1. 1

    If the language has the problem that people are fighting with the language in order to become productive with it, perhaps something is wrong with the language, and not the programmers?

    Perhaps - but, given how often those “productive” programmers produce software with major flaws, perhaps not.

    1. 1

      But why everyone blame npm and “micro-libraries” as the main problem in js? Aren’t all other languages (except C/C++) has the same way of dealing with dependencies? Even in conservative Java installing hundreds of packages from Maven is norm.

      1. 10

        Something to consider is that JavaScript has an extreme audience. People who barely consider themselves programmers, because they mostly do design use it, or people just doing tiny modifications. Nearly everyone building a web application in any kind of language, framework, etc. uses it.

        I think the reason there is so much bad stuff in JavaScript is not only something rooted in language design. JavaScript isn’t so much worse than other popular bad languages, it just has a larger base having even more horrible programmers and a lot of them also build some form of frameworks.

        Don’t get me wrong, JavaScript is not a great language by any stretch, but blaming the ecosystem of a language who certainly has at least a few of the bright minds designing and implementing (working at/with Google, Mozilla and Joyent for example) it should not result in something so much more unstable.

        Of course this doesn’t mean that it’s not about the language at all either. It’s just that I have yet to see a language where there isn’t a group writing micro-libraries, doing bad infrastructure, doing mostly worst-practice, finding ways, to work around protections to not shoot yourself in the foot, etc. Yes, even in Python, Rust, Go, Haskell and LISP that exists.

        Maybe it’s just that JavaScript has been around for ages, many learned it do so some animated text, they wrote how they did it, there is a ton of bad resources and people that didn’t really learn the language and there is a lot of users/developers that also don’t care enough, after all it’s just front-end. Validation happens on the server and one wants to do the same sending off some form and loading something with a button, updating some semi-global state anyway.

        JavaScript is used from people programming services and systems with it (Joyent, et al.) to a hobby web designer. I think that different approaches also lead to very different views on what is right and what isn’t. Looking at how it started and how the standards-committee has to react to it going into backend, application and even systems programming direction probably is a hard task and it’s probably a great example of how things get (even) worse when trying to be the perfect thing for everything, resulting in the worst.

        On a related note: I think the issue the community, if you even can call it like that (there are more communities around frameworks rather than the language itself, which is different from many other scripting languages) doesn’t seem to look at their own history too much, resulting in mistakes to be repeated, often “fixing” a thing by destroying another, sometimes even in different framework-layers. For example some things that people learned to be bad in plain JavaScript and HTML get repeated and later learned to be bad using some framework. So one starts over and builds a new framework working around exactly that problem, overlooking other - or intentionally leaving them out, because it wasn’t part of the use case.

        1. 2

          there are more communities around frameworks rather than the language itself, which is different from many other scripting languages

          In general I tend to agree, but at least at some time ago I am pretty sure the Rails community was larger than the Ruby community. The Django community in Python also seems to be quite big vocal, but probably not larger than its language community given that the Python community is overall way more diversified and less focused on one particular use of the language.

        2. 9

          A lot of Java frameworks predate maven - e.g. Spring was distributed as a single enormous jar up until version 3 or so, partly because they didn’t expect everyone to be using maven. I think there’s still a cultural hangover from that today, with Java libraries ending up much bigger than those in newer languages that have had good package management from early on (e.g. Rust).

          1. 5

            Even including all transitive libraries, my (quite large) Android app Quasseldroid has 21 real dependencies. That’s for a ~65kLOC project.

            In JS land, even my smallest projects have over 300 transitive dependencies.

            It’s absolutely not the same.

            1. 3

              In technical terms, npm does not differ much from how python does package management. Culturally, however, there are a big difference in how package development is approached. Javascript has the famous left-pad package (story). It provided a single function to left-pad a string with spaces or zeroes. Lots of javascript libraries are like it, providing a single use case.

              Python packages on the other hand usually handle a series of cases or technical area - HTTP requests, cryptography or, in the case of left-pad, string manipulation in general. Python also has PEP8 and other community standards that mean code is (likely to be) more homogeneous. I am using python here as that is what I know best.

              1. 1

                Because npn micro-libraries tends to be much worse than most other languages.

                1. 1

                  It’s a problem there too.

                1. 3

                  A message veiled into a personal learning story to make it more palatable. I would not care much, but it scratches an itch.

                  We got a slight tests vs. type checking going in the middle of the lines. These subjects should not be dumped together because you may also do Python without any tools and get along just fine.

                  My opinion about types and type checking has changed as well, but it has grown to very different direction than the posters. I also have had some sort of enlightenment going along. I am a die-hard dynamic-typing proponent. I did not need a static type system, and I neither needed tests. The author had to work with something else than Python to form his opinion. I had to go into other direction, deeper into Python and finally into my own improved variation of Python.

                  If type checking is sound, and if it is decidable, then it must be incomplete. I’ve realized this is really important as the set of correct and useful programs that do not pass a type checker is large. Worse, often these are the most important sort of programs that spares a person from stupid or menial work.

                  “If it compiles, it works” and “type system make unit tests unnecessary” are hogwash. It doesn’t really matter how much you repeat them or whether you clothe them into a learning story. There was a recent post pointing out how difficult it is to construct a proof that some small program is actually correct. This means you cannot expect that program works or is correct despite that it types correctly in any language.

                  There is an aspect that is required for making computation and logical reasoning possible in the first place. That is in recognizing variant and invariant parts of the program. I’ve realized that spamming variants is the issue in modern dynamically typed languages. That cannot be solved by adding type annotations because you still have tons of variables in your code that could theoretically change. And you really have to check whether they do, otherwise you have not verified that your program is correct.

                  Statically typed languages commonly do better in keeping variances smaller, but they are also stupid in the sense that they introduce additional false invariants that you are required to satisfy in order to make the type checking succeed. And you cannot evaluate the program before the type checker is satisfied. This is an arbitrary limitation and I think people defending this for any reason are just dumb. Type checker shouldn’t be a straitjacket for your language. It should be a tool and only required when you’re going to formally verify or optimize something.

                  During working on software I’ve realized the best workflow is to make the software work first, then later validate and optimize. Languages like Python are good for the first purpose while some ML-variants are good for the middle, and for the optimization C and similar are good. So our programming languages have been written orthogonal, to cross with the workflow that makes most sense.

                  1. 19

                    the set of correct and useful programs that do not pass a type checker is large

                    If it’s large then you should be able to give a few convincing examples.

                    1. 5

                      I haven’t had the problem the quote implies. The basic, type systems were about enforcing specific properties throughout the codebase and/or catching specific kinds of errors. They seem to do that fine in any language designed well. When designers slip up, users notice with it becoming a best practice to avoid whatever causes protection scheme to fail.

                      Essentially, the type system blocks some of the most damaging kinds of errors so I can focus on other verification conditions or errors it can prevent. It reduces my mental burden letting me track less stuff. One can design incredibly-difficult, type systems that try to do everything under the sun which can add as many problems as they subtract. That’s a different conversation, though.

                      1. 1

                        This set includes programs that could be put to pass a type checker, given that you put extra work into it, or use a specific type checker for them. Otherwise that set is empty: For every program you can construct such variation where the parts that do not type check are lifted outside from the realm of the type checker. For example. stringly typed code.

                        The recipe to construct a program that does not pass a type checker is to vary things that have to be invariant for the type checker. For example, if you have a function that loads a function, we cannot determine the type for the function that is produced. If the loaded function behaves like an ordinary function, it may result in a dilemma that you may have to resolve either by giving it some weird different type that includes the idea that you do not know the call signature, or by not type checking the program.

                        Analogous to the function example: If you define creation of an abstract datatype as a program, then you also have a situation where the abstract datatype may exist, but you cannot type the program that creates it, and you will know the type information for the datatype only after the program has finished.

                        And also consider this: When you write software, you are yourself doing effort to verify that it does what you want. People are not very formal though, and you will likely find ways to prove yourself that the program works, but it does not necessarily align with the way the system thinks about your program. And you are likely to vary the ways you use to conclude the thing works because you are not restricted to just one way of thinking about code. This is also visible in type systems that themselves can be wildly different from each other, such that the same form of a same program does not type in an another type system.

                        I think for the future I’ll try to pick up examples of this kind of tricky situations. I am going to encounter them in the future because in my newest language I’ll have a type inference and checking integrated into the language, despite that the language is very dynamic by nature.

                        There is some work involved in giving you proper examples, and I think people have already moved to reading something else when I finish, but we’ll eventually resume to this subject anyway.

                        1. 6

                          Looking forward to seeing your examples, but until then we don’t have any way to evaluate your claims.

                          About your function loading example, that may or may not be typeable, depending on the deserialisation mechanism. Again, can’t really say without seeing an example.

                          1. 6

                            When you write software, you are yourself doing effort to verify that it does what you want.

                            That’s exactly why I find type systems so useful. I’m doing the effort when writing the code either way; types give me a way to write down why it works. If I don’t write it down, I have to figure out why it works all over again every time I come back to the code.

                        2. 6

                          A message veiled into a personal learning story to make it more palatable.

                          Why do you think this is veiled message instead of an actual personal story?

                          1. 5

                            If type checking is sound, and if it is decidable, then it must be incomplete.

                            Only if you assume that some large set of programs must be valuable. In my experience useful programs are constructive, based on human-friendly constructions, and so we can use a much more restricted language than something Turing-complete.

                            1. 1

                              If type checking is sound, and if it is decidable, then it must be incomplete.

                              That’s not a bug. That’s a feature.

                              If you can implement a particular code feature in a language subset that is restricted from Turing completeness, then you should. It makes the code less likely to have a security vulnerability or bug. (See LangSec)

                            1. 3

                              Honestly, I don’t find much in this article that seems like I would not want to try Kotlin for a project. Maybe the interop with Java can be bad, but maybe it can be offset by other plus of Kotlin.

                              The open class problem is something a lot of people complained in Java about class and variables are not final by default. I guess that the article is more like : I’m not agreeing with a lot choices that was made in Kotlin.

                              1. 2

                                Honestly, I don’t find much in this article that seems like I would not want to try Kotlin for a project. Maybe the interop with Java can be bad, but maybe it can be offset by other plus of Kotlin.

                                The message I would take away is: Kotlin is not a lightweight extension to Java, it’s a complete language, and picking it up will require the same amount of effort as picking up another JVM language. You might find Kotlin offers enough to be worth that cost, but you should weigh its benefits against those offered by Scala, Groovy, JRuby etc.. Do not believe the hype that this is a new kind of JVM language with better Java interoperability than its predecessors; it’s not.

                              1. 3

                                OK, OK, great, nice, really helpful.

                                But all of those tutorials about desktopping on *BSD lack a single convincing point, which I don’t need (I use OpenBSD on desktop more or less actively) but others would appreciate:

                                How such BSD desktop solution would be appealing for some casual Ubuntu user who just clicks “ok” button and gets on with things? I don’t want to deprecate or make it feel worse in any way, just looking for some points or features which can be nice for people using some mainstream Linuxes (Ubuntu, RHEL, CentOS, Fedora) on they work/private machines just to click things?

                                The only thing like that I’ve seen was “OpenBSD is not for you if…” paragraph in OpenBSD desktop practives howto. But it’s actually an opposite for what I’m looking for :)

                                1. 5

                                  How such BSD desktop solution would be appealing for some casual Ubuntu user who just clicks “ok” button and gets on with things?

                                  I think we need to find a difference between a ‘desktop’ term for regular people (not IT related) and a ‘desktop’ term for technical IT people.

                                  My guide is definitely for the second group, such FreeBSD Desktop is not suited for a regular user, the NomadBSD may be suited that way, the TrueOS Desktop may be suited that way but definitely such ‘custom’ setup.

                                  I am sharing this knowledge as I use FreeBSD on the ‘desktop’ since 15 years and when I wanted to have FreeBSD desktop it was not such easy task as it is now, but still requires some configuration and that I wanted to share.

                                  Is CentOS/RHEL better suited for the ‘desktop’ then FreeBSD? Depends, Linux has the advantage here that a lot of software out of the box supports these distributions, yet when you compare the freshness and count of packages between these system families its on the FreeBSD side - https://repology.org/statistics/newest - you have to configure many additional repositories with CentOS/RHEL like EPEL and on FreeBSD you just type pkg install so its more friendly here.

                                  CentOS/RHEL has graphical installer on which You can select to install X11 desktop which is easier for less advanced users, that is the CentOS/RHEL advantage over FreeBSD, but when we compare it that way, OpenIndiana based Illumos distribution is even easier to use and install then CentOS/RHEL as its installer is more easy then the CentOS/RHEL one ;)

                                  So its a long discussion without end really :>

                                  1. 4

                                    How such BSD desktop solution would be appealing for some casual Ubuntu user who just clicks “ok” button and gets on with things?

                                    The real selling point is “fearless upgrades”. Pushing the upgrade button in Ubuntu feels like russian roulette, you never know what’s going to break this time.

                                    ZFS is nice - RAID-like resilience, LVM-like convenience, and filesystem snapshotting for history/“undo” for the same amount of admin effort it would take to set up one of those things on Linux - but the biggest feature of BSD for me is more of an anti-feature: they just don’t keep randomly breaking everything.

                                    1. 3

                                      The real selling point is “fearless upgrades”. Pushing the upgrade button in Ubuntu feels like russian roulette, you never know what’s going to break this time.

                                      A somewhat relevant data point: the Fedora folks have been working for a while on atomic workstation, now Team Silverblue. It uses OSTree for atomic updates/downgrades. You pretty much boot in an OS version, similarly to FreeBSD boot environments (of course, the implementation is very different). The idea is to use Flatpak for installing applications, though you can still layer RPMs with rpm-ostree.

                                      Although it is probably not a solution for a tech user’s desktop. It seems interesting for the ‘average’ user in that it provides updates that don’t fail when yanking out the plug in the middle of an update and offers rollbacks. The OS itself is immutable (which protects against certain kinds of malware) and applications are sandboxed in by Flatpak.

                                      ZFS is nice - RAID-like resilience, LVM-like convenience, and filesystem snapshotting for history/“undo” for the same amount of admin effort it would take to set up one of those things on Linux

                                      Ubuntu also supports ZFS out of the box. With some work, you can also do ZFS on root.

                                      but the biggest feature of BSD for me is more of an anti-feature: they just don’t keep randomly breaking everything.

                                      I think this is the biggest selling point for BSD. I have given up on Ubuntu for my personal machines a long time ago. Stuff breaks all the time and Ubuntu/Debian/etc. are so opaque that it takes a long time to get to the bottom of a problem. Arch Linux is a reasonable compromise, stuff breaks sometimes due to it being a rolling release, but at least it’s fairly clear where to look. Moreover, the turnaround time of submitting reports/patches upstream and trickling down to Arch is pretty short.

                                      But I would switch back to BSD in a heartbeat if there was good out-of-the-box support for amdgpu, Intel MKL, CUDA, etc. But apparently (haven’t verified) the Linux amdgpu tree has more lines of code than the OpenBSD kernel.

                                      1. 2

                                        I order to be able to easily undelete files I’ve setup zrepl to snapshot my system every 15 minutes. I have these snapshots expired after a while. In combination with boot environments this means I can mess with my system without having to worry about breaking it. I can simply reset it quickly and easily. This is very convenient.

