1. 44

    Let’s see. I’ve:

    • brought down credit card processing for a national retailer
    • cut off all Internet access to a major United States military installation (twice!)
    • helped bring down an entire automobile manufacturing facility
    • helped break all internet access via cell phone for one of the major US cell networks
    • shipped incorrectly optimized code that caused the (important, air-gapped) system to become accidentally quadratic

    So, you know. Be careful.

    1. 21

      I can relate to this, though I wouldn’t say I’m on the same level as you, there’s for me a long way to go. Two of my most significant achievements:

      • Brought down the debit card processing for a multinational bank issuer (only on one country sadly, and just for 2 hours).
      • Deleted the entire payment records database for a local private university on a semester, nobody noticed it, and I managed to restore it using the only backup in existence: an Excel sheet I was using to verify data.
      1. 9

        I managed to restore it using the only backup in existence: an Excel sheet I was using to verify data.

        Deeply in awe right now.

        1. 7

          To make things more exciting, that Excel file was just in memory, so a complete computer crash would have left me helpless. I learnt my lesson and do double checks on data edition, it is funny now how I make sure about doing things right even when I’m just changing a value for parameter on a file.

      2. 14

        Sounds like you’ve had a productive and interesting career, then!

        1. 15

          plot twist: he’s an intern

        2. 5

          Did you face hard consequences

          1. 15

            brought down credit card processing for a national retailer

            No. I fixed it before it became a problem and explained to the rest of my team what had happened.

            cut off all Internet access to a major United States military installation (twice!)

            First time: no, because they installed the update without testing it in their environment first. Resulted in a lot of paperwork on their end, though.

            Second time: whoo boy. I had written the compiler that turned network intrusion signatures into code that could run on our devices. I messed up the code generator for one part, so that in certain rare circumstances, an and would be an or…which meant that certain signatures would suddenly start matching just about everything. Some customers had it set up that certain signature matches would result in blocked traffic. You can see where this is headed.

            The compiler had actually been pretty extensively tested, but the problem manifested on an older configuration that didn’t have a device still in our testing pool (I know, I know).

            I had to spend a couple of days doing non-stop calls with my boss to various impacted customers, apologizing, answering their questions, and basically (and deservedly) eating crow.

            helped bring down an entire automobile manufacturing facility

            helped break all internet access via cell phone for one of the major US cell networks

            These two ended up being a lot of noise and phone calls but, ultimately, the customer had deployed stuff into their environment without testing it first. The issues on our side were from being too aggressive with what we defined as “malicious network traffic”.

            shipped incorrectly optimized code that caused the (important, air-gapped) system to become accidentally quadratic

            Not from the customer or my company, no, but from myself, very much so. I just about had a nervous breakdown, seriously. It got bad enough that I had resolved to quit as soon as I figured out what the problem was (I certainly wasn’t going to quit and leave the problem for someone else), and had convinced myself that I was just terrible at my job and had been faking it all these years. I was miserable, working long hours every night for weeks trying to figure out the problem, constantly preoccupied, not enjoying time with my family.

            Finally figured out the problem, got the fix in, and ended up staying and being reassured that I didn’t suck, which was nice.

            (Moral of this last story, database query optimizers can sometimes make the wrong decision so don’t assume that the solutions they pick in your test environment are the ones they’re going to pick in the field…)

            I actually got a job offer during that time from what might have been my dream job. I turned it down because I didn’t want to leave my current company in a bad state. I don’t know if I made the right decision, but I’m happy, so I suppose that all worked out…

            1. 2

              Thanks for sharing.

        1. 5

          At first I thought, “great, another todo app”, but this one is actually really cool. +1

          1. 1

            Thank you so much :D

          1. 16

            For another perspective, I suggest you read “Bullshit Jobs”. It speaks a lot about the logics of big schizofrenic corporations and the psicology behind middle management. It also speaks about the rise of “managerial feudalism” and how this reflects on everyday life inside a corporation.

            1. 7

              Good book rec. This whole piece is kind of deluding itself about what a corporation is and does.

              Maybe one of your organizational values is “do what your boss says.”

              I read this, and I was like, that’s every company! What company doesn’t have this value!

              1. 4

                A cooperative, because there are no bosses.

                1. 4

                  Worker led companies are not nearly as pitiless. In many cooperatives though there are still seniority ranks, there is still a managerial role, and the “boss” becomes distributed over the whole of the workers, so there is still some dictatorial aspect in the end.

                  1. 3

                    No authority doesn’t mean no law and no hierarchy. It just means that the law and hierarchy derives from the workers and not from one person or from the state. and they can be changed through voting. Then yes, there are cases of cooperatives, especially very big ones with thousands of employees, where this mechanism becomes a ritualized appendage that doesn’t challenge who controls the cooperative but they are exceptions, not the rule.

                2. 2

                  Companies where the boss first asks their employees what they think should be done and then based on their advice says: “sounds good, let’s do it like that”. Yes, in some sense they’re still “doing what their boss says”, but “do what your boss says” strongly implies that the boss decides what the employee should do without them having much input in it.

