1. -6

    As usual with Rust articles about this sort of thing it started off quite well (really well!!) and then turned into a “write some obviously incorrect C code then point at it and say C code is incorrect”.

    Of course C doesn’t have UTF-8 strings built in. Why would it? There are a great many C programmes running in the wild on systems with less memory than the size of the tables you need for Unicode support. Comparing over and over and over again that you can do string things easily in a few lines of Rust is really boring, especially when you’re not comparing to, say, ICU, but to your own bad C Unicode implementation that you purposefully implemented badly to make a point.

    Of course C isn’t memory safe. This isn’t news to anyone. You don’t have to spend pages and pages and pages going on about it.

    You know what Rust doesn’t in fact prevent you from having to deal with? Proprietary libraries that do malicious things. Malicious functions that cast their inputs to nonconst pointers and modify them are possible in malicious Rust libraries too. The solution is free software, it’s not using proprietary libraries you can’t inspect.

    If you’re going to compare Unicode, compare ICU to Rust. You can still make all the same points about memory safety, if that’s what you’re actually concerned about. But it seems all this article is concerned about is to find reasons to criticise C unthinkingly.

    1. 16

      If this article’s problem is that it criticizes C unthinkingly, then surely, the numerous links to the various CVEs demonstrate that many people are using C unthinkingly. According to you, I suppose we should blame those people for using C unthinkingly and for missing “obviously incorrect” C code. It should be manifestly obvious that the entire point of Rust is to reject this way of thinking and instead improve on the tools to prevent the need to detect “obviously incorrect” code in the first place. That’s also one of the points this article made several times over, albeit with a thick layer of snark at pretty much exactly the attitude you are repeating here.

      You know what Rust doesn’t in fact prevent you from having to deal with? Proprietary libraries that do malicious things. Malicious functions that cast their inputs to nonconst pointers and modify them are possible in malicious Rust libraries too. The solution is free software, it’s not using proprietary libraries you can’t inspect.

      Classic. Because Rust isn’t a panacea we can’t compare its effectiveness at preventing bugs that keep reoccurring with other tools? Nevermind the fact that said malicious functions in Rust must be clearly demarcated somewhere with an unsafe annotation. So even then, Rust is going to make auditing said problems easier than other languages where the default is unsafe.

      1. 0

        If this article’s problem is that it criticizes C unthinkingly

        If the article had compared how easy it is to get code using Rust’s strings right using the ICU crate for Rust vs how easy it is to screw up when using ICU, that would be a fair comparison. In both cases you’re writing code that uses a comprehensive Unicode library to do some basic string munging, and I wouldn’t be even a bit surprised if the end result was that the Rust code was shorter, simpler, easier to write, easier to read and safer.

        If the article had compared actually implementing the Unicode support in Rust on top of raw bytes in a naive way vs doing the same in C, and shown how Rust helps you avoid the problems you encounter when you try to do things naively, that would have been a really valuable article showing how Rust helps you avoid problems in C code. I’d be interested to know how many uses of unsafe there are in the Unicode string handling bits of Rust’s standard library. How many places is it necessary for good performance? How many could you eliminate with only small performance loss (unnecessary bounds checking, for example).

        Instead the article compares implementing UTF-8 string handling in C with just using the built-in UTF-8 string handling in Rust, which doesn’t seem fair to me. It’s like saying Rust is a worse language than Python because Python has HTTP built in and the author’s implementation of HTTP in 10 lines in Rust has some serious issues. That’s what I’d expect! Different languages are different levels of batteries-included and in C’s case, the battery that’s included is arrays of bytes, anything else is up to libraries.

        So yes I do think that the criticism of C in the article is pretty unthinking.

        Classic. Because Rust isn’t a panacea we can’t compare its effectiveness at preventing bugs that keep reoccurring with other tools? Nevermind the fact that said malicious functions in Rust must be clearly demarcated somewhere with an unsafe annotation. So even then, Rust is going to make auditing said problems easier than other languages where the default is unsafe.

        If you’re linking to an arbitrary closed-source Rust library then you can’t tell where they wrote unsafe. The article, remember, says:

        This would pass unit tests. And if no one bothered to look at the len function itself - say, if it was in a third-party library, or worse, a proprietary third-party library, then it would be… interesting… to debug.

        Which is a good point: proprietary third-party C libraries can do anything, really. It’s not unreasonable to point out that there’s nothing stopping a proprietary third-party Rust library from doing anything either, including unsafe code that you can’t even find with grep, and it would be just as interesting to debug. But also the whole actix-web situation shows that a community attitude that unsafe should be treated with suspicion doesn’t hold for every Rust library author. Large amounts of unnecessary unsafe isn’t necessarily audited just because it can be audited, just like large amounts of C isn’t necessarily audited just because it can be.

        I didn’t say that Rust was bad, or that it shouldn’t be compared to other languages. I merely said that it’s unreasonable to compare intentionally-poorly-written-and-incomplete code in one language with the standard library of another regardless of language. If the whole point of the article is just ‘C isn’t memory safe, Rust is’ then good job, I guess? Probably doesn’t require that the article is quite so long though. But of course it isn’t. The point of the article is closer to something like ‘string handling in C is primitive compared to string handling in Rust using the Rust standard library and thus C is worse than Rust’.

        According to you, I suppose we should blame those people for using C unthinkingly and for missing “obviously incorrect” C code. It should be manifestly obvious that the entire point of Rust is to reject this way of thinking and instead improve on the tools to prevent the need to detect “obviously incorrect” code in the first place.

        But Rust doesn’t prevent you from writing incorrect code, does it. It prevents you from writing memory-unsafe code that isn’t explicitly marked as unsafe. You can implement UTF-8 string handling poorly in Rust, just like you can in C. The difference is that if you do so in Rust, and you don’t write unsafe in any of your code, then the result will be a panic or incorrect behaviour and not a buffer overflow.

        Is that a valuable property? Yes. Rust’s memory safety guarantees are valuable. I bolded that so it’s clear I’m not saying Rust is bad or useless because it isn’t a panacea, which seems to be how you’ve interpreted my comment.

        It’s also a well known property. A much more interesting property that Rust may or may not have (I do not know) is ‘helps write low-level string handling code correctly’. C does not help you do this correctly, as shown by the incorrect string handling code in the article written in C. But does Rust have this property? We don’t know, because the author doesn’t tell us. All it tells us is that someone’s written good string handling in Rust, and the well known fact that Rust gives memory safety guarantees. A lot of text for not much.

        That’s also one of the points this article made several times over, albeit with a thick layer of snark at pretty much exactly the attitude you are repeating here.

        I think it’s really very rude of you to ascribe my attitude as the tired old ‘C is fine just write correct code, thus Rust is pointless’. That’s not my view and not at all what I said or implied.

        1. 0

          Personally, I think you’ve completely missed the point of the article.

          But now that I realize you are milesrout, I’m just going to go back to ignoring you. It’s just not a productive use of my time to talk to you. I wouldn’t have responded to you originally if I had known who you were. But you had changed your username (and have since changed it back).

          1. -4

            You’re a childish troll. I make multiple constructive comments and you purposefully misinterpret them then make personal attacks.

            Lobsters is obviously not a good place for you to be. I suggest you go back to your horses of uncritical adoring fans on leddit who assume everything you say is good and true and correct just because you wrote ripgrep. Leave the serious discussion to people that can act like adults.

            The only other logical explanation is that you didn’t understand my comment somehow.

            1.  

              Perfect example of why I ignore you on this site. It was going well. I’ll just have to make sure I check user accounts now before responding to an unfamiliar username.

              1.  

                It was not going well. Both comments you made are as if you didn’t even read the comments you were responding to.

                1.  

                  Oh, no, it was. I have successfully avoided interacting with you for quite some time. There have been times where I’ve started writing a comment reply to you before seeing the username, after which I would delete what I wrote before responding. But you changed your username and I managed to get sucked into your bullshit. So I’ll be more careful in the future.

                  1.  

                    Just stop. You’re embarrassing yourself. Anyone can see that you can’t handle being wrong and just resort to personal attacks and mindless flaming as soon as someone says something you can’t come up with a snappy reply to.

                    “Personally, I think you’ve completely missed the point of the article.” Do you state what you think the point of the article is? No, of course not. Because that could actually be responded to. That could actually be discussed. Instead you just resort to personal attacks and trolling. You should be ashamed of yourself.

      2. 10

        Of course C doesn’t have UTF-8 strings built in. Why would it? There are a great many C programmes running in the wild on systems with less memory than the size of the tables you need for Unicode support.

        People have already addressed the other points. But this is suggests that you can’t support UTF-8 without large unicode tables, which is false. One can do many useful things with UTF-8 data and UTF-8 strings without unicode tables, such as:

        • Validating that a byte stream/array is valid UTF-8, which only requires looking at the leading bits.
        • Determining code point boundaries, which again only requires at leading bits. This results in many useful things, such as being able to: count the number of code points, indexing into code points, iterating over code points, etc.
        • Re-encode to another unicode encoding (UTF-16, UTF-32).
        1. 1

          I totally agree, those would be some really nice very useful library functions to have standardised. I suspect they won’t be, just because they’re not especially difficult to implement correctly and portably already compared to the effort required in standardising them, but it would be nice.

        2. 6

          The solution is free software, it’s not using proprietary libraries you can’t inspect.

          I think the evidence is clear at this point that free software (whether we mean free as in beer or speech) in and of itself does nothing to help security or reliability. Witness Heartbleed. Present in open-source software for years. The “bazzar” didn’t find it. Volunteer developers didn’t find it.

          Not to mention the constant stream of 0-days popping up and getting fixed in major browsers, all of which are open source, and basically none of which have security bugs found and fixed by community volunteers AFAIK.

          It seems clear that, based on evidence, neither being open to a world full of possible inspectors or having dozens of specialized testing tools and hundreds of highly paid experienced engineers can prevent software in C from exhibiting memory unsafety errors. Rust seems to show much more potential so far.

          1. 6

            You know what Rust doesn’t in fact prevent you from having to deal with? Proprietary libraries that do malicious things. Malicious functions that cast their inputs to nonconst pointers and modify them are possible in malicious Rust libraries too. The solution is free software, it’s not using proprietary libraries you can’t inspect.

            Rust’s implementation is F/L/OSS, the most conveniently-accessible libraries in Rust (the ones on crates.io) are all source-available, and, since Rust has no stable ABI, the best way to provide a first-class Rust library experience is to make its source available. Obviously the Rust core team can’t make all the proprietary libraries not exist, but they’ve thoroughly optimized in favour of free software ones.

            Nobody’s going to ask you to choose between free software and Rust. The obvious best option is both.

