1. 5

    It’s got to be a keyword, that’s how it can work with is not, not also being a keyword.

    Also there’s a quite ubiquitous use of is that justifies its inclusion; compare a is None to a == None to not a… only by testing the identity can you know for certain that None was passed.

    1. 2

      You put that very clearly, here and in the other comments; I learned something today.

      One other ubiquitous use of is: type inspection, like if type(a) is MyClass or if type(a) is str.

      (Some of the time isinstance(a, MyClass) will also do, but if you want to exclude the possibility of subclass instances, only a type identity check suffices.

      Ooonn the other hand, one could also argue that is tempts people into checking for identity when a subclass would also suffice; and that this may needlessly prevent interoperation with otherwise-valid subclasses. Hm. I really like the keyword, though, especially compared to ===)

      1. 5

        Note that you don’t normally need is for this sort of type inspection, as type(a) == MyClass works fine pretty much always. I think the only time it wouldn’t work correctly is if one of the classes involved had a metaclass that overrode __eq__ and did something perverse with it. I think that the cases where you really need is are uncommon; you need to care about object identity and be in a situation where something is overriding == in a way that affects the comparison you care about. Python definitely should have something that checks object identity in the way that is does, but I don’t know if it needs to be a tempting keyword instead of a built-in function.

        (I’m the author of the linked to article.)

        1. 2

          Every language must have a means of checking both identity and equality … they are fundamentally different things. The choice to make both of them an operator is quite common, the only real distinction Python makes by choosing == and is over, say, == and === is that promotion to also being a keyword.

          And just because you find it to be uncommon does not mean that it is, in fact, uncommon. I use is all the time, for instance with enum.Enum members, to properly handle default values that need to be mutable, and to identify sentinel values in iterators (usually None, but not if None is a legitimate value of the iterator) … it’s also extremely necessary to things like the Singleton pattern in Python.

          Moreover you’re throwing out the baby with the bathwater … sure, exactly as you said you can use type(a) == MyClass pretty much anywhere you might use type(a) is MyClass, but why would you? Why necessarily invoke the performance cost of equality comparison? The underlying cost of is is near zero, but by using == you force lookup and execution of MyClass.__eq__ and, if that returns False or NotImplemented you further force lookup and execution of type(a).__eq__ … both of which could be implemented in such a way as to be unbearably time consuming.

          See the question of identity is, precisely, “are these the same thing” rather than “do these share the same attributes” … they’re fundamentally different questions, and when all you care about is identity, why bother asking for equality?

      2. 2

        Arguing that it has to be a keyword because otherwise you would have to write it differently is a weird argument to me. It just means that it would be written not is(a, b) instead, which might not read as nicely, but that’s a different argument.

        1. 7

          Perhaps I should have been more specific: is needs to be either a reserved keyword or an operator (in effect it’s both, though it’s not truly an operator because, like and, or, and not it cannot be overloaded) precisely because Guido et all intended it to be used as a syntactic construct… it cannot be a function because it would then have to be used with the call syntax, be able to be assigned to a name, and overloadable in user code. There is no desire for an overloadable identity operation, indeed allowing it to be overloaded would break fundamental language semantics. The same is true of None, which is why it’s also a keyword, though it could just be a globally available variable… in Python the argument for promoting to an operator is “should this bind values around it into an operation” and for promotion to a keyword is “should the meaning of this never even potentially change during runtime” and (optionally) “should this modify other keywords” … in the case of is the answer to all of those is “yes”, so the only option was to make it a keyword.

          1. 1

            It seems to me like the same arguments would mean that isinstance should also be a keyword though?

            1. 3

              Sure, it could be extended to any number of things — Python 2 didn’t see True or False as keywords, but that protection was extended to them in Python 3 — but would it add any semantic value to do so, by stripping call semantics from it and allowing it to be used as an operator or to directly interact with other keywords?

              Some keywords have been downgraded (most notably print), but that was because there was added value in doing so, and also a colorable argument for overloading existed. The simple fact is that identity testing is a fundamental operation — much more so than introspecting class phylogeny — and the benefits of being a keyword far outweigh the minor confusion it can cause in relative newbies, while there’d be no advantage to removing it except for people who don’t know why it’s fundamental.

              In other languages you’ve got equality as == and identity as ===… frankly we’ve got it easy with is.

          2. 2

            is being built in means you know it can’t be overridden.

            It being a function would be ugly

        1. 4

          It took Y half a year to get the web site up again, and finally all those dead links stopped screaming.

          Not only that, most parts of it never came back again at all.

          1. 10

            What3Words are pretty weird, I’d prefer them not to succeed in the marketplace.

            That said, I’m speculating they have a solid DMCA case here. I have not seen the code in question, but I figure W3W does geohashing by translating lat/long into 3 unique word tuples using a lookup table. This table has been chosen to be clear and unambiguous, and that’s the relevant IP (the hashing algo too, I imagine).

            If WhatFreeWords had substituted their own lookup table, I doubt this would have been any problem.

            I’d rather a competing standard was developed and hosted by OpenStreetMap, instead of trying to reverse-engineer some company that’s legally trigger-happy.

            1. 10

              This table has been chosen to be clear and unambiguous

              You would think so, but it’s not the case. An article about What3Words listed reporter.smoked.received as the address of the Stade de France. But if you search reporter.smoked.received on What3Words, you will see it’s in Laredo, Missouri. Reporter.smoker.received, just one letter’s difference, is the Stade. W3W is not just a badly-licensed land grab, it’s also a terrible product!

