1.  

    While I agree with some of the “examples” listed, I don’t think it’s fair to say microservices are “hyped and volatile”. Microservice architecture isn’t some advent to the computing world. Conceptually, it’s been around for a long long time when you look at operating system kernels. I’d also argue that building software that “does one thing and does it well” is not a new idea either (i.e. UNIX design philosophy).

    While the author has some good points, that one seems poorly thought out. Perhaps microservice means something different to the author?

    1.  

      Conceptually many ideas, including NoSQL, have been around for ages. It seems clear to me that the criticism in both cases are in references to the fad of microservices-for-microservices-sake and NoSQL-for-NoSQL’s-sake fads in Web Application Architecture, where there is often no real rationale behind their choice other than they are the trendy topics on the web conference circuits.

      (And yes, obviously, there are circumstances in which a microservices approach or a particular NoSQL solution make good sense – these are frequently not, unfortunately, the circumstances in which I have tended to see them used professionally).

    1. 4

      Indeed, major cryptocurrencies like Bitcoin and Ethereum have maintained their security quite well — better, arguably, than any other digital asset/payment system in history …

      That’s a hell of a claim.

      1. 2

        Yeah, the MULTOS-based solutions seem to be fairing quite well. Mondex did, too, on its software and protocol assurance. The weakness was storing the value on a card with limits on tamper-resistance. There’s cryptocurrency “wallets” essentially doing the same thing with less security put into their software stacks. A few HSM’s and smartcards are also doing better on the hardware side for tamper-resistance. That different banks use different ones to check transactions within and between banks adds security through diversity.

        I think the claim is well-refuted between the stronger implementations of prior work and fewer known compromises.

      1. 2

        Am I the only one that thinks that all these netflix things are extremely over-engineered? The bulk of their content is not even served from AWS, but from boxes that are close to the eyeballs.

        I am not saying, I could build one in a weekend or anything like it, but what do all these servers do? There is hardly any user interaction, except search and maybe giving a rating. The search is also not that big, given the size of the catalog they serve per country. The traffic comes from local caches. What is all this for, except keeping engineers in the bay area busy?

        1. 19

          just a psa, I don’t and have never worked for Netflix, all of this is mostly conjecture from experience.

          sure, I think that micro service bloat is probably a problem that they have. and many of the FANG companies suffer from NIH (not invented here syndrome), in some cases because of (IMO) broken promotion processes that require engineers to ship “impactful” work at all costs, and in others just because they have an unlimited amount of money to spend on engineering time.

          That being said, even the most trivial problems become quite difficult at the scale that they’re working at – they have 125 million subscribers worldwide, which means peak time is almost all of the time. In addition, maybe you only use search and ratings, but what about admin UI’s? What do customer service teams use? What tooling do content creators use to get materials onto their platform, and what do they use to monitor metrics for content once it’s uploaded? What about ML and BI concerns, SOC2 concerns, GDPR concerns? I could go on forever perhaps. It’s very difficult to reconstruct all of the reasons for the way any platform evolved the way it did without getting a historical architecture overview. But! Their service is very reliable and their business is profitable, so they must be doing something right. (not that there isn’t always room for improvement)

          1. 15

            There was a good presentation at StrangeLoop last year: Antics, Drift, and Chaos. The short version is “Netflix is a monitoring company that, as an interesting and unexpected byproduct, also streams movies.”

            1. 1

              this is great! thanks for the link – I’ve got to get to strangeloop next year.

              1. 1

                What kind of monitoring do they do, do you know?

                1. 3

                  We use Atlas for monitoring.

              2. 1

                The result and the press is not as important as the journey. Being able to failover that quickly such a huge infrastructure is impressive, but the most important part is how they managed to achieve this and improve their work-flow, resiliency, and many other things along the way!

                1. 1

                  I assume these other boxes are Very Important^TM for authorization and provides the search/indexing functionality of their service. The CDN boxes they ship out do nothing but host the videos, and not all videos exist on each box, so something would have to handle directing you to the correct node.

                  You can’t stream the videos if you can’t get authorization, so…

                  1. 1

                    Those boxes they ship to ISPs only hold a subset of content. They still have to deal with routing a request to the closest node with the content they want, and update the ISP cache box with that content when there’s a spike in demand for something that isn’t cached locally. If your AWS nodes are down and nobody on the ISP requested Star Trek in the last N hours, you’re up shit creek with the customer requesting it unless you have a good fail over strategy.

                    I doubt those ISP cache nodes do local authentication or billing, either.

                    1. 1

                      Do you know where the movie content lives though? I’d be surprised if any of it was served from AWS hosts, instead I’d expect it on a CDN somewhere. I don’t think @fs111 is saying that Netflix doesn’t do anything, but rather does their architecture actually make sense given what they do?

                      My two cents is that it is probably overengineered and that is probably because it happened organically because nobody really knew what they were doing. With hindsight we could probably say some things are needed or could be done simpler.

                      1. 2

                        The video content, at least as of a couple of years ago, is encoded by EC2 instances into a bunch of qualities/formats (some on demand, I believe?), which live in S3 and are shuttled to around to various ISP cache nodes as needed.

                        Netflix doesn’t use a CDN, they are a CDN.

                        1. -1

                          Netflix doesn’t run S3, though, which, for my point, is not different than outsourcing to some CDN.

                          1. 2

                            S3 isn’t geographically distributed at all. It’s RAID with a REST API. It’s nothing like a CDN – Netflix does all the CDN things (replication, dynamic routing-by-proximity, distributing content to multiple edges close to customers) at their own layer above the storage layer.

                  1. -1

                    I disagree with Stallman here.

                    If you surrender your data, then you do not have any right over them. If you upload your photos to facebook, then facebook has them.

                    For public utility, it is fine to restrict the collection and usage of personal data. But for private corporations, the private individuals should be able to decide for themselves if giving a corporation access to your entire search history for wifi access at the coffee shop is worth it.

                    1. 25

                      More and more we are getting forced to use services that spy on us. Cash is being phased out for credit cards and mobile payments. I can’t even pay for parking at my uni without installing their mobile app. We need laws to protect us from these companies because they are impossible to 100% avoid.

                      1. [Comment removed by author]

                        1. 40

                          Governments aren’t there to protect you.

                          That is literally what governments are for.

                          1. 3

                            Not anymore… at least here where I live, Government is composed of people and people will have their own agendas which might not include protecting other people or even obeying the laws they’ve passed. I see government as an instrument of power, some will use this power to help society, others to accumulate wealth at the expense of society.

                            1. 31

                              What your particular government does and what the purpose of the government is are two separate topics.

                              1. 2

                                That is true but still, you can probably agree with me that when dealing with the real world, the creators intention has very little bearing in whatever usage people do of something. For example: the web was a way to share scientific hypertext and now we’re doing crazy stuff with it, or, tide pods were supposed to be used for laundry… governments, much like many other human creations happened over time, in different places, with different purposes. Monarchy is government but one can argue that historically it was not meant to protect people, dictatorships also work that way. We can say that the “platonic ideal of a pure and honest government” is to protect people but thats just us reasoning after the fact. There are no “letter of intention” about creation of government which all governments across time and space need to follow. What we perceived as “purpose” has very little meaning to what actually happens.

                                Personally, I find most interesting when things are not used accordingly to the creators intention, this creative appropriation of stuff by inventive users is at the same time what spurs a lot of cool stuff and what dooms us all, we here in Brazil have a moniker for it “Jeitinho Brasileiro” which could be translated as an affectionate version of “the brazilian way”. Everyone here is basically born in a fractal of stuff whose real world usage does not reflect its ideal purpose to the point that it is IMHO what makes us creative and cunning.

                                1. 3

                                  Monarchy is government but one can argue that historically it was not meant to protect people…

                                  Well, monarchy was actually a simple protection racket. It enabled a significant growth of the agricultural society through stabilization of violent power — no raids, just taxes.

                                  We can say that the “platonic ideal of a pure and honest government” is to protect people…

                                  That’s unreasonable. Establishment of a democratic government is just a consensus seeking strategy of it’s electorate. A move from a simple racket to a rule of law that is a compromise of various interests.

                                  In feudalism, people choose other people to follow. In democracy, people chose policies to enact. Both systems are very rough and fail in various ways, but democracy has evolved because it just makes more people a lot less unhappy than an erratic dictator ever can.

                                  … people will have their own agendas which might not include protecting other people or even obeying the laws they’ve passed…

                                  You seem to be alienated from the political process and perceive your government as something that is not actually yours to establish and control. That’s a very dangerous position for you to take, since government has a monopoly on violence. Of course others won’t take you automatically into consideration. That’s what you do every time you do virtually anything — you never take the full situation into account.

                                  But you just can’t quite ditch the government… otherwise your neighbor might try building a nuclear reactor using whatever he got from the Russians, which is something you (and perhaps a few other neighbors) might be against. Then on the other hand, he might convince a few others that the energy will be worth it… so you meet up, decide on some rules that will need to be followed so as to prevent an armed conflict and in the end, some who originally opposed the project might even join it to ensure it’s safety and everyone will benefit from the produced energy.

                                  1. 5

                                    Friend, lets agree to disagree. What you say do make sense, I am not saying you’re talking bullshit or anything like that, on the contrary, I find your arguments plausible and completely in tune with what I’ve learned at the university buuuuut my own country has been a monarchy, an “empire”, a monarchy again, a republic, a dictatorship, a republic again, an who knows what will happen before 2018 ends.

                                    Our experience, is vastly different than what is explained above. I haven’t said we’re out of the political process, heck, I’ve organized demonstrations, helped parties I was aligned with, entered all the debates I could long ago, I was a manager for a social program, and am married to an investigative journalist. I am no stranger to political processes, but it is a very simplistic approach to say “(…) your government as something that is (…) yours to establish and control”, this sidesteps all the historical process of governments here and how the monopoly of violence is used by the powerful (which might or might not be actual government) with impunity on anyone who tries to pull government into a different path. Couple weeks ago, one of our councilwoman was executed by gunshots to her car (where a friend of mine was as well as she worked for her), killing our rising star politician, and the driver, and forever traumatizing my friend. I have tons of stories about people dying while trying to change things. Talking about the root of feudalism is meaningless to whatever is happening today. Today people die for defending human rights here (and elsewhere).

                                    Academic and philosophical conversations about the nature and contracts of government are awesome but please, don’t think this shit is doable, lots of people here died trying to improve the lifes of others. I don’t know if you’ve ever been to a place like here, those conversations don’t really apply (we still have them though).

                                  2. 1

                                    I do think it’s important for people to have the power to keep the government accountable. Without checks and balances the government looks after its own interests as opposed to those of its constituents.

                                2. 7

                                  I clicked at your profile with absolute certain that you’d be from Brazil. Now I’m kinda depressed I was right.

                                  1. 4

                                    Can spot a Brazilian from miles away right? Don’t know if I laugh or cry that we’re so easy to recognize through our shared problems.

                                  2. 3

                                    I can feel your pain (and I admire your courage for talking in a public space about the issues you see in your government).

                                    But @Yogthos is right: we should not be afraid of our governments, at least not of democratic ones.

                                    In democracy the government literally exists to serve people. If it doesn’t, it’s not a democracy anymore.

                                    1. 3

                                      @soapdog @yogthos @dz This is an interesting discussion for me (though not appropriate for lobste.rs). Any interest in discussing this together, say over email or something else. I’ve always wanted to discuss this topic of government vs individual corporations but it’s a complex subject and hard to keep devolving into a bar-fight.

                                      1. 0

                                        Change the name then, not the definition of what it is.

                                      2. 2

                                        Shouldn’t governments primariy govern? For whatever reason, but usually something along the lines of “the common good” or “to protect (individual) rights”? But sometimes sadly also in the interests of the more powerful in society…

                                        1. 0

                                          Why do you believe that is the purpose of governments? Can you imagine a situation where something recognized as a government doesn’t protect it’s citizens in some cases?

                                          Is the government supposed to protect you if you put your hand in a garbage disposal, slip in the shower, or attempt suicide?

                                        2. 11

                                          Governments aren’t there to protect you.

                                          They’re definitely there to protect us. However, they’re also their own separate entity. They’re also a group of ambitious, often-lying people with a variety of goals. They can get really off track. That’s why the folks that made the U.S. government warned its people needed to be vigilant about it to keep it in check. Then, its own agents keep the individuals or businesses in check. Each part does its thing with discrepencies corrected by one of the others hopefully quickly. The only part of this equation failing massively is the people who won’t get the scumbags in Congress under control. They keep allowing them to take bribes for laws or work against their own voters. Fixing that would get a lot of rest in line.