                                      2. 1

                                        It’s been so long since I used it that it’s changed names, but TrueOS is the “I just want to have FreeBSD with a desktop and don’t want to learn how to edit kernel modules with vi” answer.

                                      1. 12

                                        When people tell me to stop using the only cryptosystem in existence that has ever - per the Snowden leaks - successfully resisted the attentions of the NSA, I get suspicious, even hostile. It’s triply frustrating when, at the end of the linked rant, they actually recognize that PGP isn’t the problem:

                                        It also bears noting that many of the issues above could, in principle at least, be addressed within the confines of the OpenPGP format. Indeed, if you view ‘PGP’ to mean nothing more than the OpenPGP transport, a lot of the above seems easy to fix — with the exception of forward secrecy, which really does seem hard to add without some serious hacks. But in practice, this is rarely all that people mean when they implement ‘PGP’.

                                        There is a lot wrong with the GPG implementation and a lot more wrong with how mail clients integrate it. Why would someone who recognises that PGP is a matter of identity for many of its users go out of their way to express their very genuine criticisms as an attack on PGP? If half the effort that went into pushing Signal was put into a good implementation of OpenPGP following cryptographic best practices (which GPG is painfully unwilling to be), we’d have something that would make everyone better off. Instead these people make it weirdly specific about Signal, forcing me to choose between “PGP” and a partially-closed-source centralised system, a choice that’s only ever going to go one way.

                                        1. 9

                                          I am deeply concerned about the push towards Signal. I am not a cryptographer, so all I can do is trust other people that the crypto is sound, but as we all know, the problems with crypto systems are rarely in the crypto layers.

                                          On one hand we know that PGP works, on the other hand we have had two game over vulnerabilities in Signal THIS WEEK. And the last Signal problem was very similar to the one in “not-really-PGP” in that the Signal app passed untrusted HTML to the browser engine.

                                          If I were a government trying to subvert secure communications, investing in Signal and tarnishing PGP is what I would try to do. What better strategy than to push everyone towards closed systems where you can’t even see the binaries, and that are not under the user’s control. The exact same devices with GPS and under constant surveilance.

                                          My mobile phone might have much better security mechanisms in theory, but I will never know for sure because neither I, nor anyone else can really check. In the meantime we know for sure what a privacy disaster these mobile phones are. We also know for sure the the various leaks that government implant malware on mobile devices, and we know that both manufacturers and carriers can install software, or updates, on devices without user consent.

                                          Whatever the PGP replacement might be, moving to the closed systems that are completely unauditable and not under the user’s control is not the solution. I am not surprised that some people advocate for this option. What I find totally insane is that a good majority of the tech world finds this position sensible. Just find any Hacker News thread and you will see that any criticism towards Signal is downvoted to oblivion, while the voices of “experts” preach PGP hysteria.

                                          PGP will never be used by ordinary people. It’s too clunky for that. But it’s used by some people very successfully, and if you try to dissuade this small, but very important group of people to move towards your “solution”, I can only suspect foul play. Signal does not compete with PGP. It’s a phone chat app. As Signal does not compete with PGP, why do you have to spend all this insane ammount of effort to convince an insignificant amount of people to drop PGP for Signal?

                                          1. 4

                                            I can’t for the life of me imagine why a CIA-covert-psyops-agency funded walled garden service would want to push people away from open standards to their walled garden service.

                                            Don’t get me wrong, Signal does a lot of the right things but a lot of claims are made about it implying it’s as open as PGP, which it isn’t.

                                            1. 2

                                              What makes Signal a closed system?

                                              https://github.com/signalapp

                                              1. 12

                                                Not Signal, iOS and Android, and all the secret operating systems that run underneath.

                                                As for Signal itself, moxie forced F-Droid to take down Signal, because he didn’t want other people to compile Signal. He said he wanted people only to use his binaries, which even if you are ok with in principle, on Android it mandates the use of the Google Play Store. If this is not a dick move, I don’t know what is.

                                                1. 3

                                                  I’m with you on Android and especially iOS being problematic. That being said, Signal has been available without Google Play Services for a while now. See also the download page; I couldn’t find it linked anywhere on the site but it is there.

                                                  However, we investigated this for PRISM Break, and it turns out that there’s a single Google binary embedded in the APK I just linked to. Which is unfortunate. See this GitHub comment.

                                                  1. 2

                                                    because he didn’t want other people to compile Signal. He said he wanted people only to use his binaries

                                                    Ehm… he chose the wrong license in this case.

                                              2. 4

                                                As I understand it, the case against PGP is not with PGP in and of itself (the cryptography is good), but the ecosystem. That is, the toolchain in which one uses it. Because it is advocated for use in email and securing email, it is argued, is nigh on impossible, then it is irresponsible to recommend using PGP encrypted email for general consumption, especially for journalists.

                                                That is, while it is possible to use PGP via email effectively, it is incredibly difficult and error-prone. These are not qualities one wants in a secure system and thus, it should be avoided.

                                                1. 4

                                                  But the cryptographyisn’t good. His case in the blog post is intentionally besides all of the crypto badness.example: the standard doesn’t allow any other hash function than sha1, which has been proven broken. The protocol itself disallows flexibility here to avoid ambiguity and that means there is no way to change it significantly without breaking compatibility.

                                                  And so far, it seems, people wanted compatibility (or switched to something else, like Signal)

                                                2. 4

                                                  Until this better implementation appears, an abstract recommendation for PGP is a concrete recommendation for GPG.

                                                  Imagine if half the effort spent saying PGP is just fine went into making PGP just fine.

                                                  1. 2

                                                    I guess that’s an invitation to push https://autocrypt.org/

                                                  2. 3

                                                    When people tell me to stop using the only cryptosystem in existence that has ever - per the Snowden leaks - successfully resisted the attentions of the NSA, I get suspicious, even hostile.

                                                    Without wanting to sound rude, this is discussed in the article:

                                                    The fact of the matter is that OpenPGP is not really a cryptography project. That is, it’s not held together by cryptography. It’s held together by backwards-compatibility and (increasingly) a kind of an obsession with the idea of PGP as an end in and of itself, rather than as a means to actually make end-users more secure.

                                                    OpenPGP might have resisted the NSA, but that’s not a unique property. Every modern encryption tool or standard has to do that or it is considered broken.

                                                    I think most people unless they are heavily involved in security research don’t know how encrytion/auth/integrity protection are layered. There are a lot of layers in what people just want to call “encryption”. OpenPGP uses the same standard crypto building blocks as everything else and unfortunately putting those lower level primitives together is fiendishly difficult. Life also went on since OpenPGP was created meaning that those building blocks and how to put them together changed in the last few decades, cryptographers learned a lot.

                                                    One of the most important things that cryptographers learned is that the entire ecosystem / the system as a whole counts. Even Snowden was talking about this when he said that the NSA just attacks the endpoints, where most of the attack surface is. So while the cryptography bits in the core of the OpenPGP standard are safe, if dated, that’s not the point. Reasonable people can’t really use PGP safely because we would have to have a library that implements the dated OpenPGP standard in a modern way, clients that interface with that modern library in a safe and thought-through way and users that know enough about the system to satisfy it’s safety requirements (which are large for OpenPGP)

                                                    Part of that is attitude, most of the existing projects for implementing the standard just don’t seem to take a security-first stance. Who is really looking towards providing a secure overall experience to users under OpenPGP? Certainly not the projects bickering where to attribute blame.

                                                    I think people kept contrasting this with Signal because Signal gets a lot of things right in contrast. The protocol is modern and it’s not impossibly demanding on users (ratcheting key rotation, anyone?), there is no security blame game between Signal the desktop app vs signal the mobile app vs the protocol when a security vulnerability happens, OWS just fixes it with little drama. Of course Signal-the-app has downsides too, like the centralization, however that seems like a reasonable choice. I’d rather have a clean protocol operating through a central server that most people can use than an unuseable (from the pov of most users) standard/protocol. We’re not there yet where we can have all of decentralization, security and ease of use.

                                                    1. 2

                                                      OpenPGP might have resisted the NSA, but that’s not a unique property. Every modern encryption tool or standard has to do that or it is considered broken.

                                                      One assumes the NSA has backdoors in iOS, Google Play Services, and the binary builds of Signal (and any other major closed-source crypto tool, at least those distributed from the US) - there’s no countermeasure and virtually no downside, so why wouldn’t they?

                                                      there is no security blame game between Signal the desktop app vs signal the mobile app vs the protocol when a security vulnerability happens, OWS just fixes it with little drama.

                                                      Not really the response I’ve seen to their recent desktop-only vulnerability, though I do agree with you in principle.

                                                      1. 3

                                                        Signal Android has been reproducible for over two years now. What I don’t know is whether anyone has independently verified that it can be reproduced. I also don’t know whether the “remaining work” in that post was ever addressed.

                                                        1. 2

                                                          The process of verifying a build can be done through a Docker image containing an Android build environment that we’ve published.

                                                          Doesn’t such process assume trust on who created the image (and on who created each of layers it was based on)?

                                                          A genuine question, as I see the convenience of Docker and how it could lead to more verifications, but on the other hand it create a single point of failure easier to attack.

                                                          1. 1

                                                            That question of trust is the reason why, if you’re forced to use Docker, build every layer for yourself from the most trustworthy sources. It isn’t even hard.

                                                    2. 1

                                                      the only cryptosystem in existence that has ever - per the Snowden leaks - successfully resisted the attentions of the NSA

                                                      I’m pretty ignorant on this matter, but do you have any link to share?

                                                      There is a lot wrong with the GPG implementation

                                                      Actually, I’d like to read the opinion of GPG developers here, too.

                                                      Everyone makes mistakes, but I’m pretty curious about the technical allegations: it seems like they did not considered the issue to be fixed in their own code.

                                                      This might have pretty good security reasons.

                                                      1. 3

                                                        To start with, you can’t trust the closed-source providers since the NSA and GHCQ are throwing $200+ million at both finding 0-days and paying them to put backdoors in. Covered here. From there, you have to assess open-source solutions. There’s a lot of ways to do that. However, the NSA sort of did it for us in slides where GPG and Truecrypt were worst things for them to run into. Snowden said GPG works, too. He’d know given he had access to everything they had that worked and didn’t. He used GPG and Truecrypt. NSA had to either ignore those people or forward them to TAO for targeted attack on browser, OS, hardware, etc. The targeted attack group only has so much personnel and time. So, this is a huge increase in security.

                                                        I always say that what stops NSA should be good enough to stop the majority of black hats. So, keep using and improving what is a known-good approach. I further limit risk by just GPG-encrypting text or zip files that I send/receive over untrusted transports using strong algorithms. I exchange the keys manually. That means I’m down to trusting the implementation of just a few commands. Securing GPG in my use-case would mean stripping out anything I don’t need (most of GPG) followed by hardening the remaining code manually or through automated means. It’s a much smaller problem than clean-slate, GUI-using, encrypted sharing of various media. Zip can encode anything. Give the files boring names, too. Untrusted, email provider is Swiss in case that buys anything on any type of attacker.

                                                        Far as the leaks, I had a really-hard time getting you the NSA slides. Searching with specific terms in either DuckDuckGo or Google used to take me right to them. They don’t anymore. I’ve had to fight with them narrowing terms down with quotes trying to find any Snowden slides, much less the good ones. I’m getting Naked Security, FramaSoft, pharma spam, etc even on p 2 and 3 but not Snowden slides past a few, recurring ones. Even mandating the Guardian in terms often didn’t produce more than one, Guardian link. Really weird that both engines’ algorithms are suppressing all the important stuff despite really-focused searches. Although I’m not going conspiracy hat yet, the relative-inaccuracy of Google’s results compared to about any other search I’ve done over past year for both historical and current material is a bit worrying. Usually excellent accuracy.

                                                        NSA Facts is still up if you want the big picture about their spying activities. Ok, after spending an hour, I’m going to have to settle for giving you this presentation calling TAILS or Truecrypt catastrophic loss of intelligence. TAILS was probably temporary but the TrueCrypt derivatives are worth investing effort in. Anyone else have a link to the GPG slide(s)? @4ad? I’m going to try to dig it all up out of old browser or Schneier conversations in near future. Need at least those slides so people knows what was NSA-proof at the time.

                                                        1. 2

                                                          Why would TAILS be temporary? If anything this era of cheap devices makes it more practical than ever.

                                                          1. 3

                                                            It was secure at the time since either mass collection or TAO teams couldnt hack it. Hacking it requires one or more vulnerabilities in the software it runs. The TAILS software includes complex software such as Linux and a browser with history of vulnerabilities. We should assume that was temporary and/or would disappear if usage went up enough to budget more attacks its way.

                                                            1. 2

                                                              I’d still trust it more than TrueCrypt just due to being open-source.

                                                              What would it take to make an adequate replacement for TAILS? I’m guessing some kind of unikernel? Are there any efforts in that direction?

                                                              1. 1

                                                                Well, you have to look at the various methods of attack to assess this:

                                                                1. Mass surveillance attempting to read traffic through protocol weaknesses with or without a MITM. They keep finding these in Tor.

                                                                2. Attacks on the implementation of Tor, the browser, or other apps. These are plentiful since it’s mostly written in non-memory safe way. Also, having no covert, channel analysis on components processing secrets means there’s probably plenty of side channels. There’s also increasingly new attacks on hardware with a network-oriented one even being published.

                                                                3. Attacks on the repo or otherwise MITMing the binaries. I don’t think most people are checking for that. The few that do would make attackers cautious about being discovered. A deniable way to see who is who might be a bitflip or two that would cause the security check to fail. Put it in random, non-critical spots to make it look like an accident during transport. Whoever re-downloads doesn’t get hit with the actual attack.

                                                                So, the OS and apps have to be secure with some containment mechanisms for any failures. The protocol has to work. These must be checked against any subversions in the repo or during transport. All this together in a LiveCD. I think it’s doable minus the anonymity protocol working which I don’t trust. So, I’ve usually recommended dedicated computers bought with cash (esp netbooks), WiFi’s, cantennas, getting used to human patterns in those areas, and spots with minimal camera coverage. You can add Tor on top of it but NSA focuses on that traffic. They probably don’t pay attention to average person on WiFi using generic sites over HTTPS.

                                                                1. 1

                                                                  Sure. My question was more: does a live CD project with that kind of aim exist? @josuah mentioned heads which at least avoids the regression of bringing in systemd, but doesn’t really improve over classic tails in terms of not relying on linux or a browser.

                                                                  1. 2

                                                                    An old one named Anonym.OS was an OpenBSD-based, Live CD. That would’ve been better on code injection front at least. I don’t know of any current offerings. I just assume they’ll be compromised.

                                                                2. 1

                                                                  I think it is the reason why https://heads.dyne.org/ have been made: Replacing the complex software stack with a simpler one with aim to avoid security risks.

                                                                  1. 1

                                                                    Hmm. That’s a small start, but still running Linux (and with a non-mainstream patchset even), I don’t think it answers the core criticism.

                                                            2. 2

                                                              Thanks for this great answer.

                                                              Really weird that both engines’ algorithms are suppressing all the important stuff despite really-focused searches.

                                                              If you can share a few of your search terms I guess that a few friends would find them pretty interesting, with their research.

                                                              For sure this teach us a valuable lesson. The web is not a reliable medium for free speech.

                                                              From now on, I will download from the internet interesting documents about such topics and donate them (with other more neutral dvds) to small public libraries around the Europe.

