Threads for jswrenn

  1. 22

    No surprise Rust has fallen flat here. Rust isn’t a language you can pick up in an hour or two. Also when your program is small enough to fit in your head, you don’t need any language-provided guarantees.

    1. 23

      Even for a simple program like this, I’d still probably reach for Rust, just because it makes it so easy to pull in dependencies: structopt for parsing command-line arguments, walkdir for filesystem traversal, and regex for pattern matching — not to mention the standard library for its awesome iterator adaptors.

      So, out of curiosity, I gave it a shot! It took me <30min, which included checking Serge’s source code to make sure I was matching their functionality.

      What struck me about Serge’s implementation is that it doesn’t rely on any dependencies, or even Cargo. That’s definitely diving into Rust in hard-mode, and I’m very curious about what challenges they encountered. The Rust implementation of glob is very similar to the Zig implementation, so I’d guess most of the time was spent on walk. In contrast, I spent virtually no time at all writing that function, since I simply pulled in walkdir as a dependency.

      (To be clear: I agree completely that Rust isn’t a language you can pick up in an hour to two!)

      1. 12

        And walkdir won’t use a call stack whose size is proportional to the input.

        1. 2

          True. But in fairness to a recursive implementation, the stack depth is proportional to the depth of the input directory tree, which is almost certainly <100. Not always, I’m sure there’s some fringe case, but the max depth on my entire Mac filesystem is 27.

          1. 4

            I wonder how many of these impls fail when the filesystem isn’t necessarily real, or when there’s a circular symlink

            1. 3

              Or a circular filesystem. I don’t recall, can you create loops with mount --bind?

            2. 1

              I recall in the past using OSes with 1) maximum path length 256 characters, and 2) maximum of 8 directories in a path.

          2. 8

            One of the things I that always keep me away from Rust are things like Cargo and the culture of external dependencies. Compared to other modern languages like Go, there are far more restrictions on how a project should look like. Since working with Java and Android, there has always been something inherently suspicious to me about those kinds of languages.

            1. 12

              I hear this a lot, but what strikes me is why this is an issue when there is nothing inherently about Rust that keeps one from vendoring dependencies (which even has dedicated tooling), or copy/pasting inline, or just writing everything from scratch. Sure, it’s not super common (although some do it), and probably not the best option; but it’s still an option. If one doesn’t want any external dependencies, don’t use them.

              1. 7

                One of the things I that always keep me away from Rust are things like Cargo and the culture of external dependencies.

                Would you call this the Cargo cult-ure? /s

                1. 1

                  Dang, beat me to it ;)

          1. 2

            Neat! This seems similar to bors, which gets a lot of use in the Rust community. Unfortunately, it’s a bit tricky to set up with Github Actions (though that’s improving). I appreciate MergeQueue’s focus on ease-of-adoption.

            1. 0

              Thanks for pointing bors. Yes this project was inspired from it. Merge Queue simplifies a lot of those complexities. Hope you can try it sometime!

            1. 3

              The volume of the space is a 347-digit-long number, but the maximum distance between points is just 3060 - sqrt(255255144)

              I spent waaaay too long wondering how the maximum distance between points could be zero.

              1. 2

                After going through a coding bootcamp, my wife napped a job at a small web/application development studio. They’re not “big tech”, but they’re also hardly a startup chasing hyper growth either — they’re a just tight-knit team of just the right size.

                I’m wildly envious of her gig!

                1. 13

                  I have to admit I have no context here, and was mislead by the headline into clicking through, because I read “you” as “any arbitrary person,” and not “specific people who got a letter from Brown University about accessing Brown buildings and networks,” so I was curious, and then a little annoyed…

                  But with that out of the way, were there really people surprised by these letters, and needing it spelled out?

                  People are so naive they don’t think the University is tracking access to their buildings and networks? What do they think the access cards are for?

                  1. 13

                    There are college students so naive they don’t think the University is tracking access to their buildings and networks?

                    Yeah. 🙁 This situation has surprised a lot of students on campus.

                    1. 4

                      Disappointing, but fair enough.

