instance, that current minority representation in tech is justified, representing the best engineers available, and that efforts to change those ratios are inherently discriminatory and unjust.

                                                          Policies have impact. Consider yours.

                                                          1. 9

                                                            I don’t know if that was your goal, but this is one of the best arguments for positive discrimination I’ve read. Thanks for posting it, and also thanks for noting that all decisions have some inherent politics whether we like it or not.

                                                            Unfortunately there is simply no solution: positive discrimination is opposed to meritocracy. Forced ratios are definitely an unethical tool, as they are a form of discrimination. However, this unethical tool brings us to a greater good, which is a final product that incorporates diversity on its design and accommodates more users, which is a desirable goal on itself, for the reasons you explained.

                                                            1. 1

                                                              Unfortunately there is simply no solution: positive discrimination is opposed to meritocracy.

                                                              This is not necessarily the case. One’s skills are strongly a result of the opportunities available to them, and meritocracy as it is commonly interpreted (“whoever has the best skills right now”) is basically just a proxy metric for who had the most privilege growing up. This is an obviously unreasonable metric if your goal is good software.

                                                              There’s a different interpretation of “meritocracy”, however; that is, you ensure that the same opportunities are available to everyone, and then look at who comes out most competent. This interpretation of meritocracy requires positive discrimination, as it means active outreach to underprivileged demographics and giving them the same opportunity to learn and grow that privileged demographics got automatically.

                                                              Another way to look at that, is that you are massively increasing the pool of people who have the opportunity to manifest their competence, by lifting up those who are societally disadvantaged. Even just from a “building good software” perspective, ignoring the ethical side, this is a great approach.

                                                            2. 4

                                                              color schemes determine whether color-blind people are able to quickly scan active vs inactive options and understand information hierarchy. Font sizes and contrast ratios can make the interface readable, difficult, or completely unusable for visually impaired people. The sizes of click targets, double-click timeouts, and drag thresholds

                                                              Let me see if I understand what you’re saying. Are you claiming that when color schemes, font sizes and drag thresholds are chosen that that is a political decision? I think that many people would find that quite a remarkable claim.

                                                              1. 7

                                                                It’s impossible to not be political. You can be “the status quo is great and I don’t want to discuss it”, but that’s political. The open source “movement” started off political - with a strong point of view on how software economics should be changed. In particular, if you say a CoC that bans people from being abusive is unacceptable, you are making a political statement and a moral statement.

                                                                1. 3

                                                                  It’s impossible to not be political

                                                                  Could I ask you to clarify in what sense you are using the word “political”?

                                                                  Merriam-Webster (for example) suggests several different meanings that capture ranges of activity of quite different sizes. For example, I’m sure it’s possible to act in a way which does not impinge upon “the art or science of government” but perhaps every (public) action impinges upon “the total complex of relations between people living in society”.

                                                                  In what sense did you use that term?

                                                                  1. 8

                                                                    Let’s start off with a note about honesty. FRIGN begins by telling us “We do not believe in equal status (i.e. e.g. forcibly obtaining a 50/50 gender ratio)” as if someone was proposing the use of force to produce a 50/50 gender ratio, and we all know that wasn’t proposed by anyone. There’s no way to discuss this properly if people are going to raise false issues like that. What comments like FRIGN’s indicate is an unwillingness to have an open and honest conversation. The same bogus rhetoric is at the heart of Damore’s memo: he claims to be in favor of equal rights and just against a mythical demand for 50/50 gender equality so that he can oppose obviously ineffective affirmative action programs at Google, where 80% of technical staff are male (Damore’s misappropriation of science is similarly based on an objection to a position that nobody ever argued).

                                                                    The next point is that some people are objecting that a CoC and a minority outreach program are “political”. That’s true, but it involves the use of the more general meaning of “political” which the Collins dictionary provides as “the complex or aggregate of relationships of people in society, esp those relationships involving authority or power”. If we are using that definition, of course a CoC and a minority outreach program are political, but opposition to a CoC and a minority outreach program fits the definition as well. If you have an opinion one way or another, your opinion is political. You can’t sensibly use this wide definition of political to label the effort to adopt a CoC and to recruit more minorities and then turn around and claim your opposition to those is somehow not political. So that’s what I mean by “it is impossible to not be political”. The question is a political question and those who try to claim the high ground of being objective, disinterested, non-political for their side of the question are not being straightforward (perhaps it’s just that they are not being straightforward with themselves).

                                                                    1. 3

                                                                      I agree that a CoC, a minority outreach program, and opposition to a CoC all impinge upon “the complex or aggregate of relationships of people in society, esp those relationships involving authority or power”.

                                                                      Would you also agree that there is a popular ideological political movement in favour of CoCs (some combination of the feminist, civil rights and social justice movements)? Perhaps there is also a popular ideological movement against CoCs (some combination of MRAs and the alt right). Are you also claiming that if one claims a “neutral” stance on CoCs one is de facto supporting one of these ideologies?

                                                                      1. 5

                                                                        I’m not sure it is possible to have a neutral stance. In fact, I doubt it.

                                                                        1. 1

                                                                          Interesting! Do you also doubt it is possible to take any action that is neutral with regard to a political ideology?

                                                                          1. 4

                                                                            You are introducing something different. I don’t think you have to line up with one “side” or another, but you can’t avoid being a participant.

                                                                            1. 1

                                                                              You said “It’s impossible to not be political” so I’m trying to understand what you mean by that. So far I’m not clear whether you think every action is political. I’d appreciate it if you’d clarify your position.

                                                                              1. 5

                                                                                I’m making a very concrete assertion, which I sense does not fit into your schema. My assertion is that there is no neutrality on workplace equality and inclusion for anyone involved in the workplace. Anyone who, for example, participates in an open source development effort has a position on whether efforts should be made to make it more inclusive even if that position is “this is not important enough for me to express an opinion.”

                                                                                1. 1

                                                                                  Thank you for clarifying. When you originally said “It’s impossible to not be political” I got the wrong impression.

                                                                                  Do you also hold the same point of view when it comes to roughly comparable statements in other spheres? For example ‘Anyone who eats has a position on vegetarianism even if that position is “this is not important enough for me to express an opinion.”’?

                                                              2. 1

                                                                You’ve been quoted by LWN: https://lwn.net/Articles/753709/

                                                              3. 11

                                                                AKA shut up and hack? :)

                                                                1. 2

                                                                  The suckless development process has no non-technical discussions?

                                                                  How are the best developers identified?

                                                                  1. 8

                                                                    just curious, why would you need to identify the best developers? Wouldn’t the quality of their code speak for that?

                                                                    1. 5

                                                                      I also fail to see what the reasoning is. Just send your code, get the non technical discussions out.

                                                                      1. 1

                                                                        Apparently, quoting @FRIGN from above, “to make your software suck less.”

                                                                      2. 9

                                                                        How are the best developers identified?

I think this is a totally reasonable question, and one I’d like to see the answer to–if for no other reason than it might help those of us on other projects find more objective metrics to help track progress with.

                                                                        Do you all at suckless use something like:

                                                                        • defect rate
                                                                        • lines of code/feature shipped
                                                                        • execution time
                                                                        • space in memory, space in storage

                                                                        Like, what metrics do you use?

                                                                        1. 8

                                                                          You know, suckless is not a big company and the metrics that can be applied are more of a heuristic. A good developer is somebody who e.g. supplies a patch with a bug report, provides feedback to commits, makes contributions to the projects, thinks his commits through and doesn’t break stuff too often and does not personally identify with their code (i.e. is not butthurt when it’s not merged).

                                                                          What needs to be stressed here is that the metric “lines of code” is completely off. There are horrible programmers who spit out lots of code and excellent ones who over time drop more lines than they add. Especially the latter group is very present among us and thus the LOC-metric will only give false results. Same with execution time, you find that when not enough time is spent on a problem you end up solving it wrong, in the worst case having to start all over.

                                                                  2. 19

                                                                    I’m not going to remove this because you’re making a public statement for suckless, but please don’t characterize positions you disagree with as madness. That kind of hyperbole generally just leads to unproductive fights.

                                                                    1. 9

                                                                      Please don’t remove anything unless it’s particularly vulgar…

                                                                      1. 0

                                                                        Removing differing viewpoints? It is precisely this kind of behavior that maddens people who complain about SJW, who (the SJW) seem unable to take any discussion beyond calling their opponent’s position “evil”, “alt-right”, “neo-nazi”, or, if they are exceptionally well-spoken, “mad”.

                                                                        1. 16

                                                                          No, removing abuse and hyperbole that acts as flamebait regardless of the political opinions expressed. So far I’ve removed one post and hope not to remove more.

                                                                          1. 3

                                                                            It’s hard for me to see a reason to remove things when we have the voting system in place, neither are perfect but one is at your sole discretion whereas the other is the aggregate opinion of the users.

                                                                            1. 23

                                                                              Voting isn’t a replacement of moderation. It helps highlight and reward good comments and it can punish bad comments, but it’s not sufficient for running a community. I’m trying to head off places where people give up on argument and just try to hurt or tar the people they disagree with because it doesn’t lead to a good community. Lobsters is a very good place for discussing computing and I haven’t seen that in communities this size with hands-off moderation (but I’d love counter-examples to learn from!) From a quick query, we’ve had comments from 727 unique users in the last 30 days and there’s around 15k unique IPs in the logs per weekday, so people are constantly interacting with the others who don’t know their background, don’t share history, can’t recognize in-jokes, simply don’t have reason to trust when messages are ambiguous, let alone provocative. Friendly teasing like “ah yeah, you would think that” or “lol php sucks” that’s rewarding bonding in a small, familiar group hurts in a big one because even if the recipient gets the joke and laughs along or brushes it off as harmless, it’s read by thousands of people who don’t or can’t.

                                                                              1. 3

                                                                                Lobsters is a very good place for discussing computing and I haven’t seen that in communities this size with hands-off moderation

I support your position on this sub-topic but even my Trial you linked to shows a bit otherwise on just this point. This site has more flexible, hands-off moderation than many I’ve seen with this much political dispute. Even in that link, we saw an amount of honesty, civility, and compromise I don’t usually see. There’s been quite a bit better results in this thread than usual elsewhere. There seems to be enough community closeness despite our size that people are recognizing each other’s positions a bit. Instead of comments, you can actually see it by what’s not said more since it’s prior ground we’ve covered. The others are learning as discussion furthers. Then, there’s the stuff we don’t want which seems to be basically what those individuals are intending in a way that has nothing to do with the site’s size.

                                                                                So, I support you getting rid of just pure abuse, trolling, sockpuppeting, etc. I don’t think we’ve hit the full weaknesses and limited vision of large sites yet despite our increase in comments and views. We’re still doing a lot better than average. We’re still doing it with minimal intervention on things like politics relative to what I’ve seen elsewhere. I think we can keep at current moderation strategy for now because of that. For now.

                                                                                Just wanted to say that in the middle of all this.

                                                                                1. 0

                                                                                  Voting isn’t a replacement of moderation. It helps highlight and reward good comments and it can punish bad comments, but it’s not sufficient for running a community.

                                                                                  I’m not sure if I see why it’s not a good replacement. To me, I see voting as distributed moderation and the “real” moderation is automatically hiding (not removing) comments when they fall below a threshold.

                                                                                  I’m trying to head off places where people give up on argument and just try to hurt or tar the people they disagree with because it doesn’t lead to a good community.

                                                                                  I think this method relies on an accurate crystal ball where you can foresee people’s actions and to an extent, the reactions of the people reading the comments.

                                                                                  I’d have to question what you mean by “a good community”, it seems like it’s just a place where everyone agrees with what you agree with and those that disagree aren’t heard because it risks offending those that do agree.

                                                                                  I think the best discussions on here are because we have many people with wide and varied opinions and backgrounds. The good comes from understanding what someone else is saying, not excluding them from the discussion. The only places I see that warranted is where someone has said something purposely and undeniably vile.

                                                                                  1. 11

                                                                                    The automatic hiding of low-scoring comments is also a “sole discretion” thing; jcs added it and I tweaked it a few months ago. The codebase enforces a lot of one moderator’s ideas of what’s good for a community in a hands-off way and the desire to do that motivated its creation.

I strongly agree that a community where everyone agrees with the moderator would be a bad one, even if I am that moderator. It’s tremendously rewarding to understand why other people see things differently, if for no other reason than the selfish reason that one can’t learn or correct mistakes if one never sees things one doesn’t already agree with.

I think the crystal ball for foreseeing problems is experience, from many years of reading and participating in communities as they thrive or fail. I think it’s possible to recognize and intervene earlier than the really vile stuff because I’ve seen it work and I’ve seen its absence fail. I keep asking for examples of excellent large communities without active moderators because I haven’t seen those, and after a couple decades and a few hundred communities I see the anthropic principle at work: they don’t exist because they self-destruct, sink into constant vileness, or add moderation. At best they maintain signal-to-noise ratios far below that of Lobsters where the thoughtful commentary is crowded out by trolling, running jokes, ignorance, and plain low-quality comments because it doesn’t seem worth anyone’s while to care when posting.

                                                                                    But moderation is not a panacea in and of itself. Without good experience, judgment, and temper a bad moderator swiftly destroys a community, and this is a very common way communities fail. If it helps any, the author of the comment I removed agrees that it wasn’t done to suppress their opinion.

                                                                                    1. 1

The benefit I see from moderation being part of the codebase is that it’s public, predictable and repeatable (in terms of reliability). When you take moderation decisions into your own discretion many of these virtues are lost.

                                                                                      As for experience, I think that’s tricky because it can easily lead you to making the same mistake twice. It’s also made of your personal experiences and you’re using that to curate the discussion of other people, I would caution that it’s another method of controlling dialog (perhaps subconsciously) to what you find acceptable, not necessarily what’s best for everyone.

                                                                                      1. 3

The benefit I see from moderation being part of the codebase is that it’s public, predictable and repeatable (in terms of reliability). When you take moderation decisions into your own discretion many of these virtues are lost.

Most of them go into the Moderation Log. I’ve been watching it since the jcs days since it’s what folks are supposed to do in a transparent, accountable system. Gotta put effort in. I haven’t seen much of anything that bothered me. The bans and deletes I’ve been able to follow @pushcx doing were trolling, alleged sockpuppeting, and vicious flamewaring. Some I couldn’t see where I’d rather the resource go off the front page rather than getting deleted so someone looking at logs could see it for whatever it was. Nonetheless, his actions in the thread about me, the general admining, and what I’ve seen in moderation have been mostly good. A few really good like highlighting the best examples of good character on the site. I think he’s the only one I’ve seen do that on a forum in a while.

                                                                                        You have little to worry about with him in my opinion at the moment. Do keep an eye on the comments and log if you’re concerned. Scrape them into version storage if concerned about deletions. What goes on here is pretty public. Relax or worry as much as you want. I’m more relaxed than worried. :)

                                                                                        1. 3

                                                                                          Yeah, I agree on the pitfalls of experience. As SeanTAllen noted in a separate branch of this thread a minute ago, there’s “but you didn’t say” and other wiggle room; I think that’s where automatic moderation falls down and human judgment is required. Voting has its own downsides like fads, groupthink, using them to disagree (which is all over this thread), in-jokes, a drifting definition of topicality, all the parallels to the behaviors of political rhetoric, etc. Lobsters has never been voting only and I don’t see a compelling reason to change that. jcs’s involvement in the site was steadily declining so I’m certainly more actively moderating, but I don’t see that as a change in character. I guess what it comes down to is that I agree with you about what successful communities do and don’t look like, but I haven’t seen one that works on the model you’ve outlined and I don’t see that kind of fundamental change as a risk worth taking.

                                                                              2. 2

                                                                                So FRIGN writes to oppose “SWJ madness”, and you chime in to complain that “SWJ” calls opponents “mad”. Are you calling FRIGN “SWJ” or what? It’s kind of hard to discern your point in that cloud of grievance.

                                                                                1. 2

                                                                                  “SJW” for “social justice warrior.”

                                                                                  @COCK is sarcastically non-replying because you typo’ed.

                                                                                  1. 2

                                                                                    Not exactly, I was sarcastically non-replying because I assumed he was intentionally misunderstanding me. I assumed this because I didn’t see any ambiguity in my answer. On later inspection I noticed the ambiguity so I gave an actual reply:

                                                                                    https://lobste.rs/s/nf3xgg/i_am_leaving_llvm#c_yzwuux

                                                                                    1. 2

                                                                                      The interesting thing is how people agreeing with Mr. cock pile on the insults against the people who they complain are insulting them by forcing them to sign on to codes of conduct which prohibit insults. It’s almost as if there was a good reason for those codes.

                                                                                      1. 2

                                                                                        I doubt the irony is lost on anyone supporting a CoC.

                                                                                    2. -1

                                                                                      Yes, I’m calling FRIGN a “SWJ”.

                                                                                    3. 1

The only comment that was removed was against FRIGN’s point of view. Nobody is removing differing points of view, just enforcing civil discussion.

                                                                                  2. 7

                                                                                    It’s responses like yours that really make the case for codes of conduct.

                                                                                    1. 3

                                                                                      Are you speaking for the group or is that your own opinion? Knowing that the group aligns itself with that position would certainly make me not interested in working with it or contributing.

                                                                                      1. 8

                                                                                        To be fair, suckless is not well-organised enough to be a group that can have a single opinion to be spoken for.

That said, FRIGN is a prominent contributor and from what I’ve seen most contributors are heavily on the side of “the code will speak for itself”.

                                                                                    1. 15

                                                                                      While suckless as a way to build software is definitely interesting (and a lot of the benefits of suckless come from disregarding edge cases, internationalization and accessibility), I’d argue that suckless as a project is something one should handle really carefully.

                                                                                      They’re doing literal torch hikes through southern Germany at their conferences, fighting online against “cultural marxism”, and their mail server has the hostname “Wolfsschanze” (see: https://twitter.com/pid_eins/status/1113738766471057408)

                                                                                      I recommend reading this thread (with a suckless.org developer with enabled hat speaking officially) and looking at this photo from one of their conferences.

                                                                                      1. 20

                                                                                        The topic pops up here and there, and one should always consider that Lennart Poettering used this bait to easily escape from a discussion about his software that I personally think should take place. Suckless is not directly a coherent group and more of a group of like-minded individuals, so I’m careful to speak “for” the project even though I’m first chair of the legal entity suckless.org e.V..

                                                                                        What I can say is that we are probably one of the very very few software projects left that do not politicize. We have members from all political spectrums, but make it work, because we only discuss software and nothing else. Those disagreeing with us or unaccustomed to non-political software projects try to put us into a corner, but it makes no sense when it is used to disregard the suckless philosophy itself, which is non-political.

                                                                                        Torch hikes are nothing unusual in Germany and there was no political intent behind it. Though I do understand now that it might send a different message worldwide, I expect more cultural sensibility from every observer before “calling us out” for allegedly re-enacting nazism or celebrating a Charlottesville march, which is a ridiculous assessment.

                                                                                        1. 23

                                                                                          One should always consider that Lennart Poettering used this bait to easily escape from a discussion about his software that I personally think should take place.

Perhaps, but I don’t think calling out getting emails from a wolfsschanze host is that unreasonable to be honest; as I mentioned in my other post I’m not going to attach far-fetched conclusions to it but I do find it in pretty bad taste. At any rate, to ask it plainly, what’s the deal with that?

                                                                                          1. 3

There is no such thing as “non-political”, because we live in a society with power imbalances. Therefore not taking an explicit political stance translates to implicitly supporting the status quo, whatever that status quo is in a given society at a given time. You’ll find that people in underrepresented demographics will largely avoid your project as a result, regardless of the political views among members of your project.

                                                                                            If supporting the status quo is what you intend to do, then that is one thing. But please stop presenting it as “non-political”, because that is simply not the reality of it. It only looks non-political if you yourself are in a position where the status quo benefits you. Which I am also - so this is not a personal accusation, to be clear. But it is something you need to be aware of.

                                                                                            1. 19

                                                                                              not taking an explicit political stance, translates to implicitly supporting the status quo

                                                                                              No no no, I cannot agree with that. Let’s take an example. I’m working on a crypto library, that on many aspects is very close to the Suckless ideals: it’s in C, it’s small, it’s easy to integrate into other projects… One of the motivations for it was to fight unnecessary complexity. A fairly political goal if you ask me: if software becomes as simple as I think it can (and should) be, the changes could be felt throughout the global economy itself.

                                                                                              My project also has an implicit endorsement of the status quo: it is written in English, and I have no intention to translate the documentation, or even the web site to other languages. Not even French, my native language. Sorry, you need to learn English to use my project. That’s kind of an implicit endorsement of US hegemony. Not that I’m very happy about that, but not fighting that fight does make me reinforce the ubiquity of the English language.

                                                                                              But there’s no way my project can have a stance on everything. Its stance on many many subjects is really neutral. It does not fight nor reinforce the status quo. Veganism? Patriarchy? White supremacy? I hardly have a community to speak of, there’s just not enough people to warrant something like a code of conduct. That does not mean my project implicitly rejects vegan transgender black women. In fact, I do hope they’ll feel as welcome as anyone else. And right now, I believe being nice to whoever contacts me is enough.

                                                                                              1. 8

                                                                                                I couldn’t have put it better, thanks for sharing your thoughts. I always like to consider the example of Chemistry: In the 19th and 20th century, German scientists were leading in chemistry and most papers were published in German. Chemistry students were more or less forced to learn German to understand these papers, and German became the lingua franca of Chemistry, which has changed to English though.

                                                                                                In computer science, English is the lingua franca. I don’t think it’s exclusionary to only offer software documentation and code comments in English.

                                                                                              2. 8

That is a good point and I understand what you mean with that. For our conferences, we actually offer those who are unable to attend due to financial reasons to pay their travel expenses and accommodation for them, which was greatly appreciated especially by younger programmers who often don’t have the means to fund such a travel.

Apart from income differences, which might be a deciding factor in being unable to attend a conference and meet like-minded people, I see no other factors that might hinder someone from joining us. You basically only need an internet connection and a computer. The computer doesn’t even need to be that fast, unlike if you, for instance, intended to work with deep learning software.

                                                                                                And if you still criticize the conferences for being exclusionary in some way: Most communication takes place on a mailing list and IRC, many people use pseudonyms. Factors like race, country of residence, gender are thus irrelevant and even non-determinable, if you choose to, and the development on mailing lists and IRC is the main way development happens and there’s no need to do anything else to partake or make submissions.

                                                                                                So, again, I know what you mean, but suckless is not an example for a project supported by the status quo. Most people disregard suckless as too extreme in terms of software philosophy and conclude that we would also be extreme in other areas of life, but suckless, for me, is software zen, and everyone is welcome to adopt this philosophy.

                                                                                                1. 5

                                                                                                  Factors like race, country of residence, gender are thus irrelevant and even non-determinable, if you choose to, and the development on mailing lists and IRC is the main way development happens and there’s no need to do anything else to partake or make submissions.

                                                                                                  This is a common point of view among those in privileged demographics. However, it is also a misunderstanding of how underrepresented people in demographics actually choose where to hang around and contribute, and why.

                                                                                                  Imagine for a moment that you are someone in a demographic who’s frequently a target of harassment. The exact demographic doesn’t matter much - maybe you’re black, or you’re a woman, or you’re transsexual, or whatever else. But for the sake of the example, imagine that you are a woman.

                                                                                                  Now, there are two different communities for you to choose from:

1. A community that says “we don’t police members’ politics, this is purely a tech project”.
                                                                                                  2. A community that says “we actively welcome women”.

                                                                                                  Where are you going to feel safer? In the second community - because there, it’s clear that if someone finds out you’re a woman, them harassing you over it isn’t going to be tolerated and the harasser is going to be thrown out.

                                                                                                  In the first community, you just kind of have to stay quiet about your identity, have everyone assume that you’re a guy, and hope that no-one finds out the truth. If they do - maybe there’s some persistent stalker following you around and posting about you in every community you join - you can basically predict ahead of time that harassment and other discriminatory behaviour is not going to be acted upon, because “people’s own politics are not policed”.

                                                                                                  In a way, there are parallels here to how gay people are “tolerated” in many countries. It’s “fine so long as you don’t bother me with it”, which effectively means that you cannot speak about it publicly or have a public relationship with someone of the same sex, because then the cover falls away and you are no longer “okay”, because your identity can no longer be ignored. Harassment (and often violence) promptly follows.

                                                                                                  “Don’t ask, don’t tell” policies like this don’t make for healthy, diverse environments. They make for environments in which the status quo is preserved, and where the only way to be vaguely safe as a minority is to never tell anyone that you don’t fit into that status quo. This is not inclusive, and it absolutely does support the status quo. Those who fall outside of it will silently move on to healthier communities.

                                                                                                  I would like it if “who you are doesn’t matter, it’s about the project” were the reality, I really would. But that just isn’t how things work by default in a society with power imbalances, and the only way to get there is by actively enforcing it - and that means taking a political stance, one that disavows discriminatory behaviour and harassment.

                                                                                                  1. 12

                                                                                                    Now, there are two different communities for you to choose from:

                                                                                                    1. A community that says “we don’t police members’ politics, this is purely a tech project”.
                                                                                                    2. A community that says “we actively welcome women”. Where are you going to feel safer?

                                                                                                    I don’t know how the suckless community is, but I am convinced that, if I had a dime for every company, group or project that claimed to “actively welcome women” or “promote equal opportunity for everyone” or “have a zero tolerance” towards discrimination, sexual harassment or any other one of the multitude of abhorrent behaviours that plague our industry – and then turned out to be cesspools of prejudice and discrimination, I would be so outrageously rich that even thinking about it is embarrassing.

                                                                                                    (FWIW, in addition to witnessing it enough times that it’s part of why I seriously contemplated switching careers at one point, I have some first-hand experience with some of that: my most useful skill, career-wise, has been an impeccable accent. Slightly Irish-sounding (which lots of folks in the US seem to fetishize for some reason), which I developed purely by accident (I’m from nowhere near Ireland, I’ve never been there, and I am not a native English speaker) and is extremely embarrassing every time I’m talking to someone who has a real Irish accent. I certainly had it easier than my black or Hispanic colleagues – most Western managers of various importance in the corporate hierarchy could immediately identify them as worthy of contempt, whereas in my case it could take weeks before they realized I’m not a white expat, just some Eastern European programmer.

                                                                                                    Edit: in case anyone’s wondering – the reason why I can be so light-hearted about it is that, for better or for worse, this experience has been largely confined to the workplace, after-work drinks, conferences and the like. I got to live with it for like 40 hours a week at most, and never really got a taste of it before well into adulthood. I always had alternatives and always had refuge – I could always put up with it on my own terms, which most people can’t)

                                                                                                    Coming from a culture whose closet is not devoid of skeletons in this department, either, I certainly agree that the mere act of not discussing race, or gender, or ethnicity is in itself a privilege that not everyone has. And that it’s up to every one of us to actively fight discrimination, and to make the world safer and more inclusive for those whose voices are silenced by intolerance. But I don’t think it’s reasonable to ask people to integrate that in every single thing they do. Even activists don’t fight the good fight 24/7, I don’t think it’s unreasonable that some people choose to do it only to a limited extent, or in a possibly misguided way, as part of their hobby project.

                                                                                                    1. 9

                                                                                                      I might’ve been a bit unclear. A don’t-ask-don’t-tell approach can be taken by members, if they prefer (many communities don’t provide that luxury and e.g. require clear-name-contributions), but doesn’t have to be. We just don’t care about genders or other aspects other than your coding skills. I see that you have a different opinion on this, which is cool, but the suckless philosophy does not extend beyond software aspects and I personally (not speaking for the group) don’t see a reason to extend that.

                                                                                                      1. 5
                                                                                                        1. A community that says “we don’t police members’ politics, this is purely a tech project”.
                                                                                                        2. A community that says “we actively welcome women”.

                                                                                                        The two may not be mutually exclusive. Although there’s certainly a huge overlap, there’s a difference between advocating the revocation of women’s right to vote, and actually harassing women in a particular group, be it an open source project or a chess club.

                                                                                                        A president of a chess club, or a maintainer of an open source project, can hardly be expected to be aware of the political views of the members, no matter how extreme. He could pry, but that would be uncomfortable for many people, and ultimately exclusionary. We could do it anyway, and define the range of acceptable political opinions, and exclude the outliers. We could exclude traditionalists, or we could exclude gay marriage supporters. We could exclude white supremacists, or we could exclude Black Panther sympathisers.

                                                                                                        In my opinion this would be neither ideal nor possible. As long as people stay courteous and focus on working towards whatever common goal the group has, we could actually have, say, gay and homophobic people working together. So we probably want to define a range of acceptable behaviours instead. For instance, revealing your sexual preferences is generally acceptable (unless maybe you’re too loud about this), and revealing your contempt for people who don’t share that preference is generally not.

                                                                                                        That’s what codes of conduct ultimately do: they don’t talk about the politics one might have outside of the group, they define a range of acceptable behaviours within the group. Yes, that range will tend to filter out people with some particular political opinions. Few white supremacists will follow a black maintainer. But I would think real hard before I make that filter explicit.

                                                                                                        I’ve seen it done, and it’s not pretty. I’ve heard of someone being disinvited from some conference because of their political beliefs, even though they (allegedly) never let them seep through or ever behaved inappropriately. I have also heard of someone being fired over their sexual practices (at the behest of SJW, ironically). And at the same time, some people who seem to engage in genuinely harmful behaviour (such as straight up sexual harassment) are not excluded. My suspicion? Enforcement goes after the easy targets, instead of going after the important ones.

                                                                                                        1. -5

                                                                                                          we could actually have, say, gay and homophobic people working together.

                                                                                                          Honestly, this free speech absolutism is whack and that’s why I’m out.

                                                                                                          You don’t know what the fuck you’re allowing. I do - you’re allowing someone who literally spreads hate to walk into work, meekly get some shit done, then go home to post on the internet how trans people are all pedophiles and should be killed.

                                                                                                          Fact is, you can’t divorce your life from politics because where many of us stand, all minorities, live under the continuous threat that we’ll be murdered, denied service, beaten and reviled all because some free speech absolutist like you envisions a future where racists and their victims can work side by side.

                                                                                                          My community just had their 12th death. Death because people like you continually give deference to allow our killers to bask in their hate speech until one of them spots us and brutally kills us.

                                                                                                          You enable this. I’m so happy (not) to be the sacrificial lamb for your perverse ideology.

                                                                                                          1. 2

                                                                                                            we could actually have, say, gay and homophobic people working together.

                                                                                                            Honestly, this free speech absolutism is whack and that’s why I’m out.

                                                                                                            Who said anything about free speech? I never said hate speech should be allowed. Actually, I do believe free speech should have limits (though I’m not sure exactly what those should be), and people who cross those limits should be punished.

                                                                                                            The question is who should punish them, and how. Forums can (and most probably should) ban hate speech however they can. Police and Judges could intervene whenever appropriate. The worst offenders could be sent to jail.

                                                                                                            Wholesale ostracism though? Exclusion from all groups, not just wherever they spread their filth? That’s a death sentence: no job, no home, no shelter. Are you prepared to follow through all the way? (Not a rhetorical question: sometimes, killing your enemy is the right thing to do. But this question is so fraught with self serving cognitive biases that one must be very careful about it.)

                                                                                                            Then there are false positives. The guy who was fired over his sexuality? He practised BDSM. One way of putting it is that he liked to whip bound women. When he was outed, there was an SJW outcry about him being some twisted archetype of patriarchy that should be removed from any public position.

                                                                                                            I don’t know the guy, I haven’t investigated, so I cannot presume. I’m not even certain this story is even true. But I guess this may have been a huge misunderstanding. See, done properly, BDSM is very careful about safe words, physical and psychological safety… everyone is supposed to enjoy this, including (perhaps even primarily) the bound and gagged “victim”. Being a good dom typically requires empathy and respect for their sub. Pretty far from the simplistic image of the misogynistic man taking pleasure from the suffering of women.


                                                                                                            Going back to gays and homophobic working together, that probably requires that they are mutually unaware of their position. It’s when they do become aware of their position that we have a problem, and the group may have to make a choice. My first step would be something like “you don’t like them being gay? deal with it or get the fuck out”. If it’s just gay people being uncomfortable, we may need to know why. If it’s because the other dude displayed a homophobic attitude within the group, that’s pretty obvious grounds for exclusion. If it’s because gay people learned of his views outside the group, this is more delicate, and I honestly have no right answer.

                                                                                                            The problem is made even harder because actual bullying, embarrassment, and other inappropriate behaviour within a group are often hard to see for anyone but the victim. Hence the temptation to rely on more visible, but less reliable, external signs.

                                                                                                            For instance, let’s imagine: religious people and atheists working together in the same group. One atheist has written on their blog about how religion is stupid, unfounded, and how religious people are either critically misinformed, or just plain delude themselves. Oh and by the way if there is a God, its morals are highly questionable at best. So there we go: no personal insult, but a harsh criticism and a good dose of blasphemy.

                                                                                                            Should we exclude this atheist from a chess club because some religious people in that club feel uncomfortable being next to someone who has written a blasphemous pamphlet? Should we exclude the religious people from the club because wearing a cross, a star, or a scarf makes the atheist uncomfortable? Depending on who you ask, you’ll have very different answers.

                                                                                                    2. 5

                                                                                                      On the other hand, I don’t think it’s realistic to expect every project to look in depth at difficult social problems and form some sort of consensus on how to best deal with it.

                                                                                                      You’ll find that people in underrepresented demographics will largely avoid your project as a result

                                                                                                      Why would that be the case?

                                                                                                      1. -4

                                                                                                        On the other hand, I don’t think it’s realistic to expect every project to look in depth at difficult social problems and form some sort of consensus on how to best deal with it.

                                                                                                        I think that’s entirely reasonable. This is pretty much the basis of community management in general. It doesn’t even need to be done by the core developers, but someone in the community needs to do it, if you want a healthy community.

                                                                                                        Why would that be the case?

                                                                                                        Because they know that their safety is not assured in communities that refuse to take an active stance against bigotry of various kinds. I’ve gone into more detail about this in this other subthread.

                                                                                                        1. 4

                                                                                                          Because they know that their safety is not assured in communities that refuse to take an active stance against bigotry of various kinds.

                                                                                                          But there is a difference between belief and action. If someone is actually doing something bad within the project then obviously that’s an issue. If someone just believes something you disagree with (whether you label it bigoted or not) then refusing to work with them in a non-political atmosphere just makes you seem like a bit of a dick, IMO.

                                                                                                      2. -3

                                                                                                        There’s no such thing as “non-political” software projects because any political actor can decide that the way your software project runs things is bad and should be made to change. And if you resist this, you find yourself in a political conflict, even if you didn’t want to be.

                                                                                                        1. 1

                                                                                                          Why would you care what a political actor thinks about your free software project? Do you mean an actual national politician? Why would they be concerned with a free software project?

                                                                                                          1. 2

                                                                                                            No, anyone trying to argue that a software project should change their practices for political reasons is a political actor with respect to software, not just national politicians. Tech industry activists are political actors. joepie91 in this thread is a political actor. I’m a political actor too, for trying to prevent other political actors from carrying out their will.

                                                                                                      3. -1

                                                                                                        What are you doing to keep this kind of toxic behaviour from forming inside of the suckless communities you participate in?

                                                                                                        You have not denied that these people exist in your community. How are they not a problem for you?

                                                                                                        1. 4

                                                                                                          Calling people toxic, I think, is the wrong approach. What matters is how people behave in the context of the community. I couldn’t care less about their private political/social/other endeavours as long as it doesn’t affect their actions within the community.

                                                                                                          I don’t know why there is such a push to politicize software projects, from the inside and outside. It may make something look more homogeneous on the outside, but I believe it mostly creates social stress and shifts the focus to issues that shouldn’t be a problem in the first place. But this is just my opinion, and I don’t think there’s a true or false answer to that. It heavily depends on your Weltanschauung.

                                                                                                          1. 1

                                                                                                            I’m sorry, my first approach was a bit antagonistic and too political because I tried to keep my questions short.

                                                                                                            People sometimes express their political ideologies in behavioural ways, which might cause exclusion and secularity in the communities that they take part in. I haven’t been much in contact with the suckless community, although I have used and I respect the software and the philosophy, but I have seen communities suffer this. I have no prejudice, but toxic (extreme, hateful) ideologies do lead to toxic behaviour, especially in like-minded groups where it can be cultured. This is why people feel the need to keep them from spreading to their own group.

                                                                                                            Have you noticed any exclusive or secular behaviour in the suckless communities that you take part in? If yes, what have you been doing to counter it?

                                                                                                            1. 3

                                                                                                              Have you noticed any exclusive or secular behaviour in the suckless communities that you take part in? If yes, what have you been doing to counter it?

                                                                                                              No, I’ve never seen secular behaviour like that. The conferences we organize have always been very harmonious and there was never such a push or even a culturation. Thanks though for elaborating what you meant, and I have to say that I’ve seen this problem occurring within other communities. I am and will be very careful that this won’t happen within our community.

                                                                                                      4. 21

                                                                                                        I was subscribed to the suckless mailing list for a long time (though no longer, simply out of disinterest), and never had the impression I was dealing with a group of extremists (other than a rather extreme take on software). I don’t recall any political discussion off-hand, and would certainly have unsubscribed if people started ranting about “cultural Marxism” and the like.

                                                                                                        I read the Lobsters thread you linked and there are many things I personally don’t agree with, but I also find it’s a lot more nuanced than what you’re suggesting (specifically, there was a lot of confusion about what was even intended with “Cultural Marxism”). I saw that on HN you (or someone else?) linked to an old tweet of yours that screenshotted just the initial “Cultural Marxism” mention of FRIGN, and I think that’s unfairly out of context. That’s not a defence of the contents of his posts, only a defence of treating people fairly and with kindness.

                                                                                                        I find putting the picture of the torches next to literal Nazis and the “Unite the Right” rally incredibly tasteless and offensive. Note the suckless event happened before the Charlottesville march (not that it really matters). [edit: incorrect, see follow-up]. I’ve done torch hikes – they’re actually used to celebrate the end of the Nazi occupation in my home town every year, and I participated regularly. I’ve also done them with scouts just for the fun of it. Maybe some day someone will dig up a picture of that too and put it next to a bunch of Nazis to prove a point… I’m very disappointed anyone would try to make a point like that, here or elsewhere. This part of your post in particular is really bad in many ways IMHO; it’s really not acceptable to just sling around grave insinuations like that based on a friggin’ contextless photo of what is almost certainly just a harmless social event.

                                                                                                        The mail server belongs to an individual (@FRIGN here). I agree it’s in very bad taste, offensive, and that Poettering was completely right in calling that out, but it’s hardly proof that “they’re a bunch of Nazis”. I find the jump from “edgy hostname” to “literal neo-Nazis” a bit of a leap.


                                                                                                        I doubted for a long time if I should post this reply as it has the potential to spark a long heated discussion, but I find public casual comparisons to Nazis in particular serious enough to warrant something of a rebuttal.

                                                                                                        1. 6

                                                                                                          Note the suckless event happened before the Charlottesville march (not that it really matters).

                                                                                                          I just want to comment on this one factual point: according to the suckless website, this event happened in September 2017, just a couple of weeks after Charlottesville.

                                                                                                          https://suckless.org/conferences/2017/

                                                                                                          I do think the proximity in time to the Unite the Right rally is important, especially given the insistence that they were just enacting a German cultural practice.

                                                                                                          1. 6

                                                                                                            Oops, I checked the website and I misread that date as being on “2017-01-03”, instead of “2017-09-(01-03)”. How silly 😅🤦‍♂️

                                                                                                            I’m not sure it matters all that much though; it still seems incredibly tenuous at best. This happened on the other side of the world and I’m not sure if the entire world should tip-toe around sensitive topics in the United States. Were these people even aware of Charlottesville? And to what degree? Me, personally, I mostly stopped following US news since the 2016 election as I find it emotionally draining and serving little purpose as it’s not in my power to do something about anyway.

                                                                                                            Either way, I’d sure like to see some more evidence exactly because I take it seriously: you just don’t go around insinuating such serious things about people with such slim “surely it can’t be coincidence…” type of stuff.

                                                                                                            1. 31

                                                                                                              I was at the torch hike and hadn’t even heard of the Charlottesville marches then. When I heard the accusation that we in some way celebrated it, which would make no sense in the context of a software conference, I first had to look up what they were.

                                                                                                              The thing is, Americans tend to overestimate the importance of domestic events like the Charlottesville marches and think that nothing happens in the whole world and, e.g., we Germans are just sitting at home and waiting for something to happen in the USA to witness it.

                                                                                                              The truth, and I think everyone would agree that this also makes much more sense, is that torch hikes are perfectly normal in Germany. I have an understanding for this cultural misunderstanding, and I’ve been guilty of those, as well, but it doesn’t help when one continues to spread this nonsense that this torch hike was some political event every time suckless is discussed here.

                                                                                                              To give an example for how normal torch hikes in Germany are, there is a so-called Sommertagszug in the Kurpfalz which also involves torch hikes at night. They are also offered by tourist organizations, e.g. Breitbach Klamm.

                                                                                                              1. 8

                                                                                                                What’s with the mail server host name though? Do you think that’s fine?

                                                                                                                1. 4

                                                                                                                  It bothers me that he is actively ignoring this question and by saying nothing, he is saying enough.

                                                                                                                2. 2

                                                                                                                  As an American, thanks for sharing your perspective. It makes me wonder if the Internet, and particularly social media, make it too easy to carelessly make connections between things that should remain disconnected. Maybe Facebook’s stated mission of making the world more connected (whether or not that’s their real mission) isn’t a totally good thing.

                                                                                                                  1. 5

                                                                                                                    It definitely comes at a cost. Still, as I could see from my own experience, after a few years one gets more careful with culture-relative judgements. There are still many things Americans do that I don’t quite understand or find interesting.

                                                                                                                    To give an example, I found out a few years ago that the German “mhm” (i.e. the expression to acknowledge you are listening to someone while he speaks) is often interpreted by Americans as a “huh?”. You could imagine how much confusion that caused.

                                                                                                                    Cultural differences are valuable, though, and I would not want to miss them, even if they become troublesome. I can imagine an American coming to Germany to experience a torch hike and liking it.

                                                                                                                    1. 0

                                                                                                                      To give an example, I found out a few years ago that the German “mhm” (i.e. the expression to acknowledge you are listening to someone while he speaks) is often interpreted by Americans as a “huh?”. You could imagine how much confusion that caused.

                                                                                                                      I have never in my life seen or heard “mhm” interpreted as “huh?”, and while I’m just one American and this is anecdotal I’ve lived in three fairly distinct regions of the USA.

                                                                                                                      1. -1

                                                                                                                        German “mhm” is very distinctly different to American “mhm”. I wouldn’t know how to describe it in words, though.

                                                                                                                        1. 0

                                                                                                                          Is it very distinct from the British “mhm”?

                                                                                                                  2. 1

                                                                                                                    Going on a torchlit hike at night sounds fun to me in the abstract, and also like the sort of activity that could hardly be unique to any one place, time, or culture. For ages before the invention of electric flashlights, how else were human beings supposed to light their way when walking around at night, wherever in the world they happened to be? I was unaware that some people associated the practice of going on torchlit hikes with specifically the NSDAP (or maybe just going on a torchlit hike while being an ethnic German??) until I saw people mentioning it in the context of suckless. Even if it’s true that the historical Nazis practiced torchlit hikes (which I assume is true, because I think it would be very easy for any group in human history to do so), I don’t think that confers any obligation on people alive today to refrain from it, any more so than Adolf Hitler’s famous vegetarianism confers any obligation on people today not to be vegetarians.

                                                                                                                    1. 3

                                                                                                                      I agree. I’m pretty well read on the topic, including having read Shirer’s “Rise and Fall of the Third Reich,” and I hadn’t heard about the association between torchlit hikes and Nazis before it was brought up in the context of suckless either. If I’m actually educated on the topic and still didn’t know about it, how could I really expect others to know about the association?

                                                                                                                      Personally, a torchlit hike sounds like a blast to me. If the opportunity presented itself to me, I would absolutely participate.

                                                                                                                      I agree with others in this thread that people are generally way too quick to bring up Nazi associations. I like to think I’m not naive about it either, since there are trolls and Nazis online that like to play these kinds of games. But I personally expect some pretty firm evidence before I’m willing to entertain Nazi accusations seriously. It’s a pretty serious thing to say.

                                                                                                            2. 9

                                                                                                              As an engineer child of social scientists, I’ve concluded that mental models like that are basically what you get when you take an engineering approach to social systems to its logical conclusion without considering people as, well, people. You end up with very efficient, streamlined, rational systems that place no value upon the people who are crushed in the process. It’s a simple, effective solution to the very complicated problem of human society, and it makes the complicated problem simple by saying “the people on the losing side don’t matter”. You can see this approach working efficiently and effectively all throughout human history, usually in the form of mass graves.

                                                                                                              Everything should be made as simple as possible, but no simpler.

                                                                                                              1. 3

                                                                                                                Because I can’t be sure which comment you’re replying to (AFAIK there’s no “parent” link for comments here), can you please clarify what you mean by “mental models like that”?

                                                                                                                1. 4

                                                                                                                  Sorry, I was talking about mental models such as the ones described by this comment: https://lobste.rs/s/nf3xgg/i_am_leaving_llvm#c_01mpwm . Essentially “we are not going to worry about equity and equality because it is irrelevant to the problem we are actually trying to solve”. Works fine when the problem you are trying to solve is “design a machine that does a particular thing well”, but ignores lots of ugly externalities when it comes down to the social structures and organizations of the people actually doing the design. Like unfettered free-market capitalism, it sounds ideal in theory and that makes it an appealing position. But my observation has been that it works great for the people already powerful enough or lucky enough to be unaffected by those externalities, and does not actually make the world a better place for anyone else.

                                                                                                              2. 3

                                                                                                                Extremes are rarely good. There should not be an aura of aggressivity around any project.

                                                                                                                1. 1

                                                                                                                  They’re doing literal torch hikes through southern Germany

                                                                                                                  I have no idea what holding torches might mean in this context. Could you explain, or provide links?

                                                                                                                  1. 6

                                                                                                                    It looks like one of those things Nazis ruin for everyone - https://www.theatlantic.com/politics/archive/2017/08/why-they-parade-by-torchlight/537459/. Whether that is intentional on the part of the suckless folks, is not clear to me.

                                                                                                                    The other top hit I got when googling was a torchlit tourist hike through Partnach Gorge in Garmisch-Partenkirchen. I’ve been to that gorge (not by torchlight) and it’s pretty cool!

                                                                                                                1. 2

                                                                                                                  Where do you go to find physical meatspace, in-person community gatherings of like-minded individuals, who are curious basically about what Lobste.rs types of people are curious about?

                                                                                                                  I think you won’t find something like this that is useful. Lobste.rs is great because there’s something for everyone. You can ignore what you aren’t interested in. In meat space, this is more socially unacceptable. You should think about what are the top two topics you like here and find groups for those topics.

                                                                                                                  1. 4

                                                                                                                    Healthy hackerspaces typically have members with a wide range of (mainly technical) interests, and it’s generally considered totally okay to just not engage on topics that don’t interest you; so long as you don’t harm the community (by eg. not cleaning up after yourself), of course.

                                                                                                                    In practice, I’ve found that most people tend to become interested in new topics after hanging around a hackerspace for a while. Interacting with other people who are knowledgeable in their interests, broadens your own.

                                                                                                                    1. 1

                                                                                                                      Thanks, that’s a good perspective. Tbh I’ve never been to a hackerspace but I always assumed it was as I had said. I will try it out some time.

                                                                                                                  1. 7

                                                                                                                    Just let go of the romantic idea of a hackerspace. You will learn that “we are all friends”-communism does not work just a few seconds after someone with lower standards has AGAIN chipped the plane blades that you had thoroughly sharpened. Or broke all the 4mm drill bits and then went on sabbatical. Or just laid the lid on paint or glue cans, and you stand there with dried and hardened stuff on Saturday at 7:30 pm.

                                                                                                                    Find one or two handfuls of peers with the same mindset and set up a workshop; five is a bit few, ten becomes burdensome.

                                                                                                                    It will work if and only if:

                                                                                                                    • it is not an open house
                                                                                                                    • presence is logged
                                                                                                                    • at the end of the day everything is cleaned up
                                                                                                                    • water/electricity/heating meters are logged at least weekly
                                                                                                                    • machines are shared, consumables ARE NOT
                                                                                                                    • everybody has liability insurance
                                                                                                                    1. 9

                                                                                                                      I’d like to invite you to come visit RevSpace[1] in the Netherlands, if you’re ever in the area. You’ll see that while things aren’t 100% perfect, it’s quite possible to run a healthy 100+ member hackerspace without resorting to draconian (and IMO community-breaking) measures like “no shared consumables”.

                                                                                                                      Here’s a brief though very limited tour of the space: https://www.nycresistor.com/2019/01/12/hackerspace-envy-a-visit-to-revspace-in-the-hague/

                                                                                                                      We do log door unlocks by members, for example, but it certainly isn’t full presence logging; anyone can visit whenever a member is present. It’s not a fully open house (in that the doors are locked in principle), but anyone is welcome to visit, also repeatedly, even if they’re not a member.

                                                                                                                      It’s more about community management and incentive design than anything else; if you establish a social expectation that everybody cleans their part, and you make cleaning supplies prominently visible in the space… then things get cleaned. It works the same for other expectations. Sometimes they are violated, and you have to talk to the person in question; but the vast majority of the time, it goes fine.

                                                                                                                      I don’t doubt that there are other hackerspaces (that I’m not aware of) that have similar experiences and results. Ultimately, and I can’t repeat this often enough, what makes a hackerspace work is community management. Setting expectations, being clear about what is considered unacceptable behaviour. If you don’t do that, things will go to shit very quickly, like in any community. But it isn’t an inherent problem to hackerspaces.

                                                                                                                      [1] https://revspace.nl/

                                                                                                                      1. 1

                                                                                                                        Thank you for the tip. If it works I’d like to see it. See, I’m a burnt child in this regard, but still a wee bit optimistic. I have an invitation for a 45th birthday in Almere, and I hope we all can travel again by September.

                                                                                                                        what makes a hackerspace work is community management.

                                                                                                                        And the shared topic as well:

                                                                                                                        • Compilers do not wear off. Plane blades and drill bits will.
                                                                                                                        • Misusing a build farm results in a broken build, some core files also are a nuisance, but no real damage.
                                                                                                                        • Misusing a CNC machine could result in broken tool bits, or really severe damage to humans, buildings (fire) or environment (oil in ground water)

                                                                                                                        Setting expectations, being clear about what is considered unacceptable behaviour.

                                                                                                                        Hey, that is exactly what we did :)

                                                                                                                      2. 1

                                                                                                                        Are you telling me to not desire to go to a cool place?

                                                                                                                        1. 1

                                                                                                                          You’re called “inactive-user” now, but for further reference, it depends on your definition of “cool”.

                                                                                                                      1. 2

                                                                                                                        matrix has become my irc bouncer and client

                                                                                                                        1. 10

                                                                                                                          Not a personal attack, but Matrix users on IRC are pretty troublesome for people using standard IRC clients – especially when they send formatted code blocks, you see a “xyz has sent a long message”; similar message when they upload an image.

                                                                                                                          Please use a standard IRC client.

                                                                                                                          1. 3

                                                                                                                            Ok, I can see how that might be problematic. I typically don’t send formatted code blocks. But usually irc channels ask that you handle pastes via some pastebin. So how different is it really in that case?

                                                                                                                            1. 2

                                                                                                                              I remember at least twice matrix users in this situation:

                                                                                                                              <u1[m]> go check https://[...] for the full message
                                                                                                                                 <u2> don't do that plz
                                                                                                                              <u1[m]> do what? about [topic]?
                                                                                                                                 <u2> no, that "go check https://[...] for the full message"
                                                                                                                              <u1[m]> I just typed a long message
                                                                                                                                 <u2> can't you disable this?
                                                                                                                              <u1[m]> I can try.
                                                                                                                                 <u2> now what were you saying?
                                                                                                                              <u1[m]> go check https://[...] for the full message
                                                                                                                                 <u2> go check https://127.0.0.1 for the full answer
                                                                                                                              <u1[m]> didn't it work? dammit!
                                                                                                                              *u1[m] has left the room*
                                                                                                                                 *u1 has joined the room*
                                                                                                                                 <u1> I was asking: are there good IRC bouncers around?
                                                                                                                              
                                                                                                                              1. 2

                                                                                                                                That seems like an argument for a UI cue in the IRC bridge (eg. a “your message has been pastebinned” notice), rather than an argument against auto-pastebinning.

                                                                                                                                1. 1

                                                                                                                                  I was more commenting than really arguing.

                                                                                                                                2. 1

                                                                                                                                  Ok, actually just the first 5 messages…

                                                                                                                              2. 3

                                                                                                                                Would you prefer that - like most (all?) ‘standard IRC clients’ with multi-line input - it just spams 40 lines into the channel one after another? Because that situation, which is generally considered undesirable in IRC etiquette, is what this approach is meant to solve.

                                                                                                                                Edit: Correction, not ‘all’. I believe qwebirc just strips the newlines and then sends half of a message, because the remainder exceeds the message length limit and it doesn’t split it up, so it gets cut off.
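As an added example (not code from the original thread, nor from qwebirc, Matrix or any IRC bridge), the Python below works out how much message text a relayed PRIVMSG line can carry and contrasts the “strip newlines and send once” behaviour described above, where the tail of the message is silently lost, with a splitter that stays inside that budget. The 512-byte line limit (including CRLF) comes from RFC 1459/2812; the sender prefix, channel name and sample messages are constructed for the example.

```python
"""Added example: why IRC clients either pastebin or split long input.

An IRC protocol line is at most 512 bytes including the trailing CRLF
(RFC 1459 / RFC 2812). When a server relays a PRIVMSG it prepends the
sender's ":nick!user@host " prefix, so the text a recipient actually
sees is shorter than what the sender could type. naive_send() models
"strip newlines, send one line, let the server cut it off";
split_message() keeps every piece inside the byte budget.
"""

IRC_MAX_LINE = 512  # bytes, including the trailing "\r\n"


def text_budget(prefix: str, target: str) -> int:
    """Bytes of message text that fit once the relayed line is built.

    Relayed form: ":<prefix> PRIVMSG <target> :<text>\r\n"
    """
    overhead = len(f":{prefix} PRIVMSG {target} :".encode()) + 2  # +2 for CRLF
    return IRC_MAX_LINE - overhead


def naive_send(text: str, budget: int) -> str:
    """Flatten newlines into spaces and send once; anything past the budget is lost."""
    flat = " ".join(text.splitlines())
    return flat.encode()[:budget].decode("utf-8", errors="ignore")


def split_message(text: str, budget: int) -> list[str]:
    """Split on newlines first, then on word boundaries, each piece <= budget bytes.

    A single token longer than the budget is hard-cut on a UTF-8 boundary.
    """
    assert budget >= 4, "budget must hold at least one UTF-8 character"
    pieces: list[str] = []
    for line in text.splitlines() or [""]:
        current = ""
        for word in line.split(" "):
            candidate = word if not current else f"{current} {word}"
            if len(candidate.encode()) <= budget:
                current = candidate
                continue
            if current:
                pieces.append(current)
            while len(word.encode()) > budget:
                chunk = word.encode()[:budget].decode("utf-8", errors="ignore")
                pieces.append(chunk)
                word = word[len(chunk):]
            current = word
        pieces.append(current)
    return pieces


if __name__ == "__main__":
    # Constructed sender and channel; the budget is what a recipient's server leaves.
    budget = text_budget("alice!alice@example.net", "#chan")
    message = "\n".join(["x" * 200] * 3)  # three 200-char lines, 602 bytes flattened
    print("budget:", budget)
    print("naive_send kept", len(naive_send(message, budget)), "of", len(message.replace("\n", " ")), "bytes")
    print("split_message produced", len(split_message(message, budget)), "lines")
```

The budget depends on the prefix the relaying server prepends for the sender, which the sender cannot see, so real clients have to guess conservatively; that uncertainty is one more reason bridges reach for a pastebin instead of trying to be clever about splitting.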

                                                                                                                                1. 1

                                                                                                                                  Yes. With rate limiting, this isn’t a problem. Having to open a web browser to read text is ridiculous.

                                                                                                                                  1. 2

                                                                                                                                    The rate-limiting makes it more annoying to a lot of people, because it means that the lengthy text is going to be interspersed with conversation for potentially minutes, rather than spamming a single big block of text (that you can scroll past) only once.

                                                                                                                                    Like, I’d be all for having an option in clients/bridges/etc. to disable auto-pasting on a per-channel basis when requested by the channel operator, but frankly I suspect you’re in a strong minority here. There’s a reason that “don’t paste into the channel, use a pastebin” has been etiquette for many many years.

                                                                                                                                    If I’m not mistaken, it’s literally how Pastebin.com came to exist!

                                                                                                                                    1. 1

                                                                                                                                      I think automatic pastebinning is great. The real annoying thing is their URL formatting that they “fixed” (broke) to support some objectively broken software

                                                                                                                            1. 3

                                                                                                                              I think the main benefit is that it feels faster if you have a fast device. Maybe it’s something to do with removing the flicker on page load? I had a plain HTML website and got a ton of complaints that it was “too slow.” After dropping turbolinks onto it, the same people were impressed at how “fast” it was.

                                                                                                                              Of course, that’s not an absolute metric, but it really does feel faster.

                                                                                                                              1. 3

                                                                                                                                It shouldn’t have been slow unless there was some serious latency hitting your server.

                                                                                                                                1. 3

                                                                                                                                  Sure, a white flash could make your site feel slower. But commonly overlooked is that it’s also an important accessibility feature: it signals to the user that the content on the page has changed and needs re-reading, and this is especially important for less tech-savvy users.

                                                                                                                                  I’ve even seen very tech-savvy users go “oh, huh, I didn’t realize that it had loaded already” while waiting for an already-completed content load. The lack of signalling here in SPAs is really a problem.

                                                                                                                              1. 8

                                                                                                                                There’s one legitimate use case for password expiration policy that often gets ignored.

                                                                                                                                If a password is compromised the attacker can possibly quietly access a system behind a user’s back and siphon out information for years and years.

                                                                                                                                For example the CEOs email password has been compromised and a hacker establishes a script to siphon out and archive messages which could last for years.

                                                                                                                                A password expiration policy limits this risk by setting a time window.

                                                                                                                                If you don’t have that you can potentially get into situations where you can not reliably determine what has been compromised and what hasn’t been.

                                                                                                                                Password expiration gives you a frame of reference for when the compromise could and could not have happened.

                                                                                                                                1. 7

                                                                                                                                  The problem with this reasoning is that it ignores the initial attack vector; how did the attacker compromise that password in the first place? It doesn’t just magically fall out of the sky once and then never reappear again.

                                                                                                                                  Very often you’ll find that the password was obtained by compromising a victim’s computer, breaking into an auxiliary system that shares the same passwords, and so on. In these cases it is absolutely useless to change the password, because the attacker could just as easily obtain the new password and continue their business.

                                                                                                                                  There’s a small set of cases where a time window might limit exposure, such as reused passwords in password dumps; but 1) these cases are better mitigated by preventing low-entropy passwords, 2) you’re still vulnerable for 3 months or whatever your window is, which is more than enough time to siphon out all information from most networks, 3) you’d be much better protected by just having proper monitoring of user sessions in the first place.

                                                                                                                                  Is there theoretically a nonzero benefit to password expiry? Yes, but only if your security is already otherwise lacking, and even then it’s not a common case, and at that point it’s absolutely not worth it considering the big downside of forced password expiry: it incentivizes people to pick worse passwords, because remembering complex passwords is a big time investment that’s no longer worth it.
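As an added illustration of the mitigation argued for in the comment above (example code, not from the original thread or from any particular product), the Python below rejects passwords that are low-entropy or already present in a breach corpus, using the k-anonymity range-lookup pattern that Have I Been Pwned’s password API uses: only the first five hex characters of the uppercase SHA-1 digest leave the client, and the suffix match happens locally. The breach corpus, the 50-bit threshold and the sample passwords are constructed for the example; a real deployment would replace range_lookup with the HTTPS call.

```python
"""Added example: reject weak or leaked passwords at set time instead of rotating them.

Two checks:
  1. a crude entropy estimate, length * log2(alphabet size);
  2. a k-anonymity range lookup modelled on the HIBP "range" API, against a
     breach corpus constructed inline so the script runs offline.
"""
import hashlib
import math
import string

MIN_BITS = 50.0  # constructed threshold for the example


def estimated_bits(password: str) -> float:
    """Entropy estimate assuming uniform choice from the character classes used."""
    pools = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    alphabet = sum(size for chars, size in pools if any(c in chars for c in password))
    # Anything outside the four pools (e.g. non-ASCII) counts as one extra symbol each.
    alphabet += len({c for c in password if not any(c in chars for chars, _ in pools)})
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Constructed breach corpus: SHA-1 -> number of times seen in public dumps.
_LEAKED = {
    sha1_upper(p): n
    for p, n in [
        ("password", 3_000_000),
        ("Password1!", 50_000),
        ("correcthorsebatterystaple", 1_200),
    ]
}


def range_lookup(prefix5: str) -> dict[str, int]:
    """Stand-in for the HIBP range endpoint: all suffixes sharing a 5-hex prefix."""
    return {h[5:]: n for h, n in _LEAKED.items() if h.startswith(prefix5)}


def breach_count(password: str) -> int:
    """How often the password appears in the corpus; only the 5-char prefix is sent."""
    digest = sha1_upper(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)


def check_password(password: str) -> list[str]:
    """Return the list of reasons a password is rejected; empty means accepted."""
    problems = []
    bits = estimated_bits(password)
    if bits < MIN_BITS:
        problems.append(f"estimated entropy {bits:.1f} bits is below {MIN_BITS:.0f}")
    hits = breach_count(password)
    if hits:
        problems.append(f"seen {hits} times in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "correcthorsebatterystaple", "Tr0ub4dor&3"]:
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

Note what the second check catches that rotation cannot: a long passphrase with plenty of estimated entropy is still rejected if it has already leaked, because an attacker working from a dump does not need to brute-force it at all.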

                                                                                                                                  1. 1

                                                                                                                                    This would indeed work if you can use a password manager at that point. If it is at the login prompt, you usually can’t use a password manager. If web service X has a policy to change password every Y months, it wouldn’t be much trouble, I just use my password manager. I do that occasionally (manually) anyway for social accounts.

                                                                                                                                    Also, as the article suggests, for the particular threat you mention, you’d better use 2FA to mitigate that.

                                                                                                                                  1. 1

                                                                                                                                    Mmh. Why does PIA not like the community-run and non-profit ISP I use?

                                                                                                                                    Your ISP: Individual Network Berlin e.V. You are not protected Learn More »

                                                                                                                                    1. 9

                                                                                                                                      Because PIA is a VPN provider, and VPN providers are in the snakeoil and fearmongering business.

                                                                                                                                      EDIT: To be clear, this isn’t just a random rant. I mean this entirely seriously. The entire VPN provider industry runs on lies and misrepresentations about what a VPN service does, exactly. It’s nothing more than a proxy, with all the same security and privacy issues: https://gist.github.com/joepie91/5a9909939e6ce7d09e29

                                                                                                                                      1. 1

                                                                                                                                        Pretty much dead on. They’ll only change that line if they see that you’re coming from one of their VPN servers. Anything else and “You are not protected.”

                                                                                                                                        1. 1

                                                                                                                                          And the irony is that I connect to my ISP via VPN :)

                                                                                                                                      1. 3

                                                                                                                                        It sounds to me like “the desired out come [sic] of a very short URL” needs to be examined: What is so wrong about a long URL? Google use them, and Apple use them. As a content-identifier, a URL should (conceptually) be a hash of its content and accessor, and so very compressed hashes for mostly public information (like on Twitter) are absolutely acceptable. URLs can get quite large these days, and long URLs may scare people giving them pause before sending them to others. For all these reasons and more, I’d really like to see this point justified further.

                                                                                                                                        However even given that, there’s other strange advice in here as well, like “Do not use obfuscated URLs as a backdoor.” which is silly. A long, hard-to-guess URL is absolutely more secure than a short, easy-to-remember (and frequently-typed) password.

                                                                                                                                        And the proposed protection against timing attacks is troubling in the face of a much simpler solution: Find the max lookup time, and sleep up to it. Add some random fuzz to protect against jitter.

                                                                                                                                        1. 2

                                                                                                                                          A long, hard-to-guess URL is absolutely more secure than a short, easy-to-remember (and frequently-typed) password.

                                                                                                                                          This is false. The problem is that you’re only considering the raw entropy, but not all of the other technical implications - because a URL is not considered sensitive information, it may be retained by proxies, in access logs, browser history, desktop session data, and so on.

                                                                                                                                          It may be sent over a message bus like DBus, or through custom IPC protocols to other applications on the system. Browser extensions may even send this URL elsewhere for purposes like malware scans, because they don’t expect the URL to essentially contain a password. And so on - the possibilities are endless.

                                                                                                                                          This would be a good moment to invoke this article. Deviating from the assumptions under which something is designed, is generally a bad idea because of pitfalls like this.

                                                                                                                                          1. 1

                                                                                                                                            a URL is not considered sensitive information,

                                                                                                                                            And you think a password is? That’s so cute.

                                                                                                                                            Should I address you? Or the person working the sock puppet?

                                                                                                                                            It may be sent over a message bus like DBus, or through custom IPC protocols to other applications on the system.

                                                                                                                                            That’s no different than any keychain or password manager.

                                                                                                                                            Browser extensions may even send this URL elsewhere for purposes like malware scans

                                                                                                                                            No, they don’t. But it’s not like they’re smart about security, it’s that they’re smart about the privacy backlash. Software that works that way is illegal in Germany and Switzerland, and about to be made illegal (GDPR) in the rest of Europe.

                                                                                                                                            If you know of a browser extension that does this, you should have it reported.

                                                                                                                                            And so on - the possibilities are endless.

                                                                                                                                            No. They’re really not.

                                                                                                                                            Meanwhile, the very real risk of someone having to remember “yet another password” writes it down with all their other passwords – now an attacker knows by searching for that password which file contains all of the other goodies. Yum.

                                                                                                                                            Or someone decides to change the password. Or reuse it. Or copy/paste it and accidentally paste it into the wrong place.

                                                                                                                                            We have too many passwords and I get it: we think we want to “make things secure” instead of authenticating and confirming authorisation to resources. But that’s just caused by too many cargo-cult programmers who find one blog post they agree with and forget how to think for themselves.

                                                                                                                                          2. 0

                                                                                                                                            It sounds to me like “the desired out come [sic] of a very short URL” needs to be examined: What is so wrong about a long URL?

                                                                                                                                            SMS. You only get 160 characters, and you want as short of a URL as possible. This is the sort of constraint I’ve had to work around for clients in the past.

                                                                                                                                            However even given that, there’s other strange advice in here as well, like “Do not use obfuscated URLs as a backdoor.” which is silly. A long, hard-to-guess URL is absolutely more secure than a short, easy-to-remember (and frequently-typed) password.

                                                                                                                                            That depends on whether or not you allow weak passwords.

                                                                                                                                            And the proposed protection against timing attacks is troubling in the face of a much simpler solution: Find the max lookup time, and sleep up to it. Add some random fuzz to protect against jitter.

                                                                                                                                            Do not use sleep to mitigate timing attacks. It might seem tempting, but it doesn’t work. You either use too short of a delay (and your random fuzz becomes useless with enough samples) or too long of a delay (and expose your server to easier DoS attacks). A Goldilocks strategy won’t work either: the goalposts will move over time, and you’ll need to figure out where/how to calibrate the values for the delays. You’re better off solving the real problem.
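The two positions argued above (random sleep to hide a lookup's timing versus fixing the comparison itself) in a small constructed model, added here as an example and not code from any commenter or from the linked article: an early-exit comparison costs more the further it gets before mismatching, a random delay two hundred times larger than that per-byte cost is added, and the mean over enough samples still exposes the difference, while hmac.compare_digest over fixed-length digests removes the dependence entirely. All timings and the token are constructed, not measured.

```python
import hashlib
import hmac
import random
import statistics

# Constructed model parameters in microseconds; not measurements of any real system.
BASE_US = 50.0       # fixed cost of handling one request
PER_BYTE_US = 0.5    # extra cost per leading byte an early-exit comparison examines
FUZZ_US = 100.0      # uniform random delay added to "hide" the leak (200x PER_BYTE_US)


def leaky_compare(secret, candidate):
    """Early-exit comparison as found in naive code. Returns (equal, bytes_examined);
    bytes_examined stands in for the work done, which is what timing exposes."""
    if len(secret) != len(candidate):
        return False, 0
    for i, (x, y) in enumerate(zip(secret, candidate)):
        if x != y:
            return False, i + 1
    return True, len(secret)


def fuzzed_response_us(secret, candidate, rng):
    """Modelled response time: the real work plus a random sleep of up to FUZZ_US."""
    _, examined = leaky_compare(secret, candidate)
    return BASE_US + PER_BYTE_US * examined + rng.uniform(0, FUZZ_US)


def mean_gap_us(secret, prefix, samples, seed=0):
    """Difference of mean modelled response times between a candidate sharing
    `prefix` leading bytes with the secret and one mismatching at byte 0, each
    averaged over `samples` requests. Expected value is PER_BYTE_US * prefix;
    the fuzz only adds noise, and noise shrinks as samples grow."""
    rng = random.Random(seed)
    # Constructed candidates of the secret's length, differing only in where they first mismatch.
    good = secret[:prefix] + b"\xff" * (len(secret) - prefix)
    bad = bytes(x ^ 0xFF for x in secret)
    m_good = statistics.fmean(fuzzed_response_us(secret, good, rng) for _ in range(samples))
    m_bad = statistics.fmean(fuzzed_response_us(secret, bad, rng) for _ in range(samples))
    return m_good - m_bad


def constant_time_check(secret, candidate):
    """The fix: compare fixed-length digests with a constant-time primitive, so the
    work depends neither on where the first mismatch is nor on candidate length."""
    return hmac.compare_digest(hashlib.sha256(secret).digest(),
                               hashlib.sha256(candidate).digest())


SECRET = b"constructed-demo-token-0123456789"  # constructed, not a real credential

if __name__ == "__main__":
    print("gap over 10 samples:    %.2f us" % mean_gap_us(SECRET, 8, 10))     # buried in fuzz
    print("gap over 50000 samples: %.2f us" % mean_gap_us(SECRET, 8, 50000))  # close to 4.0
    print("constant-time check:", constant_time_check(SECRET, SECRET))
```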

                                                                                                                                            1. 1

                                                                                                                                              SMS. You only get 160 characters, and you want as short of a URL as possible. This is the sort of constraint I’ve had to work around for clients in the past.

                                                                                                                                              160 characters is plenty for authenticated secret-key encryption.

                                                                                                                                              Do not use sleep to mitigate timing attacks.

                                                                                                                                              Yes, do. And in fact read the article you just linked to where it suggests exactly my mitigation suggestion: “Make the operation take a minimum time (clamping)”. It suggests a weakness to local users and some handwaving about security by obscurity, but no real actual problems with it.

                                                                                                                                              [too long of a delay] and expose your server to easier DoS attacks

                                                                                                                                              Saying “easier” is intellectually dishonest. If someone can DoS your cpu idle, then they can certainly DoS you when your cpu is warm. Process and network utilisation remains almost exactly the same, and in all practical ways of measuring it, you’re introducing no new attacks.

                                                                                                                                              That depends on whether or not you allow weak passwords.

                                                                                                                                              The weak password is the one that someone has to write down in an accessible place, but by all means: put your money where your mouth is and find my secret url.

                                                                                                                                              Just stop using passwords.

                                                                                                                                              1. 1

                                                                                                                                                160 characters is plenty for authenticated secret-key encryption.

                                                                                                                                                Yes, but not “a custom message + the URL”, which is what my past clients wanted.

                                                                                                                                                Saying “easier” is intellectually dishonest. If someone can DoS your cpu idle, then they can certainly DoS you when your cpu is warm. Process and network utilisation remains almost exactly the same, and in all practical ways of measuring it, you’re introducing no new attacks.

                                                                                                                                                The DoS comes in when you have idle connections being used (and using memory) for needlessly long periods of time, which allows an attacker to send more requests than the server can fulfill which blocks legitimate traffic.

                                                                                                                                                Having a long sleep on the server side makes that easier.

                                                                                                                                                I wouldn’t be so quick to call something intellectually dishonest, because all that does is hamper understanding and make future interactions needlessly adversarial.

                                                                                                                                                1. 1

                                                                                                                                                  Yes, but not “a custom message + the URL”, which is what my past clients wanted.

                                                                                                                                                  Two messages are cheap.

                                                                                                                                                  Anyway, I try to avoid making things harder for myself since I’m trying to save my customers their money.

                                                                                                                                                  for needlessly long periods of time, … I wouldn’t be so quick to call something intellectually dishonest, because all that does is hamper understanding and make future interactions needlessly adversarial.

                                                                                                                                                  You keep saying “long”. Be specific. Give timings: This is usec and nsec territory. An attacker that can overload you taking T+100 usec but not T usec doesn’t exist.