                                          We have seen plenty of protection of individuals by laws, regulations, and courts, though. Especially whenever safety is involved. In coding, the segment with highest-quality software on average right now is probably group certifying to DO-178B for use in airplanes since it mandates lots of activities that reduce defects. They do it or they can’t sell it. The private sector’s solution to same problem was almost always to lie about safety while reducing liability with EULA’s or good legal teams. They didn’t produce a single, secure product until regulations showed up in Defense sector. For databases, that wasn’t until the 1990’s with just a few products priced exhorbitantly out of greed. Clearly, we need a mix of private and public action to solve some problems in the marketplace.

                                          1. 0

                                            Governments shouldn’t impose speed limits, people should just drive at reasonably safe speeds.

                                            Just because a particular behaviour might be most beneficial to a person, does not mean they will do it. Because consumers’ behaviour has not changed (and will not), this type of surveillance has proliferated to the point it’s nearly impossible to escape, even for the most dedicated privacy advocate.

                                            1. 2

                                              Funny you should mention that…the setting of speed limits to drive revenue irrespective of actual engineering and human factors is pretty well documented at this point.

                                        3. 5

                                          For public utility, it is fine to restrict the collection and usage of personal data. But for private corporations, the private individuals should be able to decide for themselves if giving a corporation access to your entire search history for wifi access at the coffee shop is worth it.

                                          But that’s precisely what fails when dealing with Facebook et al, isn’t it?

                                          No matter how assiduously you or I might refuse to sign up for Facebook and its ilk, block their tracking scripts, refuse to upload our photos, our text messages, our data – other people sign up for these things, and give these services permission to index their photos and text message logs etc, and Facebook builds a comprehensive shadow profile of you and I anyways.

                                          There is no avoiding or opting out of this short of opting out of all human contact, at this point, and the “simple”-sounding solution of “let every individual decide for themselves!” completely fails to engage with the collective consequences that everyone is losing privacy regardless of what decision they make individually.

                                          When your solution doesn’t engage with reality, it’s not useful.

                                          1. 4

                                            But for private corporations, the private individuals should be able to decide for themselves if giving a corporation access

                                            This will be true when everybody will be able to program and administrate a networking system.

                                            That’s the only way people can understand what they are giving and for what.

                                            Till then, you must protect them from people who use their ignorance against them.

                                            1. 1

                                              You can’t protect people from their own ignorance, long-term, except by education.

                                              1. 3

                                                You have to. No citizen can foresee the effects of all their actions. The technology we use today is too complicated to understand all of it.

                                                That’s why generally everything needs to be safe by default.

                                                1. 3

                                                  The technology we use today is too complicated to understand all of it.

                                                  The entire field of engineering is predicated on being able to do things without understanding how they work. Ditto beer brewing, baking, cooking, and so forth.

                                                  That’s why generally everything needs to be safe by default.

                                                  Bathtubs are not safe by default. Kitchen knives are not safe by default. Fire is not safe by default. Even childbirth isn’t safe by default, and you’d think that would’ve been solved generations ago by evolution.

                                                  No citizen can foresee the effects of all their actions.

                                                  Then why would we trust policies enacted by a handful of citizens deemed able to create laws any more than individual citizens making their own decisions? That’s a far riskier proposition.

                                                  ~

                                                  We can’t make the world safe for people that won’t learn how to be safe, and efforts to do so harm and inhibit everybody else.

                                                  1. 6

                                                    The entire field of engineering is predicated on being able to do things without understanding how they work. Ditto beer brewing, baking, cooking, and so forth. … You can’t protect people from their own ignorance, long-term, except by education.

                                                    Try buying an oven that will spontaneously catch fire just by being on. It’s going to be complicated, because there are mandatory standards. And it’s a good thing they are this reliable, right? Leaves us time to concentrate on our work.

                                                    Then why would we trust policies enacted by a handful of citizens deemed able to create laws any more than individual citizens making their own decisions? That’s a far riskier proposition.

                                                    Because a lot of shouting from many sides went into the discussions before the laws were enacted. Much like you discuss your network infrastructure policies with your colleagues instead of just rewiring the DC as you see fit every once in a while.

                                                    1. 3

                                                      The entire field of engineering is predicated on being able to do things without understanding how they work. Ditto beer brewing, baking, cooking, and so forth.

                                                      No.

                                                      Engineering is about finding solutions by using every bit of knowledge available.

                                                      Ignorance is an enemy to fight or work around, but for sure it’s not something to embrace!

                                                      That’s why generally everything needs to be safe by default.

                                                      Bathtubs are not safe by default. Kitchen knives are not safe by default. Fire is not safe by default. Even childbirth isn’t safe by default, and you’d think that would’ve been solved generations ago by evolution.

                                                      I agree that we should work to make programming a common knowledge, like reading and writing so that everyone can build his computing environment as she like.

                                                      And to those who say it’s impossible I’m used to object that they can read, write and count just because someone else, centuries before, said “no, it’s possible to spread this knowledge and we have the moral duty do spread it”.

                                                      But all your example are wrong.

                                                      They are ancient technologies and techniques that are way simpler than programming: humans have learnt to master them and teach each generation how to do so.

                                                      We have to protect people.

                                                      The states and laws can help, but the first shield of the people against the abusive use of technology are hackers.

                                                      We must spread our knowledge and ethics, not exploit the ignorance of others for a profit.

                                            1. 2

                                              Are Nokia/HMD selling phones directly to end users? They only have to provide the source (or a written offer to provide the source) to anyone they’re supplying phones to. It’s up to whoever sells you the phone to provide the same to you. I’m not even sure section 3.c of GPLv2, which lets you pass on a written offer from someone else, can be invoked when selling phones since it specifically excludes commercial distribution.

                                              1. 3

                                                Are Nokia/HMD selling phones directly to end users? They only have to provide the source (or a written offer to provide the source) to anyone they’re supplying phones to.

                                                They’re distributing OTA Android updates to end users (see eg: here). That alone is enough to require them to provide the source to any GPL software they are distributing to any users who receive it.

                                              1. 17

                                                Lmao bad defaults should not be kept. No defaults are frequently just another form of bad defaults.

                                                1. [Comment removed by author]

                                                  1. 30

                                                    If it were only sysadmins who paid the price, I’d be a lot more sympathetic to this argument.

                                                    We can and should learn from decades of FAA practices and recognize that all sysadmins are human, all will make a mistake somewhere, and the correct response to that is to alter our tools and procedures to mitigate those mistakes, because we have not as yet succeeded in breeding the infallible human.

                                                    1. 3

                                                      Is there a pithy phrase that encapsulates the whole, “People make mistakes, proper tools and processes prevent them.”?

                                                    2. 5

                                                      That’d be great if it were actually the sysadmins being punished, not the users.

                                                    3. 1

                                                      If I’m remembered for nothing else, could it be this quote?

                                                    1. 4

                                                      Talking about the C++ parts, because I know nothing about D, and a leetle bit about C++: A core complaint of this article is summed up by this statement

                                                      All of this means that const actually provides zero guarantees about an object not being mutated

                                                      Yes, C++ is one of those languages where there are no guarantees. If you let a madman loose on your code base, you will need to look over your shoulder for the rest of your life.

                                                      But, I would describe C++ as the language of consenting adults. I’ve had code where I’ve passed an object as const but I needed to mark some things as mutable. This has happened to me because of locks and there is a nice discussion about mutable here.

                                                      I guess this article is another piece in a larger dialog that pushes for languages to save us from ourselves, but that protection always comes at a cost. Always.

                                                      1. 11

                                                        I think the issue is that even the brightest consenting adults keep making mistakes that have disastrous consequences. And you’re right that safety comes at a cost, but for a lot code it’s free, and we can explicitly mark things as footgun when needed, instead of it being the default.

                                                        1. 6

                                                          Yes, C++ is one of those languages where there are no guarantees. If you let a madman loose on your code base, you will need to look over your shoulder for the rest of your life.

                                                          I would suggest that a more useful rubric for evaluating safety features like const is less “will it save me from a madman in my codebase” and more “will it prevent me from gunfooting myself in some subtle way that ends up leaking sensitive information” or “killing a patient” or some equally costly event.

                                                          My feeling on features like this really changed when realized that to a first approximation, nobody is designing them to make madmen sane or idiots brilliant. Rather, these features are designed as a pragmatic, FAA-style response to the fact that we are human and that no amount of smarts or paying attention will ever prevent us from unintentionally screwing up, with terrible consequences. Therefore, our tools should accommodate our fallibility if we are ever to deliver less spectacularly crappy software than is the current norm.

                                                          1. 4

                                                            I’ve had code where I’ve passed an object as const but I needed to mark some things as mutable. This has happened to me because of locks and there is a nice discussion about mutable here.

                                                            This is not limited to c++. For example in Rust, std::sync::Mutex::lock borrows immutably, but when check implementation, you will see that all it does is call unsafe methods. The difference is that c++ does not pretend that locking is const, but rust pretends that locking is safe. In both cases it is up to author of library to make sure that logical constnes/safeness is preserved.

                                                            1. 0

                                                              C++ is a language for consenting adults.

                                                              Love this, going to have to steal it.

                                                            1. 7

                                                              Here Menard bases his comments on a Marxist view where talking of GOTO statements as “cheap” and procedure calls as “expensive” present an invalid dichotomy, since a capitalist economy tries to extract surplus value from open source work, and not from CPU cycles.

                                                              Hahahaha wow, this is really well done. I had to go back to the original to see if the author had based it on one of the points in the list or come up with it on their own.

                                                              1. 3

                                                                McCarthy, at least when I used to debate him on Usenet was a far right ideologue - but much nicer than the current ones. His parents were communist labor organizers.

                                                                1. 1

                                                                  I knew it was somewhere:

                                                                  There was a general confidence in technology as being simply good for humanity. I remember when I was a child reading a book called 100,000 Whys — a Soviet popular technology book written by M. Ilin from the early 1930’s. I don’t recall seeing any American books of that character. I was very interested to read ten or fifteen years ago about some extremely precocious Chinese kid and it was remarked that he read 100,000 Whys.

                                                                  from http://www.nyu.edu/classes/jcf/CSCI-GA.2110-001/handouts/mccarthymini.pdf

                                                                  1. 1

                                                                    I considered an intelligent thing as a finite automaton connected to an environment that was a finite automaton.

                                                                    This suddenly reminded me of Legg’s and Hutter’s definition of intelligent agent… and indeed McCarthy is cited there: http://www.vetta.org/documents/legg-hutter-2007-universal-intelligence.pdf

                                                              1. 46

                                                                Half this article is out of date as of 2 days ago. GOPATH is mostly going to die with vgo as is the complaint about deps.

                                                                Go is kind of an example of what happens when you focus all effort on engineering and not research.

                                                                Good things go has:

                                                                • Go has imo the best std library of any language.
                                                                • Go has the best backwards compatibility I have seen (I’m pretty sure code from go version 1.0 still works today.).
                                                                • Go has the nicest code manipulation tools I have seen.
                                                                • The best race condition detector tool around.
                                                                • An incredibly useful in practice interface system. (I once used the stdlibrary http server over a serial port because net.Listener is a simple interface)
                                                                • The fastest compiler to use, and to build from source.
                                                                • Probably the best cross compilation story of any language, and uniformity across platforms, including ones you haven’t heard of.
                                                                • One of the easiest to distribute binaries across platforms (this is why hashicorp, cockroachdb, ngrok etc choose go imo).
                                                                • A very sophisticated garbage collector with low pause times.
                                                                • One of the best runtime performance to ease of use ratios around.
                                                                • One of the easier to learn languages around.
                                                                • A compiler that produces byte for byte identical binaries.
                                                                • incredibly useful libraries maintained by google: (e.g. Heres a complete ssh client and server anyone can use: https://godoc.org/golang.org/x/crypto/ssh)
                                                                • Lots of money invested in keeping it working well from many companies: cloud flare, google, uber, hashicorp and more.

                                                                Go is getting something that looks like a damn good versioning story, just way too late:

                                                                Go should have in my opinion and order of importance:

                                                                • Ways to express immutability as a concurrent language.
                                                                • More advanced static analysis tools that can prove properties of your code (perhaps linked with the above).
                                                                • Generics.
                                                                • Some sort of slightly more sophisticated pattern matching .

                                                                Go maybe should have:

                                                                • More concise error handling?
                                                                1. 53

                                                                  I have been involved with Go since the day of its first release, so almost a decade now, and it has been my primary language for almost as long. I have written the Solaris port, the ARM64 port, and the SPARC64 port (currently out of tree). I have also written much Go software for myself and for others.

                                                                  Go is my favorite language, despite everything I write below this line.

                                                                  Everything you say is true, so I will just add more to your list.

                                                                  My main problem with Go is that, as an operating system it’s too primitive, it’s incomplete. Yes, Go is an operating system, almost. Almost, but not quite. Half and operating system. As an operating system it lacks things like memory isolation, process identifiers, and some kind of a distributed existence. Introspection exists somewhat, but it’s very weak. Let me explain.