                                                              I guess that slowly, people will go back to librarians if search engines don’t search carefully enough anymore.

                                                              1. 2

                                                                It was variations, with and without quotes, on terms I saw in the early reports. They included GPG, PGP, Truecrypt, Guard, Documents, Leaked, Snowden, and catastrophic. I at least found that one report that mentions it in combination with other things. I also found, but didn’t post, a PGP intercept that was highly-classified but said they couldn’t decrypt it. Finally, Snowden kept maintaining good encryption worked with GPG being one he used personally.

                                                                So, we have what we need to know. From there, just need to make the programs we know work more usable and memory safe.

                                                        1. 2

                                                          A complex “governance” process sounds like a problem rather than a solution. Agile done right keeps you on course in a very simple way: every two weeks you demo a working system, and the only work you do is towards specific customer-facing features.

                                                          1. 2

                                                            FWIW, I’ve seen many teams focus on the two week demo, and, not all the time, but often I’ve seen it end in they only work on things that look-cool demoing and not necessarily things that might help them. For example, tech debt tends to not be very demoable. One can always say “well they aren’t doing it right” but that also has been a problem in the times Agile has been a negative experience: people often don’t know how to do it well. I’m not saying it’s always bad or whatever, just that it’s harder to get right than just being agile.

                                                            1. 2

                                                              I’ve seen Agile lead to working with a higher technical debt load than developers wanted to, but often that was actually the level that was best for the business. Particularly for a weak team, trying to make a codebase better as a task in its own right can easily do more harm than good; making sure each codebase change is driven by a specific customer- facing feature, as Agile does, helps keep you on track.

                                                          1. 3

                                                            I find this post to be too much on the “rant for the sake of rant” side:

                                                            None of these “fancy” tools still builds by a traditional make command.

                                                            – that can be said about almost anything not written in C. I understand where the author is coming from (the old-school universe of C packages), but come on, the world is much more complex and diverse now. Hadoop is definitely a good horse for beating in this case, but would not it be a nightmare to build and maintain it with any approach?

                                                            the Docker approach boils down to downloading an unsigned binary, running it

                                                            – I find this statement very weird: docker build and private registries are your friends. I understand that setting up proper CI and a private registry can take a non-trivial amount of complexity and effort, but it is a way to ensure trust and upgrades, but the author is still talking only about running unsigned binaries from Dockerhub as if a proper secure process does not exist.

                                                            Feels like downloading Windows shareware in the 90s to me.

                                                            – with the difference that shareware is explicitly hostile to user inspection and modification, and any pre-built Docker containers should have clear, public and reproducible build process, otherwise I don’t bother running them.

                                                            With signed packages, built from a web of trust.

                                                            – maybe I’m being too strict here in my understanding of “a web of trust”, but has the author actually ever exchanged PGP keys with maintainers of the old-school Linux distros/BSD distributions? Isn’t the traditional sysadmin model also based on trust: you get an installation image from a trusted place and trust the distro maintainers? In case of almost any distro except Gentoo, you also run binaries made by someone else (with root access to your system and no isolation whatsoever except for manually set up chroots, cgroups, namespaces, … oh wait, it smells like Docker already).

                                                            Some even work on reproducible builds.

                                                            – isn’t that one of the promises of Docker, reproducible builds with some effort, but without overhauling-in-depth every build system in existence?

                                                            Docker itself may be a short-sighted overhyped product with lots of technical weaknesses, but containerization is here to stay.

                                                            1. 2

                                                              but would not it be a nightmare to build and maintain it with any approach?

                                                              Yes, that’s the core of the problem: The design choices that make it a nightmare to build and maintain regardless of the approach taken. Potentially, if containers weren’t used, people might feel the need to fix this bug.

                                                              isn’t that one of the promises of Docker, reproducible builds with some effort, but without overhauling-in-depth every build system in existence?

                                                              Except I need to build code on systems without docker. Getting some docker-built libraries into a state where I could include them linked into an android app turned from a “Well, it’ll take an hour or so, uses cmake, can’t possibly be that bad” into 3 engineers trying things out for about a week, including debugging cmake with strace, and gdb in order to get the build to work.

                                                              1. 1

                                                                – isn’t that one of the promises of Docker, reproducible builds with some effort, but without overhauling-in-depth every build system in existence?

                                                                How is that possible, though? Programs still need to get built through their existing infrastructure.

                                                                1. 2

                                                                  Taking a minimal fixed image as the base for building and paying some attention to what is being downloaded from where is much more closer to reproducible builds than building a package on a continuously changing traditional system with lots and lots of libraries and admin/user activity.

                                                                  When you start nailing versions of OS and every library to build a reproducible image, soon you will be down to managing many virtual machines, and at some point plain containerization of builds makes more sense.

                                                                  1. 2

                                                                    But we still have the problem of building our software reproducbly.

                                                                    Also, I disagree that reusing the same binary artifact (in this case an OS image) counts as reproducible builds. It’s like saying installing a prebuilt piece of software is a reproducible build.

                                                                    1. 1

                                                                      I agree that full reproducibility is a noble goal and I hope that NixOS/bazel approach will be dominant someday.

                                                                      Right now, it’s easier to deal with existing/legacy systems just building from minimal fixed images: that does not give full reproducibility in the strict sense, but it’s way better to have those kinda-reproducible builds in practice than what we had before.

                                                                      1. 1

                                                                        Also, I disagree that reusing the same binary artifact (in this case an OS image) counts as reproducible builds. It’s like saying installing a prebuilt piece of software is a reproducible build.

                                                                        Seems closer to building with a prebuilt compiler to me. Of course it’s important to ensure that you can rebuild the compiler/OS image, but you wouldn’t expect to rebuild it for every build.

                                                                        1. 2

                                                                          We’ve had that state of affairs for over a decade, at least, though. I don’t know anyone who was calling building AMIs “reproducible builds”. To make my critique more nuanced: I don’t think Docker is changing the state of reproducible builds.

                                                                          1. 1

                                                                            Usability matters. I don’t think I ever saw people using AMIs to run the build in, which is what would be the equivalent here.

                                                                            1. 1

                                                                              What does “run the build in” mean?

                                                                              1. 1

                                                                                Performing the build process - running the compiler etc. - inside the known-state system that the AMI provides. I didn’t ever see them being used that way.

                                                                                1. 1

                                                                                  That is how one builds a new AMI: you launch an existing AMI, run your build process, then save that as a new AMI.

                                                                                  1. 1

                                                                                    I never saw that being used as the primary build process, probably because it takes so long (comparatively) to launch an AMI. Rather there would be a language-specific process that built a binary, and then a distinct AMI-building process that just stuck that binary in the AMI. Whereas docker is more practical to use as your sole build process.

                                                                                    1. 1

                                                                                      Maybe, I see using AMIs to build AMIs quite commonly. But either way, I’m not really sure if this changes my core critcism: Docker is not changing the state-of-the-art of reproducible builds.

                                                                                      1. 1

                                                                                        As I said, usability matters; Docker doesn’t change what’s possible, but it does change what’s easy.

                                                                                        1. 1

                                                                                          That’s fine, but as I explicitly stated earlier, my point was about the ability to do reproducible builds, and docker has not changed one’s ability to accomplish that.

                                                                1. 8

                                                                  I can’t speak one way or another of other tools, but maven is being unfairly blamed here; it’s one of relatively few language packagers that requires signing all packages. Of course it’s possible to download a jar and not check its signature, but that’s equally true for tarballs or any other format.

                                                                  Also makefiles are just another kind of “incomptaible, and non-portable “method of the day” of building”. Every makefile I’ve seen runs a bunch of random binaries from your PATH, and doesn’t document what it requires of them. (e.g. if tar on your system is BSD rather than GNU tar, many Makefiles will just break).

                                                                  1. 3

                                                                    Serious question from a fully paid up member of the tinfoil hat brigade: Why protonmail?

                                                                    Don’t forget that if you’re sending messages you also have to consider the recipient. If your hardware is hosed, theirs may well be too. On that basis perhaps mail should be avoided depending on your threat model.

                                                                    One option would be to use something like a BeagleBone black as it’s open source and I believe verifiable.

                                                                    Another option would be to use a disconnected host for creating, encrypting and viewing messages then a separate host for relaying. This was the basis for a project I did (and cancelled) a few years back.

                                                                    1. 1

                                                                      Yeah, I guess I’m imagining that I’d be able to give my correspondents their own copy of the setup, and instructions on how to use it. I’m definitely not expecting that emails I send to random people will magically be safe from now until the end of time.

                                                                      1. 2

                                                                        If you’re talking about dedicated hardware at both ends, why not signal?

                                                                        1. 1

                                                                          Signal’s proprietary central server and TOFU-oriented protocol add a lot of attack surface that doesn’t exist in other approaches.

                                                                      2. 1

                                                                        The answer to the question “why protonmail” is mainly that I’m not sure what else to do. I have long given up hope that I’ll ever convince anyone to manually use PGP. Protonmail is a platform that I might be able to convince people to use; - has a nice UI and can conform to people’s existing habits and tools.

                                                                        Edit: Reading this next to my other response does seem to make it clear that I’m confused about how other people ought to relate to the hypothetical system involved here. Obviously they can’t be allowed to just use their phones to read messages, so I’m not sure in what sense they should be allowed to stick with their existing habits.

                                                                        1. 1

                                                                          if it’s just secure email wouldn’t spiped suffice?

                                                                      1. 20

                                                                        sigh

                                                                        So, this has already sparked a discussion about taste, freedom of speech, the whole thing.

                                                                        The joke in question is bad, very bad. It’s plain unfitting, and it isn’t even remotely funny. It’s US-centric. RMS, the person making and subsequently claiming it, has a history of making sexual and other inappropriate commentary (e.g. arguing eugenics). His quoted comment about child birth is another example of RMS speaking about things he probably doesn’t have a very qualified opinion on. Most (all?) of the people mentioned in the article discussing the issue will never be affected by this in the real world. Seriously, I expect one of those people to stand up and say “You know what? We aren’t even the right group to discuss that in!”.

                                                                        And this is the issue he pulls his authority card? Seriously? For a bad joke that was already shit in the 90s? That - even ignoring the punchline being terrible - just plain isn’t funny? Which boundary does that cross? Probably his egos.

                                                                        Seriously, this is a tech manual. This is the place where you can finally have your “let’s just talk tech her”. And there, this discussion comes up?

                                                                        1. 17

                                                                          The thing I find weird is the clear generational gap in Internet users that mean that people end up talking past each other.

                                                                          For older people who grew up thinking that Sendmail m4 macros were somehow intuitive, and that C was the new hotness, this is not a joke about abortion. It’s about censorship. That’s the hill RMS thinks he’s dying on. Removing the joke is at the risk of putting words in his mouth, censoring the manual.

                                                                          Of course, the younger people who live in a world where Javascript isn’t ridiculous to use on a server, where everything-as-a-service is the norm demand takedowns of things outside of their overton window. To them, it’s a matter of not having a frankly disgusting joke about the very real problems of abortion in the US in a technical manual that has nothing to do with those problems. They don’t understand the culture in which GNU was founded, they believe that it is RMS’ job to change to fit with their culture.

                                                                          This is what happens when an unstoppable force meets an immovable object. I’m just not sure who plays which part here. There is a reasonable answer, and the good news for the kids is that this has happened before several times: fork glibc. Fork it to remove RMS’ influence from the project and fork it to remove the offending text (for people that want it removed).

                                                                          1. 17

                                                                            Even as a commentary about censorship, it’s pretty freaking oblique. It should be removed on the technical grounds that it’s inefficient GNU crap.

                                                                            1. 2

                                                                              Stallman is pretty freaking oblique at the best of times when it comes to his sense of humour. Saying that GNU is full of inefficient crap is like saying that water is wet, or that the Linux kernel is a bug-ridden dumpster fire.

                                                                              If every GNU inefficiency was removed, it’d be BSD.

                                                                              1. -1

                                                                                It should be removed on the technical grounds that it’s inefficient GNU crap.

                                                                                Nobody force you to use GNU crap.

                                                                                But GNU is and have always been openly political.

                                                                                You are free to use software that is apparently neutral. if you don’t like it.
                                                                                And you have plenty of choice on the market: Microsoft, Apple, Google… all are pretty ready to serve your needs (and collect your data for whatever purpose, and lobbying for DRM and so on../)

                                                                                But “as a commentary about censorship”, that joke is perfectly fine.

                                                                                1. 6

                                                                                  Nobody force you to use GNU crap.

                                                                                  The fact that you are saying this to tedu (an OpenBSD developer) is kind of funny.

                                                                                  1. 5

                                                                                    I’m fine with GNU being a political project. Indeed, I actively advocate for projects to make their mind up.

                                                                                    But “as a commentary about censorship”, that joke is perfectly fine.

                                                                                    A lot of the project itself does not seem to agree, especially in the context of having it in the documentation. Except RMS, who pulls rank over a joke that he himself made. Which makes the GNU project his personal opinion/joke vehicle.

                                                                                    1. 3

                                                                                      Except RMS, who pulls rank over a joke that he himself made. Which makes the GNU project his personal opinion/joke vehicle.

                                                                                      I don’t see the point you’re making here? The GNU project was always an expression of political views that were, originally, personal to RMS. If the project ran by majority consensus it would have given up on the whole free software thing a long time ago.

                                                                                      1. -3

                                                                                        Using your “Rust Community Team” hat here is crass, and only reinforces some people’s beliefs (myself included) about these types of thought police organizations.

                                                                                        I sure hope the non-“Rust Community Team” people show less virtue signalling. It puts your project under a terrible spotlight.

                                                                                        1. 5

                                                                                          FWIW, I find the use of the hat inappropriate here as well.

                                                                                          That being said, as discussed below, I think it depends on what you think the hat means, exactly. It seems Florian uses the hat differently than many here might expect.

                                                                                2. 7
                                                                                  1. I think the joke is funny. It’s even more funny now.
                                                                                  2. RMS’s character has no bearing on the legitimacy of the joke.
                                                                                  3. You don’t need to be qualified to have an opinion.
                                                                                  4. Any group can discuss any topic, there is no “right” group.
                                                                                  5. RMS is the benevolent dictator of GNU, and as such has the authority to veto decisions in rare situations like these.
                                                                                  1. 10

                                                                                    Be that as it may, when the people who have written the code (glibc was originally written by someone else (not RMS), and Ulrich Drepper is now responsible for something like 70% of the code) and make it all work ask you to back off, it’s a stupid hill to die on. Yeah, you might win the battle, but you’ll lose the war.

                                                                                    Last time something like this happened, everyone switched to using eglibc and it wasn’t until the RMS-mandated steering committee was dissolved that people switched back to glibc. If RMS decides to be a jerk about things, watch everyone fork it again or sink their resources into musl.

                                                                                    There’s being right, and there’s being so egotistical that you burn down the house because you didn’t get your way.

                                                                                    1. 4

                                                                                      He has veto power for precisely these cases where “everyone else” disagrees, so I don’t think it’s a stupid hill to die on. In any case, I agree with you, RMS will lose this war, this is just the beginning.

                                                                                      1. 15

                                                                                        Vetoing the removal of a little-used architecture with heavy maintenance burden because they want to support those few users is a good hill to die on. Vetoing the removal of a joke that everyone else wants to remove from the manual and doesn’t in any way affect the operation of the library is a stupid hill to die on.