          1. 3

            He seems to be describing a scientist more than an engineer. Software engineering is much more about working on large codebases with many people over long timeframes without the entire thing collapsing under its own weight. Often you have to pick simplicity & durability over performance.

            1. 0

              What is your definition of a ‘software engineer’?

              1. 0

                “Software engineering is what happens to programming when you add time and other programmers.”

                By extension, a software engineer is somebody who works on a large codebase with many others over several years.

                1. 3

                  This definition sounds a bit circular to me. Software engineering is a skillset, and it allows you to work on large codebases with many others over several years. But the latter is a proxy for the former skillset, because if I asked you, “Why is not Joe here a software engineer?” you’d say, “Because he’s not working on a large codebase with many others over several years.”

                  “But why doesn’t he have a job where he does that, assuming he wants to?”

                  “He doesn’t have the necessary skills.”

                  “What are those skills called?”

                  “Software engineering!”

                  1.  

                    I don’t think it’s circular. I defined Software Engineering. You then created a fake conversation & put words in my mouth… I could try to list skills that help somebody to be an effective software engineer if you want but that’s not what you asked for initially.

                  2.  

                    A structural engineer isn’t just someone that works on buildings with other people. It’s someone with a particular set of qualifications that has passed a particular set of professional exams and is certified to be one.

                    I do not think that your definition of software engineering is good and I don’t think your definition of software engineer fits in at all with how engineering works in general.

                    Software engineering has nothing to do with large codebases or large numbers of people.

                    1.  

                      What’s your definition of software engineering?

                      [The regulations around who can call themselves an engineer vary across countries. They’re different in the US & Canada & probably in NZ too.]

              1. 8

                Even as a staunch advocate of C, I have a much simpler argument against this design from OpenBSD: languages which are not C should not depend on C. From a philisophical point of view, I think that a language design is much stronger when its compiler, runtime, stdlib, and so on - are all implemented in that language. If we constrain ourselves to language designs which can route syscalls through the C stdlib then we constrain our ability to innovate in new languages.

                1. 8

                  language designs which can route syscalls through the C stdlib

                  If your language design cannot call a function (with the platform’s standard ABI) from a shared library, something has gone terribly, horribly wrong. I haven’t seen any production language where FFI is impossible.

                  If your language design just really really does not want to use syscall wrappers because it uses a completely alien calling convention and weird stacks and calling a function with platform ABI would incur performance overhead… well, I would argue something has gone wrong in this case too. I blame Linux monoculture — Linux is about the only significant unix-like where raw syscall numbers (called via raw CPU trap instructions) are the public API of the platform.

                  So many advantages to defining syscalls as ELF symbols:

                  • massively easier portability. Adding FreeBSD/aarch64 support to Go took three or four people, many many months of occasional work, tons of lines of code. Doing the same with Rust, D (LDC), OCaml, Crystal, Pony and others was trivial (in the syscall department — of course there were fun thread-local storage bugs and so on :D)
                  • hooking via LD_PRELOAD, which is very useful for sandboxing existing programs (e.g. with libpreopen I can exec a gedit inside the incredibly strict Capsicum sandbox)
                  • the platform can replace any syscall that actually goes through the kernel with a fast vDSO without breaking anything
                  • with symbol versioning, old ABI can be kept around — sometimes as purely userspace wrappers around new ABI, and the kernel can be cleaned up
                  • flexibility in what the platform actually even is at runtime…

                  Sure, current unixes live with some legacy design decisions that actually tie everything closer to the C language — like the errno example — but this doesn’t mean you can’t design a good ABI with “C-ish” ELF symbols.

                  1. 4

                    You seem to be arguing with a strawman here - I never said I was opposed to a syscall wrapper library, though it has problems of its own. I’m arguing against blithely routing everything through libc.

                    1. 1

                      If your language design just really really does not want to use syscall wrappers because it uses a completely alien calling convention and weird stacks and calling a function with platform ABI would incur performance overhead…

                      So resizable stacks are a bad thing?

                      1. 1

                        So this is a bit late as a comment. But not necessarily! The kernel doesn’t use your stack, it uses its own stack. So you really don’t very much stack space for these calls, and you could document and stabilise as part of the ABI the amount of required stack space needed to call these functions.

                        1. 2

                          So you really don’t very much stack space for these calls

                          Yes you do.

                          1. 1

                            Any stack intensive functions can do a stack switch

                            1. 1

                              That’s what Go does.

                              The problem is that this adds overhead, so in order for Go to remain competitive, it must avoid stack switches for hot functions like time().

                              1. 1

                                The problem is that the system calls and libc are designed around big C-style stacks, so they expect effectively infinite stack space to be available. If you designed a libc that was intended to be used from languages with unusual/little stack space available, I would imagine that it would be possible to design things you can provide an ABI guarantee of a maximum amount of stack usage per function in your API. I believe that in embedded systems programming it’s quite common to work out your maximum possible stack space, with compiler help, and then just manually allocate that much stack space for that thread at compile time.

                                On 64-bit systems with virtual memory, just overcommitting ~10MiB of stack for every thread and letting virtual memory handle growing it in 4KiB chunks seems like the best, simplest approach. That’s what I’ve done in my implementation of fibres. Virtual address space is rather plentiful.

                                1.  

                                  This, of course, means that every thread always uses at least 4 KB just for the stack. Golang’s default stack size on Linux was, at least at one point, 2KB.

                                  1.  

                                    That’s a very tiny overhead for the simplicity and performance advantages of trivial C interop.

                    2. 3

                      For better or for worse, C is the Unix ABI. It’s not its contemporaries where calling conventions were either ill defined (mainframe stuff, PCs) or very language neutral (VMS, i).

                      1. 2

                        I think you’re looking at this from the wrong perspective. The SYSV ABI was standardized by SCO, and includes the ELF standard. It also happens to standardize the calling convention, and the way parameters about arguments (argc/argv) and the system (auxv) are passed to a program. It standardizes a lot more than that. Because of it being the System V Application Binary Interface, Linux and the BSDs chose to implement and follow that.

                        For many reasons, the C standards committee chose the SYSV ABI as the calling convention for the C language.

                        The C language ABI isn’t being forced on other languages, the C language chose the SYSV ABI as a base.

                        Edit:

                        everyone’s favorite case of errno, which you consult to get the error value from a failed system call (and from some failed library calls).

                        Eh? Linux system calls are returned in rax, and I assume that’s the case for OpenBSD too?

                        1. 4

                          Linux system calls are returned in RAX IF you use the raw system call ABI. If you use libc, then you need to check errno.

                          BSD system calls are returned in RAX:RFLAGS[OF], with OF acting as an error bit.

                          1. 2

                            The ABI is a different concern. I think that it’s reasonable to make an arbitrary programming language capable of speaking the C ABI. I am specifically talking about routing syscalls through libc.

                          2. 1

                            From my point of view, syscalls are another calling convention that occasionally leads to the C code in the kernel anyway. If platform (i.e. OpenBSD) developers want us to use cdecl instead of int 80h, then it’s fine as long as the ABI is specified.

                            The main difference from the C calling convention here is that usually the kernel won’t mess with your stack. Although, I think it’s possible for libc to wrap all function calls with switch to some internal stack, and use some dynamic linker tricks or just defines in C headers to actually call wrappee in programs that use traditional C ABI.

                            language design is much stronger when its compiler, runtime, stdlib, and so on - are all implemented in that language

                            This, however, is not a barrier to implementing FFI in that language.

                            1. 1

                              If platform (i.e. OpenBSD) developers want us to use cdecl instead of int 80h, then it’s fine as long as the ABI is specified.

                              I mostly agree. Is the ABI specified and stable though?

                          1. 9

                            Ask yourself “is this my opinion?” – This is so important. Engineers that keep making comments based on unproved opinions can slow down the whole project, and bring no benefits.

                            1. 2

                              Yes and no. Sometimes something is an opinion but ultimately you should still pick A or B and not a mixture of the two. Is there any actual evidence that brace position affects correctness or readability? No. But inconsistent brace position probably does, and while it might be based on someone’s opinion, picking one or the other way of putting in curly braces needs to be done.

                              What really frustrates me is that most code review systems (including the GitHub pull request model) have poor support for ‘this looks good I’ll just clean up the style issues with it before I merge it’. The effort to just go and fix the issues immediately is so much lower than marking the style issues, asking for them to be fixed, the person fixing them, them pushing again, me pointing out one they missed because I didn’t spend half an hour going through and marking every little instance, them doing it (probably annoyed themselves by now), them pushing, me finally approving and merging.

                            1. -3

                              I know that it’s is possible to use FreeBSD for development, but I don’t think anyone should, practically speaking.

                              A post like “Can you use Windows for a developer machine in 2020” would interest me more. Because it seems like everyone is either using Mac or Linux these days.

                              1. 16

                                I don’t think anyone should, practically speaking.

                                Why?

                                1. 1

                                  The reason is sum up nicely in the article already. IMO, if the software selection is the same, if I still use Gnome, still use bash, still use Emacs there is little reason to choose the OS with inferior hardware and community supported.

                                  1. 3

                                    Why should the default assumption be that you use Linux unless you have some especially good reason to use BSD? If FreeBSD meets your needs and Linux meets your needs, why should that mean that you use Linux?

                                    Personally, after using OpenBSD on one of my laptops for a couple of weeks I’m keen to use it wherever I can. It’s incredibly well documented, stable and simple. It’s just well designed through and through. OpenBSD vs Linux today feels like Linux vs Windows did 12-15 years ago: limited laptop hardware support (only really thinkpads can be relied upon to work) and poor power/thermal management in exchange for much better design, system layout and understandability.

                                    1. 3

                                      If FreeBSD meets your needs and Linux meets your needs, why should that mean that you use Linux?

                                      Speaking just for myself, if both are equally goods for my needs, I’ll surely go with the more popular option.

                                    2. 3

                                      The software selection being the same is only part of the story. If you can get the same software packages you need for Linux in FreeBSD, you’ll likely see the underlying system is far more stable and performs better. That’s the big advantage.

                                      1. 4

                                        Debian/Ubuntu is stable enough for daily usage, I wouldn’t ask for more stability. As in your article

                                        Once you get it configured, it can “stay out of your way” while you get real work done

                                        I has the same experience with Debian/Ubuntu. Maybe I’ll need to seriously gave BSD a try some day (I never manage to get it fully working on any hardware I had), but I’m pretty happy with Linux today.

                                        1. 3

                                          If you can get the same software packages you need for Linux in FreeBSD, you’ll likely see the underlying system is far more stable and performs better. That’s the big advantage.

                                          This is only anecdotal evidence, but the last time I had a kernel panic it was when I tried FreeBSD. Do you have any quantitative evidence that FreeBSD is more stable and performs better?

