1. 1

    They’re both interesting, but until some new(er) tool can match the ecosystem around Terraform when it comes to providers and modules it will be really hard to replace it.

    I know Pulumi is creating a registry, and they support cross-language usage (for example, use a project written in TypeScript in your Python stack).

    1. 1

      I think Pulumi has a bridge for Terraform providers.

    1. 4

      I tried out Nomad but getting a shell on a job is an Enterprise feature? Seems over aggressive in terms of pricing.

      1. 2

        No?

        nomad alloc exec <allocation-id> bash

        gives you a shell in one allocation of a job.

        1. 2

          Just tried again, works! My bad. Think I was a victim of https://github.com/hashicorp/nomad/issues/4567

          Still only works sometimes…

              2021-03-01T14:53:37.401Z [ERROR] http: request failed: method=GET path=/v1/client/allocation/bc06ab17-9271-3bfd-cbbd-97c992252d7e/exec?task=redis&tty=true&ws_handshake=true&command=%5B%22%2Fbin%2Fbash%22%5D error="websocket: close 1006 (abnormal closure): unexpected EOF" code=500
              2021-03-01T14:54:05.571Z [ERROR] http: request failed: method=GET path=/v1/client/allocation/bc06ab17-9271-3bfd-cbbd-97c992252d7e/exec?task=redis&tty=true&ws_handshake=true&command=%5B%22%2Fbin%2Fbash%22%5D error="websocket: close 1006 (abnormal closure): unexpected EOF" code=500
          
          1. 1

            oh, well I stand corrected. good to know :)

          2. 1

            I tried “exec” from the UI - is that not the same?

          3. 1

            Ah, yes, product tiering!

          1. 9

            Nomad is cool, because it may work with technologies other than Docker containers. For example, Nomad can be used to orchestrate FreeBSD jails: https://papers.freebsd.org/2020/fosdem/pizzamig-orchestrating_jails_with_nomad_and_pot/

            1. 3

              And its exec command is isolated with a chroot, which makes it super useful when migrating non-containerised workloads too.

              1. 2

                Anyone got any experience with that? Seems like a nice way to run plain binaries without having to use docker images (For example when the binaries are compiled with Go).

                1. 4

                  I used the java one and the exec ones. It worked great, especially if you don’t require any special libraries already in the system.

                  1. 3

                    We’ve been using the java driver in production for over 2 years now, we also use the exec driver for smaller tools, basically shell scripts to backup the consul and nomad database.

                    1. 2

                      I’ve used the exec in presentation demos, where I am running a cluster of nomad VMs, and I have a directory mounted to the host with the apps to run.

                      I could of course host a docker registry in the host, but it’s not worth the hassle; I’d rather have simpler demos with less to go wrong!

                1. 2

                  • We just moved to a new apartment so on our list is unpacking and getting things in order.
                  • My youngest child is turning two so we’re having a small celebration with family and close friends.
                  • I’m starting work again on Monday, so Sunday will be spent preparing the home office at least a little bit.

                  1. 2

                    For work we just use ids generated by AWS. For home we use characters from Norse mythology.

                    1. 3

                      My company has always been highly dependent on the Amazon ecosystem. When we made the move to a microservice architecture three years ago, we opted for Amazon ECS as it was the simplest way to achieve container orchestration.

                      With new business constraints, we have to migrate from Amazon to a different cloud provider, breaking away from the Amazon ecosystem, including ECS. We are still a relatively small company and cannot afford to spend months on the infrastructure instead of focusing on delivering on the business front.

                      Articles such as this one are a good reminder that Kubernetes is still not an easy solution to implement, and some of the comments confirm my assumption that upgrading and maintaining a Kubernetes cluster can be challenging. It’s a tough call since it’s also the most popular technology around, which helps with recruitment. The absolute certainty is that we no longer want to be tied to a cloud provider, and will choose a technology that allows us to move more freely between providers (no coupling is nothing else than a dream).

                      1. 5

                        I’d recommend checking out Hashicorp Nomad[0]. It’s operationally simple and easy to get your head around for the most part. A past issue of the FreeBSD Journal had an article on it [1].

                        0: https://nomadproject.io/

                        1: https://www.freebsdfoundation.org/past-issues/containerization/

                        1. 2

                          I love Hashicorp. I’ve yet to encounter a product of theirs that didn’t spark joy.

                          1. 2

                            I’ve talked to more teams switching away from Nomad to Kubernetes than I have talked to people using Nomad or considering Nomad. A common Nomad complaint I hear is that support and maintenance is very limited.

                            I’m interested to hear any experience reports on the product that suggest otherwise - My team runs on Beanstalk right now, but I miss the flexibility of a more dynamic environment.

                            1. 1

                              I assume if you are willing to pay the $$$$$$$$$‘s for the Enterprise version, the support is fabulous. If it’s not, one is definitely getting ripped off. I have no experience with the enterprise versions of any of Hashicorp’s products, we can’t afford it. We also don’t need it. We went in knowing we would never buy the enterprise version.

                              We haven’t had any issues getting stuff merged upstream that makes sense, and/or getting actual issues fixed, but we’ve been running nomad now for years, and I don’t even remember the last time I had to open an issue or PR, so it’s possible things have changed in that regard.

                            2. 1

                              It is indeed one of the alternatives that we have been looking at. My only concerns about Nomad (and Hashicorp products in general) are the additional cost once you use the enterprise features, the smaller candidates pool (everyone is excited about Kubernetes these days), and the absence of load balancing.

                              1. 2

                                Both Traefik and Fabio work as an ingress load balancer on the (nomad) cluster. We use the Spring Cloud Gateway as our ingress.

                                For service to service communication you can run Consul (we do this).

                                1. 1

                                  Seconding fabio as an incredibly simple automatic ingress, and consul service discovery (-> connect+envoy) for service to service. There’s a nice guide as well: https://learn.hashicorp.com/nomad/load-balancing/fabio . I’d consider nomad incomplete without consul and vault, but I’d also say the same (particularly vault is irreplaceable) for k8s.

                                  As for hiring – hire the k8s candidates. They’re both omega schedulers so the core scheduling concepts and job constructs (pod <-> alloc, etc) translate well, and I’d wager for some k8s veterans not having to deal with a balkanized ecosystem and scheduler wordpress plugins (CRDs/operators) would be seen as features.

                                  docker itself is by far the weakest link for us, but nomad also offers flexibility there.

                                2. 1

                                  My suggestion is just make sure you don’t need the enterprise features :) You can get very far without the enterprise $$$$ expense, that’s what we do. But agreed, the Enterprise version for any of the Hashicorp things are very very expensive.

                                  Load balancing is easily solved as others have said. We use HAProxy and it lives outside of the nomad cluster.

                                  Agreed, everyone is all excited by k8s, because everything that comes out of Google (if only the design) must be perfect for your non-google sized businesses. Let’s face it, the chances of any of us growing to the size of Google is basically trending towards zero, so why optimize prematurely for that?

                                  The upside for the candidate pool being “smaller” is you can read through the Nomad docs in an hour or so, and have a pretty good idea of how everything works and ties together, and can be productive, even as a sysadmin type role, pretty quickly. IME one can’t begin to understand how k8s works in an hour.

                            1. 2

                              We use Hashicorp Nomad (together with Consul and Vault) and deploy java jar files on it.

                              The deployment is triggered by a successful build for our staging environment and for production we go into our build tool and press the deploy button, all job specifications are in their own repository now, but the plan is to have a directory called deploy in each service/application repository with their job specification in them and let the backend developers manage that themselves.

                              We rotate all machines at least once a month as a way to patch and upgrade the machines and only a handful of people have direct access to them over ssh. This sort of forces us to make sure all relevant configuration is committed and pushed in our packer repo.

                              All configuration including secrets are managed in Vault, to change something we either wait for a new deploy or restart the service, as we deploy to production at least once a day this is seldom a problem.

                              1. 14

                                I don’t think I could delete code that was doing good, even if it was being used to harm.

                                1. 13

                                  Cars, video cameras, chef knives, toilets (kids put other kids’ heads in them), products containing water in general, products containing electricity that can be used accidentally/offensively, any tool for communication that can carry hate speech, any tool for computation that can execute evil plans (eg IBM doing logistics for Holocaust)… the list goes on and on.

                                  I’m with you. The techs are usually purpose-neutral. That someone bad uses it is rarely a reason to avoid creating it for the good it can do. I say rarely because mass surveillance, land mines, and nukes all made my list of exceptions. They seem to always do more harm than good. Better to not be invented or at least super-regulated.

                                  1. 21

                                    IBM doing logistics for Holocaust

                                    The tech wasn’t the issue and it was never claimed to be. It was IBM structuring its relationship with the Nazis so that it would be undetected. Not sure why you would use that as an example.

                                    1. 2

                                      It was argued at one point that it would be hard for them to pull the logistics off the way they wanted to without support of computers. They loved processes and records. The computers with customized punch cards helped them imprison and execute people more efficiently. Not giving them computers might have reduced harm to their victims or increased problems for the Nazis to some degree.

                                      My examples, though, were a response to the original comment which was tech (“code”) that could be used for evil purposes. Everything in my comment was tech that was used for evil purposes at some point. Also, stuff we’d likely want to keep anyway. That was my point.

                                    2. 5

                                      “Cars, video cameras, chef knives”, etc are broad categories. This is not a case of someone saying “don’t use computers, because some people use them for bad things”, it’s “this specific product provides value to a particular company that is doing business with someone I find reprehensible”.

                                      1. 2

                                        That’s a specific instantiation of the general class of things I just described. Each thing is something that people have or regularly use to harm others. Sometimes themselves. Yet, we as a society choose to keep them around for the good they do and not internalize evils others use them for.

                                        1. 3

                                          To be more clear, the comparison you make is a specious one – a specific tool being taken down is not at all like banning cars, video cameras, or knives. The things you list are commodities that have more than one use. This is about a particular tool that makes working with one particular other tool easy. Even talking about banning a specific knife or whatever is different, because knives are a more-or-less fungible commodity; this software is not.

                                          1. 1

                                            It’s stopping the sale of Corvettes because someone used one to run down a kid.

                                            1. 1

                                              It’s not, but you people seem determined to not understand that. If you want to make an analogy to cars, maybe it would be like someone pulling their Corvette bodykit off the market because Corvette had a giant contract to supply to [some organization that would be objectionable enough for you].

                                              In any case, like Upton Sinclair said, “It is difficult to get a man to understand something, when his salary depends on his not understanding it”, so feel free to ignore this & let your cognitive dissonance tell you I’m just a troll.

                                      2. 5

                                        Agreeing with animatronic… IBM sold counting machines (the holorinth?) to Germans under a subsidiary. That’s like selling Dells to ISIS.

                                        1. 5

                                          Nope. Common misconception. Back then, computers were extremely expensive, hard to operate, and low volume. IBM regularly got close to institutions trying to sell them computers. They cut many scheming deals. The guy I originally watched on this stuff had dug up the contract for the sale. It was with the New York part of IBM, not Germany. They also custom made and sold the punch cards that Nazis used for their operation. Probably sent people to service the machines, too. Memory getting fuzzy at that point.

                                          Plus, I don’t usually sit at the table with dictators before telling folks they were a random customer. I owned a Dell but never hung with Dell. ;)

                                      3. 6

                                        What’s worse, it’s not inconceivable that in a similar situation some well-meaning sabotage (because, let’s be honest–that’s what this is, sabotage) could result in, say, the loss of data records delaying or outright preventing the timely release of people from the camps.

                                        Techies taking the law into their own hands by committing acts of sabotage of this nature are almost assuredly unable to prevent collateral damage.

                                        1. 11

                                          Techies taking the law into their own hands by committing acts of sabotage of this nature are almost assuredly unable to prevent collateral damage.

                                          It was his code, under his name, how is deleting your own copyrighted code from the internet “taking the law into their own hands”?

                                          1. 15

                                            It wasn’t sabotage in any form, it was protest. They knew full well it would get restored and the license allows it to be used for any purpose.

                                            1. 3
                                              sabotage (ˈsæbəˌtɑːʒ)
                                              n
                                              1. the deliberate destruction, disruption, or damage of equipment, a public service, etc, as by enemy agents, dissatisfied employees, etc
                                              2. any similar action or behaviour
                                              

                                              Sabotage is a form of protest. I’m not even arguing that they’re wrong to be angry–nobody should want kids in camps.

                                              My point is that techies deciding to do actions like this both can’t guarantee the exact impacts of those outcomes and seldom seem to reflect on that point. Everybody cries foul about us making policy with ML/AI…this is not so far afield.

                                              1. 11

                                                I’d love if we could have this discussion face to face as a group. These kinds of conversations are really really hard online. It’s difficult for everyone not to come across as snarky, pedantic, trite, glib, etc. I struggle with giving others the necessary charity. I do strive to use a tone and form of argument that I would use if I were standing in front of the person. I was in debate, that form of rhetoric is about winning, not about using logic to arrive at the best decisions.

                                                We both know what sabotage is, and this case, deleting the code was protest and not sabotage. Sabotage would be introducing bugs or special cases to actively hurt ICE. Pasting a definition doesn’t make your point stronger.

                                                Of course you can’t guarantee impacts, that is a truism, we can’t even guarantee the code we write has the intended outcome. Putting that requirement on someone before they protest is a hugely imbalanced burden that we apply nowhere else. I would love it if humanity used science and formal methods to fully understand the impact of our designs and decisions, but we still operate in an open-loop where we react to the problems we cause. No technology is neutral, with every advantage also comes with it a disadvantage, a risk, most of them uncatalogued. My perception of arguments along the lines of the one you are making is that techies should stay in their box working on tools. That there is a clean hierarchical delineation between people (that people are things with labels) and they build technology (neutral) and that it is the application of said technology that does bad things. On the spectrum of applicability, a component of Chef is more neutral than a facial detection library.

                                                Everyone should still have a moral code and realize how the tools they are building could be used. This person was thrust into something they weren’t prepared for, I don’t know how I would react in a similar situation. But the overall impact to ICE was zero and that would be known. This action was a purely symbolic act of protest.

                                            2. 1

                                              Doesn’t the US government have additional rights on other people’s intellectual rights (like patents) in certain cases?

                                              1. 2

                                                Content produced by the US Government is very often public domain.

                                                During WW1, the US forced patent holders on airplane tech to pool their patents, but patents are intellectual property. State power in the US seldom appropriates private property. Eminent domain is an exception.

                                            3. 5

                                              Yes, this is technically a type of sabotage, and yes it’s the sort of thing that is likely to damage other entities besides the intended target, but I would oppose establishing a norm where removing one’s own code from a public repo is considered punishable in and of itself. It should be considered the responsibility of the clients of open-source code to make local copies of the code they use, whether that’s an entity the code-author likes or dislikes.

                                              1. 3

                                                There’s no risk of punishment (the licenses state, among other things, “NO WARRANTY”). I understood friendlysock to mean that developers should keep side effects (such as blocking procedures with positive effects, like getting people out of camps, in undesired organizations) in mind when considering such activities.

                                              2. 5

                                                I agree with the risk of collateral damage, but see below.

                                                I don’t agree with the term “sabotage” here.

                                                In corporate context, sabotage would be an employee deleting code and backups so that development halts and the company suffers financial or reputational damage.

                                                In this case, Vargo developed the software (apparently when working at Chef), and everyone was best buds and agreed for this to be released as Open Source (I’m assuming that’s a variant of the license used, not a form of the GPL).

                                                Chef proceeded to build their business using software that was out of their direct control, all the while relying on a gentleman’s agreement that Vargo would not impede access to this software.

                                                This is a supply chain problem, not sabotage. Obviously, Chef and others in their situation need to hedge against contributors to their software stack not taking umbrage to the actions of Chef’s customers. They can do this by keeping local repo copies in the short term, and keeping other developers on retainers to rewrite the software in case a developer removes their repo.

                                                Edit: another solution is for the company to identify any repo that is critical to them, and then simply purchase the rights to it (as well as the maintenance overhead, of course) from the developer. Market solution! I love them.

                                                Chef’s business model was to take software written by volunteers for free and package it into a form palatable for corporate customers (and whatever the US term for entities like ICE is), pocketing the proceeds.

                                                Chef assumes the responsibility for maintaining access to the software. Having to hedge against software developer’s “whims”[1] will of course cut into the profit margin of this business. In the long term, it might make sense for companies like Chef to forego open source licensing entirely and develop their stuff in-house, keeping control of the IP. Or they’ll just have contingency plans such as the one outlined above.

                                                [1] I hesitate to use “whim” for Vargo’s decision. But other developers might delete their repos “for the lulz”, to actually sabotage a company per the above, have access to their repos disrupted, or simply delete it all and move to a bunker.

                                                1. 0

                                                  If Chef or any other technology is so key to the core of how ICE works that removing it crippled them, then the protest has proved its point. Imagine applying this cold logic to, say, Japanese internment camps during WWII. (which is not dissimilar to what’s going on now since there are multiple cases of legitimate citizens getting deported as well.)

                                                  Sometimes you’ve gotta throw a wrench in. Let’s hope that there are more.

                                                  1. 0

                                                    Techies taking the law into their own hands by committing acts of sabotage of this nature are almost assuredly unable to prevent collateral damage.

                                                    pardon me?

                                                  2. 2

                                                    I could definitely see myself doing it to protest a company selling it to do something I disagreed with.

                                                  1. 4

                                                    Vim is a genius idea with a sloppy realisation. First time I tried it, I spent a month learning it and setting everything up to be just perfect. But then I changed job and stack, and I have had to set everything up again, and I wasn’t as patient the second time. After a few more times, I understood that I can’t be bothered to spend a few weeks testing all the plugins and remembering all the shortcuts every time I need to get acquainted with a new language or change computers and operating systems – I guess it happens to me much more often than to the greybeards.

                                                    On the other hand, modern editors like VSCode just work. They’re not ideal, and you may have to try different plugins as well, but I’m not afraid that editor will hang for a half a minute or indefinitely (which happens a LOT with vim plugins), and you don’t have to remember any magical Leader-something shortcuts: just type Ctrl/Cmd-P, and all the plugin’s functions are there, with useful search. I still install vim plugin on any IDE I use, and, of course, the support is lacking (for example, relative line numbers and relative movement over closed folds is something that plugin developers usually don’t get right), but these things I can live with.

                                                    I wish that when I retire, I will finally have time to set up Emacs with evil mode from scratch and will finally have an editor that I can configure and program in a language that I love. But it seems like a project that would take a couple of months (during which I will not be able to use it as an editor and will often break it), and for now, I have work to do.

                                                    1. 13

                                                      I’m not afraid that editor will hang for a half a minute or indefinitely (which happens a LOT with vim plugins)

                                                      I have literally never had that happen. This sounds like the “Wordpress plugin problem” to me:

                                                      1. Install Wordpress.
                                                      2. Install loads of crappy plugins.
                                                      3. Get 0wned.
                                                      4. Blame Wordpress.

                                                      1. 1

                                                        Well, if there are a lot of crappy plugins that turn up as first results in Google, you can definitely blame the ecosystem. And you can certainly blame the software with a plugin architecture designed in such a way that a bad plugin can bring down everything, without an easy way to isolate or at least identify the culprit.

                                                        1. 3

                                                          Both modern Vim and Neovim support async operations now.

                                                          1. 3

                                                            And yet, a fresh install of spacevim on top of neovim in latest Ubuntu in WSL hangs when I try to save any Haskell file. Making a good plugin architecture is not about allowing plugins to do stuff; it’s about limiting their power to do it.

                                                          2. 1

                                                            blame the software with a plugin architecture designed in such a way that a bad plugin can bring down everything

                                                            You can’t edit the buffer by both a plugin and the user typing in it, so completely avoiding any locks is a logical impossibility.

                                                            an easy way to isolate or at least identify the culprit.

                                                            Profiling (:profile start vim.profile :profile file *) usually works, or vim --startuptime.

                                                            1. 3

                                                              I’m not a plugin developer for any IDE, and I’m familiar with these ecosystems only as a user. And as a user, I know that I have never seen any plugin hang Visual Studio, VS Code, Sublime or other “modern” editors, but I’ve seen it many times with Vim.

                                                              Now, I specifically say that I blame not the editor code itself, but the whole ecosystem. This includes not only plugin API, but also best practices that plugin developers get nudged into. From my experience with different ecosystems, I would make an educated guess that Vim plugin developers do certain things in a naive and potentially bad way (which leads to bugs and freezes that I experience) not just because they are allowed to, but because that’s how they’re taught to do it in tutorials, documentation, by looking into other existing plugins, and so on. Which, in the end, makes Vim a bad editor for me. Because just as quality of language is not only about the spec, but also about the amount and quality of libraries written for it, the quality of an editor is also about quality of plugins that I can use with it and overall level of trust or caution that I, as a user get accustomed to; that’s exactly what the word “ecosystem” stands for.

                                                              1. 4

                                                                Every ecosystem has loads of crap plugins/libraries. Sturgeon’s law: “90% of everything is shit”. Your entire argument sounds like “I have experienced one plugin misbehave, therefore the entire ecosystem is bad”. That is actually a generous reading, as it could also be a misconfiguration or something else. I’ve seen people copy/paste some pretty silly things in their vimrc without understanding what it does.

                                                                If VSCode works well for you: great. Go for it! But I don’t see why you need to keep repeating the strange claim that it’s somehow “normal” that Vim frequently hangs. I can assure you it’s not, and “greybeards” – as you charmingly call them – do not spend all of their days waiting for Vim, or spend their entire time configuring Vim.

                                                        2. 6

                                                          I’ve never understood the point of overloading vim with plugins. On the one hand the arguments are “it’s the same everywhere” and “its start-up time is minimal”, etc. but all of this seems defeated when you try to turn Vim into an IDE. Unix is supposed to be the (I)DE, and vim is the editing component, while the shell is supposed to mediate between all the other tools one would use in the process (as opposed to Emacs, where Emacs itself mediates). Or that’s at least the idea.

                                                          1. 2

                                                            Well, that’s the idea that makes vim a bad full-blown editor, and one of the reasons that OP, me, and other like-minded developers quit vim even though we love the modal editing aspect of it.

                                                            1. 2

                                                              Vim is already an IDE out of the box; it comes with completion, make integration, code navigation, a file browser, and many other IDE-like features.

                                                              The problem is that a lot of plugins duplicate these features because they want to “make it seem like Jetbrains”, instead of using the Vim way of doing things. In many ways it’s similar to “Vi key bindings” that you get in many other IDEs.

                                                              1. 3

                                                                I wouldn’t consider any of those things to be what make an IDE. They’re not strictly vi-ish, yes, but an IDE should take things further, ideally creating a seamless interface between everything, taking charge of the more complicated parts for the user.

                                                                1. 1

                                                                  Well, you could argue all day about what exactly an “IDE” is, but if we take the broad definition of “comprehensive facilities to computer programmers for software development” (lifted from Wikipedia) then I think Vim fits the bill. It’s certainly a different approach than, say, Visual Studio, but I don’t think that makes it “not an IDE”. It’s certainly more than just an “editor”.

                                                          1. 6

                                                            We are still on 8 where I work. Are others here adopting new versions more quickly?

                                                            1. 4

                                                              nah, we’re also still on 8.

                                                              1. 2

                                                                We are moving to 11 right now

                                                                1. 1

                                                                  Which version are you currently using? Are there any specific features or bug fixes that are prompting the migration?

                                                                  Edit: After upgrading to today’s (2019-03) release of Eclipse, I discovered two things: (1) The latest version of Eclipse only supports Java up to version 11; (2) Java 11 removed support for JAXB and apparently the activation framework as well. I am not ready to track down all of these external libraries yet, as it would cause my development environment (i.e. Java 12 (no JAXB or activation framework); limited to Java 11 by Eclipse) to get out of sync with our test and production environments (currently limited to Java 8 with JAXB and activation framework). We will need to hold off on Java 12 until it is specifically supported on Amazon Linux.

                                                                  1. 2

                                                                    We’re running 10 right now.

                                                                    Not that I know of, I have a coworker that works in the infra layer on the JVM side of things (in the same team) so I don’t have deeper insights except that it works with our stack and build systems.

                                                                2. 2

                                                                  I believe we’re rolling out 11 once we do our June release, but not yet.

                                                                  1. 1

                                                                    My Java upgrades have always been in June as well, to coincide with the Eclipse release schedule (like clockwork for 15 years, there has been a new major release every June from 2004-2018). However, a few months ago Eclipse changed their Simultaneous Release schedule, and this has thrown my usual upgrade process into chaos. I’m still using Eclipse Photon (4.8, June 2018), and I’m not even certain if this is the current version or not.

                                                                    Not to presume you’re using Eclipse, but now I’m really curious if this release cadence change is affecting anyone else’s shop.

                                                                    1. 2

                                                                      Eclipse actually released its now-quarterly release today, version 4.11 aka “2019-03”. The previous release 4.10 was labeled “2018-12”.

                                                                      1. 2

                                                                        Thanks for the heads-up. I see (after a little more reading), they basically re-named/re-numbered the service releases as major versions. Incidentally, I see that Eclipse is not yet advertising Java 12 build support.

                                                                        In case it helps anyone else, I just did (for us, an “out of band”; we’ve never jumped two major versions) update of all of our development workstations. Aside from the Windows and Linux installers failing (resorted to manual install via zip archive), the Subclipse plug-in installed without problems but IvyDE failed to install unless “Contact all update sites during install to find required software” was unchecked. Overall, less painful than normal for an Eclipse upgrade.

                                                                  2. 1

                                                                    My team’s on 11, but we use Clojure so we’re not affected by majority of the changes in the JDK.

                                                                  1. 7

                                                                    I brew beer, I’ve been a craft beer fan for a long time (10+ years) and about two years ago I got a beginners kit from my partner, it escalated quite fast and now I brew 8 - 12 times a year in a small all in one brew system.

                                                                    I’ve mainly done clone recipes, but recently started designing my own ones.

                                                                    1. 2

                                                                      I love how brewing your own beer enriches the experience of drinking beer, just as cooking makes you enjoy food more because you understand and participate in the process, ingredients, work…

                                                                    1. 1

                                                                      As we are moving to Nomad for cluster orchestration we also use their Batch/Periodic jobs for scheduling tasks. (We also wrote our own based on something from Spring, I’m not touching that…)

                                                                      1. 9

                                                                        Hah, I was actually curious whether AST will make a move. Good to see he did.

                                                                        Still, it’s sad that he doesn’t seem to care about ME.

                                                                        1. 7

                                                                          Whether he cares about ME is irrelevant here. By releasing the software under most (all?) free software and open source licenses, you forfeit the right to object even if the code is being used to trigger a WMD - with non-copyleft licenses you agree not to even see the changes to the code. That’s the beauty of liberal software licenses :^)

                                                                          All that he had asked for is a bit of courtesy.

                                                                          1. 4

                                                                            AFAIK, this courtesy is actually required by BSD license, so it’s even worse, as Intel loses here on legal ground as well.

                                                                            1. 5

                                                                              No, it is not - hence the open letter. You are most likely confused by the original BSD License which contained the so-called advertising clause.

                                                                              1. 5

                                                                                Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

                                                                                http://git.minix3.org/index.cgi?p=minix.git;a=blob;f=LICENSE;h=a119efa5f44dc93086bc34e7c95f10ed55b6401f;hb=HEAD

                                                                                1. 9

                                                                                  Correct. The license requires Intel to reproduce what’s mentioned in the parent comment. The distribution of Minix as part of the IME is a “redistribution in binary form” (i.e., compiled code). Intel could have placed the parts mentioned in the license into those small paper booklets that usually accompany hardware, but as far as I can see, they haven’t done so. That is, Intel is breaching the BSD license Minix is distributed under.

                                                                                  There’s no clause in the BSD license to inform Mr. Tanenbaum about the use of the software, though. That’s something he may complain about as lack of courtesy, but it’s not a legal requirement.

                                                                                  What’s the consequence of the license breach? I can only speak for German law, but the BSD license does not include an auto-termination clause like the GPL does, so the license grant remains in place for the moment. The copyright holder (according to the link above, this is Vrije Universiteit, Amsterdam) may demand compensation or acknowledgment (i.e. fulfillment of the contract). Given the scale of the breach (it’s used in countless units of Intel’s hardware, distributed all over the globe by now), he might even be able to revoke the license grant, effectively stopping Intel from selling any processor containing the then unlicensed Minix. So, if you ever felt like the IME should be removed from this world, talk to the Amsterdam University and convince them to sue Intel over BSD license breach.

                                                                                  That’s just my understanding of the things, but I’m pretty confident it’s correct (I’m a law student).

                                                                                  1. 3

                                                                                    It takes special skill to break a BSD license, congrats Intel.

                                                                                    1. 5

                                                                                      Actually, they may have a secret contract with the University of Amsterdam that has different conditions. But that we don’t know.

                                                                                      1. 2

                                                                                        Judging from the text, doesn’t seem AST is aware of it.

                                                                                        1. 2

                                                                                          University of Amsterdam (UvA) is not the Vrije University Amsterdam (VU). AST is a professor at VU.

                                                                                    2. 1

                                                                                      I’ve read the license - thanks! :^)

                                                                                      The software’s on their chip and they distribute the hardware so I’m not sure that actually applies - I’m not a lawyer, though.

                                                                                      1. 5

                                                                                        Are you saying that if you ship the product in hardware form, you don’t distribute software that it runs? I wonder why all those PC vendors were paying fees to Microsoft for so long.

                                                                                        1. 2

                                                                                          For the license - not the software

                                                                                          1. 3

                                                                                            Yes, software is licensed. It doesn’t mean that if you sell hardware running software, you can violate that software’s license.

                                                                                        2. 3

                                                                                          So, they distribute a binary form of the OS.

                                                                                          1. 4

                                                                                            This is the “tivoization” situation that the GPLv3 was specifically created to address (and the BSD licence was not specifically updated to address).

                                                                                            1. 2

                                                                                              No, it was created to address not being able to modify the version they ship. Hardware vendors shipping GPLv2 software still have to follow the license terms and release source code. It’s right in the article you linked to.

                                                                                              BSD license says that binary distribution requires mentioning copyright license terms in the documentation, so Intel should follow it.

                                                                                              1. 3

                                                                                                Documentation or other materials. Does including a CREDITS file in the firmware count? (For that matter, Intel only sells the chipset to other vendors, not end users, so maybe it’s in the manufacturer docs? Maybe they’re to blame for not providing notice?)

                                                                                                1. 3

                                                                                                  You have a point with the manufacturers being in-between Intel and the end users that I didn’t see in my above comment, but the outcome is similar. Intel redistributes Minix to the manufacturers, which then redistribute it to the end-users. Assuming Intel properly acknowledges things in the manufacturer’s docs, it’d then be the manufacturers that were in breach of the BSD license. Makes suing more work because you need to sue all the manufacturers, but it’s still illegal to not include the acknowledgements the BSD license demands.

                                                                                                  Edit:

                                                                                                  Does including a CREDITS file in the firmware count?

                                                                                                  No. “Acknowledging” is something that needs to be done in a way the person that receives the software can actually take notice of.

                                                                                                  1. 2

                                                                                                    The minix license doesn’t use the word “acknowledging” so that’s not relevant.

                                                                                                    1. 2

                                                                                                      You’re correct, my bad. But “reproduce the above copyright notice” etc. aims at the same. Any sensible interpretation of the BSD license’s wording has to come to the result that the receivers of the source code must be able to view those parts of the license text mentioned, because otherwise the clause would be worthless.

                                                                                            2. 1

                                                                                              If they don’t distribute that copyright notice (I can’t remember last seeing any documentation coming directly from Intel as I always buy pre-assembled hardware) and your reasoning is correct, then they ought to fix it and include it somewhere.

                                                                                              However, the sub-thread started by @pkubaj is about being courteous, i.e. informing the original author about the fact that you are using their software - MINIX’s license does not have that requirement.

                                                                                  2. 7

                                                                                    I think he is just happy he has a large company using minix.

                                                                                    1. 5

                                                                                      Still, it’s sad that he doesn’t seem to care about ME.

                                                                                      Or just refrains from fighting a losing battle? It’s not like governments would give up on spying on and controlling us all.

                                                                                      1. 6

                                                                                        Do you have a cohesive argument behind that or are you just being negative?

                                                                                        First off, governments aren’t using IME for dragnet surveillance. They (almost certainly) have some 0days, but they aren’t going to burn them on low-value targets like you or me. They pose a giant risk to us because they’ll eventually be used in general-purpose malware, but the government wouldn’t actually fight much (or maybe at all, publicly) to keep IME.

                                                                                        Second off, security engineering is a sub-branch of economics. Arguments of the form “the government can hack anyone, just give up” are worthless. Defenders currently have the opportunity to make attacking orders of magnitude more expensive, for very little cost. We’re not even close to any diminishing returns falloff when it comes to security expenditures. While it’s technically true that the government (or any other well-funded attacker) could probably own any given consumer device that exists right now, it might cost them millions of dollars to do it (and then they have only a few days/weeks to keep using the exploit).

                                                                                        By just getting everyday people to adopt marginally better security practices, we can make dragnet surveillance infeasibly expensive and reduce damage from non-governmental sources. This is the primary goal for now. An important part of “marginally better security” is getting people to stop buying things that are intentionally backdoored.

                                                                                        1. 2

                                                                                          Do you have a cohesive argument behind that or are you just being negative?

                                                                                          Behind what? The idea that governments won’t give up on spying on us? Well, it’s quite simple. Police states have happened all throughout history, governments really really want absolute power over us, and they’re free to work towards it in any way they can.. so they will.

                                                                                          They (almost certainly) have some 0days, but they aren’t going to burn them on low-value targets like you or me.

                                                                                          Sure, but do they even need 0days if they have everyone ME’d?

                                                                                          They pose a giant risk to us because they’ll eventually be used in general-purpose malware

                                                                                          Yeah, that’s a problem too!

                                                                                          Defenders currently have the opportunity to make attacking orders of magnitude more expensive, for very little cost. [..] An important part of “marginally better security” is getting people to stop buying things that are intentionally backdoored

                                                                                          If you mean using completely “libre” hardware and software, that’s just not feasible for anyone who wants to get shit done in the real world. You need the best tools for your job, and you need things to Just Work.

                                                                                          By just getting everyday people to adopt marginally better security practices, we can make dragnet surveillance infeasibly expensive and reduce damage from non-governmental sources.

                                                                                          “Just”? :) I’m not saying we should all give up, but it’s an uphill battle.

                                                                                          For example, the blind masses are eagerly adopting Face ID, and pretty soon you won’t be able to get a high-end mobile phone without something like it.

                                                                                          People are still happily adopting Google Fiber, without thinking about why a company like Google might want to enter the ISP business.

                                                                                          And maybe most disgustingly and bafflingly of all, vast hordes of Useful Idiots are working hard to prevent the truth from spreading - either as a fun little hobby, or a full-time job.

                                                                                        2. 4

                                                                                          It reads to me like he just doesn’t want to admit that he’s wrong about the BSD license “providing the maximum amount of freedom to potential users”. Having a secret un-auditable, un-modifiable OS running at a deeper level than the OS you actually choose to run is the opposite of user freedom; it’s delusional to think this is a good thing from the perspective of the users.

                                                                                          1. 2

                                                                                            And the BSD code supported that by making their secret box more reliable and cheaper to develop.

                                                                                          2. 3

                                                                                            Oh, it’s still not lost. ME_cleaner is getting better, Google is getting into it with NERF, Coreboot works pretty well on many newish boards and on top of that, there’s Talos.

                                                                                          3. 2

                                                                                            He posted an update in which he says he doesn’t like IME.

                                                                                          1. 6

                                                                                            I’ll add to this that being on call when it’s quiet limits your ability to live your life as you please outside of office hours - you can’t disappear into the wilderness, you can’t go to the movies and turn your phone off, you can’t go out to dinner and not take your laptop, you can’t go out to a party and get drunk so that you sleep through the beeping.

                                                                                            That’s the best scenario. When things are broken you might lose a lot of sleep. You might have to interrupt dinner with friends. You might have to jump in a cab and head home so you can get properly online and work. You come into the office tired; your partner is grumpy because they got woken up, too; you feel like crap because you haven’t had an evening all week where you didn’t have to deal with something.

                                                                                            On-call can be a scourge. It’s random, unpaid work, demanding your full attention at the worst of times. The best thing I can recommend is: don’t be on call. Don’t get in that critical path. If you are a manager with on-call staff you should be telling people to come in late, or not at all, if they’ve had a night of activity.

                                                                                            And make fixing that issue so it never wakes anyone up again your biggest priority.

                                                                                            1. 4

                                                                                              It’s random, unpaid work, demanding your full attention at the worst of times.

                                                                                              Is this something specific to states? Where I live I’m paid (constant amount) for the fact that I’m on-call even if nothing happens. And 150% of my hourly rate if I have to work.

                                                                                              1. 6

                                                                                                In the US, it varies by the job and by the state.

                                                                                                Some employees are paid hourly, and there are state and federal labor rules about how many hours a week (and sometimes how many hours per day) an employee can work before an overtime rate has to be paid.

                                                                                                There are other workers, however, who are paid ‘on salary’ instead of hourly. That means they get paid monthly or bi-weekly at a fixed rate, and hours worked aren’t tracked and don’t enter into the pay equation. They are called ‘exempt’ employees, because they are not covered by the minimum wage and overtime rules that apply to hourly employees under the Fair Labor Standards Act.

                                                                                                Exempt employees are often preferentially asked to go on call because, if they’ll do it, they aren’t required to be paid extra for the work like an hourly employee would be. Some jobs choose to pay their exempt employees an on-call bonus, or to compensate them in other ways - extra time off for example - but not all do. If you work at one of those places, you have to decide if your salary makes up for the hassle and inconvenience of putting up with on-call work.

                                                                                                1. 3

                                                                                                  In the US, by an unfortunate quirk of labor regulations, software engineers are considered “clerical” and are exempt from the requirement that they be paid overtime. Consequently, for all intents and purposes all are salaried and not paid for hours actually worked.

                                                                                                  1. 2

                                                                                                    Yeah, likewise. I’m a massive advocate for putting devs on-call, but I won’t enter a rotation unless it’s compensated: at a minimum, a base rate per hour, regardless of incidents.

                                                                                                    1. 2

                                                                                                      In the US there are a lot more people working as salaried, non-hourly employees than other places I’m aware of in Europe and SE Asia. It’s rare for a salaried job to pay any sort of overtime, or additional compensation for on-call.

                                                                                                    2. 3

                                                                                                      All places I’ve worked at, including startups and small companies paid for you to be on call. And you matched hours to hours if there was night work (ie come in late next day), and you got an extra day off at the end of your on call shift.

                                                                                                    1. 19

                                                                                                      I don’t support the FSF when so much of their income ends up in the pockets of lawyers and not with programmers.

                                                                                                      I find that point incredibly weird. Most of the FSF’s work is policy work and is legal counsel to programmers doing open source.

                                                                                                      You might not agree with what they do, but yes, that’s mostly the place where lawyers are appropriate.

                                                                                                      1. 4

                                                                                                        And the SFLC is not the FSF.

                                                                                                        1. 3

                                                                                                          Software may be free, but laws cost good money! 8)

                                                                                                        1. 2

                                                                                                          I found rcm a couple of years ago, and haven’t looked back.

                                                                                                          1. 1

                                                                                                            Right now we just install the Mesos agent and run everything on container images. Some prometheus exporter images and that’s about it.

                                                                                                            1. 42

                                                                                                              In case anyone wants to cross-check, out of the 23 curl CVEs in 2016, at least 10 (1, 2, 3, 4, 5, 6, 7, 8, 9, 10) are due to C’s manual memory management or weak typing and would be impossible in a memory-safe, strongly-typed language. (Note that, while I like Rust and it seems to have been the motivator for this post, many modern languages meet this bar.) While “slightly more than half” as non-C-related vulnerabilities may technically be “most”, I’m not sure it’s fitting the spirit of the term.

                                                                                                              There are some very compelling advantages to C, certainly, which the author enumerates; in particular, its portability to nearly every platform in existence is a major weakness of Rust (and, to the best of my knowledge, any other competitor) at the moment. But it’s very important to note that nontrivial C code practically always contains serious vulnerabilities, and nothing we’ve tried (especially “code better”, the standard advice for avoiding C vulnerabilities) works to prevent them. We should be conscious that, by writing C, we are trading away security in favor of whatever benefits C provides at that moment.

                                                                                                              edit: It’s worth noticing and noting, as I failed to, that 2016 was an unusual year for curl vulns. /u/amaurea on Reddit helpfully counted and cataloged all the vulns on that page, and 2016 is an obvious outlier for raw count, strongly suggesting an audit or new static analysis tool or something. However, the proportion of C to not-C bugs is not wildly varied over the entire list, so the point stands.

                                                                                                              1. 9

                                                                                                                […] 2016 is an obvious outlier for raw count, strongly suggesting an audit or new static analysis tool or something.

                                                                                                                It was an audit.

                                                                                                                1. 5

                                                                                                                  especially “code better”, the standard advice for avoiding C vulnerabilities

                                                                                                                  If the curl codebase is as bad as its API then this is honestly a completely fair response.

                                                                                                                  We had this code recently:

                                                                                                                  int status;
                                                                                                                  void * some_pointer;
                                                                                                                  curl_easy_getinfo( curl, CURLINFO_RESPONSE_CODE, &status );
                                                                                                                  

                                                                                                                  which trashes some_pointer on 64bit Linux because curl_easy_getinfo( CURLINFO_RESPONSE_CODE ) takes a pointer to a long and not an int. The compiler would normally warn about that, but curl_easy_getinfo is a varargs function, which brings no benefits and means the compiler can’t check the types of its arguments. WTF seriously? Why would you do that??

                                                                                                                  I also recall reading somewhere that curl is over 100k LOC, which is insane. If the HTTP spec actually requires the implementation to be that large (and it wouldn’t surprise me if it does), then you are free to, and absolutely should, just not implement all of it. If the spec is so unwieldy that nobody could possibly get it right, then why try? Implement a sensible subset and call it a day.

                                                                                                                  If you know you’re not going to be using many HTTP features, it’s not hard to implement it yourself and treat anything that isn’t part of the tiny subset you chose as an error. For example, it’s only a few hundred lines to implement synchronous GET requests with non-multipart responses and timeouts, and that’s often good enough.
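The int-versus-long mismatch described in the comment above, as an added example that is not part of the thread and does not link libcurl. `mock_getinfo`, `MOCK_INFO_RESPONSE_CODE` and `union frame` are hypothetical stand-ins; the union makes the oversized write well-defined so its effect can be observed, and the typed wrapper shows one way to give the compiler a prototype to check.

```c
#include <stdarg.h>
#include <stdio.h>

/* Hypothetical selector for the mock below; not a libcurl constant. */
enum { MOCK_INFO_RESPONSE_CODE = 1 };
#define SENTINEL 0x5a5a5a5a

/* Mock varargs getter: like the API discussed above, it writes a long
 * through whatever pointer the caller passed. The compiler cannot check
 * the pointer type because it travels through "...". */
static int mock_getinfo(int info, ...)
{
    va_list ap;
    int rc = -1;

    va_start(ap, info);
    if (info == MOCK_INFO_RESPONSE_CODE) {
        long *out = va_arg(ap, long *);
        *out = 200L;                    /* constructed response code */
        rc = 0;
    }
    va_end(ap);
    return rc;
}

/* Models "an int followed by something else" in the caller's frame.
 * as_long starts at the same address as ints.status, so storing a long
 * there is what the callee does when handed the address of the int. */
union frame {
    struct { int status; int neighbour; } ints;
    long as_long;
};

/* Returns 1 if the write spilled past the int into its neighbour. */
static int neighbour_clobbered(void)
{
    union frame f;

    f.ints.status = 0;
    f.ints.neighbour = SENTINEL;
    mock_getinfo(MOCK_INFO_RESPONSE_CODE, &f.as_long);
    return f.ints.neighbour != SENTINEL;
}

/* Typed wrapper: callers go through a real prototype, so passing an
 * int * here is a diagnosed constraint violation instead of a silent
 * stack overwrite. */
static int get_response_code(long *out)
{
    return mock_getinfo(MOCK_INFO_RESPONSE_CODE, out);
}

/* Narrow to int only after the value is known to be in range. */
static int http_status(void)
{
    long code = 0;

    if (get_response_code(&code) != 0 || code < 100 || code > 599)
        return -1;
    return (int)code;
}

int main(void)
{
    printf("sizeof(int)=%zu sizeof(long)=%zu neighbour clobbered: %d\n",
           sizeof(int), sizeof(long), neighbour_clobbered());
    printf("status via typed wrapper: %d\n", http_status());
    return 0;
}
```

On platforms where `long` and `int` have the same width the neighbour survives, which is why this class of bug can pass testing on one target and corrupt memory on another.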

                                                                                                                  1. 5

                                                                                                                    I also recall reading somewhere that curl is over 100k LOC, which is insane. If the HTTP spec actually requires the implementation to be that large (and it wouldn’t surprise me if it does), then you are free to, and absolutely should, just not implement all of it.

                                                                                                                    curl supports a lot more protocols than just http though.

                                                                                                                    1. 3

                                                                                                                      Indeed. From the man page.

                                                                                                                      curl is a tool to transfer data from or to a server, using one of the supported protocols (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP).

                                                                                                                      1. 1

                                                                                                                        damn, that’s a juicy attack surface

                                                                                                                    2. 3

                                                                                                                      CURL is highly compatible with a lot of the strange behaviors that browsers do support and are usually outside of (or even prohibited by) the spec/standard. Just implementing the spec doesn’t quite make it useful to the world, when the world isn’t even spec compliant. Even if you write down the standard, the real standard is what all the other browsers do, not what a piece of paper says.

                                                                                                                      Example: https://github.com/curl/curl/issues/791

                                                                                                                      1. 1

                                                                                                                        But it is useful even if you only implement a tiny subset of HTTP, because most use cases involve sending trivial requests to sensible servers.

                                                                                                                        1. 3

                                                                                                                          The point is that cURL isn’t a project that supplies that subset, regardless of it being useful or not. cURL supplies a complete and comprehensive package that runs pretty much anywhere and supports pretty much any protocol you might need at some point (and some you might not need).

                                                                                                                          Nothing wrong in making a slimmed down works-most-of-the-time-and-will-be-enough-for-most-people project, it might be very useful indeed, but that’s not the goal of the cURL project. There’s space for both.

                                                                                                                          1. 1

                                                                                                                            This is the way. Start small. I would assume that 90% of the use cases for curl is just some simple HTTP(S) queries and that can be implemented in any language quite quickly.

                                                                                                                            For example, D currently has curl in its standard library, which will probably be deprecated and removed. For simple HTTP(S) queries, there is requests, which is pure D except for the ssl and crypto stuff.

                                                                                                                      2. 8

                                                                                                                        nothing we’ve tried works to prevent them

                                                                                                                        Formal verification actually works. seL4 exists.

                                                                                                                        1. 10

                                                                                                                          Verifying seL4 took a few years and it was roughly 10000 LoC. Curl has an order of magnitude more. 113316 as counted by sloccount on the Github repo right now. Verification is getting easier, but only very slowly.

                                                                                                                          There is no immediate commercial advantage since curl works fine. This leaves it to academia to get the ball rolling.

                                                                                                                          1. 4

                                                                                                                            Verifying seL4 took a few years and it was roughly 10000 LoC.

                                                                                                                            Formally verifying 15,000ish lines of Haskell-generated C in seL4 took ~200,000 lines of proof, actually, per this. Formally verifying all of curl would easily run into the millions of lines of proof – and you’d basically be rewriting it into C-writing Haskell to boot.

                                                                                                                          2. 3

                                                                                                                            seL4 has two versions, a Haskell version that’s used to verify model safety and a C version that’s just a translation of the Haskell version. It may actually be a bit of a counter-example to your claim (that formal verification on C works in practice).

                                                                                                                            1. 1

                                                                                                                              This is incorrect. seL4 project actually proved C version is equivalent to (technically, refines) Haskell version. And then they (semi-automatically) proved generated assembly is equivalent to (refines) C so that they don’t need to rely on C compiler correctness.

                                                                                                                          3. 2

                                                                                                                            Yes but a lot of these are only published and fixed because curl is so widely used—and scrutinized. For example number 2 on your list:

                                                                                                                            If a username is set directly via CURLOPT_USERNAME (or curl’s -u, --user option), this vulnerability can be triggered. The name has to be at least 512MB big in a 32bit system. Systems with 64 bit versions of the size_t type are not affected by this issue.

                                                                                                                            Literally this doesn’t matter.

                                                                                                                            Also, how would Rust prevent this? I’m pretty sure multiplication overflow happens in Rust too.

                                                                                                                            1. 14

                                                                                                                              Rust specifies that:

                                                                                                                              1. If overflow happens, it is a “program error,” but is well-defined as two’s complement wrapping.
                                                                                                                              2. In debug builds, overflow must be checked for and panic.

                                                                                                                              In the future, if overflow checking is cheap enough, this gives us the ability to require it. Who knows when that’ll ever be :)

                                                                                                                              Also note that this means it might lead to a logic error, but not a memory safety error. Just by making it defined helps a lot.

                                                                                                                              1. 3

                                                                                                                                Is there a formal or semi-formal Rust specification anywhere?

                                                                                                                                1. 9

                                                                                                                                  Not quite yet; or at least, it’s not all in one place. While all those universities are working on formalisms, we’re not working hard to get one in place, since it’d have to take that work into account, which would mean throwing stuff out and re-writing it that way, I’d imagine.

                                                                                                                                  There is some work going on to make the reference (linking to nightly docs since some work has recently landed to split it up into manageable chunks) closer to a spec; there’s also been an RFC accepted that says before stabilization, we must have the reference up-to-date with the changes, but we have to backfill all the older ones. So currently, it’s always accurate but not complete.

                                                                                                                                  This area is well-specified though, in RFC 560 https://github.com/rust-lang/rfcs/blob/master/text/0560-integer-overflow.md (one RFC I refer to so often I remember its number by heart)

                                                                                                                                  1. 1

                                                                                                                                    Thank ye

                                                                                                                                2. 2

                                                                                                                                  That’s neat! Still, I find it hard to believe anything would have coverage of all multiplication errors in allocations, even if it were written in Rust. If anyone can show me a single Rust project that deliberately trips the debug panic for multiplication errors during allocation in its unit tests, I’ll be impressed. But I’ll bet the only way to really be robust against this class of error is to use something like OpenBSD’s reallocarray. That’s equally possible in C and Rust.
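The reallocarray-style check mentioned above, as an added example that is not part of the thread and is not curl's or OpenBSD's code. The 32-bit size type is modelled with `uint32_t` so the wrap is visible on a 64-bit host; `ELEM_SIZE` is a constructed value and all function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HALF_GIB (512u * 1024u * 1024u)  /* the 512MB figure quoted above */
#define ELEM_SIZE 8u                     /* constructed element size */

/* Unchecked size computation on a 32-bit size type: the product is
 * reduced modulo 2^32, so a huge request can turn into a tiny one. */
static uint32_t unchecked_bytes32(uint32_t nmemb, uint32_t size)
{
    return nmemb * size;
}

/* Stores a*b in *out and returns 0 only if the product is <= max.
 * The division-based test runs before the multiplication, so the
 * multiplication itself can never wrap. */
static int mul_fits(size_t a, size_t b, size_t max, size_t *out)
{
    if (b != 0 && a > max / b)
        return -1;
    *out = a * b;
    return 0;
}

/* Returns 1 if nmemb*size is representable in a 32-bit size type. */
static int fits32(uint32_t nmemb, uint32_t size)
{
    size_t bytes;

    return mul_fits(nmemb, size, UINT32_MAX, &bytes) == 0;
}

/* Allocation in the style of reallocarray: refuse the request when the
 * byte count would overflow size_t instead of allocating a short buffer. */
static void *alloc_array(size_t nmemb, size_t size)
{
    size_t bytes;

    if (mul_fits(nmemb, size, SIZE_MAX, &bytes) != 0) {
        errno = ENOMEM;
        return NULL;
    }
    return malloc(bytes);
}

/* Returns 1 if an ordinary small request still succeeds. */
static int small_alloc_ok(void)
{
    int *p = alloc_array(16, sizeof *p);
    int ok = (p != NULL);

    free(p);
    return ok;
}

int main(void)
{
    printf("unchecked 32-bit product: %u bytes\n",
           (unsigned)unchecked_bytes32(HALF_GIB, ELEM_SIZE));
    printf("fits in 32 bits: %d\n", fits32(HALF_GIB, ELEM_SIZE));
    printf("overflowing request rejected: %d\n",
           alloc_array(SIZE_MAX / 2 + 1, 2) == NULL);
    printf("small request ok: %d\n", small_alloc_ok());
    return 0;
}
```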

                                                                                                                                  1. 3

                                                                                                                                    I do have a few overflow tests in one of my projects, but not for that specifically: https://github.com/steveklabnik/semver-parser/blob/master/src/range.rs#L682

                                                                                                                                    We have pretty decent fuzzer support, seems like that might be something it would be likely to find.

                                                                                                                                    1. 2

                                                                                                                                      I guess that depends on how often you run your fuzzer on 32 bit systems long enough for it to accumulate gigabytes of input.

                                                                                                                                      The example here triggers after half a gig, but many of this class of bug would need more.

                                                                                                                            1. 3

                                                                                                                              A problem with stow is that, very often, I only want the files to be symlinked, with the directories created rather than symlinked. Otherwise, too many applications have a habit of writing to temporary and log files within the config directories, and these files appear inside the dotfile repository, which I do not want.

                                                                                                                              For example, my configuration file for foo is .foo/config. Unfortunately, foo will also write a file .foo/history. If I create a foo/.foo/config directory in my dotfile repo, and stow it, the ~/.foo is made into a symlink to the directory foo/.foo. So, the file ~/.foo/history actually appears under foo/.foo/log

                                                                                                                              Stow unfortunately does not support making directories (it makes directories only if the directory is shared between another application). I currently get by with some scripting on top of stow, but it would have been nice if this could have been implemented.

                                                                                                                              1. 8

                                                                                                                                Unless I’m fundamentally misunderstanding something, shouldn’t stow’s “--no-folding” argument do what you want?

                                                                                                                                1. 1

                                                                                                                                  It seems it is. My version of stow (1.3.3) seems not to have it, and hence I missed it. Thank you for pointing it out.

                                                                                                                                  1. 1

                                                                                                                                    Thank you! I also needed to know that existed. :)

                                                                                                                                  2. 2

                                                                                                                                    I sort of get around it with git and a .gitignore

                                                                                                                                    1. 2

                                                                                                                                      I also use .gitignore to deal with this, but I would prefer to have the directory structure copied and the files symlinked. Still, it works reasonably well for personal use.

                                                                                                                                      If you do this with your .emacs.d directory, the .gitignore can get extensive.

                                                                                                                                    2. 2

                                                                                                                                      rcm by thoughtbot works like that by default