1. 0

    Don’t reach for a profiler, don’t try to set a global variable, or do start/stop timing in code. Don’t even start figuring out how to configure a logger to print timestamps, and use a log output format.

    Then when you’ve done all this, rerun the command and pass it through a command that attaches timestamps to every output line.

    That’s some terrible writing. Cool tool, though.

    1. 1

      Thank you for reading.

    1. 7

      Ha, me on this issue three years ago: https://kev.inburke.com/kevin/invalid-username-or-password-useless/ Different sites, same idea!

      1. 10

        It’s hard to reproduce failures

        If this is the case you’re doing it wrong. When using faked data and randomised test order in RSpec it seeds the RNG with a value that is printed at the end of the tests so you can rerun with exactly the same order and faked values. No need for trial and error.

        1. -1

          That sounds like a useful feature that Faker does not have or appreciate the need for.

          1. 8
            1. 4

              This type of comment makes it sound like the article is meant as a hit job where the faker readme talks about setting a seed (as skade points out)

              1. 1

                I’ve now worked at three different companies that have used it and no one has raised or mentioned even this feature before, apologies for missing it. I think my point still stands.

          1. 7

            Mentions fuzzing but fails to mention property-based testing. :-(

            1. 1

              Ah, sure. I’m not as familiar with it but it’s certainly a solution! TBH I think of them in the same bucket.

              1. 2

                You might find this article and discussion helpful. My comment on the bottom gives brief background on where the names came from far as I could tell from my own reading that is.

                https://lobste.rs/s/p1flip/property_based_testing_is_fuzzing

                1. 2

                  Thanks! The lobster comments basically say everything I want to say on the overlap.

                  Depending on how one defines fuzzing and PBT, one is a subset of the other, or they’re equivalent. Or, as you say, in their original definitions they’re complementary regions in that shared space. Your POV is what I was getting at here.

                  What I meant with my comment here was that I’m sad the author didn’t take the chance to evangelize the specific techniques used within PBT, as QuickCheck is just mentioned as a generic fuzzer.

                  What they’re criticizing is single-sample randomization, and fuzzing avoids that, but in PBT there’s also guided randomization, memorized critical examples and minimization, which further help reduce the overall flakiness and help that freak case become less of a freak and more of an identified edge case.

            1. 2

              Here’s the Go API:

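              // `c` is an AEAD instance created earlier (its construction is not
              // shown in this snippet)

              // Plaintext to be encrypted
              pt := []byte("Hello, world!")
              
              // Nonce to encrypt it under
              n := miscreant.GenerateNonce(c)
              
              // Associated data to authenticate along with the message
              // (or nil if we don't care). `ad := nil` does not compile in Go
              // because an untyped nil has no type, so declare a nil byte slice.
              var ad []byte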
              
              // Create a destination buffer to hold the ciphertext. We need it to be the
              // length of the plaintext plus `c.Overhead()` to hold the IV/tag
              ct := make([]byte, len(pt) + c.Overhead())
              
              // Perform encryption by calling 'Seal'. The encrypted ciphertext will be
              // written into the `ct` buffer
              c.Seal(ct, n, pt, ad)
              

              That… still seems too complicated, I guess? I wouldn’t expect to have to compute the overhead myself, or wonder what the “associated data” is or should be.

              1. 2

                If you don’t compute the overhead you can’t provide the output slice and the function would have to allocate. Additional data can just be nil. Also, this matches cipher.AEAD.
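What `Overhead()` and the associated data do in a `cipher.AEAD`, as an added example that is not part of either comment and is not miscreant's code. It assumes the standard library's AES-GCM in place of miscreant's AES-SIV (both satisfy `cipher.AEAD`); `newAEAD`, `sealMessage` and `openMessage` are hypothetical helper names, and the key and associated data are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newAEAD builds an AES-256-GCM AEAD from a 32-byte key.
// Assumption: AES-GCM stands in for miscreant's AES-SIV because it ships in
// the standard library and implements the same cipher.AEAD interface.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealMessage encrypts pt and authenticates ad alongside it.
// The result is laid out as nonce || ciphertext || tag.
func sealMessage(c cipher.AEAD, pt, ad []byte) ([]byte, error) {
	nonce := make([]byte, c.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends to dst. Giving dst length 0 but enough capacity for the
	// nonce, the plaintext and c.Overhead() bytes of tag means Seal writes
	// into this buffer instead of allocating a new one.
	out := make([]byte, 0, len(nonce)+len(pt)+c.Overhead())
	out = append(out, nonce...)
	return c.Seal(out, nonce, pt, ad), nil
}

// openMessage verifies and decrypts a message produced by sealMessage.
// The caller must supply the same associated data that was used to seal;
// it is authenticated but never stored inside the message.
func openMessage(c cipher.AEAD, msg, ad []byte) ([]byte, error) {
	if len(msg) < c.NonceSize()+c.Overhead() {
		return nil, errors.New("message shorter than nonce plus tag")
	}
	nonce, ct := msg[:c.NonceSize()], msg[c.NonceSize():]
	return c.Open(nil, nonce, ct, ad)
}

func main() {
	key := make([]byte, 32) // constructed demo key, random on every run
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c, err := newAEAD(key)
	if err != nil {
		panic(err)
	}

	pt := []byte("Hello, world!")
	ad := []byte("repo=example/app;job=42") // constructed context string

	msg, err := sealMessage(c, pt, ad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext=%d bytes, overhead=%d bytes, message=%d bytes\n",
		len(pt), c.Overhead(), len(msg))

	// Same ciphertext presented in a different context: authentication fails.
	if _, err := openMessage(c, msg, []byte("repo=example/app;job=43")); err != nil {
		fmt.Println("wrong associated data rejected:", err)
	}

	got, err := openMessage(c, msg, ad)
	fmt.Printf("correct associated data: %q, err=%v\n", got, err)
}
```

Passing `nil` as the associated data is valid on both sides; the value only matters when a ciphertext must be tied to a context such as a record ID or header.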

              1. 4

                So, here’s the thing - I posted a comment around this at the original site / post but it looks as if it’s been deleted.

                The author basically is taking a big old poop all over CircleCI because of token / javascript bleed. Fine, that’s a reasonable potshot to make - BUT what’s not clear to me, and what I asked in my question - is has the author actually done the work to compare and contrast against another hosted CI provider?

                This feels like a lazy smear to me. There are trade offs to be made when you choose to trust your sources to a hosted provider like this, and I am not convinced that CircleCI is doing anything at all untoward here other than needing to do a better job of communicating its dependencies to its users.

                1. 3

                  I tend to agree, but in a way you have to question the judgement of the developers when they include so many trackers. I don’t think it’s surprising that someone has latched onto this issue and it can be raised with many products that have a business model that doesn’t rely on advertising. Launch Darkly might actually be functional compared to the others listed by the author. I see Facebook references blocked by EFF’s Privacy Badger when I log into the product.

                  I wonder if these trackers are toggled off when I use a paid version of their product? I think that’s a possible trade-off since they are letting you test the product for free. Toggling these off might result in a loss of analytics data that they wouldn’t want, so there is a vicious circle.

                  1. 3

                    I used CircleCI in a past job, and it does something pretty unique among SaaS CI vendors - it lets you use an arbitrary number of VMs to run your unit tests.

                    So, we were able to halve the amount of time it took our unit tests to run by increasing the number of simultaneous servers running them. When you’re an org dealing with a legacy code base where the test corpus is taking HOURS and HOURS to run, that is some serious bottom line ROI right there.

                    They just need to update their comms to VERY CAREFULLY indicate what’s happening and everybody can choose to use them or not. What bugs me about the original post is the slapdash nature of the accusations levied and the lack of any kind of even handedness.

                    Also, when I posted my question to the original article, my comment was deleted. Their bat and ball, their rules, but if we’re gonna question judgement or motivation I think we can point the flying fickle finger of fate at this post’s author as well.

                    1. 4

                      the slapdash nature of the accusations levied and the lack of any kind of even handedness.

                      I don’t understand this. What was I supposed to do differently to be “even-handed”? Companies imbue CircleCI with an enormous amount of trust, and they do an incredibly risky thing with that trust. “If I am going to pay you thousands of dollars a month, please don’t build a dashboard where my source code gets stolen if someone hacks Quora.js” seems like a reasonable request. I suppose I could have said “By loading third party Javascript in a secure environment, CircleCI is picking up pennies in front of a steamroller, but in fairness, they do have the pennies.”

                      I posted my question to the original article, my comment was deleted.

                      I didn’t delete your comment; I manually approve all comments that appear on my website, there should have been a notice above the post that said “Comments are heavily moderated.”

                      I haven’t looked at your comment and couldn’t say, but generally I get low quality comments on posts and approving them isn’t really a priority for me.

                      1. 0

                        Thanks for the clarification. Have you considered simply disabling comments for your blog in that case? Offering them but leaving them in limbo seems like a questionable practice. Your bat and ball, etc.

                        1. 2

                          Thanks. Occasionally I get a good comment, one that does not describe hours of research and writing as a “lazy smear,” for that reason I like having the option to approve them.

                          1. 0

                            Would you disagree that calling a particular vendor out for particular problems might warrant citing similar issues with other vendors in the name of even handedness?

                            1. 5

                              You called my article a “lazy smear” because there are, supposedly, other CI companies that let arbitrary third party Javascript run in a trusted environment and access CSRF tokens/create API tokens that could result in data compromise, but you’ve provided zero evidence that such companies exist. I can, however, cite many CI tools that do not let arbitrary 3rd party Javascript run in a trusted environment, as Circle does: Phabricator, Jenkins, Gitlab, Travis.

                              Even if they did exist, no, I am under no obligation to cite them. The fact that many people drive drunk is not an excuse for your own decision to drink and drive. You are welcome to do your own research and post your own findings about other companies.

                              1. 3

                                I would disagree. Someone pointed out problems, why should we demand extra work? We should be thankful that someone has pointed out problems.

                      2. 1

                        I wonder if these trackers are toggled off when I use a paid version of their product?

                        No, they are not, everyone gets them, even if you pay them thousands of dollars per month. You can collect analytics data on the server side, and there’s no way a compromise of your server side analytics provider affects the security of my source code.

                      3. 3

                        This is like complaining that arresting someone for drunk driving is unfair because other people also drive drunk and did not get caught. Across the entire industry companies don’t care enough about third party javascript that runs on secure pages (dashboards, credit card input forms, API token creation, more). It’s a dangerous situation and consumers should demand better. I understand there are tradeoffs to be made letting a third party run CI, but I don’t think that “outsource my company’s source code security to Quora.js” is a reasonable one. I also think those companies overstate the benefit compared to the risks, the benefits are small and immediate, the risks are larger and unquantifiable.

                        There are steps they could take to secure important fields - for example, use a different domain for marketing/dashboards, require an HMAC token that the third party Javascripts don’t have access to, but they did not take those steps.

                      1. 2

                        Here’s a question for the ages: are there any actually-existing good hosted CI providers out there?

                        1. 7

                          Not if you need speed: http://bitemyapp.com/posts/2016-03-28-speeding-up-builds.html

                          I would honestly pay good money for reliable, tested deployment automation that stood things like CI up.

                          1. 1

                            Who’d you end up going with for the dedicated server / what are the specs on that machine like?

                            1. 2

                              Approximately this with NVMe RAID: https://www.ovh.com/us/dedicated-servers/infra/173eg1.xml

                              tbqh, most the time we saved on compilation was lost to the GHCJS build later on. I was very sad.

                          2. 5

                            We use buildkite at my company. One nice aspect is that we get an agent to run on /our/ “hardware” (we just use large vm instances). It works pretty well.

                            1. 3

                              Another vote for buildkite here - their security posture is markedly better and you have much more control over performance.

                              1. 2

                                It’s probably worth mentioning here that GitLab offers similar functionality with their GitLab CI offering. You can use their infrastructure or install runners (their equivalent of agents) on as many machines as you like. Disclaimer: I haven’t used either yet but attended a meetup event where somebody praised them highly and ditched their Atlassian stack for that single reason.

                                1. 1

                                  Their website looks intriguing; could you elaborate on their security posture? Is it just an artifact of the on-premise build agent, or is there more to it than that?

                              2. 5

                                If you happen to run on Heroku, Heroku-CI works quite well. You don’t wait in a queue—we just launch a new dyno for every CI run, which happens while you blink. It’s definitely not as fully featured as Circle, or even Travis, but it’s typically good enough.

                                1. 1

                                  At $WORK we run some things on Heroku but we can’t or don’t want to for most things — it’s either too expensive or the workload isn’t really well-suited for it.

                                2. 4

                                  What do you need? I like Travis, they also get vastly better when you actually use the paid offering and they offer on-premise should you actually need it.

                                  1. 2

                                    I need builds to not take 25-30 minutes.

                                    Bloodhound averages 25 minutes right now on TravisCI and that’s after I did a lot of aggressive caching: https://travis-ci.org/bitemyapp/bloodhound/builds/286053172?utm_source=github_status&utm_medium=notification

                                    Gross.

                                    1. 2

                                      I was asking cmhamill.

                                      But, just to be clear: your builds take 8-14 minutes. What takes time for you is the low concurrency settings on travis public/free infrastructure. It’s a shared resource, you only get so many parallel builds. That’s precisely why I referred to their paid offering: travis is a vastly different beast when using the commercial infrastructure.

                                      I also recommend not running the full matrix for every pull request, but just the stuff that frequently catches errors.

                                      1. 3

                                        I was asking cmhamill.

                                        You were asking in a public forum. I didn’t ask you to rebut or debate my experiences with TravisCI. https://github.com/cmhamill their email is on their GitHub profile if you’d like to speak with them without anyone else chiming in. I’m relating an objection that is tied to real time lost on my part and that of other maintainers. It is a persistent complaint of other people I work with in OSS. I’m glad TravisCI’s free offering exists but I am not under the illusion that the value they’re providing was brought into existence ex nihilo with zero value derived from OSS.

                                        It’s a shared resource, you only get so many parallel builds. That’s precisely why I referred to their paid offering: travis is a vastly different beast when using the commercial infrastructure.

                                        We use commercial TravisCI at work. It’s better than CircleCI or Travis’ public offering but still not close to running a CI service on a dedis (singular or plural).

                                        I had to aggressively cache (multiple gigabytes) the build for Bloodhound before it stopped timing out. I’m glad their caching layer can tolerate something that fat but I wish it wasn’t necessary just to keep my builds working period.

                                        That combined with how unresponsive TravisCI has been in general leaves a sour taste. If there was a better open source CI option than something like DroneCI I’d probably have rented a dedi for the projects I work on already.

                                        1. 5

                                          You were asking in a public forum. I didn’t ask you to rebut or debate my experiences with TravisCI.

                                          You posted in a public forum and received some valid feedback based on the little context of your post ;)

                                      2. 1

                                        How long does it take on your local machine as a point of comparison?

                                        1. 2

                                          https://mail.haskell.org/pipermail/ghc-devs/2017-May/014200.html

                                          That’s just build, doesn’t include test suite, but the tests are a couple more minutes.

                                          1. 1

                                            Hm, that’s roughly the time your travis needs, too?

                                            https://travis-ci.org/bitemyapp/bloodhound/jobs/286053181#L539 -> 120.87s seconds

                                            1. 0

                                              Nope, the mailing list numbers do not include --fast and that makes a huge difference.

                                              You are off your rocker if you think the EC2 machines Travis uses are going to get close to what my workstation can do.

                                              1. 2

                                                Would you rather pay for a licensed software distribution that you drop in a fast dedicated computer you’ve bought and it turns that computer into a node in a CI cluster that can be used like Travis?

                                                Would you rather pay for a service just like Travis but more expensive and running on latest-and-greatest CPUs and such?

                                                1. 3

                                                  Would you rather pay for a licensed software distribution that you drop in a fast dedicated computer you’ve bought and it turns that computer into a node in a CI cluster that can be used like Travis?

                                                  If it actually worked well and I could test it before committing to a purchase, probably yes I would prefer that to losing control of my hardware or committing to a SAAS treadmill but businesses loooooooove recurring revenue and I can’t blame them.

                                                  Would you rather pay for a service just like Travis but more expensive and running on latest-and-greatest CPUs and such?

                                                  That seems like a more likely stop-gap as nobody seems to want to sell software OTS anymore. Note: it’s not really just CPUs, it’s tenancy. I’d rather pay SAAS service premium + actual-cost-of-leasing-hardware and get fast builds than the “maybe pay us extra, maybe get faster builds” games that most CI services play. Tell me what hardware I’m actually running on and with what tenancy so I don’t waste my time.

                                      3. 1

                                        Has anyone done this kind of dependency scan on Travis that this guy did on CircleCI? I suspect you will see much the same.

                                        Travis does have one clear advantage here in that it’s OSS so you can SEE its dependencies and make your own decisions. See my note about CircleCI needing to be better about communication above.

                                        1. 3

                                          Well… “scan”. They posted a screenshot of their network debugger tab :).

                                          Travis (.org) uses Pusher, but not their tracking scripts. It integrates Google Analytics and as such, communicates with it. ga.js is loaded from google.

                                          The page connects to:

                                          • api.travis-ci.org
                                          • cdn.travis-ci.org (which ends up being fast.ly)
                                          • gravatar.com (loading avatar images)
                                          • statuspage.io (loading some status information as JSON)
                                          • fonts.googleapis.com (loading the used fonts)
                                          • ws.pusherapp.com

                                          All in all, it is considerably less messy than circle-ci’s frontend.

                                          Also, Travis does not have your tokens or code in their web frontend, code is on Github, tokens should be encrypted using the encrypted environment: https://docs.travis-ci.com/user/environment-variables#Defining-encrypted-variables-in-.travis.yml

                                          1. 2

                                            You have proven my point perfectly.

                                            CircleCI’s only sin here is one of a lack of communication. There is nothing actually wrong with any of the callouts the article mentions, they just need to be VERY sure that their users are aware of exactly who is seeing the source code they upload. This should be an object lesson for anyone running a SaaS company, ESPECIALLY if said SaaS company caters to developers.

                                            1. 4

                                              This is not an apples to apples comparison, in my post I cited Javascripts only (which can make AJAX requests and extract source code), @skade cites that Travis loads fonts, images, and CSS from third party domains, which don’t have those properties; a compromise in CSS might change the appearance of a page but generally can’t result in your source code/API tokens being leaked to a third party.

                                              As far as I follow the only external Javascript run by Travis CI is Pusher. So, no, it has not proven your point perfectly, in fact it demonstrates the opposite.

                                    1. 2

                                      I’m worried this is yet another attack vector against 1P, and provides easier key export for attackers that gain access to your command line.

                                      1. 1

                                        What is the other attack vector?

                                      1. 1

                                        I guess this still has the problem where another thread attempts to concurrently update the document in question. Consider the following sequence, thread 1 uses Fawn, thread 2 uses anything else:

                                        • T1 saves the document
                                        • T1 updates the document
                                        • T2 issues a separate update to the document
                                        • T1 tries an update, but fails
                                        • T1 “rolls back” to the save point

                                        In this case, we’ve lost the change made by T2. Transactions generally protect against this by locking the document (or row) in question until T1 has completed a rollback or a commit.

                                        1. 1

                                          You’re right. It’s also mentioned in the MongoDB docs:

                                          Because only single-document operations are atomic with MongoDB, two-phase commits can only offer transaction-like semantics. It is possible for applications to return intermediate data at intermediate points during the two-phase commit or rollback.

                                          So it really depends on the use case. Most of the time in an application, you only have one update point per collection. If the app has multiple update points for a single collection, using two phase commits does become sketchy.

                                          1. 1

                                            I’ve seen this happen in a variety of ways, most notably an error in a client leads to them sending the same request multiple times in quick succession, or the client has retry logic, or a user hits a button twice…
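The T1/T2 sequence described in this thread, replayed as an added example that is not part of any comment and is not Fawn or MongoDB code. It assumes an in-memory `Store` with a per-document version counter; all type and function names are hypothetical, and the balances are constructed values.

```go
package main

import (
	"fmt"
	"sync"
)

// Doc is the stored document. Version increases by one on every write.
type Doc struct {
	Balance int
	Version int
}

// Store is an in-memory stand-in for a one-document collection
// (constructed for this example).
type Store struct {
	mu  sync.Mutex
	doc Doc
}

// Read returns a copy of the current document.
func (s *Store) Read() Doc {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.doc
}

// Write replaces the document unconditionally, as a blind
// "restore the save point" rollback does.
func (s *Store) Write(d Doc) {
	s.mu.Lock()
	defer s.mu.Unlock()
	d.Version = s.doc.Version + 1
	s.doc = d
}

// WriteIfVersion replaces the document only if nobody has written since the
// caller observed version `expected`. It reports whether the write happened.
func (s *Store) WriteIfVersion(d Doc, expected int) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.doc.Version != expected {
		return false
	}
	d.Version = expected + 1
	s.doc = d
	return true
}

// addBalance applies a delta with a compare-and-swap retry loop and returns
// the version it wrote.
func addBalance(s *Store, delta int) int {
	for {
		cur := s.Read()
		next := cur
		next.Balance += delta
		if s.WriteIfVersion(next, cur.Version) {
			return cur.Version + 1
		}
	}
}

// naiveRollback replays the sequence with a snapshot-restore rollback.
// T2's update is silently overwritten.
func naiveRollback() Doc {
	s := &Store{doc: Doc{Balance: 100}}
	save := s.Read()   // T1 saves the document
	addBalance(s, -30) // T1 updates the document
	addBalance(s, +50) // T2 issues a separate update
	s.Write(save)      // T1's next update failed: "roll back" to the save point
	return s.Read()
}

// guardedRollback replays the same sequence, but T1 restores the snapshot
// only if the document is still at the version T1 itself wrote. On conflict
// it undoes just its own delta, so T2's change survives.
func guardedRollback() (Doc, bool) {
	s := &Store{doc: Doc{Balance: 100}}
	save := s.Read()                // T1 saves the document
	t1Version := addBalance(s, -30) // T1 updates the document
	addBalance(s, +50)              // T2 issues a separate update
	conflict := !s.WriteIfVersion(save, t1Version)
	if conflict {
		addBalance(s, +30) // compensate: reverse only T1's change
	}
	return s.Read(), conflict
}

func main() {
	fmt.Printf("snapshot rollback: %+v (T2's +50 is lost)\n", naiveRollback())
	doc, conflict := guardedRollback()
	fmt.Printf("versioned rollback: %+v, conflict detected: %v\n", doc, conflict)
}
```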

                                        1. 2

                                          I would guess that once the other options are proposed, context.Context is the least bad option.

                                          1. 2

                                            I’m working on porting parts of the Go standard library to Javascript. I constantly wish for better string formatting and manipulation, time manipulation, figured I would just write it myself.

                                            (before you ask) yes I have heard of GopherJS and no it is not a good fit for a variety of reasons.

                                            1. 2

                                              I am wondering if Go vet would have caught this, it’s supposed to. If it didn’t can you file an issue?

                                              1. 3

                                                Very nice! Are you putting together a proposal to get some of this merged into x/crypto? (I saw some discussion on golang-dev.)

                                                1. 1

                                                  Very nice! Are you putting together a proposal to get some of this merged into x/crypto? (I saw some discussion on golang-dev.)

                                                  Hopefully yes, but the goal is to get people using this first

                                                  1. 1

                                                    As much as I love your code, I’d be reluctant to use it without some audits. :)

                                                    Seems like a great step towards a proposal, though.

                                                  1. 15

                                                    I want to reiterate - please tell the Go team if you can share concrete problems, or if you found something you could do but was too hard to do. A lot of Go team members work at Google which has a ton of different processes and specialized tools for everything and might not understand how you are using or trying to use Go.

                                                    If you don’t want to share publicly you can email me privately - kevin@burke.services

                                                    1. 4

                                                      Thank you for the hard work, it’s a beautiful programming language!

                                                      1. 2

                                                        I want to use Go also on embedded devices where I work, but the executable sizes are currently too large. For example, 10MB is too much for a small utility, but 1MB would be passable. Unless there are some tricks I have missed (I have tried stripping the ELF files, ++), a request for having a build flag for generating tiny executables is in the pile.

                                                        1. 1

                                                          You could dynamically link your binaries, thus reducing the binary size a lot https://stackoverflow.com/a/30488222

                                                          1. 1

                                                            That’s a good tip, I will try that. What I was originally thinking about was something similar to GCC’s -Os for size optimization, but for Go. Perhaps that’s already possible?

                                                            1. 1

                                                              As far as I remember, the go compiler already uses and enables a handful of binary size optimization by itself.

                                                      1. 3

                                                        Going to be at Gophercon. Please say hi if you will be there as well!

                                                        1. 2

                                                          According to whom has CoffeeScript served its purpose?

                                                          1. 3

                                                            A lot of the good features in Coffeescript like fat arrows made it in to ES6

                                                            1. 2

                                                              Three major features certainly made it into ES6:

                                                              1. Fat Arrow => for declaring an anonymous function with scope context preservation
                                                              2. String interpolation.
                                                              3. Splats and destructuring.

                                                              But that’s not the extent of CoffeeScript’s ergonomic improvements (in no particular order):

                                                              • Everything is an expression. I love this the most about Ruby/Rust/Elm/etc. No need for explicit return keyword (in most cases, except when wanting to short circuit). The last “expression” in a function is automatically returned as its return value.

                                                              • ? to guard against possible undefined keys when doing nested object access (e.g. val = obj?.key?.might?.not?.exist will not crash. In JS you’d have to guard against every level of object access via if (obj && obj.key && obj.key.might && obj.key.might.not))

                                                              • -> skinny arrow to not preserve scope context when declaring an anonymous function. In legitimate cases where you want a closure’s this (or @ syntactic sugar in CoffeeScript) to actually refer to the new anonymous function scope’s this or arguments, you don’t want to use a =>. In vanilla JS, that means writing out function(), in CoffeeScript, it’s a skinny arrow.

                                                              • Not requiring parentheses for function calls (e.g. alert "Hey ma, no parenths!").

                                                              • Control flow expressions can be suffixed to a line (e.g. alert "You should see this if..." if truthy_value).

                                                              • List Interpretation syntax for loops (Python-esque).

                                                              1. 1

                                                                Try this in ES6:

                                                                alert `Hey ma, no parenths!`
                                                                

                                                                (Tagged template literals + coercion from Array to String, har har har.)

                                                          1. 1

                                                            One possible reason for differences in results is the amount of battery/power being drawn by other apps when the camera is running. I would try to always use the app with the battery more than 80% charged, and with the radio/wifi off. Ideally it would also be plugged in to the charger at the time.

                                                            1. 27

                                                              I don’t know about others, but I don’t enjoy seeing flamebait like this being posted to Lobsters. The actual relevance is almost zero. The only appeal I can see is that it’s a skillfully written put-down.

                                                              1. 8

                                                                A diff would have made it less flamebait (and a diff that made it use Makefiles would have been epic!).. but I think the point is very valid. The common trend in the industry in general seems to be “this tool is old and crufty, I will do it better with something new”.. meanwhile they didn’t have a full grasp on what that old crufty tool solved.. so they fall into all the same pitfalls.

                                                                1. 5

                                                                  Agreed. It’s a troll, and not even a good one.

                                                                  Use make to run webpack. gcc doesn’t check file times, either, and neither do most code transformation tools, because that functionality is already in make.

                                                                  1. 1

                                                                    I thought about writing a blog post about this but I thought the GH issue illustrates the point fairly well. It’s a common problem with build tools written in JavaScript.

                                                                    I could switch the title to match the issue title.

                                                                    1. 9

                                                                      I could switch the title to match the issue title.

                                                                      That would be an improvement. But to be clear, I also take issue with the way that the issue is written. Compare:

                                                                      A: “Hey, could we check timestamps on output to avoid unnecessary work?”

                                                                      B: “Webpack doesn’t even check timestamps on outputs? LOL. Even make, released 46 years ago, does that!”

                                                                      This feels a lot closer to B, which is why I described it as a put-down.

                                                                  1. 6

                                                                    Amazing that they went to all this effort after she emailed them from her work computer.

                                                                    1. 9

                                                                      I understand the odds are that this person was careless enough that she would have been caught anyway; I still feel like it is your obligation as a journalist to do what you can to protect your source.

                                                                      I am still astounded they sent the raw PDF back to the NSA for verification instead of typing up a subset of the contents and sending those to the NSA.

                                                                      1. 4

                                                                        Actually she didn’t email them about the leaks:

                                                                        1. The U.S. Government Agency determined that WINNER had e-mail communication with the News Outlet on or about March 30, 2017, and March 31, 2017. The first e-mail was from WINNER, using e-mail address da3rc.fitness@gmail.com, to the News Outlet. In it, WINNER appeared to request transcripts of a podcast. The second e-mail was from the News Outlet to da3re.fitness@gmail.com and confirmed WINNER’S subscription to the service. The da3re.fitness@gmail.com account is a personal e-mail account not sponsored by or affiliated with the U.S. Government Agency.

                                                                        from here

                                                                        1. 4

                                                                          Yeah, I mean it’s a neat article on microdots, but probably not actually the determining factor.

                                                                          1. 4

                                                                            Would we know if it was or would they parallel construct it away to hide effectiveness? Quick way to start assessing that would be for anyone following federal prosecutions of leaks to say if they publicly mention when they used the printer method.

                                                                          2. 2

                                                                            You say that like Chelsea Manning didn’t just walk off with CDRs labeled “Britney Spears.”

                                                                            1. 1

                                                                              Lady Gaga’s Telephone especially:

                                                                              https://www.theguardian.com/world/2010/nov/28/how-us-embassy-cables-leaked

                                                                              Although, I’ll gladly add Britney to the humiliation if you have a source for that. I do like that Lady Gaga is more cringe-inducing for the Manning haters, though.

                                                                              1. 2

                                                                                You are totally right. I guess I don’t know the difference between controversial pop stars.

                                                                                1. 1

                                                                                  It’s an easy mistake to make given their irrelevance to people into deeper things. ;) I did pull up the song and video out of curiosity to see what Manning was jamming to at the time. Try to get into the persona and state of mind.

                                                                                  1. 3

                                                                                    You ain’t gotta throw shade on pop music, nickpsecurity. Mozart was the Lady Gaga of his time.

                                                                                    1. 2

                                                                                      It’s them not me lol. In my research, I loved the refrain in Paparazzi. It was a bit more down to earth in style. I’m cool with Mozart, too. We hang sometimes and talk which blockchain he’s betting his music fortune on.