                                                                                        1. 3

                                                                                          That’s in your opinion. If you care the culture of your project not taking itself so seriously, I think it’s a good hill to die on.

                                                                                  2. 5

                                                                                    As a participant in Rust Community and a proponent of eugenics, your use of Rust Community Team hat makes me uncomfortable. Was it necessary? Are you really speaking for Rust Community Team here? I hope my eugenics advocacy won’t affect my Rust participation.

                                                                                    As for the joke, the joke is clearly about censorship and not about abortion. I think attempt to censor the joke makes it more relevant.

                                                                                    1. 2

                                                                                      As for the joke, the joke is clearly about censorship and not about abortion.

                                                                                      Jokes, by their nature, are not clear and subject to cultural background and education. In my opinion, it’s a bit condescending to claim that it has universal understanding and appeal.

                                                                                      I think attempt to censor the joke makes it more relevant.

                                                                                      The origin of the patch seems to be the person just didn’t think it relayed any meaningful information to a user of the function. I don’t think that falls into common usage of “censorship”.

                                                                                      1. -2

                                                                                        I don’t think that falls into common usage of “censorship”.

                                                                                        Yes, and I have yet to see a documentation patch forced on a project by a state.

                                                                                        1. 2

                                                                                          Censorship exists only when done by the state??

                                                                                      2. 1

                                                                                        On FOSS social issues, I generally put the hat on here. As my work for the Rust project is social, judging which of these issues I should put the hat on would only lead to problems. I’m fine with people knowing my affiliation and I think it’s more honest for people to know it. I don’t speak for the team, but I am a member of the team.

                                                                                        On Eugenics: it’s, in my view, an only thinly veiled form of Ableism, and as such opposed to the goal of being inclusive, especially also to people with disability. Many forms fundamentally attack the right to live of people with disabilities, for example by arguing for their abortion.

                                                                                        Just to be clear on which comment by RMS I’m referring to (on people with Trisomy 21):

                                                                                        If you’d like to love and care for a pet that doesn’t have normal human mental capacity, don’t create a handicapped human being to be your pet. Get a dog or a parrot…

                                                                                        If you want to support that comment, go ahead.

                                                                                        1. 3

                                                                                          I support the idea behind the comment. Given medical acceptance of prenatal screening of trisomy 21, this is one of less extreme among RMS’s positions.

                                                                                          I agree the expression of the idea in the comment you quoted leaves a lot to be desired.

                                                                                          1. -1

                                                                                            Prenatal screening of trisomy 21 are generally accepted as a way to increase survival chances for the fetus.
                                                                                            Trisomy 21 increases the risk of heart issues at birth, that can be handled in the proper structure, but would lead to secure death if not addressed promptly.

                                                                                            Some people use it for eugenetics (usually with amniocentesis, that kills 1 healthy children out of 200 if I remember correctly).

                                                                                            Now, IMO what RMS means is horrible, disgusting and plain dangerous.
                                                                                            But it’s not related to freedom. And he has the right to think (and say) it.

                                                                                            1. 1

                                                                                              Prenatal screening of trisomy 21 are generally accepted as a way to increase survival chances for the fetus.

                                                                                              Do you have a citation for your “generally accepted” claim? There appears to be at least some evidence to the contrary:

                                                                                              About 92% of pregnancies in Europe with a diagnosis of Down syndrome are terminated.[14] In the United States, termination rates are around 67%, but this rate varied from 61% to 93% among different populations.[13] Rates are lower among women who are younger and have decreased over time.[13] When nonpregnant people are asked if they would have a termination if their fetus tested positive, 23–33% said yes, when high-risk pregnant women were asked, 46–86% said yes, and when women who screened positive are asked, 89–97% say yes.[75]

                                                                                              https://en.wikipedia.org/wiki/Down_syndrome#Abortion_rates

                                                                                              1. 0

                                                                                                This is entirely offtopic here, but I don’t want to flee the question.

                                                                                                My source is my doctor, that incidentally is also my wife.
                                                                                                When the prenatal screening of our second daughter established 1/350 probability of a Down syndrome, she explained me about amniocentesis, about the risks for the fetus and about the implications and the medical reasoning beyond it. It’s a complex topic and I’m not competent enough to expose it here deeply, but the relevant point was that, while several doctors object to abortion as a murder in contrast with their oath and ethics, prenatal screening is designed to increase the survival of the fetus, so every doctor is fine with it.

                                                                                          2. 1

                                                                                            On FOSS social issues, I generally put the hat on here. As my work for the Rust project is social, judging which of these issues I should put the hat on would only lead to problems. I’m fine with people knowing my affiliation and I think it’s more honest for people to know it. I don’t speak for the team, but I am a member of the team.

                                                                                            While I do not agree with you on the “joke on documentation” issue, I really support this approach.

                                                                                            Hacking is a ethical and political action.

                                                                                          3. -1

                                                                                            I hope my eugenics advocacy won’t affect my Rust participation.

                                                                                            If that’s what you think that means, and you advocate for any intelligence-based eugenics, you might want to reconsider your position on eugenics.

                                                                                            This obviously would only affect you if you attempted to add eugenics commentary to the Rust project itself in some way. Same as if you attempted to add any other irrelevant polarizing commentary.

                                                                                            1. 1

                                                                                              I don’t talk eugenics on Rust space. Not because eugenics is wrong (it isn’t), but because it’s off-topic.

                                                                                              1. 2

                                                                                                it’s off-topic

                                                                                                Yes. And it’s also off-topic for glibc.

                                                                                                1. 0

                                                                                                  No, it isn’t. By definition.

                                                                                                  You might not agree with GNU or with rms here, or you might prefer that glibc would not be a GNU project, but it is.

                                                                                                  1. 2

                                                                                                    Fine. But the consensus of the primary maintainers is that it’s off-topic. Therefore it’s off-topic for whatever fork of glibc everyone ends up using. Because if we get another eglibc situation, everyone will use the fork maintained by the maintainers, and no one will use the fork “maintained” by rms.

                                                                                                    It’s de facto off-topic for those who accept reality.

                                                                                                    1. 0

                                                                                                      Anyone who “accepts reality” in that sense wouldn’t be contributing to GNU in the first place. The project has always been about RMS telling the rest of the world they’re wrong.

                                                                                                      1. 1

                                                                                                        See eglibc. A non-GNU fork already happened, and was reintegrated when the issue was dropped.

                                                                                                        I don’t see how you can say that those kind of people wouldn’t be contributing to GNU, when they clearly are and that’s what this is all about. If those kind of people wouldn’t be contributing to GNU, then why is there any debate?

                                                                                                        1. 1

                                                                                                          There is debate precisely because the people contributing don’t subscribe to your notion that the primary maintainer consensus is all that matters. glibc contributors do care about GNU and RMS, otherwise the eglibc-style fork would already have happened and the project would now be being maintained outside the GNU umbrella.

                                                                                        1. 1

                                                                                          Interesting - and somewhat worrying - to see Haskell going in the opposite direction from Scala here - Dotty (Scala 3) moves towards ML-style “type members are existential by default” and removes the forSome syntax even as this paper is proposing to introduce an equivalent exists syntax to Haskell.

                                                                                          1. 1

                                                                                            Interesting. But can this really be called a computer? If I understood the article, it seems to have built for one program, economy simulation.

                                                                                            1. 1

                                                                                              It’s an edge case, there’s no right or wrong answer. It’s a device that computes, but it’s not a general-purpose computer or a stored-program computer.

                                                                                            1. 26

                                                                                              I’m glad to see this trend of standing up against poltiical exclusion in Open Source. I assume that the Code of Conduct for llvm was written in good faith, but the continued demonization of political groups (and to some extent, white men) is troubling. Remember when no one on the internet cared what you looked like, believed, or who you loved? I want to go back to that :/

                                                                                              1. 43

                                                                                                Who is being excluded? How is Outreachy preventing someone from contributing to llvm?

                                                                                                I remember those days too. “No one” cared because “everyone” assumed you were white, male, and college educated. “There are no women on the Internet” dates back, at least, to the early ’90s.

                                                                                                As a black male dropout, that was fine for me— I could get involved. No one questioned my capabilities. And as long as I kept up a good impression of being fluent in upper-middle to upper-class white culture, I could build my skills and social capital.

                                                                                                I also got beat up on the street in front of my grandmother for “showing off” how I could “talk white” at school.

                                                                                                I also remember, when Pentiums were out, using a pawn shop purchased Apple IIc with a gifted modem. I also remember hacking into dial-up pools to get telnet— haha, as if my machine could talk SLIP or PPP. I remember begging friends from MOOs and IRC for a shell account. I remember having no concept of the disparity between myself and the people with whom I played games, chatted, wrote code, and made friends. They simply had things, and I didn’t.

                                                                                                I don’t see a problem with choosing to give their time and their money to mentor people who otherwise might not be able to participate. There certainly hasn’t been a problem with people choosing to give their time and their money to people who look like them, sound like them, grew up with them, attend the same church as them, went to the same school as them, are friends with them, enjoy the same movies as them, play the same sports as them, and just happen to be a well-off straight white male. Just. Like. Them.

                                                                                                1. 5

                                                                                                  I also remember hacking into dial-up pools to get telnet

                                                                                                  Holy crap, you and I are kindred spirits. The terminal-concentrator at the local university dropped you into a command line…you were supposed to then immediately telnet to the VAX on campus, but they didn’t enforce that. I was 13 years old and certainly not a student at said university but boy did I get around using that little trick.

                                                                                                  (This would’ve been like 1993. I’m old.)

                                                                                                  1. 4

                                                                                                    🙏🏾 s/the local university/Sprint/ and that was me too!

                                                                                                    1. 4

                                                                                                      It was an eight year old Amiga 1000 that my dad got at an estate sale for like $20 because it would only boot up about half the time and shut down and random intervals, hooked up to a black and white TV, with an old external 1200 baud modem and a terminal program I got off a disk on the cover of a magazine. I felt like the lord of all creation.

                                                                                                      Man I’m nostalgic now.

                                                                                                      1. 4

                                                                                                        Who ever thought we’d make it this far?

                                                                                                  2. 3

                                                                                                    I remember when internet arrived at my hometown. It was 1996. I am not sure such delay was related to skin color.

                                                                                                  3. 46

                                                                                                    There is no whitemend.

                                                                                                    Outreachy isn’t out to make a monster out of you. It’s trying to correct for GSoC. You don’t like Outreachy’s policies, a much smaller, less well-funded org than Google, then go through GSoC and Google. You have lots of other options other than Outreachy.

                                                                                                    The code of conduct doesn’t say anything about how white men are bad. Reading the CoC, if you object that strongly to it that you must leave, then please do! That’s the CoC working as intended. You are deciding to exclude yourself by deciding that what the CoC forbids (i.e. being an asshole) is something that you must be and defend.

                                                                                                    Also, one more thing.

                                                                                                    I wish I could explain to people who are privileged one way or another, that it doesn’t mean your entire life is handed to you in a silver platter. Being a white male doesn’t mean you can’t be poor or can’t be gay (thus discriminated) or that you can’t have a slew of other problems.

                                                                                                    It just means you don’t have those problems in addition to also being discriminated for being a woman, for being black, for being anything else.

                                                                                                    1. 5

                                                                                                      Reading the CoC, if you object that strongly to it that you must leave, then please do! That’s the CoC working as intended. You are deciding to exclude yourself by deciding that what the CoC forbids (i.e. being an asshole) is something that you must be and defend.

                                                                                                      I would disagree with that notion. I think it’s certainly possible to disagree with the CoC or parts of it without being an “asshole as the CoC forbids”. Personally and for example, I would say the “Be welcoming” clause is too exhaustive and could be shortened to “Be welcoming to everyone regardless of who they are and choose to be” which would IMO cover the same topics as it does now. The fifth clause is also way too broad and vague. A simple note that discussion not furthering the the project or it’s software, being NSFW or otherwise non-productive would have achieved the same goal and would give moderators more leeway to deal with troublemakers.

                                                                                                      I specifically wonder why number 6 was necessary. It’s a community of coders, if they can’t understand disagreement I seriously question what is going on behind the scenes that warrants such a rule. Does discussion derail so often into low level sand-flinging?

                                                                                                      Not too long ago I was member of a forum focused around LEGO robots. There were no rules of any kind but plenty of electricians and programmers around, men, women, kids and teens, etc. Everyone was happy to participate and be happy to exchange ideas and code. When there was drama the moderators enacted unspoken rules of the clearly obvious kind. If you insulted someone for no reason you got banned. Same for insulting someone based on their gender. We didn’t need rules for that. It was obvious as day that such behaviour was not something you’d do to have a productive conversation with someone about the intricacies of rubber bands vs gearing.

                                                                                                      1. 8

                                                                                                        I specifically wonder why number 6 was necessary. It’s a community of coders, if they can’t understand disagreement I seriously question what is going on behind the scenes that warrants such a rule. Does discussion derail so often into low level sand-flinging?

                                                                                                        Speaking as someone who has over the course of many years, moderated things on the internet. Things like this exist because otherwise someone will come along and say “but you didn’t say”. It’s an unwinabble battle, there will always be a “but you didn’t say” response to something. You try to cover the big things in a broad way so that people have a general idea.

                                                                                                        I’ve answered many emails as a member of the Pony core team where well meaning people write in to ask “if I do X, would that be against the CoC”. I can’t say that is how every CoC operates, but its how I like them to operate:

                                                                                                        Here are some ground rules. If you aren’t sure if what you are going to do violates those ground rules, maybe don’t it or ask whoever enforces the CoC.

                                                                                                        CoC’s are far from perfect. A large amount of that lack of perfection is that they are administered by people. Establishing some ground rules for a community is better than having none. Most communities have a CoC whether they call it that and whether its explicit. Take HackerNews, its called “Guidelines” there. It’s still a statement of some behavior that isn’t acceptable.

                                                                                                        1. 2

                                                                                                          I think if someone goes down the route of “but you didn’t say” that would be grounds for getting a mute from the poor moderator they annoyed. At least back in the forum that was how it was handled. Nitpickers aren’t people who tend to keep around once the people in charge hammer them on the fingers.

                                                                                                          I don’t think Hackernews’ Guidelines are comparable to a Code of Conduct. HN’s book of laws is much more vague and subjective, the word “guideline” already implies a certain amount of softness. Moderators won’t stick to that word-by-word and rather apply common sense on top of the rules. A “Code of X” for me implies a certain rigidness and thoroughness that isn’t present in most of them.

                                                                                                      2. 14

                                                                                                        The code of conduct doesn’t say anything about how white men are bad.

                                                                                                        And yet that is how it has been applied. The organisation is funding a scholarship which is very explicitly open to people of some race/gender combinations and not others. I don’t think finding that unconscionable makes someone an “asshole”; quite the opposite.

                                                                                                        I wish I could explain to people who are privileged one way or another, that it doesn’t mean your entire life is handed to you in a silver platter. Being a white male doesn’t mean you can’t be poor or can’t be gay (thus discriminated) or that you can’t have a slew of other problems.

                                                                                                        It just means you don’t have those problems in addition to also being discriminated for being a woman, for being black, for being anything else.

                                                                                                        Put it this way: I would lay money that, in practice, the average Outreachy scholarship ends up going to someone who has had an easier life than the average open-application scholarship (GSoC or similar). The rhetoric of inclusion is all about underprivileged groups, but somehow the beneficiaries always end up being middle-class college-educated liberals.