                                                                  Go presents the programmer with abstractions traditionally presented by operating systems. Take concurrency, for example. Go gives you goroutines, but takes away threads, and takes away half of processes (you can fork+exec, but not fork). Go gives you the net package instead of the socket interface (the latter is not taked away, but it’s really not supposed to be used by the average program). Go gives you net/http, instead of leaving you searching for nginx, or whatever. Life is good when you use pure Go packages and bad when you use cgo.

                                                                  The idea is that Go not only has these rich features, but that when you are programming in Go, you don’t have to care about all the OS-level stuff underneath. Go is providing (almost) all abstractions. Go programming is (almost) the same on Windows, OpenBSD and Plan 9. That is why Go programs are generally portable.

                                                                  I love this. As a Plan 9 person, you might imagine my constant annoyance with Unix. Go isolates me from that, mostly, and it is great, it’s fantastic.

                                                                  But it doesn’t go deep enough.

                                                                  A single Go program instance is one operating system running some number of processes (goroutines), but two Go program instances are two operating systems, instead of one distributed operating system, and in my mind that is one too many operating systems.

                                                                  “Deploying” a goroutine is one go statement away, but deploying a Go program still requires init scripts, systemds, sshs, puppets, clouds, etc. Deploying a Go program is almost the same as deploying C, or PHP, or whatever. It’s out of scope for the Go operating system. Of course that’s a totally sensible option, it’s just doesn’t align with what I need.

                                                                  My understanding about Erlang (which I know little of, so forgive me if I misrepresent it) is that once you have an Erlang node running, starting a remote Erlang process is almost as easy as starting a local Erlang process. I like that. I don’t have to fuck with kubernetes, ansible, it’s just a single, uniform, virtual operating system.

                                                                  Goroutines inside a single process have very rich communication methods, Go channels, even mutexes if you desire them. But goroutines in different processes are handicaped. You have to think about how to marshal data and RPC protocols. The difficulty of getting two goroutines in different processes to talk to each other is the about the same as getting some C, or Python code, to talk to Go. Since I only want Go to talk to Go, I don’t think that’s right. It should be easier, and it should feel native. Again, I think Erlang does better here.

                                                                  Goroutines have no process ids. This makes total sense if you restrict yourself to a single-process universe, but since I want a multi-process universe, and I want to avoid thinking about systemds and dockers, I want to supervise goroutines from Go. Which means goroutines should have process ids, and I should be able to kill and prioritize them. Erlang does this, of course.

                                                                  What I just described in the last two paragraph would preclude shared memory. I’m willing to live with that in order to get network transparency.

                                                                  Go programs have ways to debug and profile themselves. Stack traces are one function call away, and there’s a easy to use profiler. But this is not enough. Sometimes you need a debugger. Debugging Go programs is an exercise in frustration. It’s much difficult than debugging C programs.

                                                                  I am probably one of the very few people on planet Earth that knows how to profile/debug Go programs with a grown-up tool like DTrace or perf. And that’s because I know assembly programming and the Go runtime very well. This is unacceptable. Some people would hope that something would happen to Go so that it works better with these tools, but frankly, I love the “I am an operating system” aspect of Go, so I would want to use something Go-native. But I want something good.

                                                                  This post is getting too long, so I will stop now. Notice I didn’t feel a need for generics in these 9 years. I must also stress out that I am a low-level programmer. I like working in the kernel. I like C and imperating programming. I am not one of those guys that prefers high-level languages (that do not have shared memory), so naturally wants Go to be the same. On the contrary. I found out what I want only through a decade of Go experience. I have never used a language without shared memory before.

                                                                  I think Go is the best language for writting command-line applications. Shared memory is very useful in that case, and the flat, invisble goroutines prevent language abuse and “just work”. Lack of debugger, etc, are not important for command-line applications, and command-line applications are run locally, so you don’t need dockers and chefs. But when it comes to distributed systems, I think we could do better.

                                                                  In case it’s not clear, I wouldn’t want to change Go, I just want a different language for distributed systems.

                                                                  1. 11

                                                                    I’ve done some limited erlang programming and it is very much a distributed OS to the point where you are writing a system more than a program. You even start third party code as “applications” from the erlang shell before you can make calls to them. erlang’s fail fast error handling and let supervisors deal with problems is also really fun to use.

                                                                    I haven’t used dtrace much either, but I have seen the power, something like that on running go systems would also be neat.

                                                                    1. 5

                                                                      Another thing that was interesting about erlang is how the standard library heavily revolves around timers and state machines because anything could fail at any point. For example gen_server:call() (the way to call another process implementing the generic service interface) by default has a 5 second timeout that will crash your process.

                                                                    2. 2

                                                                      Yes, Go is an operating system, almost. Almost, but not quite. Half and operating system. As an operating system it lacks things like memory isolation, process identifiers, and some kind of a distributed existence.

                                                                      This flipped a bit in my head:

                                                                      Go is CMS, the underlying operating system is VM. That is, Go is an API and a userspace, but doesn’t provide any security or way to access the outside world in and of itself. VM, the hypervisor, does that, and, historically, two different guests on the same hypervisor had to jump through some hoops to talk to each other. In IBM-land, there were virtual cardpunches and virtual cardreaders; these days, we have virtual Ethernet.

                                                                      So we could, and perhaps should, have a language and corresponding ecosystem which takes that idea as far as we can, implementation up, and maybe it would look more like Erlang than Go; the point is, it would be focused on the problem of building distributed systems which compile to hypervisor guests with a virtual LAN. Ideally, we’d be able to abstract away the difference between “hypervisor guest” and “separate hardware” and “virtual LAN” and “real LAN” by making programs as insensitive as possible to timing variation.

                                                                    3. 18

                                                                      How can vgo - announced just two days ago - already be the zeitgeist answer for “all of go’s dependency issues are finally solved forever”?

                                                                      govendor, dep, glide - there’s been many efforts and people still create their own bespoke tools to deal with GOPATH, relative imports being broken by forks, and other annoying problems. Go has dependency management problems.

                                                                      1. 2

                                                                        We will see how it pans out.

                                                                      2. 15

                                                                        Go has the best backwards compatibility I have seen (I’m pretty sure code from go version 1.0 still works today.).

                                                                        A half-decade of code compatibility hardly seems remarkable. I can still compile C code written in the ’80s.

                                                                        1. 11

                                                                          I have compiled Fortran code from the mid-1970s without changing a line.

                                                                          1. 1

                                                                            Can you compile Netscape Communicator from 1998 on a modern Linux system without major hurdles?

                                                                            1. 13

                                                                              You do understand that the major hurdles here are related to the external libraries and processes it interacts with, and that Go does not save you from such hurdles either (other than recommending that you vendor compatible version where possible), I hope.

                                                                            2. 1

                                                                              A valid point not counting cross platform portability and system facilities. Go has a good track record and trajectory but you may be right.

                                                                            3. 5

                                                                              Perfect list (the good things, and the missing things).

                                                                              1. 3

                                                                                The fixes the go team have finally made to GOROOT and GOPATH are great. I’m glad they finally saw the light.

                                                                                But PWD is not a “research concern” that they were putting off in favor of engineering. The go team actively digs their heals in on any choice or concept they don’t publish first, and it’s why in spite of simple engineering (checking PWD and install location first) they argued for years on mailing lists that environment variables (which rob pike supposedly hates, right?) are superior to simple heuristics.

                                                                                Your “good things go has” list is also very opinionated (code manipulation tools better that C# or Java? Distrribution of binaries.. do you just mean static binaries?? Backwards compatibility that requires recompilation???), but I definitely accept that’s your experience, and evidence I have to the contrary would be based on my experiences.

                                                                                1. 4

                                                                                  The fixes the go team have finally made to GOROOT and GOPATH are great.

                                                                                  You haven’t had to set, and should’t have set GOROOT since Go 1.0, released six years ago.

                                                                                  (which rob pike supposedly hates, right?)

                                                                                  Where did you get that idea?

                                                                                  1. 5

                                                                                    Yes, you do have to set GOROOT if you use a go command that is installed in a location different than what it was compiled for, which is dumb considering the go command could just find out where it exists and work from there. See: https://golang.org/doc/go1.9#goroot for the new changes that are sane.

                                                                                    And I got that idea from.. rob pike. Plan9 invented a whole new form of mounts just to avoid having a PATH variable.

                                                                                    1. 4

                                                                                      you do did have to set GOROOT if you use a go command that is installed in a location different than what it was compiled for

                                                                                      So don’t do that… But yes, that’s also not required anymore. Also, if you move /usr/include you will find out that gcc won’t find include files anymore… unless you set $CPPFLAGS. Go was hardly unique. Somehow people didn’t think about moving /usr/include, but they did think about moving the Go toolchain.

                                                                                      Plan9 invented a whole new form of mounts just to avoid having a PATH variable.

                                                                                      No, Plan 9 invented new form of mounts in order to implement a particular kind of distributed computing. One consequence of that is that $path is not needed in rc(1) anymore, though it is still there if you want to use it.

                                                                                      In Plan 9 environment variables play a crucial role, for example $objtype selects the toolchain to use and $cputype selects which binaries to run.

                                                                                      Claiming that Rob Pike doesn’t like environment variables is asinine.

                                                                                      1. 20

                                                                                        “So don’t do that…” is the best summary of what I dislike about Go.

                                                                                        Ok, apologies for being asinine.

                                                                                      2. 1

                                                                                        I always compiled my own go toolchain because it takes about 10 seconds on my PC, is two commands (cd src && ./make.bash). Then i could put it wherever I want. I have never used GOROOT in many years of using Go.

                                                                                    2. 0

                                                                                      C# and Java certainly have great tools, C++ has some ok tools. All in the context of bloated IDE’s that I dislike using (remind me again why compiling C++ code can crash my text editor?). But I will concede the point that perhaps C# refactoring tools are on par.

                                                                                      I was never of the opinion GOPATH was objectively bad, it has some good properties and bad ones.

                                                                                      Distrribution of binaries.. do you just mean static binaries? Backwards compatibility that requires recompilation???

                                                                                      Dynamic libraries have only ever caused me problems. I use operating systems that I compile from source so don’t really see any benefit from them.

                                                                                  1. 4

                                                                                    This is a problem with any language or library. You need to know what is available in the Python library and what it does to use it effectively. You need to know the binaries in /bin to use the shell effectively. And so on.

                                                                                    It’s just like learning a human language: Until you use the vocabulary enough to get comfortable, you are going to feel lost, and spend a lot of time getting friendly with a dictionary.

                                                                                    1. 8

                                                                                      This is a problem with any language or library. You need to know what is available in the Python library and what it does to use it effectively. You need to know the binaries in /bin to use the shell effectively. And so on.

                                                                                      I think this probably misses the point. The Python solution was able to compose a couple of very general, elementary problem solving mechanisms (iteration, comparison), which python has a very limited vocabulary of (there’s maybe a half dozen control constructs, total?), to quickly arrive at a solution (albeit while a limited, non-parallel solution, one that’s intuitive and perhaps 8 times out of 10 does the job). The standard library might offer an implementation already, but you could get a working solution without crawling through the docs (and you could probably guess the name anyways).

                                                                                      J required, owing to its overwhelming emphasis on efficient whole-array transformation, selection from a much much much larger and far more specialized set of often esoteric constructs/transformations, all of which have unguessable symbolic representations. The documentation offers little to aid this search, complicating a task that was already quite a bit less intuitive than Python’s naive iteration approach.

                                                                                      1. 5

                                                                                        For a long time now, I’ve felt that the APL languages were going to have a renaissance. Our problems aren’t getting any simpler, so raising the level of abstraction is the way forward.

                                                                                        The emphasis is on whole array transformation seems like a hindrance but imagine for a second that RAM becomes so cheap that you simply load all of your enterprise’s data in memory on a single machine. How many terrabytes is that? Whole array looks very practical then.

                                                                                        For what it’s worth, there is a scheme to the symbols in J. You can read meaning into their shapes. Look at grade-up and grade-down. They are like little pictures.

                                                                                        J annoys me with its fork and hook forms. That goes past the realm of readability for me. Q is better, It uses words.

                                                                                        What I’d like to see is the entire operator set of, say, J brought into mainstream languages as a library. Rich operations raising the level of abstraction are likely more important than syntax.

                                                                                        1. 5

                                                                                          J annoys me with its fork and hook forms. That goes past the realm of readability for me.

                                                                                          In textual form I agree. The IDE has a nice graphical visualization of the dataflow that I find useful in ‘reading’ that kind of composition in J code though. I’ve been tempted to experiment with writing J in a full-on visual dataflow style (a la Max/MSP) instead of only visualizing it that way.

                                                                                          1. 3

                                                                                            I find it a lot easier to write J code by hand before copying it to a computer. It’s easier to map out the data flow when you can lay it out in 2D.