                                    3. 3

                                      True! Though with WSL the Windows world is catching up. It’s not the same as actual Linux, but a step in the right direction.

                                      1. 1

                                        Why is it not the same? WSL2 actually runs a Linux kernel under HyperV. You can even run an X server and have the same graphical programs. The only thing that does not really work are Wayland applications (AFAIK).

                                        1. 1

                                          I think certain issues still exist (AFAIK?), but hopefully will be resolved soon.

                                          1.  

                                            For me, filesystem issues are a complete deal breaker. I have no OS options at work and can only use Windows and while its a decent work machine, I still feel that my Linux workstation and laptop at home run rings around it.

                                    1. 3

                                      I should note that C11 did introduce a few limited functions to work with UTF-8 specifically; <uchar.h> defines char16_t and char32_t as well as mbrtoc16 (multibyte char to char16_t), c16rtomb (char16_t to multibyte char), mbrtoc32 (multibyte char to char32_t) and c32rtomb (char32_t to multibyte char). For the purposes of this specific article, however, this is not very helpful: toupper/towupper are only defined for char and wchar_t, respectively; however, you’re not guaranteed that wchar_t can actually represent a char32_t, so uppercasing remains very hard.

                                      Grapheme clusters make this seemingly simple tasks even harder, and this is all before realizing that these functions are also locale-dependent (necessarily so, plus this also means they are OS-dependent) because of regional variations.

                                      1. 4

                                        I should note that C11 did introduce a few limited functions to work with UTF-8 specifically

                                        How are any of the things you mention for UTF-8 specifically? C11 doesn’t guarantee UTF-8 interpretation for mb arguments. The interpretation depends on locale, AFAIK C11 doesn’t guarantee the availability of UTF-8 locales (and in practice, there exist Windows versions that don’t have UTF-8 locales), and changing the locale affects all threads, so you can’t change the locale from within a multithreaded program.

                                        C11 doesn’t guarantee UTF-16 semantics for char16_t or UTF-32 semantics for char32_t. This is even less sensible than not guaranteeing two’s complement math. At least when C got the possibility of non-two’s complement math, non-two’s complement hardware existed. When char16_t and char32_t were introduced, there were no plausible alternatives for UTF-16 and UTF-32 semantics. C++20 guarantees UTF-16 and UTF-32 semantics for char16_t and char32_t.

                                        1. 2

                                          C11, § 7.28(1):

                                          The header <uchar.h> declares types and functions for manipulating Unicode characters.

                                          (emphasis mine) J.3.4 on undefined behavior:

                                          The encoding of any of wchar_t, char16_t, and char32_t where the corresponding standard encoding macro (__STDC_ISO_10646__, __STDC_UTF_16__, or __STDC_UTF_32__) is not defined (6.10.8.2).

                                          I suppose you could read that as not necessarily meaning UTF-8 (or UTF-16 or UTF-32) if these specific macros are not defined, but at that point, an implementation is just so obviously insane that it’s no use trying to deal with it.

                                          Incidentally, you may find it interesting that a recent draft of C2x has dropped two’s complement support, see the mention of N2412 on p. ii.

                                          1. 4

                                            dropped two’s complement support

                                            You had me panicking for a moment, but looking at that PDF it looks like they’ve accepted N2412, which means they’ve guaranteed two’s complement support and dropped support for other sign representations.

                                            1. 2

                                              Right, I meant to say “dropped everything but two’s complement”, my bad. Not that I can edit it anymore.

                                            2. 2

                                              I suppose you could read that as not necessarily meaning UTF-8 (or UTF-16 or UTF-32) if these specific macros are not defined, but at that point, an implementation is just so obviously insane that it’s no use trying to deal with it.

                                              Those macros being defined mean that wchar_t has UTF-32 semantics, char16_t has UTF-16 semantics, and char32_t has UTF-32 semantics. None of those are about UTF-8.

                                              Incidentally, you may find it interesting that a recent draft of C2x has dropped two’s complement support, see the mention of N2412 on p. ii.

                                              Fortunately, reasonable things flow from the C++ committee to the C committee.

                                              1. 0

                                                C++ is a prescriptive standard. It describes what it wants the world to be, and then hopes the world catches up. You can do that when the entire language community is on board and the language is complex enough to only have a few implementations.

                                                C is a descriptive standard. C runs on a massive range of hardware. C cannot afford to exclude real existing hardware targets that work in weird ways. Ones complement and signed magnitude integers really do exist in hardware. It wasn’t unreasonable to support them.

                                                Now that C has threading and atomics and is ballooning in scope it’s probably not implementable on those computers anyway, and they can just stick with C89. Getting rid of that support today, now that those platforms are so insanely obscure, is probably fine. But it was not unreasonable to support them in 1989 or 1999.

                                                1. 4

                                                  C++ and C are quite a bit closer together in this regard. z/OS and AIX character encoding issues show up frustratingly often on C++ standardization context.

                                            3. 0

                                              I wouldn’t expect C to guarantee UTF-8 for argv, if I’m understanding your comment correctly. C is a descriptive standard, and the world it’s describing is not universally UTF-8, even on the systems where it is most popular. Pathnames in Linux, for example, are not UTF-8, they are arbitrary null-terminated strings of bytes.

                                              1. 2

                                                Short note: path names in Rust are of “OsStr/OsString” type, which “String” can be converted into, but the other way around is falliable.

                                                Both have mappings to “Path/PathBuf”.

                                                1. 0

                                                  Yes path names are of type OsStr, but command line arguments as returned by std::env::args are Strings, which means that your code works fine until it panics in production one day because someone passed a non-UTF-8 path name and std::env::args tries to turn it into a String even though you’re just going to turn it back into an OsStr anyway.

                                                2. 2

                                                  My point is that, AFAICT, contrary to your up-thread comment, C11 provides no facilities that you can actually trust to do UTF-8 processing in a cross-platform way. (If you know the program will run on macOS or OpenBSD, then you can rely on certain functions performing UTF-8 operations.)

                                                  1. 1

                                                    I have not made any comments suggesting that C11 provides UTF-8 support.

                                                    C2x should have char8_t, however.

                                                    1. 3

                                                      Sorry, I meant xorhash’s comment upthread.

                                            1. 13

                                              I disagree with this post.

                                              If messages can be sent in plaintext, they will be sent in plaintext.

                                              That’s not a bad thing. If the person you are communicating with doesn’t care about encrypting the conversation then they don’t care about the confidentiality of the conversation and encrypting the messages is a waste of everyone’s time, a waste of computing resources and false security anyway. You cannot have secure communication between parties that do not care about security, in my opinion.

                                              Metadata is as important as content, and email leaks it.

                                              Metadata is not important data. That I sent a message to someone at a particular time is known to someone whether it’s a peer-to-peer service in which case it’s all the links between us, or a centralised service in which case it’s the service provider. Either way, everyone is aware I sent a message, and in both cases someone knows who I sent a message to. You should not trust anyone with genuinely important information that genuinely needs to be encrypted. If it’s a centralised service, then the service provider knows, and you should assume everyone knows.

                                              A centralised messaging service might have end-to-end encrypted messages but it cannot have end-to-end encrypted metadata for the obvious reason that it can tell where it has got messages from and it can tell where the messages it’s relaying are meant to go.

                                              If you are sending anything over the public internet, who sent the message, when it was sent, how big it is, who it is to, etc. is public information. The metadata of your Signal messages is public information.

                                              Every archived message will eventually leak.

                                              If I send you a message, and you decrypt it, you are responsible for its confidentiality. I cannot in any technological way prevent you from leaking the message. You can take a screenshot of the programme showing you the message, you can take a photo of your phone or computer screen, you can print it out, you can read it aloud, you can copy it by hand onto some paper. Part of sending someone a message is acknowledging that, regardless of the social norms around confidentiality, there’s no technological means of forcing someone to keep a secret. There are no Unbreakable Vows in the real world.

                                              This really goes back to the first point: if the person you are communicating with doesn’t care about security, you are not communicating securely no matter how many technological safeguards you try to put in place. At some point, they will fuck up, because they do not care. Auto-deleting messages just give a false sense of security. They’re like password expiry dates: all they do is encourage people to write things down. I’d rather my message was archived on their encrypted hard drive than written down on a piece of paper ‘because it will disappear otherwise’.

                                              etc. etc. It just goes on, repeating the same false and misleading statements about how encryption and trust and communication actually work. Ultimately, if you cannot trust the person you are communicating with and you cannot trust that they care about security, then your communications with them are not secure and the only form of ‘security’ you should bother with is the basic TLS level of just ensuring that dragnet surveillance won’t be able to passively eavesdrop on your conversations. But any kind of targeted surveillance will easily compromise your conversation, so don’t give yourself a false sense of security trying to harden yourself against something that you inherently cannot prevent.

                                              1. 15

                                                First of all, you completely ignored the forward secrecy and key rotation part. That’s kind of the killer, here – in order to support these things, you have to actually negotiate a key, which pretty much wrecks the whole “regular email with an encrypted payload” thing. The rest of this discussion is almost completely irrelevant compared to the lack of forward secrecy.

                                                But anyway…

                                                There are actual solutions for the metadata problem, particularly Mix networks like the recently-brought-to-my-attention Loopix system and the older MixMinion. I would rather use Loopix than Signal, all else being equal, because metadata is really useful. Tell me who you’re with, and I can pretty much figure out who you are even if I can’t actually read your email. And that’s before we start asking uncomfortable questions about the Subject line.

                                                I’d rather use a mixnet than Signal, but I’d still rather use Signal than PGP, for mostly the same reason that the author gave, and the reason that you didn’t address. The UX for the widely-available PGP email systems is really, really bad because they fail open. A well-designed security system should fail by erroring out, not by falling back to plaintext. If someone makes a mistake while using the encryption system, it is not proof that they don’t care. It is, at worst, proof of ignorance, and everyone is ignorant when they start out. It is easy to accidentally send an unencrypted email in most encryption-enabled clients. It is almost impossible to accidentally use email instead of Signal, specifically because the applications are completely separate.

                                                This is the same reason why I would run a Tor hidden service, even if I myself don’t care about my own anonymity, if I expected a lot of anonymity-sensitive users. If someone tries to use an onion site without actually using Tor, the site will not load, and they will immediately notice and correct the mistake. Even if your site offers both an onion address alongside a clearnet address, it at least acts as double-confirmation; someone who wants to use Tor would have to simultaneously use a clearnet browser and a clearnet address in order to accidentally leak their identity to me.

