1. 24

    Lobsters needs a whole “I didn’t read and misunderstood GDPR” tag. There’s just every week another article like this. People thinking they can be clever and circumvent laws with technology, just like some of the bitcoin fans believing they can avoid taxation.

    kornel already said everything that’s to be said on this topic.

    1. 9

      This is also an issue with some people insisting you need to ask consent for any and all data you collect, which isn’t actually the case; the GDPR is more nuanced than that and has a list of items under which it considers data processing to be lawful, consent being just one of them. @kornel’s comment (“If you’re collecting non-essential information, you need consent”) is somewhat lacking in nuance in that regard.

      Whether that’s a good or bad thing is up for grabs, but it’s certainly not as simple as often claimed.

      1. 6

        Wat? Did you read the article? Your fears are addressed in the 3rd paragraph. It’s even above the fold.

        A few quick opening remarks: The whole point of this piece is to spark discussion and awareness in the industry and among users. Personally, I would never advocate for employing these tracking practices and I am glad to be working for an analytics vendor, that has always put privacy, transparency, and integrity first. Besides, from a legal perspective, this technique does not circumvent the GDPR or similar privacy laws. Just because ETags are technically not cookies, does not mean they are not covered within such guidelines and require no user consent.

        Emphasis, mine.

        1. 9

          I am pretty sure that sentence wasn’t there when I read that article.

          1. 1

            Correct. You can see an older version in Google’s cache: https://webcache.googleusercontent.com/search?q=cache:https%3A%2F%2Flevelup.gitconnected.com%2Fno-cookies-no-problem-using-etags-for-user-tracking-3e745544176b

            The third para was simply:

            One quick opening remark: The whole point of this piece is to spark discussion and awareness in the industry and among users. Personally, I would never advocate for employing these tracking practices and I am glad to be working for an analytics vendor, that has always put privacy, transparency, and integrity first.
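Added example, not code from the article or from any commenter: a self-contained simulation of the technique the article describes, showing why "ETags are technically not cookies" does not make them harmless. The server, the browser-cache model, the pixel URL `https://tracker.example/pixel.gif` and the visit sequences are all constructed here. A server hands each first-time visitor an opaque random token in the `ETag` header of a long-cacheable resource; the browser echoes that token back in `If-None-Match` on every revalidation, so the server can count repeat visits with no cookie involved. The last two runs show the practical check: clearing the cache, or a client that drops `If-None-Match` for such resources, cuts the link.

```python
import secrets


class EtagTrackingServer:
    """Constructed model of a server that abuses the ETag header as a visitor ID.

    Instead of a content hash, the ETag is a random per-visitor token. A
    conditional request carrying that token in If-None-Match is answered with
    304 Not Modified, which keeps the token alive in the browser cache and
    lets the server count the visit without setting any cookie.
    """

    def __init__(self):
        self.visits = {}  # token -> number of requests seen with that token

    def handle(self, request_headers):
        """Return (status, response_headers, body) for one request."""
        token = request_headers.get("If-None-Match", "").strip('"')
        if token and token in self.visits:
            self.visits[token] += 1
            # 304 repeats the same ETag so the cached entry (and token) persists.
            return 304, {"ETag": f'"{token}"'}, b""
        token = secrets.token_hex(16)  # opaque; not derived from the content
        self.visits[token] = 1
        headers = {
            "ETag": f'"{token}"',
            # Long private caching keeps the token in the browser for a year.
            "Cache-Control": "private, max-age=31536000",
        }
        return 200, headers, b"GIF89a"  # stand-in for a 1x1 tracking pixel


class BrowserCache:
    """Minimal cache model: remembers the ETag per URL and revalidates with it."""

    def __init__(self, send_if_none_match=True):
        self.etags = {}
        self.send_if_none_match = send_if_none_match

    def fetch(self, url, server):
        headers = {}
        if self.send_if_none_match and url in self.etags:
            headers["If-None-Match"] = self.etags[url]
        status, response_headers, _body = server.handle(headers)
        if "ETag" in response_headers:
            self.etags[url] = response_headers["ETag"]
        return status

    def clear(self):
        self.etags.clear()


def simulate(visits, clear_after=None, send_if_none_match=True):
    """Run `visits` fetches of one pixel URL and report what the server learned.

    Returns (statuses, distinct_visitors_seen). `clear_after` is the index of
    the visit after which the browser cache is wiped (constructed scenario).
    """
    server = EtagTrackingServer()
    browser = BrowserCache(send_if_none_match)
    statuses = []
    for i in range(visits):
        statuses.append(browser.fetch("https://tracker.example/pixel.gif", server))
        if clear_after is not None and i == clear_after:
            browser.clear()
    return statuses, len(server.visits)


if __name__ == "__main__":
    # Same browser, no cookies: one real response, then 304s; one identity seen.
    print(simulate(3))                            # ([200, 304, 304], 1)
    # Cache cleared after the first visit: the link is cut, two identities seen.
    print(simulate(3, clear_after=0))             # ([200, 200, 304], 2)
    # Client that never sends If-None-Match: every visit looks like a new visitor.
    print(simulate(3, send_if_none_match=False))  # ([200, 200, 200], 3)
```

The `Cache-Control: private, max-age=31536000` line is what makes the identifier long-lived; a real content ETag would change whenever the resource changed, whereas this one changes only when the browser forgets it, which is exactly the property a cookie provides and the reason such a token falls under the same consent rules.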

      1. 14

        While suckless as a way to build software is definitely interesting (and a lot of the benefits of suckless come from disregarding edge cases, internationalization and accessibility), I’d argue that suckless as a project is something one should handle really carefully.

        They’re doing literal torch hikes through southern Germany at their conferences, fighting online against “cultural marxism”, and their mail server has the hostname “Wolfsschanze” (see: https://twitter.com/pid_eins/status/1113738766471057408)

        I recommend reading this thread (with a suckless.org developer with enabled hat speaking officially) and looking at this photo from one of their conferences.

        1. 19

          The topic pops up here and there, and one should always consider that Lennart Poettering used this bait to easily escape from a discussion about his software that I personally think should take place. Suckless is not directly a coherent group and more of a group of like-minded individuals, so I’m careful to speak “for” the project even though I’m first chair of the legal entity suckless.org e.V..

          What I can say is that we are probably one of the very very few software projects left that do not politicize. We have members from all political spectrums, but make it work, because we only discuss software and nothing else. Those disagreeing with us or unaccustomed to non-political software projects try to put us into a corner, but it makes no sense when it is used to disregard the suckless philosophy itself, which is non-political.

          Torch hikes are nothing unusual in Germany and there was no political intent behind it. Though I do understand now that it might send a different message worldwide, I expect more cultural sensibility from every observer before “calling us out” for allegedly re-enacting nazism or celebrating a Charlottesville march, which is a ridiculous assessment.

          1. 23

            One should always consider that Lennart Poettering used this bait to easily escape from a discussion about his software that I personally think should take place.

            Perhaps, but I don’t think calling out getting emails from a wolfsschanze host is that unreasonable to be honest; as I mentioned in my other post I’m not going to attach far-fetched conclusions to it but I do find it in pretty bad taste. At any rate, to ask it plainly, what’s the deal with that?

            1. 3

              There is no such thing as “non-political”, because we live in a society with power imbalances. Therefore not taking an explicit political stance, translates to implicitly supporting the status quo, whatever that status quo is in a given society at a given time. You’ll find that people in underrepresented demographics will largely avoid your project as a result, regardless of the political views among members of your project.

              If supporting the status quo is what you intend to do, then that is one thing. But please stop presenting it as “non-political”, because that is simply not the reality of it. It only looks non-political if you yourself are in a position where the status quo benefits you. Which I am also - so this is not a personal accusation, to be clear. But it is something you need to be aware of.

              1. 17

                not taking an explicit political stance, translates to implicitly supporting the status quo

                No no no, I cannot agree with that. Let’s take an example. I’m working on a crypto library, that on many aspects is very close to the Suckless ideals: it’s in C, it’s small, it’s easy to integrate into other projects… One of the motivations for it was to fight unnecessary complexity. A fairly political goal if you ask me: if software becomes as simple as I think it can (and should) be, the changes could be felt throughout the global economy itself.

                My project also has an implicit endorsement of the status quo: it is written in English, and I have no intention to translate the documentation, or even the web site to other languages. Not even French, my native language. Sorry, you need to learn English to use my project. That’s kind of an implicit endorsement of US hegemony. Not that I’m very happy about that, but not fighting that fight does make me reinforce the ubiquity of the English language.

                But there’s no way my project can have a stance on everything. Its stance on many many subjects is really neutral. It does not fight nor reinforce the status quo. Veganism? Patriarchy? White supremacy? I hardly have a community to speak of, there’s just not enough people to warrant something like a code of conduct. That does not mean my project implicitly rejects vegan transgender black women. In fact, I do hope they’ll feel as welcome as anyone else. And right now, I believe being nice to whoever contacts me is enough.

                1. 8

                  I couldn’t have put it better, thanks for sharing your thoughts. I always like to consider the example of Chemistry: In the 19th and 20th century, German scientists were leading in chemistry and most papers were published in German. Chemistry students were more or less forced to learn German to understand these papers, and German became the lingua franca of Chemistry, which has changed to English though.

                  In computer science, English is the lingua franca. I don’t think it’s exclusionary to only offer software documentation and code comments in English.

                2. 7

                  That is a good point and I understand what you mean with that. For our conferences, we actually offer those who are unable to attend due to financial reasons to pay their travel expenses and accommodation for them, which was greatly appreciated especially by younger programmers who often don’t have the means to fund such a trip.

                  Apart from income differences, which might be a deciding factor in being unable to attend a conference and meet like-minded people, I see no other factors that might hinder someone from joining us. You basically only need an internet connection and a computer. The computer doesn’t even need to be that fast, unlike if you, for instance, intended to work with deep learning software.

                  And if you still criticize the conferences for being exclusionary in some way: Most communication takes place on a mailing list and IRC, many people use pseudonyms. Factors like race, country of residence, gender are thus irrelevant and even non-determinable, if you choose to, and the development on mailing lists and IRC is the main way development happens and there’s no need to do anything else to partake or make submissions.

                  So, again, I know what you mean, but suckless is not an example of a project supported by the status quo. Most people disregard suckless as too extreme in terms of software philosophy and conclude that we would also be extreme in other areas of life, but suckless, for me, is software zen, and everyone is welcome to adopt this philosophy.

                  1. 5

                    Factors like race, country of residence, gender are thus irrelevant and even non-determinable, if you choose to, and the development on mailing lists and IRC is the main way development happens and there’s no need to do anything else to partake or make submissions.

                    This is a common point of view among those in privileged demographics. However, it is also a misunderstanding of how underrepresented people in demographics actually choose where to hang around and contribute, and why.

                    Imagine for a moment that you are someone in a demographic who’s frequently a target of harassment. The exact demographic doesn’t matter much - maybe you’re black, or you’re a woman, or you’re transsexual, or whatever else. But for the sake of the example, imagine that you are a woman.

                    Now, there are two different communities for you to choose from:

                    1. A community that says “we don’t police members’ politics, this is purely a tech project”.
                    2. A community that says “we actively welcome women”.

                    Where are you going to feel safer? In the second community - because there, it’s clear that if someone finds out you’re a woman, them harassing you over it isn’t going to be tolerated and the harasser is going to be thrown out.

                    In the first community, you just kind of have to stay quiet about your identity, have everyone assume that you’re a guy, and hope that no-one finds out the truth. If they do - maybe there’s some persistent stalker following you around and posting about you in every community you join - you can basically predict ahead of time that harassment and other discriminatory behaviour is not going to be acted upon, because “people’s own politics are not policed”.

                    In a way, there are parallels here to how gay people are “tolerated” in many countries. It’s “fine so long as you don’t bother me with it”, which effectively means that you cannot speak about it publicly or have a public relationship with someone of the same sex, because then the cover falls away and you are no longer “okay”, because your identity can no longer be ignored. Harassment (and often violence) promptly follows.

                    “Don’t ask, don’t tell” policies like this don’t make for healthy, diverse environments. They make for environments in which the status quo is preserved, and where the only way to be vaguely safe as a minority is to never tell anyone that you don’t fit into that status quo. This is not inclusive, and it absolutely does support the status quo. Those who fall outside of it will silently move on to healthier communities.

                    I would like it if “who you are doesn’t matter, it’s about the project” were the reality, I really would. But that just isn’t how things work by default in a society with power imbalances, and the only way to get there is by actively enforcing it - and that means taking a political stance, one that disavows discriminatory behaviour and harassment.

                    1. 12

                      Now, there are two different communities for you to choose from:

                      1. A community that says “we don’t police members’ politics, this is purely a tech project”.
                      2. A community that says “we actively welcome women”.

                      Where are you going to feel safer?

                      I don’t know how the suckless community is, but I am convinced that, if I had a dime for every company, group or project that claimed to “actively welcome women” or “promote equal opportunity for everyone” or “have a zero tolerance” towards discrimination, sexual harassment or any other one of the multitude of abhorrent behaviours that plague our industry – and then turned out to be cesspools of prejudice and discrimination, I would be so outrageously rich that even thinking about it is embarrassing.

                      (FWIW, in addition to witnessing it enough times that it’s part of why I seriously contemplated switching careers at one point, I have some first-hand experience with some of that: my most useful skill, career-wise, has been an impeccable accent. Slightly Irish-sounding (which lots of folks in the US seem to fetishize for some reason), which I developed purely by accident (I’m from nowhere near Ireland, I’ve never been there, and I am not a native English speaker) and is extremely embarrassing every time I’m talking to someone who has a real Irish accent. I certainly had it easier than my black or hispanic colleagues – most Western managers of various importance in the corporate hierarchy could immediately identify them as worthy of contempt, whereas in my case it could take weeks before they realized I’m not a white expat, just some Eastern European programmer.

                      Edit: in case anyone’s wondering – the reason why I can be so light-hearted about it is that, for better or for worse, this experience has been largely confined to the workplace, after-work drinks, conferences and the like. I got to live with it for like 40 hours a week at most, and never really got a taste of it before well into adulthood. I always had alternatives and always had refuge – I could always put up with it on my own terms, which most people can’t)

                      Coming from a culture whose closet is not devoid of skeletons in this department, either, I certainly agree that the mere act of not discussing race, or gender, or ethnicity is in itself a privilege that not everyone has. And that it’s up to every one of us to actively fight discrimination, and to make the world safer and more inclusive for those whose voices are silenced by intolerance. But I don’t think it’s reasonable to ask people to integrate that in every single thing they do. Even activists don’t fight the good fight 24/7, I don’t think it’s unreasonable that some people choose to do it only to a limited extent, or in a possibly misguided way, as part of their hobby project.

                      1. 9

                        I might’ve been a bit unclear. A don’t-ask-don’t-tell approach can be taken by members, if they prefer (many communities don’t provide that luxury and e.g. require clear-name-contributions), but doesn’t have to be. We just don’t care about genders or other aspects other than your coding skills. I see that you have a different opinion on this, which is cool, but the suckless philosophy does not extend beyond software aspects and I personally (not speaking for the group) don’t see a reason to extend that.

                        1. 5

                          1. A community that says “we don’t police members’ politics, this is purely a tech project”.
                          2. A community that says “we actively welcome women”.

                          The two may not be mutually exclusive. Although there’s certainly a huge overlap, there’s a difference between advocating the revocation of women’s right to vote, and actually harassing women in a particular group, be it an open source project or a chess club.

                          A president of a chess club, or a maintainer of an open source project, can hardly be expected to be aware of the political views of the members, no matter how extreme. He could pry, but that would be uncomfortable for many people, and ultimately exclusionary. We could do it anyway, and define the range of acceptable political opinions, and exclude the outliers. We could exclude traditionalists, or we could exclude gay marriage supporters. We could exclude white supremacists, or we could exclude black panthers sympathisers.

                          In my opinion this would be neither ideal nor possible. As long as people stay courteous and focus on working towards whatever common goal the group has, we could actually have, say, gay and homophobic people working together. So we probably want to define a range of acceptable behaviours instead. For instance, revealing your sexual preferences is generally acceptable (unless maybe you’re too loud about this), and revealing your contempt for people who don’t share that preference is generally not.

                          That’s what codes of conduct ultimately do: they don’t talk about the politics one might have outside of the group, they define a range of acceptable behaviours within the group. Yes, that range will tend to filter out people with some particular political opinions. Few white supremacists will follow a black maintainer. But I would think real hard before I make that filter explicit.

                          I’ve seen it done, and it’s not pretty. I’ve heard of someone being disinvited from some conference because of their political beliefs, even though they (allegedly) never let them seep through or ever behaved inappropriately. I have also heard of someone being fired over their sexual practices (at the behest of SJW, ironically). And at the same time, some people who seem to engage in genuinely harmful behaviour (such as straight up sexual harassment) are not excluded. My suspicion? Enforcement goes after the easy targets, instead of going after the important ones.

                          1. -5

                            we could actually have, say, gay and homophobic people working together.

                            Honestly, this free speech absolutism is whack and that’s why I’m out.

                            You don’t know what the fuck you’re allowing. I do - you’re allowing someone who literally spreads hate to walk into work, meekly get some shit done, then go home to post on the internet how trans people are all pedophiles and should be killed.

                            Fact is, you can’t divorce your life from politics because where many of us stand, all minorities, live under the continuous threat that we’ll be murdered, denied service, beaten and reviled all because some free speech absolutist like you envisions a future where racists and their victims can work side by side.

                            My community just had their 12th death. Death because people like you continually give deference to allow our killers to bask in their hate speech until one of them spots us and brutally kills us.

                            You enable this. I’m so happy (not) to be the sacrificial lamb for your perverse ideology.

                            1. 2

                              we could actually have, say, gay and homophobic people working together.

                              Honestly, this free speech absolutism is whack and that’s why I’m out.

                              Who said anything about free speech? I never said hate speech should be allowed. Actually, I do believe free speech should have limits (though I’m not sure exactly what those should be), and people who cross those limits should be punished.

                              The question is who should punish them, and how. Forums can (and most probably should) ban hate speech however they can. Police and Judges could intervene whenever appropriate. The worst offenders could be sent to jail.

                              Wholesale ostracism though? Exclusion from all groups, not just wherever they spread their filth? That’s a death sentence: no job, no home, no shelter. Are you prepared to follow through all the way? (Not a rhetorical question: sometimes, killing your enemy is the right thing to do. But this question is so fraught with self serving cognitive biases that one must be very careful about it.)

                              Then there are false positives. The guy who was fired over his sexuality? He practised BDSM. One way of putting it is that he liked to whip bound women. When he was outed, there was an SJW outcry about him being some twisted archetype of patriarchy that should be removed from any public position.

                              I don’t know the guy, I haven’t investigated, so I cannot presume. I’m not even certain this story is even true. But I guess this may have been a huge misunderstanding. See, done properly, BDSM is very careful about safe words, physical and psychological safety… everyone is supposed to enjoy this, including (perhaps even primarily) the bound and gagged “victim”. Being a good dom typically requires empathy and respect for their sub. Pretty far from the simplistic image of the misogynistic man taking pleasure from the suffering of women.


                              Going back to gays and homophobic people working together, that probably requires that they are mutually unaware of their position. It’s when they do become aware of their position that we have a problem, and the group may have to make a choice. My first step would be something like “you don’t like them being gay? deal with it or get the fuck out”. If it’s just gay people being uncomfortable, we may need to know why. If it’s because the other dude displayed a homophobic attitude within the group, that’s pretty obvious grounds for exclusion. If it’s because gay people learned of his views outside the group, this is more delicate, and I honestly have no right answer.

                              The problem is made even harder because actual bullying, embarrassment, and other inappropriate behaviour within a group, are often hard to see for anyone but the victim. Hence the temptation to rely on more visible, but less reliable, external signs.

                              For instance, let’s imagine: religious people and atheists working together in the same group. One atheist has written on their blog about how religion is stupid, unfounded, and how religious people are either critically misinformed, or just plain delude themselves. Oh and by the way if there is a God, its morals are highly questionable at best. So there we go: no personal insult, but a harsh criticism and a good dose of blasphemy.

                              Should we exclude this atheist from a chess club because some religious people in that club feel uncomfortable being next to someone who has written a blasphemous pamphlet? Should we exclude the religious people from the club because wearing a cross, a star, or a scarf makes the atheist uncomfortable? Depending on who you ask, you’ll have very different answers.

                      2. 4

                        On the other hand, I don’t think it’s realistic to expect every project to look in depth at difficult social problems and form some sort of consensus on how to best deal with it.

                        You’ll find that people in underrepresented demographics will largely avoid your project as a result

                        Why would that be the case?

                        1. -4

                          On the other hand, I don’t think it’s realistic to expect every project to look in depth at difficult social problems and form some sort of consensus on how to best deal with it.

                          I think that’s entirely reasonable. This is pretty much the basis of community management in general. It doesn’t even need to be done by the core developers, but someone in the community needs to do it, if you want a healthy community.

                          Why would that be the case?

                          Because they know that their safety is not assured in communities that refuse to take an active stance against bigotry of various kinds. I’ve gone into more detail about this in this other subthread.

                          1. 4

                            Because they know that their safety is not assured in communities that refuse to take an active stance against bigotry of various kinds.

                            But there is a difference between belief and action. If someone is actually doing something bad within the project then obviously that’s an issue. If someone just believes something you disagree with (whether you label it bigoted or not) then refusing to work with them in a non-political atmosphere just makes you seem like a bit of a dick, IMO.

                        2. -4

                          There’s no such thing as “non-political” software projects because any political actor can decide that the way your software project runs things is bad and should be made to change. And if you resist this, you find yourself in a political conflict, even if you didn’t want to be.

                          1. 1

                            Why would you care what a political actor thinks about your free software project? Do you mean an actual national politician? Why would they be concerned with a free software project?

                            1. 1

                              No, anyone trying to argue that a software project should change their practices for political reasons is a political actor with respect to software, not just national politicians. Tech industry activists are political actors. joepie91 in this thread is a political actor. I’m a political actor too, for trying to prevent other political actors from carrying out their will.

                        3. -1

                          What are you doing to keep this kind of toxic behaviour from forming inside of the suckless communities you participate in?

                          You have not denied that these people exist in your community. How are they not a problem for you?

                          1. 3

                            Calling people toxic, I think, is the wrong approach. What matters is how people behave in the context of the community. I couldn’t care less about their private political/social/other endeavours as long as it doesn’t affect their actions within the community.

                            I don’t know why there is such a push to politicize software projects, from the inside and outside. It may make something look more homogeneous on the outside, but I believe it mostly creates social stress and shifts the focus to issues that shouldn’t be a problem in the first place. But this is just my opinion, and I don’t think there’s a true or false answer to that. It heavily depends on your Weltanschauung.

                            1. 1

                              I’m sorry, my first approach was a bit antagonistic and too political because I tried to keep my questions short.

                              People sometimes express their political ideologies in behavioural ways, which might cause exclusion and secularity in the communities that they take part in. I haven’t been much in contact with the suckless community, although I have used and I respect the software and the philosophy, but I have seen communities suffer this. I have no prejudice, but toxic (extreme, hateful) ideologies do lead to toxic behaviour, especially in like-minded groups where it can be cultured. This is why people feel the need to keep them from spreading to their own group.

                              Have you noticed any exclusive or secular behaviour in the suckless communities that you take part in? If yes, what have you been doing to counter it?

                              1. 2

                                Have you noticed any exclusive or secular behaviour in the suckless communities that you take part in? If yes, what have you been doing to counter it?

                                No, I’ve never seen such secular behaviour like that. The conferences we organize have always been very harmonious and there was never such a push or even a culturation. Thanks though for elaborating what you meant, and I have to say that I’ve seen this problem occurring within other communities. I am and will be very careful that this won’t happen within our community.

                        4. 20

                          I was subscribed to the suckless mailing list for a long time (though no longer, simply out of disinterest), and never had the impression I was dealing with a group of extremists (other than a rather extreme take on software). I don’t recall any political discussion off-hand, and would certainly have unsubscribed if people started ranting about “cultural Marxism” and the like.

                          I read the Lobsters thread you linked and there are many things I personally don’t agree with, but I also find it’s a lot more nuanced than what you’re suggesting (specifically, there was a lot of confusion what was even intended with “Cultural Marxism”). I saw that on HN you (or someone else?) linked to an old tweet of yours that screenshotted just the initial “Cultural Marxism” mention of FRIGN, and I think that’s unfairly out of context. That’s not a defence of the contents of his posts, only a defence of treating people fairly and with kindness.

                          I find putting the picture of the torches next to literal Nazis and the “Unite the Right” rally incredibly tasteless and offensive. Note the suckless event happened before the Charlottesville march (not that it really matters). [edit: incorrect, see follow-up]. I’ve done torch hikes – they’re actually used to celebrate the end of Nazi occupation in my home town every year and I participated regularly. I’ve also done them with scouts just for the fun of it. Maybe some day someone will dig up a picture of that too and put it next to a bunch of Nazis to prove a point… I’m very disappointed anyone would try to make a point like that, here or elsewhere. This part of your post in particular is really bad in many ways IMHO; it’s really not acceptable to just sling around grave insinuations like that based on a friggin’ contextless photo of what is almost certainly just a harmless social event.

                          The mail server belongs to an individual (@FRIGN here). I agree it’s in very bad taste, offensive, and that Poettering was completely right in calling that out, but it’s hardly proof that “they’re a bunch of Nazis”. I find the jump from “edgy hostname” to “literal neo-Nazis” a bit of a leap.


                          I doubted for a long time if I should post this reply as it has the potential to spark a long heated discussion, but I find public casual comparisons to Nazis in particular serious enough to warrant something of a rebuttal.

                          1. 6

                            Note the suckless event happened before the Charlottesville march (not that it really matters).

                            I just want to comment on this one factual point, according to the suckless website this event happened in September 2017, just a couple of weeks after Charlottesville.

                            https://suckless.org/conferences/2017/

                            I do think the proximity in time to the Unite the Right rally is important, especially given the insistence that they were just enacting a German cultural practice.

                            1. 6

                              Oops, I checked the website and I misread that date as being on “2017-01-03”, instead of “2017-09-(01-03)”. How silly 😅🤦‍♂️

                              I’m not sure it matters all that much though; it still seems incredibly tenuous at best. This happened on the other side of the world and I’m not sure if the entire world should tip-toe around sensitive topics in the United States. Were these people even aware of Charlottesville? And to what degree? Me, personally, I mostly stopped following US news since the 2016 election as I find it emotionally draining and serving little purpose as it’s not in my power to do something about anyway.

                              Either way, I’d sure like to see some more evidence exactly because I take it seriously: you just don’t go around insinuating such serious things about people with such slim “surely it can’t be coincidence…” type of stuff.

                              1. 30

                                I was at the torch hike and hadn’t even heard of the Charlottesville marches then. When I heard the accusation that we in some way celebrated it, which would make no sense in the context of a software conference, I first had to look up what they were.

                                The thing is, Americans tend to overestimate the importance of domestic events like the Charlottesville marches and think that nothing happens in the whole world and, e.g., we Germans are just sitting at home and waiting for something to happen in the USA to witness it.

                                The truth, and I think everyone would agree that this also makes much more sense, is that torch hikes are perfectly normal in Germany. I have an understanding for this cultural misunderstanding, and I’ve been guilty of those, as well, but it doesn’t help when one continues to spread this nonsense that this torch hike was some political event every time suckless is discussed here.

                                To give an example for how normal torch hikes in Germany are, there is a so-called Sommertagszug in the Kurpfalz which also involves torch hikes at night. They are also offered by tourist organizations, e.g. Breitbach Klamm.

                                1. 8

                                  What’s with the mail server host name though? Do you think that’s fine?

                                  1. 2

                                    It bothers me that he is actively ignoring this question and by saying nothing, he is saying enough.

                                  2. 2

                                    As an American, thanks for sharing your perspective. It makes me wonder if the Internet, and particularly social media, make it too easy to carelessly make connections between things that should remain disconnected. Maybe Facebook’s stated mission of making the world more connected (whether or not that’s their real mission) isn’t a totally good thing.

                                    1. 5

                                      It definitely comes at a cost. Still, as I could see from my own experience, after a few years one gets more careful with culture-relative judgements. There are still many things Americans do that I don’t quite understand or find interesting.

                                      To give an example, I found out a few years ago that the German “mhm” (i.e. the expression to acknowledge you are listening to someone while he speaks) is often interpreted by Americans as a “huh?”. You could imagine how much confusion that caused.

                                      Cultural differences are valuable, though, and I would not want to miss them, even if they become troublesome. I can imagine an American coming to Germany to experience a torch hike and liking it.

                                      1. 0

                                        To give an example, I found out a few years ago that the German “mhm” (i.e. the expression to acknowledge you are listening to someone while he speaks) is often interpreted by Americans as a “huh?”. You could imagine how much confusion that caused.

                                        I have never in my life seen or heard “mhm” interpreted as “huh?”, and while I’m just one American and this is anecdotal I’ve lived in three fairly distinct regions of the USA.

                                        1. -1

                                          German “mhm” is very distinctly different to American “mhm”. I wouldn’t know how to describe it in words, though.

                                          1. 0

                                            Is it very distinct from the British “mhm”?

                                    2. 1

                                      Going on a torchlit hike at night sounds fun to me in the abstract, and also like the sort of activity that could hardly be unique to any one place, time, or culture. For ages before the invention of electric flashlights, how else were human beings supposed to light their way when walking around at night, wherever in the world they happened to be? I was unaware that some people associated the practice of going on torchlit hikes with specifically the NSDAP (or maybe just going on a torchlit hike while being an ethnic German??) until I saw people mentioning it in the context of suckless. Even if it’s true that the historical Nazis practiced torchlit hikes (which I assume is true, because I think it would be very easy for any group in human history to do so), I don’t think that confers any obligation on people alive today to refrain from it, any more so than Adolf Hitler’s famous vegetarianism confers any obligation on people today not to be vegetarians.

                                      1. 3

                                        I agree. I’m pretty well read on the topic, including having read Shirer’s “Rise and Fall of the Third Reich,” and I hadn’t heard about the association between torchlit hikes and Nazis before it was brought up in the context of suckless either. If I’m actually educated on the topic and still didn’t know about it, how could I really expect others to know about the association?

                                        Personally, a torchlit hike sounds like a blast to me. If the opportunity presented itself to me, I would absolutely participate.

                                        I agree with others in this thread that people are generally way too quick to bring up Nazi associations. I like to think I’m not naive about it either, since there are trolls and Nazis online that like to play these kinds of games. But I personally expect some pretty firm evidence before I’m willing to entertain Nazi accusations seriously. It’s a pretty serious thing to say.

                              2. 9

                                As an engineer child of social scientists, I’ve concluded that mental models like that are basically what you get when you take an engineering approach to social systems to its logical conclusion without considering people as, well, people. You end up with very efficient, streamlined, rational systems that place no value upon the people who are crushed in the process. It’s a simple, effective solution to the very complicated problem of human society, and it makes the complicated problem simple by saying “the people on the losing side don’t matter”. You can see this approach working efficiently and effectively all throughout human history, usually in the form of mass graves.

                                Everything should be made as simple as possible, but no simpler.

                                1. 3

                                  Because I can’t be sure which comment you’re replying to (AFAIK there’s no “parent” link for comments here), can you please clarify what you mean by “mental models like that”?

                                  1. 4

                                    Sorry, I was talking about mental models such as the ones described by this comment: https://lobste.rs/s/nf3xgg/i_am_leaving_llvm#c_01mpwm . Essentially “we are not going to worry about equity and equality because it is irrelevant to the problem we are actually trying to solve”. Works fine when the problem you are trying to solve is “design a machine that does a particular thing well”, but ignores lots of ugly externalities when it comes down to the social structures and organizations of the people actually doing the design. Like unfettered free-market capitalism, it sounds ideal in theory and that makes it an appealing position. But my observation has been that it works great for the people already powerful enough or lucky enough to be unaffected by those externalities, and does not actually make the world a better place for anyone else.

                                2. 3

                                  Extremes are rarely good. There should not be an aura of aggressivity around any project.

                                  1. 1

                                    They’re doing literal torch hikes through southern Germany

                                    I have no idea what holding torches might mean in this context. Could you explain, or provide links?

                                    1. 6

                                      It looks like one of those things Nazis ruin for everyone - https://www.theatlantic.com/politics/archive/2017/08/why-they-parade-by-torchlight/537459/. Whether that is intentional on the part of the suckless folks, is not clear to me.

                                      The other top hit I got when googling was a torchlit tourist hike through Partnach Gorge in Garmisch-Partenkirchen. I’ve been to that gorge (not by torchlight) and it’s pretty cool!

                                  1. 6

                                    Here’s an interesting anecdote from my work:

                                    We’re using 80-columns as limit for all code, not because of choice or history – but because we have a programmer with limited eyesight who has to have text so large, despite a 21:9 34” screen, only 80 characters fit on one line for him.

                                    Accessibility is an issue I personally never thought about before when discussing column limits, so I wanted to mention this interesting anecdote :)

                                    1. 2

                                      Wow! If I may ask, how long has he been with you guys?

                                    1. 13

                                      The RFC explicitly forbids this kind of use, only allowing the lowest identifier to be a wildcard, and only if it is not a public suffix itself.

                                      This is very surprising that browsers don’t match on this properly.

                                      1. 16

                                        While it’s a little easier for you to write “the RFC”, it would be helpful for you to mention which RFC for those of us reading.

                                        1. 3

                                          https://tools.ietf.org/html/rfc6125#section-6.4.3 says SHOULD.

                                          What are you talking about?

                                          1. 1

                                            The Certification Authority (CA)/Browser Forum baseline requirements (11.1.3) require that before issuing a wildcard certificate, Certificate Authorities ensure that such a certificate is not issued for entries in the Mozilla PSL, e.g. *.co.uk, or that the entity actually owns the entirety of the public suffix

                                            Please read all sub-threads before posting a reply :)

                                            1. 3

                                              This is a requirement for CAs, not user agents. This certificate would not be issued by a (public) CA, but it is not invalid for browsers. It is perfectly valid for private CAs to do this, e.g. so you could MITM all of your workers’ traffic.

                                          2. 2

                                            Which RFC? How is “public suffix” defined? Does it simply defer to the Public Suffix List?

                                            1. 2

                                              There are two kinds of public suffixes – those defined by ICANN, also included in the public suffix list, and the not really official private definitions in the public suffix list.

                                              And quoting the ICANN advisory on this:

                                              The Certification Authority (CA)/Browser Forum baseline requirements (11.1.3) require that before issuing a wildcard certificate, Certificate Authorities ensure that such a certificate is not issued for entries in the Mozilla PSL, e.g. *.co.uk, or that the entity actually owns the entirety of the public suffix

                                              So while it’s not an RFC, it’s still a standard – and an even stronger one at that

                                              1. 3

                                                it’s still a standard – and an even stronger at that

                                                You are confused. That is not a quote from a standard for web browsers or TLS implementations, but for people who want to make a certificate signing authority that CA/B members (like Mozilla, Google, Microsoft, and so on) would include in their web browsers.

                                                There are lots of reasons to make certificates that Mozilla (for example) would not include in the Firefox web browser, and it is required that valid TLS implementations interpret them according to the actual standard where that’s broader than what you’re reading here.

                                                1. 3

                                                  Sounds like a political limitation, not a technical limitation. Unless SSL consumers start to enforce this on their end, it wouldn’t prevent a malicious CA from issuing a cert like this that could be used to MITM all traffic.

                                                  1. 6

                                                    Sounds like a political limitation, not a technical limitation.

                                                    That’s the state of web PKI in a single sentence.

                                                    1. 4

                                                      That’s exactly the point – I was expecting browsers to actually implement this spec and verify this for certificates (as I already do this in a limited way in Quasseldroid)
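                                                      The check this sub-thread argues about, implemented on the client side the way the first comment expected browsers to do it. This is an added example and not code from the thread, from Quasseldroid, or from any browser: it applies the RFC 6125 section 6.4.3 wildcard rules (wildcard only as the whole left-most label, matching exactly one label) and then additionally rejects a wildcard whose remainder is a public suffix, which is the CA/B Baseline Requirements rule quoted above carried over to the verifier. The public suffix set is a small constructed subset; a real deployment would load the Mozilla PSL and keep it updated, which is the “infrequently-updated databases” problem the thread notes.

```python
"""Wildcard certificate name matching with a public-suffix check.

Added example, not from the thread. Conservative choices: partial
wildcards such as "f*.example.com" (which RFC 6125 says a client MAY
accept) are rejected, and a wildcard whose remainder is a public suffix
(e.g. "*.co.uk") is rejected even though RFC 6125 itself does not require
that check; the CA/B Baseline Requirements impose it on issuers, and this
code enforces the same rule on the verifying side.
"""

# Constructed subset of the public suffix list, for demonstration only.
# A real implementation loads the full Mozilla PSL (ICANN + private sections).
PUBLIC_SUFFIXES = {
    "com", "org", "net", "uk", "co.uk", "org.uk", "github.io",
}


def _normalise(name: str) -> str:
    """Hostnames are case-insensitive; drop a trailing root dot."""
    return name.strip().lower().rstrip(".")


def is_public_suffix(domain: str) -> bool:
    return _normalise(domain) in PUBLIC_SUFFIXES


def wildcard_is_acceptable(presented: str) -> bool:
    """Decide whether a presented identifier (a dNSName SAN) may be used.

    Non-wildcard names are always acceptable. A wildcard is acceptable only
    when "*" is the entire left-most label, there are at least two further
    labels, and the remainder is not itself a public suffix.
    """
    name = _normalise(presented)
    if "*" not in name:
        return True
    labels = name.split(".")
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return False  # partial ("f*.") or non-left-most ("www.*.") wildcard
    if len(labels) < 3:
        return False  # "*.com": would cover an entire TLD
    remainder = ".".join(labels[1:])
    return not is_public_suffix(remainder)  # "*.co.uk", "*.github.io"


def matches(presented: str, reference: str) -> bool:
    """RFC 6125 style comparison of a reference hostname against a presented
    identifier. The wildcard matches exactly one label, so "*.example.com"
    matches "www.example.com" but not "a.b.example.com" or "example.com"."""
    if not wildcard_is_acceptable(presented):
        return False
    p = _normalise(presented)
    r = _normalise(reference)
    if "*" not in p:
        return p == r
    p_labels = p.split(".")
    r_labels = r.split(".")
    if len(p_labels) != len(r_labels):
        return False
    # Left-most label is the wildcard; every other label must match exactly.
    return p_labels[1:] == r_labels[1:]


if __name__ == "__main__":
    for presented, reference in [
        ("*.example.com", "www.example.com"),
        ("*.example.com", "a.b.example.com"),
        ("*.co.uk", "example.co.uk"),
        ("*.com", "example.com"),
    ]:
        print(f"{presented:18} vs {reference:18} -> {matches(presented, reference)}")
```

                                                      Which names count as public suffixes is the weak point: the ICANN section of the PSL is fairly stable, but the private section changes often, so a verifier that ships a stale copy will accept or reject differently from a CA that checks the live list.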

                                              1. 2

                                                Not sure if the author is from the US but I’ve had this discussion a few times in my life. It seems to be no problem there to just present yourself with your non-given name and everyone runs with it. (Dick Cheney came to mind, Richard Bruce Cheney, I’ll reference this further down).

                                                Here in Germany that doesn’t fly. Sure, sometimes, depending on your work place you might be Andy and not Andrew, but getting people to call you Brian when your email reads “andrew.foo@” is usually hard or at least not easy, don’t even talk about getting “brian.foo@” instead of the other one. It’s simply not very common. I think I can remember 1 (one) politician in the last 20-30 years who didn’t run with their legal name (Not the full one, we mostly leave off all but 1 given name). (cf. Dick Cheney example above, and it’s not a good example, he could also be Ricky Cheney or Bruce Cheney but he’s not Adam Cheney - maybe football trainers are a better example, they sometimes have a “nickname” name, and not their legal name, but not politicians)

                                                Maybe I should expand on that a little, of course there are sometimes nicknames (offline or online handles) and people are mostly well-known by this, but I’m still saying it’s absolutely the exception and not the norm, even in small or medium companies without a lot of bureaucracy.

                                                In any case, it’s possible that their “legal name” isn’t the name on their credit card or bank account, if, for instance, they recently changed it; if your software can’t account for that, it’s not just annoying, it’s incorrect.

                                                I’m pretty sure it is correct 90% of the time here. I’ve never heard of anyone being issued bank stuff with a different name than the legal name.

                                                Also, you can’t even change your name here (except in certain cases) so maybe this is also a factor in why the culture is different. (Examples I can think of spontaneously: Last name: marriage and adoption or if it causes you distress because it’s like a literal swear word, First name: only when getting German citizenship and you transliterate it or after transition)

                                                I’m neither advocating the status quo nor do I like it - but the points given in the post, especially “you as a software developer should do this better” whereas I say the typical developer doesn’t have a say in this, maybe not even the product owner. I do think it’s worth debating but this post feels so much “if I could change the world to work how I want it” without even acknowledging that the world is a very diverse place.

                                                1. 7

                                                  It very much depends on culture. Insistence on exact “legal name” may be correct for some cultures, but can be offensive in other cultures (there are cultures, for example, where the correct way to address someone is highly context-dependent, and changes based on factors such as relationship, familiarity, age, and so on). So using it as a universal is certain to be incorrect for some people.

                                                  1. 3

                                                    But that’s exactly why under German law, you don’t have to use your legal name anywhere except for bank accounts or run-ins with the police.

                                                    No one else has a right to know your legal name, and you can sign contracts under different names, get degrees under different names, etc. That’s all possible and legal - and people are actually okay with that. You can even get a bank card under a name that’s not your legal name.

                                                    1. 1

                                                      I didn’t quote a lot of law stuff because I don’t know enough about it.

                                                      I was merely saying in my experience it is very hard because it is uncommon.

                                                  1. 2

                                                    At first I thought it was Firefox with WebRender which broke everything, but then I saw it’s even worse in Chromium.

                                                    Note how the white circles have a semi-visible border on some characters: https://i.k8r.eu/cwj8zw.png

                                                    1. 1

                                                      As I run everything in kubernetes anyway, servers have no task assigned to them directly, so I just name mine after elements of the periodic table, with isotopes used if an identical server is replaced, and new elements used if a new server is added.

                                                      1. 3

                                                        Apache doesn’t, with HTTP, say “userdirs are enabled, so the origin of this resource should be /~username rather than /”, and Firefox doesn’t say “the URL path starts with /~, so set an origin just to be safe.” Ah, oh well.

                                                        Isn’t this fundamentally an in-band signalling problem?

                                                        1. 4

                                                          Apache doesn’t, with HTTP, say “userdirs are enabled, so the origin of this resource should be /~username rather than /”, and Firefox doesn’t say “the URL path starts with /~, so set an origin just to be safe.” Ah, oh well.

                                                          Isn’t this fundamentally an in-band signalling problem?

                                                          No.

                                                          Apache doesn’t say the origin is anything; it is Firefox which makes the decision what the origin is by looking at the URL, a few infrequently-updated databases shipped with Firefox, and a complex set of rules for applying the two together.

                                                          1. 2

                                                            There is no such feature in the web stack. That’s not how it’s supposed to work. The concept of the origin is universally defined, and can’t be changed on per-response basis.

                                                            At best the server could lock things down with CSP headers, but even CSP itself thinks in origins.

                                                            1. 1

                                                              Well yes, because the concept of the Origin is fundamentally broken, and was from the beginning. Userdirs existed before JS, so JS has to be changed, not userdirs.
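                                                              The point made two comments up, that the origin is derived from the URL alone and that nothing in the response can change it, shown as an added example (not code from the thread or from any browser): a small origin function in the shape browsers use, a (scheme, host, port) tuple with the default port filled in, plus a same-origin check. The path, and therefore a userdir prefix such as /~alice, plays no part, so every userdir on one host shares one origin; only a different scheme, host or port separates them. The URLs are constructed for the demonstration.

```python
"""Origin derivation for http(s) URLs. Added example, not from the thread.

Mirrors the browser rule the comment describes: the origin is the
(scheme, host, port) triple taken from the URL, nothing else. Anything the
server says in the response body or in HTTP headers cannot move a resource
into a different origin; CSP can restrict what a page loads, but it still
reasons in origins.
"""
from urllib.parse import urlsplit

# Default ports used when the URL does not carry an explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Return the (scheme, host, port) origin of an http(s) URL.

    Host comparison is case-insensitive, so the host is lowercased; an
    explicit port that equals the scheme default is the same origin as
    no port at all. The path, query and fragment are deliberately ignored.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = (parts.hostname or "").lower()  # hostname strips IPv6 brackets too
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def same_origin(a: str, b: str) -> bool:
    """True when two URLs share scheme, host and port."""
    return origin(a) == origin(b)


if __name__ == "__main__":
    # Constructed URLs: two userdirs on one Apache host, and two subdomains.
    alice = "http://example.com/~alice/"
    bob = "http://example.com/~bob/index.html"
    print(origin(alice), origin(bob), same_origin(alice, bob))   # same origin
    print(same_origin("http://alice.example.com/", "http://bob.example.com/"))
```

                                                              Because the path is not part of the origin, script under /~bob/ runs with the same origin as /~alice/ and sees the same cookies and DOM access; the only way the server can give users separate origins is to serve them from separate hostnames (or ports), which the second print in the block shows as distinct.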

                                                          1. 56

                                                            I’m not sure why Free Software was thrown into this. I fully agree with the author’s points regarding the severe lack of privacy associated with discord, BUT I disagree that Free Software can only be developed/supported using communication mechanisms that respect privacy.

                                                            Email is an acceptable choice for Free Software projects, and has been for many decades. Same for IRC. None of those are inherently secure/privacy-friendly.

                                                            Discord is a terrible choice for Free Software projects because it’s a proprietary walled garden, not because it’s ‘not private’.

                                                            1. 21

                                                              BUT I disagree that Free Software can only be developed/supported using communication mechanisms that respect privacy.

                                                              Of course you can develop free software with proprietary tools and services.

                                                              It’s just discriminatory and excludes those who need or want to maintain their privacy. I don’t think free software projects should be discriminatory or exclusionary.

                                                              Email is an acceptable choice for Free Software projects, and has been for many decades. Same for IRC. None of those are inherently secure/privacy-friendly.

                                                              Email and IRC are absolutely privacy-friendly, despite being unencrypted. You can create an entirely anonymous free account and use them, via Tor, just like any other participant and not be excluded.

                                                              From the article:

                                                              Discord is proprietary, non-free software, held closely by a for-profit company. How you personally feel about this is dependent upon your own philosophical views, but, objectively, it is not very consistent with the ideals of most groups dedicated to free software or open collaboration to produce and improve free software.

                                                              It seems to me inappropriate for an organization that believes in free software to choose proprietary and privacy-disrespecting tools when free and private alternatives are readily available and can be hosted very inexpensively.

                                                              1. 20

                                                                Yes, I read the bit about it being proprietary in the article, but the main points being made in the article are not about it being a poor choice because it’s non-free, but because it’s “not private”.

                                                                Anyways, I hope fewer projects choose this path (and slack, which i put squarely in the same boat as discord), and instead choose IRC, matrix, XMPP, and other similar protocols.

                                                                1. 6

                                                                  Well, the main reason it’s discriminatory and exclusionary is because of privacy. Not everyone can give up their privacy, so any project using it is discriminating against all of those people.

                                                                  Also from the article:

                                                                  If you have done so in the past, please stop recommending IRC as a replacement for Slack and Discord. It’s absolutely not. IRC is great, but it is not simply “open source Slack” (that’s Mattermost). They are both chat systems, but they are different tools for different jobs. I love IRC, but it’s simply not a useful tool for most groups.

                                                                  Are there any good matrix implementations yet? I’ve been meaning to run one.

                                                                  1. 7

                                                                    If you have done so in the past, please stop recommending IRC as a replacement for Slack and Discord. It’s absolutely not. IRC is great, but it is not simply “open source Slack” (that’s Mattermost). They are both chat systems, but they are different tools for different jobs. I love IRC, but it’s simply not a useful tool for most groups.

                                                                    Yeah.. I disagree with that bit too. All of the Mesa development happens over IRC, and mailing lists (with some moving to gitlab, e.g. patch review). It works really, really great for that. For a (long) while, Mozilla used it. But I guess it wasn’t ‘hip’ enough so they moved to something else (matrix I think?)

                                                                    IRC is a very simple protocol, you can implement a client for it very easily, it has been ‘battle tested’ for decades. One of the big missing ‘features’ is accessing the backlog while you are away, and many folks (including myself) use a bouncer on some 24/7 system to fill that gap, but I understand that’s not for everyone.

                                                                    Are there any good matrix implementations yet? I’ve been meaning to run one.

                                                                    I’m also interested to know this. ~2yrs ago the (only?) homeserver implementation out there was hard to set up, and didn’t scale well at all (something about it being written in javascript? lol). Maybe that’s different now. I’ve yet to see any widespread adoption of E2EE in matrix, for any channels I’ve seen. People tout E2EE as the major reason to use matrix, but basically no one uses it, AFAIK.

                                                                    1. 16

                                                                      Yeah.. I disagree with that bit too. All of the Mesa development happens over IRC, and mailing lists (with some moving to gitlab, e.g. patch review). It works really, really great for that. For a (long) while, Mozilla used it. But I guess it wasn’t ‘hip’ enough so they moved to something else (matrix I think?)

                                                                      Because it works well for some groups does not mean it works well for most groups.

                                                                      Mozilla didn’t quit IRC because it wasn’t “hip” enough. They wrote about it when they did it: it wasn’t serving their needs.

                                                                      For most groups, asynchronous mobile applications with native notifications and multiclient are hard requirements. Unless you pay for irccloud, you’re not getting any of that. IRC’s “very simple protocol” is actually a hindrance for the majority of users: it means that if you can’t maintain a TCP connection, you can’t maintain an active session. The vast majority of people these days only access social networking via mobile devices. That forces them onto a paid bouncer like irccloud, or into a bad UX. There’s a reason that Slack and Discord are so massively popular. IRC advocates entirely fail to understand those reasons.

                                                                      Use of Discord discriminates against all the users who need privacy.

                                                                      Use of IRC discriminates against all the users who don’t know screen, znc, and the command line, or users who primarily use mobile phones.

                                                                      1. 7

                                                                        Use of Discord discriminates against all the users who need privacy.

                                                                        But in the context of publicly discussing open source development, I don’t see how you do? So frankly I don’t really see the objection here.

                                                                        The other day someone on Reddit was complaining about a Google mailing list not being private. The privacy of what? Your public messages sent to a public mailing group?

                                                                        I’m unconvinced by the “you need a telephone” argument; the fact is that spam and abuse are a serious problem, and it’s reasonably effective at stopping it. I don’t buy the “complete privacy” argument, and I don’t think that they ask it “just to get more data about you”. That’s ignoring the very real problems people have to deal with.

                                                                        The “human right” argument seems misplaced. I also have the “human right” to call anyone an asshole here (freedom of speech) or to proselytize my religion (freedom of religion), but that doesn’t mean this platform needs to accept that. Again, the context here is publicly discussing a public project.

                                                                        In your article you wrote that “you should be able to use your communications tools to mock and ridicule people, if you so wish”. Seriously? If someone comes into an OSS project to “mock and ridicule people” then I’d kick them out faster than you can say “freedom of speech”.

                                                                        The word “privacy” seems to be subject to quite some inflation these days. I think this is a serious distraction from actual privacy issues.

                                                                        1. 6

                                                                          The privacy of what? Your public messages sent to a public mailing group?

                                                                          the connection between your web identity and your in-real-life identity. The messages are obviously public but you might not want, for example, your boss to know that “coder_742” is you.

                                                                          1. 2

                                                                            Do people not just make new email accounts for their “alt” identities? Virtually all online services use email as the primary proof of identity and it is trivial to create a new one. Discord requiring an email and an account are hardly barriers to privacy.

                                                                            1. 5

                                                                              They also require your physical location via your IP. If you use Tor or a VPN to preserve your personal privacy, the things that happen (dozens of captchas, frequent inability to log in, DMing links gets your account auto deleted) are huge barriers to entry.

                                                                              1. 1

                                                                                Hard disagree. Tor is very frequently used for spam (among other nefarious things), so it’s no surprise that IPs for exit nodes are blacklisted or put under more scrutiny. If you go out of your way to obfuscate your origin and you behave like a spambot, you’re going to get treated like one. These are good things, it makes the network better for the vast majority of people who use the service. That being said, I use Discord through a major VPN provider all the time and have never had any issues with retaining my session or logging in. Captchas are hardly an issue either, they’re just slightly annoying.

                                                                        2. 4

                                                                          Use of IRC discriminates against all the users who don’t know screen, znc, and the command line, or users who primarily use mobile phones.

                                                                          FYI, there are some great IRC clients for Android.

                                                                          Also, ‘discrimination’ is an intentional action, not accidental. When people set out to create IRC, they didn’t scheme in some dimly lit room and decide “we must prevent users who don’t know screen, znc, and command line from using this. Oh, and fuck mobile users too!”. They simply made a thing that lots and lots of people started using.

                                                                          1. 12

                                                                            Also, ‘discrimination’ is an intentional action, not accidental.

                                                                            Nah, you can absolutely discriminate accidentally. An app demanding only five digit US numeric zip codes or ten digit phone numbers that start with a +1 is discriminating against non-US users even if they didn’t intend to.

                                                                            They simply made a thing that lots and lots of people started using.

                                                                            Yeah, in like 1990, for 1990-style programs. Just because there are decent IRC clients for android doesn’t mean IRC’s protocol is good for modern communication. It doesn’t do multi-client, it needs a persistent TCP connection, it doesn’t do multiline or rich text or media, doesn’t have any sort of cryptography, et c. It’s a bad protocol, and it should be left in the past.

                                                                            1. 10

                                                                              You complain a lot, but most of the things you complain about are already solved, or being solved.

                                                                              IRC isn’t dead, it’s a living, breathing protocol, improving every day.

                                                                              And especially mobile usage isn’t that complicated to do right, especially if you treat IRC the way Matrix treats their protocol between homeservers, and have a separate protocol for clients (like e.g. IRCCloud or our own Quassel/Quasseldroid do: https://quasseldroid.info/).

                                                                              It’s being worked on, and it has a major community still using it. Which is a massive improvement over the flavour-of-the-day Slack clone you see elsewhere.

                                                                              Now to get into specifics:

                                                                              it doesn’t do multiline

                                                                              or rich text or media

                                                                              it needs a persistent TCP connection

                                                                              doesn’t have any sort of cryptography

                                                                              1. 14

                                                                                IRC isn’t dead, it’s a living, breathing protocol, improving every day.

                                                                                As a long time IRC user who has monitored the progress of IRCv3 for years, and talks to many of its former developers, I find this hard to believe. Even with IRCv3 efforts, everything was stillborn and many of those developers are sad at how everything passed them by.

                                                                                1. 4

                                                                                  These are all open issues or PRs for the past couple of years. ‘These are being worked on’ does not make IRC a viable alternative for the required feature set of today.

                                                                                2. 3

                                                                                  it doesn’t do multiline or rich text or media

                                                                                  Those are definitely features, IMHO. But I can see there’s no way we can agree here :)

                                                                                  I look forward to something like Matrix (if Matrix doesn’t improve), that is FLOSS, lightweight, secure, federated, and easy for all to use.

                                                                            2. 4

                                                                              The official reference implementation, synapse, has been production-ready for a long time and also scales pretty well nowadays. It can be easily hosted on NixOS, there are Docker images and a Debian repository. I have been running my personal Matrix server for 1-2 years now and I never had problems. Just make sure presence is turned off for better performance.

E2EE adoption has not been as widespread as it should because the UI/UX had been lacking. It’s not that easy to get right for a federated multi-device service. But a few weeks ago the last missing feature to make E2EE usable, cross-signing of devices, got implemented. It is now being integrated and tested and will soon go live. After that all new private rooms will be E2EE by default.

                                                                              Much has happened on the Matrix project in the last years, I suggest you give it another try :)

                                                                            3. 1

                                                                              Are there any good matrix implementations yet? I’ve been meaning to run one.

                                                                              See my comment below.

                                                                          2. 8

                                                                            It’s just discriminatory

                                                                            I’d say it’s exclusionary, not discriminatory. Discriminatory heavily implies it’s on the basis of an immutable category. But project leaders have to dictate to some extent what software their employees will use, and their employees have the ability to use other tools for private communication.

                                                                            You may say the bar to entry for those other tools is higher, but whose responsibility is that? The project leader’s? I think regardless of what you believe, your comment holds the wrong people to account—that is, if blame is even an apt paradigm here!

                                                                            1. 5

                                                                              Tools that spy on us are bad tools. If project leaders chose Discord, and Discord’s policies regarding privacy mean that people who need privacy are excluded from participating in that group, then I think it’s reasonable to say that group leaders should not make those sorts of choices.

                                                                              It’s just the same as if you had a club meeting at a place with a specific dress code that excludes a cultural form of dress. The people who organized the meeting who chose that venue would be legitimately open to criticism (just as would the venue be) for discriminating against people who dress that way.

                                                                              Free software and public benefit groups and projects should not be discriminatory or exclusionary, and they should not make tool choices that perpetuate discrimination.

                                                                            2. 4

                                                                              I care about privacy, but this definition of “exclusive” and “discrimination” is a bit silly. You could say any tool “discriminated against” or “excludes” anyone who doesn’t like it for any reason, and then wag your finger saying, “you don’t want to be discriminatory or exclusive, do you?”. It doesn’t exclude people who care about privacy, we just don’t like it. And as a maintainer, I’d probably elect for the usable tools over those that trade everything for privacy (or more likely, privacy theater).

                                                                          1. 19

                                                                            I’ve worked on an open source project. Not so tiny, it used to be preinstalled with several major distros, and is still quite popular.

Early 2018 we had a major CVE, with remote code execution. We had a patch ready within 8 hours of discovery, had it tested and in our official releases within a few days.

Debian took over a month to patch it (and continued using an old version with major bugs, only patching security issues themselves). And they were the fastest. Alpine 3.7 was the first to ship the fix, and that took an eternity. Previous Alpine versions (at the time still officially supported) never got the patch.

                                                                            Now, we’re moving towards snap/flatpak for desktop and docker for server, and building our own packages and bundles, because distro maintainers are basically useless, always ship ancient broken versions, users come to us to complain about stuff being broken (and distros refuse to ship bugfixes or versions from this decade), and the maintainers are never reachable, and even security updates are shipped at glacial speed.

                                                                            Honestly, distro maintainers are a massive security risk, and after this experience, I’m kinda mind blown.

                                                                            1. 10

                                                                              As an Arch packager, I can’t help but feel a little bit offended by what you said there. >:(

                                                                              1. 12

Arch is actually one of the few distros where this issue never existed - but that’s because Arch, being rolling release, actually just uses our upstream sources, and updates frequently and reliably.

                                                                              2. 8

                                                                                because distro maintainers are basically useless

                                                                                That’s quite an offensive statement.

                                                                                1. 6

                                                                                  If major software that’s preinstalled and in the default start menu of Kubuntu is so outdated that it has remotely exploitable bugs, months after developers have released patches for all version branches, including the one used by Debian/Ubuntu/etc, then how can you really trust the packages installed on your system?

How many programs from the repos do you have installed which are not that common, or complicated to package? Are you sure they’re actually up to date? Are you sure there are no vulnerabilities in them?

Ever since this, I can’t trust distros anymore.

                                                                                  1. 3

                                                                                    And that makes distro maintainers basically useless?

                                                                                    1. 8

                                                                                      Yes. If there’s no practical value add, that statement is true.

                                                                                      It’s harsh to take, but yes, it’s okay to ask groups that insist on their status - especially in a role prone to gatekeeping - to stand for their value.

                                                                                      1. 3

                                                                                        If you can’t trust software distributed by your distro to be up-to-date and safe, what use does it have then? Stability is never more important than safety.

                                                                                        The whole point people use distributions, and especially reputable ones, is because they want to ensure (a) stuff doesn’t break, and (b) stuff is secure.

                                                                                        1. 2

                                                                                          If you can’t trust software distributed by your distro to be up-to-date and safe, what use does it have then?

                                                                                          Of course packagers try to keep stuff up to date and secure, but a) things move fast, and spare time and motivation can be at a premium; and b) there’s too much code to audit for security holes.

                                                                                          distro maintainers are basically useless

                                                                                          Come on now… I assure you, you’d be pretty upset if you had to build everything from source.

                                                                                          1. 4

                                                                                            Of course packagers try to keep stuff up to date and secure, but a) things move fast, and spare time and motivation can be at a premium; and b) there’s too much code to audit for security holes.

                                                                                            And this is where @arp242’s sentiment comes from. “In a world where there is a serious shortage of volunteers to do all of this, it seems to me that a small army of ‘packagers’ all doing duplicate work is perhaps not necessarily the best way to distribute the available manpower.”

                                                                                            1. 1

                                                                                              In a world where there is a serious shortage of volunteers

                                                                                              This is false. All too often it is difficult to find good software to package. A lot of software out there is either poorly maintained, or insecure, or painful to package due to bundled dependencies, or has hostile upstreams, or it’s just not very useful.

                                                                                              It’s also false to imply that all package maintainers are volunteers. There are many paid contributors.

                                                                                            2. 2

                                                                                              Come on now… I assure you, you’d be pretty upset if you had to build everything from source.

                                                                                              I don’t necessarily have to — the distro can provide a clean base with clean APIs, and developers can package their own packages for the distro. As some operating systems already handle it.

                                                                                    2. 3

Various distributions, including Debian, backport security fixes to stable versions even when upstream developers don’t do it. It’s not uncommon that the security fixes are released faster than upstream.

                                                                                      Your case is an exception. Sometimes this can be due to applications difficult to package or difficult to patch or low on popularity.

Besides, it’s incorrect to assume that the package maintainer is the only person doing security updates. Most well-known distributions have dedicated security teams that track CVEs and chase the bugs.

                                                                                      1. 1

We already provide backported security fixes, as .patch files simply usable with git apply, and provide our own packages for old and recent branches. It’s quite simple to package too. Popularity, well, it was one of the preinstalled programs on Kubuntu, and is in Kubuntu’s start menu (not anymore recently, but on older versions it still is).

                                                                                        The fact that many distro maintainers still take an eternity updating patches, and sometimes not even apply those, makes relying on distro packages quite an issue. I don’t trust distro maintainers anymore, not after this.

                                                                                      2. 3

                                                                                        Honestly, distro maintainers are a massive security risk, and after this experience, I’m kinda mind blown.

                                                                                        I think this is mostly because you have a one-sided experience of this and it’s most likely a bit more nuanced and down to several factors.

One of them being that the CVE system is broken and hard to follow. How did you disclose and announce the CVE and fix? Did the patches need backports for the given release and were those provided? I don’t know the CVE number, so this is hard to follow up on. But the best approach is to announce on a place like oss-sec from Openwall and it should be picked up by all distribution security teams.

The other side of this, which is what distribution maintainers see, but few upstreams realize, is that patching dependencies is where most of the work is done. Distributing your app as a snap/flatpak works great if you also patch the dependencies and keep track of security issues with those dependencies. This is where most upstreams fail, and this is where distribution maintainers and the distro security teams improve the situation.

                                                                                        1. 1

The other side of this, which is what distribution maintainers see, but few upstreams realize, is that patching dependencies is where most of the work is done. Distributing your app as a snap/flatpak works great if you also patch the dependencies and keep track of security issues with those dependencies

                                                                                          That’s why, if you ever build such images yourself, you need to automate it, have it as CI, and update those dependencies at least daily, and generate a new image whenever new dependencies are available. Obviously, you need automated tests in your build procedure to ensure everything still works together, as sometimes some dependencies break important stuff even in patch releases.

How did you disclose and announce the CVE and fix? Did the patches need backports for the given release and were those provided?

                                                                                          We provided patches for every version distros used, as nice patch files that could directly be applied with git apply, and in addition to the more common ways, we also directly contacted the package maintainers for our package for the important distros via email or instant messaging.

In general, personally, I’m not a fan of the stable model anyway, though. We’ve done great work to ensure the software stays 100% binary compatible for all its protocols since 2009, we support every supported version of Debian and Ubuntu even with our absolutely newest builds, and yet, in the end, it’s the distro maintainers shipping not only outdated versions (apparently some users prefer buggy old versions), but also taking time to apply security fixes.

                                                                                          1. 2

                                                                                            That’s why, if you ever build such images yourself, you need to automate it, have it as CI, and update those dependencies at least daily, and generate a new image whenever new dependencies are available. Obviously, you need automated tests in your build procedure to ensure everything still works together, as sometimes some dependencies break important stuff even in patch releases.

Which again, few upstreams do, and they surely do not keep an eye on this at all. You sound like a competent upstream and it’s nice when you encounter them :)

                                                                                            We provided patches for every version distros used, as nice patch files that could directly be applied with git apply, and in addition to the more common ways, we also directly contacted the package maintainers for our package for the important distros via email or instant messaging.

And this is how you should proceed. I would however contact the Linux distro list if it’s a widely used piece of software multiple distributions package, and the CVE is critical enough. https://oss-security.openwall.org/wiki/mailing-lists/distros

In general, personally, I’m not a fan of the stable model anyway, though. We’ve done great work to ensure the software stays 100% binary compatible for all its protocols since 2009, we support every supported version of Debian and Ubuntu even with our absolutely newest builds, and yet, in the end, it’s the distro maintainers shipping not only outdated versions (apparently some users prefer buggy old versions), but also taking time to apply security fixes.

The work is appreciated, but I’ll still urge you to not let one bad experience ruin the whole ordeal. Distribution security teams are probably some of the least resourced teams and sometimes things do fall between two chairs.

                                                                                            1. 3

The work is appreciated, but I’ll still urge you to not let one bad experience ruin the whole ordeal. Distribution security teams are probably some of the least resourced teams and sometimes things do fall between two chairs.

                                                                                              But given that the main argument of distros is security, that statement flies directly in the face of their promises.

                                                                                              1. 2

                                                                                                But given that the main argument of distros is security, that statement flies directly in the face of their promises.

I don’t think it’s the main argument, but surely one of them. If you want to be completely covered you need a well-paid team able to respond. You won’t get this with a community-based distribution; we are unpaid volunteers, just like most upstreams. You’ll have to use something backed by a paid team if you expect premium service and full coverage.

Anything else is only on a best-effort basis. The CVE system is sadly hard to navigate, ingest and process. Some things are going to bubble up faster, and some things are going to be missed.

                                                                                                1. 2

                                                                                                  I have absolutely no issue with all your statements, but it is a cornerstone argument.

                                                                                                  I’m fine with community distributions, if they own it, and agree that paid distros are a good way to go. RHEL licenses are actually worth their money.

                                                                                                  I disagree with the reading of best-effort, though, because it goes both ways. If your work is impacting others, either through making them have more support requests or slowing down their iteration speed, you need to make sure you don’t add undue labor.

                                                                                        2. 3

                                                                                          With this attitude, which a lot of developers seem to have nowadays, it doesn’t make sense to have your software included in distributions. As a packager I’d call this a hostile upstream… Just distribute it as a flatpak and/or snap and be done with it.

                                                                                          Relevant here may be a blog post from an upstream fully embracing the distribution instead of fighting it: https://www.enricozini.org/blog/2014/debian/debops/

                                                                                          1. 3

                                                                                            It allows me to rely on Debian for security updates, so I don’t have to track upstream activity for each one of the building blocks of the systems I deploy.

                                                                                            That’s exactly what I used to believe in, too, but after this experience, the facade has cracked. I can deal with 90% of my packages being years out of date and full of bugs because the distro wants to be stable and refuses to apply bugfixes or update to newer versions, but if security updates aren’t reliably applied even if they have a CVE (and debian just ignores issues entirely if they have no CVE), then how can one still trust the distro for security updates? Having a remotely exploitable unauthenticated DoS if not even RCE in a publicly facing software for 30 days is absolutely not fine.

                                                                                            As a packager I’d call this a hostile upstream… Just distribute it as a flatpak and/or snap and be done with it.

We actively maintain all version branches, and provide even backported security patches as nice little .patch files even for all the major.minor.patch releases Debian/Ubuntu still use. You can build it nice and simple, you just have to apply one little patch. It’s not like we’ve been actively hostile - what more should we have done, in your opinion?

                                                                                            1. 2

                                                                                              how can one still trust the distro for security updates?

                                                                                              Fair enough. If they are not applied. I personally know at least one Debian package maintainer (not me, I don’t like Debian) that takes excellent care of their packages, including in the stable releases. So it may depend on the maintainer. But maybe that is your point, that there is no universal standard for maintainers…

                                                                                              what more should we have done, in your opinion?

                                                                                              I don’t know this specific case. There are a number of other ‘historical’ cases where packagers gave up on packaging ‘upstream’ software, e.g. https://www.happyassassin.net/2015/08/29/looking-for-new-maintainer-for-fedora-epel-owncloud-packages/. I also wrote a blog post about it in 2016: https://www.tuxed.net/fkooman/blog/owncloud_distributions.html I guess the best one can do is follow these discussions and if possible make it easier for distributions to package the software. Especially the ownCloud case back then bugged me a lot. But as you can see from some other people in those discussions, we just gave up on ownCloud and used something else instead…

                                                                                        1. 1

Slight OT: the event just seems kind of poorly timed to me… most people are spending time with their family around now, and travel is a mess around this time because of the Christmas rush.

                                                                                          1. 4

                                                                                            I suspect it’s because it has student roots? Lots of students have free time around now, and might be travelling for holidays anyway.

                                                                                            (I’m just wildly guessing, I know nothing about C3 or German academic holiday traditions).

                                                                                            Edit: besides, it’s the Chaos Computer Club, not “Easy for Suits to Attend” Computer Club.

                                                                                            1. 3

It has been happening between Christmas and New Year for 36 years and it is constantly growing. 10 years ago it was ~2000 people, now already 16000. Seems like the timing is not so bad after all.

                                                                                              1. 1

                                                                                                Damn. Do hotel rooms book up like … the day after the conference is over?

                                                                                                1. 3

                                                                                                  I went last year and I found it pretty easy to get a room near Leipzig HbF (a single 30m tram ride from the event). It’s big, but it’s also held in cities.

                                                                                                  1. 1

                                                                                                    If it took you 30m from Hbf, you took the wrong train. :-)

                                                                                                    1. 1

                                                                                                      Well yes. He didn’t take a train, he took the tram! Which is sometimes quicker depending where you are.

                                                                                                      1. 1

                                                                                                        Heh, it’s been a year, time enough to forget the finer details of the trams. I only found out in August that the wristband was good for the S-bahn in addition to the tram.

                                                                                                    2. 2

                                                                                                      The day after is NYE, which is still high season for travel.

                                                                                                      1. 2

You only get tickets through vouchers or the ticket queue (which is basically a lottery) in October/November, but once that’s over, hotel rooms are booked within seconds.

                                                                                                        Right now even hotels kilometers away from everything else are booked out.

                                                                                                        1. 2

Ticket queue is actually very manageable: get a couple friends, use a wired connection, refresh the page a bit before the opening time (there’s an HTTP keep-alive on the server (*)), then refresh continuously right before the opening time, stop when the page content is different and solve the very simple captcha (last time: clicking on Leipzig on a map).

(*) HTTP keep-alive helps with latency but that doesn’t matter that much if you’re refreshing continuously right before the opening time; but when they introduced the queue and the system was crawling through requests, opening your connection 10 minutes earlier and keeping it open was profitable.

As for hosting, I got fed up with Leipzig: everything is now non-cancellable, prices have increased a lot (it’s probably one of the few cities where prices for nights on the 29th are higher than those for the 31st), and the city wasn’t very cooperative either (it took 3 years to get classrooms for people who can’t afford better rooms). Really feels like they’re trying to milk as much as possible from the participants, which is a shame considering how much the city earns without having to try to get more.

                                                                                                    3. 1

                                                                                                      People had 36 years to prepare their families for the event. :-)

                                                                                                    1. 6

One major issue we’ve had in the Android world with reproducible builds (useful for having f-droid ship APKs signed with the developer’s key) was that sometimes, filesystems behave non-deterministically.

                                                                                                      Iterating over files will return them in a different order depending on where and how you run the same program, which is quite an issue, as Android’s official build tools produce a resource bundle which lists the resources in the order the filesystem returned them, so the resource bundle will be different on every system (but on each system, it will be consistent with each run).

                                                                                                      It’s been fixed now (see https://issuetracker.google.com/issues/110237303?pli=1), but it’s a good example of issues people might not even think about regarding reproducible builds.

A different example, mentioned in the blogpost, of using __TIME__ to have the build time in the build (e.g. for an about screen) can luckily be nicely avoided (and still provide the same functionality) by using the timestamp of the current git commit instead.

                                                                                                      In general I can recommend https://reproducible-builds.org/ for information about and common issues with reproducible builds :)
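A small added example (not from the comment above or from the Android build tools) of the listing-order problem described in this comment: the hash of a packed resource bundle depends on the order the filesystem returns files unless the build sorts entries and pins metadata such as mtime, here to a constructed stand-in for the git commit timestamp. The `listdir` hook, the sample files and the timestamp are all constructed for the demonstration and simulate two machines whose filesystems list entries in different orders.

```python
"""Deterministic resource bundling regardless of filesystem iteration order."""
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample "resource" files (relative path -> content).
SAMPLE_FILES = {
    "res/values/strings.xml": b"<resources><string name='app'>Demo</string></resources>\n",
    "res/drawable/icon.png": b"\x89PNG\r\n\x1a\n(constructed, not a real image)",
    "res/layout/main.xml": b"<LinearLayout/>\n",
}

# Hypothetical stand-in for the timestamp of the current git commit
# (what a build would read from `git log -1 --format=%ct`).
COMMIT_TIMESTAMP = 1576800000  # constructed value, 2019-12-20T00:00:00Z


def write_sample_tree(root):
    """Materialise SAMPLE_FILES below `root` so the build has something to pack."""
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def walk_files(root, listdir=os.listdir):
    """Yield file paths relative to `root` in whatever order `listdir` gives.

    `listdir` is a hook so a caller can simulate a filesystem that returns
    directory entries in a different order (the real-world non-determinism).
    """
    stack = [""]
    while stack:
        rel_dir = stack.pop()
        for name in listdir(os.path.join(root, rel_dir)):
            rel = os.path.join(rel_dir, name) if rel_dir else name
            if os.path.isdir(os.path.join(root, rel)):
                stack.append(rel)
            else:
                yield rel


def bundle(root, deterministic, listdir=os.listdir):
    """Pack the tree into an in-memory tar archive; return its SHA-256 hex digest.

    With deterministic=False the archive mirrors the filesystem order and the
    file metadata of the build host; with deterministic=True entries are sorted
    and mtime/owner/mode are pinned so every host produces identical bytes.
    """
    files = list(walk_files(root, listdir))
    if deterministic:
        files.sort()  # fixed order, independent of how the filesystem listed them
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for rel in files:
            full = os.path.join(root, rel)
            info = tar.gettarinfo(full, arcname=rel.replace(os.sep, "/"))
            if deterministic:
                info.mtime = COMMIT_TIMESTAMP  # commit time instead of build time
                info.uid = info.gid = 0        # owner differs per build host
                info.uname = info.gname = ""
                info.mode = 0o644              # umask differs per build host
            with open(full, "rb") as f:
                tar.addfile(info, f)
    return hashlib.sha256(buf.getvalue()).hexdigest()


def demo():
    """Build the bundle under two simulated listing orders, naive and fixed.

    Returns (naive_builds_match, deterministic_builds_match).
    """
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        forward = lambda p: sorted(os.listdir(p))
        reverse = lambda p: sorted(os.listdir(p), reverse=True)
        naive = (bundle(root, False, forward), bundle(root, False, reverse))
        fixed = (bundle(root, True, forward), bundle(root, True, reverse))
        return naive[0] == naive[1], fixed[0] == fixed[1]


if __name__ == "__main__":
    naive_ok, fixed_ok = demo()
    print("naive build reproducible across listing orders:", naive_ok)   # False
    print("sorted+pinned build reproducible across listing orders:", fixed_ok)  # True
```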

                                                                                                      1. 4

                                                                                                        I’ll be trying this out, the situation with IRC bouncers is quite horrible, so almost anything is an improvement. A while back I tried to find ZNC alternatives, and found these

                                                                                                        The joke is that almost every second one hasn’t been updated in the last ten years, and their code quality probably also varies substantially.

                                                                                                        1. 8

                                                                                                          The joke is that almost every second one hasn’t been updated in the last ten years, and their code quality probably also varies substantially.

                                                                                                          I don’t know, it seems to me like an IRC bouncer is something you write, and then you’re done. What updates were you hoping for?

                                                                                                          1. 6

                                                                                                            In general I agree; I’m not planning to have to make many releases of pounce. However there have been some useful developments in IRC in the last 10 years, such as the server-time extension, that do improve the situation for bouncers.

                                                                                                            1. 1

                                                                                                              There’s a feature I would like in a bouncer which (I believe) does not exist, and therefore this might be used as a data point that there’s still room for updates or innovation in bouncers.

On the other hand, my feature, and indeed OP’s feature here, might be feasibly implemented in a ZNC plugin. Which would be a data point against the need for another client.

                                                                                                              My feature request is: I would like to be able to make one client->bouncer connection and for the bouncer to provide a view over multiple IRC networks in some fashion, so for example, from my client’s POV, I might join the channel “#oftc#debian-uk”, and the bouncer routes that to an OFTC server connection, channel #debian-uk. As things stand, I have to make a half-dozen individual client→bouncer connections, one per IRC network.

                                                                                                              1. 3

                                                                                                                Quassel does this, the problem with this idea is that you need a custom protocol between the bouncer and the client. Having to switch from your favourite IRC client to replace it with your bouncer’s only supported client isn’t always fun.

                                                                                                                1. 2

                                                                                                                  I’ve thought about this sort of thing too, having some network connections where I use only one channel. Unfortunately it breaks down pretty quickly (unless you start using a custom protocol as @xi points out). How do you route commands that aren’t directly tied to channels, such as WHOIS or private messages for that matter? What happens if your nick ends up different on one network from another? It seems like it would end up more hassle than just a bunch of separate connections.

                                                                                                              2. 3

                                                                                                                I’m not exactly an IRC power-user, but I’ve been running weechat-headless on my server together with its relay feature, it fulfills my need for persistent and cross-device history.

                                                                                                                1. 1

I’ve tried it once, but I hate having to ssh to any server for chats. As an Emacs user I much prefer to have a “proper” UI (i.e. what I’m used to) and use something like rcirc or ERC – and to have a persistent setup with these clients, a functioning bouncer is necessary.

                                                                                                                  But what you mention is probably interesting, because that might be a reason that there hasn’t been much development on the bouncer front, since the intersection between those who think that’s ok and use IRC is not really getting smaller (percent-wise).

                                                                                                                  1. 3

                                                                                                                    I don’t actually ssh into it to use IRC, I use a “relay” web client. In the future you should be able to use weechat itself as a relay client, if you prefer its UI.

                                                                                                                    1. 1

                                                                                                                      Ah, I forgot about that. But it doesn’t help me, I don’t want to use Weechat, but want a real bouncer.

                                                                                                                      1. 1

                                                                                                                        Thanks for linking to Glowing Bear! I use weechat off and on, and that looks pretty slick for a wee-chat front-end

                                                                                                                  2. 2

                                                                                                                    I’ve been enjoying using Quassel, but it’s more of a fully fledged client rather than a CLI like weechat, but the “core” idea they have is very good. I just wish there was a bit more development on it to polish out the kinks.

                                                                                                                    1. 5

                                                                                                                      A worrying thing about Quassel is that communication with the “core” uses some Qt object serialization format which iirc isn’t necessarily stable and isn’t exactly designed for a network protocol

                                                                                                                      1. 9

                                                                                                                        We actually fixed that recently in 0.12.5/0.13.0.

                                                                                                                        It’s still the exact same protocol, but we use custom serialisation/deserialisation to ensure it’s a stable protocol, and is safe to be used over the network.

                                                                                                                        You’re right that it used to be undocumented and unstable, but we’ve spent a lot of work to keep everything compatible — a current 0.13.1 core or client can communicate with any client or core since 0.5.2, which was released in 2009 :)

                                                                                                                        1. 1

                                                                                                                          I have never really had an issue with the connection. It has had a few hiccups every now and then, but I have never bothered to spend time debugging it as it could be anything from my server throwing a fit, PostgreSQL doing a thing, certificate renewals via Let’s Encrypt or just some network buggery going on. All problems I have had have all disappeared in seconds as well, further making me not bother to deal with it :P

                                                                                                                          Might be an issue for some, but I have never had much of a problem.

                                                                                                                        2. 4

                                                                                                                          What are those kinks you feel need to be polished? I’d love to hear about them, so we can actually start working on improving them :)

                                                                                                                          1. 3

                                                                                                                            Cool to see you around here as well! I hang around on the IRC for when I need to get some help :)

                                                                                                                            My biggest peeve is honestly the documentation and the convoluted setup of the core. My core is probably a bit outdated because I really don’t want to deal with the upgrade as I would have to figure out way too much stuff again. Here’s a few things that could be better about it though:

                                                                                                                            • Setting up the database is documented on the website, but I don’t see why it couldn’t just have been a script?
                                                                                                                            • Why is there a commandline switch to select the backend when you also have to provide a config file? Couldn’t it be specified there so the service setup would be simpler?
                                                                                                                            • User administration is a bit of a drag to deal with. Adding a user is simple enough (commandline switches like that is a bit of a pain, but I can manage), but managing them requires dealing with the database directly (deleting for example).
                                                                                                                            • It would be nice if more settings were synced between the clients, like the chat monitors and the input widget for example. Having to configure that every time is a bit of a pain. Also, it would be nice if the stylesheet would be synchronized between the clients.
• Also, push notifications while disconnected would be nice, but I realize this isn’t completely straightforward to do.

                                                                                                                            And a few words of praise!

                                                                                                                            • The documentation on the website has improved greatly since I used it last. There are many things there that weren’t around when I tinkered with it last time. Good job on that :)
                                                                                                                            • The client <-> core solution works very well in general. I feel this solution is way better than any other IRC client/bouncer combos I have ever used. It’s painfree to hop between clients.
• Everyone on the IRC channel is very helpful and whenever I have asked about things I have gotten a decent answer, and even had some of the issues I brought up fixed in the next version; like being able to reload the core for SSL cert renewals.

1. 2

                                                                                                                              Why is there a commandline switch to select the backend when you also have to provide a config file? Couldn’t it be specified there so the service setup would be simpler?

The command line switch automatically migrates between databases, while the config (or the new ENV variables) doesn’t automatically migrate, but only uses that database.

                                                                                                                              Setting up the database is documented on the website, but I don’t see why it couldn’t just have been a script?

                                                                                                                              That’s actually planned, but we haven’t had time for that so far.

                                                                                                                              User administration is a bit of a drag to deal with. Adding a user is simple enough (commandline switches like that is a bit of a pain, but I can manage), but managing them requires dealing with the database directly (deleting for example).

                                                                                                                              That’s long been planned, but as you all know, we don’t have enough volunteers, and not enough time.

Also, push notifications while disconnected would be nice, but I realize this isn’t completely straightforward to do.

That’s actually my #1 priority right now (due to Quasseldroid), and it’s almost done! So you should see that within 2020 :)

                                                                                                                              1. 3

                                                                                                                                Don’t get me wrong! I know you are all working hard on it and I see the progress all the time :)

                                                                                                                                When I said this:

                                                                                                                                I just wish there was a bit more development on it to polish out the kinks.

                                                                                                                                I was pretty much referring to what you say here:

                                                                                                                                but as you all know, we don’t have enough volunteers, and not enough time.

                                                                                                                                It’s really getting there :)

                                                                                                                      1. 5

                                                                                                                        I self host these user-facing services:

                                                                                                                        1. Seafile for cloud storage, with each user (me, my partner, some close friends) having their own accounts, and some shared libraries
                                                                                                                        2. Jellyfin for audio/video/ebooks, with the shared libraries from seafile mounted into jellyfin (don’t ask how, it’s hacky)
                                                                                                                        3. GitLab for git and container registry, as well as CI
                                                                                                                        4. A veeeery custom mailu solution, for mail
                                                                                                                        5. Rainloop for webmail
                                                                                                                        6. Quassel core for IRC
                                                                                                                        7. A custom image host, which actually scales images gamma correct
                                                                                                                        8. Websites and fdroid repos for my own projects
                                                                                                                        9. Minecraft
                                                                                                                        10. Some IRC bots
11. API proxies for e.g. German railway APIs (German railway APIs are almost all exclusively horrifyingly painful XML with no namespace and single-letter names and arrays-in-attributes, my proxies provide the same APIs, but as nice, English JSON with standard formats and timestamps)

                                                                                                                        using the following infrastructure services:

                                                                                                                        1. Keycloak for auth for everything
                                                                                                                        2. Postgres for database, redis for job queues and caches
3. Minio, an S3 clone, for storage
                                                                                                                        4. PowerDNS for DNS and reverse zones
                                                                                                                        5. Prometheus, Loki and Grafana for monitoring and metrics

                                                                                                                        and quite some more :)

                                                                                                                        All of this is running on a self-hosted kubeadm-created kubernetes cluster

                                                                                                                        (Almost) everything uses keycloak SSO for auth (soon it’s gonna be everything), and actually everything uses postgres for database, the same S3 for storage, and redis as cache and job queue. Combined with the unified metrics, monitoring and logging solution it’s actually quite nice to work with.

Regarding email, I actually am 100% trusted and never considered spam for all mail hosts except Outlook. Google, Yahoo, Fastmail, etc all handle it fine, with Outlook it’s just a matter of training, I’ve started chatting with some friends who have Outlook, instead of through e.g. IRC, almost exclusively through email in recent weeks, and asked them to mark each email as “not spam”, to help train Outlook’s spam filter :)

                                                                                                                        1. 14

                                                                                                                          Advice: avoid reading the comments.

                                                                                                                          1. 5

                                                                                                                            What a ride. These people are fanatics.

                                                                                                                            1. 3

                                                                                                                              There is one I sort of agree with, which is that the downside is fragmentation with every bank implementing their own thing and then trying to force use of it. So instead of today where there’s a small number of widely-deployed options for mobile payment and most people have access to a way to do one of them, you’ll have to either go back to using a physical card, or else hunt around for the one place that works with the FirstBankOfEastPodunkPay™ app because that bank refuses to authorize any other mobile payment system.

                                                                                                                              1. 15

                                                                                                                                In Germany, that’s not an issue, there’s already a payment system they’re going to use.

                                                                                                                                Basically, the banks cooperatively developed a card and payment system (over 15 years ago, actually), which is now girocard/EC, which ends up with only 0.125% total end-to-end fees¹, chip+PIN since 2004 and very fast transactions. Obviously, this is much cheaper for the banks and merchants than VISA or MasterCard, and was the reason why for many years merchants such as ALDI only accepted this system.

                                                                                                                                Girocard/EC also has an NFC standard, girogo, also with significantly lower fees than PayPass or PayWave, and is supported with basically all terminals in Germany.

                                                                                                                                Girocard/EC is extremely popular, 3-4 times more popular than VISA/MasterCard credit/debit cards in Germany, and basically everyone has them.

                                                                                                                                So it’s quite likely we’ll just end up with German banks simply using the payment network they already own ;)


                                                                                                                                ¹ Comparatively, VISA/MasterCard used to be around 2-3%, now forced by the EU to lower those to 0.2%; cash payments end up around 0.2% at the scale of merchants due to processing, transport, etc. This actually led to some places, such as official agencies in some cities, only taking girocard/EC payment, not any other cards nor cash.
                                                                                                                                1. 8

                                                                                                                                  So it’s quite likely we’ll just end up with German banks simply using the payment network they already own ;)

                                                                                                                                  Sorry, but banking/payment in Germany sucks. If you are at bank A, you have to pay a fee if you use an ATM of bank B. This often led to the bizarre situation (my wife is German and we lived in Germany for 5 years) where Germans have to go to another ATM to avoid transaction fees, while I can get cash anywhere with my Dutch card without extra fees. In the Netherlands there is also one system, but you never pay fees, regardless of which bank’s ATM you use.

                                                                                                                                  Unrelated, but don’t get me started on card payments in Germany. All the small shops, like bakeries expect you to pay cash. In supermarkets, you can pay with a card, but very often they don’t use PINs. But you have to hand over your card and literally sign a paper sheet, and then the cashier compares your signature to that on your card. Except for the internet banks (such as ING), the internet banking sites are absolutely horrible. At some point we were with Sparkasse and the password for internet banking was literally a 4-digit PIN. Transferring money from one account to another can take days. For every small thing (like ‘unlocking’ payment in more countries) you had to go to a bank office.

                                                                                                                                  Meanwhile we are back in The Netherlands. I never carry cash and I don’t even need a wallet, because I can pay contactless everywhere with my phone, watch, or card. Transfers are (nearly) immediate. We split the bills and pay them with ‘Tikkie’ over WhatsApp/iMessage.

                                                                                                                                  1. 4

                                                                                                                                    I’ve been getting back into using cash lately. I can’t trust the data collecters not to abuse my payment history, and if switching to cash slows its decline a little bit, that’s great.

                                                                                                                                    1. 4

                                                                                                                                      If you are at bank A, you have to pay a fee if you use an ATM of bank B.

                                                                                                                                      They pretty much bundled up into 3 networks now, so you have a 1:3 chance to run into the right shop. Or you share your money transactions with the whole world by using a credit card that is now often “free” with German accounts as well, getting the same trade-off you have with foreign credit cards (free ATMs, no privacy due to the card issuer).

                                                                                                                                      Credit cards weren’t popular in Germany for a long time due to their excessive fees, so merchants didn’t support them. EC (the local system) was better, but cash is still the only free option. EU regulations forced credit card issuers to drop their fees to more attractive levels and suddenly they’re getting supported by everybody. Who would have thought?

                                                                                                                                      In supermarkets, you can pay with a card, but very often they don’t use PINs.

                                                                                                                                      The background to that is that signatures are used for offline transactions which work with less effort in the backend. Getting less common these days because supermarkets carry more risk on them compared to online transactions (that use PINs), so it’s really just a fallback when the terminal can’t connect to the servers. Contactless options are increasingly accepted without any authentication at all below a certain value (20-50€, depending on the bank).

                                                                                                                                      Transferring money from one account to another can take days.

                                                                                                                                      Transfers now have to clear next bank day (Mo-Fr) at the latest, but usually happen faster. I last encountered transfers that take days in 2005 or so.

                                                                                                                                      I can pay contactless everywhere with my phone, watch, or card

                                                                                                                                      Given that some of the experiences you report sound rather outdated to me, I wonder if you’re comparing apples to apples here. There were no cards, watches or phones that could have paid contactless in 2005.

                                                                                                                                      1. 0

                                                                                                                                        I don’t think they are outdated. I lived in Germany until August last year and this is based on my experiences in Germany (Baden-Württemberg) from 2013-2018.

                                                                                                                                        1. 2

                                                                                                                                          Maybe you were just with a shitty bank? I’m sure the Netherlands also have shitty banks, but I literally haven’t had any of your experiences ever since using cards or transfers for payment, and that was since 2014.

                                                                                                                                          1. 2

                                                                                                                                            I live in Berlin and this is also my experience. It is getting marginally better, some places are starting to accept cards, but you cannot rely on your EC card or Visa/Mastercard to get around.

                                                                                                                                            Online banking is still a joke, but has been getting better, probably due to some pressure from competitors like Number26.

                                                                                                                                            I also don’t understand how so many people here don’t want to use cards because of privacy reasons, but they are happy to give their private data to Facebook and its companies (WhatsApp, Instagram, etc.).

                                                                                                                                            1. 2

                                                                                                                                              I also don’t understand how so many people here don’t want to use cards because of privacy reasons, but they are happy to give their private data to Facebook and its companies (WhatsApp, Instagram, etc.).

                                                                                                                                              Why are you assuming they are using these services?

                                                                                                                                              1. 2

                                                                                                                                                I am not assuming; I know from people I talk to. I didn’t mean to answer the person in this thread that mentioned that.

                                                                                                                                              2. 2

                                                                                                                                                I also don’t understand how so many people here don’t want to use cards because of privacy reasons, but they are happy to give their private data to Facebook and its companies (WhatsApp, Instagram, etc.).

                                                                                                                                                For what it’s worth (since I brought up privacy upthread), I’m not using Facebook’s services, and very limited Google services despite working there (and I soothe my privacy concerns with the fact that I can see how the sausage is made).

                                                                                                                                          2. 3

                                                                                                                                            As a German living in the Netherlands now, I agree with all of the above.

                                                                                                                                            1. 2

                                                                                                                                              But you have to hand over your card and literally sign a paper sheet, and then the cashier compares your signature to that on your card.

                                                                                                                                              That’s actually technically not allowed; the merchants still do it because they’re cheap, but it means 100% of the risk is on the merchant.

                                                                                                                                              For every small thing (like ‘unlocking’ payment in more countries) you had to go to a bank office.

                                                                                                                                              Never had that, was at a bank office 3 times in my life, once when the account was opened, once when it was turned from a child to an adult account, and once when I moved across states.

                                                                                                                                              Transferring money from one account to another can take days

                                                                                                                                              Literally wrong, as per SEPA rules 24 hours has been the max for years, and thanks to SEPA-ICT almost all banks offer up to 15’000€ in under 15 seconds, and I’m using this quite frequently.

                                                                                                                                              I never carry cash and I don’t even need a wallet, because I can pay contactless everywhere with my phone, watch, or card. Transfers are (nearly) immediate

                                                                                                                                              And you pay 2% extra for everything, as that’s the fees Mastercard/VISA collect, which ends up for an average household being a 40€/month fee. If this wasn’t a hidden fee, but actually visible to you, pretty much no one would use it anymore.

                                                                                                                                              1. 1

                                                                                                                                                No, I am not paying 2% extra. I am literally paying what the product/bill costs, no extra cost. Apple Pay is not associated with our credit card, but directly with the bank account (debit card). In fact, I can even switch on the fly from which of the (possible) 20 IBANs the debit card/Apple Pay should subtract from.

                                                                                                                                                I don’t care that I am indirectly paying for it, because everyone is. There is no difference in cost for me in using or not using Apple Pay.

                                                                                                                                                1. 2

                                                                                                                                                  And that’s exactly the tragedy of the commons: everyone only looking out for their own benefit, and as result, everyone being worse off.

                                                                                                                                                  It makes sense for you, personally, but for us, as society, it’s absolutely the wrong solution. And it’s the reason why this can’t be fixed by the market, but has to be fixed through laws, e.g. by banning credit card fees, or creating an EU-funded card network directly.

                                                                                                                                                  Alternatively, we could have a law forcing people to pay the fee associated with their payment method directly – you’d also suddenly start using cheaper card systems or cash again if you’d save 2% on everything.

                                                                                                                                                2. 1

                                                                                                                                                  That’s actually technically not allowed, the merchants still do it because they’re cheap, but it means 100% of the risk is on the merchant.

                                                                                                                                                  I don’t know if it’s not allowed, but it happens to me at least every week.

                                                                                                                                                  Never had that, was at a bank office 3 times in my life, once when the account was opened, once when it was turned from a child to an adult account, and once when I moved across states.

                                                                                                                                                  I currently have my account blocked because I pressed the wrong button on the UI. Have to go to the bank now.

                                                                                                                                                  Literally wrong, as per SEPA rules 24 hours has been the max for years, and thanks to SEPA-ICT almost all banks offer up to 15’000€ in under 15 seconds, and I’m using this quite frequently.

                                                                                                                                                  I don’t think it’s 24 hours, it’s a business day and only counts before 15:00 or something like that. But this is true, if you transfer before 15:00 it will be on the other account the next day.

                                                                                                                                                  And you pay 2% extra for everything, as that’s the fees Mastercard/VISA collect, which ends up for an average household being a 40€/month fee. If this wasn’t a hidden fee, but actually visible to you, pretty much no one would use it anymore.

                                                                                                                                                  I don’t think this is how prices work. If they didn’t have that 2% fee do you think merchants would just lower their prices? Or they would use it for profit or some other investment? I think it would just mean the money would go somewhere else but it’s not certain it would go to the customer.

                                                                                                                                                  1. 1

                                                                                                                                                    If they didn’t have that 2% fee do you think merchants would just lower their prices?

                                                                                                                                                    Look at the price pressure on the German market, and you’ll realize, yes they would.

                                                                                                                                                    Profit margins in grocery in most countries are in the double digits, some German grocery store chains have profit margins in the sub-single-digit range. The market is heavily fought over, and if a merchant could reduce their price even a half percent in any possible way, they would.

                                                                                                                                        1. 19

                                                                                                                                          I’m glad to hear that. I’ve been using Gentoo since 2012 and I really appreciate their dedication towards init-system diversity.

                                                                                                                                          The Debian developers were optimistic and kind-hearted in regard to systemd, hoping that it would not expand further despite having a monopoly. The systemd developers seized more and more control, suffocating more and more aspects of the user space below it.

                                                                                                                                          Does systemd work? Yes. Does it work better than sysvinit? Definitely. But this is not the point! The point is that it should not matter which init system you run when trying to run a desktop environment or something else high in user space. Systemd has become too complicated and a huge baggage. Another matter is that systemd drastically increases Red Hat’s influence on the Linux ecosystem in general. Wasn’t pulseaudio enough?

                                                                                                                                          The approach to possibly adopt elogind is a good thing. It brings many technological advances brought by systemd, but keeps it manageable and well-separated; as it should be.

                                                                                                                                          1. 11

                                                                                                                                            I read this the other way around, more as a move that might end token init-system diversity because it’s a large burden with few people interested in doing the work. (Which, might be argued, proves the point of those claiming systemd’s non-modular approach results in “embrace extend extinguish”.)

                                                                                                                                            1. 6

                                                                                                                                              Systemd has become too complicated and a huge baggage.

                                                                                                                                              I was thinking about this recently, and was surprised to realize that there hasn’t ever been a major fork or reimplementation of systemd, despite Lennart claiming that the concept is modular…

                                                                                                                                              1. 6

                                                                                                                                                There is, e.g. elogind is a fork of systemd-logind.

                                                                                                                                                Or what would you consider “fork”? After all “systemd” is just like “KDE” or “OpenBSD”, a project developing on many different pieces of software, so it’s not like you can fork it — you can fork individual parts, like you can fork KDE’s Plasma desktop, or systemd’s login daemon, or OpenBSD’s SSH server.

                                                                                                                                                1. 2

                                                                                                                                                  There was uselessd and a few others I can’t find now. They’re all abandoned though.

                                                                                                                                                  https://github.com/abandonware/uselessd

                                                                                                                                              1. 2

                                                                                                                                                “Owning” your step count — an interesting question would be, how would you collect this data yourself directly on the devices, and log it to your own servers, without interruption, and without relying on Google for it?

                                                                                                                                                Because right now, it seems as if Google has closed pretty much any APIs for this use case, and apps can only get step data while they’re in foreground, not total step data nor anything else.

                                                                                                                                                1. 2

                                                                                                                                                  Maybe use a device that’s not tied to Google (or any other vendor)?

                                                                                                                                                1. 4

                                                                                                                                                  Assuming your domain is constantine.su, I wonder whether the issue might be a combination of:

                                                                                                                                                  1. 4

                                                                                                                                                    Hetzner

                                                                                                                                                    Oh boy. Possibly related, possibly unrelated, but at work recently we had to block an entire IP range from Hetzner due to misbehaving crawlers that were not respecting various robots.txt rules and nofollow on internal links. There is a chance that there are probably some legitimate IPs in that range, but not worth the BS we were getting from those crawlers.

                                                                                                                                                    Also seconding your recommendation of rDNS. It has been essential for many, many years now.

                                                                                                                                                    1. 9

                                                                                                                                                      Well in that case you won’t get my mails, or be able to interact with any of my services, or update Quasseldroid.

                                                                                                                                                      Hetzner is one of the few hosters offering dedicated hosting powered with fully renewable energy, and one of the few hosters actually handling abuse reports correctly (as in, not terminating service from any abuse report, but only from court orders, which is useful behavior if you’re getting SWATed by internet trolls, who’ve also found they can use abuse reports for the same purpose).

                                                                                                                                                      1. 4

                                                                                                                                                        +1 for Hetzner. Their support and service is great! I’m using them as well because of their use of renewable energy. Changed from Linode a while back.

                                                                                                                                                        1. 3

                                                                                                                                                          They also aren’t crooks like some of their competitors. I’ve had Scaleway (Online SAS) increase prices for old dedicated servers without much advance notice, either; which is really a shame, because the only reason I bought the server was a low price (one of them I didn’t even have powered on, apparently). OVH appears to have played similar games as well. Hetzner does the opposite for long-term customers.

                                                                                                                                                        2. 2

                                                                                                                                                          Not to worry, I will still get your mail and all the rest!

                                                                                                                                                          AFAIK the block was on various front-end web services. I do not think it even applies to API instances, just those serving up full web pages. So you couldn’t access the various websites from a script that is deployed to Hetzner. And I suppose if you did mail a web instance, it wouldn’t receive them, but the IP block wouldn’t be the only reason for that.

                                                                                                                                                          Also good to hear another anecdote on Hetzner as a host. Aside from your comment, my only exposure to them is as the host of a hive of over-aggressive and poorly-configured crawlers over the last year.

                                                                                                                                                          I shared my anecdote because it might be relevant to the article’s main concern: If we had to block one of their IP ranges for web traffic, it is conceivable that other entities have blocked them for email.

                                                                                                                                                        3. 1

                                                                                                                                                          Oh that’s unfortunate. They’re a good host. I only moved off them because they finally stopped offering the VPS I was on after seven years.

                                                                                                                                                        4. 5

                                                                                                                                                          No, I’ve never used that domain for mail; it’s too long.

                                                                                                                                                          • Note that this is not a TLD issue, either, because only one of my domains is affected by “low reputation”, the other ones in the very same TLD are not. This has been 100% reproducible over the last few weeks.

                                                                                                                                                          • Hetzner IP space is not involved here, either — none of these rejects or accepts were over Hetzner IP space. Regardless, you’re ignoring the fact that Google has blacklisted a specific domain name, not the IP address which I’m using, because the very same IP address with the very same email body and the very same TLD, just a different (rarely-used) domain itself in From and MAIL FROM, gets accepted by Gmail, and doesn’t even end up in the Spam folder, either — goes straight to Inbox. Again, this has been reproducible 100% in the last few weeks. And just because some users report issues with their newly purchased servers at a huge provider like Hetzner doesn’t mean that it’s something that’s not supported or isn’t supposed to work. Of course, with enough volume and enough churn, some individual IPs may become blacklisted, which doesn’t mean that it’s representative for the whole space.

                                                                                                                                                          • And let’s not get all McCarthyism here on Lobsters, shall we? All those stories from 2013 about .su being used for spam and scam have zero credence, and are built around some scammer from abuse.ch shopping the very same story across multiple venues, going as far as Fox News (reprinting AP, I guess). Their suggestion on their own blog at the time was to completely block .su. (I don’t recall ever communicating with anyone from .ch. Should I maybe block .ch? Why don’t we all just block and blacklist each other?) And even if you disregard the potential bias of these databases and unclear methodologies, .su is still one of the cleanest TLDs out there, especially for how many domain name registrations it has. Your own Spamhaus link reports .us at 33% bad (ouch!), .biz at 24%, .cn at 18,4%, so, .su at 11,5% bad comes out pretty clean in comparison (.com and .net are between 4 and 5%, which is hardly very clean, either, especially given the absolute numbers). This is even if you disregard the potential bias of their methodologies in the first place.

                                                                                                                                                          1. 2

                                                                                                                                                            I just re-read your email and it looks like the sequence of events is this:

                                                                                                                                                            • you configured your server to forward mail from your primary domain to your free GMail account
                                                                                                                                                            • GMail began thinking a significant portion of emails from your domain were malicious
                                                                                                                                                            • after a few months of this happening, GMail began blocking emails from your domain

                                                                                                                                                            I can see how this situation suggests that there should be an easy way to get your domain unblocked. I also can see why Google doesn’t make it easy for actual malicious actors.

                                                                                                                                                            I ran my own email server (on a VPS provider with as many reputation issues as Hetzner) for more than a decade. I stopped not because my emails were being sent to spam or were being rejected, but because running your own email server correctly is hard. I think I can assume you weren’t running an open relay and had SPF and DKIM set up correctly, but without knowing the domain (which you didn’t mention in your original email and haven’t mentioned here) or the contents of the messages you were forwarding to GMail, it’s impossible for anyone to state that Google is overreaching by not accepting email from your domain.

                                                                                                                                                            1. 2
                                                                                                                                                              • The server has been forwarding the mail and running cron jobs for many years. Same domain, same IP, same recipient Gmail account. It’s not actually a free Gmail, BTW, because I was duped into believing that the mailbox size is infinite, whereas it has stopped growing at 15GB; so, due to all the mailing list archives, I now have to pay 1,99 USD/mo to be able to continue to receive new mail.

                                                                                                                                                              • In a newly added cron job a couple of months back, I’ve started sending myself a list of a few dozen domain names which I don’t control over to my Gmail. This has been done exclusively to my own Gmail address. How could you possibly classify a few dozen plaintext domain names as malicious in a clean room?

                                                                                                                                                              • You make it a point that I’ve been sending these “malicious” emails for a “few months”, but you’re ignoring the fact that they aren’t actually malicious, nor were these the only emails that were being sent. How was I even supposed to know that one or two of these emails daily, in the presence of dozens of emails not so marked, would turn my domain name into having a persistent “low reputation”?

                                                                                                                                                              BTW, I do not actually use DKIM, but do use SPF and DMARC; note that these rejected emails do pass both SPF and DMARC; DMARC requires either SPF or DKIM to pass with domain alignment in order to generate a DMARC pass. My forwarding doesn’t appear to mangle existing DKIM signatures, but it would seem that even those emails are rejected, too. (However, emails from my own secondary domains without DKIM but with an SPF pass do get through.)
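The comment above states the DMARC rule the whole sub-thread turns on: DMARC passes when either SPF or DKIM passes and the passing identifier is aligned with the From domain. The following is an added example, not code from the thread or from any participant, that evaluates that rule for a few constructed messages, including the forwarding case (SPF breaks, an intact DKIM signature still carries DMARC) and the strict-versus-relaxed alignment difference. It assumes a two-label approximation of the organizational domain for relaxed alignment; a real receiver must use the Public Suffix List. All domains and records are constructed sample values.

```python
"""Added example: DMARC outcome from SPF and DKIM results (RFC 7489 logic).

Assumption (labelled): org_domain() takes the last two labels as the
organizational domain. Production code must use the Public Suffix List,
otherwise suffixes like co.uk are mis-handled.
"""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_dmarc_record(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("adkim", "r")  # RFC 7489 defaults: relaxed alignment
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    # Labelled approximation, see module docstring.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    a, b = identifier.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    from_domain: str            # domain of the RFC5322.From header
    mail_from_domain: str       # envelope MAIL FROM domain, what SPF authenticates
    spf_result: str             # "pass", "fail", "none", ...
    dkim_domain: Optional[str]  # d= of the DKIM signature that was checked
    dkim_result: str            # "pass", "fail", "none"


def evaluate_dmarc(r: AuthResults, record: str) -> Dict[str, object]:
    """Return the DMARC result and the policy a receiver would apply."""
    tags = parse_dmarc_record(record)
    spf_aligned = r.spf_result == "pass" and aligned(
        r.mail_from_domain, r.from_domain, tags["aspf"])
    dkim_aligned = (r.dkim_result == "pass" and r.dkim_domain is not None
                    and aligned(r.dkim_domain, r.from_domain, tags["adkim"]))
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # the p= tag only matters when DMARC fails
        "policy_applied": "none" if passed else tags.get("p", "none"),
    }


# Constructed sample messages (not real traffic).
DIRECT_SPF_ONLY = AuthResults("example.su", "example.su", "pass", None, "none")
FORWARDED_DKIM_INTACT = AuthResults("sender.example", "fwd.example.su", "pass",
                                    "sender.example", "pass")
FORWARDED_NO_DKIM = AuthResults("sender.example", "fwd.example.su", "pass", None, "none")
SUBDOMAIN_ENVELOPE = AuthResults("example.su", "mail.example.su", "pass", None, "none")

if __name__ == "__main__":
    for name, msg, rec in [
        ("direct, SPF only", DIRECT_SPF_ONLY, "v=DMARC1; p=reject"),
        ("forwarded, DKIM intact", FORWARDED_DKIM_INTACT, "v=DMARC1; p=reject"),
        ("forwarded, no DKIM", FORWARDED_NO_DKIM, "v=DMARC1; p=reject"),
        ("subdomain envelope, strict SPF", SUBDOMAIN_ENVELOPE, "v=DMARC1; p=quarantine; aspf=s"),
        ("subdomain envelope, relaxed SPF", SUBDOMAIN_ENVELOPE, "v=DMARC1; p=quarantine"),
    ]:
        print(f"{name:34s} -> {evaluate_dmarc(msg, rec)}")
```

The third case is the one forwarding setups hit: the forwarder's envelope domain passes SPF but is not aligned with the original From domain, so without a surviving DKIM signature DMARC fails and the sender's `p=` policy is applied.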

                                                                                                                                                          2. 1

                                                                                                                                                            Just as a semi-relevant data point, I send bulk mail from a server hosted at Hetzner and Gmail doesn’t block that. Gmail blocked that mail at the start and so did several others, because the server’s IPv4 address had been used for all kinds of evil things (the previous customer ran an unpatched wordpress site and was 0wned). But then I

                                                                                                                                                            • investigated each and every 4xx and 5xx SMTP response, and took care of every problem
                                                                                                                                                            • signed everything with DKIM and added an explicit SPF yes
                                                                                                                                                            • made the hostnames match, even ones that shouldn’t need to

                                                                                                                                                            It took a month or two for the old reputation to age away, and investigating every SMTP transaction for bulk mail was tedious, but the mail has been flowing smoothly since. I don’t know what OP is doing, but “being hosted at Hetzner” isn’t a problem in itself, even if you start with your IPv4 address on a half-dozen blacklists.

                                                                                                                                                            1. 1

                                                                                                                                                              It took a month or two for the old reputation to age away

                                                                                                                                                              You don’t really have to do that, BTW. I think it’s pretty standard practice for providers to exchange the IP address in case you get one that’s burned and where it’s an issue for you (it might as well not be for their next customer).

                                                                                                                                                              1. 1

                                                                                                                                                                It’s not much time, anyway, and mostly overlapped with the time to investigate other possible problems. No one had checked the recipient list, for a start.

                                                                                                                                                          1. 0

                                                                                                                                                            Note:

                                                                                                                                                            When submitting a URL, the text field is optional and should only be used when additional context or explanation of the URL is needed. Commentary or opinion should be reserved for a comment, so that it can be voted on separately from the story.

                                                                                                                                                            1. 5

                                                                                                                                                              Dear WilhelmVonWeiner

                                                                                                                                                              Thank you for the comment. I’m new to this community and therefore it is my turn to learn the rules of this community. Therefore, I’m very grateful to any hints.

                                                                                                                                                              Having said this, I did read the guidelines before posting. And, from personal experience, I would claim that most people wouldn’t know what this post is about just from the title. Hence, I added some context to the submission. It’s neither commentary nor opinion. In fact, the context that I provided is verbatim the very beginning of the blog post.

                                                                                                                                                              Did I go wrong in my assumption that people won’t understand with more context or with the implementation that I added context by copying the beginning of the post? Or, did I read the guidelines correctly?(;

                                                                                                                                                              1. 8

                                                                                                                                                                Some people prefer to have a summary or excerpt (as you did) before going to the linked article, some others do not.

                                                                                                                                                                In any case, if you are quoting from the article it would be good to mark it as quoted text, by prefixing it with “>” as documented in the “Markdown formatting available” link under the input box when you are composing your post.

                                                                                                                                                                1. 3

                                                                                                                                                                  That sounds very reasonable! I’ll do that in the future. Thank you 🙏

                                                                                                                                                                2. 2

                                                                                                                                                                  The contents of the post should stand on their own. There’s no need to summarize or repeat its content.

                                                                                                                                                                  The text field is appropriate if the title is, for example “I’m over the moon today!” and the actual contents refer to, for example, a long-awaited release of a software project relevant to this site. Even so, information like the domain name and the tags will give context.

                                                                                                                                                                3. 3

                                                                                                                                                                  The text here is taken 1:1 from the article, so while an unusual use of the text field, I’d argue that it doesn’t need to be separated from the story.

                                                                                                                                                                  1. 4

                                                                                                                                                                    Plus the site has really terrible contrast and this helps. :)

                                                                                                                                                                    1. 3

                                                                                                                                                                      It’s not that unusual - it’s a fairly common practice to excerpt what you feel is the key paragraph of an article to let people know whether it’s worth their reading (and to serve as a tl;dr for people who don’t).

                                                                                                                                                                      1. 2

                                                                                                                                                                        Since you’re the oldest user of lobste.rs with the most karma in this thread, I’m happy to hear your take on this. I’m especially happy to hear that it seems that I didn’t violate the qualitative standard on my second post(;

                                                                                                                                                                        Thank you for adding your thoughts!

                                                                                                                                                                      2. 2

                                                                                                                                                                        So what’s the point in linking an article at all?

                                                                                                                                                                    1. 7

                                                                                                                                                                      Well, some of us are in this category (as the article points out):

                                                                                                                                                                      If you’re building API services that need to support server-to-server or client-to-server (like a mobile app or single page app (SPA)) communication, using JWTs as your API tokens is a very smart idea. In this scenario:

                                                                                                                                                                      • You will have an authentication API which clients authenticate against, and get back a JWT
                                                                                                                                                                      • Clients then use this JWT to send authenticated requests to other API services
                                                                                                                                                                      • These other API services use the client’s JWT to validate the client is trusted and can perform some action without needing to perform a network validation

                                                                                                                                                                      so JWT is not that bad. Plus, it is refreshing to visit a website that says ‘there are no cookies here’… in their privacy policy.

                                                                                                                                                                      1. 17

                                                                                                                                                                        Plus, it is refreshing to visit a website that says ‘there are no cookies here’… in their privacy policy.

                                                                                                                                                                        The EU “Cookie Law” applies to all methods of identification — cookies, local storage, JWT, parameters in the URL, even canvas fingerprinting. So it shouldn’t have any effect on the privacy policy whatsoever.

                                                                                                                                                                        1. 9

                                                                                                                                                                          You still can use sessions with cookies, especially with SPA. Unless the JWT token is stateless and short lived you should not use it. Also JWT isn’t the best design either as it gives too much flexibility and too many possibilities to misuse. PASETO tries to resolve these problems with versioning protocol and reducing the number of possible hashes/encryption methods.

                                                                                                                                                                          1. 1

                                                                                                                                                                            Why shouldn’t you use long lived JWTs with a single page application?

                                                                                                                                                                            1. 4

                                                                                                                                                                              Because you cannot invalidate that token.

                                                                                                                                                                              1. 6

                                                                                                                                                                                Putting my pedant hat on: technically you can, using blacklists or swapping signing files, but that then negates the benefit of encapsulating a user “auth key” into a token because the server will have to do a database lookup anyway and by that point might as well be a traditional cookie backed session.

                                                                                                                                                                                JWTs are useful when short lived for “server-less”/lambda APIs so they can authenticate the request and move along quickly but for more traditional things they can present more challenges than solutions.

                                                                                                                                                                                1. 7

                                                                                                                                                                                  Putting my pedant hat on: technically you can, using blacklists or swapping signing files, but that then negates the benefit of encapsulating a user “auth key” into a token because the server will have to do a database lookup anyway and by that point might as well be a traditional cookie backed session.

                                                                                                                                                                                  Yes, that was my point. It was just a mental shortcut: if you do that, then there is no difference between “good ol’” sessions and using JWT.

                                                                                                                                                                                  Simple flow chart.

                                                                                                                                                                                  1. 1

                                                                                                                                                                                    Except it is not exactly the same since losing a blacklist database is not the same as losing a token database for instance. The former will not invalidate all sessions but will re-enable old tokens. Which may not be that bad if the tokens are sufficiently short-lived.

                                                                                                                                                                                    1. 1

                                                                                                                                                                                      Except “reissuing” old tokens has much less impact (at most your clients will be a little annoyed) than allowing leaked tokens to be valid again. If I were a client I would much prefer the former to the latter.

                                                                                                                                                                          2. 5

                                                                                                                                                                            One of my major concerns with JWTs is that retraction is a problem.

                                                                                                                                                                            Suppose that I have the requirement that old authenticated sessions have to be remotely retractable, then how on earth would I make a certain JWT invalid without having to consult the database for “expired sessions”.

                                                                                                                                                                            The JWT to be invalidated could still reside on the devices of certain users after it has been invalidated remotely.

                                                                                                                                                                            The only way I could think of, is making them so short-lived that they expire almost instantaneously. Like in a few minutes at most, which means that user-sessions will be terminated annoyingly fast as well.

                                                                                                                                                                            If I can get nearly infinite sessions and instant retractions, I will gladly pay the price of hitting the database on each request.

                                                                                                                                                                            1. 8

                                                                                                                                                                              JWT retraction can be handled in the same way that a traditional API token would; you add it to a black list, or in the case of a JWT a “secret” that it’s signed against can be changed. However both solutions negate the advertised benefit of JWTs or rather they negate the benefits I have seen JWTs advertised for: namely that it removes the need for session lookup on database.

                                                                                                                                                                              I have used short lived JWTs for communicating with various stateless (server-less/lambda) APIs and for that purpose they work quite well; each endpoint has a certificate they can check the JWT validity with and having the user’s profile and permissions encapsulated means not needing a database connection to know what the user is allowed to do; a 60s validity period gives the request enough time to authenticate before the token expires while removing the need for retraction.

                                                                                                                                                                              I think the problem with JWTs is that many people have attempted to use them as a solution for a problem already better solved by other things that have been around and battle tested for much longer.

                                                                                                                                                                              1. 7

                                                                                                                                                                                However both solutions negate the advertised benefit of JWTs or rather they negate the benefits I have seen JWTs advertised for: namely that it removes the need for session lookup on database.

                                                                                                                                                                                I think the problem with JWTs is that many people have attempted to use them as a solution for a problem already better solved by other things that have been around and battle tested for much longer.

                                                                                                                                                                                This is exactly my main concern and also the single reason I haven’t used JWTs anywhere yet. I can imagine services where JWTs would be useful, but I have yet to see or build one where some form of retraction wasn’t a requirement.

                                                                                                                                                                                My usual go-to solution is to generate some 50-100 characters long string of gibberish and store that into a cookie on the user’s machine and a database table consisting of <user_uuid, token_string, expiration_timestamp> triples which is then joined with the table which contains user-data. Such queries are usually blazing fast and retraction then is a simple DELETE-query. Also: Scaling usually isn’t that big of a concern as most DBMS-systems tend to have the required features built-in already.

                                                                                                                                                                                Usually, I also set up some scheduled event in the DBMS which deletes all expired tokens from that table periodically. Typically once per day at night, or when the amount of active users is low. It makes for a nice fallback just in case some programming bug inadvertently creeps in.

                                                                                                                                                                                But I guess this was the original author’s point as well.
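The session scheme described in the comment above (random token in a cookie, a `<user_uuid, token_string, expiration_timestamp>` table joined against user data, `DELETE` for retraction, a periodic purge of expired rows) as an added, runnable example. This is not the commenter's code; it uses SQLite in memory and Python's `secrets` module, and it deviates from the comment in one labelled way: it stores a SHA-256 of the token rather than the token itself, so that a read of the table does not yield usable cookies. User records and timestamps are constructed sample values.

```python
"""Added example: opaque session tokens backed by a database table.

Deviation from the comment (labelled): the table holds sha256(token), not the
token, so a leaked table dump cannot be replayed as cookies. Lookups hash the
presented token and compare hashes, which costs nothing extra on the hot path.
"""
import hashlib
import secrets
import sqlite3
from typing import Dict, Optional, Tuple

SCHEMA = """
CREATE TABLE users (
    user_uuid TEXT PRIMARY KEY,
    email     TEXT NOT NULL,
    role      TEXT NOT NULL
);
CREATE TABLE sessions (
    user_uuid            TEXT    NOT NULL REFERENCES users(user_uuid),
    token_hash           TEXT    PRIMARY KEY,
    expiration_timestamp INTEGER NOT NULL
);
-- lets the scheduled purge below run as a range scan
CREATE INDEX sessions_by_expiry ON sessions(expiration_timestamp);
"""


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_session(conn: sqlite3.Connection, user_uuid: str, ttl: int, now: int) -> str:
    """Mint a random token (86 URL-safe chars from 64 bytes), store its hash + expiry."""
    token = secrets.token_urlsafe(64)
    conn.execute("INSERT INTO sessions VALUES (?, ?, ?)",
                 (user_uuid, _token_hash(token), now + ttl))
    conn.commit()
    return token


def authenticate(conn: sqlite3.Connection, token: str, now: int) -> Optional[Tuple[str, str, str]]:
    """The per-request lookup: one indexed JOIN, returns (uuid, email, role) or None."""
    return conn.execute(
        "SELECT u.user_uuid, u.email, u.role "
        "FROM sessions s JOIN users u ON u.user_uuid = s.user_uuid "
        "WHERE s.token_hash = ? AND s.expiration_timestamp > ?",
        (_token_hash(token), now),
    ).fetchone()


def revoke_session(conn: sqlite3.Connection, token: str) -> int:
    """Retraction is a single DELETE; returns the number of rows removed."""
    cur = conn.execute("DELETE FROM sessions WHERE token_hash = ?", (_token_hash(token),))
    conn.commit()
    return cur.rowcount


def revoke_user_sessions(conn: sqlite3.Connection, user_uuid: str) -> int:
    """Log a user out everywhere (password change, compromise response)."""
    cur = conn.execute("DELETE FROM sessions WHERE user_uuid = ?", (user_uuid,))
    conn.commit()
    return cur.rowcount


def purge_expired(conn: sqlite3.Connection, now: int) -> int:
    """The job the comment schedules nightly; the lookup already ignores expired rows."""
    cur = conn.execute("DELETE FROM sessions WHERE expiration_timestamp <= ?", (now,))
    conn.commit()
    return cur.rowcount


def demo() -> Dict[str, object]:
    """Walk through issue, lookup, retraction and purge on constructed data."""
    conn = open_store()
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("u-0001", "alice@example.invalid", "admin"))  # constructed user
    t0 = 1_700_000_000
    result: Dict[str, object] = {}
    token = create_session(conn, "u-0001", 7 * 24 * 3600, t0)
    result["token_len"] = len(token)
    result["auth_ok"] = authenticate(conn, token, t0 + 3600)
    result["wrong_token"] = authenticate(conn, "not-a-real-token", t0 + 3600)
    result["revoked_rows"] = revoke_session(conn, token)
    result["after_revoke"] = authenticate(conn, token, t0 + 3600)
    short = create_session(conn, "u-0001", 60, t0)
    result["expired_lookup"] = authenticate(conn, short, t0 + 61)
    result["purged"] = purge_expired(conn, t0 + 61)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16s} {v!r}")
```

Because the lookup filters on `expiration_timestamp > now`, the nightly purge is only housekeeping, which is the "fallback" role the comment gives it; correctness does not depend on it running.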

                                                                                                                                                                              2. 1

                                                                                                                                                                                I’ve never done any work with JWTs so this might be a dumb question - but can’t you just put an expiration time into the JWT data itself, along with the session and/or user information? The user can’t alter the expiration time because presumably that would invalidate the signature, so as long as the timestamp is less than $(current_time) you’d be good to go? I’m sure I’m missing something obvious.

                                                                                                                                                                                1. 5

                                                                                                                                                                                  If someone steals the JWT they have free rein until it expires. With a session, you can remotely revoke it.

                                                                                                                                                                                  1. 1

                                                                                                                                                                                    That’s not true. You just put a black mark next to it and every request after that will be denied - and it won’t be refreshed. Then you delete it once it expires.

                                                                                                                                                                                    1. 7

                                                                                                                                                                                      That’s not true. You just put a black mark next to it and every request after that will be denied - and it won’t be refreshed. Then you delete it once it expires.

                                                                                                                                                                                      The problem with the black mark, is that you have to hit some sort of database to check for that black mark. By doing so, you invalidate the usefulness of JWT’s. That is one of OP’s main points.

                                                                                                                                                                                      1. 2

                                                                                                                                                                                        Well, not necessarily. If you’re making requests often (e.g, every couple of seconds) and you can live with a short delay between logging out and the session being invalidated, you can set the timeout on the JWT to be ~30 seconds or so and only check the blacklist if the JWT is expired (and, if the session isn’t blacklisted, issue a new JWT). This can save a significant number of database requests for a chatty API (like you might find in a chat protocol).

                                                                                                                                                                                        1. 1

                                                                                                                                                                                          Or refresh a local cache of the blacklist periodically on each server, so it’s a purely in-memory lookup.

                                                                                                                                                                                          1. 4

                                                                                                                                                                                            But in that case, you’d be defeating their use as session tokens, because you are limited to very short sessions. You are just one hiccup of the network away from failure which also defeats their purpose. (which was another point of the OP).

                                                                                                                                                                                            I see how they can be useful in situations where you are making a lot of requests, but the point is that 99.9% of websites don’t do that.

                                                                                                                                                                                2. 1

                                                                                                                                                                                  For mobile apps that have safe storage for passwords, the retraction problem is solved by issuing refresh tokens (that live longer, like passwords in the password store of a mobile phone). The refresh tokens are then used to issue new authorization tokens periodically, and it is transparent to the user. You can reissue the authorization token using the refresh token every 15 minutes, for example.

                                                                                                                                                                                  For web browsers, using refresh tokens may or may not be a good idea. Refresh tokens are, from the security perspective, the same as ‘passwords’ (although temporary). So their storage within a web browser should follow the same policy as one would have for passwords.

                                                                                                                                                                                  So if using refresh tokens for your single page app is not an option, then invalidating would have to happen during access control validation, on the backend. (The backend is still responsible for access control anyway, because it cannot be done on web clients securely.)

                                                                                                                                                                                  It is more expensive, and requires a form of distributed cache if you have a distributed backend that allows stateless, no-IP-bound distribution of requests…

                                                                                                                                                                                  1. 1

                                                                                                                                                                                    For mobile apps that have safe storage for passwords, the retraction problem is solved by issuing refresh tokens (that live longer, like passwords in the password store of a mobile phone).

                                                                                                                                                                                    But then why use 2 tokens instead of a single one? It makes everything more complicated for the sake of a perceived simplification of not doing 1 DB request on each connection. Meh. And you can even use a cookie as in your web UI, so in the end it will make everything simpler as you do not need to use 2 separate auth systems in your app.

                                                                                                                                                                                    1. 1

                                                                                                                                                                                      It makes everything more complicated for the sake of a perceived simplification of not doing 1 DB request on each connection.

                                                                                                                                                                                      This is not really why 2 tokens are used (authentication token and refresh token). 2 tokens are used to a) allow fast expiration of an authentication request, b) prevent passing of the actual user password through to the backend (it only needs to be passed when creating a refresh token).

                                                                                                                                                                                      This is a fairly standard practice though, not something I invented (it requires an API-accessible, secure password store on the user’s device, which is why it is prevalent in mobile apps).

                                                                                                                                                                                      I also cannot see how a) and b) can be achieved with a single token.
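The two schemes debated above (a short-lived JWT whose denylist is only consulted once the token has expired, and a longer-lived refresh token that mints new access tokens so the password is never re-sent) can be shown in one small model. The block below is an added example written for this page, not code from the linked article or from any commenter. It hand-rolls HS256 JWTs with the standard library so it runs offline; `SECRET`, `ACCESS_TTL`, `REFRESH_TTL`, the `AuthServer` class and the `authorize` helper are constructed for illustration and are not any library's API. The point it makes concrete is the revocation window: a revoked session's access token keeps verifying until `exp`, and revocation only bites at the next refresh.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

SECRET = b"constructed-demo-hmac-key"  # assumption: server-side HS256 key (constructed for the example)
ACCESS_TTL = 30                        # short-lived access JWT, as in the "~30 seconds" comment above
REFRESH_TTL = 30 * 24 * 3600           # long-lived refresh token, stored like a password on the device


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Produce header.payload.signature with HS256 over the first two segments."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_jwt(token: str, key: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and exp is in the future; None otherwise.
    No database is touched here: this is the cheap, stateless check the thread talks about."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64(h))
        claims = json.loads(_unb64(p))
        sig = _unb64(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":          # never let the token choose the algorithm (alg=none etc.)
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # tampered payload (e.g. edited exp) fails here
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:             # a token without exp is treated as expired
        return None
    return claims


def tamper_exp(token: str, new_exp: int) -> str:
    """Constructed attacker step: rewrite exp in the payload but keep the old signature."""
    h, p, s = token.split(".")
    claims = json.loads(_unb64(p))
    claims["exp"] = new_exp
    return f"{h}.{_b64(json.dumps(claims, separators=(',', ':')).encode())}.{s}"


class AuthServer:
    """Hypothetical server-side session store. It is consulted at login, refresh and revoke,
    but *not* on every resource request while an access token is still valid."""

    def __init__(self) -> None:
        self.sessions = {}   # refresh token -> {"sub": user, "exp": refresh expiry}
        self.revoked = set()  # the "black mark" from the thread

    def login(self, user: str, now: float) -> Tuple[str, str]:
        rid = secrets.token_urlsafe(32)  # opaque, high-entropy refresh token
        self.sessions[rid] = {"sub": user, "exp": now + REFRESH_TTL}
        return rid, sign_jwt({"sub": user, "sid": rid, "exp": now + ACCESS_TTL})

    def refresh(self, rid: str, now: float) -> Optional[str]:
        sess = self.sessions.get(rid)
        if sess is None or rid in self.revoked or sess["exp"] <= now:
            return None
        return sign_jwt({"sub": sess["sub"], "sid": rid, "exp": now + ACCESS_TTL})

    def revoke(self, rid: str) -> None:
        self.revoked.add(rid)


def authorize(server: AuthServer, access: str, rid: str, now: float) -> Tuple[Optional[dict], Optional[str]]:
    """Resource endpoint policy from the thread: trust a valid access JWT without any lookup;
    only when it has expired go to the session store, and mint a new one if not revoked."""
    claims = verify_jwt(access, now=now)
    if claims is not None:
        return claims, access
    fresh = server.refresh(rid, now)
    if fresh is None:
        return None, None
    return verify_jwt(fresh, now=now), fresh


if __name__ == "__main__":
    srv = AuthServer()
    t0 = int(time.time())
    rid, acc = srv.login("alice", t0)
    srv.revoke(rid)
    print("revoked but still valid for", ACCESS_TTL, "s:", verify_jwt(acc, now=t0 + 5) is not None)
    print("after expiry, refresh denied:", authorize(srv, acc, rid, now=t0 + ACCESS_TTL + 1))
```

The `verify_jwt` path is what the "no DB hit" argument relies on, and the `authorize` path is where the cost comes back: every expiry forces a session-store lookup, so with a 30 s access TTL and an idle client that is one lookup per 30 s at most, while a stolen token stays usable for up to 30 s after revocation.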