                                                                                            1. 1

                                                                                              Have you looked at Q yet?

                                                                                            2. 1

                                                                                              That would be a very useful comparison of the usability of a compact text syntax vs visual language. I imagine that discoverability is better with a visual language as by definition it is interactive.

                                                                                            3. 2

                                                                                              I started implementing the operators in Scala once - the syntax is flexible enough that you can actually get pretty close, and a lot of them are the kind of high level operations that either already exist in Scala are pretty easy to implement. But having them be just a library makes the problem described in the article much much worse - you virtually have to memorize all the operators to get anything done, which is bad enough when they’re part of the language, but much worse when they’re a library that not all code uses and that you don’t use often enough to really get them into your head.

                                                                                              1. 1

                                                                                                It could just be a beginning stage problem.

                                                                                                1. 1

                                                                                                  It could, but the scala community has actually drawn back from incremental steps in that direction, I think rightly - e.g. scalaz 7 removed many symbolic operators in favour of functions with textual names. Maybe there’s some magic threshold that would make the symbols ok once we passed it, but I can only spend so much time exploring the possibility without seeing an improvement.

                                                                                                  1. 1

                                                                                                    Oh. I’d definitely go with word names. Q over J. To me, the operations are the important bit.

                                                                                          2. 5

                                                                                            The difference is that Python already is organized by the standard library, and has cookbooks, and doesn’t involve holistically thinking of the entire transformation at once. So it intrinsically has the problem to a lesser degree than APLs do and also has taken steps to fix it, too.

                                                                                            1. 2

                                                                                              How easy is it to refactor APL or J code? The reason I ask is that I have the same problem with the ramdajs library in JavaScript, which my team uses as a foundational library. It has around 150 functions, I don’t remember what they all do and I certainly don’t remember what they’re all called, so I often write things in a combination of imperative JS and ramda then look for parts to refactor. I’m interested to hear whether that’s possible with APL, or whether you have to know APL before you can write APL.

                                                                                          1. 5

                                                                                            I’m really amused they generate a C file and call out to gcc / clang. I wonder if they plan to move away from that strategy.

                                                                                            1. 3

                                                                                              This is a draft implementation of the concept, so probably yes.

                                                                                              1. 2

                                                                                                What would be gained by moving away from that?

                                                                                                1. 6

                                                                                                  For one, no runtime dependency on a C compiler.

                                                                                                  C compilers are also fairly expensive to run, compared to other more targeted JIT strategies. And it’s more difficult to make the JIT code work nicely with the regular uncompiled VM code.

                                                                                                  Take LuaJIT. It starts by compiling the Lua code to VM bytecode. Then instead of interpreting the bytecode, it “compiles” the bytecode into native machine code that calls the interpreter functions that would be called by a loop { switch (opcode) { ... } }. That way when the JIT compiles a hot path, it directly encodes all entry points as jumps directly into the optimized code, and all exit conditions as jumps directly back to the interpreter code.

                                                                                                  Compare this to a external compiled object, which can only exit wholesale, leaving the VM to clean up and figure out the next step. A fully external object—C compiled or not—can’t thread into the rest of the execution, so its scope is limited to pretty isolated functions that only call similarly isolated functions, or functions with very consistent output.

                                                                                                  1. 2

                                                                                                    Compare this to a external compiled object, which can only exit wholesale, leaving the VM to clean up and figure out the next step. A fully external object—C compiled or not—can’t thread into the rest of the execution, so its scope is limited to pretty isolated functions that only call similarly isolated functions, or functions with very consistent output.

                                                                                                    This doesn’t seem to be related to the approach Ruby is taking, though? They’re callng out to the compiler to build a shared library, and then dynamically linking it in. There shouldn’t be anything stopping the code in the shared object from calling back into the rest of the Ruby runtime.

                                                                                                    1. 2

                                                                                                      Right, it can use the Ruby runtime, but it can’t jump directly to a specific location in the VM bytecode. It has to call a function that can execute for it, and will return back into the compiled code when that execution finishes. It’s very limited, compared to all types of code being able to jump between each other at any time.

                                                                                                  2. 4

                                                                                                    exec’ing a new process each time probably gets expensive.

                                                                                                    1. 3

                                                                                                      Typically any kind of JIT startup cost is quite expensive, but as long as you JIT the right code, the cost of exec’ing clang over the life of a long running process should amortize out to basically nothing.

                                                                                                      I’d expect that the bare exec cost would only become a significant factor if you were stuck flip-flopping between JITing a code section and deoptimizing it, and at that point you’d gain more from improving your JIT candidate heuristics rather than folding the machine code generator in process and continuing to let it flip-flop.

                                                                                                      There are other reasons they may want to move away from this C-intermediary approach, but exec cost doesn’t strike me as one of them.

                                                                                                1. 1

                                                                                                  Walking around Tokyo, I often get the feeling of being stuck in a 1980’s vision of the future and in many ways it’s this contradiction which characterises the design landscape in Japan.

                                                                                                  Could this also be because many American films in the 80’s about the future used Japanese culture? Rewatching the original Blade Runner made me think about this.

                                                                                                  1. 3

                                                                                                    Japan is one of our favorite places to visit, but there is a definite retro-futuristic vibe going on. Cash everywhere, or single-purpose cash cards instead of credit cards, fax machines, high-speed Internet access on your feature phone, no air conditioning or central heat but a robot vending machine at 7/11.

                                                                                                    (We kept having children and so we haven’t gotten to travel internationally for a while now, but that’s our memory of it.)

                                                                                                    1. 2

                                                                                                      The feature phones have died – everybody on the train is staring at their iPhone or Android, now. Contactless smart cards (Suica, Passmo, etc), used for train fares, are gaining momentum as payment cards in 7/11 etc, but otherwise it’s still mostly a cash-only.

                                                                                                      Otherwise it’s pretty much the same.

                                                                                                    2. 2

                                                                                                      Living in NYC, it feels like the 70’s version of the future!

                                                                                                    1. 4

                                                                                                      A solid list, with one question mark.

                                                                                                      Lynn Conway started life as a man. does this mean he/then her achievements give equally credited to men/women?

                                                                                                      1. 53

                                                                                                        No. Trans women are women.

                                                                                                        1. 10

                                                                                                          Thank you . I want to live in a world where this is just taken as a given. Lets start with our little world here people.

                                                                                                          1. 8

                                                                                                            What is the goal of creating a list of women in CS? If it’s to demonstrate to young girls that they can enter the field, it seems unproductive to include someone who grew up experiencing life as a man.

                                                                                                            If the goal of creating the list is some kind of contest, then it’s counterproductive for entirely different reasons.

                                                                                                            1. 28

                                                                                                              someone who grew up experiencing life as a man

                                                                                                              Do you know any trans women who have said they grew up experiencing life as a man? I know quite a few and none of them have expressed anything like this, and my own experience was certainly not like that.

                                                                                                              However, if you mean that we were treated like men, with the privilege it brings in many areas, then yes, that became even more obvious to me the moment I came out.

                                                                                                              Regardless, trans folks need role models too, and we don’t get a lot of respectful representation.

                                                                                                              1. 22
                                                                                                                $ curl https://www.hillelwayne.com/post/important-women-in-cs/ | grep girl | wc -l
                                                                                                                0
                                                                                                                

                                                                                                                The motivation for the post are clearly layed out in the first paragraph:

                                                                                                                I’m tired of hearing about Grace Hopper, Margaret Hamilton, and Ada Lovelace. Can’t we think of someone else for once?

                                                                                                                It’s a pretty pure writeup for the sake of being a list you can refer to.

                                                                                                                On your statement about “girls”. It’s quite bad to assume a list of women is just for kids, it’s also bad to assume trans women can’t be examples to (possibly themselves trans) girls.

                                                                                                                1. 4

                                                                                                                  That’s not a motivation, that’s a tagline.

                                                                                                                  The primary reason I would refer to a list like this is if I was demonstrating to a young woman considering CS that, perhaps despite appearances, many women have historically made major contributions to the field. I’m not sure what else I would need something like this for.

                                                                                                                  1. 5

                                                                                                                    Maybe its not for you to distribute but for women to discover …

                                                                                                                  2. 1

                                                                                                                    I don’t see why it’s bad to assume that. It feels like it would be a pretty serious turn off to me if I we’re looking for successful women and found people who were men into adulthood. I find it hard to imagine that I’m unique in that feeling. I’m sure it feels good for trans people but I’d that’s your goal admit the trade-off rather than just telling people they’re women and not transwomen.

                                                                                                                    You can berate people for not considering trans-women to be the same as born women but it will likely just keep them quiet rather than convince them to be inspired.

                                                                                                                    1. 20

                                                                                                                      people who were men into adulthood

                                                                                                                      Now I’m curious what your criteria are, if not self-identification. When did this person cease to be a man, to you?

                                                                                                                      When they changed their name?

                                                                                                                      When they changed their legal gender?

                                                                                                                      When they started hormones?

                                                                                                                      When they changed their presentation?

                                                                                                                      When they got surgery?

                                                                                                                      What about trans people who do none of that? E.g. I’ve changed my name and legal gender (only because governments insist on putting it in passports and whatnot,) because I had the means to do so and it bothered me enough that I did, is that enough? What about trans people who don’t have the means, option, or desire to do so?

                                                                                                                      When biologist say that there’s not one parameter that overrides the others when it comes to determining sex¹, and that it makes more sense to just go by a person’s gender identity if you for whatever reason must label them as male/female, why is that same gender identity not enough to determine someone’s own gender?

                                                                                                                      1. http://www.nature.com/news/sex-redefined-1.16943
                                                                                                                  3. 16

                                                                                                                    If it’s to demonstrate to young girls that they can enter the field, it seems unproductive to include someone who grew up experiencing life as a man.

                                                                                                                    This is a misunderstanding of transexuality. She grew up experiencing life as a woman, but also as a woman housed in a foreign-feeling body and facing a tendency by others to mistake her gender.

                                                                                                                    Does that mean she faced a different childhood from many other women? Sure. But she also shared many of the disadvantages they faced, frequently to a much stronger degree. Women face difficulty if they present as “femme” in this field, but it is much more intense if they present as femme AND people mis-bucket them into the “male” mental box.

                                                                                                                2. 14

                                                                                                                  If they identified as a woman at the time of accomplishment, it seems quite reasonable that it’d count. For future work, just think about it in terms of trans-woman extends base class woman or at least implements the woman interface.

                                                                                                                  In any event, your comment is quite off-topic. Rehashing this sort of stuff is an exercise that while interesting is better kept literally anywhere else on the internet–if you have questions of this variety, please seek enlightenment via private message with somebody you think may be helpful on the matter, and don’t derail here.

                                                                                                                  1. 7

                                                                                                                    The point of this is not to give more achievements to women… It’s to showcase people who were most likely marginalized.

                                                                                                                    1. [Comment removed by author]

                                                                                                                      1. 9

                                                                                                                        This is definitely not what life is like for trans people pre-transition.

                                                                                                                    2. [Comment removed by author]

                                                                                                                      1. 0

                                                                                                                        It’s ridiculous to allow this framing to suppress a reasonable point.

                                                                                                                      2. 3

                                                                                                                        Depends on where a person is on political spectrum. I’d probably note they’re trans if targeting a wide audience, not if a liberal one, and leave person off if a right-leaning one.

                                                                                                                        1. 5

                                                                                                                          what they dont know wont hurt them. As far as the right is concerned , she is a woman …

                                                                                                                        2. 2

                                                                                                                          It is irrelevant, and you asking this is offensive.

                                                                                                                          1. -1

                                                                                                                            Interesting question. I think it may be met with hostility, as it brings to mind the contradiction inherent in both claiming that sex/gender is arbitrary or constructed and also intentionally emphasizing the achievements of one gender. Based on the subset of my social circle that engages in this kind of thing, these activities are usually highly correlated. Picking one or the other seems to get people labeled as, respectively, some slang variation of “nerd”, or a “TERF”.

                                                                                                                            1. 34

                                                                                                                              Can we please not for once? Every time anything similar to this comes up the thread turns into a pissfight over Gender Studies 101. Let’s just celebrate Conway’s contributions and not get into an argument about whether she “counts”.

                                                                                                                              1. 10

                                                                                                                                Much as I sympathize, transgender is controversial enough that merely putting a trans person on a list that claims all its members are a specific gender will generate reactions like that due to a huge chunk of the population not recognizing the gender claim. That will always happen unless the audience totally agrees. So, one will always have to choose between not mentioning them to avoid noise or including them combating noise.

                                                                                                                                1. 20

                                                                                                                                  I would like to live in a world where trangender isnt controversial and we dont have to waste energy discussing this. Can lobsters be that world please ?