                      1. 4

                        The silver lining is that now there will be an increased awareness of this behavior, so that’s something (even if it is fleeting for the most part…)

                      2. 8

                        It’s interesting how many people do not realize this and more. Few year ago some students broke into campus in Maryland and sprayed some swastikas and racial messages. They were caught because their phones connected to school wifi with their logins…

                        1. 6

                          They think the access cards are to get into buildings - it doesn’t occur to them that it’s an entire, campus-wide networked system because it doesn’t look like it is. It’s easy for us in a technology forum to realize that this kind of tracking is possible and probably occurring, but imagine you didn’t have the technical background to understand that there must be some sort of centralized network/database/etc. Do you really think you would make the connection? Both that this kind of logging is possible in the first place, but also that the university might actually be doing this (extremely invasive) logging? IT is generally a trusted entity whose job is to keep students safe; it wouldn’t even occur to most students that IT might be hostile (at least, from their perspective).

                          1. 6

                            I doubt even many computer science students have this in their threat models…

                            1. 9

                              Exactly. I mean frankly I spend a lot of time/effort protecting my privacy and security and am pretty much the most paranoid person I know on my campus (at least when it comes to technology). I assume my university WiFi is hostile (especially because on the guest network, which admittedly seems to be run by a different organization than the regular network, I have used OONI Probe to catch them censoring traffic), and generally speaking I do not fully trust the IT department. And even I didn’t seriously consider that the university might be going to this extreme level to surveil students, although I did wonder if they were monitoring building swipes to enforce no-guest policies*.

                              It isn’t news that Brown (or my university, or presumably tons of other universities) has these capabilities. It’s just a reminder that they do, and that those surveillance systems are ripe for abuse. But more importantly, what’s really noteworthy here is that Brown actually decided that it was a good idea to deploy this kind of invasive surveillance and tracking against students. Whether the public health benefit of enforcing the Student Code of Conduct’s COVID-19 policies outweighed the cost of the invasive way they did so is a separate, highly complex issue that honestly I don’t want to comment on without having more information. But I don’t think it’s controversial to say that said cost was quite high.

                              *: it was later confirmed to me by a university official that they considered this - implemented this? I can’t remember - but that it wasn’t/wouldn’t be effective because swipe access is deactivated for residential buildings you don’t have authorization to be in. So most students wouldn’t even try the swipe because they knew it wouldn’t work; instead they’d just call their friend they were going to see to let them into the building.

                              1. 6

                                I TAed my university’s security class. For one of the assignments (which really was a CTF I put together), I gave our students access to a rpi3 that they could comb for flags.

                                I don’t know how much nmapping of the school network was done from the pi, but I do know that it was a nonzero amount, mostly by accident by scanning too many subnets in the process of learning how nmap worked. And no one seemed to care ultimately…

                                The extra credit on the assignment was to break into my Linux account via a privilege escalation. Only one team succeeded, but I had a pair of students determine which building I lived in from examining reverse DNS. I wish I could have given them extra credit for that.

                                Anyway, it was the coolest group of students ever.

                                1. 3

                                  Man, that sounds fantastic. I wish I could take that class!

                                  1. 2

                                    They had fun. The group that basically was able to track me down with metadata in our pentest assignment made lots of that grading worth it.

                                    There was another group that said that I had been social engineered by giving them an account on the raspberry pi. Technically correct, since it was given to them so they could do the assignment :-)

                                    On our binary exploitation project, another group accidentally got a shell on one of the targets with ROP. That’s a discussion for another day…

                            2. 1

                              IT is generally a trusted entity whose job is to keep students safe; it wouldn’t even occur to most students that IT might be hostile (at least, from their perspective).

                              Doesn’t helping to enforce quarantine during a pandemic count as keeping students safe?

                              1. 1

                                The rule being enforced relates more so to where you quarantine, not whether you’re quarantining. It does not apply to the significant number of Brown students in Providence who elected to take an academic leave this semester (but are oftentimes still employed as TAs).