              1. 4

                That’s intentional, the idea being that you know roughly where the identifier is meant to point to, so you would realize that you have the wrong one if it’s on a different continent. (See https://support.what3words.com/en/articles/2212868-why-are-the-words-randomly-assigned-wouldn-t-it-be-better-if-there-was-some-logic-hierarchy-structure-to-the-naming-structure)

                1. 2

                  Thanks for the link. But it doesn’t really detract from my (admittedly wild-ass guess) legal theory.

                  The fact whether the words are actually unambiguous is not relevant - the point is that W3W can argue that they have made significant effort in choosing the words and that the lookup table is proprietary information, covered by DMCA protections.

                  (By the way, the article has been corrected to note that the address for Stade de France is the smoker variant)

                  1. 1

                    They don’t really argue that, though. As kyrias points out in their link the words are chosen at random. This seems like incredibly thin ice for copyright purposes, almost straying into conceptual art territory.

                    The W3W promise is three words to define a location. The hedge is three words, plus a general idea of where the location is so you know if there’s an error. The reality is three words plus an unknown probability of an error and no way to correct it. Real addresses feature hierarchy and redundancy for this reason.

                    1. 3

                      Since my comment I’ve been reading up a bit. Here’s a purported DMCA takedown notice (not neccessarily the exact one served for WhatFreeWords) that makes the same argument I surmised:

                      A key feature of W3W’s activities is its creation of unique three-word addresses (“3WAs”) for three-metre by three-metre “squares” of the Earth’s surface. […] 3WAs are generated through the use of software code and approximately 57,000,000,000 word combinations made from a wordlist of over 40,000 words compiled by and proprietary to W3W.

                2. 7

                  I’d rather a competing standard was developed and hosted by OpenStreetMap, instead of trying to reverse-engineer some company that’s legally trigger-happy.

                  Plus codes come close I think; no need for yet another standard. Granted they’re not pronounceable words, but What3Words also needs homonym disambiguation so I’m not sure much is lost.

                  See also: Evaluation of Location Encoding Systems.

                  1. 2

                    I had plus codes in the back of my mind when I wrote my comment, but believed they weren’t fully open. Thanks for informing me.

                    Edit - the HN discussion on this submission is quite interesting. Among others, yet another competing geo-phrase service offers this critique of OLC/Plus Codes: https://www.qalocate.com/whats-wrong-with-open-location-code/

                    1. 1

                      not pronounceable words

                      I’m not convinced that English pronounceability is really such a killer feature for something that’s supposed to be usable worldwide. But that’s neither here nor there. Thanks for the links!

                  1. 18

                    Applications don’t manage the network

                    This entire paragraph reeks of “King of the Castle” attitude. 5 years ago I interacted with a sysadmin who had the same arguments for why every network device should go through his local HTTP proxy.

                    Just imagine the pure mess if you get different DNS results in different applications.

                    Well, what does the author imagine will happen? I don’t know. I don’t think it matters if two apps resolve to different IPs. What would happen if two devices resolved some hostnames to different IPs? Probably the same thing: Nobody cares.

                    btw Firefox caches DNS results independently of the OS, and I believe so does Chrome. These out of sync issues already happen and they are not a big deal.

                    The chaos will be a perfect Trump made Internet.

                    Oh yeah, that’s how you connect Mozilla to Trump. Nicely done. You just had to taint your best argument (US govt can’t be trusted) with that line.

                    I expected nothing based on the title and was still disappointed.

                    1. 9

                      I don’t think it matters if two apps resolve to different IPs. What would happen if two devices resolved some hostnames to different IPs? Probably the same thing: Nobody cares.

                      As someone who semi-regularly has to debug connectivity issues people have with various services, it’s rather annoying not to be able to get the same DNS results when manually resolving addresses using the OS settings, especially if one doesn’t know about the fact that Firefox has started doing this.

                      1. 4

                        Yes, it has annoyed me too. DoH is not introducing this problem though.

                        1. 7

                          It does introduce the problem though. Problems related to application level DNS caching are easily bypassed by just having them restart the browser. But if your browser claims to not be able to resolve a name, or resolves it to something different due to split-horizon DNS, and everything else on the machine is able to resolve the name properly, how would you debug this?

                          (So according to https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/ it should fall back to the OS resolver on failures, so at least ones that don’t exist externally should work, though that doesn’t really help when the public address resolve differently.)

                          1. 7

                            Pertinent example:

                            (11:42:26) om:~% dig +short @8.8.8.8 archive.is
                            62.192.168.106
                            (11:42:35) om:~% dig +short @9.9.9.9 archive.is
                            51.15.97.128
                            (11:42:43) om:~% dig +short @1.1.1.1 archive.is
                            127.0.0.3
                            

                            uh oh!

                            1. 3

                              Apparently archive.is is refusing to respond to 1.1.1.1: https://twitter.com/archiveis/status/1018691421182791680

                      2. 3

                        Oh yeah, that’s how you connect Mozilla to Trump. Nicely done. You just had to taint your best argument (US govt can’t be trusted) with that line.

                        Exactly! This article felt nothing more than a scare tactic due to the author having un-moving opinions on the matter, resulting in him using points that aren’t even accurate. Author’s need to learn to have more perspective, share their own perspective, and back their sources

                      1. 5

                        What I appreciate most of all is that nobody apparently thought about how to design USB-C plugs so they didn’t slide out.