                                                                                                                                  1. 18

                                                                                                                                    Perhaps this is why we get accused of pushing some kind of agenda or bringing politics into things, by merely existing/being visible around people who find us ”controversial” or start questioning whether our gender is legit or what have you. I usually stay out of such discussions, but sometimes feel the need to respond to claims about trans folks that I feel come from a place of ignorance rather than bigotry or malice, but most of the time I’m proven wrong and they aren’t really interested in the science or whatever they claim, they just want an excuse to say hateful things about us. I’ve had a better than average experience on this website, when it comes to responses.

                                                                                                                                    1. 6

                                                                                                                                      I cant speak for everyone on the side that denies trans identity. Just my group I guess. For us and partly for others, the root of the problem is there is a status quo with massive evidence and inertia about how we categorize gender that a small segment are countering in a more subjective way. We dont think the counters carry the weight of status quo. We also prefer objective criteria about anything involving biology or human categorization where possible. I know you’ve heard the details so I spare you that

                                                                                                                                      That means there will be people objecting every time a case comes up. If it seems mean, remember that there’s leftists who will be quick to counter anything they think shouldn’t be tolerated on a forum (eg language policing) on their principles. For me, Im just courteous with the pronouns and such since it has no real effect on me in most circumstances: I can default on kindness until forced to be more specific by a question or debate happening. Trans people are still people to me. So, I avoid bringing this stuff up much as possible.

                                                                                                                                      The dont-rock-the-boat, kinder approach wouldve been for person rejecting the gender claim to just ignore talking about the person he or she didnt think was a woman to focus on others. The thread wouldve stayed on topic. Positive things would be said about about deserving people. And so on. Someone had to stir shit up, though. (Sighs)

                                                                                                                                      And I agree Lobsters have handled these things much better than other places. I usually like this community even on the days it’s irritating. Relatively at least. ;)

                                                                                                                                      1. 6

                                                                                                                                        For us and partly for others, the root of the problem is there is a status quo with massive evidence and inertia about how we categorize gender that a small segment are countering in a more subjective way.

                                                                                                                                        I know you’re a cool dude and would be more than happy to discuss this with you in private, but I think we all mostly agree that this is now pretty outside the realm of tech, so continuing to discuss it publicly would be getting off topic :) I’ll DM you?

                                                                                                                                        1. 7

                                                                                                                                          I was just answering a question at this point as I had nothing else to say. Personally, Id rather the political topics stay off Lobsters as I voted in community guidelines thread. This tangent couldnt end sooner given how off topic and conflict-creating it is.

                                                                                                                                          Here’s something for you to try I did earlier. Just click the minus next to Derek’s comment. This whole thread instantly looks the way it should have in first place. :)

                                                                                                                                        2. 4

                                                                                                                                          I find the idea that everyone who disagrees with these things should avoid rocking the boat extremely disconcerting. It feels like a duty to rock it on behalf of those who agree but are too polite or afraid for their jobs or reputations to state their actual opinions, to normalize speaking honestly about uncomfortable topics.

                                                                                                                                          I mean, I also think it’s on topic to debate the political point made by the list.

                                                                                                                                          1. 4

                                                                                                                                            I agree with those points. It’s why I’m in the sub-thread. The disagreement is a practical one a few others are noting:

                                                                                                                                            “I mean, I also think it’s on topic to debate the political point made by the list.”

                                                                                                                                            I agree. I told someone that in private plus said it here in this thread. Whether we want to bring it up, though, should depend on what the goal is. My goal is the site stays focused on interesting, preferably-deep topics with pleasant experience with minimal noise. There’s political debates and flamewars available all over the Internet with the experience that’s typical of Lobsters being a rarity. So, I’d just have not brought it up here.

                                                                                                                                            When someone did, the early response was a mix of people saying it’s off-topic/unnecessary (my side) and a group decreeing their political views as undeniable truth or standards for the forum. Aside from no consensus on those views, prior metas on these things showed that even those people believed our standards would be defined by what we spoke for and against with silence itself being a vote for something. So, a few of us with different views on political angle, who still opposed the comment, had to speak to ensure the totality of the community was represented. It’s necessary as long as (a) we do politics here and (b) any group intends to make its politics a standard or enforeable rule. Countering that political maneuvering was all I was doing except for a larger comment where I just answered someone’s question.

                                                                                                                                            Well, that plus reinforcing I’m against these political angles being on the site period like I vote in metas. You can easily test my hypothesis/preference. Precondition: A site that’s usually low noise with on-topic, productive comments. Goal: Identify, discuss, and celebrate the achievements of women on a list or in the comments maintaining that precondition. Test: count the comments talking about one or more women versus the gender identity of one (aka political views). It’s easier to visualize what my rule would be like if you collapse Derek’s comment tree. The whole thread meets the precondition and goal. You can also assess those active more on politics than the main topic by adding up who contributed something about an undisputed woman in CompSci and who just talked about the politics. Last I looked, there were more users doing the politics than highlighting women in CompSci as well. Precondition and goal failed on two measurements early on in discussion. There’s a lot of on-topic comments right now, though, so leaned back in good direction.

                                                                                                                                            Time and place for everything. I’d rather this stuff stay off Lobsters with me only speaking on it where others force it. It’s not like those interested can’t message each other, set up a gender identity thread on another forum, load up IRC, and so on to discuss it. They’re smart people. There’s many mediums. A few of us here just want one to be better than the rest in quality and focus. That’s all. :) And it arguably was without that comment tree.

                                                                                                                                          2. 2

                                                                                                                                            The dont-rock-the-boat, kinder approach wouldve been for person rejecting the gender claim to just ignore talking about the person he or she didnt think was a woman to focus on others. The thread wouldve stayed on topic. Positive things would be said about about deserving people.

                                                                                                                                            Do you believe the most deserving will be talked about most? If you have a population that talks positively about people whether or not they are trans, and you have a smaller population that talks only about non trans people and ignores the trans people, Which people will be talked about most in aggregate? It isn’t kinder to ignore people and their accomplishments.

                                                                                                                                            It is also very strange for technology people to reject a technology that changes your gender. What if you had a magic gun and you can be a women for a day, and then be a man the next, why the hell not? We have a technology now where you can be a man or a women or neither or both if you wanted to. Isn’t technology amazing? You tech person you!

                                                                                                                                1. 7

                                                                                                                                  At that time, when you turned on your computer, you immediately had programming language available. Even in 90’s, there was QBasic installed on almost all PCs. Interpreter and editor in one, so it was very easy to enter the world of programming. Kids could learn it themselves with cheap books and magazines with lot of BASIC program listings. And I think the most important thing - kids were curious about computers. I can see that today, the role of BASIC is taken by Minecraft. I wouldn’t underestimate it as a trigger for a new generation of engineers and developers. Add more physics and more logic into it and it will be excellent playground like BASIC was in 80s.

                                                                                                                                  1. 5

                                                                                                                                    Now we have the raspberry pi, arduino, python, scratch and so many other ways kids can get started.

                                                                                                                                    1. 10

                                                                                                                                      Right, but at the beginning you have to spend a lot of time more to show kid how to setup everything properly. I admire that it itself is fun, but in 80’s you just turned computer on with one switch and environment was literally READY :)

                                                                                                                                      1. 7

                                                                                                                                        I think the problem is that back then there was much less competition for kids attention. The biggest draw was TV. TV – that played certain shows on a particular schedule, with lots of re-runs. If there was nothing on, but you had a computer nearby, you could escape and unleash your creativity there.

                                                                                                                                        Today – there’s perpetual phones/tablets/computers and mega-society level connectivity. There’s no time during which they can’t find out what their friends are up to.

                                                                                                                                        Even for me – to immerse myself in a computer, exploring programming – it’s harder to do than it was ten years ago.

                                                                                                                                        1. 5

                                                                                                                                          I admire that it itself is fun, but in 80’s you just turned computer on with one switch and environment was literally READY :)

                                                                                                                                          We must be using some fairly narrow definition of “the ‘80s”, because this is a seriously rose-tinted description of learning to program at the time. By the late 80’s, with the rise of the Mac and Windows, the only way to learn to program involved buying a commercial compiler.

                                                                                                                                          I had to beg for a copy of “Just Enough Pascal” in 1988, which came with a floppy containing a copy of Think’s Lightspeed Pascal compiler, and retailed for the equivalent of $155.

                                                                                                                                          Kids these days have it comparatively easy – all the tools are free.

                                                                                                                                          1. 1

                                                                                                                                            Windows still shipped with QBasic well into the 90s, and Macs shipped with HyperCard. It wasn’t quite one-click hacking, but it was still far more accessible than today.

                                                                                                                                          2. 4

                                                                                                                                            Just open the web-tools in your browser, you’ll have an already configured javascript development environment.

                                                                                                                                            I entirely agree with you on

                                                                                                                                            And I think the most important thing - kids were curious about computers.

                                                                                                                                            You don’t need to understand how a computer program is made to use it anymore; which is not necessary something bad.

                                                                                                                                            1. 4

                                                                                                                                              That’s still not the same. kred is saying it was first thing you see with you immediately able to use it. It was also a simple language designed to be easy to learn. Whereas, you have to go out of your way to get to JS development environment on top of learning complex language and concepts. More complexity. More friction. Less uptake.

                                                                                                                                              The other issue that’s not addressed enough in these write-ups is that modern platforms have tons of games that treat people as consumers with psychological techniques to keep them addicted. They also build boxes around their mind where they can feel like they’re creating stuff without learning much in useful, reusable skill versus prior generation’s toys. Kids can get the consumer and creator high without doing real creation. So, now they have to ignore that to do the high-friction stuff above to get to the basics of creating that existed for old generation. Most won’t want to do it because it’s not as fun as their apps and games.

                                                                                                                                              1. 1

                                                                                                                                                There is no shortage of programmers now. We are not facing any issues with not enough kids learning programming.

                                                                                                                                                1. 2

                                                                                                                                                  I didnt say there was a shortage of programmers. I said most kids were learning computers in a way that trained them to be consumers vs creators. You’d have to compare what people do in consumer platforms versus things like Scratch to get an idea of what we’re missing out on.

                                                                                                                                          3. 4

                                                                                                                                            All of those require a lot more setup than older machines where you flipped a switch and got dropped into a dev environment.

                                                                                                                                            The Arduino is useless if you don’t have a project, a computer already configured for development, and electronics breadboarding to talk to it. The Raspberry pi is a weird little circuit board that, until you dismantle your existing computer and hook everything up, can’t do anything–and when you do get it hooked up, you’re greeted with Linux. Python is large and hard to put images to on the screen or make noises with in a few lines of code.

                                                                                                                                            Scratch is maybe the closest, but it still has the “what programmers doing education think is simple” problem instead of the “simple tools for programming in a barebones environment that learners can manage”.

                                                                                                                                            The field of programming education is broken in this way. It’s a systemic worldview problem.

                                                                                                                                            1. 1

                                                                                                                                              Those aren’t even close in terms of ease of use.

                                                                                                                                              My elementary school circa 1988 had a lab full of these Apple IIe systems, and my recollection (I was about 6 years old at the time, so I may be misremembering) is that by default they booted into a BASIC REPL.

                                                                                                                                              Raspberry Pis and Arduinos are fun, but they’re a lot more complex and difficult to work with.

                                                                                                                                            2. 3

                                                                                                                                              I don’t think kids are less curious today, but it’s important to notice that back then, making a really polished program that felt professional only needed a small amount of comparatively simple work - things like prompting for all your inputs explicitly rather than hard-coding them, and making sure your colored backgrounds were redrawn properly after editing.

                                                                                                                                              To make a polished GUI app today is prohibitive in terms of time expenditure and diversity of knowledge needed. The web is a little better, but not by much. So beginners are often left with a feeling that their work is inadequate and not worth sharing. The ones who decide to be okay with that and talk about what they’ve done anyway show remarkable courage - and they’re pretty rare.

                                                                                                                                              Also, of course, back then there was no choice of which of the many available on-ramps to start with. You learned the language that came with your computer, and if you got good enough maybe you learned assembly or asked your parents to save up and buy you a compiler. Today, as you say, things like Minecraft are among the options. As common starting points I’d also like to mention Node and PHP, both ecosystems which owe a lot of their popularity to their efforts to reduce the breadth of knowledge needed to build end-to-end systems.

                                                                                                                                              But in addition to being good starting points, those ecosystems have something else in common - there are lots of people who viscerally hate them and aren’t shy about saying so. A child just starting out is going to be highly intimidated by that, and feel that they have no way to navigate whether the technical considerations the adults are yelling about are really that important or not. In a past life, I taught middle-school, and it gave me an opportunity to watch young people being pushed away by cultural factors despite their determination to learn. It was really disheartening.

                                                                                                                                              Navigating the complicated choices of where to start learning is really challenging, no matter what age you are. But for children, it’s often impossible, or too frightening to try.