                  I wouldn’t work anywhere where I would just be doing ‘what the boss says’.

                  1. 2

                    Eh? It’s my boss’ job to go to meetings I don’t wanna go to, and to let me know where we’re going. It’s my job how to get there.

                    1. 1

                      What company doesn’t have this value!

                      You used an exclamation point instead of a question mark, but I think that is a great question!
                      I had to spend most of a day thinking about it off-and-on before I felt prepared to try and offer an answer, so thank you for prompting these thoughts.

                      When I read “do what your boss says” as an organizational value, I find a lot to unpack in the phrase. Much of it goes beyond merely acknowledging a difference in power or authority. I cannot read the author’s mind to know if this is what they meant, but when interpreting the phrase “do what your boss says” as a value, if it begins and ends with those five words, then that interpretation is missing out on an entire layer of lived reality.

                      Consider the differences between:

                      • “Do what your boss says, do only what your boss says, and nothing more.”
                      • “Do what your boss says, and be mindful of ways to make it better.”

                      And these two:

                      • “Do what your boss says, do not question or alert anyone, even if you see a problem.”
                      • “Do what your boss says, and raise questions when you see a problem.”

                      If none of those seem different to a person, or if they have never had separate experiences that shine a spotlight on those differences, I can understand them not examining further. Yet each is a world of difference. Even in benign office workplaces, it can wind up being a matter of life or death in ways that seem insane at first glance, but which ultimately can be traced back to culture. The story is a bit too long to shove in this (already-long) comment, but there was a situation where a pregnant woman at an office job almost died in her chair from a culture of “brag about good news to your boss, but bad news never flows up.” So I am not over-dramatizing this world of difference.

                      I spent years dismissing the whole “culture is everything” and “values matter, but are hard to change” aspect of organizations (whether corporate, governmental, community, or otherwise). Especially when it came to corporations, I had an inescapably cynical, instrumentalist view about what a corporation is and does, as you worded it. Though perhaps I was more pessimistic than you are.

                      My mind was only changed after two things happened.

                      First, I came across a definition of culture that was infinitely better than all of the pie-in-the-sky, mando-fun teambuilding, platitude parade bullshit that I had long associated with it.

                      Second, I observed and experienced differences in outcomes that I could not attribute to anything other than problems of culture. I tried to find anything else. Process deficiencies, technology choices, even matters of power and authority, all are more tangible (and therefore felt safer to engage with) than those squishy culture-and-values questions.

                      The definition I came across was this:

                      “Culture is the framework by which people in an organization will make decisions.”

                      I do not believe that was the exact quote, but it is close. In a corporate structure of knowledge workers, absent from but implicit in that phrase, is probably “when there is no established process”. Yet perhaps not? Even that notion, of how often, in what cases, to go around or outside of a process, is one-hundred-percent within the realm of a cultural value.

                      Now this does not mean I am pollyannaish about organizational culture and values in all cases, or at all times.

                      There are going to be middle management MBA-types who crow about “culture” blindly, because they have learned that this is the pavlovian trick that gets them the treat: respect among peers, a high salary, and so forth. If a bad actor in a position of authority is especially good at hiding their motivations or incompetence, I do not have a magic wand to wave that can solve that problem systemically. However, I no longer let my cynicism about how other people engage with questions of culture keep me from engaging with those questions in a manner that is productive and empowering.

                  1. 5

                    Corporate structure is a replication of feudal structure where the board of directors delegate oversight to lower and lower levels of company “nobility”, and everyone gets to set their own renumeration. From a bottom up perspective they’re not necessary for production at all, but from capital’s perspective executives are the obviously rational way to defend their property interests.

                    In short, they don’t do anything except for defend profit and extract surplus.

                    1. 4

                      At least unlike nobility of centuries past, or even the dynastic capitalists of 100 years ago, executives are required to work, to such an extent that you hear them engaging in the same “Gosh I’m so busy” virtue signaling of working all the time.

                      The idle rich still exist, but it is not the executive described here. Labor exploitation has moved up the ladder and you have corporate leaders missing their kid’s birthday party to work on the weekends, the same as an aspirational middle class worker picking up an extra shift.

                      I forget where I read this, or I would share, because it surprised me, but the percentage of people who are in the 1% that get the majority of their wealth from income/salary is higher than it’s ever been. Now that’s percentage of people in that percentile, not percentage of combined raw wealth in that percentile, but fascinating nonetheless.

                      1. 1

                        I agree, but can you offer an alternative? I happen to be involved in a political party and it’s a hard problem just to set up reasonable vetting of newcomers. You get all kinds of applicants ranging from math nerds who love trains to paranoid crackpots who notify police that your WiFi is reading their thoughts. Some are latent Nazis, others radical anarchists. Propose a framework to vet and integrate newcomers, please.

                        1. 3

                          Not sure what this has to do with company execs, but engaging with it anyway:

                          Send them a letter describing how your meetings work and the expectations on members.

                          Then invite them to meetings as a prospective member and ratify their membership after N meetings if you want to keep them in the group?