                          1. 7

                            Buy a good [~10% of bicycle value] lock

                            I give this same advice to new bike owners (who are likely to underspend on their lock), but this advice now really grates on me. I own a seven thousand dollar bike (bikes that are friendly to people with disabilities aren’t cheap 😞). How do I protect it when I’m away from home? $700 bike locks aren’t really a thing, and if you if you thought bike insurance rates on “cheap” bikes were bad…

                            1. 5

                              Compared to a typical $7k bike, I’d guess that yours is far more difficult to fence. I hear that a stolen bike is usually chopped up for parts, and you have

                              • an asymmetrical wheel set in two unusual sizes
                              • no stem or handlebars
                              • a frame not compatible with typical wheel sets

                              So perhaps it has the theft appeal of an inexpensive bike? (Despite how cool I think it is :)

                              I would still downgrade or lock your rear seat, though!

                              1. 2

                                This comment is a really insightful addition to @calpaterson’s threat model. Even Powertool Percy’s fences might be stymied by, say, a penny farthing. (Or at least, I really hope that’d be the case.)

                                Due to COVID, we haven’t had a situation in the past year where we’ve left our bike outside unattended for any amount of time, but I expect our eventual theft-mitigation efforts will be some combination of:

                                • locks, and more locks
                                • paint the bike to be more distinctive
                                • embed a gps tracker (or two?) in the frame
                                • remove the steering pin when leaving the bike unattended
                                • insure the bike (ugh)

                                Despite how cool I think it is :)

                                It’s awesome. Totally has ruined “normal” bikes for me. The ability to easily maintain conversations with someone on a long ride is a game-changer in itself!

                              2. 4

                                Obviously seven $100 locks. /s

                                1. 2

                                  That’s a really cool bike! Unlike a normal recumbent bike, I’m not seeing anywhere for the rider in front to hold onto with their hands. Is there a seatbelt or some other solution so that the rider in front doesn’t fly off during an emergency stop?

                                  1. 2

                                    There are handles beneath the front seat! You can also order a seatbelt as an accessory, but the font seat feels very secure—even during abrupt braking!

                                    1. 1

                                      a normal recumbent bike

                                      No such thing. An “ordinary” bicycle frame is actually a high-wheeler. The typical diamond frame design is a “safety”. Anyway, USS has been one school of recumbent design since the 1970s at least.

                                    2. 2

                                      How do I protect it when I’m away from home?

                                      The obvious first choice is to bring it into your home. If that’s not an option, maybe you can rent space in a neighbor’s garage or at some nearby storage service? There is no safe way to lock a bike up outside for multiple hours (see Percy, from the article).

                                      1. 1

                                        There is no safe way to lock a bike up outside for multiple hours (see Percy, from the article).

                                        Given a thief with an angle grinder, there isn’t even a safe way to lock a bike up outside for multiple minutes! Of course, I can keep the bike safe at home, but at some point it’s more furniture than bike.

                                        1. 1

                                          Ah, I read your “when I’m away from home” as “when I’m away and the bike is at home”, which, in hindsight, doesn’t make much sense, oops. Sorry.

                                          When I drag my bike into areas where theft is seemingly high, I get very unshy about taking my bike into the building and stashing it next to the receptionist, cashiers, etc. Most of the time they don’t seem to care, but I suspect this could be different if you’re in an area where cyclists are looked down on more than they are here..

                                      2. 2

                                        $700 bike locks aren’t really a thing

                                        https://securityforbikes.com/products.php?cat=Extreme+Security+Chain+and+Lock+deals

                                        I bought some of the products from Stephen Briggs (I think was a founder together with his wife Sarah. Company name was Pragmasis), this was about 9-10 years ago or so.

                                        I am overall very happy with product, and the quality of interaction I had with Stephen. Thankfully, the chains (I bought several, as had different needs for different weight/length configs) – were not tested.

                                      1. 2

                                        I have two three problems with this.

                                        1. Namespaces in XML/HTML are not “voodoo”. The MDN docs specify exactly what the resolver function does. Just because you don’t understand something, doesn’t make it “voodoo”.

                                        2. Really, you’re still extending native prototypes? I guess the JavaScript community really hasn’t learn it’s lesson from the “smoosh”-pocalypse a few years ago?

                                        3. The third attempt, where the author attempts to access the text node directly, could have easily been adapted to simply iterate over text nodes checking for existence of the string to be replaced. I think XPath actually is a good tool to use here, but the author is clearly out of his/her depth if namespaces are “voodoo”, so iterating over nodes using the DOM is probably a safer alternative.

                                        1. 5

                                          but the author is clearly out of his/her depth if namespaces are “voodoo”, so iterating over nodes using the DOM is probably a safer alternative.