                                                                                                                                              I agree with what I took to be your main point, that if those of us who learned young care about helping the next generation to follow in our footsteps, we should meet them where they are and make sure to build playgrounds that they can enjoy with or without a technical understanding. But my real prediction is that the cultural factors are going to continue to be a blocker, and programming is unlikely to again be a thing that children have widespread mastery of in the way that it was in the 80s. It’s really very saddening.

                                                                                                                                            1. 10

                                                                                                                                              Some of us miss native desktop applications that worked well. It’s tragic that desktop platforms are utterly non-interoperable and require near-complete duplication of every app. But at the same time not everyone is satisfied with the solution of “build them all as electron apps starting with a cross-platform browser base plus web technology for the UI”. I can sympathize with app developers who in no way want to sign up to build for 2 or 3 platforms, but I feel like berating dissatisfied users is unjust here. Try comparing a high quality native macOS app like Fantastical with literally any other approach to calendar software: electron, web, java, whatever. Native works great, everything else is unbearable.

                                                                                                                                              1. 8

                                                                                                                                                I think people are just tired of seeing posts like Electron is cancer every other day. Electron is here, people use it, and it solves a real problem. It would be much more productive to talk about how it can be improved in terms of performance and resource usage at this point.

                                                                                                                                                1. 3

                                                                                                                                                  One wonders if it really can be improved all that much. It seems like the basic model has a lot of overhead that’s pretty much baked in.

                                                                                                                                                  1. 2

                                                                                                                                                    There’s a huge opening in the space for something Electron-like, which doesn’t have the “actual browser” overhead. I’m certain this is a research / marketing / exposure problem more than a technical one (in that there has to be something that would work better we just don’t know about because it’s sitting unloved in a repo with 3 watchers somewhere.)

                                                                                                                                                    Cheers!

                                                                                                                                                    1. 2

                                                                                                                                                      There’s a huge opening in the space for something Electron-like, which doesn’t have the “actual browser” overhead.

                                                                                                                                                      Is there? Electron’s popularity seems like it’s heavily dependent on the proposition “re-use your HTML/CSS and JS from your web app’s front-end” rather than on “here’s a cross-platform app runtime”. We’ve had the latter forever, and they’ve never been that popular.

                                                                                                                                                      I don’t know if there’s any space for anything to deliver the former while claiming it doesn’t have “actual browser” overhead.

                                                                                                                                                      1. 1

                                                                                                                                                        “re-use your HTML/CSS and JS from your web app’s front-end”

                                                                                                                                                        But that’s not what’s happening here at all - we’re talking about an application that’s written from the ground up for this platform, and will never ever be used in a web-app front end. So, toss out the “web-app” part, and you’re left with HTML/DOM as a tree-based metaphor for UI layout, and a javascript runtime that can push that tree around.

                                                                                                                                                        I don’t know if there’s any space for anything to deliver the former while claiming it doesn’t have “actual browser” overhead.

                                                                                                                                                        There’s a lot more to “actual browser” than a JS runtime, DOM and canvas: does an application platform need to support all the media codecs and image formats, including all the DRM stuff? Does it need always on, compiled in built-in OpenGL contexts and networking and legacy CSS support, etc.?

                                                                                                                                                        I’d argue that “re-use your HTML/CSS/JS skills and understanding” is the thing that makes Electron popular, more so than “re-use your existing front end code”, and we might get a lot further pushing on that while jettisoning webkit than arguing that everything needs to be siloed to the App Store (or Windows Marketplace, or whatever).

                                                                                                                                                        1. 2

                                                                                                                                                          But that’s not what’s happening here at all - we’re talking about an application that’s written from the ground up for this platform, and will never ever be used in a web-app front end. So, toss out the “web-app” part, and you’re left with HTML/DOM as a tree-based metaphor for UI layout, and a javascript runtime that can push that tree around.

                                                                                                                                                          Huh? We’re talking about people complaining that Electron apps are slow, clunky, non-native feeling piles of crap.

                                                                                                                                                          Sure, there are a couple of outliers like Atom and VSCode that went that way for from-scratch development, but most of the worst offenders that people complain about are apps like Slack, Todoist, Twitch – massive power, CPU, and RAM sucks for tiny amounts of functionality that are barely more than app-ized versions of a browser tab.

                                                                                                                                                          “Electron is fine if you ignore all of the bad apps using it” is a terribly uncompelling argument.

                                                                                                                                                          1. 1

                                                                                                                                                            Huh? We’re talking about people complaining that Electron apps are slow, clunky, non-native feeling piles of crap.

                                                                                                                                                            Sure, there are a couple of outliers like Atom and VSCode that went that way for from-scratch development, but most of the worst offenders that people complain about are apps like Slack, Todoist, Twitch – massive power, CPU, and RAM sucks for tiny amounts of functionality that are barely more than app-ized versions of a browser tab.

                                                                                                                                                            “Electron is fine if you ignore all of the bad apps using it” is a terribly uncompelling argument.

                                                                                                                                                            A couple things:

                                                                                                                                                            1. Literally no one in this thread up til now has mentioned any of Slack/Twitch/Todoist.
                                                                                                                                                            2. “Electron is bad because some teams don’t expend the effort to make good apps” is not my favorite argument.

                                                                                                                                                            I think it’s disingenous to say “there can be no value to this platform because people write bad apps with it.”

                                                                                                                                                            There are plenty of pretty good or better apps, as you say: Discord, VSCode, Atom with caveats.

                                                                                                                                                            And there are plenty of bad apps that are native: I mean, how many shitty apps are in the Windows Marketplace? Those are all written “native”. How full is the App Store of desktop apps that are poorly designed and implemented, despite being written in Swift?

                                                                                                                                                            Is the web bad because lots of people write web apps that don’t work very well?

                                                                                                                                                            I’m trying to make the case that there’s value to Electron, despite (or possibly due to!) it’s “not-nativeness”, not defending applications which, I agree, don’t really justify their own existence.

                                                                                                                                                            Tools don’t kill people.

                                                                                                                                                          2. 1

                                                                                                                                                            we’re talking about an application that’s written from the ground up for this platform, and will never ever be used in a web-app front end.

                                                                                                                                                            I’m really not an expert in the matter, just genuinely curious from my ignorance: why not? If it is HTML/CSS/JS code and it’s already working, why not just uploading it as a webapp as well? I always wondered why there is no such thing as an Atom webapp. Is it because it would take too long to load? The logic and frontend are already there.

                                                                                                                                                            1. 2

                                                                                                                                                              I’m referring to Atom, Hyper, Visual Studio Code, etc. here specifically.

                                                                                                                                                              I don’t think there’s any problem with bringing your front end to desktop via something like Electron. I do it at work with CEFSharp in Windows to support a USB peripheral in our frontend.

                                                                                                                                                              If it is HTML/CSS/JS code and it’s already working, why not just uploading it as a webapp as well?

                                                                                                                                                              I think the goal with the web platform is that you could - see APIs for device access, workers, etc. At the moment, platforms like Electron exist to allow native access to things you couldn’t have otherwise, that feels like a implementation detail to me, and may not be the case forever.

                                                                                                                                                              no such thing as an Atom webapp

                                                                                                                                                              https://aws.amazon.com/cloud9/

                                                                                                                                                              These things exist, the browser is just a not great place for them currently, because of the restrictions we have to put on things for security, performance, etc. But getting to that point is one view of forward progress, and one that I ascribe to.

                                                                                                                                                      2. 1

                                                                                                                                                        I can think of a number of things that could be done off top of my head. For example, the runtime could be modularized. This would allow only loading parts that are relevant to a specific application. Another thing that can be done is to share the runtime between applications. I’m sure there are plenty of other things that can be done. At the same time, a lot can be done in applications themselves. The recent post on Atom development blog documents a slew of optimizations and improvements.

                                                                                                                                                    2. 4

                                                                                                                                                      It’s tragic that desktop platforms are utterly non-interoperable and require near-complete duplication of every app.

                                                                                                                                                      It’s a necessarily sacrifice if you want apps that are and feel truly native that belong on the platform; a cross-platform Qt or (worse) Swing app is better than Electron, but still inferior to the app with a UI designed specifically for the platform and its ideals, HIG, etc.

                                                                                                                                                      1. 1

                                                                                                                                                        If we were talking about, say, a watch vs a VR system, then I understand “the necessary sacrifice” - the two platforms hardly have anything in common in terms of user interface. But desktops? Most people probably can’t even tell the difference between them! The desktop platforms are extremely close to each other in terms of UI, so I agree that it’s tragic to keep writing the same thing over and over.

                                                                                                                                                        I think it’s an example of insane inefficiency inherent in a system based on competition (in this case, between OS vendors), but that’s a whole different rabbit hole.

                                                                                                                                                        1. 2

                                                                                                                                                          I am not a UX person and spend most of my time in a Terminal, Emacs and Firefox, but I don’t think modern GUIs on Linux (Gnome), OS X and Windows are too common. All of them have windows and a bunch of similar widgets, but the conventions what goes where can be quite different. That most people can’t tell, does not mean much because most people can’t tell the difference between a native app and an electron one either. They just feel the difference if you put them on another platform. Just look how disoriented many pro users are if you give them a machine with one of the other major systems.

                                                                                                                                                          1. 1

                                                                                                                                                            I run Window Maker. I love focus-follows-mouse, where a window can be focused without being on top, which is anathema to MacOS (or macOS or whatever the not-iOS is called this week) and not possible in Windows, either. My point is, there are enough little things (except focus-follows-mouse is hardly little if that’s what you’re used to) which you can’t paper over and say “good enough” if you want it to be good enough.

                                                                                                                                                        2. 2

                                                                                                                                                          It’s tragic that desktop platforms are utterly non-interoperable and require near-complete duplication of every app.

                                                                                                                                                          There is a huge middle ground between shipping a web browser and duplicating code. Unfortunately that requires people to acknowledge something they’ve spent alot of time working to ignore.

                                                                                                                                                          Basically c is very cross platform. This is heresy but true. I’m actually curious: can anyone name a platform where python or javascript run where c doesn’t run?

                                                                                                                                                          UI libraries don’t need to be 100% of your app. If you hire a couple software engineers they can show you how to create business logic interfaces that are separate from the core services provided by the app. Most of your app does not have to be UI toolkit specific logic for displaying buttons and windows.

                                                                                                                                                          Source: was on a team that shipped cross platform caching/network filesystem. It was a few years back, but the portion of our code that had to vary between linux/osx/windows was not that big. Also writing in c opened the door for shared business logic (api client code) on osx/linux/windows/ios/android.

                                                                                                                                                          Electron works because the web technologies have a low bar to entry. That’s not always a bad thing. I’m not trying to be a troll and say web developers aren’t real developers, but in my experience, as someone who started out as a web developer, there’s alot of really bad ones because you start your path with a bit of html and some copy-pasted javascript from the web.

                                                                                                                                                          1. 1

                                                                                                                                                            There’s nothing heretical about saying C is cross-platform. It’s also too much work for too little gain when it comes to GUI applications most of the time. C is a systems programming language, for software which must run at machine speed and/or interface with low-level machine components. Writing the UI in C is a bad move unless it’s absolutely forced on you by speed constraints.

                                                                                                                                                          2. 1

                                                                                                                                                            It’s tragic that desktop platforms are utterly non-interoperable and require near-complete duplication of every app.

                                                                                                                                                            ++ Yes!

                                                                                                                                                            Try comparing a high quality native macOS app like Fantastical with literally any other approach to calendar software: electron, web, java, whatever. Native works great, everything else is unbearable.

                                                                                                                                                            Wait, what? I think there’s two different things here. Is Fantastical a great app because it’s written in native Cocoa and ObjC (or Swift), or is it great because it’s been well designed, well implemented, meets your specific user needs, etc? Are those things orthoganal?

                                                                                                                                                            I think it’s easy to shit on poorly made Electron apps, but I think the promise of crossplatform UI - especially for tools like Atom or Hyper, where “native feeling” UI is less of a goal - is much too great to allow us to be thrown back to “only Windows users get this”, even if it is “only OS X users get this” now.

                                                                                                                                                            It’s a tricky balancing act, but as a desktop Linux user with no plans to go back, I hope that we don’t give up on it just because it takes more work.

                                                                                                                                                            Cheers!


                                                                                                                                                            PS: Thanks for the invite, cross posted my email response if that’s ok :)

                                                                                                                                                            1. 2

                                                                                                                                                              Wait, what? I think there’s two different things here. Is Fantastical a great app because it’s written in native Cocoa and ObjC (or Swift), or is it great because it’s been well designed, well implemented, meets your specific user needs, etc? Are those things orthoganal?

                                                                                                                                                              My personal view is that nothing is truly well designed if it doesn’t play well and fit in with other applications on the system. Fantastical is very well designed, and an integral part of that great design is that it effortlessly fits in with everything else on the platform.