                          The political party I am a member of has a simpler system: I think it just accepts members unless a cursory search of public records shows bad behaviour.

                          There’s a complaints process for removing members that are problematic. Complaints process overseen by representatives elected by members.

                          1. 1

                            Complaints process overseen by representatives elected by members.

                            Hierarchy. And since they are elected, they have a higher chance to get re-elected.

                            They can also throw out people who oppose them and keep their supporters, thus solidifying their position even more.

                            Does your party happen to have a rule-making committee (perhaps with a delegate system)? Commies had (or have) one (both Soviet and Chinese). Then they elected a subcommittee (called Politburo) to hold the power in-between the sessions which eventually gained enough support in the central committee to mandate that they will pre-select central commission candidates. That’s how a nice democratic party becomes a top-down evil corporation. (It helps that a member of politburo is a minister of interior.)

                            I mean, it’s hard for me to imagine systems that operate in non-hierarchic ways. But the problems with hierarchy are real and are independent of organization type.

                            1. 2

                              Rules can be changed by assemblies of delegates at different levels, yes.

                              If you want to avoid traditional delegate systems then you can use sortition (select executive randomly from membership like jury service).

                              If you want to avoid hierarchy entirely then you need anarchist theories, I think.

                              I think traditional delegate systems can maybe work OK so long as the electorate is informed and the electoral system is expressive and fair enough. Israel has a good democracy by those measures, apparently, but I don’t know how well the Israeli state is considered to be serving its people.

                          2. 2

                            I agree, but can you offer an alternative?

                            The corporate structure is pretty dictatorial, and there are alternatives to that even in today’s society, like with the government. Suppose company executives were elected by and can be recalled by the population of the company, or perhaps there was some kind of representative oversight council that had to ratify executive decisions (think like the US Senate approving of the president’s appointees), but otherwise did basically the same job they have now.

                            Obviously, as we see in government, this is still far from a perfect system.. but it more-or-less works and people are already familiar with the concept so it might be an easy baby step to consider.

                          3. 1

                            who are the share holders in this analogy?

                            1. 2

                              The mass of shareholders forms an abstract capitalist which is the monarchy at the top of the feudal hierarchy. The shareholders (of which the board is some portion) have absolute sovereignty over production.

                              1. 2

                                That’s incorrect, though. Most of the big ones are cartes of cartels with interlocking boards of scheming people backing corrupt laws that benefit their own class, specifically them, at everyone else’s expense, including shareholders. The leaked memos from Citigroup called the new structure a “plutonomy.” Just a new form of plutocracy where they keep their control in executive positions, the boards, paid-for politicians, and infiltrated regulators (esp Goldman).

                                If really working for shareholders, the folks in this class would’ve sent them the vast majority of the wealth instead of extracted it for themselves with shareholders holding a mix of real money and IOU’s that can change in an instant. If for stakeholders, the employees and customers would get treated better, too. They haven’t been about either in most cases.

                                That’s why there’s a new push for public-benefit companies, foundations, and other structures with incentives that might fix some of this.

                                1. 1

                                  It’s an interesting way to model the corporate structure.

                            1. 8

                              I’m still unconvinced contracts need to be strictly separate from interfaces. The argument that enforcing operators would be repetitive maybe falls flat on me because it seems trivial to ship the stdlib with some basic Operatable interfaces you can reach for, but also that doing a bit of extra typing for clarity I’ve generally seen as part of the golang ethos.

                              Similarly, the idea that you can never have discrete instances of contracts (versus interfaces) runs counter to how I’ve used generics in the past where generic constraints are just interfaces and you can reference the type constraint interface when declaring values later.

                              1. 6

                                Agreed on interface reuse. My guess is adding new semantics to interface is hard to back out of, where as “contracts” can just ultimately be deprecated when the dictators decide that the experiment “failed.”

                                OK, maybe that’s not fair. But, I agree that there’s a weird resistance to extend something that seems to really make sense, in favor of adding something completely new. Either way, 3rd party tooling will be broken until updated…

                                1. 2

                                  They extended functions and types to accept type parameters, but then they neglected to do the obvious thing which is extend interfaces with type parameters. Do that, then allow interfaces to be the specifiers in the type parameters list - done. They dedicated a whole section to this but every argument is unconvincing and evinces a lack of imagination. Just read this:

                                  Contracts, unlike interfaces, support multiple types, including describing ways that the types refer to each other.

                                  Then add type parameters to the interfaces.

                                  It is unclear how to represent operators using interface methods.

                                  Other languages either map operators to a special name or provide a syntax for the overloading. Most design documents have a prior art section - do your homework!

                                  An interface is a type, not a relationship between function definitions and callers. A program can have a value of an interface type, but it makes no sense to speak of a value of a contract type.

                                  Again, there is no creativity here or an attempt to see what other people have done. Expand the definition of interface. I would solve the problem like this: if an interface appears in a type parameter list, the type is unboxed and preserves its type, whereas if it occurs in a parameter list as a type, then it is the usual boxed interface. It is really that simple. This also happens to be nearly exactly what Rust did for a long time.