                                                I agree with you that auto-deleting messages are dumb, but seriously, the lack of forward secrecy ought to be enough. The part about making it harder to accidentally send a plaintext message is just a UX improvement that you take at the same time that you do the forward secrecy fix.

                                                1. 4

                                                  First of all, you completely ignored the forward secrecy and key rotation part. That’s kind of the killer, here – in order to support these things, you have to actually negotiate a key, which pretty much wrecks the whole “regular email with an encrypted payload” thing.

                                                  I’m not going to nitpick every single line of the post.

                                                  The rest of this discussion is almost completely irrelevant compared to the lack of forward secrecy.

                                                  I honestly don’t think that forward secrecy is that important.

                                                  There are actual solutions for the metadata problem, particularly Mix networks like the recently-brought-to-my-attention Loopix system and the older MixMinion. I would rather use Loopix than Signal, all else being equal, because metadata is really useful. Tell me who you’re with, and I can pretty much figure out who you are even if I can’t actually read your email.

                                                  I think this is really just security through obscurity. It’s not a bad thing, of course. But it seems to me that it really just protects metadata from dragnet surveillance in the same way that SMTPS/IMAPS protects data from dragnet surveillance. It doesn’t really prevent any targeted attacks.

                                                  I’d rather use a mixnet than Signal, but I’d still rather use Signal than PGP, for mostly the same reason that the author gave, and the reason that you didn’t address. The UX for the widely-available PGP email systems is really, really bad because they fail open. A well-designed security system should fail by erroring out, not by falling back to plaintext.

                                                  I’ve never had any issues with the UI for PGP email. I see the same complaints about PGP all the time and frankly people seem to want a magical solution to a problem that doesn’t have any solution: public key encryption is a fairly complicated thing and users need to understand it to use it. You can’t get around that.

                                                  If someone makes a mistake while using the encryption system, it is not proof that they don’t care. It is, at worst, proof of ignorance, and everyone is ignorant when they start out. It is easy to accidentally send an unencrypted email in most encryption-enabled clients. It is almost impossible to accidentally use email instead of Signal, specifically because the applications are completely separate.

                                                  I want it to be easy to send an unencrypted email, because I want to send lots of unencrypted emails. I don’t want all my emails to be encrypted. Most of them don’t need to be encrypted. Emails I’m sending to public mailing lists don’t need to be and shouldn’t be encrypted, as that just provides a false sense of security.

                                                  I don’t want the applications to be completely separate. I think instant messaging (which is what Signal is and is for) should be separate from email, and for instant messaging things like always-on encryption probably does make sense. But email isn’t just for messaging privately to people you know, it’s used for loads of things where encryption isn’t appropriate, like mailing lists.

                                                  I know some people think that mailing lists should be replaced with online forums or reddit or something, but I personally like mailing lists a lot more than reddit or even than old phpBB-style forums.

                                                  This is the same reason why I would run a Tor hidden service, even if I myself don’t care about my own anonymity, if I expected a lot of anonymity-sensitive users. If someone tries to use an onion site without actually using Tor, the site will not load, and they will immediately notice and correct the mistake. Even if your site offers both an onion address alongside a clearnet address, it at least acts as double-confirmation; someone who wants to use Tor would have to simultaneously use a clearnet browser and a clearnet address in order to accidentally leak their identity to me.

                                                  I agree with you that auto-deleting messages are dumb, but seriously, the lack of forward secrecy ought to be enough. The part about making it harder to accidentally send a plaintext message is just a UX improvement that you take at the same time that you do the forward secrecy fix.

                                                  To me this is just optimising for stupid. If someone opens your website in Firefox instead of the Tor browser, they obviously don’t really care about their anonymity that much. If they really were worried they were being tracked by a government entity or something they’d be careful, constantly.

                                                  1. 1
                                                  2. 5

                                                    Wrong / misleading in more than one way:

                                                    If messages can be sent in plaintext, they will be sent in plaintext.

                                                    That’s not a bad thing. If the person you are communicating with doesn’t care about encrypting the conversation then they don’t care about the confidentiality of the conversation and encrypting the messages is a waste of everyone’s time, a waste of computing resources and false security anyway. You cannot have secure communication between parties that do not care about security, in my opinion.

                                                    It is possible to use unsafe mechanical equipment in a safe way. That doesn’t mean adding safety features is a bad idea.

                                                    Yep, people can (and do) still jam the dead man switch, remove the covers etc but on average less people get maimed and killed now than before.

                                                    Metadata is as important as content, and email leaks it.

                                                    Metadata is not important data.

                                                    If you can prove I sent a message to someone I was supposed to not tell I’m in trouble even if you cannot tell the exact contents of the message.

                                                    That I sent a message to someone at a particular time is known to someone whether it’s a peer-to-peer service in which case it’s all the links between us, or a centralised service in which case it’s the service provider. Either way, everyone is aware I sent a message, and in both cases someone knows who I sent a message to.

                                                    Emphasis mine. This does not necessarily follow. It depends on your threat model.

                                                    You should not trust anyone with genuinely important information that genuinely needs to be encrypted. If it’s a centralised service, then the service provider knows, and you should assume everyone knows.

                                                    Again: Threat model.

                                                    If you are sending anything over the public internet, who sent the message, when it was sent, how big it is, who it is to, etc. is public information.

                                                    I had a hard time figuring out what you meant here, one interpretation that makes it correct is if by “over the public internet” you mean if you send it by mail. You can do a lot to make sure this isn’t public information.

                                                    The metadata of your Signal messages is public information.

                                                    No. I’m not the biggest Signal fan (not open, Signal fans are seriously annoying etc), but let’s stick to the facts:

                                                    Signal messages including metadata are encrypted in transit and discarded afterwards.

                                                    Just like my 20 year old email hotmail messages aren’t public information, neither is the metadata from my Signal messages.

                                                    1. 1

                                                      metadata Who talks to who is of a high interest among surveillance agencies, perhaps the central nerve.

                                                    2. 2

                                                      Metadata is not important data. That I sent a message to someone at a particular time is known to someone whether it’s a peer-to-peer service in which case it’s all the links between us, or a centralised service in which case it’s the service provider.

                                                      The amount of stuff that can be worked out just from metadata might surprise you. And the fact that modern secure messaging systems are working to make it harder for third parties to snoop on even the graph of who talks to whom should be a hint that maybe it is an important part of security.

                                                      1. 0

                                                        There’s no reasonable expectation of privacy with metadata. It doesn’t matter what data can be worked out AT ALL. That’s not what’s in question.

                                                        If I send you a letter, that I sent you a letter is not private. The postman knows, the government is allowed to know, it might as well be public. What I sent you is private. Nobody is allowed to look in. We should be turning those legal privacies into technical, mathematical privacy. We shouldn’t be inventing new types of privacy and just assuming without any actually debate that privacy maximalism is philosophically correct.

                                                        1. 3

                                                          If I send you a letter, that I sent you a letter is not private.

                                                          Only if you put your name on the outside of the envelope, surely? Otherwise, yes, it’s completely private who and where the letter originated from because …

                                                          Nobody is allowed to look in.

                                                    1. 65

                                                      What should people use instead?

                                                      Real secure messaging software. The standard and best answer here is Signal,

                                                      Oh please. They aren’t even close to sharing the same level of functionality. If I want to use Signal, I have to commit to depending on essentially one person (moxie) who is hostile towards anyone who wants to fork his project, and who completely controls the server/infrastructure. And I’d have to severely limit the options I have for interfacing with this service (1 android app, 1 ios app, 1 electron [lol!] desktop app). None of those are problems/restrictions with email.

                                                      I don’t know what the federated, encrypted ‘new’ email thing looks like, but it’s definitely not Signal. Signal is more a replacement for XMPP, if perhaps you wanted to restrict your freedom, give away a phone number, and rely on moxie.

                                                      1. 12

                                                        I think Matrix is getting closer to being a technically plausible email and IM replacement.

                                                        The clients don’t do anything like html mail, but I don’t think I’d miss that much, and the message format doesn’t forbid it either.

                                                        1. 27

                                                          If you can’t send patches to mailing lists with them then they’re not alternatives to email. Email isn’t just IM-with-lag.

                                                          1. 5

                                                            Email can be exported as text and re-parsed by Perl or a different email client.

                                                            Until that functionality is available, I won’t consider something a replacement for email.

                                                            1. 4

                                                              In all fairness: cmcaine says “Matrix is getting closer”.

                                                              1. 3

                                                                Matrix is a federated messaging platform, like XMPP or email. You could definitely support email-style use of the system it’s just that the current clients don’t support that. The protocol itself would be fine for email, mailing lists and git-send-email.

                                                                The protocol also gives you the benefits of good end-to-end encryption support without faff, which is exactly what general email use and PGP don’t give you.

                                                                1. 2

                                                                  Adding patch workflow to Matrix is no different to adding it to XMPP or any other messaging solution. Yes, it is possible but why?

                                                                  I can understand you like Matrix but it’s not clear how Matrix is getting closer to e-mail replacement with just one almost-stable server implementation and the spec that’s not an IETF standard. I’d say Matrix is more similar to “open Signal” than to e-mail.

                                                                  1. 2

                                                                    “Getting closer” is a statement towards the future, yet all of your counter arguments are about the current state.

                                                                    1. 2

                                                                      If I only knew the future I’d counter argument that but given that the future is unknown I can only extrapolate the current and the past. Otherwise Matrix may be “getting closer” to anything.

                                                                      Do you have any signs that Matrix is getting e-mail patch workflow?

                                                                2. 2

                                                                  Mailing lists could move to federated chatrooms. They moved from Usenet before, and in some communities moved to forums before the now common use of Slack.

                                                                  I’m not saying it would be the best solution, but it’s our most likely trajectory.

                                                                  1. 6

                                                                    Mailing lists existed in parallel with Usenet.

                                                                    1. 5

                                                                      Both still exist :)

                                                                      I do think, actually, that converting most public mailing lists to newsgroups would have a few benefits:

                                                                      1. It’d make their nature explicit.
                                                                      2. It’d let us stop derailing designs for end-to-end encryption with concerns that really apply only to public mailing lists.
                                                                      3. I could go back to reading them using tin.

                                                                      Snark aside, I do think the newsgroup model is a better fit for most asynchronous group messaging than email is, and think it’s dramatically better than chat apps. Whether you read that to mean slack or any of the myriad superior alternatives to slack. But that ship sailed a long time ago.

                                                                      1. 3

                                                                        Mailing lists are more useful than Usenet. If nothing else, you have access control to the list.

                                                                        1. 2

                                                                          Correct, and the younger generation unfamiliar with Usenet gravitated towards mailing lists. The cycle repeats.

                                                                        2. 4

                                                                          Mailing lists don’t use slack and slack isn’t a mailing list. Slack is an instant messaging service. It has almost nothing in common with mailing lists.