                                                                                                        1. 15

                                                                                                          The organisation is funding a scholarship which is very explicitly open to people of some race/gender combinations and not others. I don’t think finding that unconscionable makes someone an “asshole”; quite the opposite.

                                                                                                          Races and genders which are significantly unrepresented in the field they are trying to get them into.

                                                                                                          There are campaigns and organisations here to try and get more male primary school teachers, because males are significantly unrepresented in primary education. Are the people running those organisations and campaigns “assholes” for discriminating against women, who represent over 84% of primary school teachers?

                                                                                                          1. 4

                                                                                                            He said although he made hiring decisions based on who was the best teacher, irrespective of gender, it would be great to see more men giving teaching a go.

                                                                                                            That’s what the non-asshole version of this kind of thing looks like. Marketing the career to a particular demographic is fine. Giving that demographic an unfair advantage is not fine.

                                                                                                            1. 2

                                                                                                              It’s an unfair advantage that’s not even managing to negate the pre-existing unfair disadvantages that certain groups face.

                                                                                                              1. 4

                                                                                                                It’s Simpson’s paradox in reverse: picking an advantaged member of a disadvantage group over a disadvantaged member of an advantaged group is a negative step for equality that sounds like a pro-equality move.

                                                                                                          2. 6

                                                                                                            The outreachies I’ve seen have gone to Indian and Eastern bloc girls. You don’t see a lot of those in GSoC.

                                                                                                            1. 4

                                                                                                              Sure. That doesn’t contradict what I said: that the beneficiaries of these efforts end up being disproportionately people from the international college-educated liberal middle class (a group that’s far more homogenous in the ways that matter than most races or genders, though that’s a separate discussion), people who have had an easier life with fewer problems than the people they are displacing, even when those people are white and male.

                                                                                                              1. 4

                                                                                                                Let’s assume you’re right.

                                                                                                                How does Outreachy working with international college-educated liberal middle class Indian and Eastern bloc girls displace anyone?

                                                                                                                1. 2

                                                                                                                  If LLVM is choosing to fund a scholarship with Outreachy in place of funding one with GSoC, the recipient of that scholarship is displacing the person who would’ve received the GSoC one.

                                                                                                                  1. 9

                                                                                                                    Please correct me if I’m wrong, but as I understand it:

                                                                                                                    • LLVM participates in both Outreachy and GSoC.
                                                                                                                    • LLVM doesn’t fund either programme.
                                                                                                                      • Outreachy and GSoC both provide funds for their own programmes.

                                                                                                                    So, neither LLVM nor Outreachy are “displacing” anyone from GSoC.

                                                                                                                    Moreover, no one even signed up for LLVM’s Outreachy! So this is hypothetical “displacement.”

                                                                                                                    1. 1

                                                                                                                      Outreachy doesn’t fund internships, you need to bring your own funding to them. I’m not sure how LLVM is funding their outreachy internships.

                                                                                                                      1. 8

                                                                                                                        [citation needed]

                                                                                                                        Because, from their front page:

                                                                                                                        Outreachy provides three-month internships for people from groups traditionally underrepresented in tech. Interns are paid a stipend of $5,500 and have a $500 travel stipend available to them.

                                                                                                                        And their sponsor page:

                                                                                                                        Outreachy internship stipends, travel fund, and program costs are supported by our generous donors.

                                                                                                                        Same page, “Commonly Asked Questions”:

                                                                                                                        Q: Who pays the interns? A: The Outreachy parent organization, the Software Freedom Conservancy, handles payments to interns.

                                                                                                                        Not to make too fine a point:

                                                                                                                        Q: We have a company internship program. How does that work with Outreachy internships? A: Outreachy internships are completely separate from any other internship program. Outreachy organizers find FOSS communities that are willing to provide mentorship and use corporate sponsorship to fund the internships.

                                                                                                                        1. 1

                                                                                                                          I guess I don’t see how you’re disagreeing with what I wrote. You need to have funding arranged before you can set up an outreachy internship.

                                                                                                                          1. 4

                                                                                                                            FOSS community provides mentorship. Corporate sponsor provides funding. Internship = mentorship + funding. Outreachy provides internships.

                                                                                                                            The money from corporate sponsors goes into a pool that is used for all internships. Outreachy is a funds aggregator.

                                                                                                                            When you say “you need to bring your own funding to them,” who is the “you?” It’s not the FOSS community. It’s not the internship applicant. Who is it?

                                                                                                                            1. 1

                                                                                                                              Perhaps the policy changed. When I looked this up in November it was the responsibility of whoever wanted to start an outreachy program for a project to identify a source of funding.

                                                                                                                              1. 2

                                                                                                                                According to the Internet Archive, in September of 2017, their policy was exactly the same. It’s the same at least back through the last GNOME Outreachy, over a year ago.

                                                                                                                                Update: I deleted my follow-on questions. This is the kind of back and forth @pushcx warned about.

                                                                                                                                1. 2

                                                                                                                                  Did you see my other comment? Each org needs to find a coordinator who needs to find funding for their org (see under coordinator, here: https://www.outreachy.org/mentor/). That might be in terms of corporate sponsorhip, but outreachy won’t do that for you.

                                                                                                                                  1. 2

                                                                                                                                    No I didn’t, I missed your self-reply. Sorry about that!

                                                                                                                                    And, yeah:

                                                                                                                                    Coordinator Duties Before Application Period Opens

                                                                                                                                    • Finding funding for at least 1 intern ($6,500)

                                                                                                                                    That’s clear and conflicts with their other pages. “Perhaps the policy changed” indeed. I put more weight on that page, though, than their more advertise-y ones.

                                                                                                                                    mea culpa!

                                                                                                                      2. 1

                                                                                                                        I understood LLVM was funding the scholarship but could easily have misunderstood. In any case it’s beside the point: my point goes through exactly the same if we’re talking about the person a hypothetical open-application scholarship would have selected or a person who was displaced as such.

                                                                                                                        Moreover, no one even signed up for LLVM’s Outreachy! So this is hypothetical “displacement.”

                                                                                                                        Isn’t it just the opposite? If choosing to offer an Outreachy scholarship rather than some other scholarship meant that instead of getting a likely-less-privileged individual they got, not a more-privileged individual but no-one, that’s an even bigger loss.

                                                                                                                        1. 1

                                                                                                                          If choosing to offer an Outreachy scholarship rather than some other scholarship […]

                                                                                                                          They also offer a GSoC scholarship, and there’s nothing to imply Outreachy replaced an alternative rather than being an addition.

                                                                                                                          1. 0

                                                                                                                            Scholarships don’t grow on trees; surely the fairest comparison to make is offering a scholarship versus offering a slightly different scholarship. (Would you apply the same reasoning if someone wanted to offer a scholarship that was only for white people, say?)

                                                                                                                            1. 3

                                                                                                                              I can play this game too, where “displaced” is entirely hypothetical:

                                                                                                                              • LLVM has displaced compiler developers from gcc!
                                                                                                                              • My drinking tea tonight displaced a purchase of beer from the bar down the road!
                                                                                                                              • My mother and father each displaced every other person on the planet born before 1980!

                                                                                                                              THE INJUSTICE

                                                                                                                              1. 1

                                                                                                                                Um, yes, it’s 100% fair to compare gcc to llvm, tea to beer, or your mother and father to other people?

                                                                                                            2. 8

                                                                                                              It just means you don’t have those problems in addition to also being discriminated for being a woman, for being black, for being anything else.

                                                                                                              That’s incorrect in any environment where whites or men are the minority. Human nature dictates that all groups favor those like them and penalize those unlike them. Examining the politics of non-white nations in World History or current affairs confirm those groups are just as racist in the social systems they create. Examining the actions of black administrators or elected officials show they mostly bring in people like them regardless of what the mix is in their area. The kind of political beliefs behind these Codes of Conduct and privilege assume this doesn’t happen on a large scale by non-whites to whites. The wealth of evidence disagrees with that so strongly that believing in it anyway and suppressing alternative views is comparable to a religious faith. One that damages specific groups while propping up others.

                                                                                                              Another point folks in favor of those beliefs and CoC’s never bring up is how many minority members disagree with them. The surveys they usually take are almost never worded to assess how many people believe it’s something all groups do to each other. That’s because they’re biased enough to try to just reinforce their own beliefs. In my surveys, I always present both sides asking which they think it is. I rarely meet black or Latino people, majority of minority members in my area, that think structural oppression is only a white thing. It’s so rare out here. Most think all groups do it but that whites are doing it the most. That’s reasonable. Yet, under CoC’s and associated beliefs, their views would be censored as well since they’d be construed as racist (in their definition) or contributing to reinforcement of it. Likewise, any “language” or “terms” that are racist, sexist… scratch that, which their political beliefs without supporting evidence label as inherently racist, sexist, etc. That too.

                                                                                                              So, I object to these CoC’s that act like a good chunk of minority members’ opinions don’t matter, that ignore the fact that minorities do structural racism/sexism all the time (by default like people in general?), ignore the fact that whites/men they’re addressing might have been the oppressed minority in previous environment (or current), and then build social structures and enforcement mechanisms on top of those damaging, faith-based beliefs. I also say this as a white guy who spent years in black-run schools living a long time in many areas of black-run city working in black-run departments and companies. If I write about my experiences or tell it like a 3rd party, the black people always think the person in the story is black saying the feelings and obstacles are what they endure. When I say they’re white, then type of people I’m countering say, poof!, none of it counts as evidence of racism. That shows it’s politically-motivated maneuvering, not consistent logic.

                                                                                                              These should be fought in favor of CoC’s that don’t require everyone in America or the World to believe and speak as if one, smaller, vocal group is unconditionally right in all political claims about these matters.

                                                                                                              1. 14

                                                                                                                That’s incorrect in any environment where whites or men are the minority. Human nature dictates that all groups favor those like them and penalize those unlike them. Examining the politics of non-white nations in World History or current affairs confirm those groups are just as racist in the social systems they create.

                                                                                                                I’m sorry, what are you talking about? I’m from Peru where ‘whites’ are a minority. They are most certainly not discriminated against, quite the contrary. Whiteness is equated to privilege to the extent we have a saying here: ‘El dinero blanquea’, which roughly translates to ‘Money bleaches’.

                                                                                                                The discrimination comes from factual power, not a head count. Power which was built upon centuries of enslavement and exploitation. Exploitation most members of the white elite minimize and/or are oblivious to.

                                                                                                                It is the same in other places of South America. Certainly in Brazil, where the author is from.

                                                                                                                1. 6

                                                                                                                  I’m from Peru where ‘whites’ are a minority. They are most certainly not discriminated against, quite the contrary. Whiteness is equated to privilege to the extent we have a saying here: ‘El dinero blanquea’, which roughly translates to ‘Money bleaches’.

                                                                                                                  I appreciate you sharing your example where one of the minorities has power. That supports my view that it’s highly conditional. Power is one thing that ties into discrimination. Group identity is another. You don’t need centuries of enslavement or exploitation to get one group working for themselves more or against another. It can be a factor, though. Often is. I also noticed you’re mentioning countries where white armies invaded them and their upper classes, not whites in general, did coercive negotiations for trade that benefits them. In this case, it’s real but tied to who did what. You can bet a group invaded by non-whites will also develop some reaction to that group.

                                                                                                                  Whereas around Memphis TN, being white in specific areas won’t get them respect or power due to the slavery that happened in the South. They’ll just get a warning to leave, beat down, robbed, and/or killed. No power. Like with those that invaded Latin America, the power was with a subset of them in high places or any that could get them to act on their behalf. As a civil rights proponent in America, I assure those powerful, white people would try to squash or minimize white people like me when our interests conflict. They hate outsiders even more but I would be treated more like them than your scenario would lead you to expect. I’m still in the outgroup. Just not as far out as Latin America. Same with local blacks or latinos that control specific areas, organizations, businesses, and so on. Being white conveys me large benefits in some contexts, about none in others, kind of negative in others, and violence/death in others.

                                                                                                                  It varies by context is my overall point. It’s not “If white, always this. If non-white, always that.” It’s really complicated. I’m sure I have plenty more to learn about the dynamics of the many groups. Thing is, countering it my way is much simpler than trying to trace it all: being civil, going out of your way to bring in others, accepting each other despite differences, and randomizing/blinding where possible selections/promotions. Increased fairness without further discrimination or hate. It’s simple, but not easy.

                                                                                                                  Edit to all: Other replies will be delayed since I have to work a late shift tonight. Heading out now. Hope yall have a good day and appreciate all the civil replies so far. :)

                                                                                                                  1. 4

                                                                                                                    Thank you for the thoughtful response. I get a better sense of what you were getting at. I don’t think I’m qualified to say much more on the matter, I don’t think I have a proper grasp of the dynamics of structural exploitation. But I’d like to add a couple of not fully developed ideas.

                                                                                                                    – Whiteness is sometimes used as a proxy for privilege.

                                                                                                                    – Whiteness is context dependent. My cousin from the US grew up on Pensilvania. Here he is a ‘gringo’, where he grew up he was considered far from white, being called racial slurs when growing up.

                                                                                                                    – It may be a better idea to talk more in other terms w/o proxies. Class politics are more relevant today than race IMHO.

                                                                                                                    – Even in Perú there are some contexts where you can be subject to specific instances of discrimination, but they pale in comparison to the structural discrimination that happens in the day to day basis. Which is why (in the context of Latin America at least) I view focusing on ‘reverse racism’ as a mechanism to distract from the larger and more important problem of structural discrimination.

                                                                                                                    also noticed you’re mentioning countries where white armies invaded them and their upper classes, not whites in general, did coercive negotiations for trade that benefits them.

                                                                                                                    I understand and empathize and partially agree with what you are getting at. Certainly you can’t be held personally accountable for everything action your government does. But at the same time they have to some extent the support of the general public. At best, you are turning a blind eye to the pain and suffering that supports your economy. But then again, it is our (Latin American) governments which are complicit and also responsible for said exploitation.

                                                                                                                    I’m the words of a mining worker, when talking to a college student:

                                                                                                                    – You speak of the gringos you’ve seen in Morococha and Cerro (Mines in Perú). But they are millions. Don’t generalize…

                                                                                                                    – So why do they send those how look down on us, cholos, not like people but like dogs.

                                                                                                                    Another thing, the exploitation of Latin America is not limited to ‘economic deals’ and is not something of the past (But there is more than a fair share to blame on our obsequent governments). In the 90’s US Companies hired henchmen to kill union leaders. The US Goverment (through US-‘AID’) provided logistic support for the mass forced sterilization of millions of women in Perú. Or even this decade, the US government, through the DEA, determines the policy and funds the forceful eradication of coca leaves further contributing to the impoverishment of Peruvian farmers. The Coca plant is legal here and is consumed by many in their day to day.