                                  In other words, contracts are not extensions of interface types.

                                  This is wrong. It’s wrong, it’s wrong, it’s wrong.

                                  I will end this comment with just a little bit of polemic, which by now is par for most comments about Go but totally deserved: I do not trust the language designers. There is too much NIH syndrome, too much anti-intellectualism, too much reinvention of solved problems. It is a waste of a great runtime. Use something else.

                                  1. 7

                                    do your homework!

                                    It seems manifestly obvious that they did, considering the design document cites numerous languages and how their design improves on past mistakes. Consider cutting back on your hyperbolic ranting and snobbery; it undermines your commentary.

                                    1. 2

                                      That comment was specifically about the preceding quotation.

                                      1. -1

                                        His comment is fine.

                                        Just because he criticizes your language doesn’t mean you get to insult him.

                                        1. 3

                                          He is on the Rust team…

                                          1. 0

                                            That’s an appeal to authority and you know that.

                                            Also, being an authority doesn’t stop you from being an ass because you misinterpreted someone else’s comment as being “I am very smart” to utterly dismiss their content.

                                            1. 6

                                              no, i mean @soc said that @kristof was criticizing @burntsushi’s language.

                                              but thats not the case. the language being criticized is Go, and AFAIK @burntsushi has nothing to do with Go, other than maybe being a user. He is on the Rust team, hence my comment. Sorry that was not clear. i mean just look at this bio:

                                              https://github.com/BurntSushi

                                      2. 2

                                        They extended functions and types to accept type parameters, but then they neglected to . . . extend interfaces with type parameters.

                                        Although the draft doesn’t explicitly mention interfaces as a possible parameterized type, I don’t see anything that would imply they aren’t supported.

                                        1. -1

                                          I do not trust the language designers. There is too much NIH syndrome, too much anti-intellectualism, too much reinvention of solved problems.

                                          I don’t think this is polemic, it’s spot-on.

                                      1. 29

                                        As much as I believe every single last person involved in cryptography yelling “use Signal”, it doesn’t fit everyone’s use case of a chat application.

                                        Signal has a hard requirement that you give them a mobile phone number to tie to an account and register from a smartphone. This number is also exposed to other contacts. As for the alternatives in the article, namely: Wire has monthly fees that may prove difficult to pay anonymously. WhatsApp is owned by Facebook; even if you consider this okay enough somehow, that still requires you to go through your smartphone, on which it requires a phone number for registration; not that you could install it on an OS that isn’t macOS or Windows anyway.

                                        People may suggest to “just get a burner SIM”. But that is not a reasonable option if your goal is to hide your real life identity: For example, in Greece and Spain, you must provide ID and formerly anonymous SIM cards were blocked see COM(2010) 253, p. 69. That’s a non-starter in these scenarios. Of course, you may still argue that people that need to go to such extents to hide are almost certainly criminals, terrorists or dissenters (none of which may be worth protecting depending on your morals), and you’d probably be right. Nonetheless, the increasing disappearance of an untied, non-real-life identity scenario is a worrying prospect to me.

                                          1. 5

                                            Read to the end of the article, where Signal clarifies that they don’t consider it a problem because the goal was never for Signal Desktop to provide at-rest encryption. (I will say however that I too have always wondered why they bothered using SQLCipher to begin with.) If you need that, use full-disk encryption. That will protect you much better.

                                            “But they should be aiming for at-rest encryption.” Let’s play this out:

                                            1. The only way Signal Desktop can accomplish this without some additional support from the platform*, AFAICT, is to require a decryption password that the user types in at startup. Already this breaks a lot of useful things: it breaks the ability for the app to autostart when the user logs in, and that means that if the user forgets to type in the password (and they will) notifications for new messages won’t work, silently. So already we’ve seriously broken the UX.
                                            2. The decryption password can’t even be secured properly. A malicious app on your system can just sniff the keystrokes. Or, it can just record the screen. AFAIK Windows and macOS don’t restrict these operations by default (maybe keylogging, but I’ve never gotten a prompt or anything for screen recording IIRC). Wayland on Linux is supposed to fix this but adoption is “in progress” at best on that front so that doesn’t do us any good.
                                            3. Let’s say that isn’t a problem. Maybe something changed since I used Windows or macOS and they’re better now. The password still isn’t secure. Your disk isn’t encrypted so the attacker can tamper with the Signal binary if they have physical access. Now Signal is malicious. Game over.
                                            4. But let’s say that the attacker doesn’t have physical access, and you’re sure all the apps on your system are trustworthy. Are you sure they don’t have a security vulnerability and won’t get compromised to sniff your Signal password?

                                            The list goes on. This can’t be mitigated at the app level because the platform is fundamentally not designed for this. Mobile devices isolate apps by default; you don’t routinely run processes that aren’t sandboxed. But on desktop, the opposite is true. There are valiant efforts to sandbox apps, like the Mac App Store requiring that all apps distributed through it enable sandboxing, and Flatpak on Linux. But those are still opt-in. Are you sure that everything on your system is sandboxed enough? To actually guarantee this, you need something like Qubes.