                                                                          It’s really important to drive this point home. People critical of email have a lot of good points. Anyone that has set up a mail server in the last few years knows what a pain it is. But you will not succeed in replacing something you don’t understand.

                                                                          1. 4

                                                                            The world has moved on from asynchronous communication for organizing around free software projects. It sucks, I know.

                                                                            1. 3

                                                                              Yeah. Not everyone, though.

                                                                              Personally I think that GitHub’s culture is incredibly toxic. Only recently have there been tools added to allow repository owners to control discussions in their own issues and pull requests. Before that, if your issue got deep linked from Reddit you’d get hundreds of drive by comments saying all sorts of horrible and misinformed things.

                                                                              I think we’re starting to see a push back from this GitHub/Slack culture at last back to open, federated protocols like SMTP and plain git. Time will tell. Certainly there’s nothing stopping a project from moving to {git,lists}.sr.ht, mirroring their repo on GitHub, and accepting patches via mailing list. Eventually people will realise that this means a lower volume of contributions but with a much higher signal to noise ratio, which is a trade-off some will be happy to make.

                                                                              1. 2

                                                                                Only recently have there been tools added to allow repository owners to control discussions in their own issues and pull requests. Before that, if your issue got deep linked from Reddit you’d get hundreds of drive by comments saying all sorts of horrible and misinformed things.

                                                                                It’s not like you used to have levers for mailing lists, though, that would stop marc.org from archiving them or stop people from linking those marc.org (or kernel.org) threads. And drive-bys happened from that, too. I don’t think I’m disputing your larger point. Just saying that it’s really not related to the message transfer medium, at least as regards toxicity.

                                                                                1. 3

                                                                                  Sure, I totally agree with you! Drive-bys happen on any platform. The difference is that (at least until recently) on GitHub you had basically zero control. Most people aren’t going to sign up to a mailing list to send an email. The barrier to sending an email to a mailing list is higher than the barrier to leaving a comment on GitHub. That has advantages and disadvantages. Drive-by contributions and drive-by toxicity are both lessened. It’s a trade-off I think.

                                                                                  1. 3

                                                                                    I guess I wasn’t considering a mailing list subscription as being meaningfully different than registering for a github account. But if you’ve already got a github account, that makes sense as a lower barrier.

                                                                      2. 5

                                                                        Matrix allows sending in the clear, so I suppose this has the “eventually it will leak” property that the OP discussed?

                                                                        (A separate issue: I gave up on Matrix because its e2e functionality was too hard to use with multiple clients)

                                                                        1. 5

                                                                          (A separate issue: I gave up on Matrix because its e2e functionality was too hard to use with multiple clients)

                                                                          and across UA versions. When I still used it I got hit when I realized it derived the key using the browser user agent, so when OpenBSD changed how the browser presented itself I was suddenly not able to read old conversations :)

                                                                          1. 2

                                                                            Oh! I didn’t know that!

                                                                      3. 5

                                                                        Functionality is literally irrelevant, because the premise is that we’re talking about secure communications, in cases where the secrecy actually matters.

                                                                        Of course if security doesn’t matter then Signal is a limited tool, you can communicate in Slack/a shared google doc or in a public Markdown document hosted on Cloudflare at that point.

                                                                        Signal is the state of the art in secure communications, because even though the project is heavily driven by Moxie, you don’t actually need to trust him. The Signal protocol is open and it’s basically the only one on the planet that goes out of it’s way to minimize server-side information storage and metadata. The phone number requirement is also explicitly a good design choice in this case: as a consequence Signal does not store your contact graph - that is kept on your phone in your contact store. The alternative would be that either users can’t find each other (defeating the point of a secure messaging tool) or that Signal would have to store the contact graph of every user - which is a way more invasive step than learning your phone number.

                                                                        1. 9

                                                                          even though the project is heavily driven by Moxie, you don’t actually need to trust him

                                                                          Of course you must trust Moxie. A lot of the Signal privacy features is that you trust them not to store certain data that they have access to. The protocol allows for the data not to be stored, but it gives no guarantees. Moxie also makes the only client you can use to communicate with his servers, and you can’t build them yourself, at least not without jumping hoops.

                                                                          The phone number issue is what’s keeping me away from Signal. It’s viral, in that everyone who has Signal will start using Signal to communicate with me, since the app indicates that they can. That makes it difficult to get out of Signal when it becomes too popular. I know many people that cannot get rid of WhatsApp anymore, since they still need it for a small group, but cannot get rid of the larger group because their phone number is their ID, and you’re either on WhatsApp completely or you’re not. Signal is no different.

                                                                          And how can you see that a phone number is able to receive your Signal messages? You have to ask the Signal server somehow, which means that Signal then is able to make the contact graph you’re telling me Signal doesn’t have. They can also add your non-Signal friends to the graph, since you ask about their numbers too. Maybe you’re right and Moxie does indeed not store this information, but you cannot know for sure.

                                                                          What happens when Moxie ends up under a bus, and Signal is bought by Facebook/Google/Microsoft/Apple and they suddenly start storing all this metadata?

                                                                          1. 5

                                                                            Signal is a 501c3 non-profit foundation in the US, Moxie does not control it nor able to sell it. In theory every organization can turn evil but there is still a big difference between non-profits who are legally not allowed to do certain things vs corporations who are legally required to serve their shareholders, mostly by seeking to turn a profit.

                                                                            And how can you see that a phone number is able to receive your Signal messages? You have to ask the Signal server somehow, which means that Signal then is able to make the contact graph you’re telling me Signal doesn’t have.

                                                                            There are two points here that I’d like to make, one broader and one specific. In a general sense, Signal does not implement a feature until they can figure out how to do that securely and with leaking as little information as possible. This has been the pattern for basically almost every feature that Signal has. Specifically, phone numbers are the same: The Signal app just sends a cryptographically hashed, truncated version of phone numbers in your address book to the server, and the server responds with the list of hashes that are signal users. This means that Signal on the server side knows if any one person is a Signal user, but not their contact graph.

                                                                            1. 3

                                                                              In theory every organization can turn evil

                                                                              Every organization can also be bought by an evil one. Facebook bought WhatsApp, remember?

                                                                              The Signal app just sends a cryptographically hashed, truncated version of phone numbers in your address book

                                                                              These truncated hashes can still be stored server-side, and be used to make graphs. With enough collected data, a lot of these truncated hashes can be reversed. Now I don’t think Signal currently stores this data, let alone do data analysis. But Facebook probably would, given the chance.

                                                                              1. 6

                                                                                Every organization can also be bought by an evil one. Facebook bought WhatsApp, remember?

                                                                                WhatsApp was a for-profit company, 501(c)3 work under quite different conditions. Not saying they can’t be taken over, but this argument doesn’t cut it.

                                                                          2. 3

                                                                            The phone number requirement is also explicitly a good design choice

                                                                            No, it’s an absolutely terrible choice, just like it is a terrible choice for ‘two factor authentication’

                                                                            Oh but Signal users can always meet in person to re-verify keys, which would prevent any sim swap attack from working? No, this (overwhelmingly) doesn’t happen. In an era where lots of people change phones every ~1-2yr, it’s super easy to ignore the warning because 99% of the time it’s a false positive.

                                                                            The alternative would be that either users can’t find each other (defeating the point of a secure messaging tool)

                                                                            This is a solved problem. I mean, how do you think you got the phone numbers for your contacts in the first place? You probably asked them, and they probably gave it to you. Done.

                                                                          3. -8

                                                                            Careful there… you can’t say bad things about electron in here….

                                                                          1. 1

                                                                            No idea what this is. Any chance of an explanation?

                                                                            1. 2

                                                                              It is a versioned triplestore database with “pull-request” mechanic. It somewhat inspired from datomic and rely on FoundationDB and django.

                                                                              Here is quick tour https://www.youtube.com/watch?v=wqbYfuOhG9w

                                                                            1. 3

                                                                              This is a great article!

                                                                              I loved both the C part (which did not surprise me at all) and the Rust part (where everything was new to me). I am left with the somewhat strange feeling that I actually prefer the C way of doing things. The “simple” Rust program does too many things under the hood and this makes me uncomfortable.

                                                                              1. 8

                                                                                you prefer the subtly broken implementation that half works on latin-1 left-to-right text? Imagine this on japanese or korean, or in a right to left script like arabic or hebrew. You can still use OSstring in rust or access the raw bytes if you need to, but why not use the safe version by default?

                                                                                1. 1

                                                                                  The thing is that both implementations may be broken, but the C code is more explicit. When it fails, or it receives bad input, I can look at the code that I have in front of me and understand why it fails, and maybe how to solve it. Let us say that the rust code receives a malformed argument string, where an invalid utf sequence contains a byte with the value ’ ’. What will happen? Will the iterator break? Or the upper case conversion? Or will my program break before even the first line of my program? I always get this kind of anguish about the inevitable impredictability when working in “high level” languages.

                                                                                  1. 11

                                                                                    Let us say that the rust code receives a malformed argument string, where an invalid utf sequence contains a byte with the value ’ ’. What will happen?

                                                                                    if I’m understanding your question correctly it’ll panic when it attempts to put it into a string, which is what the example in the article shows. What it won’t do is happily continue until it reads outside its buffer or causes some other error by corrupting memory.

                                                                                    When it fails, or it receives bad input, I can look at the code that I have in front of me and understand why it fails, and maybe how to solve it.

                                                                                    you may be able to, I don’t think I can. I don’t think I’m particularly inept, but this is incredibly subtle and complicated work that people get wrong all day every day

                                                                                    1. 8

                                                                                      The nice thing about Rust here is that “breaking” will usually consist of the program panicking and exiting without doing anything unexpected or dangerous. Most of the time, such panics are caused by unwrap or expect statements where you didn’t think an error case could happen, but it infact did.

                                                                                      What seems to be very common with the C bugs, and almost, but not quite entirely, unheard of in Rust (and other safe languages) is memory unsafety issues, including leaking, corruption, disclosure, and even RCE based on coding errors.

                                                                                      1. 5

                                                                                        Let us say that the rust code receives a malformed argument string, where an invalid utf sequence contains a byte with the value ’ ’. What will happen?

                                                                                        That depends on how you retrieve the arguments. If you want the user to pass only valid Unicode, you’d retrieve the process arguments with std::env::Args(), which will panic if any of the arguments are not valid Unicode. This enforces argument validity at the boundary of your program.

                                                                                        If arbitrary byte sequences make sense, too, you’d retrieve the process arguments with std::env::ArgsOs.