                                          This is needlessly exclusionary, and is exactly the sort of attitude that gives XML-related technologies a bad rap. You absolutely do not need to have a thorough understanding of namespaces to use XPath effectively.

                                          1. 1

                                            I didn’t say you need a thorough understanding.

                                            Calling something “voodoo” is a long way from “I don’t understand this thing in depth”

                                          2. 2

                                            Really, you’re still extending native prototypes? I guess the JavaScript community really hasn’t learn it’s lesson from the “smoosh”-pocalypse a few years ago?

                                            What event was this?

                                            1. 5

                                              There’s a whole writeup about it here: https://developers.google.com/web/updates/2018/03/smooshgate

                                              TL;DR: There was a proposal to add Array.prototype.flatten to JavaScript, but it turns out that would have been incompatible with MooTools’s Array.prototype.flatten, so some websites which used MooTools would have been broken. The proposal’s author jokingly suggested renaming the new function to “smoosh,” which is where the name comes from.

                                              1. 2

                                                I would have expected a more local implementation of the method to override the default implementation. Isn’t this the case for JS?

                                                1. 1

                                                  No. The impact is page-global. If you’re doing webdev, you absolutely should not extend native prototypes (polyfills excepted).

                                                  (That said, the “javascript community” extends beyond webdev. In certain (mostly non-webdev) contexts, extending native prototypes can be completely harmless.)

                                                  1. 1

                                                    Well it depends how the JS implementation is written. Some will only add the method if it doesn’t already exist (imagine a polyfill). Why you would do that for a method that isn’t a polyfill I have no idea..

                                              1. 9

                                                XPath is a funny little technology. Along with XML Schema and XML itself, it comes from an era when JSON didn’t yet exist, web APIs were new, and we thought all web pages were going to become “valid” XML documents via XHTML. Funny, because, even though JSON largely replaced XML, it turned out that XPath and XML Schema were mostly YAGNI technologies, and so we hardly use alternatives to them when we work with JSON. And, nowadays, the idea of an HTML page being valid structured data against some schema seems quaint – what with the focus on “does it render across browsers?”, “is it responsive?”, “Is it fast?”, etc.

                                                1. 12

                                                  And don’t forget XSLT! ;-) Dredging up these old technologies can feel like wandering into an alternate reality.

                                                  XPath is indispensable for quick-and-dirty web-scraping, and XSLT is, well, something—there isn’t really any direct replacement for it! I find myself writing XSLT about once a year. Most recently: rendering ALTO files as SVG overlays on scanned newspapers (to make the text selectable) completely on the client-side!

                                                  1. 5

                                                    XSLT is interesting for sure. I used it on a job for about 4 years. It was great for converting source documents into the specific format our system knew how to ingest.

                                                    I haven’t written any since I left that project and can’t say I miss it, even though it was really effective for our use case.

                                                    1. 1

                                                      Hi5 XSLT buddy!

                                                      I used it early in my career for more years than I’d like to remember but it was on point for that specific employer: It was a publisher that converted XML into a whole load of other formats and also added meta-data.

                                                      The ‘crown’ of my work was converting the XML into RTF.

                                                      1. 2

                                                        Ha ha ha! Yeah, it’s a good tool for those jobs. Sounds like we did the opposites. I took in lots of different XML sources and converted them all into our one XML format.

                                                  2. 10

                                                    And, nowadays, the idea of an HTML page being valid structured data against some schema seems quaint

                                                    I don’t think it’s surprising or necessarily bad that web pages aren’t, but the state of schema validation for JSON that does represent structured data makes me kinda sad. JSON Schema seems to have enough momentum that I’m not worried about its future, but the validator ecosystem doesn’t feel particularly healthy… and also, it’s just not as capable as XML schema.

                                                    As for the rest of the XML tooling, it still does get used in some areas, and for me personally it’s a massive relief when I need to analyse data from some random proprietary thing and it turns out to be backed by XML, because it means the tooling to let me write queries about it is just there. Despite how popular JSON is, it hasn’t really ever got there (jq is good but limited by design; jsoniq… exists, I guess).