                        1. 3

                          Sweet baby Jesus why would you want that? Personally I’m annoyed at how difficult it is to pull out a USB-C compared to the (now) old-fashioned MagSafe. When it’s finally time to replace the wife’s old laptop with whatever’s current at the time, I fear for its life.

                          1. 2

                            I loved MagSafe connectors and thought them up years before Apple introduced them: magnets get rid of mechanical wear-and-tear while making it easier to plug in! I’m guessing they weren’t used in USB-3 because of the connector size and magnetic interference.

                          2. 2

                            It seems to me that they did. My regular phone charger slides out way too easily, but my laptop charger (when either plugged into my laptop, or my phone) is quite good at staying in until I try and pull it out.

                            1. 3

                              Have you checked your phone’s usb-c port and mauybe tried cleaning it with a toothpick? :)

                              Not sure this is intentional, but with my Nexus 5X the lint seems to set in such a way that the usb-c cable slides out with the slightest touch once enough has accumulated. The connection is never broken so you’d notice, just the mechanical “lock”.

                            2. 2

                              I’ve personally always experienced that issue more often with micro-A than I have with any of my devices with C.

                              1. 1

                                I’ve been so annoyed by this that I’m pondering whether USB-C cables can be used for electronics which don’t get a gentle treatment all of the time (badges, smaller electronic cards, …).

                              1. 3

                                Their latest reply also feels rather Google:

                                If there can be a C++ standard library and runtime implementation as part of the LLVM project, I do not see a reason why there cannot be a libc implementation as part of the LLVM project.

                                Of course there can be an LLVM libc, just as there can be an LLVM anything. The question is should, which needs to be justified with sound whys, none of which have been given so far.

                                1. 3

                                  I haven’t thought in detail about what should be public versus what the compiler insists has to be public due to how I’m using these modules. I think for a command-line application it doesn’t matter so much what my public API is because no one will be consuming it, but for a library it’s probably important. I will come back to these considerations later and see if I can understand how to manage separation of concerns in rust in more detail.

                                  The simplest way to manage it is by just slapping pub(crate) on everything that you aren’t 100% sure you want exposed. It makes the item public to the whole crate, but public to other crates.

                                  1. 1

                                    Is there anything particular to Mongo in this situation, or could it have happened to any unsecured DB?

                                    1. 3

                                      IIRC mongo doesn’t have authentication by default, and older versions were exposed to the internet by default.

                                      1. 1

                                        Looks like a normal case of poor choices by someone acting as sysadmin.

                                        1. 3

                                          The phrasing of the article (“important measures which will prevent the attacks are to enable authentication and to not allow the databases to be remotely accessible”) seems to suggest that by default MongoDB instances do not have any authentication and are remotely accessible. I can’t grep it from the docs right now, but this 2016 SO answer verifies.

                                          I just tested it, and it does seem to bind to 127.0.0.1 by default, but perhaps that’s distro-specific or the default changed.

                                          At any rate, not enabling authentication is a poor default. Not everyone running a MongoDB instance is a MongoDB expert and if the entire security of your installation is dependent on not missing a “warning: please enable authentication” in some documentation then you’re just doing it wrong.

                                          People don’t read the docs, or they don’t read the right ones, or they read the right ones, get asked something by a coworker, and continue reading from a different part (skipping the warning), etc. etc.

                                          It doesn’t hurt enabling it by default, and it will prevent a world of hurt for everyone involved. We’ve seen this before time and time again going back to (at least) SMTP servers running as open relays by default.

                                          Replying to your other comment:

                                          Here is the question. How do software people make good defaults when those defaults may make it harder to use and therefore adopt the software?

                                          I don’t think enabling authentication makes software that much harder to use. It’s essentially just one command to change a password. Having your MongoDB installation hijacked also doesn’t make it easier to use ;-)

                                          1. 2

                                            Having your MongoDB installation hijacked also doesn’t make it easier to use ;-)

                                            Arguably it makes it easier to use for everyone. ;)

                                      1. 6

                                        We’re currently transitioning to https://notion.so as our single source of truth on these things. It’s not perfect, but it’s discovery and collaboration is must better than Confluence or GDocs, from experience. This is from the perspective of a small engineering team, though.

                                        1. 1

                                          That looks somewhat neat, but it looks like it has no Linux support and no web interface?

                                          1. 3

                                            Ah, I can see how you would get that impression from the landing page, but it does in fact have a web interface and I mostly just use it from the browser so that should solve the Linux support issue as well.

                                            1. 2

                                              It’s fully usable through a web browser, but there’s no Linux client, no.

                                              1. 1

                                                The native clients are basically web views. The web interface is what I use most of the time.

                                                1. 1

                                                  It’s definitely web based and in browser, the desktop apps are just Electron wrappers. I think there may be an unofficial Linux Electron wrapper too (if you are willing to add to your collection)

                                                2. 1

                                                  Thanks for the link. Definitely going to check it out!

                                                1. 14

                                                  Yay! It’s been great to have you on the team!

                                                  In my second week I implemented a change to make a certain pattern more ergonomic. It was refreshing to be able to build the initial functionality and then make a project wide change, confident that given it compiled after the change I probably hadn’t broken anything. I don’t think I would have had the confidence to make such a change as early on in the Ruby projects I’ve worked on previously.