                                                                                        If you want valid Unicode arguments, but want to handle malformed input gracefully rather than panic, you’d retrieve the process arguments with std::env::ArgsOs, try to parse them to UTF-8 with OsStr::to_str, and handle success and failure of the parsing attempt.

                                                                                        match arg.to_str() {
                                                                                            Some(arg) => println!("valid UTF-8: {}", arg),
                                                                                            None => println!("not valid UTF-8: {:?}", arg),
                                                                                        }
                                                                                        

                                                                                        All of this is set out more elaborately in the article, starting at Now for some Rust.

                                                                                      2. 1

                                                                                        C strings are null terminated arrays of bytes, as they are defined in the standard. Sometimes those bytes represent text, sometimes they do not. Some text is encoded in ASCII, some in UTF-8, and some in other encodings. Some Unicode encodings, like UTF-16, can’t even be stored in a C string, because they contain null bytes.

                                                                                        This isn’t “subtly broken”, it’s just a different level of abstraction to Rust.

                                                                                      3. 4

                                                                                        Understandable take. What kind of under-the-hood manipulation of raw strings do you imagine needing? (Rust does provide ready access to the bytes of a String as needed, just in case.)

                                                                                      1. 13

                                                                                        I found this to be a lovely 30-minute read on C’s motivation, history, design, and surprising success. I marked down over 50 highlights in Instapaper.

                                                                                        If you haven’t written C in awhile, you should give it a try once more! Some tips: use a modern build of clang for great compiler error messages; use vim (or emacs/vscode) to be reminded C “just works” in editors; use a simple Makefile for build/test ergonomics.

                                                                                        In writing loops and laying out data in contiguous arrays and structures, remind yourself that C is “just” functions, data atoms, pointers, arrays, structs, and control flow (plus the preprocessor!)

                                                                                        Marvel at the timeless utility of printf, a five-decade-old debugging Swiss army knife. Remember that to use it, you need to #include <stdio.h>. As Ritchie laments here, C regrettably did not include support for namespaces and modules beyond a global namespace for functions and a crude textual include system.

                                                                                        Refresh your memory on the common header files that are part of the standard and needed for doing common ops with strings, I/O, or dynamic heap allocation. You can get a nice refresher on those in your browser here:

                                                                                        https://man.cs50.io/

                                                                                        Overall, you’ll probably regain some appreciation for the essence of programming, which C represents not due to an intricate programming language design with an extensive library, but instead due to a minimalist language design not too far from assembly, in which you simply must build your own library, or rely directly on OS system calls and facilities, to do anything useful. There is something to be said for languages so small they can truly fit in your head, especially when they are not just small, but also fast, powerful, stable, ubiquitous, and, perhaps, as timeless as anything in computing can be.

                                                                                        1. 5

                                                                                          I don’t think that a lack of namespaces is really something to lament. _ is prettier than ::. For all the handwringing you see about them, I’ve literally never seen a symbol clash in C ever.

                                                                                          1. 5

                                                                                            I love C and it continues to be my first language of choice for many tasks, but namespaces are the first thing I’d add to the language if I could. Once programs get beyond a certain size, you really need a setting between “visible to one file” and “visible EVERYWHERE”. (You can get some of the same effect by breaking your code up into libraries, but even then the visibility controls are either external to the language or non-portable compiler extensions!)

                                                                                            And for the record, I’d prefer an overload of the dot operator for namespaces. Or maybe a single-colon operator – some languages had that before the double-colon became ubiquitous.

                                                                                            1. 2

                                                                                              I tend to agree that this isn’t a huge issue in practice, especially since so very many large and well-organized C programs have been written (e.g. CPython, redis, nginx, etc.), and the conventions different teams use aren’t too far apart from one another. As you noted, they generally just group related functions together into files and name them using a common function namespace prefix, like ns_. But, clashes are possible, and it has meant C is used much more as a starting point for bespoke and self-contained programs (again, CPython, redis, and nginx are great examples), rather than as a programming environment to wire together many different libraries, as is common in Python, or even Go.

                                                                                              As dmr describes it in the OP, this is just a “smaller infelicity”.

                                                                                              Many smaller infelicities exist in the language and its description besides those discussed above, of course. There are also general criticisms to be lodged that transcend detailed points. Chief among these is that the language and its generally-expected environment provide little help for writing very large systems. The naming structure provides only two main levels, ‘external’ (visible everywhere) and ‘internal’ (within a single procedure). An intermediate level of visibility (within a single file of data and procedures) is weakly tied to the language definition. Thus, there is little direct support for modularization, and project designers are forced to create their own conventions.

                                                                                              1. 2

                                                                                                I don’t really think that namespaces are the reason people don’t use C for gluing together lots of other C programs and libraries. I think people don’t do that in C because things like Python and Bash are a million times more suitable for it in a million different ways, only one of which is namespaces.

                                                                                                Large systems don’t need to all be linked together with one big ld call. Large systems should be made up of small systems interacting over standardised IPC mechanisms, each of which of course have their own independent namespaces.

                                                                                                There’s also the convention we see of lots of tiny files, which is probably not actually necessary today. It made more sense in there days of centralised version control and global file locking in very old version control systems where merging changes from multiple people was difficult or impossible and one person working on a file meant nobody else could. But today, most modules should probably be one file. Why not?

                                                                                                For example, OpenBSD drivers are usually a single .c file, for example, and they recommend that people porting drivers from other BSDs merge all the files for that driver into one. I actually find this easier to understand: it’s easier for me to navigate one file than a load of files.

                                                                                            2. 4

                                                                                              If you haven’t written C in awhile, you should give it a try once more! Some tips: use a modern build of clang for great compiler error messages; use vim (or emacs/vscode) to be reminded C “just works” in editors; use a simple Makefile for build/test ergonomics.

                                                                                              I am going through the Writing An Interpreter In Go book but in C (which is totally new to me, coming from a JavaScript background) and it’s been the most fun I had in years. I’m actually starting to get quite fond of the language and the tooling around it (like gdb and valgrind).

                                                                                              1. 2

                                                                                                I recommend you take a look at http://craftinginterpreters.com as well, if you want something similar for C. The book is in two parts: the first part a very simple AST-walking interpreter written in Java, the second part a more complex interpreter that compiles the language to bytecode and has a VM, closures, GC, and other more complicated features, written in C. If you’ve already read Writing An Interpreter In Go you can probably skip the Java part and just go straight to the C part.

                                                                                                1. 3

                                                                                                  Thanks, I will (after I’m done with this). I actually really liked it that the book is in Go but my implementation in C, as it made it a bit more exciting for me to think about how I would structure things in C and see what the tradeoffs are versus doing it in Go. Otherwise I’d be tempted to skip entire chapters and just re-use the author’s code, which obviously doesn’t help if my goal is to learn how it’s actually done.

                                                                                              2. 4

                                                                                                so small they can truly fit in your head

                                                                                                Very true. One thing I’ve noticed, going to C from Rust and especially C++, is how little time I spend now looking at language docs, fighting the language or compiler itself, or looking at code and wondering, “WTF does this syntax actually mean?”

                                                                                                There’s no perfect language though. I do pine sometimes for some of the fancier language features, particularly closures and things which allow you to directly concepts directly in code, like for(auto i : container_type) {...} or .map(|x| { ...}).

                                                                                                1. 1

                                                                                                  One thing I’ve noticed, going to C from Rust and especially C++, is how little time I spend now looking at language docs, fighting the language or compiler itself, or looking at code and wondering, “WTF does this syntax actually mean?”

                                                                                                  It’s also really nice being able to type:

                                                                                                  man $SOME_FUNCTION
                                                                                                  

                                                                                                  to get the documentation for any function in the standard library (and many others not in the standard library). I do a lot of my development on the train (without access to the internet) and man pages are my best friend.


                                                                                                  On the topic of “wtf does this syntax actually mean” I do think C has some pain points. East const vs west const is still a point of confusion for many, and C’s function pointer syntax will melt your brain if you stare at it too long.

                                                                                                  At one point I wrote a C backend for a compiler I was working on and needed to really understand how declarations worked. I found that this article does a really good job explaining some of the syntax insanity.

                                                                                                2. 4

                                                                                                  If anyone is looking to give modern C a try I would recommend reading How to C. It’s a short article that bridges the gap between C from K&R Second Edition and C in $CURRENT_YEAR. The article doesn’t cover the more nuanced details of “good” C programming, but I think that K&R + How to C is the best option for people who are learning the C language for the first time.

                                                                                                  1. 2

                                                                                                    Awesome recommendation! As someone who is picking up C for some programming fun & tasks again after a decade-long hiatus (focused on other higher-level languages), this is super useful for me. I have been re-reading K&R 2nd Ed and been looking for something akin to what you shared in “How to C”.

                                                                                                    I also found these two StackOverflow answers helpful. One, on the various C standards:

                                                                                                    https://stackoverflow.com/questions/17206568/what-is-the-difference-between-c-c99-ansi-c-and-gnu-c/17209532#17209532

                                                                                                    The other, on a (modern) set of useful reference books:

                                                                                                    https://stackoverflow.com/questions/562303/the-definitive-c-book-guide-and-list/562377#562377

                                                                                                1. 4

                                                                                                  The best known is probably the clause in the Affero GPL (or AGPL) that requires that users interacting with covered code over a network be able to download the source code

                                                                                                  This is a restriction on distribution. The Affero GPL is basically identical to the GPL but with ‘distribution’ changed to ‘propagation’ where ‘propagation’ includes hosting the programme on a public-facing network. The idea is that ‘server’ software is being conveyed to users in the same way that ‘client’ software is, so the same kinds of restrictions should apply. But it’s really not a restriction on use, it’s still a restriction on distribution.

                                                                                                  1. 1

                                                                                                    On my previous team we had one team member who was remote. Doing standup in the open office was difficult because they would be on a screen and we’d need to connect one of those disk shaped conference microphones so that they could hear us and we could hear them. It wasn’t the most comfortable because of ambient noise in the office so we resorted to reserving a conference room with a TV screen, camera, microphones. Always having a room for standup was a challenge though, and if we didn’t get it, the ambient noise and awkward huddle around a desk made standup difficult. So we started doing “Slack standup” here and there. Other than that I haven’t had a bad experience collaborating informally through Slack and Zoom with this teammate or working remotely myself. Zoom always works except it uses a ton of CPU. I miss ScreenHero.

                                                                                                    1. 10

                                                                                                      Doing standup in the open office was difficult because they would be on a screen and we’d need to connect one of those disk shaped conference microphones so that they could hear us and we could hear them.

                                                                                                      That’s not remote work. That’s local work, done remotely. If you’re videoconferencing with someone and trying to include them in inherently local activities like a standup then it’s not remote work.