                                                  1. 7

                                                    Pyret looks very well designed, but the compiler implementation looks very frustrating. It’s a 4-stage bootstrapping process involving massive compiled JS blobs checked into the source tree. I wonder why it’s not a 2-stage compiler, with a minimal compiler written in JS and the full compiler written in Pyret.

                                                    I’ve thought about writing another compiler so that Pyret can be used without the bootstrapping madness.

                                                    1. 4

                                                      I work on Pyret. You’re not wrong. I’ve often daydreamed about writing an interpreter, or a compiler in OCaml with bucklescript!

                                                      If you ever get around to writing that compiler, our group would love to hear about it. :-)

                                                      1. 5

                                                        This is such a small thing but I love how pyret lets you use dashes in identifiers! I’ve never seen this in a non-lisp before, other than forth.

                                                        1. 5

                                                          COBOL allows dashes in identifiers. Only a dash surrounded by spaces is interpreted as a minus.

                                                        2. 3

                                                          Are there any weird language corners/features/bugs that a future interpreter/compiler implementor should know about? Things like Python’s descriptor protocol, etc, etc

                                                          1. 1

                                                            i’ve daydreamed of exactly that too, though i was envisioning a gradual migration of the existing compiler to bucklescript. not something i could do on my own but if there were people doing it i would love to jump in and help!

                                                            a command line interpreter in ocaml would be awesome too.

                                                        1. 8

                                                          Single-file version control. I do have something I called fh, but it’s mostly a joke given its design constraints (and performance characteristics as a result of them). The only drive I have is personal issues with licensing on the existing solutions SCCS (CDDL) and RCS (GPL or OpenBSD’s that has some 4-clause BSD files); SRC is just a wrapper around the aforementioned ones. The part that scares me the most is definitely the diffing. I kind of do want to use interleaved deltas on the backend, but I’ve failed multiple times to even retrieve data from an SCCS weave, much less insert a diff.

                                                          Liberally licensed elliptic curve cryptography over a binary field (e.g. NIST B-163). I just kind of feel like I should know this and occasionally I do run into one of those obscure binary field curves. However, I wholly lack the mathematics for it and never felt like actually sitting down for a week to learn discrete math and elliptic curves and whatnot. Library support is actually lacking (does anything other than OpenSSL even support these curves?) but OpenSSL is kind of the be-all-end-all of cryptography libraries to begin with.

                                                          Self-hosted, open source base for DRM. Keygen and Qeys have some very attractive solutions for DRM that are simple to integrate. But I kind of sort of want my own and have it be open source so that people with a lot of paranoia won’t have to rely on third parties. The irony of open source DRM is not lost on me, no.

                                                          Yet another typesetting system. TeX has great output and is painful to actually work with if you want to customize it; LaTeX exists for a reason after all. Troff has mediocre output (let’s not get into the nitty-gritty tradeoff that is choosing between groff and heirloom-troff here) and is somewhere between amenable and hell to actually work with. Why not both?

                                                          1. 2

                                                            Yet another typesetting system. TeX has great output and is painful to actually work with if you want to customize it; LaTeX exists for a reason after all. Troff has mediocre output (let’s not get into the nitty-gritty tradeoff that is choosing between groff and heirloom-troff here) and is somewhere between amenable and hell to actually work with. Why not both?

                                                            (La)TeX is lovely and Knuth is brilliant, but his lack of PLT expertise shows. I’m exceedingly eager to see what would happen if a PL expert tackled typesetting languages. (Unfortunately, the story of Tex is itself a cautionary tale for any PLT PhD students thinking they’d might like to tackle the problem and finish their dissertation within a decade.)

                                                            1. 4

                                                              TeX is the way it is not because Knuth couldn’t do a better language, but because it was built at a time computer’s couldn’t fit an AST in memory. The TeX compiler has to generate the output with few sequential passes through the code.

                                                              1. 2

                                                                A lot of people also confuse latex (Lamport) with Tex (Knuth)

                                                                Knuth was not interested in creating a markup system but to produce a professional typesetting tool for the expert user that pushed the boundaries of what had been done before.

                                                                It’s unfair to say he didn’t care about abstractions, rather I think he chose the abstractions that served his goals and did not abstract where they were unhelpful or introduced performance penalties.