                                                  Yeah, this is what made me consistently frustrated and annoyed at my previous work place (they used Ruby, Elixir, and JS). Static types are a bit of a trade off, and not perfect, but I’m thankful to finally be able to use them in my day job.

                                                  1. 11

                                                    I think the same problem exists even in statically typed languages. Java people talk about the open-close principle all the time, but I think it terribly encourages overengineering and bloat (due to append-only programming). What you really want is a language (and a codebase that isn’t trying hard to thwart it) that gives you the confidence to change anything as the requirements change.

                                                    1. 4

                                                      Sandi Metz hammers this home. I can’t recommend POODR and every talk she gives on youtube enough. It’s all about the cost of maintaining the code.

                                                      1. 3

                                                        I hadn’t heard about Sandi Metz as a non-Rubyist, so went ahead and listened to some of her talks. Her messages are exactly what I would’ve applauded before I met Haskell and functional programming. When you have a very powerful type system behind your back, you’re not afraid of writing code that mixes abstraction levels. You’re not afraid of hard-coding that configuration value, because when you need it, the time it takes to refactor it out to a configuration file is exactly as much as it is now, and the risk is zero in either case. So, in the long term, you end up with a simpler codebase, because you didn’t introduce needless complexity fearing that you might need it later (that’s a very valid concern in Ruby or Java.).

                                                        The principles I recommend to junior Haskellers are much more simple.

                                                        1. Stick to DRY as much as possible
                                                        2. Make sure your non-local assumptions are reflected in the types (purity is a side-effect of that principle)
                                                        3. Don’t work around abstractions, go in and refactor them
                                                        1. 2

                                                          Yeah, as I said in another comment, I think this is why Prince is such a nice code base, even after 16 years. Although Rust isn’t pure like Mercury or Haskell, it still seems to provide similar benefits as well.

                                                        2. 1

                                                          Yeah, Sandi Metz’s stuff is really great from what I’ve seen!

                                                        3. 2

                                                          Aka The Smalltalk Advantage

                                                          1. 1

                                                            I think it’s fine to have to change code when requirements change, so I’m less strict about following open-close stuff from the Java world. What I’m looking for is tooling that helps me know what to change and where - that’s something that can really help when requirements change underneath you. I definitely find that type systems in Rust, Haskell, OCaml, etc to give that power to refactor in a far more ruthless way than Java’s does - although I find Java a step up from say, Ruby, where there tends to be much fear around changing things, even in with a good test suite in place.

                                                          2. 1

                                                            Would unit tests help in this case? I’ve regularly had something compile and later segfault , (not sure if that’s possible with rust), whereas often the tests caught that.

                                                            1. 3

                                                              Barring compiler bugs Rust’s memory model guarantees no segfaults in “safe Rust”. Use of the unsafe keyword allows dereferencing of raw pointers so if you get that wrong you could get a segfault. Our code only uses unsafe for FFI with the existing application so it’s possible to get that wrong but when writing and testing the Rust in isolation we’ve written no unsafe (although the standard library does make use of it).

                                                              1. 3

                                                                Barring compiler bugs Rust’s memory model guarantees no segfaults in “safe Rust”.

                                                                That’s not actually true, stack overflows are for instance not exactly hard to cause. Segfaults just don’t violate memory safety.

                                                              2. 2

                                                                You can still get panics and stuff in safe Rust, and there are plenty of things that you definitely need tests for. You don’t need to worry about segfaults if you’re in safe code though (barring bugs in Rust and the standard library).

                                                                The change in question was more an API change - something that would be tedious and error-prone to do a find and replace for when using Ruby. The type system can do a pretty good job of telling you where you need to change things at the the exact place where you need to make that change.

                                                            1. 3

                                                              A nice little writeup, though the mind boggles why they want to bring in Redis when the tooling and ecosystem already exist in the Erlang/OTP.

                                                              1. 2

                                                                Seems like they’re planning on moving away from Redis later:

                                                                With Elixir is also possible to get rid of this component, purely relying on the communication between Elixir nodes (we will see this in the next article).

                                                                Still seems a tad strange to go with Redis first. The main reason I could see for doing this is if they want to be able to interoperate with non-Erlang systems, but since it uses term_to_binary that won’t actually be the case.

                                                              1. 2

                                                                Would be interesting to know when these slides were written, to put it in perspective.

                                                                Edit: Seems the talk took place on November 6th.

                                                                1. 2

                                                                  Where is the source code? I could not find any. Yes, there is a link to an article that talks about some server software used at ground stations. A Google search of the NASA site does not return anything obvious.

                                                                  1. 1

                                                                    It’s not the actual Mars Rover they open sourced, it’s a “scaled down version of the design”, based on the Raspberry PI. You can find the actual design and software here. (And here is the official website of the Open Source Rover.)

                                                                    1. 1

                                                                      Or, put differently, tarballs or it didn’t happen.