                                                                                                    1. 70

                                                                                                      He’s not wrong, but a quarter of a page about how almost all laptops are worse than 2008-era thinkpads is a little bit low-information for the lobste.rs frontpage isn’t it?

                                                                                                      1. 13

                                                                                                        I think you’re right, it’s low information. But, if others here feel the same as the article, I’m optimistic it will promote conversation on what can be used (I’m hoping I am wrong about what’s out there). I’d love an alternative to the Dell stack I currently use.

                                                                                                        1. 11

                                                                                                          It is a good justification for me to mention (once again) that there are a lot of barely-touched second hand 10 year old thinkpads on ebay for, like, less than $100. So, you can get like a dozen good laptops for the price of a bad one.

                                                                                                        2. 18

                                                                                                          Maybe it’s not the most “technical” post, but I think the point / heart of it is that there is a change that many would like to see in future laptops. Instead of razor thin laptops with horrible keyboards, many people want something that just works.

                                                                                                          It’s an opinion piece, and I personally don’t see anything wrong with it being posted here (and the tags are correct).

                                                                                                          1. 7

                                                                                                            Sure. It’s just both an opinion piece & very short.

                                                                                                            1. 23

                                                                                                              The only reason it’s on the front page is because drew wrote it. There’s zero doubt about this.

                                                                                                              This place loves to laud over him which annoys me specifically given I’ve seen him harass friends of mine because according to him, if you don’t use the “right software” (aka, software he believes is right), it makes you an absolute horrible person deserving of harrassment.

                                                                                                              Wish I could filter out domains…

                                                                                                              1. 7

                                                                                                                Mostly, I wish there was more consistency. I post ranty things with more substance than this & get downvoted to hell (here & HN) – and my rants are rarely less than a five minute read. (On top of that, I stay away from ad hominems when arguing with strangers on the internet, which is not nothing.) If lobste.rs was rant-friendly I’d post more of them here.

                                                                                                                Folks posting links to low-quality posts that are popular because people already agree with them is a much bigger part of the signal/noise ratio problem on lobste.rs than actual spammers, & because Drew is a name, he seems to get attention even when the same exact content in a comment would get one or two upvotes. (Like, this blog post is just a more severe version of comments I’ve literally made on this site.)

                                                                                                              2. 7

                                                                                                                I’d rather read this than yet another post about how Unix is so terrible because it’s based on plain text like that “Programmer’s critique of missing structure of operating systems” post, or some company talking about using AWS (literally nobody cares whether you use AWS), or yet another “I rewrote [unix standard command] in Rust” post.

                                                                                                                1. 3

                                                                                                                  “Programmer’s critique of missing structure of operating systems” post,

                                                                                                                  There was a lot more in that post than you’re giving it credit for, the AWS thing can be interesting from a “This is how switching works/is motivated”. The Rust stuff is what it is.

                                                                                                                  This submission was basically a complaint about the state of consumer products without any relevant links or analysis/context (at least when I read it). It contains really inflammatory and frankly mean screeds like:

                                                                                                                  If you work at any of these companies and you’re proud of the garbage you’re shipping, then I’m disappointed in you.

                                                                                                                  On a factual basis, it’s a lot easier to get a multicore laptop right now with a better camera than it was 12 years ago. It is a lot easier to get one with USB 3. It is a lot easier to get one with a high-resolution screen. It is a lot easier to get one with a good graphics card. Drew is happy to ignore all of that progress because he finds them difficult to service and difficult to run Free as in Freedom software on, and so immediately condemns everything else as garbage.

                                                                                                                  I’d rather read somebody talking about their attempt at making wordcount in Rust than such a shallow and negative and just obviously narrow-minded outburst.

                                                                                                                  1. 1

                                                                                                                    Fair enough. I like that first category so long as it says something new (which it often does), but the other two are at least as spammy & low-effort as this.

                                                                                                              3. 18

                                                                                                                It’s correctly tagged as rant, and @cfenollosa can’t help that Drew is the darling child of lobsters who can say no wrong.

                                                                                                                EDIT (clarification, in case you don’t see the below): this is criticism of Lobsters, and defense of this blog post being posted, not criticism of any individuals.

                                                                                                                1. 50

                                                                                                                  In reality, there also seem to be a fair number of people on Lobsters who think I can say no right. I don’t post my own writing to Lobsters anymore because of issues ranging from valid concerns about spam to obnoxious toxicity.

                                                                                                                  My take is, I write for myself, not for Lobsters. When a Lobster seems to think something I’ve written is worth discussing, then I leave it up to the community to vote on as they see fit. I’ll usually drop into the threads to answer questions, but I find it difficult to engage with Lobsters beyond this - and even that much is difficult. Because you know who I am and what I work on, it seems like any topic I weigh in on is interpreted as spam, be it via submissions or commenting in discussions, even if I go out of my way not to frame my comments in the context of anything I work on.

                                                                                                                  I don’t really like this community anymore, but I reckon some Lobsters would argue that’s by design.

                                                                                                                  1. 13

                                                                                                                    obnoxious toxicity

                                                                                                                    I’m not going to claim that Lobsters is perfect, but “obnoxious toxicity” doesn’t seem like an apt description either; at least not in my experience. How is it toxic, specifically?

                                                                                                                    1. 28

                                                                                                                      Obviously tone is mostly subjective, but I have noticed the same thing recently on some of Drew’s writings that get posted here. Even the comment by @mz could be seen as really negative

                                                                                                                      @cfenollosa can’t help that Drew is the darling child of lobsters who can say no wrong

                                                                                                                      I have a hard time not reading that with vitriol or almost malice (though as indicated by @mz this was supposed to be sarcastic). Saying, “hey I don’t think there isn’t a ton of technical information here” and not upvoting is one thing, but when Drew clearly didn’t post the article themselves and still gets comments that to me seem very unpleasant. It really would be hard to like a community.

                                                                                                                      EDIT: Again in this same thread, I’m just going to start collecting the comments that if I were reading about me that I’d consider to be disheartening and drive me away from this community.

                                                                                                                      I’ve seen much worse Drew Dewalt rants keep the top spot on lobste.rs for weeks tbh.

                                                                                                                      1. 22

                                                                                                                        Ya, that comment is clearly less-than-perfect, but I also wouldn’t describe it as “obnoxious toxicity” personally, but YMMV.

                                                                                                                        It’s not like Drew’s communication style is always … gentle. I mean, in this post he’s literally telling people they should die. Obviously I know it’s supposed to be a joke and intended to be hyperbolic, but sjeez man; that’s pretty harsh… Reasonably sure such a comment would be downvoted to hell on Lobsters or HN.

                                                                                                                        If you dish out harsh words, then don’t be surprised if people reply with harsh words, too.

                                                                                                                        1. 4

                                                                                                                          This is definitely a case of a missing /s or otherwise tone being lost in text form. Please see my clarification and comment follow-up.

                                                                                                                          1. 5

                                                                                                                            I really don’t mean this as a cut to you either, it is just how I read it tonally. Text communication is hard.

                                                                                                                        2. 9

                                                                                                                          In my experience the toxicity has various specific loci, and if you happen to avoid those in your interactions with the community then you’re fine.

                                                                                                                          Woe betide you however it you step on a hot button.

                                                                                                                          Still love the place. I donned my asbestos underwear for the first time long before at least some of you were born :)

                                                                                                                        3. 5

                                                                                                                          I absolutely know what you’re saying, and I commend you for writing for yourself rather than for clout or for internet points. I think a lot of the blog spam we see on lobsters is stuff trying to be topical enough to be unoffensive, but content-less enough to be spam.

                                                                                                                          I in no way meant this as a criticism of you @ddevault. I meant it as a criticism of lobsters, a community which seems to be very addicted to being polarized over your content.

                                                                                                                          I totally get why you don’t post your stuff here. In general, a blog post not being appropriate for lobsters is not a criticism of the blog post (to think otherwise is some serious tech elitism).

                                                                                                                          Thanks for engaging with the comment. It seems you interpreted it the way I intended it, as I had no intention of offense.

                                                                                                                          1. 5

                                                                                                                            Point of fact: you took advantage of us as a marketing channel.

                                                                                                                            1. 43

                                                                                                                              Here is my self-evaluation of my posting history. Green = unambiguously not spam. Blue = cool stuff I made, but which doesn’t make me money. Together these make up almost half of my posts. Pink = dubious, I could benefit indirectly from these, but would argue that they’re on topic and relevant. That covers all but 3 of my posts. Of the remainder, which are definitely more ads than not, one is the most highly upvoted story of all time in each of its tags.

                                                                                                                              I think that this balance was reasonable enough, but in the BSD submission there was some discussion about whether or not it was too spammy, so I curbed my posting on Lobsters. The vast majority of submissions from my blog are not submitted by me, but it seems like I’m being held accountable for all of them as spam.

                                                                                                                              In any case, I don’t post my stuff here anymore. Take it up with the rest of the community if you don’t like seeing my posts here.

                                                                                                                              1. 30

                                                                                                                                I’m sad and sorry that the community has responded this way to your posts, especially as you have stopped linking them yourself. You can’t control what other people do, yet you bear the brunt of their unhappiness.

                                                                                                                                I like seeing your posts here, as there is often good discussion that is prompted by them. Even if some think of them as “ads”, at least it’s for good, open source software (and not things much worse like Google and Facebook).

                                                                                                                                I’m glad you’re writing for yourself- I (and others) will continue to enjoy reading what you write.

                                                                                                                              2. 7

                                                                                                                                Drew’s content may not always be earth-shattering, but a typical post of his likely opens my eyes as anything else on the site. Lobsters is not a place that discourages people from posting their own content.

                                                                                                                                ☑️ I am the author of the story at this URL (or this text)

                                                                                                                                1. 6

                                                                                                                                  The link doesn’t seem to prove the “took advantage of” part, or am I missing something?

                                                                                                                              3. -1

                                                                                                                                Fair enough! And yes, I’ve seen much worse Drew Dewalt rants keep the top spot on lobste.rs for weeks tbh. I guess I can’t argue with success.

                                                                                                                              4. 3

                                                                                                                                Yes, it could have been contained in a comment. But maybe that’s why the article gets upvoted a lot: It’s low-effort to read, everyone basically agrees, and it’s a relief that apparently everyone feels the same (and it’s not their fault for not being able to find a proper laptop).

                                                                                                                                1. 0

                                                                                                                                  How’s it a quarter of a page? It’s an entire page on my fairly high-resolution screen (1440p with no scaling). How zoomed out is your web browser?

                                                                                                                                  1. 1

                                                                                                                                    I have a portrait display & my zoom setting is only 100% – basically because I don’t want a ‘screenful’ to be thirty seconds of reading.