                                                                Like people complain about having to rerun latex to page numbering right in the table of contents. Iirc knuths text document just generate the TOC at the end and he can then reorder pages in a production step.

                                                                One counterexample to the “no abstractions” argument would be metafont.

                                                              2. 2

                                                                What is “PLT” and how does it apply here? I think the issue with TeX doesn’t have to do with “theory” – it has more to do with design, i.e. the “soft” parts of programming languages.

                                                                It doesn’t really make sense to say Knuth lacks “PLT” expertise. First, he invented a lot of the theory we use in practice, like LR parsing.

                                                                As another example, he also showed up in the LLVM source code for a minimum spanning tree algorithm:

                                                                https://www.reddit.com/r/ProgrammingLanguages/comments/b22tw6/papers_and_algorithms_in_llvms_source_code/

                                                                And: this might be a nitpick, but I’ve heard at least one programming language researcher say that “PLT” doesn’t mean anything outside of PLT Scheme. It seems to be an “Internet” word.

                                                                So bottom line, I don’t disagree that TeX could be improved upon after several decades, but your analysis doesn’t get to the core of it. People who study theory don’t write the programming languages we use. Probably Haskell is the counterexample, but Haskell is also known for bad tooling like package management. On the other hand, Go is known for good, usable tools but not being “exciting” in terms of theory.

                                                                I don’t think you need a Ph.D. anymore to write TeX. When Knuth wrote it, that may have been true, but the knowledge has been disseminated since then.

                                                                1. 6

                                                                  PLT is the initialism for Programming Language Theory. PLT Scheme got its name because it came out of the Rice PLT research group. PLT is simply the field of exploring the abstractions we use to program (and creating the theoretical tools to reason about those abstractions). While we very rarely directly use systems created by researchers (Haskell being a notable exception), the abstractions they develop absolutely shape the development of the programming languages we do use.

                                                                  I’m not arguing that you need a Ph.D. to write TeX. I’m claiming that the task of developing the right abstractions for a typesetting programming language have largely been ignored by the group of people who study abstractions and programming languages (PLT researchers!).


                                                                  Addenda: There’s a very distinct flair common to Knuth’s programming projects. His language design is primary influenced by the details of the machine which they program and the algorithmics of executing them. For instance, the reason TeX documents may require multiple rounds of computation before they’re “done” is because Knuth baked the requirement that a TeX compiler be single-pass into TeX’s execution model. Conversely, Knuth wasn’t at all concerned about statically reasoning about TeX programs, as evidence by the fact that merely parsing TeX is itself turing complete. (And TeX’s development happened during a really exciting period for PLT research: right around the discovery of Hindley-Milner type inference and hygienic macros!)

                                                                  1. 6

                                                                    Words aside, it’s silly to say that Knuth lacks expertise in “PLT”, since his work was foundational to the field.

                                                                    Secondly, I don’t buy the claim that lack of abstractions are what’s wrong with TeX – at least without some examples / justification. Like anything that’s 30 years old, I think you could simply take the knowledge we have today and make a nicer version (assuming you have 5-10 years free :-/ ).

                                                                    TeX is constrained by compatibility and a large user base, which I imagine explains most of its warts – much like Unix shell, and Unix in general. And there’s also the problem that it’s a huge amount of work that you won’t likely won’t get paid for.

                                                                  2. 0

                                                                    LR parsing is completely irrelevant to what PLT research is about.

                                                                  3. 2

                                                                    You should have a look at scribble.

                                                                    1. 1

                                                                      Also SILE, which takes the good parts of TeX, rips them out with no remorse, and glues together using Lua for ease of hacking. One important con is it doesn’t have math typesetting yet… which is, fittingly to the theme of the thread, why I tried to add the support ;)

                                                                  4. 2

                                                                    I’ve always thought of open sourcing Keygen. But I’m trying to grow it into a viable business, and I don’t think that would be wise at the moment. However, I do think open source tooling for things like this are incredibly valuable. (Disclosure: I’m the founder of Keygen.)

                                                                    1. 3

                                                                      But I’m trying to grow it into a viable business, and I don’t think that would be wise at the moment.

                                                                      I can’t help but be curious about the magic sauce (and run my own—despite not even selling any software), but oh well. Maybe someday.