                                                                                                                                                              “Great design” and “native” aren’t orthogonal; the latter is a necessary-but-not-sufficient part of the former.

                                                                                                                                                              1. 1

                                                                                                                                                                “Great design” and “native” aren’t orthogonal; the latter is a necessary-but-not-sufficient part of the former.

                                                                                                                                                                Have to agree to disagree here, I guess. I definitely can believe that there can be well-designed, not-native application experinces, but I think that depends on the success and ‘well-designed-ness’ of the platform you’re talking about.

                                                                                                                                                                As part of necessary background context, I run Linux on my laptop, with a WM (i3) rather than a full desktop manager, because I really didn’t like the design and cohesiveness of Gnome and KDE the last time I tried a full suite. Many, many apps that could have been well designed if they weren’t pushed into a framework that didn’t fit them.

                                                                                                                                                                I look at Tomboy vs. Evernote as a good example. Tomboy is certainly well integrated, and feels very native in a Gnome desktop, and yet if put next to each other, Evernote is going to get the “well-designed” cred, despite not feeling native on really any platform it’s on.

                                                                                                                                                                Sublime Text isn’t “native” to any of the platforms it runs on either.

                                                                                                                                                                Anyway, I feel like I’m losing the thread of discussion, and I don’t want to turn this into “App A is better than App B”, so I’ll say that I think I understand a lot of the concerns people have with Electron-like platforms better than I did before, and thank you for the conversation.

                                                                                                                                                                Cheers!

                                                                                                                                                          1. 25

                                                                                                                                                            I used to do the things listed in this article, but very recently I’ve changed my mind.

                                                                                                                                                            The answer to reviewing code you don’t understand is you say “I don’t understand this” and you send it back until the author makes you understand in the code.

                                                                                                                                                            I’ve experienced too much pain from essentially rubber-stamping with a “I don’t understand this. I guess you know what you’re doing.” And then again. And again. And then I have to go and maintain that code and, guess what, I don’t understand it. I can’t fix it. I either have to have the original author help me, or I have to throw it out. This is not how a software engineering team can work in the long-term.

                                                                                                                                                            More succinctly: any software engineering team is upper-bound architecturally by the single strongest team member (you only need one person to get the design right) and upper-bound code-wise by the single weakest/least experience team member. If you can’t understand the code now, you can bet dollars to donuts that any new team member or new hire isn’t going to either (the whole team must be able to read the code because you don’t know what the team churn is going to be). And that’s poison to your development velocity. The big mistake people make in code review is to think the team is bound by the strongest team member code-wise too and defer to their experience, rather than digging in their heels and say “I don’t understand this.”

                                                                                                                                                            The solution to “I don’t understand this” is plain old code health. More functions with better names. More tests. Smaller diffs to review. Comments about the edge cases and gotchas that are being worked around but you wouldn’t know about. Not thinking that the code review is the place to convince the reviewer to accept the commit because no-one will ever go back to the review if they don’t understand the code as an artifact that stands by itself. If you don’t understand it as a reviewer in less than 5 minutes, you punt it back and say “You gotta do this better.” And that’s hard. It’s a hard thing to say. I’m beginning to come into conflict about it with other team members who are used to getting their ungrokkable code rubber stamped.

                                                                                                                                                            But code that isn’t understandable is a failure of the author, not the reviewer.

                                                                                                                                                            1. 7

                                                                                                                                                              More succinctly: any software engineering team is upper-bound architecturally by the single strongest team member (you only need one person to get the design right) and upper-bound code-wise by the single weakest/least experience team member.

                                                                                                                                                              Well put – hearing you type that out loud makes it incredibly apparent.

                                                                                                                                                              Anywhoo, I think your conclusion isn’t unreasonable (sometimes you gotta be the jerk) but the real problem is upstream. It’s a huge waste when bad code makes it all the way to review and then and then needs to be written again; much better would be to head it off at the pass. Pairing up the weaker / more junior software engineers with the more experienced works well, but is easier said than done.

                                                                                                                                                              1. 4

                                                                                                                                                                hmm, you make a good point and I don’t disagree. Do you think the mandate on the author to write understandable code becomes weaker when the confusing part is the domain, and not the code itself? (Although I do acknowledge that expressive, well-structured and well-commented code should strive to bring complicated aspects of the problem domain into the picture, and not leave it up to assumed understanding.)

                                                                                                                                                                1. 3

                                                                                                                                                                  I think your point is very much applicable. Sometimes it takes a very long time to fully understand the domain, and until you do, the code will suffer. But you have competing interests. For example, at some point, you need to ship something.

                                                                                                                                                                  1. 2

                                                                                                                                                                    Do you think the mandate on the author to write understandable code becomes weaker when the confusing part is the domain, and not the code itself?

                                                                                                                                                                    That’s a good question.

                                                                                                                                                                    In the very day-to-day, I don’t personally find that code reviews have a problem from the domain level. Usually I would expect/hope that there’s a design doc, or package doc, or something, that explains things. I don’t think we should expect software engineers to know how a carburetor works in order to create models for a car company, the onus is on the car company to provide the means to find out how the carburetor works.

                                                                                                                                                                    I think it gets much tricker when the domain is actually computer science based, as we kind of just all resolved that there are people that know how networks work and they write networking code, and there’s people who know how kernels work and they write kernel code etc etc. We don’t take the time to do the training and assume if someone wants to know about it, they’ll learn themselves. But in that instance, I would hope the reviewer is also a domain expert, but on small teams that probably isn’t viable.

                                                                                                                                                                    And like @burntsushi said, you gotta ship sometimes and trust people. But I think the pressure eases as the company grows.

                                                                                                                                                                    1. 1

                                                                                                                                                                      That makes sense. I think you’ve surfaced an assumption baked into the article which I wasn’t aware of, having only worked at small companies with lots of surface area. But I see how it comes across as particularly troublesome advice outside of that context

                                                                                                                                                                  2. 4

                                                                                                                                                                    I’m beginning to come into conflict about it with other team members

                                                                                                                                                                    How do you resolve those conflicts? In my experience, everyone who opens a PR review finds their code to be obvious and self-documenting. It’s not uncommon to meet developers lacking the self-awareness required to improve their code along the lines of your objections. For those developers, I usually focus on quantifiable metrics like “it doesn’t break anything”, “it’s performant”, and “it does what it’s meant to do”. Submitting feedback about code quality often seems to regress to a debate over first principles. The result is that you burn social capital with the entire team, especially when working on teams without a junior-senior hierarchy, where no one is a clear authority.

                                                                                                                                                                    1. 2

                                                                                                                                                                      Not well. I don’t have a good answer for you. If someone knows, tell me how. If I knew how to simply resolve the conflicts I would. My hope is that after a while the entire team begins to internalize writing for the lowest common denominator, and it just happens and/or the team backs up the reviewer when there is further conflict.

                                                                                                                                                                      But that’s a hope.

                                                                                                                                                                      1. 2

                                                                                                                                                                        t’s not uncommon to meet developers lacking the self-awareness required to improve their code along the lines of your objections. For those developers, I usually focus on quantifiable metrics like “it doesn’t break anything”, “it’s performant”, and “it does what it’s meant to do”. Submitting feedback about code quality often seems to regress to a debate over first principles.

                                                                                                                                                                        Require sign-off from at least one other developer before they can merge, and don’t budge on it – readability and understandability are the most important issues. In 5 years people will give precisely no shits that it ran fast 5 years ago, and 100% care that the code can be read and modified by usually completely different authors to meet changing business needs. It requires a culture shift. You may well need to remove intransigent developers to establish a healthier culture.

                                                                                                                                                                        The result is that you burn social capital with the entire team, especially when working on teams without a junior-senior hierarchy, where no one is a clear authority.

                                                                                                                                                                        This is a bit beyond the topic at hand, but I’ve never had a good experience in that kind of environment. If the buck doesn’t stop somewhere, you end up burning a lot of time arguing and the end result is often very muddled code. Even if it’s completely arbitrary, for a given project somebody should have a final say.

                                                                                                                                                                        1. 1

                                                                                                                                                                          The result is that you burn social capital with the entire team, especially when working on teams without a junior-senior hierarchy, where no one is a clear authority.

                                                                                                                                                                          This is a bit beyond the topic at hand, but I’ve never had a good experience in that kind of environment. If the buck doesn’t stop somewhere, you end up burning a lot of time arguing and the end result is often very muddled code. Even if it’s completely arbitrary, for a given project somebody should have a final say.

                                                                                                                                                                          I’m not sure.

                                                                                                                                                                          At very least, when no agreement is found, the authorities should document very carefully and clearly why they did take a certain decision. When this happens everything goes smooth.

                                                                                                                                                                          In a few cases, I saw a really seasoned authority to change his mind while writing down this kind of document, and finally to choose the most junior dev proposal. And I’ve also seen a younger authority faking a LARGE project just because he took any objection as a personal attack. When the doom came (with literally hundreds of thousands euros wasted) he kindly left the company.

                                                                                                                                                                          Also I’ve seen a team of 5 people working very well for a few years together despite daily debates. All the debates were respectful and technically rooted. I was junior back then, but my opinions were treated on pars with more senior colleagues. And we were always looking for syntheses, not compromises.

                                                                                                                                                                      2. 2

                                                                                                                                                                        I agree with the sentiment to an extent, but there’s something to be said for learning a language or domain’s idioms, and honestly some things just aren’t obvious at first sight.

                                                                                                                                                                        There’s “ungrokkable” code as you put it (god knows i’ve written my share of that) but there’s also code you don’t understand because you have had less exposure to certain idioms, so at first glance it is ungrokkable, until it no longer is.

                                                                                                                                                                        If the reviewer doesn’t know how to map over an array, no amount of them telling me they doesn’t understand will make me push to a new array inside a for-loop. I would rather spend the time sitting down with people and trying to level everyone up.

                                                                                                                                                                        To give a concrete personal example, there are still plenty of usages of spreading and de-structuring in JavaScript that trip me up when i read them quickly. But i’ll build up a tolerance to it, and soon they won’t.

                                                                                                                                                                      1. 7

                                                                                                                                                                        I’m seeing a lot of people downplay Spectre compared to Meltdown – basically, the common claim seems to be that patching for Meltdown is super important but people shouldn’t worry too much about Spectre because it’s “hard to exploit in practice”.

                                                                                                                                                                        This is the third working proof-of-concept in a VM or sandbox I’ve seen since yesterday.

                                                                                                                                                                        1. 3

                                                                                                                                                                          The base PoC mentioned here involves a very specifically crafted function within the same process as the attacker function.

                                                                                                                                                                          Unlike Meltdown, Spectre is a class of attack which requires some pretty specific style of code path to be present in the victim process, and for that code path to be somewhat controllable from outside processes. It’s a really high bar!

                                                                                                                                                                          Thought it’s a bit of a nightmare for sandboxing, since it gives easy ways to read a process’ own memory. Though to be honest, that’s probably more evidence of the futility of sandboxing in general than other things. But cross-process attacks are tricky.

                                                                                                                                                                          (The biggest danger I saw from Spectre was the possibility of exploitable code being in shared libraries, because that makes it a lot easier for the attacker process to poison the well).

                                                                                                                                                                        1. 3

                                                                                                                                                                          AMD claims “zero vulnerability due to AMD architecture differences”, but without any explanation. Could someone enlighten us about this?

                                                                                                                                                                          1. 10

                                                                                                                                                                            AMD’s inability to generate positive PR from this is really an incredible accomplishment for their fabled PR department.

                                                                                                                                                                            1. 7

                                                                                                                                                                              The spectre PoC linked elsewhere in this thread works perfectly on my Ryzen 5. From my reading, it sounds like AMD processors aren’t susceptible to userspace reading kernelspace because the cache is in some sense protection-level-aware, but the speculative-execution, cache-timing one-two punch still works.

                                                                                                                                                                              1. 4

                                                                                                                                                                                From reading the google paper on this it’s not quite true but not quite false. According to google AMD and ARM are vulnerable to a specific limited form of Spectre. They’re not susceptible to Meltdown. The google Spectre PoCs for AMD and ARM aren’t successful in accessing beyond the user’s memory space so it’s thought that while the problem exists in some form it doesn’t lead to compromise as far as we currently know.

                                                                                                                                                                                1. 2

                                                                                                                                                                                  aren’t successful in accessing beyond the user’s memory space so … it doesn’t lead to compromise as far as we currently know.

                                                                                                                                                                                  Well, no compromise in the sense of breaking virtualization boundaries or OS-level protection boundaries, but still pretty worrying for compromising sandboxes that are entirely in one user’s memory space, like those in browsers.