                                                                    1. 14

                                                                      Pretty good article overall, but a few things to fix:

                                                                      • Please spell UTF-8 and UTF-16 consistently with a hyphen.
                                                                      • Each plane has 65536 code points, not 65535.
                                                                      • Rust strings do not support rune indexing; they only support byte indexing. However, the str.chars() method returns an iterator that yields each rune sequentially. Moreover, this iterator can be collected into a Vec<char> which is in UTF-32.
                                                                      • CJK characters are 3 bytes characters long in UTF-8, not 2 bytes as you stated. This is because the 2-byte limit is U+07FF, and all CJK characters are above U+3000.
                                                                      • You mention that UTF-8 is a variable-length encoding by design, but fail to acknowledge that UTF-16 is variable-length too.
                                                                      • Python 2 is a can of worms (which depends on compile-time flags), but Python 3 is not. In Python 3, all strings behave as if they are in UTF-32 (i.e. direct access to every code point). But internally, it can store strings as UTF-32, UTF-16, or UTF-8, depending on the actual content of each string (e.g. a pure ASCII string can be stored as UTF-8 and still allow fast O(1) indexing).
                                                                      1. 6

                                                                        Rust strings do not support rune indexing; they only support byte indexing. However, the str.chars() method returns an iterator that yields each rune sequentially. Moreover, this iterator can be collected into a Vec which is in UTF-32.

                                                                        Stringactually doesn’t support byte indexing either, it just has range indexing to get a slice of the string, but you can use the as_bytes method to get a slice of bytes instead.

                                                                        1. 3

                                                                          This is correct and this is a really important point I think for Rust string indexing, I’ll modify the post to reflect this.

                                                                        2. 3

                                                                          You mention that UTF-8 is a variable-length encoding by design, but fail to acknowledge that UTF-16 is variable-length too.

                                                                          I don’t understand this criticism. The entire article is about the special case where UTF-16 is variable length - the case where you need to use surrogate pairs to represent a single unicode code point.

                                                                          1. 2

                                                                            Thanks for the feedback! I’m really glad the article initiated some interesting comments here. There are a few points which need clarifying and correcting which I’ll do in an update.

                                                                            You’re right about the Rust string indexing requiring .chars() iterator, I think this is a very important point so I’ll edit the post to explain this.

                                                                            I tried to point out how UTF-16 isn’t fixed length but I definitely think it could be made more clear.

                                                                            1. 1

                                                                              !!! I don’t know what happened, I’m quite sure I copied the whole URL when submitting the form; weird. I even remember the title being fetched as “elm-beam”, which I edited to match what I originally found on Reddit. Strange. Thanks, obviously, for posting the comment (I don’t seem to be able to edit the URL now).

                                                                              1. 1

                                                                                The blog has a bad rel=canonical link that the title-grabbing code picked up.

                                                                            1. 0

                                                                              This is not only the wrong place to protest against such things, it is also illegal as all contributors have to agree with this change.

                                                                              This approval has not been sought.

                                                                              In general, I don’t think one should deliberately mix politics and software development at all. It really doesn’t improve code quality and I’m still looking for an example where it did. Please enlighten me if you know one.

                                                                              1. 2

                                                                                “ I don’t think one should deliberately mix politics and software development at all. It really doesn’t improve code quality and I’m still looking for an example where it did. Please enlighten me if you know one.”

                                                                                Although I mostly agree, I do know of one from a security perspective: Rust. It’s a C alternative that provably reduces security risks with massive adoption vs about every other attempt at a safer replacement for C. Although Mozilla is backing it (common reason for success), a big part of its success seems to come from its community team. @skade described their approach here in an epic, improvised, field manual on marketing languages that he needs to turn into a book and consultancy for other projects. Those coding in it, regardless of skill, have fewer flaws than its predecessors. It had other benefits, too, given it integrates multiple paradigms.

                                                                                A common refrain was their inclusiveness made people want to join. I think that was mostly great onboarding and positive culture but some liked things like Code of Conduct. Any of those are a mix of political and practical. I’d love to see an experiment where you keep everything except the most political stuff to see what happens in a project that should likewise get lots of traction. I”m curious how each part plays into the situation to create the final mix of users, contributors, and successful/failed products. I wonder what the 80/20 rule is on minimum a project has to do to get most of those results.

                                                                                Regardless of what I wonder, the project with a highly effective and political team on community focus got great results with their methods that nobody else achieved in that area. Safety/security is already improving at the rate of adoption since it’s the default of the language. I give them due credit on that.

                                                                                1. 3

                                                                                  Creating an inclusive atmosphere is at least peripherally involved (and plausibly more) in bettering the project. Every project has some form of governance, which may be “political” but I would differentiate that from examples invoking Kissinger and abortions. External vs internal politics.

                                                                                  1. 2

                                                                                    Thanks for the elaborate response! As @tedu already perfectly put, I was only talking about external politics. Being a German native speaker, I made the mistake to assume the German meaning of “politics” as well for the English language. Surely politics also are internal politics in the German language, but much less.

                                                                                    So what I really meant is external politics (e.g. as a form of protest against government or political activism). The Rust approach definitely looks interesting, and even though I am not a fan of the language, its approach in terms of community development and language design are pretty unique.

                                                                                    Your point about internal politics is completely correct and I concur of course!

                                                                                  2. 1

                                                                                    it is also illegal as all contributors have to agree with this change.

                                                                                    That is incorrect, the MIT license explicitly allows sublicensing.

                                                                                    Permission is hereby granted… to any person obtaining a copy of this software… to deal in the Software without restriction, including without limitation the rights to… sublicense

                                                                                    Thus, anytime you license anything under the MIT license, you are explicitly allowing this kind of thing.