                                            Signal Desktop absolutely has problems… but I don’t think this is one.

                                            [*]: keyrings have this same problem. Usually they’re unlocked automatically on login, so any unsandboxed app running in the user’s session can just ask the keyring to give it the Signal password. At least AFAICT… I vaguely recall macOS having some sort of access control.

                                            1. 2

                                              The core premise of the article is completely mistaken. The database key was never intended to be a secret. At-rest encryption is not something that Signal Desktop is currently trying to provide or has ever claimed to provide. Full-disk encryption can be enabled at the OS level on most desktop platforms.

                                            2. 9

                                              I definitely agree that, when possible, people should avoid communication tools that require phone numbers and use something like XMPP with OMEMO instead.

                                              If you do need/want to use Signal or similar, there are phone number options that let you maintain anonymity. For example, https://jmp.chat/ gives you a Canadian or US number without requiring any identifying information (you can even signup over Tor). If you want to keep the number past 30 days, you can pay in Bitcoin Cash or Bitcoin, or use https://shapeshift.io/ to pay with other more anonymous cryptocurrencies.

                                              1. 8

                                                Yep. I use Signal extensively in my labor activism. This is an example of an activity which is entirely legal in the United States, but where I am putting people in danger simply by talking to them. I agree 100% with all your criticisms, and it’s quite unfortunate that there are many situations in which there isn’t a realistic alternative.

                                                1. 2

                                                  Is there at least groundwork for such an alternative to Signal that doesn’t require a phone number? I’m in the same situation.

                                                  1. 1

                                                    The protocol is open, although it’s my understanding somebody would need to do a lot of implementation. I’d also suggest that future work should be based around expecting users to explicitly manage their keys, rather than trying to abstract that away.

                                                    1. 2

                                                      I’d also suggest that future work should be based around expecting users to explicitly manage their keys

                                                      Why? To me this is the main selling point of Signal. And from my observations teaching PGP (long ago), key management is one of its biggest downfalls.

                                                      1. 1

                                                        Sure. It’s because the automatic management both introduces insecurities, and makes it so that good key-verification practices are more friction than sloppy practices.

                                                        The most significant insecurity is that anyone with control over your phone number can gain control of your account. A stolen SIM or a number-porting attack could both be used that way. They won’t see message history, but they’ll be able to impersonate you. The only defense against this is that there’s a small notice in each chat about the safety number being reset.

                                                        The point about safety numbers dovetails with my larger point about good practices being hard. When you’re scaling up a large organization, educating everybody about what the safety number means and how to verify it is a constant undertaking. Meanwhile, people are constantly replacing their devices, accidentally reinstalling the app, intentionally reinstalling the app, etc for a variety of reasons. It’s constant tedium, and if you just punt on doing the work, there’s a chance of an impersonation attack being successful.

                                                        What I would like is to put key management front and center, so that everybody gets the message that this is something they should be paying attention to and learning more about. I’m envisioning, for example, a first-start wizard that walks users through creating an offline key and using it to sign a per-device subkey, with alternatives also presented if they want to add a key some other way. Yes, it’s a lot of work which would slow down adoption immensely. Thus, I don’t realistically expect any for-profit entity to be the first to offer a product that works this way. Still, in my ideal world, it’s what I’d like to see.

                                                        1. 1

                                                          Hm. So if I can rephrase this position, basically you’re saying that good practices (i.e. verifying safety numbers) isn’t on a level playing field with unsafe practices, because it’s much easier to do the latter. And basically you want to level the playing field by making both take equal amounts of effort? Did I get that (somewhat) right?

                                                          1. 1

                                                            I think that’s right, yes. I know it’s in some ways a quixotic idea.

                                                2. 6

                                                  I use Signal constantly, but this is a sound comment and still only covers maybe half the serious concerns I have with Signal.

                                                  1. 2

                                                    We are pseudonymous in Peergos (no phone number or even email required to sign up). At the moment we are focussed on storage and sharing, but we plan to implement a group chat/messaging solution using Messaging Layer Security once it stabilises.

                                                  1. 2
                                                    • etcetera
                                                    • lib like bib
                                                    • char like far
                                                    • I read fsck like the f-word
                                                    • skeemuh, schema is already plural
                                                    1. 3

                                                      This is a bit of a random bump but I just loaded a common lisp library that was last updated in the year 1990 (“series”, which nearly made it into the language spec). It still works. When’s the last time you used a library from thirty years ago and it worked?

                                                      1. 19

                                                        If you plan on using Lisp well into the future then you should use Common Lisp because you know the language is never going to change and the books written on it (from the 90s, to 2005’s Practical Common Lisp) will always work, as well as the libraries that are available. You will be part of a continuous tradition that started with John McCarthy - many of the best Lisp programmers moved to Common Lisp during the standardization process, whereas Scheme is relatively its own thing (yes, I know who Guy Steele is).