                                                                                                                                                                                2. 4

                                                                                                                                                                                  I just found this in a Linux kernel commit:

                                                                                                                                                                                  AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

                                                                                                                                                                                  1. 4

                                                                                                                                                                                    Which is a much stronger statement than in the AMD web PR story. Given that it is AMD, I would not be surprised if their design does not have the problem but their PR is unable to make that clear.

                                                                                                                                                                                  2. 2

                                                                                                                                                                                    AMD is not vulnerable to Meltdown, an Intel-specific attack.

                                                                                                                                                                                    AMD (and ARM, and essentially anything with a speculative execution engine on the planet) is vulnerable to Spectre.

                                                                                                                                                                                  1. 7

                                                                                                                                                                                    Clojure. It felt like the natural progression, especially since I was interested in diving deeper into FP. Now I can’t not love s-exps and structural editing, as well as even more powerful meta-programming.

                                                                                                                                                                                    (Also notable that I saw Russ Olsen, author of Eloquent Ruby, moved to Clojure, and now works for Cognitect.)

                                                                                                                                                                                    1. 3

                                                                                                                                                                                      I’m really interested in Clojure, but compared to Ruby there seems to be an order of magnitude fewer jobs out there for it.

                                                                                                                                                                                      I can’t swing a dead cat without seeing 4 or 5 people a week looking for senior Rubyists. I’ve seen maybe 2 major Clojure opportunities in the last 6 months.

                                                                                                                                                                                      1. 4

                                                                                                                                                                                        I can’t swing a dead cat without seeing 4 or 5 people a week looking for senior Rubyists.

                                                                                                                                                                                        What’s been your success rate when bringing carrion to job fairs?

                                                                                                                                                                                        1. 1

                                                                                                                                                                                          The way the local job market is, I doubt it’d damage my chances that much.

                                                                                                                                                                                      2. 1

                                                                                                                                                                                        Clojure is absolutely great and so is Russ. He still loves Ruby (as well) though :)

                                                                                                                                                                                        I still maintain that one of the best books I ever read for my coding skills is Functional Programming Patterns in Scala and Clojure.

                                                                                                                                                                                        Clojure never really got me personally - I would have liked but weirdly short names, friends telling me that for libs tests are more considered “optional” & others were ultimately a bit off putting to me. Still wouldn’t say no, just - switched my focus :)

                                                                                                                                                                                        1. 3

                                                                                                                                                                                          Tests are definitely not considered optional by the Clojure community. However, you’re likely to see a lot less tests in Clojure code than in Ruby.

                                                                                                                                                                                          There are two major reasons for this in my experience. First reason is that development is primarily done using an editor integrated REPL as seen here. Any time you write some code, you can run it directly from the editor to see exactly what it’s doing. This is a much tighter feedback loop than TDD. Second reason is that functions tend to be pure, and can be tested individually without relying on the overall application state.

                                                                                                                                                                                          So, most testing in libraries tends to be done around the API layer. When the API works as expected, that necessarily tests that all the downstream code is working. It’s worth noting that Clojure Spec is also becoming a popular way to provide specification and do generative testing.

                                                                                                                                                                                      1. 7

                                                                                                                                                                                        Really? 24 comments already and no one has even mentioned the phrase responsible disclosure?

                                                                                                                                                                                        Bugs are bugs. No one can claim Apple deliberately shipped this behaviour. Yes it should have been caught but there is no malicious intent.

                                                                                                                                                                                        This fucking clown knowingly publicises a vulnerability with instructions on fucking Twitter.

                                                                                                                                                                                        This is 0% about security and 100% about some jackass getting his 15 minutes of fame. “Software Craftsman” my ass.

                                                                                                                                                                                        1. 16

                                                                                                                                                                                          Over on the Orange Site half the people are having to explain to the other half what responsible disclosure even is. I wouldn’t be terribly surprised if this guy, of which there is no signs he’s familiar with standard security community practices, just didn’t know that there was a standard practice for disclosure. especially when these days the only way to get half-decent tech support is to publicly complain on Twitter.

                                                                                                                                                                                          Yes, he should have done the research on responsible disclosure. But if we’re willing to say extend the benefit of the doubt to the richest tech company on the planet, we should extend the benefit of the doubt a random guy who stumbled into this bug.

                                                                                                                                                                                          1. 1

                                                                                                                                                                                            Oh believe me, I saw the comments in that other place.

                                                                                                                                                                                            And I agree the guy is clearly not a security researcher or anything close to it. But even so - he clearly understood the ramifications of the bug, heck he could have just stopped typing at the first full stop (period) and hit “Send Tweet”.

                                                                                                                                                                                            Apple Support would have responded, asking for more details via DM.

                                                                                                                                                                                            I understand you want to give him the benefit of the doubt, but I find it hard to believe anyone who understands how powerful a local root account is, didn’t comprehend the danger of publicising an exploit to the fucking world.

                                                                                                                                                                                            As I said. He wants his 15 minutes of fame.

                                                                                                                                                                                          2. 8

                                                                                                                                                                                            Responsible disclosure is a “truthy” phrase like “responsible encryption”. It sounds good on the visceral level but once you unpack the arguments, not so much.

                                                                                                                                                                                            Full disclosure is actually preferred by a lot of security people, because - especially in the case of a very simple bug - you never know who knows about the security issue already.

                                                                                                                                                                                            In this case, before it was posted on twitter someone already mentioned this issue two weeks ago on apple’s developer forum and I find it hard to believe that adversaries do not already have pretty thorough test suites running against popular operating systems to discover vulnerabilities like this.

                                                                                                                                                                                            Apple should also have a bug bounty program covering macOS. Reporting a vulnerability is a long and painful* task, where a security researcher is playing project manager for months with oftentimes unfriendly organizations. I perfectly appreciate the argument that people who discover vulnerabilities are under no obligation to spend a lot of time and effort helping random companies fix security issues. That’s where a bug bounty should come in.

                                                                                                                                                                                            *I regularly watch security researchers ask their twitter followers to help them get in touch with organization x or y, after they already exhausted pretty much every other avenue of contacting people in an org who can deal with a security issue. See this for an example from today.

                                                                                                                                                                                            (Disclaimer: I’m blue team infosec)

                                                                                                                                                                                            1. 3

                                                                                                                                                                                              Full disclosure is actually preferred by a lot of security people, because - especially in the case of a very simple bug - you never know who knows about the security issue already.

                                                                                                                                                                                              I would seriously question the judgement or motivations of any researcher who believed that. You may not know who knows about the issue already, but following disclosure, you can be extremely confident that a whole lot more people know. If your goal is to minimize harm to users, letting a whole bunch of attackers know about a vulnerability before the vendor has a chance to patch it is not a rational route to that goal.

                                                                                                                                                                                              1. 4

                                                                                                                                                                                                More people know about it, therefor they can mitigate the impact even before a vendor patch is out. Once a vulnerability is publicly known, vendors usually react faster too. Compare that to a month-year-multiyear process where some people know, noone knows to which extent blackhats know about it (they are heavily incentivised against disclosing what they know) and people who would be impacted by a given issue generally don’t.

                                                                                                                                                                                                For example in the recent infineon RSA vulnerability the >6 month timeline put people relying on that faulty library at risk.

                                                                                                                                                                                              2. 2

                                                                                                                                                                                                I would totally buy this argument in general, but for Apple it’s not that hard. I did a search for “Apple security” and literally the first result had an email for the security team and even a PGP key you could use if you wanted. No excuses for this guy, he put lots of people at risk and acted like an ass for no reason.

                                                                                                                                                                                              3. 3

                                                                                                                                                                                                Responsible disclosure is for security researchers. When your bug is so bad that someone who has no idea what they’re doing finds it they’re just going to tell their friends, or maybe even just exploit it themselves quietly. We’re frankly lucky he decided to shout that out to the whole world, and that everyone didn’t think it was a prank.

                                                                                                                                                                                                1. 0

                                                                                                                                                                                                  Right, like driving safely is only for bus drivers and safe sex is only for hookers?

                                                                                                                                                                                                  1. 1

                                                                                                                                                                                                    The difference is that driving safely and safe sex have personal implications. With responsible disclosure there really are absolutely no consequences for not doing it. So don’t expect people to do it, and definitely don’t depend on it.

                                                                                                                                                                                                2. 2

                                                                                                                                                                                                  If apple quietly fixed it without fanfare, mac customers wouldn’t realize they bought from a shit company. Especially important since Apple has been hitting the security angle. If they can’t get this right, what chance in hell do they have getting a neural net based face detection as password system right?

                                                                                                                                                                                                  1. 2

                                                                                                                                                                                                    Apple has been ‘hitting’ the privacy angle.

                                                                                                                                                                                                    But frankly, I say bullshit to your entire premise. Responsible disclosure doesn’t mean:

                                                                                                                                                                                                    you can’t say shit about this

                                                                                                                                                                                                    It means (assuming the vendor responds and is cooperative):

                                                                                                                                                                                                    You can’t tell the world about this until an agreed upon date, before which the vendor will distribute a patch to users

                                                                                                                                                                                                    Once the embargo date passes, you can make any manner of publication about the bug you like.

                                                                                                                                                                                                    What this guy did is just fucking dickish.

                                                                                                                                                                                                    1. 7

                                                                                                                                                                                                      He’s not a security researcher, he’s just some dude. I don’t understand what incentive he has, or how he would even know to do what you’re saying. Just be grateful he didn’t sell it on the black market.

                                                                                                                                                                                                      1. 1

                                                                                                                                                                                                        The responsible thing to do is publish it as soon as possible with a known work around. Since users can protect themselves without waiting for Apple to fix the issue, they should know about it NOW. In this case the known work around is to set a password for the root account. Another work around is to never let anyone near your computer until its fixed.

                                                                                                                                                                                                        Users can fix it themselves, they need to know NOW.

                                                                                                                                                                                                        In regards to my premise, I disagree. In most cases users can take actions to protect themselves. It is irresponsible for the security community to keep these these private to “protect the weak and useless user”.

                                                                                                                                                                                                        These embargoes serve only the purpose of minimizing embarrassment and cost to the bottom line. “Look, we screwed up a month ago but fixed it, so don’t worry” doesn’t really bring about the same anger as “Look, you are exposed now, protect yourself by doing X, we are working on a fix.”, which brings less anger than “Hey guys, Apple has this huge issue and they didn’t even know about it”. The first costs Apple little. The second costs Apple more. The third costs Apple the most. Which do you think will push Apple to change their processes to prevent these problems?

                                                                                                                                                                                                        1. 3

                                                                                                                                                                                                          The responsible thing to do is publish it as soon as possible with a known work around. Since users can protect themselves without waiting for Apple to fix the issue, they should know about it NOW. In this case the known work around is to set a password for the root account. Another work around is to never let anyone near your computer until its fixed.

                                                                                                                                                                                                          Users can fix it themselves, they need to know NOW.

                                                                                                                                                                                                          This really depends on what your mental model of a “user” is:

                                                                                                                                                                                                          1. In a “Responsible Disclosure” scenario, there are certainly users who are being “hung out to dry” in that they would be in a position to do something to protect themselves a lot sooner if there were informed of the bug ASAP. These users are exposed to risk by not being informed immediately.

                                                                                                                                                                                                          2. In an “Immediate Disclosure” scenario, there are a large number of users who will not hear about the security bug, and are not possessed of the kinds of skills that would allow them to mitigate the problem even if they did hear about it. These users are exposed to risk by not giving the vendor time to step in and provide them with mitigation via automated channels.

                                                                                                                                                                                                          It is irresponsible for the security community to keep these these private to “protect the weak and useless user”.

                                                                                                                                                                                                          I would suggest that this is in no way a clear-cut conclusion, and that reasonable people have room for reasonable disagreement on this topic. It’s fundamentally a train-tracks Ethics problem, and there is no real “right answer” here, however passionately you believe that yours is the only correct one.

                                                                                                                                                                                                          These embargoes serve only the purpose of minimizing embarrassment and cost to the bottom line.

                                                                                                                                                                                                          I don’t think that’s a charitable reading. My own take is that the number of users exposed to risk in scenario #2 is larger than the number in scenario #1, and therefore scenario #1 is preferable. You’re free to disagree, of course, but attributing that disagreement to bad faith isn’t conductive to communication.

                                                                                                                                                                                                          1. 1

                                                                                                                                                                                                            I don’t believe your disagreement is in bad faith. I believe there are business reasons, not user reasons, that disclosure rules for bounties are the way they are.

                                                                                                                                                                                                            Read the first paragraph of their disclosure. https://support.apple.com/en-us/HT208315

                                                                                                                                                                                                            Might as well say “we will keep security issues secret from you so forget any thought you had of keeping yourself safe. Let us adults take care of you.”

                                                                                                                                                                                                            If you are right that the #2 group is larger, doesn’t that bother you? What would have to change so most users have power to protect themselves vs rely on the paternal powers of the company?