                                                                                    1. 2

                                                                                      Thanks for the heads up, I forgot about that! :)

                                                                                  1. 33

                                                                                    While I think a website like this would make sense in a few years, right now I think GDPR is complicated, confusing, and scary enough to a lot of companies that they are going to make mistakes. I’d rather help them do it better than mock them.

                                                                                    1. 15

                                                                                      As one of the thousands of engineers who had to figure out how to shoehorn a six-month compliance project into a lean team’s packed roadmap, I concur. This wasn’t easy, not even at a company that respects user data to begin with. Lots of the jokes I’ve seen about GDPR right now just lessen my opinion of the teller.

                                                                                      1. 23

                                                                                        On the other hand, we’ve all had literally more than 2 years to work on said six-month compliance project, and the fact that so many companies try to push on until the very end to start working on it is the actual problem here IMO.

                                                                                        1. 4

                                                                                          Not from my point of view – who cares if companies just woke up to GDPR two weeks ago, if I don’t use them for data processing? None of my actual pain came from that. But I definitely spent a lot of time working on GDPR when I’d rather have been building product, other deadlines slipped, things moved from To-Do to Backlog to Icebox because of this. We’re ready for GDPR, but that stung.

                                                                                          1. 3

                                                                                            I was essentially trying to put “People like you don’t get to complain about it being hard to fit something into a certain time period when they had literally 4 times that amount of time to do it.” ^__^

                                                                                            1. 3

                                                                                              Well, if people like you (who didn’t even do the work) get to complain, then so do I! If someone tells me they’re gonna punch me in the face, then they punch me in the face, I still got punched in the face.

                                                                                              1. 4

                                                                                                I did our GDPR planning and work, and I’m so glad to see it in effect. The industry is finally gaining some standards. Sometimes it’s time to own-up that you care more about your own bottom-line than doing the right thing, if you complain about having to give up a “rather have been building product” attitude.

                                                                                                1. 1

                                                                                                  Sometimes if you don’t build a product, GDPR compliance becomes irrelevant because you never get a company off the ground. As a one-person platform team until last September, I don’t regret how I prioritized it.

                                                                                                2. 6

                                                                                                  Well, if people like you (who didn’t even do the work) get to complain, then so do I!

                                                                                                  I actually did do the work. But either way, complaining about it being a pain overall is just fine, because it is. On the other hand, explicitly complaining that because you had to do it in 6 months you had issues fitting it in, had other deadlines slip, and had to essentially kill other to-do’s is a very different thing. If you’d used the extra 18 months, I bet you’d have had much less issues with other deadlines.

                                                                                                  If someone tells me they’re gonna punch me in the face, then they punch me in the face, I still got punched in the face.

                                                                                                  This analogy doesn’t even make sense in context…

                                                                                                  1. 6

                                                                                                    If you’d used the extra 18 months, I bet you’d have had much less issues with other deadlines.

                                                                                                    I’ll totally remember this for next time.

                                                                                        2. 25

                                                                                          Well, I agree in general, but this article specifically highlights some cases of just plain being mean to your users. I’m okay with mocking those.

                                                                                          1. 7

                                                                                            I disagree. GDPR is expensive to get wrong so the companies aren’t sure what to expect. They are likely being conservative to protect themselves.

                                                                                            1. 7

                                                                                              They were not conservative in tracking users, and spending for tracking and spying on users was not expensive?

                                                                                              As a user I don’t care about the woes of companies. They forced the lawmakers to create these laws, as they were operating a surveilance capitalism. They deserve the pain, the costs, and the fear.

                                                                                              1. 1

                                                                                                and spending for tracking and spying on users was not expensive?

                                                                                                Tracking users is very cheap, that’s why everyone can and does do it. It’s just bits.

                                                                                                As a user I don’t care about the woes of companies.

                                                                                                Feel free not to use them, then. What I am saying is that GDPR is a new, large and expansive, law with a lot of unknowns. Even the regulators don’t really know what the ramifications will be. I’m not saying to let companies not adhere to the law, I’m just saying on the first day the world would probably benefit more from helping the companies comply rather than mocking them.

                                                                                                EDIT:

                                                                                                To be specific, I think companies like FB, Google, Amazon, etc should be expected to entirely comply with the law on day one. It’s smaller companies that are living on thinner margins that can’t necessarily afford the legal help those can that I’d want to support rather than mock.

                                                                                          2. 10

                                                                                            It’s not like the GDPR was announced yesterday. It goes live tomorrow after a two year onboarding period.

                                                                                            If they haven’t got their act in order after two years, it’s reasonable to name and shame.

                                                                                          1. 2

                                                                                            mdocml is small and has minimal dependencies, but it has runtime dependencies - you need it installed to read the man pages it generates. This is Bad.

                                                                                            mdoc is part of the system. I guess not on Linux??

                                                                                            1. 3

                                                                                              mdoc is part of the system on Linux too.

                                                                                              1. 3

                                                                                                Depends on the Linux.

                                                                                                1. 1

                                                                                                  Do you have any particular distribution in mind where it isn’t?

                                                                                              2. 1

                                                                                                Guess what? There is life outside Unix! :-D

                                                                                              1. 8

                                                                                                A couple notes on the article (specifically, the one it links to at the beginning, The Logical Disaster of Null).