                                                                                                                    1. 1

                                                                                                                      I thank you for your detailed response. That was a mix of interesting and pretty sad. I’m going to back up a bit first on one issue since I was using a simplification that you and @stephenr are showing I probably shouldn’t use maybe here or in general. I’ll have to think on it. The actual belief I have about the ingroup vs outgroup dynamic is that they’re just treated differently in a way where it’s often positive to first and negative to second. It doesn’t have to be. I was just going with common pattern since it fits both my experiences and minorities in the U.S. which is mostly the topic around this thread. You’ve both given examples where a white outgroup can be benefit from their status in other countries. Likewise, there’s examples where the ingroup is a rough position with expectations for man or women coming to my mind easiest. One of the worst examples I’ve seen is the tribe that covers people in bullet ants to prove they’re men. I’d rather be the outgroup they look down on forever. ;)

                                                                                                                      On to your comments on exploitation. Far as unions, sterilization, and so on, that’s a side effect of the elites controlling America. They use the media to keep folks under control fighting enemies that aren’t the main enemy. You won’t see the stuff you described on American media much. Instead, it’s stuff that shocks or lets people point fingers temporarily for quick reactions. Next wave of shock happens making them forget what came before that. Americans can’t keep track of history. They can only focus collectively a moment at a time with what’s carefully put in front of them. The parts of the government doing things like you describe are mostly autonomous working for rich and powerful. Those that get voted in do a mix of things they said they’d do and things that appear to benefit their voters with lots of publicity for both. The choices are few with the non-participation and apathy so high that government doesn’t worry about rebellion. It’s kind of a constant rehash of the same games and corruption with businesses getting laws passed benefiting them more and more every year mostly under Americans’ noses since media barely reports on it.

                                                                                                                      So, that’s how that works if you were wondering. When I was young, I never thought handfuls of companies and some government organizations could really control most of several hundred million people with the presence of the Internet, activists getting word out, and so on. Yet, they actually can. They’re also intelligent, focused, well-staffed, and relentless in their pursuits vs masses that are hit and miss on these things with more scattered beliefs, goals, and participation. Just like in this, those fighting over the CoC’s and such aren’t investing effort in joining together against the elites like folks did in MLK days which truly scared them enough to plot murders. If they beat the corruption, they could work law by law, reg by reg, case by case to get a lot done starting with something as simple as due process for workers (I’m union). It takes unity and focus on where the foundational problems are, though, to achieve something like that. Not to knock efforts to improve things elsewhere but we really should be almost all in on dealing with people paying bribes for damaging laws to be passed that give corrupt jurisdictions and companies impunity in their evils. It seems like so much starts right there.

                                                                                                                      Anyway, there’s a lot of people pulling for the folks you describe. They just feel powerless to do anything about it. Also, those that care are so few that giving up products that come from there will change nothing. So, everyone from the consumers to the traders ignore their fleeting thoughts since they need some cheap copper.

                                                                                                                2. 13

                                                                                                                  I’m not sure how anything you’ve written is relevant to LLVM’s code of conduct. It says; be welcoming of everyone, be considerate, be respectful, don’t make violent threats. All very basic, common sense stuff that the vast majority of people don’t need to a checklist to accomplish. I’m not sure how you went from what is actually written there, to this:

                                                                                                                  The kind of political beliefs behind these Codes of Conduct and privilege assume this doesn’t happen on a large scale by non-whites to whites.

                                                                                                                  Which part of LLVM’s CoC do you think is saying this? Do you think the part about being welcoming of everyone regardless of race is non-white people discriminating against white people?

                                                                                                                  1. 8

                                                                                                                    “Violent threats or language directed against another person. Discriminatory jokes and language. especially those using racist or sexist terms Advocating for, or encouraging, any of the above behavior.” (my emphasis added)

                                                                                                                    It’s those words that are used to block people based on political beliefs. The kinds of people that push CoC’s often have specific views about what is considered racist, sexist, etc that there’s not a wide consensus on. Any words or behavior will be interpreted in the light of their views. This is double true when they get into the moderation positions, which they often aim for. I don’t have to speculate as I’ve been banned from forums for quoting under my own name minority member’s opinions on minority issues. They were racist, sexist, etc. by their definitions. These policies interpreted however they want are the leverage they use to reinforce their own groups or eject other groups. Advocating for is the last term where anyone even debating whether something was racist or sexist might be construed as supporting the racist or sexist person. That’s happened plenty, too.

                                                                                                                    So, it’s the intent behind the terms along with whose enforcing them, what their beliefs are, and if they’re willing to exclude people with different beliefs on contentious topics. They usually are. So, I oppose those in favor of CoC’s without enforcement of political ideology that focus on people just staying civil, friendly, etc. Those parts of the CoC’s I have no problem with.

                                                                                                                    EDIT to add what I’m fine with since I’d rather not be overly critical of something that’s mostly good:

                                                                                                                    “be friendly and patient, be welcoming, be considerate, be respectful, be careful in the words that you choose and be kind to others, and when we disagree, try to understand why.”

                                                                                                                    Most of the weaseling is built into that “be careful in the words you chose” part. Minus the weaseling, even quite a few points in that section are good. Also note that we don’t have to speculate given Lobsters already has enforcement that’s similar to what I’m advocating for. Our moderators may agree or disagree with people’s political views but haven’t ejected anyone for stating their views with data in a civil way. Our community is still a thriving, functioning community despite any political scuffles.

                                                                                                                  2. 11

                                                                                                                    That’s incorrect in any environment where whites or men are the minority.

                                                                                                                    I guess you’ve never been to Thailand. Whites are a ridiculous minority, but they’re held in such high regard by a large percentage of the population.

                                                                                                                    Edit: and to clarify, this isn’t the same situation as @PuercoPop’s:

                                                                                                                    Thailand was never colonised, has never been under ‘white’ or ‘western’ rule and was not a ‘source’ for slavery by whites, Heck, whites (without getting Thai citizenship, which, holy shit is that a long process) can’t own land, can’t own more than 49% of a company, etc.

                                                                                                                    Try to find some Thai soap operas on YouTube - notice how all the actors are very pale skinned: they’re all half-Thai, half-white. If they want to show a ‘poor brown girl’ (believe me, their stereotype, not mine) they literally take a Thai/White actress, and use makeup/body paint/whatever to show their version of what anyone else would think of as a ‘natural’ brown skin.

                                                                                                                    I’ve been stopped at police licence checkpoints, and the cop has been so excited just to say hello to a white guy he doesn’t even care if I have a licence.

                                                                                                                    1. 4

                                                                                                                      Of course structural oppression isn’t a white only thing. Anyone can discriminate against anyone. And sure, in localized areas some groups can oppress others in different ways than the average. That doesn’t mean CoCs shouldn’t try to prevent racist / sexist conduct.

                                                                                                                      What things do you see in CoCs that minority members disagree with, that unfairly construes their beliefs as racist? Or disregards their opinions? Or ignores that whites/men may have been the oppressed minority in their environment?

                                                                                                                      1. 4

                                                                                                                        That doesn’t mean CoCs shouldn’t try to prevent racist / sexist conduct.

                                                                                                                        I didn’t say that. I said it’s usually interpreted in a way where racist and sexist conduct has definitions that usually mean whites/males can’t experience the negatives, are often responsible for them (supported point in general case), and inherently have the positives. Evidence strongly counters two of those showing it has to be judged case by case, place by place, etc. For instance, the forums dominated by the types of people with that ideology make them the majority with the structural power to include, exclude, oppress, and so on. By their own definitions this is true. Yet, any person in a different group dissenting in such a place will be told they’re the “majority” with “privilege” who wouldn’t understand the… blah blah blah. Actually, at least in that context, they’re a minority getting treated worse than its majority at risk of damaging affects of discriminatory treatment. This plays out in other contexts like school, work, etc. where non-whites or non-males in the majority positions reinforce themselves at others expense. A general pattern.

                                                                                                                        Far as minority members disagree with, who are the minority members? That’s exactly what I mean. It depends on who you’re talking about in what context. Someone who is a minority member in one environment might be part of the privileged majority in another. The very definitions of who constitutes a minority (absolute vs conditional), what defines racism, who has privilege… these are in dispute across the nation. Many non-white and non-males dispute some of same points, too. So, starting from a specific set of views on it being true with enforcement working from there is already discriminating against all who disagree. They’ve not proven these views with evidence either.

                                                                                                                        Note: You can try to cheat with legal terms that one side or a group of them got in but treating the law as truth or moral is dangerous. Slavery and women not having rights were legal. So, my definitions are about reasonable categories people are in with their numbers or influence compared to groups of other categories.

                                                                                                                        The evidence collected on a global scale indicates that all groups in power reward their own and oppress others. So, if by evidence, this stuff will be conditional with every group monitoring themselves for bias boosting their outgroups when they don’t get a fair shake: not just whites or males being monitored with everyone boosting non-whites or non-males in all scenarios. In this country or in tech scene, the results would mostly be boosting non-whites or non-males to correct existing imbalances just on the numbers alone. No argument there. Yet, other things wouldn’t be taboo or inconsistent with the rules: a mostly black or women organization in mixed area with people in other categories having skills would be said to give more privilege to blacks/women, possibly structurally racist/sexist in hiring if ratios of workers vs supply were really skewed, encouraged to diversify, and activist action taken if they didn’t. Just like such people would do with white or male majority structurally reinforcing their own groups.

                                                                                                                        We don’t see this. Most of the types that push and want to enforce CoC’s frame it as one thing by definition with whites or males on high-privileged/victim-creating side in all situations. That’s dishonest. I’ll take “this happens more often than that” but not “this never happens or we should act like it doesn’t exist.” With that, they can’t eject people for disagreeing with them on what counts as discriminatory language or behavior if it’s something there’s no consensus on by people who otherwise are against a lot of clearly-discriminating behavior. Further, they might be more likely to go with diverse inclusion plus blind evaluation/selection to correct imbalances instead of ignore whites/males much as possible to only focus on everyone else. One is inherently more fair achieving a similar goal.

                                                                                                                        1. 2

                                                                                                                          But don’t you think that being the privileged majority in the society you live in will have more to do with shaping your experience and fortune in the world than being the privileged majority in an online message board or OSS project?

                                                                                                                          1. 3

                                                                                                                            In the spaces I live with, my lack of privilege as a white minority in many contexts has cost me likely mental health, plenty humiliation, confusion, physical beatings, missed dates, missed jobs, missed promotions, and so on. Coworkers locally were just telling me recently about black-run classes singling them out for opposing beliefs. Things they say get an entire room screaming at them to intimidate them into silence on top of whatever penalties teacher might give. More extreme versions of this ideology are going campus to campus all over the place taking on life of their own where students are doing things like holding up signs protesting inferred problems in words or ideas of instructors that are there to help them during class.

                                                                                                                            Again, I”m white male who doesn’t or can’t have such problems in a structural way according to specific groups in the United States despite the evidence of such things happening with non-white or non-male majorities. The forum example was just easier for people to see where you can tell the white male is not in control, is subject to the whims of others, and can be damaged for that. People causing outgroups problems is totally predictable in my model. That’s not the interesting thing. The interesting thing about the forum example is that the people in control who are the majority continue to describe their limited, powerless target in the same terms like powerful and majority. It doesn’t usually change as the circumstances change. It’s usually politics or religion when people’s beliefs or dictated rules don’t change when data flips by 100%.

                                                                                                                            So, it’s not what they say it is or consistent. That’s enough reason to resist it. That following it would damage more innocent whites or males making them suffer as so many of us did is even more reason. You could say what motivates me to write these posts isn’t much different as what motivates those on the other side with personal experiences in racism or sexism to write their posts. It’s not “reverse (ism)” so much as all the same evil to me. Once we see and experience the evils, we have to stop them from continuing in any form they’ll take. Another thing I noticed is we seem to do it for others’ sake more than ourselves as we can’t undo what we experienced. We’ll always be a bit fucked up by it. We can maybe stop someone else from having to experience that, though. I want someone else to be everyone instead of “everyone but whites and males.”

                                                                                                                            As usual, that’s on top of all the non-whites and non-males I care about and try to help. They just get a lot more attention and support than this other cause. Hence it being a focus area you’ll see me on. Plus, having been affected so strongly, that’s a motivational bias of mine on top of it.

                                                                                                                            1. 4

                                                                                                                              @nickpsecurity, that sucks. You’ve been a victim of structural discrimination. Worse, because it’s not a politically sexy or easily visible form, people continually reject your experience. That. Sucks.

                                                                                                                              In the past, if I’d heard your narrative, I’d have dismissed you by thinking something like “this white dude forgets he always has the option to leave, unlike …” But that’s unfair.

                                                                                                                              You’ve been a member of these communities, for years. You’ve been a decent person. You have family, friends, colleagues, social capital, and memories in these communities. To tell you “get up, leave, move on” is to ignore the simple reality that we’re social animals and structural discrimination harms everyone.

                                                                                                                              Thank you for your repeated posts on this point. At the very least, you got through my thick head. Hopefully, in the future, I can be a better person for it.

                                                                                                                              1. 2

                                                                                                                                Damn. That means a lot to me you saying that. I sent a private message not long ago about your comments being interesting as usual on these discussions. More than usual with one comment about you getting beat up for talking white to presumably get ahead whereas I was learning early to talk or act black to attempt inclusion in my environment. It’s because some of what you wrote seems like you might have started in similar circumstances as me going in an opposite direction to find yourself with opposite views. Maybe a stretch to say two sides of same coin but that metaphor popped into my head at least. Then, we end up here in this moment on this forum. A trip, eh?

                                                                                                                                It’s why I fight for flexibility on these topics in these discussions in wherever places I can. It’s painful and costly but the moments I learn from or reach people are worth it to me. I think those moments are critical. Probably gotta get to sleep now as I intended to. I just had to respond to that comment. :)

                                                                                                                                Edit: Oh yeah, sleepy enough I forgot to say Good Night.

                                                                                                                  3. 16

                                                                                                                    demonization of political groups (and to some extent, white men)

                                                                                                                    I’m a white man in tech and I can count the number of times I’ve been demonized on zero fingers.

                                                                                                                    demonization of political groups

                                                                                                                    The dominant political party in this country has in black and white in its party platform a desire to make same-sex marriage illegal (while simultaneously claiming “government overreach” is a bad thing). If hearing that we shouldn’t punish gay people just for being gay makes you uncomfortable, well…it’s supposed to.

                                                                                                                    (That same party has in its platform a denial of anthropogenic climate change, an existential threat to our civilization; the denial of which has zero scientific backing….but no, we can’t tell them that they’re wrong.)

                                                                                                                    More importantly, the stuff I’m talking about above is also banned. You can’t go to a conference and talk about how “Republicans are stupid”. You’d be asked to leave or at least tone it down.

                                                                                                                    The problem is that a lot of people hear “don’t be an asshole” and they think “man when I tell transgender folks they’re stupid and make jokes about gay people I get called an asshole (totally unjustifiably!) and I might get in trouble. Ugh, SJW’s!”

                                                                                                                    Remember when no one on the internet cared what you looked like, believed, or who you loved? I want to go back to that :/

                                                                                                                    I’ve been on the Internet since around 1992. That’s only three years after the very first consumer ISP served its first customer.

                                                                                                                    Was there a large contingent of people who really did believe that? Absolutely, I mean, I was one of them. Were there plenty of racists, sexists, homophobes, and bigots of all stripes? Absolutely. Go look at old Usenet archives from the 80’s and 90’s. Racism, sexism, homophobia abound. There was a long diatribe against same-sex marriage on a Perl newsgroup for some damn reason around 1996; there were plenty of people who chimed in and agreed. Various big names in the early hacker community were famously bigoted (often hiding behind “libertarianism” while simultaneously claiming women and black folks are just inherently inferior and it’s “just science”).

                                                                                                                    The “good old days” are very often viewed through rose-colored glasses. People were people back then too, for all the good and the bad.

