1. 3

    In my experience random (type 4) UUIDs are often used instead of sequential integers to prevent someone from iterating over all records of some API resource, e.g. if you provide some unauthenticated user information for frontends in your API from an endpoint like /users/{id} then–if user records have sequential ids–someone can just iterate over all users and collect this information. This is not possible when using random identifiers, but type 1 UUIDs as recommended in the article are not random and should be prone to this type of information disclosure attack.

    There’s a great article from percona that explains why random UUIDs are bad for performance. Instead of using UUIDs at all one can also try Universally Unique Lexicographically Sortable Identifiers (ULID) which may be better suited for the use as row identifiers. Also, I did make the mistake of using type 4 UUIDs as primary key throughout all tables of a database design and it has shown that the performance is just fine, even for a couple million records. So, performance is really a problem of scale.
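Added example, not part of the original comment: a Go check for identifiers sampled from your own API responses, decoding what a type 1 UUID exposes (creation time and node ID, per RFC 4122) next to a type 4 UUID, which carries only a version marker and random bits. The helper names `inspect` and `audit` and the three sample UUIDs are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

const (
	// uuidEpochOffset is the number of 100 ns ticks from the UUID epoch
	// (1582-10-15) to the Unix epoch, as defined in RFC 4122.
	uuidEpochOffset = 0x01B21DD213814000
	ticksPerSecond  = 10_000_000
)

// Info is what anyone holding the identifier can read out of it.
type Info struct {
	Version int
	Ticks   uint64    // version 1 only: 60-bit timestamp in 100 ns ticks
	Time    time.Time // version 1 only: creation time
	Node    string    // version 1 only: 48-bit node ID, usually a MAC address
}

// inspect decodes the version and, for version 1, the embedded fields.
func inspect(id string) (Info, error) {
	raw, err := hex.DecodeString(strings.ReplaceAll(id, "-", ""))
	if err != nil || len(raw) != 16 {
		return Info{}, fmt.Errorf("not a UUID: %q", id)
	}
	info := Info{Version: int(raw[6] >> 4)}
	if info.Version != 1 {
		return info, nil
	}
	low := uint64(binary.BigEndian.Uint32(raw[0:4]))
	mid := uint64(binary.BigEndian.Uint16(raw[4:6]))
	hi := uint64(binary.BigEndian.Uint16(raw[6:8]) & 0x0fff) // strip version nibble
	info.Ticks = hi<<48 | mid<<32 | low
	unixTicks := int64(info.Ticks) - uuidEpochOffset
	info.Time = time.Unix(unixTicks/ticksPerSecond, unixTicks%ticksPerSecond*100).UTC()
	info.Node = hex.EncodeToString(raw[10:16])
	return info, nil
}

// Report summarises a sample of identifiers.
type Report struct {
	V1, V4, Other int
	Nodes         map[string]bool // distinct node IDs among version 1 IDs
	Span          time.Duration   // oldest to newest version 1 timestamp
}

// audit counts UUID versions and measures how tightly version 1 IDs cluster.
// One node and a small span mean neighbouring IDs differ in only a few bits.
func audit(ids []string) (Report, error) {
	r := Report{Nodes: map[string]bool{}}
	var first, last time.Time
	for _, id := range ids {
		info, err := inspect(id)
		if err != nil {
			return r, err
		}
		switch info.Version {
		case 1:
			r.V1++
			r.Nodes[info.Node] = true
			if first.IsZero() || info.Time.Before(first) {
				first = info.Time
			}
			if info.Time.After(last) {
				last = info.Time
			}
		case 4:
			r.V4++
		default:
			r.Other++
		}
	}
	r.Span = last.Sub(first)
	return r, nil
}

func main() {
	ids := []string{ // constructed sample values
		"bf0f0000-6f20-11eb-8a3c-0242ac110002",
		"bf0f00fa-6f20-11eb-8a3c-0242ac110002",
		"3f2b8c1e-9d4a-4c7b-a1f0-5e6d7c8b9a01",
	}
	r, err := audit(ids)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("v1=%d v4=%d other=%d nodes=%d span=%v\n",
		r.V1, r.V4, r.Other, len(r.Nodes), r.Span)
}
```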

    1. 4

      For me, I try to avoid incrementing integers as much as possible for the simple reason that I want to be able to take the same data and load it into a different database and have no conflicts.

      Generally speaking, I want “natural keys” as much as possible. If there isn’t a natural key for something, then it’s by definition universally unique – and should have a UUID key. :)

      1. 1

        There’s a great article from percona that explains why random UUIDs are bad for performance. Instead of using UUIDs at all one can also try Universally Unique Lexicographically Sortable Identifiers (ULID) which may be better suited for the use as row identifiers.

        In their example they have 1 billion rows and benchmark things with thousands of insertions/second. That’s a rather specific use case most people don’t have; if you use a UUID for your user or whatnot then that’s probably just fine, and the performance difference is negligible. For example all of Lobsters could probably run on UUIDs with no real difference.

        1. 1

          Also, I did make the mistake of using type 4 UUIDs as primary key throughout all tables of a database design and it has shown that the performance is just fine, even for a couple million records. So, performance is really a problem of scale.

          I already stated in the sentences following your quote that performance problems are unlikely for “small to medium sized” tables.

          1. 2

            So, performance is really a problem of scale.

            I think I misread that a bit as “UUIDs aren’t webscale!!!” rather than “performance is only a problem at large scale, which probably won’t be an issue for you” 😅

      1. 4

        NOTE: Since response bodies are read after the client method has returned you need to use a time.Timer if you want to enforce read time limits.

        I think one would normally use context.WithTimeout to cancel long running body reads.

        If you are not going to do anything with the body then it is still important to read it to completion. To not do so affects the propensity for reuse, particularly if the server is pushing a lot of data. Flush the body with: _, err := io.Copy(ioutil.Discard, res.Body)

        This one is interesting, up until now I’ve always just deferred res.Body.Close and called it a day. Can someone explain to me why it is necessary/preferable to read the response body?

        This is a small one, but as far as I’m concerned, the url.Parse method is essentially infallible and it trips me up all the bloody time. You almost always want url.ParseRequestURI and then some further checks if you are wanting to filter out relative URLs.

        This one bit me a dozen times as well and it’s really surprising for Go newbies that expect a request.URL to be fully populated, i.e. having a scheme, host and what not.
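Added example, not part of the original comment: how `url.Parse` and `url.ParseRequestURI` treat a few constructed inputs, and the kind of further checks the quoted advice refers to when only absolute http(s) URLs are acceptable. `requireAbsoluteHTTP` and `accepted` are hypothetical helpers written for this example, and the allowed schemes and the userinfo rule are assumptions about what a caller wants.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// requireAbsoluteHTTP accepts only absolute http(s) URLs that name a host and
// carry no userinfo. (Hypothetical helper for this example.)
func requireAbsoluteHTTP(raw string) (*url.URL, error) {
	u, err := url.ParseRequestURI(raw)
	if err != nil {
		return nil, err
	}
	// ParseRequestURI still accepts "/path" and opaque URLs such as
	// "mailto:...", so scheme and host have to be checked explicitly.
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	// Hostname() rather than Host, so a port-only authority does not pass.
	if u.Hostname() == "" {
		return nil, errors.New("missing host")
	}
	if u.User != nil {
		return nil, errors.New("userinfo not allowed")
	}
	return u, nil
}

// accepted reports, for one input, whether url.Parse, url.ParseRequestURI and
// requireAbsoluteHTTP each return without error.
func accepted(raw string) (parse, requestURI, strict bool) {
	_, e1 := url.Parse(raw)
	_, e2 := url.ParseRequestURI(raw)
	_, e3 := requireAbsoluteHTTP(raw)
	return e1 == nil, e2 == nil, e3 == nil
}

func main() {
	for _, raw := range []string{ // constructed inputs
		"https://example.com/a?b=1",
		"example.com/a",
		"/a/b",
		"//example.com/a",
		"mailto:ops@example.com",
		"https:///a",
		"https://user:pw@example.com/",
	} {
		p, r, s := accepted(raw)
		fmt.Printf("%-32q Parse=%-5v ParseRequestURI=%-5v strict=%v\n", raw, p, r, s)
	}
}
```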

        1. 4

          Basically you send a request and get a response, and with http keepalive you can do that a number of times. If you don’t fully receive the response, you can’t reuse the connection and send another request.

          1. 4

            So, what exactly happens if you don’t read the entire body but you do close it? The original article sort of implies that closing the body is enough in some cases, not just cases where the response is zero bytes.

            These parts confuse me:

            As a client you might not care about the content of your response bodies […] So, to close things out safely the following suffices:

            If I don’t care about the contents of the body, closing suffices? It doesn’t seem so.

            If you are not going to do anything with the body then it is still important to read it to completion. To not do so affects the propensity for reuse, particularly if the server is pushing a lot of data.

            How does the server pushing lots of data affect anything? If the response body is small, but I don’t read it, will the connection somehow become reusable earlier than if the response body is large?

            I would expect that either the response body must be read to reuse the connection at all, or that reading the entire body is never required. Not some halfway thing where sometimes not reading the body still allows reuse, sometimes it doesn’t.

            The official Go docs are also ambiguous here:

            If the Body is not both read to EOF and closed, the Client’s underlying RoundTripper (typically Transport) may not be able to re-use a persistent TCP connection to the server for a subsequent “keep-alive” request.

            1. 3

              What happens depends on whether things are speaking HTTP/1.1 or HTTP/2.

              If you close the body without reading it on an HTTP/1.1 connection, then basically that socket is done with. Resources are neither leaked nor re-used. With HTTP/2 there may be other options and the behavior might be better. If the behavior were otherwise (for example .Close() reads and discards data), that would imply that a server could force your client to download arbitrary amounts of data which would be bad.

              The dual support of http/1.1 and http/2 is, I believe, the source of the ambiguity in the docs.
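Added example, not part of the original thread: a Go program that measures the behaviour discussed above on a local HTTP/1.1 test server, using `net/http/httptrace` to ask whether the second of two requests was given a reused connection when the first body was closed unread versus drained up to a cap. The helpers `finish`, `get` and `secondRequestReused`, the 64 KiB cap and the 5-second deadline are assumptions made for this example.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httptrace"
	"strings"
	"time"
)

// maxDrain caps how much of an unwanted body is read just to keep the
// connection reusable (value is an assumption for this example).
const maxDrain = 64 << 10

// finish disposes of a response body. With drain set it first discards up to
// maxDrain bytes, so the server cannot make the client download without bound.
func finish(body io.ReadCloser, drain bool) error {
	defer body.Close()
	if !drain {
		return nil
	}
	_, err := io.Copy(io.Discard, io.LimitReader(body, maxDrain))
	return err
}

// get issues one GET under a context deadline, which also bounds the body
// read, and reports whether the transport handed out a reused connection.
func get(client *http.Client, url string, drain bool) (reused bool, err error) {
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	trace := &httptrace.ClientTrace{
		GotConn: func(info httptrace.GotConnInfo) { reused = info.Reused },
	}
	req, err := http.NewRequestWithContext(
		httptrace.WithClientTrace(ctx, trace), http.MethodGet, url, nil)
	if err != nil {
		return false, err
	}
	res, err := client.Do(req)
	if err != nil {
		return false, err
	}
	return reused, finish(res.Body, drain)
}

// secondRequestReused sends two requests to a local HTTP/1.1 test server that
// answers with bodySize bytes and reports whether the second request reused
// the first request's TCP connection.
func secondRequestReused(bodySize int, drain bool) (bool, error) {
	payload := strings.Repeat("x", bodySize)
	srv := httptest.NewServer(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) {
			io.WriteString(w, payload)
		}))
	defer srv.Close()

	// A private transport keeps the measurement away from the shared default.
	client := &http.Client{Transport: &http.Transport{}}
	defer client.CloseIdleConnections()

	if _, err := get(client, srv.URL, drain); err != nil {
		return false, err
	}
	return get(client, srv.URL, drain)
}

func main() {
	cases := []struct {
		size  int
		drain bool
	}{
		{1 << 10, false}, // small body, closed unread
		{1 << 10, true},  // small body, drained to EOF
		{1 << 20, false}, // large body, closed unread
		{1 << 20, true},  // large body, drain stops at maxDrain
	}
	for _, c := range cases {
		reused, err := secondRequestReused(c.size, c.drain)
		fmt.Printf("body=%-8d drain=%-5v reused=%-5v err=%v\n",
			c.size, c.drain, reused, err)
	}
}
```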

            2. 2

              Thanks, that was pretty clear!

          1. 4

            Looks like there is a typo in the last benchmark table,

            Request/sec	34.76	3773
            Trasfer/sec (MB)	37.34	3690
            

            if not then there is 100x improvement in bandwidth for the use of hyper::body::Bytes. Also, this is some of the most “unconventional” Go and Rust code I saw in a while. What is the purpose of this article anyways, showing how to build a custom HTTP server to serve a single file and concluding that Rust is the answer? When deciding what language to pick to implement a similar tool those toy benchmarks do not help a thing. I do not get why this got that many upvotes.

            1. 11

              BackBlaze acknowledged this and pushed out a fix. Facebook’s SDKs are notorious for recording far more data than necessary as noted here, so I don’t feel BackBlaze was shipping off data intentionally, and were blindsided by Facebook changing things under them.

              1. 35

                BackBlaze is responsible for the code on their website. If they ship code in their web app which ships all the names of the user’s files to Facebook, that’s on them. This is a huge violation of trust from BackBlaze. “A library did it” isn’t an excuse.

                1. 20

                  I completely agree, it is certainly a grave mistake on their part. What I meant was that this incident appears to be a result of carelessness rather than malice.

                  1. 6

                    Ah, makes sense. That is indeed an important thing to point out.

                    1. 2

                      Case of “Never attribute to malice that which can be adequately explained by stupidity.”?

                      1. 2

                        Never attribute to malice which can be adequately explained by passing the buck to a library♥

                    2. 9

                      Absolutely, I mean what did they expect would happen when they include some tracking garbage from facebook? I evaluated them and eventually planned to use them as a block storage provider but canceled my account with them today after I read about the tracking pixel. There’s absolutely zero reason for including this tracking stuff in the admin part of the website.

                      1. 2

                        The only mitigation I can think of is to code-review (at some level) all diffs of all dependencies (transitively), when any first-level dependency changes.

                        It’s even worse if some libraries are loaded from a third party, which could change them at any time.

                        I think that is a lot of difficult, challenging work.

                        Is there a better idea than the one above? Or is that just the cost of doing business and the best approach would be for us to somehow distribute the load (e.g. a 3rd party, curated, checked, trusted JS stack which covers a common set of modules)?

                        1. 16

                          The mitigation here is substantially simpler, don’t include code loading from or sending data to 3rd parties on pages that contain sensitive business and personal information that you are obligated to protect. Especially when that’s your core business.

                          People would be much more understanding of this issue if it was a supply chain attack, it wasn’t, they intentionally included scripts from third parties where there shouldn’t have been any. That the scripts were extracting slightly more data than they thought… really isn’t the issue.

                          1. 4

                            But why would you like to integrate your customers admin panel with Facebook? It compromises their privacy and your company secrets. The only reason I can imagine is measuring conversions, but again is it worth the risks?

                            1. 3

                              Well, it’s a trade-off isn’t it. In theory, code reviewing (and self hosting!) every dependency could provide the best security. That’s feasible if you’re comfortable with using few dependencies, but it might not always be possible.

                              If you’re not going to be reviewing your dependencies though, the very least you should do is to reflect over whether the dependency is managed by someone who you have reasons to believe aren’t going to do anything creepy. I would, for example, probably trust jQuery, because they don’t (AFAIK) have a history of being creepy. Do we have a reason to trust Facebook to not be creepy? Absolutely not. So maybe don’t use their tracking library.

                              Above all that though, host your code on your own damn servers. There’s no good reason to give a library vendor (or an attacker with access to your library vendor’s web server) the technical ability to inject arbitrary code into your app just by changing a file on their end. This should be an obvious thing just from a reliability perspective too. Thanks to Hyrum’s law, every change is a potential breaking change, so it seems ridiculous to effectively push new versions of dependencies to customers with no testing.

                        1. 4

                          Pretty solid article!

                          • I did not know about “.” imports
                          • difference between a nil slice and an empty slice: I’d mention how they’re encoded differently to JSON (arguably a bug)
                          • maps as sets: a second disadvantage to map[x]bool is that it’s a redundant encoding, leading to plenty of chances of confusing things (been there)
                          • would have liked to see named return values labelled a trap, but suppose there’s not really anything particularly surprising about them – they just make the code harder to read
                          1. 3
                            • would have liked to see named return values labelled a trap, but suppose there’s not really anything particularly surprising about them – they just make the code harder to read

                            Oh, there is something surprising about named return values namely that they’re the only way to return an error from a deferred function.

                            Deferred functions may read and assign to the returning function’s named return values. [source]

                            Here’s an example that demonstrates this.

                            1. 1

                              Right, that’s their reason for being even as far as I understand, since it’s the only way to return errors from defers.

                            1. 2

                              Wanted to give this a shot, but:

                              sudo setcap cap_net_raw,cap_net_admin=eip .cargo/bin/nethoscope
                              
                              Nethoscope 🩺 0.1.1
                              
                              ALSA lib pcm_dmix.c:1075:(snd_pcm_dmix_open) unable to open slave
                              Error: The requested device is no longer available. For example, it has been unplugged.
                              
                              
                              1. 1

                                Oops, which distribution/version are you running? I could look into it

                                1. 1

                                  Arch Linux

                                2. 1

                                  Works fine for me, running Arch Linux with Pipewire.

                                1. 12

                                  A while back I bought two of these USB Thinkpad keyboards, using the old (good) keyboard layout: https://www.newegg.com/lenovo-thinkpad-usb-wired/p/N82E16823218006

                                  I have used the crap out of them. They are the absolute best.

                                  Internally it’s just a USB controller attached to the same keyboard that shipped in older Thinkpads, so I’ve already fixed up at least one keyboard with parts from eBay.

                                  Despite things like Vimium or i3 or other ways to reduce mouse usage, most folks still need a mouse from time to time. Reducing the travel time from your keyboard to your mouse seems really high value to me, and I’m lost why most of these custom or fancy keyboard people don’t focus on having a nearby mouse of some kind?? I’m not the OP of this thread, but I highly empathize: https://www.reddit.com/r/MechanicalKeyboards/comments/626sga/how_about_trackpoints/

                                  These Thinkpad trackpoint keyboards are perfect. The mouse is right there.

                                  1. 10

                                    I love my shinobi tex, a mechanical homage to the thinkpad design: https://tex.com.tw/products/shinobi

                                    1. 4

                                      Woah! This is the first keyboard I’ve seen in years that tempts me…

                                      1. 4

                                        Just got mine yesterday. Such a pleasure to have some key travel again, and to feel the fingers match the keys. Really nice to alternate with the laptop keyboard (X1E Gen1) and is an incentive to work more at the desk with a big screen. For me the trackpoint on the shinobi works much more precisely and easily. I was expecting a little more pressure resistance from the keys, but in the end I think it is quite comfortable. It’s really nice too that there is a deeper mold in the keycaps. Was expensive, but I’m definitely happy about this purchase.

                                        1. 4

                                          oh my gosh i’ve never seen this before, this is amazing!

                                          1. 3

                                            How are the key symbol printings holding up? I got mine a week ago and I’m already noticing L-Ctl, Esc, and frequent letters fading. It’s not a big deal since I don’t really look but I’m surprised.

                                            1. 3

                                              I’ve been using mine for ~9 months daily, and while it’s true that some letters started fading very quickly, they seem to have reached a “plateau”. Definitely the discolouring has slowed its pace or the keycaps would be blank by now.

                                              1. 2

                                                Same here. Fading on frequently used keys. Been using it since last November.

                                            2. 5

                                              Thank you for your comment. I feel the same way about trackpoints, and your comment made me order a ThinkPad USB keyboard :)

                                              I really like the newer chiclet design, so I’ve picked a more recent model. Luckily they seem to be designed with a similar concept; reuse of the existing laptop keyboard design (see https://dontai.com/wp/2018/09/06/thinkpad-wired-usb-keyboard-with-trackpoint-0b47190-disassembly-and-cleaning/ for disassembly). The number of key rows doesn’t really bother me, and for all I’ve tried I don’t feel comfortable on keyboards with mechanical switches. Too many hours on a ThinkPad, I think.

                                              1. 4

                                                i am very happy lenovo is still making these keyboards, even if it’s the new layout

                                              2. 4

                                                I have one of these and I love it! I’m a sucker for the trackpoint and I love the pre-chiclet key design. It’s super portable too - I can easily throw it in my backpack with my laptop if I’m going to be out of the (home) office all day.

                                                It’s a little sad that these versions seem to be so unavailable these days :(

                                                1. 3

                                                  I’d recommend ThinkPad TrackPoint Keyboard II because it is wireless - via Bluetooth or Wireless Nano USB Dongle.

                                                  1. 4

                                                    I own the first generation as wired version and the micro USB socket is absolute garbage. Two out of three keyboards lose USB connection when the cable is moved slightly. But, this problem can be fixed pretty easily by disassembling the keyboard, bending the socket back to normal shape and then adding a large solder blob to the socket case such that it can’t bend that easily anymore. I fixed both keyboards reliably with this procedure.

                                                1. 2

                                                  Go 1.16 got a new feature that can replicate a similar behavior: https://golang.org/pkg/embed/

                                                  1. 2

                                                    I don’t think that this is really comparable, you still need to compile the Go binary for each ARCH/OS combination and adding or adjusting resources will require a recompilation.

                                                  1. 6

                                                    What a happy coincidence, this was released minutes after I finished my presentation about Go 1.16 at our local Go meetup.

                                                    1. 36

                                                      Tangentially related, it seems like macOS on M1 swaps very enthusiastically, to the point of possibly bringing SSD life well under a year: https://twitter.com/marcan42/status/1361151198921826308

                                                      (I didn’t want to post a twitter thread as a submission, but seems like it may be of interest.)

                                                      As marcan42 points out in the thread, this is clearly an OS software issue so it should be patchable in software as well.

                                                      1. 11

                                                        Interesting. I’m up to 5.4TBW; kernel_task has written 69.5GB (!) in 3 days 1 hour of uptime. One to keep an eye on; thanks for sharing.

                                                        1. 8

                                                          This is madness, I’ve only managed 15 TBW on a Samsung 970 EVO 1TB on an extremely heavily used laptop in 28 months, under 2% the drive’s warrantied TBW, and keenly aware I’ve been hammering the drive at various points. That also includes 2 h00j VMware VMs

                                                        2. 16

                                                          Not a big problem, just swap out the SSD of your MacBook when it’s dead. Oh wait, it can’t be replaced :/ Another reason to support Right To Repair.

                                                          1. 5

                                                            This might be controversial, but I think you’re just watching what happens when miniaturization and integration happens. The SSD on these is basically directly connected to the FSB, and that contributes to the performance of it. How do you make that replaceable effectively?

                                                            Your ALU used to be a discrete, replaceable component. Then it became integrated. Then L2 cache. Should it stop, especially if integration can make things more reliable (i.e RAM slot failure)?

                                                            1. 5

                                                              I think “things that are consumables” such as batteries are those things that absolutely must be replaceable. SSD’s fit that category because they actually wear out over time.

                                                              But I think you raise good points about other discrete components, not being able to upgrade my RAM sucks, but if it’s more reliable, performant, cheaper and uses less power than alternatives, then it’s a compelling choice.

                                                              1. 5

                                                                I agree that this is miniaturization and integration, but I’d argue it’s not strictly necessary for performance.

                                                                AFAIK the M1 RAM is LPDDR4X-4266 and you can buy DIMMs[*] in this specification as well. The SSD is NVMe and as far as I know there’s nothing special about the signalling compared to an off-the-shelf NVMe SSD.

                                                                integration can make things more reliable (i.e RAM slot failure)

                                                                I don’t have any numbers to back this up, but my gut feeling is that in the average upgradable laptop the number of lifetime failures that require replacing the RAM is going to be equal or higher than the number of lifetime failures that require replacing the RAM slot - so there’s a gain and a loss here.

                                                                I’d suggest it boils down to three things:

                                                                • Integrating everything on one board (or one package in the case of the RAM) is cheaper to design, manufacture and test.
                                                                • Integrating everything makes the product smaller and slimmer, and portable device consumers love slim products (as do Apple industrial designers, it would seem).
                                                                • Upgrading or repairing laptop internals is not something the majority of laptop customers plan to ever do (unfortunately), and there is no other regulatory pressure requiring this (which brings us back to Right to Repair).

                                                                [*] EDIT: I originally thought you could buy SO-DIMMs in this spec, but maybe only DIMMs. I think it’d be technically possible to have a small size & replaceable standard for these, but maybe the industry is going with soldered RAM to the extent that it doesn’t exist.

                                                                1. 1

                                                                  I wonder how much putting RAM on as an MCM lets them run LPDDR at those speeds/latencies.

                                                                2. 1

                                                                  especially if integration can make things more reliable (i.e RAM slot failure)?

                                                                  And yet, the only failing RAM I had in a machine in the last 10 years was a MacBook Pro with on-board RAM. If the machine actually had a DIMM slot, it could’ve been replaced without replacing the whole logic board. (Since the MacBook Pro was just two days old, they replaced the whole system, of course.)

                                                              2. 2

                                                                Not a problem on mine somehow (918GB writes in 6 weeks).

                                                                1. 2

                                                                  I’m second thinking getting an M1 now, maybe I’ll wait for this to be fixed. Hopefully, in time for the new macbook pros. :p

                                                                  Still my current Linux laptop is 4 years old, and has <10TB TBW on its nvme. I haven’t used it a lot in the past 6 months but it has been in use daily before that. So, 918GB in six weeks still seems like a lot.

                                                                  1. 2

                                                                    shrug

                                                                    Just checked my 3.5 year old MB12, it had 27.5TB writes over 182-ish weeks, which is roughly 0.9TB/6W. So yeah, it’s normal.

                                                                    1. 1

                                                                      I’ve had a 2019 MBP from work for almost a year now, and I’m at 65.8 TB written. I don’t think this is an M1 problem so much as a macOS problem (if indeed it’s actually a problem).

                                                                      1. 1

                                                                        Yes it’s certainly an OS issue.

                                                                        Could be some combination of usage patterns with memory configuration. Like I don’t do npm or use any heavyweight IDEs, maybe they provoke the system to swapping out more.

                                                                      2. 1

                                                                        FWIW smartctl claims 27 TB written on my mid-2012 MBA11. I’m no expert, but I think my wearout is all zeroed out. Can’t upgrade past 10.15, not sure if OS matters.

                                                                  2. 2

                                                                    This comment should be a separate post by itself. Thank you for the heads up!

                                                                    1. 1

                                                                      I have had this experience with macOS (VM) in general, testing my memory profiler’s OOM detection (https://pythonspeed.com/fil). It seems much more aggressive about swapping than Linux, to the point where I needed to come up with a different heuristic.

                                                                    1. 21

                                                                      The article never mentions the, in my humble opinion, most important part of good logging practices and that is structured logging. Without it you end up with weird regexes or other hacks trying to parse your log messages.

                                                                      1. 4

                                                                        As a sibling post notes, if you use structured logging you’re mostly throwing away the idea that the entries must be easily parsable by a human. If that’s the case, and we’ll need a custom method of displaying the structured logs in a human friendly way, I believe we should forego plain text all together and gain the benefits of logging directly to binary.

                                                                        1. 5

                                                                          You can do human readable structured logging if you use key="value" formats inside text messages. Some people still prefer json, but there is a middle ground.

                                                                          1. 2

                                                                            If you need just key=value, that’s not really structured in my opinion.

                                                                            1. 4

                                                                              Why not?

                                                                              1. 2

                                                                                Because the amount of information added by this format would be infinitesimal over a line based logger with manual tokenization. The reason why you’d want a structured logger is to allow proper context to a message. Unless you’re working with simple cases, the structure that would offer such context is more than one level deep.

                                                                                1. 3

                                                                                  Hmm, definitely not.

                                                                                  Structured logging is about decorating log events with just enough of a schema to make them machine parseable, so that searching, aggregating, filtering, etc. can be more than a crapshoot. Deeply nested events significantly increase the complexity of that schema, and therefore the requirements of the consumer.

                                                                                  By default, structured logs should be flat key/value pairs. It gets you the benefits of richer parseability, without giving up the ability to grep.

                                                                        2. 2

                                                                          Excellent point. That’s become such second nature to me by now, that I forgot to even mention it!

                                                                          1. 1

                                                                            On top of that, structured logger if implemented properly, can often be faster and be operated at granular levels (like the other comments pointed out, sometimes you do want to on-fly turn on some logs at some locations, not all logs at all locations).

                                                                            1. 1

                                                                              I love structured logging, with one caveat: the raw messages emitted (let’s assume JSON) are harder for me to scan when tailing directly (which I usually only do locally as we have better log querying tools in the cloud), in contrast to a semi-structured simple key-value format. Do you all use a different format than JSON? Or a tool that transforms structured logs to something more friendly to humans, eg. with different log levels displayed in different appropriate colors, eg. JSON syntax characters diminished, for local tailing?

                                                                              1. 5

                                                                                At Joyent, we used the Bunyan format. Each line in the file was a separate JSON object with standard properties, some mandatory and some optional, and freeform additional properties. We shipped a tool, bunyan, that was capable of acting as a filter that would render different human readable views of the JSON. For example, you would often run something like:

                                                                                tail -F $(svcs -L manatee) | bunyan -o short
                                                                                

                                                                                It also had some rudimentary filtering options. It also had a relatively novel mode that would, instead of reading from a file or standard input, use DTrace probes for different log levels to allow you to dynamically listen for DEBUG and TRACE events even when those were not ordinarily present in the log files. The DTrace mode could target a particular process, or even all processes on the system that emitted Bunyan logs.

                                                                                1. 1

                                                                                  Hi, what were the required fields? Was it just a unique request ID? Thanks for sharing about bunyan. Even though it’s been out for a while I was unaware of it.

                                                                                2. 5

                                                                                  Do you all use a different format than JSON? Or a tool that transforms structured logs to something more friendly to humans, eg. with different log levels displayed in different appropriate colors, eg. JSON syntax characters diminished, for local tailing?

                                                                                  We use JSON and the only tools I use are grep and jq. And although I am pretty much still a novice with these two, I found that with the power of shell piping I can do almost anything I want. Sometimes I reach for the Kibana web interface, get seriously confused and then go back to the command line to figure out how to do it there.

                                                                                  I wrote a simple tutorial for the process, just a couple of weeks ago.

                                                                                  1. 1

                                                                                    If you rely on external tools to be able to make sense of your logs, why not go all the way, gain the speed and size benefits that binary logs would bring, and write your own log pager? I feel like the systemd folks had the right idea even when everyone was making fun of them.

                                                                                    1. 3

                                                                                      I don’t think the average employer would be happy subsidizing an employee writing a log pager instead of implementing something that would bring a tangible result to the business. The potential money savings by using binary logs probably doesn’t outweigh the new subs/increased profits of churning out more features.

                                                                                      1. 1

                                                                                        To me that sounds like an excuse. The world is not made up of only software that is beholden to the almighty shareholder.

                                                                                        1. 1

                                                                                          I mean, yes, if you’re developing something in your personal time, go bananas on what you implement.

                                                                                          But I also know my manager would look at me funny and ask why I’m not just shoving everything into CloudWatch/<cloud logging service>

                                                                                      2. 2

                                                                                        I’m sure most problems with systemd journals are fixable, but they’ve left a very bad taste in my mouth for two main reasons: if stuff gets deleted from under them they apparently never recover (my services continue to say something like “journal was rotated” until I restart them), and inspecting journals is incredibly slow. I’m talking magnitudes slower than log files. This is at its worst (I often have time to make a cup of tea) when piping the output into grep or, as journalctl already does by default, less, which means every byte has to be formatted by journalctl and copied only to be skipped over by its recipient. But it’s still pretty bad (I have time to complain on IRC about the wait) when giving journalctl filters that reduce the final output down to a few thousand lines, which makes me suspect that there are other less fundamental issues.

                                                                                        I should note that I’m using spinning disks and the logs I’m talking about are tens to hundreds of GB over a few months. I feel like that situation’s not abnormal.

                                                                                        1. 1

                                                                                          If you rely on external tools to be able to make sense of your logs, why not go all the way, gain the speed and size benefits that binary logs would bring, and write your own log pager?

                                                                                          It’s hard to imagine a case at work where I could justify writing my own log pager.
                                                                                          Here are some of the reasons I would avoid doing so:

                                                                                          • Logs are an incidental detail to the application.
                                                                                          • Logs are well understood; I can apply a logging library without issues.
                                                                                          • My application isn’t a beautiful and unique snowflake. I should use the same logging mechanisms and libraries as our other applications unless I can justify doing something different.
                                                                                          • JSON is boring, has a specification, substantial library support, tooling, etc.
                                                                                          • Specifying, documenting, and testing a custom format is a lot of work.
                                                                                          • Engineering time is limited; I try to focus my efforts on tasks that only I can complete.
                                                                                          1. 2

                                                                                            Logs are an incidental detail to the application.

                                                                                            I think this is trivially disproved by observing that if the logs stop working for your service, that is (hopefully!) a page-able event.

                                                                                            Logs are a cross-cutting concern, but as essential as any other piece of operational telemetry.

                                                                                            1. 1

                                                                                              Logs are a cross-cutting concern, but as essential as any other piece of operational telemetry.

                                                                                              I rely heavily on logging for the services I support but the applications I wrote for work have only error reporting. They are used by a small audience and problems are rare; I might get a crash report every 18 months or so.

                                                                                              1. 1

                                                                                                Ah, yeah, I presume the context here is services.

                                                                                        2. 1

                                                                                          Agreed. jq is a really nice tool. It made the decision to transition to using JSON for logging very easy.

                                                                                        3. 3

                                                                                          Don’t use JSON, use logfmt.

                                                                                          1. 1

                                                                                            Yes! Logfmt is the good stuff. But it’s only semi-structured. Why not use JSON and a tool to transform to logfmt (with nested data elided probably) when needing to scan as a human?

                                                                                            1. 1

                                                                                              Logfmt is fully structured, it just doesn’t support nesting, which is an important feature! Structured logs should be flat.
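An added example, not part of the thread and not taken from any tool named in it: a small filter that renders JSON log lines as flat logfmt for local tailing, either flattening nested objects into dotted keys or eliding them as suggested above. The field names `time`, `level` and `msg`, the dotted-key convention and the sample lines are assumptions made for this illustration.

```python
import json
import re

# Assumed field names, rendered first for easier scanning (not from the thread).
LEAD_KEYS = ("time", "level", "msg")
_NEEDS_QUOTES = re.compile(r'[\s"=\\\x00-\x1f]')
_BAD_KEY_CHARS = re.compile(r'[\s"=]')


def _flatten(value, prefix):
    """Yield (dotted_key, scalar) pairs; empty containers yield nothing."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _flatten(v, f"{prefix}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _flatten(v, f"{prefix}.{i}")
    else:
        yield prefix, value


def _fmt(value):
    """Render a scalar; strings that would break key=value parsing are quoted."""
    if value is None:
        return "null"
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return repr(value)
    text = str(value)
    if text == "" or _NEEDS_QUOTES.search(text):
        # JSON string quoting escapes quotes, backslashes and ASCII control
        # characters, so an embedded newline cannot start a forged log line.
        return json.dumps(text, ensure_ascii=False)
    return text


def json_to_logfmt(line, elide_nested=False):
    """Convert one JSON log line to one logfmt line."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        # Stack traces and other non-JSON output still end up on one line.
        return "unparsed=" + json.dumps(line.rstrip("\n"), ensure_ascii=False)
    if not isinstance(record, dict):
        record = {"msg": record}
    pairs = []
    for key, value in record.items():
        if isinstance(value, (dict, list)):
            if elide_nested:
                continue
            pairs.extend(_flatten(value, key))
        else:
            pairs.append((key, value))
    # Stable sort: lead keys first, everything else in original order.
    pairs.sort(key=lambda kv: LEAD_KEYS.index(kv[0])
               if kv[0] in LEAD_KEYS else len(LEAD_KEYS))
    return " ".join(f"{_BAD_KEY_CHARS.sub('_', k)}={_fmt(v)}" for k, v in pairs)


# Constructed sample input: a nested event, an event whose message carries an
# embedded newline followed by fake key=value pairs, and a non-JSON line.
SAMPLE = [
    '{"time":"2021-01-20T10:15:00Z","level":"error","msg":"Failed to open file",'
    '"file":"/tmp/battery charge","err":{"code":"ENOENT","errno":-2}}',
    '{"level":"info","msg":"login ok\\nlevel=error msg=forged","user":"alice",'
    '"time":"2021-01-20T10:15:01Z"}',
    'Traceback (most recent call last):',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(json_to_logfmt(raw))
```
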

                                                                                        4. 1

                                                                                          I’m surprised it wasn’t mentioned, but the larger advantage of passing a logger around to constructors is the ability to then have nested named loggers, such as

                                                                                          Battery.ChargingStatus.FileReader: Failed to open file { file: "/tmp/battery charge", error: ... }
                                                                                          Battery.ChargingStatus: Failed to access status logs, skipping report
                                                                                          
                                                                                          1. 17

                                                                                            See Betteridge’s law of headlines:

                                                                                            Any headline that ends in a question mark can be answered by the word no.

                                                                                            1. 7

                                                                                              The cover story of the January issue of the CACM was Does Facebook Use Sensitive Data for Advertising Purposes?.

                                                                                              1. 7

                                                                                                For every joke, somebody will point out that it’s not literally true

                                                                                                – gthm’s law

                                                                                            2. 6

                                                                                              The linked post doesn’t disagree with you.

                                                                                              can we see here that Microsoft is releasing more and more parts of Windows as open source?

                                                                                              Windows will probably remain a proprietary product for some time, but I can imagine that the trend of releasing more and more code will continue

                                                                                              This take seems quite reasonable.

                                                                                              1. 2

                                                                                                It was an open question and more of a thought than an answer. 😊

                                                                                                1. 2

                                                                                                  i did read the article before replying and it is very sensible, i just couldn’t help myself 😅

                                                                                                2. 4

                                                                                                  By ‘no’, do you mean:

                                                                                                  • No, it won’t become open-source,
                                                                                                  • Hard to say, but it’s unlikely it will become open-source,
                                                                                                  • No, you don’t want it to happen, because it will be bad for MS,
                                                                                                  • No, you don’t want it to happen, because it will be bad for other systems,
                                                                                                  • You think even if MS releases the source, it will never be truly open-source,
                                                                                                  • Something else?

                                                                                                  :^)

                                                                                                1. 33

                                                                                                  Disclaimer: I represent a GitHub competitor.

                                                                                                  The opening characterization of GitHub detractors is disingenuous:

                                                                                                  The reasons for being against GitHub hosting tend to be one or more of:

                                                                                                  1. it is an evil proprietary platform
                                                                                                  2. it is run by Microsoft and they are evil
                                                                                                  3. GitHub is American thus evil

                                                                                                  GitHub collaborated with US immigration and customs enforcement under the Trump administration, which is a highly controversial organization with severe allegations of “evil”. GitHub also recently fired a Jewish employee for characterising armed insurrectionists wearing Nazi propaganda as Nazis.

                                                                                                  It’s not nice to belittle the principles of people who have valid reasons to cite ethical criticisms of GitHub. Even if you like the workflow and convenience, which is Daniel’s main justification, other platforms offer the same conveniences. As project leaders, we have a responsibility to support platforms which align with our values. There are valid ethical and philosophical complaints about GitHub, and dismissing them because of convenience and developer inertia is cowardly.

                                                                                                  1. 27

                                                                                                    GitHub collaborated with US immigration and customs enforcement under the Trump administration

                                                                                                    This makes it sound worse than it actually was, ICE bought a Github Enterprise Server license through a reseller. Github then tried to compensate by donating 500.000$ to “nonprofit organizations working to support immigrant communities”.

                                                                                                    … other platforms offer the same conveniences.

                                                                                                    Maybe, but they definitely lack the networking effect that was one of the main points for curl to use Github.

                                                                                                    1. 24

                                                                                                      The inconsistency is what kills me here. Allowing ICE to have an account became a heinous crime against neoliberalism, meanwhile how many tech companies openly collaborated with the US military while we killed a million innocent people in Iraq? Or what about Microsoft collaborating with our government’s surveillance efforts?

                                                                                                      I’m not even engaging in what-about-ism here in the sense that you must be outraged at all the things or none. I’m suggesting that ICE outrage is ridiculous in the face of everything else the US government does.

                                                                                                      Pick less ridiculous boogeymen please.

                                                                                                      1. 20

                                                                                                        I see a lot of the same people (including myself) protesting all of these things…

                                                                                                        I feel like I should say something to make this remark longer, and less likely to be taken as hostile, but that’s really all I have to say. Vast numbers of people are consistently opposing all the things you object to. If you’re attempting to suggest that people are picking only one issue to care about and ignoring the other closely related issues, that’s simply wrong - factually, that is not what is happening. If you’re not trying to suggest that, I don’t understand the purpose of your complaint.

                                                                                                        1. 13

                                                                                                          The inconsistency is what kills me here.

                                                                                                          Also:

                                                                                                          1. Free Software and Open Source should never discriminate against fields of endeavour!
                                                                                                          2. GitHub should discriminate against this particular organisation!

                                                                                                          and:

                                                                                                          1. We need decentralised systems that are resistant to centralised organisation dictating who can or can’t use the service!
                                                                                                          2. GitHub should use its centralised position to deny this service to this particular organisation!

                                                                                                          Anyway, how exactly will curl moving away from GitHub or GitHub stopping their ICE contract help the people victimized by ICE? I don’t see how it does, and the entire thing seems like a distraction to me. Fix the politics instead.

                                                                                                          1. 14

                                                                                                            Is some ideological notion of consistency supposed to weigh more heavily than harm reduction in one’s ontological calculus? Does “not discriminating against a field of endeavor” even hold inherent virtue? The “who” and “on what grounds” give the practice meaning.

                                                                                                            If I endeavor to teach computer science to under-served groups, and one discriminated against my practice due to bigotry, then that’s bad. If I endeavor to make a ton of money by providing tools and infrastructure to a power structure which seeks to violate the human rights of vulnerable populations, you would be right to “discriminate” against my endeavor.

                                                                                                            Anyway, how exactly will curl moving away from GitHub or GitHub stopping their ICE contract help the people victimized by ICE?

                                                                                                            I don’t think anyone here has suggested that if curl were to move away from github that it would have an appreciable or conclusive impact on ICE and its victims. The point of refusing to work for or with ICE or their enablers is mainly to raise awareness of the issue and to build public opposition to them, which is a form of direct action - “fixing the politics” as you put it. It’s easy to laugh at and dismiss people making noise online, or walking out of work, or writing a heated blog post, but as we’ve seen over the last decade, online movements are powerful forces in democratic society.

                                                                                                            1. 8

                                                                                                              Is some ideological notion of consistency supposed to weigh more heavily than harm reduction in one’s ontological calculus?

                                                                                                              If you’re first going to argue that 1) is unethical and should absolutely never be done by anyone and then the next day you argue that 2), which is in direct contradiction to 1), is unethical and should absolutely never be done by anyone then I think there’s a bit of a problem, yes.

                                                                                                              Because at this point you’re no longer having a conversation about what is or isn’t moral, and what the best actions are to combat injustices, or any of these things, instead you’re just trying to badger people in to accepting your viewpoint on a particular narrow issue.

                                                                                                              1. 3

                                                                                                                If you’re first going to argue that 1) is unethical and should absolutely never be done by anyone and then the next day you argue that 2), which is in direct contradiction to 1), is unethical and should absolutely never be done by anyone then I think there’s a bit of a problem, yes.

                                                                                                                does anyone say that though

                                                                                                            2. 12

                                                                                                              Your first two points are a good explanation of the tension between the Open Source and Ethical Source movements. I think everyone close to the issue is in agreement that, yes, discriminating against militant nationalism is a form of discrimination, just one that ought to happen.

                                                                                                              There was some open conflict last year between the Open Source Institute, and the group that became the Organization for Ethical Source. See https://ethicalsource.dev/ for some of the details.

                                                                                                              Your second two points, also, highlight a real and important concern, and you’ve stated it well. I’m personally against centralized infrastructure, including GitHub. I very much want the world to move to decentralized technical platforms in which there would be no single entity that holds the power that corporations presently do. However, while centralized power structures exist, I don’t want those structures to be neutral to injustice. To do that is to side with the oppressor.

                                                                                                              (Edit: I somehow wrote “every” instead of “everyone”. Too many editing passes, I guess. Oops.)

                                                                                                              1. 11

                                                                                                                To clarify: this wasn’t really intended as a defence of either the first or second points in contradictions, I just wanted to point out that people’s views on this are rather inconsistent, to highlight that the issue is rather more complex than some people portray it as. To be fair, most people’s worldviews are inconsistent to some degree, mine certainly are, but then again I also don’t make bold absolute statements about these sort of things and insult people who don’t fit in that.

                                                                                                                I think that both these issues are essentially unsolvable; similar to how we all want every criminal to be convicted but also want zero innocent people to be convicted unjustly. This doesn’t mean we shouldn’t try, but we should keep a level head about what we can and can’t achieve, and what the trade-offs are.

                                                                                                                I don’t want those structures to be neutral to injustice. To do that is to side with the oppressor.

                                                                                                                In Dutch we have a saying I rather like: “being a mayor in wartime”. This refers to the dilemma of mayors (and journalists, police, and so forth) during the German occupation. To stay in your position would be to collaborate with the Nazis; but to resign would mean being replaced with a Nazi sympathizer. By staying you could at least sort of try to influence things. This is a really narrow line to walk though, and discussions about who was or wasn’t “wrong” during the war continue to this day.

                                                                                                                I don’t think GitHub is necessarily “neutral to injustice”, just like the mayors during the war weren’t. I know people love to portray GitHub as this big evil company, but my impression is that GitHub is actually not all that bad; I mean, how many other CEOs would have joined youtube-dl’s IRC channel to apologize for the shitty situation they’re in? Or would have spent time securing a special contract to provide service to Iranian people? Or went out of their way to add features to rename the default branch?

                                                                                                                But there is a limit to what is reasonable; no person or company can be unneutral to all forms of injustice; it would be debilitating. You have to pick your battles; ICE is a battle people picked, and IMO it’s completely the wrong one: what good would cutting a contract with ICE do? I don’t see it, and I do see a lot of risk in alienating the government of the country you’re based in, especially considering that the Trump administration was not exactly known for its cool, level-headed, and calm responses to (perceived) slights. Besides, in the grand scheme of injustices present in the world ICE seems small fries.

                                                                                                                And maybe all tech companies putting pressure on ICE would have made an impact in changing ICE’s practices, I don’t really think it would but let’s assume it would. But what does that mean? A bunch of undemocratic companies exerting pressure to change the policy of a democratically elected government. Yikes? Most of the time I see corporate influence on government it’s not for the better and I would rather we reduce this across the board, which would also reduce the potential “good influences”, but the bad influences vastly outnumber the good ones that this is a good trade.

                                                                                                                1. 6

                                                                                                                  Yes, those are all fair and thoughtful points. I agree very much that with any system, no matter how oppressive, if one has a position of power within the system it’s important to weigh how much good one can do by staying in, against how much they can do by leaving. I rather wish I were living in times that didn’t require making such decisions in practice so frequently, but none of us get to choose when we’re born.

                                                                                                                  On the strategic point you raise, I disagree: I do think the GitHub/ICE issue is a valuable one to push on, precisely because it prompts conversations like this. Tech workers might be tempted to dismiss our own role in these atrocities; I think it’s important to have that reminder. However, I very much acknowledge that it’s hard to know whether there’s some other way that might be better, and there’s plenty of room for disagreement, even among people who agree on the goals.

                                                                                                                  When I was young, I was highly prone to taking absolute positions that weren’t warranted. I hope if I ever fall back into those old habits, you and others will call me out. I do think it’s really important for people who disagree to hear each other out, whenever that’s feasible, and I also think it’s important for us all to acknowledge the limits of our own arguments. So, overall, thank you for your thoughts.

                                                                                                                  1. 2

                                                                                                                    I recently read a really approachable article from Stanford Encyclopedia of Philosophy (via HN), which I found really interesting and balanced in highlighting the tensions between (in this case study) “free speech” and other values. To me it also helps to understand that those apparent “conflicts of interest” are still rather possible to balance (if not trivially) given good will; and IMO that the “extreme positions” are something of a possibly unavoidable simplification - given that even analyzing the positions of renowned philosophers, skilled at precise expression, it’s not always completely clear where they sat.

                                                                                                                    https://plato.stanford.edu/entries/freedom-speech/

                                                                                                                    edit: though I am totally worried when people refuse to even discuss those nuances and to explore their position in this space of values.

                                                                                                                    1. 7

                                                                                                                      Anyone with a sincere interest in educating themselves about the concept of free speech and other contentious issues will quickly learn about the nuances of the concepts. Some people will however not give a fig about these nuances and continue to argue absolutist positions on the internet, either to advance unrelated political positions or simply to wind people up.

                                                                                                                      Engaging with these people (on these issues) is generally a waste of time. It’s like wrestling with a pig - you’ll get dirty and the pig enjoys it.

                                                                                                                      1. 3

                                                                                                                        I’m not sure I agree that anyone who makes a sincere effort will learn about the nuances. The nuance is there, but whether people have the chance to learn it is largely a function of whether the social spaces they’re in give them the chance to. I’m really worried about how absolutist, reactionary positions are the bulk of discussion on social media today. I think we all have an obligation to try to steer discussions away from reductive absolutism, in every aspect of our lives.

                                                                                                                        With that said, it’s clear you’re coming from a good place and I sympathize. I only wish I felt that not engaging is clearly the right way; it would be easier.

                                                                                                                        1. 5

                                                                                                                          I’ll have to admit that my comment was colored by my jaundiced view of the online conversation at this point in time. “Free speech” has become a shibboleth among groups who loudly demand immunity from criticism, and who expect their wares to be subsidized in the Marketplace of Ideas, but who would not hesitate to restrict the speech of their enemies should they attain power.

                                                                                                                          I’m all for nuanced discussion, but some issues are just so hot button it’s functionally useless in a public forum.

                                                                                                                          1. 3

                                                                                                                            I completely understand, and that’s very fair.

                                                                                                                            I agree with your assessment but, purely for myself and not as something I’d push on others, I refuse to accept the outcome of stepping back from discussion - because that would be a win for reactionary forms of engagement, and a loss for anyone with a sincere, thought-out position, wherever they might fall on the political spectrum.

                                                                                                                            It’s fine to step back and say that for your own well being, you can’t dedicate your efforts to being part of the solution to that. You can only do what you can do, and no person or cause has a right to demand more than that. For myself, only, I haven’t given up and I’ll continue to look for solutions.

                                                                                                                2. 6

                                                                                                                  There are a lot of people in the OSS community who don’t agree with your first point. You might find it contradictory, or “wrong” (And sure, I guess it wouldn’t be OSI certified if you codified it in a license). But it’s what a decent part of the community thinks.

                                                                                                                  And the easy answer to your comment about helping, let’s do the contrary. ICE has policies. Selling them tools to make it easier is clearly helping them to move forward on those policies. Just like AWS was helping Parler exist by offering its infrastructure. You can have value judgements or principles regarding those decisions, but you can’t say that it doesn’t matter at all.

                                                                                                                  And yeah, maybe there’s someone else who can offer the services. But maybe there are only so many Github-style services out there! And at one point it starts actually weighing on ICE’s ability to do stuff.

                                                                                                                  Of course people want to fix the politics. But lacking that power, people will still try to do something. And, yeah, people are allowed to be mad that a company is doing something, even if they probably shouldn’t be surprised.

                                                                                                                  1. 4

                                                                                                                    And yeah, maybe there’s someone else who can offer the services. But maybe there are only so many Github-style services out there! And at one point it starts actually weighing on ICE’s ability to do stuff.

                                                                                                                    I’d expect ICE to be more than capable of self-hosting GitLab or some other free software project.

                                                                                                                    Of course people want to fix the politics. But lacking that power, people will still try to do something.

                                                                                                                    I don’t think it’s outside of people’s power to do that, but it is a lot harder, and requires more organisation and dedication. And “doing something” is not the same as “doing something useful”.

                                                                                                                    As for the rest, I already addressed most of that in my reply to Irene’s comment, so I won’t repeat that here.

                                                                                                                3. 12

                                                                                                                  no disagreement with your main point, but… a crime against neoliberalism?

                                                                                                                  1. 4

                                                                                                                    I think they mean against the newest wave of liberal politics in the US. Not the actual term neoliberalism which—as you clearly know—refers to something completely different, if not totally opposite.

                                                                                                                  2. 10

                                                                                                                    there are active campaigns inside and outside most companies about those issues. It’s not like https://notechforice.com/ exists in a bubble. Amazon, Google, Microsoft, Palantir, Salesforce and many others have been attacked for this. Clearly the DoD created the Silicon Valley and the connections run deep since the beginning, but these campaigns are to raise awareness and build consensus against tech supporting imperialism, concentration camps and many other crimes committed by the American Government against its citizens or foreign countries. But you have to start somewhere: political change is not like compiling a program, it’s not on and off, it’s nuanced and complex. Attacking (and winning) stuff like Project Maven or ICE concentration camps is a way to show that you can achieve something, break the tip of the iceberg and use that to build bigger organizations and bigger support for bigger actions.

                                                                                                                    1. 1

                                                                                                                      Clearly the DoD created the Silicon Valley and the connections run deep since the beginning

                                                                                                                      Oh, I’d love to be red-pilled into that!

                                                                                                                  3. 22

                                                                                                                    This makes it sound worse than it actually was, ICE bought a Github Enterprise Server license through a reseller.

                                                                                                                    LA Times:

                                                                                                                    In a fact sheet circulating within GitHub, employees opposing the ICE contract wrote that the GitHub sales team actively pursued the contract renewal with ICE. The Times reviewed screenshots of an internal Slack channel after the contract was renewed on Sept. 4 that appear to show sales employees celebrating a $56,000 upgrade of the contract with ICE. The message, which congratulated four employees for the sale and was accompanied by emojis of a siren, bald eagle and American flag, read “stay out of their way. $56k upgrade at DHS ICE.” Five people responded with an American flag emoji.

                                                                                                                    It was not as at arm’s length as they’d like you to believe. Several prominent organisations rejected offers of parts of the $500k donation because they didn’t want to be associated with the ICE contract. Internally the company was shredded as it became clear that GitHub under MSFT would rather be torn apart inside than listen to employees and customers and commit to stop serving ICE in the future.

                                                                                                                    There were plenty of calls to cancel the contract immediately, which might’ve been a pipedream, but even the more realistic “could we just not renew it in future” was met with silence and corporatespeak. Long-serving employees asking “well, if this isn’t too far for us, what concretely would be over the line?” in Q&A’s were labelled hostile, and most certainly not answered.

                                                                                                                    1. 15

                                                                                                                      We could debate the relative weight of these and other grievances here, but I’d rather not. My point is simply that the ethical concerns are based on reason, and Daniel’s blithe dismissal of them is inappropriate.

                                                                                                                      1. 7

                                                                                                                        Could you elaborate on the reasons?

                                                                                                                        You state that the reasons exist, and you give an example of someone you think github should reject as a customer. But you don’t talk about what those reasons are, or really go into principles, rationales or philosophy at all.

                                                                                                                        I worry that without a thought-through framework, your attitude degenerates into mindless shitstorms.

                                                                                                                        1. 4

                                                                                                                          He has not engaged with the ethical concerns you raise. That may well be because he is simply not aware of them. You are overinterpreting that as “blithe dismissal”.

                                                                                                                      2. 10

                                                                                                                        The firing of the employee has been reversed.

                                                                                                                        1. 10

                                                                                                                          Just an honest question: does this poop management actually make them look better to you? Despite this being a reaction to public outrage that would have hurt the company? Like, do you think they did that out of guilt or something like that?

                                                                                                                          1. 3

                                                                                                                            Considering the fired employee was reinstated and the head of HR resigned, this looks like a much more substantive concession than the employment status Ctrl-Z that internet outrages usually produce.

                                                                                                                            1. 3

                                                                                                                              how? isn’t the “let’s sacrifice a scapegoat without fundamentally changing anything” a quite common strategy?

                                                                                                                              1. 2

                                                                                                                                None of us know the details of this case. It’s way too easy to form a conclusion from one party, especially if they’re not bound by law from discussing sensitive HR details openly.

                                                                                                                                So while I can project a hope that this is a lasting change at GH, you are free to cynically dismiss it as window dressing. The facts, as we know them, support either view.

                                                                                                                          2. 16

                                                                                                                            Aye, and I commend them for that. But that doesn’t change the fact that “retaliated against an employee who spoke out against Nazism” is a permanent stain on their reputation which rightfully angers many people, who rightfully may wish to cease using the platform as a result. Daniel’s portrayal of their concerns as petty and base is not right.

                                                                                                                            1. 2

                                                                                                                              Not only that but the HR person who fired him was fired.

                                                                                                                              1. 4

                                                                                                                                Probably out of convenience and not actually the person who gave the order. At least, I think that’s the case more than we know.

                                                                                                                                1. 5

                                                                                                                                  The person who resigned was the head of HR. It almost certainly wasn’t the person who made the call, or even their manager, it was likely their manager’s manager. That sends a pretty strong signal to the rest of HR that there will be consequences for this kind of thing in the future.

                                                                                                                                  1. 1

                                                                                                                                    Damn, the head of HR!? What a turnover. Maybe that means they’re taking this more seriously than I thought at first.

                                                                                                                            2. 7

                                                                                                                              Every time someone asked me to move away from GitHub it’s been because “it’s not Free Software” and various variants of “vendor lock-in” and “it’s centralized”. I am aware there are also other arguments, but those have not been stated in the two instances people asked me to move away from GitHub. What (probably) prompted this particular Twitter thread and that doesn’t mention ICE or anything like that (also: 1 2). Most comments opposed to GitHub on HN or Lobsters don’t focus on ICE either.

                                                                                                                              That you personally care a great deal about this is all very fine, but it’s not the most commonly used argument against GitHub.

                                                                                                                              There are valid ethical and philosophical complaints about GitHub

                                                                                                                              According to your view of ethics, which many don’t share.

                                                                                                                              1. 2

                                                                                                                                I think that asking someone to change their infrastructure based solely on personal preferences is a step or two too far, be it based on ethics or ergonomics (“all the other code I use is on GitHub, yours should be too”).

                                                                                                                                It’s at the very least a bunch of work to move, and the benefit is likely small. You’ve already made a choice when deciding to put your code where it is, so why would you want to change it?

                                                                                                                                If asked, I’d recommend using something other than Github to work against the monoculture we’re already pretty deep in, but I don’t see myself actively trying to persuade others to abandon them.

                                                                                                                              2. 4

                                                                                                                                Isn’t sr.ht hosted and incorporated in the US? Or are only points (1) and (2) valid? :-D

                                                                                                                                GitHub also fought the US Gov to get the Iranian developer access to their platform, which is also helping your platform as far as I know. https://github.blog/2021-01-05-advancing-developer-freedom-github-is-fully-available-in-iran/

                                                                                                                                Any organization that is large enough will have some incidents which, when cherry-picked, can be used to paint the organization as evil. But really what happens is that they represent humanity. In terms of evil, you don’t have to look far to see much worse groups of people than GitHub.

                                                                                                                                IMO a more compelling argument would be centered around how he is an open-source developer, depending on a closed platform. Daniel’s utilitarian view is understandable but also short-thinking. He is contributing towards building this monolith just by using it.

                                                                                                                                1. 20

                                                                                                                                  Or are only points (1) and (2) valid? :-D

                                                                                                                                  None of the points Daniel raises are valid, because they’re strawmen, and bad-faith portrayals of actual positions.

                                                                                                                                  Actual argument: “GitHub, an American company, is choosing to cooperate with ICE, an American institution which is controversial for its ethical problems”

                                                                                                                                  Bad faith re-stating: “GitHub is American thus evil”

                                                                                                                                  There is nuance here, and indeed you’ve found some of it, but a nuanced argument is not what Daniel is making.

                                                                                                                                2. 6

                                                                                                                                  collaborated with US immigration and customs enforcement

                                                                                                                                  I think “is American and thus evil” definitely covers this.

                                                                                                                                  1. 2

                                                                                                                                    Why are two [1, 2] of your most popular projects primarily hosted on github?

                                                                                                                                    1. https://github.com/swaywm/sway

                                                                                                                                    2. https://github.com/swaywm/wlroots

                                                                                                                                    1. 19

                                                                                                                                      I have been gradually moving off of GitHub, but not all at once. A few months ago I finished migrating all of the projects under my user namespace (github.com/ddevault) to SourceHut. Last week I also announced to my GitHub Sponsors supporters that I intend to leave the program, which is almost certain to cause me to lose money when many of them choose not to move to my personal donation platform (which has higher payment processing fees than GitHub does, so even if they all moved I would still lose money). If you intend to imply that I am a hypocrite for still using GitHub, I don’t think that holds very much weight.

                                                                                                                                      Regarding those two projects in particular, some discussion was held about moving to gitlab.freedesktop.org last year, but it was postponed until the CI can be updated accordingly. In any case, I am no longer the maintainer of either project, and at best only an occasional contributor, so it’s not really my place nor my responsibility to move the projects elsewhere. I think that they should move, and perhaps a renewed call for doing so should be made, but it’s ultimately not my call anymore.

                                                                                                                                      1. 10

                                                                                                                                        If you intend to imply that I am a hypocrite for still using GitHub, I don’t think that holds very much weight.

                                                                                                                                        Nope, I was just genuinely curious since I don’t follow you that closely, and hadn’t heard any explanation or reasoning why those repos are still on github when I have heard you explain your position regarding github multiple times. So it seemed odd, so I asked.

                                                                                                                                        In any case, thanks for explaining! I hope those projects are moved off too (@emersion !)

                                                                                                                                        1. 6

                                                                                                                                          Cool, makes sense. Thanks for clarifying.

                                                                                                                                        2. 2

                                                                                                                                          I love that you represent another point of view here. I firmly believe that free software needs free tools. We don’t want history to repeat. And yes, there will be some sacrifice for the switch.

                                                                                                                                          Watching your actions closely for months, you represent how a free software leader should be.

                                                                                                                                    1. 1

                                                                                                                                      Have you found a good alternative to Ansible?

                                                                                                                                      If yes, I’d be interested in what you found, and otherwise you can check out cdist.

                                                                                                                                      1. 1

                                                                                                                                        Unfortunately, I haven’t. I’ve looked into cdist, unfortunately that’s not what I was looking for. I don’t want to write shell scripts manually.

                                                                                                                                        I’m borderline thinking about doing my own thing :/

                                                                                                                                        1. 2

                                                                                                                                          I feel you, that’s also my current approach for (FreeBSD) jail-aware stuff…

                                                                                                                                          1. 2

                                                                                                                                            May I recommend having a look at pyinfra, a lightweight alternative to Ansible.

                                                                                                                                          2. 1

                                                                                                                                            Maybe mgmt but it competes more with Puppet’s approach than Ansible. I saw a demo of it at FOSDEM 2017 and was quite impressed, mainly because of its speed. Turns out they also gave a presentation at last year’s FOSDEM.

                                                                                                                                          1. 35

                                                                                                                                            e-mail has a lot of legacy cruft. Regardless of the technical merits of e-mail or Telegram or Delta Chat, Signal, matrix.org or whatever, what people need to be hearing today is “WhatsApp and Facebook Messenger are unnecessarily invasive. Everyone is moving to X.” If there isn’t a clear message on what X is, then people will just keep on using WhatsApp and Facebook Messenger.

                                                                                                                                            It seems clear to me that e-mail is not the frontrunner for X, so by presenting it as a candidate for replacing WhatsApp and Facebook Messenger, I think the author is actually decreasing the likelihood that most people will migrate to a better messaging platform.

                                                                                                                                            My vote is for Signal. It has good clients for Android and iOS and it’s secure. It’s also simple enough that non-technical people can use it comfortably.

                                                                                                                                            1. 26

                                                                                                                                              Signal is a silo and I dislike silos. That’s why I post on my blog instead of Twitter. What happens when someone buys Signal, the US government forces Signal to implement backdoors or Signal runs out of donation money?

                                                                                                                                              1. 10

                                                                                                                                                Signal isn’t perfect. My point is that Signal is better than WhatsApp and that presenting many alternatives to WhatsApp is harmful to Signal adoption. If Signal can’t reach critical mass like WhatsApp has it will fizzle out and we will be using WhatsApp again.

                                                                                                                                                1. 12

                                                                                                                                                  If Signal can’t reach critical mass like WhatsApp has it will fizzle out

                                                                                                                                                  Great! We don’t need more silos.

                                                                                                                                                  and we will be using WhatsApp again.

                                                                                                                                                  What about XMPP or Matrix? They can (and should!) be improved so that they are viable alternatives.

                                                                                                                                                  1. 13

                                                                                                                                                    (Majority of) People don’t care about technology (how), they care about goal (why).

                                                                                                                                                    They don’t care if it’s Facebook, Whatsapp, Signal, Email, XMPP, they want to communicate.

                                                                                                                                                    1. 14

                                                                                                                                                      Yeah, I think the point of the previous poster was that these systems should be improved to a point where they’re just really good alternatives, which includes branding and the like. Element (formerly riot.im) has the right idea on this IMHO, instead of talking about all sorts of tech details and presenting 500 clients like xmpp.org, it just says “here are the features element has, here’s how you can use it”.

                                                                                                                                                      Of course, die-hard decentralisation advocates don’t like this. But this is pretty much the only way you will get any serious mainstream adoption as far as I can see. Certainly none of the other approaches that have been tried over the last ~15 years worked.

                                                                                                                                                      1. 7

                                                                                                                                                        …instead of talking about all sorts of tech details and presenting 500 clients like xmpp.org, it just says “here are the features element has, here’s how you can use it”.

                                                                                                                                                        Same problem with all the decentralized social networks and microblogging services. I was on Mastodon for a bit. I didn’t log in very often because I only followed a handful of privacy advocate types since none of my friends or other random people I followed on Twitter were on it. It was fine, though. But then they shut down the server I was on and apparently I missed whatever notification was sent out.

                                                                                                                                                        People always say crap like “What will you do if Twitter shuts down?”. Well, so far 100% of the federated / distributed social networks I’ve tried (I also tried that Facebook clone from way back when and then Identi.ca at some point) have shut down in one way or another and none of the conventional ones I’ve used have done so. I realize it’s a potential problem, but in my experience it just doesn’t matter.

                                                                                                                                                        1. 4

                                                                                                                                                          The main feature that cannot be listed in good faith and which is the one that everybody cares about is: “It has all my friend and family on it”.

                                                                                                                                                          I know it’s just a matter of critical mass and if nobody switches this will never happen.

                                                                                                                                                        2. 1

                                                                                                                                                          Sure, but we’re not the majority of people.. and we shouldn’t be choosing yet another silo to promote.

                                                                                                                                                        3. 5

                                                                                                                                                          XMPP and (to a lesser extent) Matrix do need to be improved before they are viable alternatives, though. Signal is already there. You may feel that ideological advantages make up for the UI shortcomings, but very few nontechnical users feel the same way.

                                                                                                                                                          1. 1

                                                                                                                                                            Have you tried joining a busy Matrix channel from a federated homeserver? It can take an hour. I think it needs some improvement too.

                                                                                                                                                            1. 2

                                                                                                                                                              Oh, definitely. At least in the case of Matrix it’s clear that (1) the developers regard usability as an actual goal, (2) they know their usability could be improved, and (3) they’re working on improving it. I admit I don’t follow the XMPP ecosystem as closely, so the same could be the same there, but… XMPP has been around for 20 years, so what’s going to change now to make it more approachable?

                                                                                                                                                          2. 4

                                                                                                                                                            […] it will fizzle out

                                                                                                                                                            Great! We don’t need more silos.

                                                                                                                                                            Do you realize you’re cheering for keeping the WhatsApp silo?

                                                                                                                                                            Chat platforms have a strong network effect. We’re going to be stuck with Facebook’s network for as long as other networks are fragmented due to people disagreeing which one is the perfect one to end all other ones, and keep waiting for a pie in the sky, while all of them keep failing to reach the critical mass.

                                                                                                                                                            1. 1

                                                                                                                                                              Do you realize you’re cheering for keeping the WhatsApp silo?

                                                                                                                                                              Uh, not sure how you pulled that out of what I said, but I’m actually cheering for the downfall of all silos.

                                                                                                                                                              1. 2

                                                                                                                                                                I mean that by opposing the shift to the less-bad silo you’re not actually advancing the no-silo case, but keeping the status quo of the worst-silo.

                                                                                                                                                                There is currently no decentralized option that is secure, practical, and popular enough to be adopted by mainstream consumers in numbers that could beat WhatsApp.

                                                                                                                                                                If the choice is between WhatsApp and “just wait until we make one that is”, it means keeping WhatsApp.

                                                                                                                                                            2. 3

                                                                                                                                                              They can be improved so that they are viable alternatives.

                                                                                                                                                              Debatable.

                                                                                                                                                              Great! We don’t need more silos.

                                                                                                                                                              Domain-name federation is a half-assed solution to data portability. Domain names basically need to be backed by always-on servers, not everybody can have one, and not everybody should. Either make it really P2P (Scuttlebutt?) or don’t bother.

                                                                                                                                                              1. 2

                                                                                                                                                                I sadly agree, which is why logically I always end up recommending signal as ‘the best of a bad bunch’.

                                                                                                                                                                I like XMPP, but for true silo-avoidance you need you run your own server (or at least have someone run it under your domain, so you can move away). This sucks. It’s sort of the same with matrix.

                                                                                                                                                                The only way around this is real p2p as you say. So far I haven’t seen anything that I could recommend to former whatsapp users on this front however. I love scuttlebutt but I can’t see it as a good mobile solution.

                                                                                                                                                            3. 8

                                                                                                                                                              Signal really needs a “web.signal.com”; typing on phones suck, and the destop app is ugh. I can’t write my own app either so I’m stuck with two bad options.

                                                                                                                                                              This is actually a big reason I like Telegram: the web client is pretty good.

                                                                                                                                                              1. 3

                                                                                                                                                                I can’t write my own app either so I’m stuck with two bad options.

                                                                                                                                                                FWIW I’m involved with Whisperfish, the Signal client for Sailfish OS. There has been a constant worry about 3rd party clients, but it does seem like OWS has loosened its policy.

                                                                                                                                                                The current Whisperfish is written in Rust, with separate libraries for the protocol and service. OWS is also putting work into their own Rust library, which we may switch to.

                                                                                                                                                                Technically you can, and the risk should be quite minimal. At the end of the, as OWS doesn’t support these efforts, and if you don’t make a fool of them, availability and use increases their brand value.

                                                                                                                                                                Don’t want to know what happens if someone writes a horrible client and steps on their brand, so let’s be careful out there.

                                                                                                                                                                1. 2

                                                                                                                                                                  Oh right; that’s good to know. I just searched for “Signal API” a while ago and nothing really obvious turned up so I assumed it’s either impossible or hard/hackish. To be honest I didn’t look very deeply at it, since I don’t really care all that much about Signal 😅 It’s just a single not-very-active chatgroup.

                                                                                                                                                                  1. 1

                                                                                                                                                                    Fair enough, sure. An API might sound too much like some raw web thing - it is based on HTTPS after all - but I don’t think all of it would be that simple ;)

                                                                                                                                                                    The work gone into the libraries has not been trivial, so if you do ever find yourself caring, I hope it’ll be a happy surprise!

                                                                                                                                                                2. 2

                                                                                                                                                                  The Telegram desktop client is even better than the web client.

                                                                                                                                                                  1. 3

                                                                                                                                                                    I don’t like desktop clients.

                                                                                                                                                                    1. 4

                                                                                                                                                                      Is there a specific reason why? The desktop version of Telegram is butter smooth and has the same capabilities as the phone version (I’m pretty sure they’re built from the same source as well).

                                                                                                                                                                      1. 3

                                                                                                                                                                        Security is the biggest reason for me. Every other week, you hear about a fiasco where a desktop client for some communication service had some sort of remote code execution vulnerability. But there can be other reasons as well, like them being sloppy with their .deb packages and messing up with my update manager etc. As a potential user, I see no benefit in installing a desktop client over a web client.

                                                                                                                                                                        1. 4

                                                                                                                                                                          Security is the reason that you can’t easily have a web-based Signal client. Signal is end-to-end encrypted. In a web app, it’s impossible to isolate the keying material from whoever provides the service so it would be trivial for Signal to intercept all of your messages (even if they did the decryption client-side, they could push an update that uploads the plaintext after decryption).

                                                                                                                                                                          It also makes targeted attacks trivial: with the mobile and desktop apps, it’s possible to publish the hash that you get for the download and compare it against the versions other people run, so that you can see if you’re running a malicious version (I hope a future version of Signal will integrate that and use it to validate updates before it installs them by checking that other users in your network see the same series of updates). With a web app, you have no way of verifying that you’re running the same code that you were one page refresh ago, let alone the same code as someone else.

                                                                                                                                                                          1. 1

                                                                                                                                                                            A web based client has no advantages with regards to security. They are discrete topics. As a web developer, I would argue that a web based client has a significantly larger surface area for attacks.

                                                                                                                                                                            1. 1

                                                                                                                                                                              When I say security, I don’t mean the security of my communications over that particular application. That’s important too, but it’s nothing compared to my personal computer getting hacked, which means my entire digital life getting compromised. Now you could say a web site could also hijack my entire computer by exploiting weaknesses in the browser, which is definitely a possibility, but that’s not what we hear every other week. We hear stupid zoom or slack desktop client containing a critical remote code execution vulnerability that allows a completely unrelated third party complete access to your computer.

                                                                                                                                                                          2. 1

                                                                                                                                                                            I just don’t like opening a new window/application. Almost all of my work is done with one terminal window (in tmux, on workspace 1) and a browser (workspace 2). This works very well for me as I hate dealing with window management. Obviously I do open other applications for specific purposes (GIMP, Geeqie, etc) but I find having an extra window just to chat occasionally is annoying. Much easier to open a tab in my browser, send my message, and close it again.

                                                                                                                                                                  2. 3

                                                                                                                                                                    The same thing that’s happening now with whatsapp - users move.

                                                                                                                                                                    1. 2

                                                                                                                                                                      A fraction of users is moving, the technically literate ones. Everyone else stays where their contacts are, or which is often the case, installs another messenger and then uses n+1.

                                                                                                                                                                      1. 2

                                                                                                                                                                        A fraction of users is moving, the technically literate ones

                                                                                                                                                                        I don’t think that’s what’s happening now. There have been a lot of mainstream press articles about WhatsApp. The technical users moved to Signal when Facebook bought WhatsApp, I’m now hearing non-technical folks ask what they should migrate to from WhatsApp. For example, one of our administrators recently asked about Signal because some of her family want to move their family chat there from WhatsApp.

                                                                                                                                                                        1. 1

                                                                                                                                                                          Yeah these last two days I have been asked a few times about chat apps. I have also noticed my signal contacts list expand by quite a few contacts, and there are lots of friends/family who I would not have expected to make the switch in there. I asked one family member, a doctor, what brought her in and she said that her group of doctors on whatsapp became concerned after the recent announcements.

                                                                                                                                                                          I wish I could recommend xmpp/OMEMO, but it’s just not as easy to set up. You can use conversations.im, and it’s a great service, but if you are worried about silos you are back to square one if you use their domain. They make using a custom domain as friction-free as possible but it still involves DNS settings.

                                                                                                                                                                          I feel the same way about matrix etc. Most people won’t run their own instance, so you end up in a silo again.

                                                                                                                                                                          For the closest thing to whatsapp, I have to recommend Signal. It’s not perfect, but it’s good. I wish you didn’t have to use a phone number…

                                                                                                                                                                    2. 2

                                                                                                                                                                      What happens when someone buys Signal, the US government forces Signal to implement backdoors or Signal runs out of donation money?

                                                                                                                                                                      Not supporting signal in any way, but how would your preferred solution actually mitigate those risks?

                                                                                                                                                                      1. 1

                                                                                                                                                                        Many different email providers all over the world and multiple clients based on the same standards.

                                                                                                                                                                        1. 6

                                                                                                                                                                          Anyone who has written email software used at scale by the general public can tell you that you will spend a lot of time working around servers and clients which do all sorts of weird things. Sometimes with good reasons, often times with … not so good reasons. This sucks but there’s nothing I can change about that, so I’ll need to deal with it.

                                                                                                                                                                          Getting something basic working is pretty easy. Getting all emails handled correctly is much harder. Actually displaying all emails well even harder still. There’s tons of edge cases.

                                                                                                                                                                          The entire system is incredibly messy, and we’re actually a few steps up from 20 years ago when it was even worse.

                                                                                                                                                                          And we still haven’t solved the damn line wrapping problem 30 years after we identified it…

                                                                                                                                                                          Email both proves Postel’s law correct and wrong: it’s correct in the sense that it does work, it’s wrong because it takes far more time and effort than it really needs to.

                                                                                                                                                                          1. 2

                                                                                                                                                                            I hear you (spent a few years at an ESP). It’s still better than some siloed walled garden proprietary thing that looks pretty but could disappear for any reason in a moment. The worst of all worlds except all others.

                                                                                                                                                                            1. 2

                                                                                                                                                                              could disappear for any reason in a moment

                                                                                                                                                                              I’m not so worried about this; all of these services have been around for ages and I’m not seeing them disappear from one day to the next in the foreseeable future. And even if it does happen: okay, just move somewhere else. It’s not even that big of a deal.

                                                                                                                                                                              1. 1

                                                                                                                                                                                Especially with chat services. There’s not that much to lose. Your contacts are almost always backed up elsewhere. I guess people value their chat history more than I do, however.

                                                                                                                                                                    3. 11

                                                                                                                                                                      My vote is for Signal. It has good clients for Android and iOS and it’s secure. It’s also simple enough that non-technical people can use it comfortably.

                                                                                                                                                                      I’ve recently started using it, and while it’s fine, I’m no fan. As @jlelse, it is another closed-off platform that you have to use, making me depend on someone else.

                                                                                                                                                                      They seem to (as of writing) prioritize “security” over “user freedom”, which I don’t agree with. There’s the famous thread, where they reject the notion of distributing Signal over F-Droid (instead having their own special updater, in their Google-less APK). What also annoys me is that their desktop client is based on Electron, which would have been very hard for me to use before upgrading my desktop last year.

                                                                                                                                                                      1. 6

                                                                                                                                                                        My vote is for Signal. It has good clients for Android and iOS and it’s secure. It’s also simple enough that non-technical people can use it comfortably.

                                                                                                                                                                        What I hate about signal is that it requires a mobile phone and an associated phone number. That makes it essentially useless - I loathe mobile phones - and very suspect to me. Why can’t the desktop client actually work?

                                                                                                                                                                        1. 2

                                                                                                                                                                          I completely agree. At the beginning of 2020 I gave up my smartphone and haven’t looked back. I’ve got a great dumb phone for voice and SMS, and the occasional photo. But now I can’t use Signal as I don’t have a mobile device to sign in to. In a world where Windows, Mac OS, Linux, Android, and iOS all exist as widely used operating systems, Signal is untenable as it only has full featured clients for two of these operating systems.

                                                                                                                                                                          Signal isn’t perfect.

                                                                                                                                                                          This isn’t about being perfect, this is about being accessible to everyone. It doesn’t matter how popular it becomes, I can’t use it.

                                                                                                                                                                          1. 1

                                                                                                                                                                            What I hate about Signal is that it requires a mobile phone and an associated phone number.

                                                                                                                                                                            On the bright side, Signal’s started to use UUIDs as well, so this may change. Some people may think it’s gonna be too late whenever it happens, if it does, but at least the protocols aren’t stagnant!

                                                                                                                                                                            1. 1

                                                                                                                                                                              They’ve been planning on fixing that for a while, I don’t know what the status is. The advantage of using mobile phone numbers is bootstrapping. My address book is already full of phone numbers for my contacts. When I installed Signal, it told me which of them are already using it. When other folks joined, I got a notification. While I agree that it’s not a great long-term strategy, it worked very well for both WhatsApp and Signal to quickly bootstrap a large connected userbase.

                                                                                                                                                                              In contrast, most folks’ XMPP addresses were not the same as their email addresses and I don’t have a lot of email addresses in my address book anyway because my mail clients are all good at autocompleting them from people who have sent me mail before, so I don’t bother adding them. As a result, my Signal contact list was instantly as big as my Jabber Roster became after about six months of trying to get folks to use Jabber. The only reason Jabber was useable at all for me initially was that it was easy to run an ICQ bridge so I could bring my ICQ contacts across.

                                                                                                                                                                              1. 1

                                                                                                                                                                                Support for using it without a phone number remains a work in progress. The introduction of PINs was a stepping stone towards that.

                                                                                                                                                                          1. 10

                                                                                                                                                                            I’d happily read more synth stuff on Lobsters.

                                                                                                                                                                            1. 4

                                                                                                                                                                              Another reason why lobste.rs should get a dsp or signal-processing tag.

                                                                                                                                                                            1. 1

                                                                                                                                                                              I got a Logitech c920 from the company I work for and the image quality is worse than that of the builtin webcam of my Lenovo X1C5. Actually, I never found a decent consumer grade webcam but if you’re willing to spend about 200$ for a cam then just grab Zoom’s Q2n-4k which can act as 4k webcam with proper microphones or as a mobile recorder. The best thing for me about the Q2n-4k is that it is compact and can be mounted on a regular camera stand or microphone desk stand using an adapter.

                                                                                                                                                                              Edit: typos.

                                                                                                                                                                              1. 1

                                                                                                                                                                                Update: I bought a Zoom Q2n-4k as b-stock and the picture is a bit noisy in darker environments but still night and day compared to the integrated crap cam of my Lenovo notebook or the Logitech Webcam I use. Besides, the Zoom device also acts as a mobile recorder and the built-in mics are really good.

                                                                                                                                                                              1. 1

                                                                                                                                                                                ZIp was actually one of the worst removable media formats in its day due to the bad reliability issues. They were popular pretty much only because iomega employed an aggressive razors-and-blades model and pushing it to OEMs.

                                                                                                                                                                                For better or at least more interesting formats, MO was wildly popular in Japan, and LS-120 was a superfloppy format that was backwards compatible with old floppies.

                                                                                                                                                                                1. 1

                                                                                                                                                                                  Maybe your situation was different than mine in ’97-‘98 but iirc I hadn’t heard about LS-120 (living in Germany and just getting started being interested in all things hardware and MO either wasn’t widely available or too expensive) and ZIP was available, affordable and mostly worked. So in my book it was still the best removable media format in that time between ‘3.5” floppies are big enough’ and ‘whee, CD-RW’, that must’ve been 2-3 years I’d say, pinpointing CD-RW more in 1999 than 1998 because I think my first CD writer couldn’t do it.

                                                                                                                                                                                  1. 1

                                                                                                                                                                                    I owned an LS-120 drive and those things were awful. My sample size is small but 2 out of 3 of those 120MB floppies were unusable after a couple of days. Not sure what killed them, but never had those problems with plain floppy disks.

                                                                                                                                                                                  2. 1

                                                                                                                                                                                    And Zip looked like cuneiform tablets compared to the shitshow that was Iomega’s Jaz.

                                                                                                                                                                                  1. 1

                                                                                                                                                                                    Once you have a reasonable volume of pull requests the branches of those pull requests get outdated quickly meaning they have to be rebased before merging or every change will have an extra merge commit in the history.

                                                                                                                                                                                    And why are merge commits bad again?

                                                                                                                                                                                    1. 9

                                                                                                                                                                                      For feature branches a merge commit that updates against the default branch is just noise in the commit history. This is especially bad if the branch needed to be updated multiple times. In my opinion it is always better to rebase against the default branch to keep the commit history clean. Rebasing before a merge is often good practice anyways, e.g. to squash commits or rewrite commit messages.

                                                                                                                                                                                      1. 2

                                                                                                                                                                                        Indeed, I consider a feature branch being merged into a main branch without a merge commit to be an antipatten that makes the history less useful.

                                                                                                                                                                                        1. 5

                                                                                                                                                                                          This is not about the merge commit of the feature in main, its about merge requests in the feature branch when updating against main.

                                                                                                                                                                                          1. 1

                                                                                                                                                                                            Oh, I see. Yeah, I usually treat feature branches as roughly a patch series so keep merges out of that particular kind of flow, personally.

                                                                                                                                                                                          2. 3

                                                                                                                                                                                            The history should capture as much of the human process as possible without also encoding the details of how git creates that history.

                                                                                                                                                                                            Thus, rebases and not merge commits.

                                                                                                                                                                                            1. 1

                                                                                                                                                                                              If you really want to keep track of merges, you can use git rebase and then git merge --no-ff.

                                                                                                                                                                                              If a single feature may be developed and integrated progressively, having merge commits will add a lot of useless commits in the history, it’s an aesthetic choice that’s all.