                                                                                                Null is a crutch. It’s a placeholder for I don’t know and didn’t want to think about it further

                                                                                                I disagree. In C, at least, NULL is a preprocessor macro, not a special object, “which expands to an implementation-defined null pointer constant”. In most cases, it’s either 0, or ((void *)0). It has a very specific definition and that definition is used in many places with specific meaning (e.g., malloc returns NULL on an allocation failure). The phrase, “It’s a placeholder for I don’t know and didn’t want to think about it further”, seems to imply that it’s used by programmers who don’t understand their own code, which is a different problem altogether.

                                                                                                People make up what they think Null means, which is the problem.

                                                                                                I agree. However, again in C, this problem doesn’t really exist, since there are no objects, only primative types. structs, for example, are just logical groupings of zero or more primative types. I can imagine that, in object-oriented languages, the desire to create some sort of NULL object can result in an object that acts differently than non-NULL objects in exceptional cases, which would lead to inconsistency in the language.

                                                                                                In another article linked-to in Logical Disaster of Null talks about how using NULL-terminated character arrays to represent strings was a mistake.

                                                                                                Should the C language represent strings as an address + length tuple or just as the address with a magic character (NUL) marking the end?

                                                                                                I would certainly choose the NULL-terminated character array representation. Why? Because I can easily just make a struct that has a non-NULL-terminated character array, and a value representing length. This way, I can choose my own way to represent strings. In other words, the NULL-terminated representation just provides flexibility.

                                                                                                1. 4

                                                                                                  “On Multics C on the Honeywell DPS-8/M and 6180, the pointer value NULL is not 0, but -1|1.”

                                                                                                  1. 3

                                                                                                    The C Standard allows that. It basically states that, in the source code, a value of 0 in a pointer context is a null pointer and shall be converted to whatever value that represents in the local architecture. So that means on a Honeywell DPS-8/M, the code:

                                                                                                    char *p = 0;
                                                                                                    

                                                                                                    is valid, and will set the value of p to be -1. This is done by the compiler. The name NULL is defined so that it stands out in source code. C++ has rejected NULL and you are expected to use the value 0 (I do not agree with this, but I don’t do C++ coding).

                                                                                                    1. 2

                                                                                                      I believe C++11 introduced the nullptr keyword which can mostly be used like NULL in C.

                                                                                                      1. 1

                                                                                                        Correct. Just for reference, from the 1989 standard:

                                                                                                        “An integral constant expression with the value 0, or such an expression cast to type void * , is called a null pointer constant.”

                                                                                                    2. 3

                                                                                                      I would certainly choose the NULL-terminated character array representation. Why? Because I can easily just make a struct that has a non-NULL-terminated character array, and a value representing length. This way, I can choose my own way to represent strings. In other words, the NULL-terminated representation just provides flexibility.

                                                                                                      That’s not a very convincing argument IMO since you can implement either of the options yourself no matter which one is supported by the stdlib, the choice of one doesn’t in any way impact the potential flexibility. On the other hand NULL-terminated strings are much more likely to cause major problems due to how extremely easy it is to accidentally clobber the NULL byte, which happens all the time in real-world code.

                                                                                                      And the language not supporting Pascal-style strings means that people would need to reach for one of a multitude of different and incompatible third-party libraries and then convince other people on the project that the extra dependency is worth it, and even then you need to be very careful when passing the functions to any other third-party functions that need the string.

                                                                                                      1. 1

                                                                                                        You make a good point. Both options for strings can be implemented. As for Pascal strings, it is nice that a string can contain a NULL character somewhere in the middle. I guess back in the day when C was being developed, Ritchie chose NULL-terminated strings due to length being capped at 255 characters (the traditional Pascal string used the first byte to contain length). Nowadays, since computers have more memory, you could just use the first 4 bytes (for example) to represent string length, in which case, in C it could just be written as struct string { int length; char *letters; }; or something like that.

                                                                                                        From Ritchie: “C treats strings as arrays of characters conventionally terminated by a marker. Aside from one special rule about initialization by string literals, the semantics of strings are fully subsumed by more general rules governing all arrays, and as a result the language is simpler to describe and to translate than one incorporating the string as a unique data type.”

                                                                                                    1. 28

                                                                                                      After reading the article and many HN comments, I found the headline to be highly misleading as if they’re targeting Signal for their activities in fighting censorship. It’s actually more incidental. They’re targeting a fraudulent practice Signal is doing that violates terms of service. Signal is doing it for good reasons but others might not. Google and Amazon are trying to stop it wholesale. A proper headline might be that “Several providers threaten to suspend anyone doing ‘domain fronting’ via hacks, including us.” Average person reading something like that would think it sounds totally to be expected. A technical person liking Signal or not should also notice the MO is an operational inconsistency that shouldn’t exist in the first place.

                                                                                                      So, they’re not doing a bad thing given the situation. They’re just an apathetic, greedy party in a business context fixing a technical problem that some good folks were using to help some other good folks deal with evil parties in specific countries. Sucks for those specific people that they did it but they’re not aiming at Signal to stop their good deeds. They’re just addressing an infrastructure problem that affects anyone hacking around with their service. Like they should.

                                                                                                      I wish Signal folks the best finding another trick, though.

                                                                                                      1. 16

                                                                                                        I think the correct headline would be “AWS is fixing a bug allowing domain fronting and calling it Enhanced Domain Protections”. An analogous situation would be console homebrew people exploiting buffer overflows in Nintendo games. Of course Nintendo should fix them, and like you, I root for console homebrew people to find another one.