                                                                                                                    1. 16

                                                                                                                      Remember when no one on the internet cared what you looked like, believed, or who you loved? I want to go back to that :/

                                                                                                                      This was never true. People on the internet have always cared about who you are in ways that factor these things in. The fact that the (largely white) nerd culture contingent who had a lot of influence on the early internet has decided to tell this utopian story does not make it any more true than stories your grandpa tells about respectful children and walking both ways uphill in the snow.

                                                                                                                      1. 23

                                                                                                                        It’s less that “No one cared what you looked like” and more “Everyone assumed you were a white dude with roughly conformal beliefs, behaviors, and similar.”

                                                                                                                        1. 3

                                                                                                                          There’s no contradiction. Both those things were true.

                                                                                                                      2. 12

                                                                                                                        Remember when no one on the internet cared what you looked like, believed, or who you loved?

                                                                                                                        And look where it got us. Toxic subcultures, huge gender inequality in the workplace, software products that simply don’t work for many groups people… The field was biased towards white male hackers from the very beginning, and “not caring” only increased this bias. No, I don’t want to go back to that, I want to fix it.

                                                                                                                        Updated:

                                                                                                                        Also, “no one one the Internet cared what you looked like” simply because they technically couldn’t: nicknames and plain text don’t divulge much. As soon as we got real names and YouTube it became obvious that the majority of people care very much about how you look like. So a young girl making a guitar cover or an Ubuntu installation walk-through mostly gets “you’re hot” and “nice boobs” comments.

                                                                                                                        1. 16

                                                                                                                          People with privilege have been getting more and more outraged that the world is discriminating against them. They see it as unfair. Yes, it’s discrimination and that sucks. But it’s infuriating when they paint it as unfair, because that implies they’re somehow being disproportionately discriminated against, that the discrimination is unfairly balanced against them. And of course that’s nonsense. These privileged people, intentionally or not, feel they’re entitled to live free from any and all discrimination at the expense of those less privileged.

                                                                                                                          Remove yourself from the politics and think about a simple model instead of race, sex, gender, or orientation. Just group A and group B.

                                                                                                                          • members of group A receive 120 points a day
                                                                                                                          • members of group B receive 80 points a day

                                                                                                                          Members of group A develop a belief system that they are entitled to their 120 points. When some members of group B try to increase their points to 85, and that lowers the group A points to 119, the members of group A become angry. They say the members of group B are being unfair.

                                                                                                                          Group A believes that group B should not take any action that decreases their daily points. Group A compares their loss of 1 point to group B’s initial 40 point deficit, drawing a false equivalency. Some subset of A, group A’ deliberately take points from group B members around them to restore their original 120 points. Group A’ claims this is fair.

                                                                                                                          Group A’ bands together to institutionalize the 40 point difference. Some extreme members of group A’ even try to widen the 40 point difference. Group A’ comes to believe at an institutional level that the 40 point deficit either doesn’t exist, or is somehow natural and fair. Group A’ believes they hold the moral superiority by defending their 120 points.

                                                                                                                          Members of group B continue to try to elevate themselves, but A’ demands that all work done by group B must benefit group A’ equally. A’ considers this fair. Groups A and B focus on elevating group B rather than bickering with group A’ about whether 1 equals 40. Some members of both groups A and B institutionalize polite exclusion of group A’ just to simplify the whole thing, because they’re tired of bickering.

                                                                                                                          A vocal minority demonizes group A’ for their actions. Some members of group A find this demonization troubling. A larger and less vocal group of A and B think group A’ is a bunch of fucking douchebags, and start to actively exclude A’ rather than deal with their asinine bullshit. A surprising amount of group A wonders if this exclusion is fair or reasonable. Group B, and an increasing amount of group A, respond “are you fucking joking my ass what the actual fuck?”


                                                                                                                          If you’re a member of group A, please try to empathize with group B. Next time you feel discriminated against for your group A membership, take a step back and reflect on how you’re feeling in that moment. Try to imagine what it’s like to feel that way every single day of your life, at work, on the street, or in your own home through the media.

                                                                                                                          1. 2

                                                                                                                            But it’s infuriating when they paint it as unfair, because that implies they’re somehow being disproportionately discriminated against

                                                                                                                            I think there is more to this implication than you’re letting on, because it makes assumptions about what “fairness” actually means from the person wielding the term. You’ve assumed one definition, but perhaps someone else has another in mind. As a nominal example, consider this implication in different ethical frameworks (say deontological or Kantian ethics versus utilitarian). Is it true in all of them? Alternatively, do you dismiss ethical frameworks in which it isn’t true as nonsense or intractable? Either way, those are important assumptions to state, because your entire comment appears to rest on them.

                                                                                                                            (I do wholeheartedly agree with your final paragraph, but try my best to perhaps apply it as much as possible, with a healthy dose of perspective taking on all sides. I don’t always succeed!)

                                                                                                                          2. 4

                                                                                                                            I’m glad to see this trend of standing up against poltiical [sic] exclusion in Open Source.

                                                                                                                            Me too, I just wish more people would up and leave, instead of stick around and yell about “reverse discrimination” and such. I’m definitely coming at it from a selfish angle (and concern for my friends,) I’m just really tired of people who “disagree” with us existing, at best, and actively harass us at worst. The only way I can participate in open source is anonymously, which means it’s mostly uncredited work. It’s just not worth the toll it takes on my mental health. Of course, whenever possible, I contribute to projects/communities who show that they are aware of these issues, and are actively doing something about it.

                                                                                                                            Looking forward to the Incorrect, Off-topic, and Troll downvotes.

                                                                                                                            1. 4

                                                                                                                              I think it’s a loss when someone who can write code leaves a OSS project. I also think that discrimination, which you refer to as “reverse discrimination” in certain contexts, is bad, end of story. I don’t want anyone to be discriminated against. “Contribute good code” is all I ask off people looking to work with me. Politics are boringly unproductive towards that goal.

                                                                                                                              1. 4

                                                                                                                                I think it’s a loss when someone who can write code leaves a OSS project.

                                                                                                                                I don’t, if they keep other people away who can also write code. I honestly can’t understand what’s wrong with participating in this, unless you believe (actual) discrimination isn’t real.

                                                                                                                                1. 2

                                                                                                                                  I do believe actual discrimination is real but I think discriminatory internships aren’t the solution as they only lead to problems down the road. It’s great that outreachy is doing it and I believe they honestly think it’s the correct solution but I simply can’t agree on that.

                                                                                                                          1. 2

                                                                                                                            The broken m2eclipse plugin is what did it for me. Years and years have passed and no one has cared to address the issues with it. Just assume some sensible defaults for edge cases, like Intellij does. I hate to think how many hours I spent fighting that one issue in eclipse. It pretty much got me to where I am today though. Command line for everything, ide only when actually editing/debugging Java code. Million times more productive than fighting ide’s.

                                                                                                                            1. 1

                                                                                                                              What are you talking about? I use m2eclipse all the time, it works great.

                                                                                                                              1. 1

                                                                                                                                I struggled with m2eclipse for a long time. Presently it’s working, but I’m not using a system-wide maven.

                                                                                                                                1. 1

                                                                                                                                  That’s one setting to switch between embedded maven and system maven. But both work, so shrug.

                                                                                                                            1. 8

                                                                                                                              The act of powering up a computer, waiting for it to boot, doing some work, and then waiting for it to shut down gracefully is a barbaric ritual from ancient times. In 2018, we’re all modern and hip and just want to open up the laptop lid and get to work. Unfortunately this is easier said than done and as such it really only works reliably with the right combination of supported hardware. And even then, bugs in various layers of the OS can cause it to suddenly stop working consistently after an OS update.

                                                                                                                              This is one of the things keeping me on MacOS. The laptops are expensive for what they are, but the Just Works factor is pretty high.

                                                                                                                              1. 10

                                                                                                                                This is one of the things keeping me on MacOS. The laptops are expensive for what they are, but the Just Works factor is pretty high.

                                                                                                                                Have you found that to still be the case with recent models and OS revisions? That’s also the reason I’m on macOS, but it’s gotten less true for me over the past 3-4 years. The worst is that sleep/hibernate no longer seems to work reliably, and it happens on two completely different devices, a MacBook Pro (2016 model) and a MacBook Air (2014 model). About once a month, one will fail to properly wake from sleep when opening the case. Sometimes it fails to wake entirely; sometimes it seemingly wakes but won’t turn the backlight on (in the 2nd case it sometimes flashes on briefly). Usually this ends up requiring a hard powercycle to fix. Googling suggests I’m not alone, and there’s a whole pile of cargo-cart suggestions for fixing it (NVRAM resets and such). That’s by far the worst issue, but there’s a bunch of software-side stuff seemingly getting more flaky too (especially the App Store app, which sometimes requires a reboot to convince the Updates tab to load).

                                                                                                                                In 10 years of using PowerBook and MacBook laptops 2004–14 I never had that kind of basic functionality fail to work flawlessly, and I would’ve completely agreed with you back then, which is why I kept buying them.

                                                                                                                                1. 6

                                                                                                                                  I can confirm your experience - I sometimes have the issue with waking from sleep, and regularly see the OS freezing for extended periods of time (I do have a lot of applications open, but come on, it’s 2018). The quality of software has been declining over the last 4 years. Unfortunately, I still don’t see any better alternative.

                                                                                                                                  1. 3

                                                                                                                                    I am sorry, are you talking about your actual computer or was this a metaphor about human condition?

                                                                                                                                    1. 2

                                                                                                                                      Haha, it’s true, we’re all sleepwalking through life most of the time.

                                                                                                                                2. 6

                                                                                                                                  Get a Thinkpad.

                                                                                                                                  1. 4

                                                                                                                                    The laptops are expensive for what they are, but the Just Works factor is pretty high.

                                                                                                                                    So, not really expensive for what they are, given that apparently no others do what they do, reliably?

                                                                                                                                    1. 2

                                                                                                                                      I wasn’t clear that I was referring primarily to the hardware - Windows 10 laptops with better specs (especially the GPU) and comparable build quality can be significantly cheaper than a new Macbook Pro.

                                                                                                                                      1. 1

                                                                                                                                        It’s the Apple Tax: “In the end, we found each Apple machine to cost more than a similarly equipped PC counterpart, with the baseline Mac Pro being the exception. Usually the delta is around $50 to $150…”

                                                                                                                                        1. 2

                                                                                                                                          So firstly, that’s an article from 8 years ago, that also highlights Apple machines having longer battery life, better resistance to malware, and use higher quality materials.

                                                                                                                                          Secondly, the thread is about a feature that works quite reliably on Apple computers, but very poorly on generic PC’s running Linux.

                                                                                                                                          So, if you want to call “better, more reliable features” a TAX, then we have to agree to label any product anywhere that is objectively better than it’s competitors, and has a higher price, “Includes CompanyName TAX”

                                                                                                                                          Got a HP laptop that works faster than a piece of shit Chromebook? Must be a HP Tax.

                                                                                                                                          Got a BMW that has more comfortable seats than a Camry? Must be a BMW Tax.

                                                                                                                                          1. 3

                                                                                                                                            Any time a person ever gave me a set of Mac specs I was able to find a cheaper Windows machine that could do the same with hardware that works well. It’s not shocking at all to me given Apple’s marketing strategy of going for high margins. They’re currently one of the most profitable companies in the world with that strategy. Whereas, most of the other vendors became something more like commodities competing so hard on things like price. Your strawman comparisons don’t change that.

                                                                                                                                            1. 4

                                                                                                                                              And any time a person ever said to me “I found this non-Apple machine with the same features/specs” they conveniently leave out features that they personally don’t place value on.

                                                                                                                                              We can trade anecdotal stories all day, but the article you linked to, doesn’t really support your argument the way you seem to think it does.

                                                                                                                                              1. 2

                                                                                                                                                Yup. Buying a product purely on paper specs instead of including things like build quality seems foolish.

                                                                                                                                                Macs aren’t that expensive anyways when you compare them to machines in the same class, like ThinkPads, Surfaces, XPSes, Latitudes, etc.

                                                                                                                                      2. 2

                                                                                                                                        The thing keeping me on macOS is being able to use Control and Alt for emacs style shortcuts for editing text anywhere (like my browser’s URL bar) because all the system keyboard shortcuts use the Command key.

                                                                                                                                        https://jblevins.org/log/kbd

                                                                                                                                        1. 2

                                                                                                                                          Same. Apple can’t be beaten there in the current ecosystem. It just won’t happen. Unless Red Hat acquires a hardware vendor and builds a HatBook, there’s no chance. And they won’t do that because it’s not profitable enough.

                                                                                                                                          1. 6

                                                                                                                                            This is basically the idea behind Librem laptops.

                                                                                                                                            1. 7

                                                                                                                                              If only they had gigantic truckloads of money.

                                                                                                                                              1. 6

                                                                                                                                                Only way to make that happen is to vote with our wallets. :)

                                                                                                                                              2. 1

                                                                                                                                                I like the idea of librem, but unfortunately I cant see myself buying a laptop without a trackpoint…

                                                                                                                                              3. 2

                                                                                                                                                There are some nice vendors where this Just Works. I use system76. Dell xps developer laptops are also great linux laptops.

                                                                                                                                                1. 2

                                                                                                                                                  As a very happy Surface Book user, I’d argue you’ve forgotten about the other OS vendor.

                                                                                                                                                  1. 1

                                                                                                                                                    I’ve had this working on a de-chromed chomebook and xubuntu for a long time, the key is using not too new hardware maybe?

                                                                                                                                                    1. 1

                                                                                                                                                      That’s definitely the key. And while I’m glad you have a setup you’re happy with and have no doubt it works for you, I doubt it works for everyone, or even a majority.

                                                                                                                                                1. 3

                                                                                                                                                  Here’s the catch: I formally proved all three functions are correct. You have to do the same. And by “formally prove”, I mean “if there are any bugs it will not compile”. Informal arguments don’t count. Quickcheck doesn’t count. Partial proofs (“it typechecks”) don’t count.

                                                                                                                                                  I’ve never really understood the distinction being drawn here. If I want to prove that e.g. the sum of two even naturals is always even, and I write something like:

                                                                                                                                                  // definitions
                                                                                                                                                  trait Nat
                                                                                                                                                  trait Eq[A <: Nat, B <: Nat]
                                                                                                                                                  trait Sum[A <: Nat, B <: Nat] {
                                                                                                                                                    type AB <: Nat
                                                                                                                                                  }
                                                                                                                                                  object Sum {
                                                                                                                                                    type Witness[A <: Nat, B <: Nat, AB0 <: Nat] = Sum[A, B] { type AB = AB0 }
                                                                                                                                                    def apply[A <: Nat, B <: Nat]: Sum[A, B] = ??? // could be implemented inductively if need be
                                                                                                                                                  }
                                                                                                                                                  trait Product[A <: Nat, B <: Nat] {
                                                                                                                                                    type AB <: Nat
                                                                                                                                                  }
                                                                                                                                                  object Product {
                                                                                                                                                    type Witness[A <: Nat, B <: Nat, AB0 <: Nat] = Product[A, B] { type AB = AB0 }
                                                                                                                                                  }
                                                                                                                                                  trait _2 extends Nat
                                                                                                                                                  trait Even[N <: Nat]{
                                                                                                                                                    type M <: Nat
                                                                                                                                                    val witness: Product.Witness[_2, M, N]
                                                                                                                                                  }
                                                                                                                                                  // axioms
                                                                                                                                                  def additionDistributive[A, B, C, AB, AC](witnessAB: Product.Witness[A, B, AB], witnessAC: Product.Witness[A, C, AC], sum: Sum[B, C], sumA: Sum[AB, AC]): Product.Witness[A, sum.AB, sumA.AB] = ??? //could be implemented inductively
                                                                                                                                                  // proof
                                                                                                                                                  def evenAPlusB[A <: Nat, B <: Nat, AB <: Nat](evenA: Even[A], evenB: Even[B], aPlusB: Sum.Witness[A, B, AB]): Even[AB] = new Even[AB] {
                                                                                                                                                       val sum = Sum[evenA.M, evenB.M]
                                                                                                                                                       type M = sum.AB
                                                                                                                                                       val witness = additionDistributive(evenA.witness, evenB.witness, sum, aPlusB)
                                                                                                                                                    }
                                                                                                                                                  

                                                                                                                                                  and say “it typechecks”, how is that different from a formal proof (indeed better, since if my proof is invalid in the sense of not following the rules for proofs, it won’t compile)? Of course there could be errors in my encoding of my axioms as function signatures, but that seems equally true for any form of formal proof.