                                                        It is not the prettiest language but I am going to say that, regarding the differences between it and Scheme that people start fights over, you might find as I have that the decisions Common Lisp made were uniformly better across most of those dimensions, including nil vs. false (these should be the same thing!!), and even, the somewhat strange #’f and funcall syntax. For its gargantuan feature list, over time you will grow to like and appreciate the facilities that are available to you and realize that it is, in fact, a very practical language, designed over the decades of experience people had with actually using it for real software. Scheme (and which scheme: RSR5? RSR6?) is a small, small language that the various implementations (chicken, racket, guile) have to foist extensions over just to be practicable. Scheme does not have keyword arguments! Both racket and chicken do, but they use differing syntaxes. Even such a small and useful feature is not standardized and a small taste of the kind of divergence among implementations so if you are ready to be platform locked, go right on ahead.

                                                        Really, the difference between (any) Scheme and Common Lisp is that, after having used both for significant projects, the Scheme community is satisfied with a nice, clean definition of a language, and Common Lisp is the result of satisfying the real needs of people in industry.

                                                        Should you even use Lisp? I don’t know you and I don’t know your goals. But if you are choosing between CL and Scheme the answer is exceedingly clear imo.

                                                        1. 2

                                                          How do you like the concurrency support for CL? I’ve read that it isn’t supported by the standard lib, but most people use Bordeaux threads - are you happy with it? Coming from other languages, it’s a little scary for something as fundamental as concurrency not to be in standard lib.

                                                          1. 8

                                                            Bordeaux-threads might as well be considered the de facto library for system threads. If you’re interested in M:N threading with nonblocking scheduling there are also a plethora of implementations for that, although I haven’t used any personally. Clojure is another Lisp that does this quite well, and that one happens to have it in the standard library (but! I remember when it wasn’t, and Timothy Baldridge released lightweight threading as a codewalking macro. Such is the power of macros, and totally impossible with hygienic ones, I might add).

                                                            As for this standard library business… if it’s ever been needed, someone has written it and published it. I wouldn’t be “scared” that anything is or isn’t in a spec released in 1995, especially something for which the dominant paradigm has shifted so much over the past 15 years. Remember when transactional memory was the next big thing? Pepperidge Farm remembers. And even now, there is a divergence on whether people program in a pseudo-blocking procedural way (go, async await), monad-style promise chaining (all the functional languages, JavaScript before ES16), and whether concurrency was even appropriate in the first place (data parallelism, like Rust’s rayon or beam crates). Why should any standing committee decide to bless any one paradigm over another without literal decades of trial testing testing? For a frozen language like this, people coalesce over time around well written libraries, so don’t worry about that and ask around (IRC, Reddit, Google) if there is a library for this or that.

                                                            1. 4

                                                              I’ve used Bordeaux threads, and they work well enough. But I’m used to 90s-era and earlier languages which don’t come with concurrency baked in. In comparison to those, Lisp is pretty good.

                                                              1. 4

                                                                Would also mention that C didn’t have threads in the standard library until 2011 and it wasn’t seen as big handicap.

                                                                1. 3

                                                                  Bordeaux threads is de-facto standard, yeah, but I rarely find myself wanting to do low-level threading (in any language) anymore. There are various libraries built on top of it to provide higher-level concurrency primitives. For example lparallel provides task queues, promises, and parallel versions of map, reduce, sort, etc.

                                                              1. 10

                                                                My understanding is that Lisp-2 came out of a misunderstanding of the Lambda calculus papers. Especially with the rise of functional programming, the idea that functions are different from all other sorts of data and should be kept in a different namespace is awkward and strange.

                                                                I’m much more ambivalent about the macro system. Racket’s is much more sophisticated, but it has a much higher learning curve. I have found it difficult to make much progress in it. CL-style defmacro makes it easy to write macros, but also easy to write bad macros with unexpected behavior. Personally I have found that the pitfalls of defmacro are pretty easy to avoid. But if you adopted a very macro-heavy style it might be more difficult.

                                                                I would say that the main advantages of Racket are the unified, friendly community and the excellent learning materials. The advantage I can think of for Common Lisp is that it has the restartable condition system, which is extremely convenient, especially during debugging.

                                                                Of course in the end it’s impossible to answer in the general case; it always depends on what problem you are trying to solve.

                                                                1. 8

                                                                  www.nhplace.com/kent/Papers/Technical-Issues.html is a good writeup from the standardization process comparing lisp-1 vs lisp2, including the history.

                                                                1. 5

                                                                  Nice writeup, happy to read some hard numbers! The most compelling idea I took from it is that if tech workers unionize, we could make organized, sustainable donations to open source projects.

                                                                  1. 16

                                                                    Dude, if the majority of the tech worker class unionized, we could short-circuit the finance sector, end the attention economy, avert climate change and bring post-scarcity full automation to the whole world. But sadly those beefy salary to optimize adtech algos are necessary to buy a Tesla, so…

                                                                    1. 2

                                                                      Yeah. It’s hard to unshackle yourself from golden handcuffs. It’s even harder to do it on a mass scale.

                                                                    2. 5

                                                                      I’m reminded of the old observation that managing programmers is like herding cats. The kernel of truth in that makes unionization not very likely.