                                                                                                        1. 3

                                                                                                          That’s another good one. It’s just a bug in their services. Them not fixing it would be more questionable to me.

                                                                                                        2. 9

                                                                                                          I found the headline to be highly misleading as if they’re targeting Signal for their activities in fighting censorship. It’s actually more incidental.

                                                                                                          And that’s why they immediately sent signal an email containing a threat to close the account immediately, instead of a regretful email telling them that this will stop working due to abuse prevention measures.

                                                                                                          1. 1

                                                                                                            It my experience that’s generally how they treat literally any issue.

                                                                                                          2. 5

                                                                                                            Signal is doing it for good reasons but others might not.

                                                                                                            I’m failing to think of a way to use domain fronting for a not good reason, especially one where the provider being fronted is still happy to host the underlying service.

                                                                                                            1. 4

                                                                                                              There is nothing fraudulent about domain fronting. Show me one court anywhere in the world which has convicted someone of fraud for domain fronting. That’s a near-libelous claim.

                                                                                                              Can you provide an example of a “bad reason” for domain fronting?

                                                                                                              As the article points out, the timing of Amazon’s decision relative to the publicity about Signal’s use of domain fronting suggests that Signal is in fact the likely intended target of this change, not incidental fallout.

                                                                                                              The headline is accurate. Your comment really mischaracterizes what is happening.

                                                                                                              1. 3

                                                                                                                I meant it in the popular definition of lying while using something. Apparently, a lot of people agree its use isn’t what was intended, the domains supplied are certainly not them, and service providers might negatively react to that. It would probably be a contract law thing as a terms of use violation if it went to court. I’m not arguing anything more than that on the legal side. I’m saying he was doing something deceptive that they didn’t want him to do with their services. Big companies rarely care about the good intentions behind that.

                                                                                                                “the timing of Amazon’s decision relative to the publicity about Signal’s use of domain fronting suggests that Signal is in fact the likely intended target of this change”

                                                                                                                The article actually says he was bragging online in a way that reached highly-visible places like Hacker News about how he was tricking Amazon’s services for his purposes. Amazon employees stay reading these outlets partly to collect feedback from customers. I see the cloud people on HN all the time saying they’ll forward complaints or ideas to people that can take action. With that, I totally expected Amazon employees to be reading articles about him faking domains through Amazon services. Equally unsurprising that got to a decision-maker, technical or more lay person, who was worried about negative consequences. Then, knowing a problem and seeing a confession online by Signal author, they took action against a party they knew was abusing the system.

                                                                                                                We can’t just assume a conspiracy against Signal looking for everything they could use against it with domain fronting being a lucky break for their evil plans. One they used against Signal while ignoring everyone else they knew broke terms of service using hacker-like schemes. If you’re insisting targeted, you’d be ignoring claims in the article supporting my position:

                                                                                                                “A month later, we received 30-day advance notice from Google that they would be making internal changes to stop domain fronting from working entirely.

                                                                                                                “a few days ago Amazon also announced what they are calling Enhanced Domain Protections for Amazon CloudFront Requests. It is a set of changes designed to prevent domain fronting from working entirely, across all of CloudFront.

                                                                                                                It’s a known problem they and Google were apparently wanting to deal with across the board per his own article. Especially Google. They also have employees reading forums where Signal was bragging about exploiting the flaw for its purposes. I mean, what did you expect to happen? Risk-reducing, brand-conscious companies that want to deal with domain fronting were going to leave it on in general or for Signal since that one party’s deceptions were for good reasons according to claims on their blog?

                                                                                                                Although I think that addresses it, I’m still adding one thing people in cryptotech-media-bubble might not consider: the manager or low-level employee who made the decision might not even know what Signal is. Most IT people I’ve encouraged to try it have never heard of it. If you explain what it does, esp trying to get things past the governments, then that would just further worry the average risk manager. They’d want a brick wall between the company’s operations and whatever legal risks the 3rd party is taking to reduce their own liabilities.

                                                                                                                So, there’s at least several ways employees would react this way ranging from a general reaction to an abuse confession online to one with a summary of Signal about dodging governments. And then, if none of that normal stuff that happens every day at big firms, you might also think about Amazon targeting Signal specifically due to their full knowledge of what they’re doing plus secret, evil plans to help governments stop them. I haven’t gotten past the normal possibilities, though, with Amazon employees reading stuff online and freaking out being most likely so far.

                                                                                                                1. 3

                                                                                                                  This rings true to me (particularly the middle-management banality-of-evil take), bar one nitpick:

                                                                                                                  The article actually says he was bragging online in a way that reached highly-visible places like Hacker News about how he was tricking Amazon’s services for his purposes.

                                                                                                                  How did you get that impression? The article states:

                                                                                                                  We’re an open source project, so the commit switching from GAE to CloudFront was public. Someone saw the commit and submitted it to HN. That post became popular, and apparently people inside Amazon saw it too.

                                                                                                                  I haven’t read the mentioned HN thread, but that hardly constitutes “bragging online”.

                                                                                                                  1. 2

                                                                                                                    I can’t remember why I originally said it. He usually blogs about his activities. I might have wrongly assumed they got it out of one of his technical write-ups or comments instead of a commit. If it was just a commit, then I apologize. Thanks for the catch regardless.

                                                                                                              2. 3

                                                                                                                “Service provider warns misbehaving customer to knock it off after repeated RFC violations.”