                                                                                                                                                  1. 5

                                                                                                                                                    Encoding proofs in type systems is totally valid. I added that because some people I was arguing with claimed that it typechecks always counts as a full specification of the behavior even though that’s clearly not true for most types of most functions. As I cover later in the article, several people did solve these problems via type systems.

                                                                                                                                                    Also, as covered by the article, all of the proofs, regardless of style, prevented compilation if incorrect.

                                                                                                                                                    1. 4

                                                                                                                                                      Also, as covered by the article, all of the proofs, regardless of style, prevented compilation if incorrect.

                                                                                                                                                      Well, they prevented compilation if the proof was invalid as a proof. They didn’t prevent compilation if the premises / claims were incorrect. You say in the article this became an actual issue in terms of the specification of unique.

                                                                                                                                                      Any typechecked program (in a language fragment where we disallow casts, unbounded recursion etc.) is a proof; the extent to which it is a proof that your proposition follows from your premises is the extent to which your types accurately encode that proposition and premises. So if I build (for example) a SortedList type whose constructors only allow it to be instantiated in ways that guarantee that it is sorted, then I’d argue that a function that returns a SortedList is formally proven to return a sorted list. Of course it’s completely possible for me to make a mistake and accidentally write a constructor that allows me to construct a SortedList that isn’t sorted - but this seems to be in the same category of errors as making a mistake in your formal specification of “sorted”.

                                                                                                                                                      Given that the article is trying to generalise a measure of how expensive/effective different verification techniques are from small examples, it’s really important to define clear and consistent criteria for the “boundary conditions” of what constitutes verification, as any difference in those will swamp the effect you’re trying to measure. Concretely I’d say you need a defined line between the parts where mistakes could lead to a program that produces incorrect output in some cases and the parts where no such mistakes are possible, and then a rule about what kind of statements a given entrant may include in the former (the premises/TCB/…). For the imperative-analysis style where you draw a sharp distinction between a program and its proof that line is obvious, but for other approaches it isn’t necessarily so, and differing interpretations can easily lead to applying a double standard to those approaches.

                                                                                                                                                  1. 5
                                                                                                                                                    1. Because all product decision authority rests with the “Product Owner”, Scrum disallows engineers from making any product decisions and reduces them to grovelling to product management for any level of inclusion in product direction.

                                                                                                                                                    i.e. the product has a clear owner, and you build the thing that customers want rather than the thing that engineers want.

                                                                                                                                                    2-3,9, most of 11: true, and these things result in better software.

                                                                                                                                                    This lack of ownership results in: Poor design Lack of motivation (“It isn’t my thing”, “It was broken when I start working on it”)

                                                                                                                                                    That’s the opposite of my experience. Lack of ownership means I don’t need anyone’s permission to improve code I’m working on, and means the design can be evolved by the people actually working on it, leading to better design.

                                                                                                                                                    5-7, 14: not my experience.

                                                                                                                                                    8, 12: don’t do that then.

                                                                                                                                                    Do managers or Product Owners track and estimate every task they engage in

                                                                                                                                                    Track and estimate tasks? No, because those are reactive positions - QA folk or people on support duties this week don’t estimate either. The point of estimating is to be able to make prioritisation decisions, so it only really applies when there’s a

                                                                                                                                                    with little or no say in what they work on?

                                                                                                                                                    Yes? Managers and owners are expected to solve everything people bring to them, they don’t get any chocie.

                                                                                                                                                    Are they required to present burn down charts that show that they are on target to finish?

                                                                                                                                                    No, nor are developers.

                                                                                                                                                    Are they required to do bi-weekly sell-off meeting to justify their activities?

                                                                                                                                                    No, again like QA or support people.

                                                                                                                                                    13, 14: no actual argument to justify those claims, not my experience.

                                                                                                                                                    1. Scrum ignores the fact that any task that has been done before in software does not need to be redone because it can be easily copied and reused. So, by definition, new software tasks are truly new territory and therefore very hard to estimate.

                                                                                                                                                    Disagree. Scrum does everything reasonably possible to acknowledge that estimation is hard: estimating in officially meaningless points, daily standups to give you an assessment point to realise if a task is diverging from its estimate and reasses if need be. At the same time, ultimately you do want some way to have engineering estimates feed into task prioritization decisions - you need some minimal level of estimation to be able to make the “do I do task A or task B or task C this week” decision. Scrum accomplishes that better than anything else I’ve seen.

                                                                                                                                                    1. 6

                                                                                                                                                      i.e. the product has a clear owner, and you build the thing that customers want rather than the thing that engineers want.

                                                                                                                                                      It’s amazing to me how much bellyaching I hear over this. At $DAYJOB I have people coming to me all the time trying to figure out how to get their priorities done vs what the product owners want …why do you have priorities? Are you paid to build a product or to play with your toys?

                                                                                                                                                      1. 3

                                                                                                                                                        Maybe… don’t look at your colleagues like children who don’t want to do work and would rather play with their toys. Maybe look at them like adults who are invested in the product in their own way. Maybe you’d understand them better then.

                                                                                                                                                      2. 5

                                                                                                                                                        Disagree. Scrum does everything reasonably possible to acknowledge that estimation is hard: estimating in officially meaningless points

                                                                                                                                                        In theory this is true. In practice every single time I’ve seen or used scrum the points have devolved into a meaningful value instead. You can shout as loudly as you want that this is not doing scrum right but human nature says that doesn’t matter. We will inevitably assign a real metric to the points before too many sprints happen. We’ll treat them as time to ship, an estimate of effort required, complexity of problem. It’s pretty much inescapable that this will happen.

                                                                                                                                                        1. 1

                                                                                                                                                          I don’t disagree as such. The way I look at it is: given that we want to feed some level of engineering cost estimate into the planning process, what’s the cheapest/least damaging form of estimation we can do that will suffice for making prioritisation decisions?

                                                                                                                                                          From this perspective points are a small, incremental improvement over estimating in terms of e.g. programmer-days: they blunt some of the sting of “I only got 2 days’ worth of work done this week”, they make it a little less awkward that Bob gets 25% more done than Jim. They make it a little harder for a manager to breathe down your neck with “you estimated this as 3 days, it’s now 4 days since you started, why isn’t it done?”

                                                                                                                                                          They’re not infallible on any of these aspects, but they’re a little better than using a “real” metric directly. The fact that they’re officially meaningless give you a tool to push back with if people start to misuse them.

                                                                                                                                                          1. 1

                                                                                                                                                            They make it a little harder for a manager to breathe down your neck with “you estimated this as 3 days, it’s now 4 days since you started, why isn’t it done?”

                                                                                                                                                            This sound funny to me, because I’m pretty good at estimating long and complex tasks.

                                                                                                                                                            My average error is around 2%, but the bigger the task the more precise is the estimate.
                                                                                                                                                            It’s not magic, it’s just that for bigger tasks managers give me more time to explore the matter. And I’m talking about project that requires small (3-7) to medium (10-20) sized teams.

                                                                                                                                                            What’s funny?

                                                                                                                                                            Most of managers (that is all non technical ones, except one) prefer a small estimate than a precise one.
                                                                                                                                                            They fight back a lot. My usual answer is: “Why did you asked me? Write the numbers you like!”

                                                                                                                                                            In one case, some years ago, one did. Guess what happened?

                                                                                                                                                            1. 1

                                                                                                                                                              My average error is around 2%, but the bigger the task the more precise is the estimate. It’s not magic, it’s just that for bigger tasks managers give me more time to explore the matter.

                                                                                                                                                              Either there’s some “magic” you’re not mentioning, or you’re working in a very strange field for software. As the article puts it:

                                                                                                                                                              any task that has been done before in software does not need to be redone because it can be easily copied and reused. So, by definition, new software tasks are truly new territory and therefore very hard to estimate.

                                                                                                                                                              Certainly I’ve watched teams put a lot of time and effort into “exploring” and estimating, and come up with numbers that turned out to be orders of magnitude out. So it’s not as simple for ordinary programmers as just “spend some time on it”.

                                                                                                                                                              1. 1

                                                                                                                                                                No magic, really.

                                                                                                                                                                You just need twenty years of experience in a lot of different projects (with several different stacks), good tools (that I design for my own team) and enough informations.

                                                                                                                                                                The only “strange” thing is that we work for big banks.

                                                                                                                                                                1. 1

                                                                                                                                                                  Well, bully for you, but most working programmers don’t have twenty years of experience, and in most fields you never have “enough” information. (I’m not surprised that projects in big banks would be unusually predictable, but that doesn’t help the rest of us).

                                                                                                                                                      1. 3

                                                                                                                                                        For me personally, usage of Scrum on a project is a red flag, and I will try to avoid the project if I can. The existence of worse modes of work (which I also avoid) only constitutes an argument in favor of Scrum if they actually are the only alternatives.

                                                                                                                                                        To elaborate - from my perspective, Scrum feels

                                                                                                                                                        • disrespectful toward developers
                                                                                                                                                        • like a waste of time in terms of personal development and
                                                                                                                                                        • a step away from impact & responsibility
                                                                                                                                                        • overhead that makes me slower and less motivated

                                                                                                                                                        Perhaps that’s all a result of “doing it wrong”. For communication purposes, however, Scrum-the-formally-defined-process is much less relevant than Scrum-as-it-is-implemented. For me, the term is already tainted enough that I would actively avoid associating myself with it in any way.

                                                                                                                                                        1. 1

                                                                                                                                                          FWIW: my experience of Scrum-as-implemented has been very positive.

                                                                                                                                                          I don’t really get the “disrespect” narrative; for me the most fulfilling thing, the thing that makes me feel impact and responsibility, and the best for my “personal development” (to the extent that I understand the concept at all) is to have contact with a customer that I’m solving problems for.

                                                                                                                                                          Scrum has struck the best balance I’ve found between overhead and effectiveness; the overhead is not zero but it’s less than any other formal process I’ve seen applied unless we count Kanban (which is essentially Scrum without the iterations, and I found lead to endless indefinitely-scoped “do the thing” tasks where it was easy to get lost doing nothing useful). “No process” is of course the lowest overhead but I find it unpleasant to work under: much more of a blame game when things go wrong and something isn’t done, and too easy to end up building something useless.

                                                                                                                                                        1. 4

                                                                                                                                                          It’s funny how for many years people hated on checked exceptions as the worst mistake every – and now they’re back as Result types.

                                                                                                                                                          I just wish this realization had come sooner, as now too many languages don’t have support for either.

                                                                                                                                                          1. 26

                                                                                                                                                            I think checked-exceptions as implemented in Java had a number of flaws that Rust’s corrects:

                                                                                                                                                            • They don’t cover common exceptions, most notably NullPointerException, contributing to a feeling that they don’t add a lot of value.
                                                                                                                                                            • Suppressing a “can never occur” exception was verbose, e.g. UnsupportedEncodingException on "utf-8". The Java spec says UTF-8 must be available, but you have to write the handful of lines of code to catch UnsupportedEncodingException anyways! In Rust the equivalent situation is handled with .unwrap() or .expect("..."), much less verbose.
                                                                                                                                                            • If you have a function that can have multiple error conditions: say, a function that makes an HTTP request and parses a JSON response, you’ve got (at least) 3 categories of error: HTTP errors (e.g. a 404), JSON parse errors, and network IO errors. In Rust the convention would be to wrap those into an enum with three variants, and there’s a bunch of ergonomic tools for taking a Result and wrapping it into the correct one. In Java convention seems to be declaring that every function raises three different exception types, adding verbosity at every call definition.
                                                                                                                                                            1. 1

                                                                                                                                                              I agree. It just saddens me that Kotlin makes all exceptions unchecked, even those coming from Java, instead of automatically wrapping the Java code in Result<T, E>.

                                                                                                                                                              There’s a lot of things Rust does right that no JVM language currently does well.

                                                                                                                                                              1. 1

                                                                                                                                                                There’s a lot of things Rust does right that no JVM language currently does well.

                                                                                                                                                                Such as? Scala is very Rust-like; it doesn’t do linear typing but that wouldn’t help you much on the JVM anyway.

                                                                                                                                                            2. 8

                                                                                                                                                              At least Rust has unwrap, when you know that errors should not happen if code is correct, or for initial rough code. Java’s checked exceptions are frustrating just because there’s no short syntax for re-raising as unchecked exception (and preserving stacktrace, some IDEs even add code that prints stacktrace to stderr in such unwrap-like handlers).

                                                                                                                                                              1. 6

                                                                                                                                                                I hated checked exceptions right up until I tried to write some software that had to be more reliable than a http worker that got restarted every request.

                                                                                                                                                                Turns out that when I write to a file I really want to know exactly what can go wrong.

                                                                                                                                                                1. 4

                                                                                                                                                                  My only experience with checked exceptions was java, and that sucked… But inferred+merged checked exceptions could be cool. Any languages have that?

                                                                                                                                                                  1. 3

                                                                                                                                                                    If you use ExceptT in Haskell with a polymorphic error type you’ll get this.

                                                                                                                                                                    1. 3

                                                                                                                                                                      Yes, Ocaml has it with Polymorphic variants + result monad. The one current downside is the error messages can be less than ideal.

                                                                                                                                                                      A few blog posts describing it:

                                                                                                                                                                      http://functional-orbitz.blogspot.se/2013/01/introduction-to-resultt-vs-exceptions.html

                                                                                                                                                                      http://functional-orbitz.blogspot.se/2013/01/experiences-using-resultt-vs-exceptions.html

                                                                                                                                                                    2. 4

                                                                                                                                                                      The difference is that results are plain old values that fit in the normal type system. You can call a higher-order function with a function that returns a result and it will just work. Checked exceptions were indeed a terrible mistake, not because they force you to handle errors, but because they were a secondary type system that didn’t interoperate properly with the primary type system.

                                                                                                                                                                      (People who are proposing effect systems should take note)

                                                                                                                                                                      1. 1

                                                                                                                                                                        Sure, but the solution would have been to wrap checked exceptions in a Result type for interop, not, like kotlin does today, to just swallow all of them.

                                                                                                                                                                        1. 2

                                                                                                                                                                          the solution would have been to wrap checked exceptions in a Result type for interop

                                                                                                                                                                          There are a couple of problems with that - performing a JVM catch at every interop boundary is inherently inefficient, and exceptions don’t quite have the nice monadic composition you’d expect from results.