                                                                      1. 4

                                                                        In a field where the expectations change significantly every five years and skills can range very widely among individual software engineers, unionizing doesn’t seem to be appropriate anyway. I’m willing to have my mind changed about this, though.

                                                                        1. 6

                                                                          I’m not an expert by any stretch of the imagination, but I tend to think the fact that our field changes rapidly is more of a hurdle to overcome rather than an indicator that it isn’t appropriate to unionize. Given the ageism, sexual harrasment, wildly varying salaries, and extreme unneccesary overtime in our industry, I think unionizing is wholly appropriate.

                                                                          1. 2

                                                                            The ageism is huge.

                                                                            1. 8

                                                                              Historically, older workers are where unions come from - they’ve got the life experience to understand why shifting the power dynamic matters.

                                                                              Ageism is perhaps the ultimate union-busting technique…

                                                                              1. 2

                                                                                In startups, or everywhere? I’m in my late 30s. In my team there’s probably 2 guys younger than me, 4 older and a couple around the same age.

                                                                            2. 5

                                                                              Read the material from Tech Worker Coalition: their strategies for unionization rely on very different assumptions from traditional blue collar unions.

                                                                              Also there’s a wave of mobilization in the USA that might result in mass unionization in the short term: it’s the present, not the future.

                                                                              To read more about these topics, there’s this very good issue of Notes from Below: https://notesfrombelow.org/issue/technology-and-the-worker

                                                                        1. 2

                                                                          Reminds me of gruvbox.

                                                                          1. 3

                                                                            based on the comment in the vimscript, it seems like gruvbox was the basis.

                                                                            1. 0

                                                                              But no credit. Shame!

                                                                              1. 4

                                                                                Hi,

                                                                                In what way would you like to the see the scheme credit gruvbox other than the fact it’s at the top of the source file? (At least for the Vim scheme.) Gladly accepting advise.

                                                                                1. 1

                                                                                  Looks like it’s in the readme so that’s good enough I think. My bad!

                                                                                  1. 1

                                                                                    Just wanted to let you know I’ve added an attribution section at the bottom of the homepage1.

                                                                                2. 3

                                                                                  Au contraire. See srcery-vim#attribution.

                                                                            1. 1

                                                                              Does Rust have a built in event reactor?

                                                                              1. 3

                                                                                No, library only.

                                                                                1. 2

                                                                                  How does async/await interact with a library reactor?

                                                                                  1. 7

                                                                                    Function bodies that are async are compiled into anonymous state machines that implement the Generator trait. Types of this trait can indicate whether they are still running or finished.

                                                                              1. 4

                                                                                I don’t really know why Go didn’t just do the obvious thing to make exceptions concurrency friendly, which is have every goroutine point to a linked list of exception handlers established by the parent goroutine.

                                                                                1. 2

                                                                                  Symbols. And they have to be namespaced, too.

                                                                                  1. 2

                                                                                    Rolling my own auth

                                                                                    1. 1

                                                                                      Can someone elaborate on what he means by agile burning people out?

                                                                                      1. 6

                                                                                        I interpreted it as in the context of free software contribution. It simply isn’t sensible on a modern software project to suggest spending considerable time working on random tooling, because project management style and language has evolved to the point where the value of doing so can’t even be captured. “I’d like to add [X] to software [Y]” .. “Great, but what user story does this relate to? We’re focusing on the billing feature this week - there are 17 tickets still open for that due end of sprint Friday”, etc.

                                                                                      1. 4

                                                                                        We really have three options open to use:

                                                                                        And yet none of these options include what most good C libraries do, which is let the programmer worry about allocation.

                                                                                        1. 6

                                                                                          That’s not really a good fit for a high-level language, nor if you want to expose functionality that may need to do allocation internally. I do think that the module approach (where the programmer specifies the representation) is morally close.

                                                                                          1. 4

                                                                                            Wait, why do we want programmer’s to worry about allocation? Isn’t that prone to error and therefore best automated?

                                                                                            1. 3

                                                                                              Because the programmer theoretically knows more about their performance requirements and memory system than the library writers. There are many easy examples of this.

                                                                                              1. 5

                                                                                                Theoretically, yes. In practice, it is an enormous source of bugs.

                                                                                                1. 3

                                                                                                  In practice, all programming languages are enormous sources of bugs. :)

                                                                                                  But, here, from game development, here are reasons not to rely on library routines:

                                                                                                  • Being able to audit allocations and deallocations
                                                                                                  • Knowing that, at level load, slab allocating a bunch of memory, nooping frees, and rejiggering everything at level transition is Good Enough(tm) and will save CPU cycles
                                                                                                  • Having a frame time budget (same as you’d see in a soft real-time system) where GCing or even coalescing free lists takes too long
                                                                                                  • Knowing that some library (say,std::vector) is going to be doing lots of little tiny allocations/deallocations and that an arena allocator is more suited to that workload.

                                                                                                  Like, sure, as a dev I don’t like debugging these things when they go wrong–but I like even less having to rewrite a whole library because they don’t manage their memory the same way I do.