                                                                      Open sourcing seems unwise to me, too. Small-scale deployments would just grab the open source edition and run with it. Plus I don’t think it’s entirely unrealistic to expect the big cloud providers to take it and make it theirs.

                                                                      (Possibly there’s a market for obfuscation that you could also work with, but requires very high expertise in very low level development on multiple platforms; Denuvo had decent success there until they didn’t.)

                                                                      While I have your attention, maybe you’ll find these points interesting which I would be doing differently:

                                                                      • Likely a simple pure binary protocol (possibly with a much more lightweight cryptographical protocol than TLS) for the endpoints that clients require. That might be easier to handle in C/embedded platforms.
                                                                      • Possibly drop the notion of a “user” and leave that to the API consumers’ discretion entirely. People need to stop rolling more authentication schemes out.
                                                                      • Built-in license key checksum. I know your license schemes allow for extension with cryptography, but a minor amount of typo correction before making a possibly expensive network request could be helpful, depending on how things are set up.
                                                                      • Elliptic curves (Ed25519 or P-521, specifically) as alternatives or possibly only signing option. Outright drop any padding scheme for RSA that isn’t PSS.
                                                                      • Always sign and encrypt everything on top of TLS so that TLS isn’t your only line of defense against a cracker.
                                                                      • Possibly considering encrypted certificates (X.509 or something of your own) as bundled information about a license. This could save some database lookups based on license ID, allow a “stateless” CDN for delivery—it only has to verify the certificate’s signature and its expiry time. They could also optionally embed (wrapped) encryption keys to wrap contents in, alleviating the catch-22 mentioned in the dist documentation: You could have regular licenses for a stub application that is used to make a request for a certificate and download the real application with the encryption key contained therein.
                                                                      • SHA256 or higher for any sort of file checksum.
                                                                      • Expose a “simple” API that skips the notion of policy, which is instead managed on the backend server. This can be useful for very small deployments.
                                                                      • Flexible elevated access tokens (deleting a product is such a dissimilarly dangerous operation in comparison to creating one or even just issuing new licneses).
                                                                      1. 2

                                                                        Thanks for the great feedback! I’m actually working on a lot of those, especially introducing ECC into the stack and calculating better file checksums (I’m essentially proxying S3 at the moment, which uses MD5 checksums, much to my dismay). And FWIW, user management is an optional feature of the API, so if it’s not needed, one can simply create user-less licenses and be done with it. Better access token privileges has also been on my list since day 1 — just haven’t gotten around to that one yet. But hopefully soon.

                                                                  1. 2

                                                                    As you can see using Emoji solves the classical naming problem you have when programming: waste no more time on “Should I call the table User or Users?”, just use 👤.

                                                                    👤 or 👤s?

                                                                    1. 15

                                                                      👤 or 👤s?

                                                                      Do you mean 👤 or 👥? ;)

                                                                      1. 2

                                                                        The former is the name of your object, the latter is the name of your database table.

                                                                        1. 2

                                                                          Only if you think in objects. If you think in terms of relations (as in, relational algebra), calling it the “user” relation makes sense.

                                                                    1. 7

                                                                      Good read. Anyone knows what competitor he is talking about and where Graydon Hoare worked in 2005?

                                                                      1. 12
                                                                        1. 8

                                                                          Yep. To expand on that:

                                                                          • The technology Brian Cantrill was working on at Sun was DTrace (for Solaris).
                                                                          • SystemTap was a Linux alternative, developed in part by Red Hat where Graydon Hoare was working.
                                                                          • When Oracle bought Sun they started porting DTrace to Linux, but that happened years later.
                                                                      1. 3

                                                                        Further recommendations from past offerings of @shriram’s Programming Language Theory course:

                                                                        I’ve personally referenced both Design Concepts in Programming Languages and TAPL quite a bit. Redex is a really fantastic tool for experimenting with executable operational reduction semantics.

                                                                        1. 1

                                                                          “Design Concepts” could be a bit heavy for a first course in PLT. I’d look at it after you get into the material a bit further. It seems like a decent book, though. I have to sit down and get through it some time.

                                                                        1. 2

                                                                          For me, the space-in-filenames issue is the main thing preventing me from using Make for everything. The limitations on pattern rules make scaling up Makefiles difficult, too.