                                                                                                  This is also why good libraries let the user specify file access routines.

                                                                                              2. 3

                                                                                                It’s not the allocation that’s error-prone, it’s the deallocation.

                                                                                                1. 6

                                                                                                  And not even the deallocation at time of writing. The problems show up ten years later with a ninja patch that works and passes tests but fails the allocation in some crazy way. “We just need this buffer over here for later….”

                                                                                                  1. 3

                                                                                                    How would a library take control of deallocations without also taking control of the allocations, too?

                                                                                                    1. 4

                                                                                                      As I understand, a library does not allocate and does not deallocate. All users are expected to BYOB(Bring Your Own Buffer).

                                                                                                      1. 2

                                                                                                        In which case, it really didn’t matter (in this context) if allocation-isn’t-hard-it’s-deallocation-that. The library is leaving both up to the application anyway.

                                                                                                2. 3

                                                                                                  Yeah, we saw what that’s like with MPI. Those bad experiences led to languages like Chapel, X10, ParaSail, and Futhark. Turns out many app developers would rather describe their problem or a high-level solution instead of micromanage the machine.

                                                                                                1. 1

                                                                                                  Are the search stats in the article true? What are people using these VPNs for? Only time I ever need to use a VPN is to connect to my work’s network from home.

                                                                                                  Am I missing something?

                                                                                                  1. 5

                                                                                                    I have a handful of friends overseas, and they use VPNs to dodge government filters (e.g. Telegram/FB services being blocked by governments).

                                                                                                    Personally, I just use it when I’m connecting to dodgy wifi (e.g. free airport hotspots). Additionally, for some reason youtube doesn’t work on AT&T LTE for me, so I use it for that.

                                                                                                    There’s also the ‘privacy’/‘security’ theme that these VPN services advertise, maybe many people just install the first VPN app they can find because it says it’ll protect their privacy.

                                                                                                    1. 3

                                                                                                      They are helpful for hiding traffic/metadata from ISPs and governments which have influence over those ISPs.

                                                                                                      1. 3

                                                                                                        A lot of people use VPN’s to stream overseas, pirate software, and of course privacy.

                                                                                                        1. 2

                                                                                                          I have a LowEndBox instance running OpenVPN. I use it as an (admittedly feeble) way to reduce the ease with which my ISPs (and hence intelligence agencies) can monitor my internet usage.

                                                                                                          1. 2

                                                                                                            Not to pick on you specifically, but a few people have mentioned hiding from their ISP, but that seems specious. Is there reason to believe your ISP wants to monitor your internet usage any more than LowEndBox wants to monitor your usage? Don’t you already trust your ISP with your real life identity, home address, credit card number, and (probably) SSN?

                                                                                                            And unless you’ve gone through the trouble of doing offline key exchange or something like that, can’t your ISP MITM your connection to the VPN anyway?

                                                                                                            1. 4

                                                                                                              ISPs are the easiest entry-point for your government to perform bulk surveillance, so they are quite likely to pass on traffic flows. LowEndBox are likely to pass on traffic flows to their government, but as long as that’s a different one it’s far less of an issue.

                                                                                                              ISPs are also allowed to sell your traffic flow data for advertising in many parts of the world. LowEndBox could, too, but they would have very few users and much less information about who they are, so it wouldn’t be very profitable.

                                                                                                              The ISP could also MITM connections, but that’s rather more expensive and much more likely to be discovered (by eg host key verification).

                                                                                                              1. 2

                                                                                                                Yes, my ISP has my identity, which is one of the reasons why I’d like them to not know absolutely everything else about me. My ISP is also under the legal influence of my government, whereas my VPS host is not (directly). It’s far from foolproof, but it (should) minimise the amount of data that is passively collected. I have no doubt that if I were actively targeted for monitoring, it’d all come apart without much effort.

                                                                                                                I’m not sure about MITM. The key was generated on the VPS and transferred via SSH. How would a MITM attack work? (That’s a genuine question - I’m happy to be educated).

                                                                                                            2. 2

                                                                                                              It really depends on the country in which you (currently) reside.

                                                                                                              I lived in many countries around the world and, aside from avoiding being tracked (which is a fair point), several countries block a whole range of websites, for instance:

                                                                                                              • Vietnam: any wordpress website is not available (due to a ban on it after it was used to ‘attack’ the communist party)
                                                                                                              • Japan: certain porn
                                                                                                              • Turkey: pretty much all porn
                                                                                                              • China: pretty much anything popular non-Chinese
                                                                                                              • India: teamviewer doesn’t work with most ISP I tried

                                                                                                              And then you have countries in which they might not advertise that they are blocking certain things but visiting certain websites with certain keywords might make you go on a list.

                                                                                                              So, there are real reasons to use a VPN. Btw, being a ‘modern’ developer in China is extremely difficult without a VPN (usually just connecting to HK).

                                                                                                              1. 1

                                                                                                                In many countries, porn

                                                                                                              1. 1

                                                                                                                Paul’s online calculus notes.