                                                                          I’ve long thought that a prolog-like DSL would be perfect; makefiles are basically already logical specifications—I just needed something that worked with spaces and could perform some sort of unification-like process for smarter pattern rules. I nearly started writing my own.

                                                                          But then I discovered that someone already created such a tool: biomake. I’ve recently started using biomake to automate a large data science research project. It has been absolute bliss! Not only does it those two pain-points with using Make (and countless other pain-points), it features GridEngine integration out-of-the-box, and fantastic debugging information for when things don’t work as expected. I cannot see myself using any other tool.

                                                                            1. 7

                                                                              This made me full of blood rage when I happened upon it a few months ago. I just want to have some well-named markdown files be automatically converted to HTML and also concatenated, converted to HTML, and that HTML converted to PDF. All with good-looking file names with spaces in them. Like how normal people named files.

                                                                            1. 2

                                                                              Do you use Rust as your daily driver for your work/hobby stuff?

                                                                              For work, I now mostly write Pyret. I typically implement my side projects in either Rust or Racket, though! I have a strong preference towards data-oriented languages. The languages I use most (Pyret, Rust, Racket, Bash, MLs) all favor a data-oriented style of programming, so how I choose a language for a project tends to depend on the ‘shape’ of the data I’m working with.

                                                                              What language features do you leverage from Rust, and how do they make those projects easier?

                                                                              I reach for Rust when I need performance, sophisticated types (traits!), and well-defined structured data (ADTs!). It’s a thrill writing code at a high-level of abstraction and being confident that it will be performant. Cargo makes the entire ecosystem a joy to interact with and contribute to.

                                                                              Why aren’t you using your non-Rust languages for that project?

                                                                              There are a handful of projects for which I haven’t reached for Rust. Racket, though not tremendously performant, is tremendously expressive! When your data look like s-expressions, Racket is usually the best choice. I used Racket extensively for my encyclopedia remix project Liber Brunoniana, which involved processing lots of HTML.

                                                                              What could Rust do to make your life easier?

                                                                              I would love to use Rust for programming embedded devices, like Arduinos, and targeting browsers via WebAssembly.

                                                                              1. 5

                                                                                Hi, Pyret developer here (I hack on error messages)! If anyone has any questions, I’ll do my best to answer or grab someone who can!

                                                                                1. 4

                                                                                  A couple questions, about the check and where blocks:

                                                                                  1. Do you know if they’re consciously inspired by the Design by Contract ideas from Eiffel (and other languages)?
                                                                                  2. The front page says “These assertions are checked dynamically” – are those conditions checked at compile time, first execution of each function, only during a separate testing run, or what?
                                                                                  1. 2

                                                                                    check, where and examples blocks all exist to support the ‘examples’ and ‘testing’ phases of How to Design Program’s functional design recipe. The placeholder expression syntax (...) and doc blocks are other features that Pyret has to encourage the design recipe.

                                                                                    Testing statements are executed in the order they appear in the program alongside other top-level expressions. If you run:

                                                                                    print(1)
                                                                                    
                                                                                    check:
                                                                                      print(2)
                                                                                    end
                                                                                    
                                                                                    print(3)
                                                                                    

                                                                                    The result is that 1, 2, and 3 are printed (in that order).

                                                                                    1. 1

                                                                                      Interesting. For the where expressions on function definition: are those executed when the function definition is first encountered, or when the function itself is first executed?

                                                                                      1. 2

                                                                                        At the point when the definitions are “encountered” is a good way to think about it. So, the former.

                                                                                1. 5

                                                                                  Warning: live streams require flash.

                                                                                  1. 3

                                                                                    I adore the simplicity of make as a declarative build tool, but for a build system whose operative principle is a close correspondence with the filesystem, the placement of additional, subtle restrictions on valid filenames are ridiculous. I’d happily trade away most of make’s features for a core that didn’t choke on spaces.

                                                                                    (If anybody knows of such an alternative, please share!)

                                                                                    1. 2

                                                                                      I think it’s pretty common on UNIX platforms to avoid spaces where possible. Finding spaces in filenames is peculiar, and generally not a good sign.

                                                                                    1. 2

                                                                                      Internet: 192.91.235.243 Toponymic: Providence, Rhode Island