                                                                                                                                1. 14

                                                                                                                                  This list seems to be based on a super Frankenstein’d, incompletely applied threat model.

                                                                                                                                  There is a very real privacy concern to be had giving google access to every detail of your life. Addressing that threat does not necessitate making choices based on whether the global intelligence community can achieve access into your data — and less than skillfully applied that probably makes your overall security posture worse.

                                                                                                                                  1. 1

                                                                                                                                    I agree that mentioning of the 5/9/14/howevermany eyes is unnecessary, and also not helpful. It’s not like if your data is stored on a server in a non-participating country that it somehow makes you more secure. All of that data still ends up traveling through the same routers on its way to you.

                                                                                                                                    1. 1

                                                                                                                                      If you’re going to put a whole lot of effort into switching away from Google, you might as well do it properly and move to actually secure services.

                                                                                                                                      1. 11

                                                                                                                                        In a long list of ways, Google is the most secure service. For some things (i.e. privacy) they’re not ideal, but moving to other services almost certainly involves security compromises (to gain something you lose something).

                                                                                                                                        Again, it all goes back to what your threat model is.

                                                                                                                                        1. 3

                                                                                                                                          Google is only the most secure service if you are fully onboard with their business model. Their business model is privacy violating at the most fundamental level, in terms of behavioral surplus futures. Whatever your specific threat model it then becomes subject to the opacity of Google’s auction process.

                                                                                                                                          1. -1

                                                                                                                                            Running everything yourself is much more secure than Google, which happily hands over data to the NSA when asked.

                                                                                                                                            1. 6

                                                                                                                                              which happily hands over data to the NSA when asked.

                                                                                                                                              Emphasis mine.

                                                                                                                                              As someone who don’t like Google anymore I still think this is still plain wrong I think and I’ll give reasons why:

                                                                                                                                              • Google is known to have put serious effort into countermeasures against wiretaps.

                                                                                                                                              • Google is known to be challenging NSA and others where possible.

                                                                                                                                              • and for the best reason that exist in a capitalist society: it is bad for their business if people think they happily hand over data to the NSA.

                                                                                                                                              • (and FWIW I guess a number of Googlers took offense to the smiley in the leaked NSA slides)

                                                                                                                                              Also, for most people running their own services isn’t more secure, and can in many cases be even less secure, even against NSA. I’ll explain that as well:

                                                                                                                                              Things you get for free with Google and other big cloud providers:

                                                                                                                                              • physical security
                                                                                                                                              • patching
                                                                                                                                              • monitoring
                                                                                                                                              • legal (yep, for the selfish business reasons mentioned above they actually challenge requests for data)
                                                                                                                                              1. -8

                                                                                                                                                “Security” is not an absolute value; it is meaningless without a threat model.

                                                                                                                                                You have demonstrated that you are well out of your league here. Quiet down, listen and learn.

                                                                                                                                                1. 6

                                                                                                                                                  You have demonstrated that you are well out of your league here. Quiet down, listen and learn.

                                                                                                                                                  Wow, that seems an incredibly uncalled for level of incivility, even for lobsters.

                                                                                                                                                  1. 9

                                                                                                                                                    Yeah, that was definitely going off the deep end.

                                                                                                                                                    There’s an appropriate level of criticism here, and this ain’t it.

                                                                                                                                                    /u/friendly - I apologise unreservedly for that comment.

                                                                                                                                                    1. 2

                                                                                                                                                      Thankfully this attitude is not common here.

                                                                                                                                                    2. -1

                                                                                                                                                      You’re lucky I’m intentionally being very friendly on lobsters at the moment, or this reply would be a lot less polite.

                                                                                                                                                      The idea that security is ‘meaningless without a threat model’ is just a meme: one of those ideas people read somewhere that sounds good and so they repeat it ad nauseum without stopping and thinking critically about what it means. It doesn’t matter whether it’s true or how true it is! It’s not actually relevant to what we’re discussing.

                                                                                                                                                      Rather than repeating something you’ve read in an article that you think sounds good, without tying it to what I said in any way, and then making a totally unnecessary and very rude patronising remark, I suggest you actually respond to what I said directly.

                                                                                                                                                      Running everything yourself (for example, running your own mail server) is for a start more secure than using Google’s services, given that we already know that Google inspects all the data you give them. Google reads your emails. What more do you actually need to know to judge whether Gmail is as secure as running your own mail server. If you run your own mail server, only you can read your emails. If you use Gmail, then you can read your emails and third parties can too. That’s less secure. This is actually quite a simple concept.

                                                                                                                                                      1. 10

                                                                                                                                                        if I protect my house by getting the biggest strongest door out there, but the burglars turn up with a brick they throw though my window, then my “security” was useless as my threat model was way off. The concept of threat modelling is most certainly not a “meme”.

                                                                                                                                                        Lots of people get hacked when they self-host, because it requires quite some knowledge not everyone has and even if you do, it’s easy to make mistakes. Just self-hosting does not make anything automatically secure, and it also won’t protect you from “tne NSA”: you’ll still be obliged to follow laws etc. Besides, the distributed nature of email/SMTP makes it hard to protect from this anyway: chances are most of your emails will still be routes through a US server.

                                                                                                                                                        All services “read my emails” to some degree as that’s pretty much a requirement for processing them. This doesn’t necessarily say anything about security or privacy.

                                                                                                                                                        1. -2

                                                                                                                                                          if I protect my house by getting the biggest strongest door out there, but the burglars turn up with a brick they throw though my window, then my “security” was useless as my threat model was way off. The concept of threat modelling is most certainly not a “meme”.

                                                                                                                                                          No, it isn’t. But repeating the concept over and over again as an ‘argument’ without actually tying it to what you’re responding to is a meme. It’s not okay to just say “security is meaningless without a threat model” and expect the conversation to be over without justifying that it’s actually a response to what the person is saying. It’s just a stock phrase being repeated by someone that doesn’t really understand what it means or where it’s relevant, as far as I can tell.

                                                                                                                                                          I’m not even saying that it is necessarily irrelevant here. But just saying it doesn’t justify it being relevant. I don’t like this trend I see more and more of here of acting like this is reddit or HN where you can just drop pithy one-liners and people upvote you when you haven’t actually said anything meaningful.

                                                                                                                                                          1. 5

                                                                                                                                                            It’s not like your comment was especially detailed or overflowing with nuance. Short abrupt one-line comments with blanket statements tend to elicit the same kind of replies.

                                                                                                                                                        2. 8

                                                                                                                                                          yeah, but what does “more secure” mean? When people say threat model, they are just talking about what “more secure” means in a certain context. It’s not exactly infosec dogma…. There is no singular axis of more/less secure

                                                                                                                                                          1. 7

                                                                                                                                                            “Secure” is a vague term in this context. Giving google and their partners access to your e-mails is not a security issue, I would expect that all to be written down in their ToS and similar documents. It is bad for your privacy and anonymity, definitely.

                                                                                                                                                            But I suspect google would be better prepared for a 3rd party that is attempting to hack their servers and forcefully obtain your e-mails than you or any other single individual are. I think that’s also what @ec and others are referring to. Moving away from Google is definitely a good decision to get back (some of) your privacy. Security wise, it really depends on where you are moving to.

                                                                                                                                                            1. 3

                                                                                                                                                              Google hands over its users’ data to the American government and through the Five Eyes agreement and similar agreements to many of the governments of the western world. That is not a ‘privacy’ issue it’s a security issue.

                                                                                                                                                            2. 7

                                                                                                                                                              Running my own email is not more secure against data loss (unless you also have multi-point off-site backups, encrypted, with the crypto keys stored securely).

                                                                                                                                                              It’s also not more secure against email delivery failures causing you to lose business (a much bigger issue for me than google reading them).

                                                                                                                                                              Neither is it more secure against your abusive spouse accessing your emails (or destroying the hardware).

                                                                                                                                                              Finally, anytime you communicate with a gmail user, google is reading your emails anyways - so to improve your security you also need your mail client to check whether the recipients MX records resolve to a google-controlled IP range.

                                                                                                                                                              That’s what “irrelevant without a threat model” means.

                                                                                                                                                              I’ve nearly finished de-googling everything in my life. Doing it in a way that preserves the security properties I care about is very hard work.

                                                                                                                                                              1. 2

                                                                                                                                                                It’s also not more secure against email delivery failures causing you to lose business

                                                                                                                                                                Eh, I’ve run my own email and did gmail side by side for years. I lost more legitimate emails to google’s spam filter false positives than to server down.

                                                                                                                                                                Remember that email is designed to be resilient against delivery failures, designed in the days of temporary dial-up connections. If a server is down, it just queues the message and tries again later. If it still doesn’t work, it notifies the sender that the message failed. Not everyone will try to contact you another way when that happens…. but surely more than people whose messages just disappeared into a spam filter.

                                                                                                                                                                1. 1

                                                                                                                                                                  I’ve been on Fastmail for years now. I regularly check my spam folder; in almost four years I have had one false positive.

                                                                                                                                                                  When I briefly tried running my own, google randomly stopped accepting my mail after a little while (hence briefly).

                                                                                                                                                                  I’m glad you have had a good experience with it; I haven’t found it as good a use of my recreational sysadmin time as other things (plex, vscode-over-http, youtube-dl automation, repo hosting etc).

                                                                                                                                                  1. 2

                                                                                                                                                    The comparison table is at best misleading.
                                                                                                                                                    The author compares the “PCG family” against other RNGs in an unrealistic configuration.
                                                                                                                                                    For example, Xorshift128 was used in Safari, Firefox, and Chrome (as of 2015).
                                                                                                                                                    Also, which family member and what is the state space size?

                                                                                                                                                    1. 1

                                                                                                                                                      For example, Xorshift128 was used in Safari, Firefox, and Chrome (as of 2015).

                                                                                                                                                      Which makes the comparison table misleading how?

                                                                                                                                                      1. 2

                                                                                                                                                        Here are the reasons I feel this comparison table is misleading.

                                                                                                                                                        • Nonspecific
                                                                                                                                                          PCG has implementations for 8bit, 16bit, 32bit, 64bit, and 128bit integers.
                                                                                                                                                          They won’t all perform the same; narrower widths have a smaller range of possible values.
                                                                                                                                                          Good comparisons are specific, like-to-like, concrete, and falsifiable.
                                                                                                                                                          Compare the PCG table to the xoshino/xoroshiro table.
                                                                                                                                                          The latter is a good comparison and the former is marketing fluff.
                                                                                                                                                        • Realistic
                                                                                                                                                          Most systems have strengths and weakness.
                                                                                                                                                          It’s often possible to make another system look worse by comparing your best case to their worst case.
                                                                                                                                                          Good comparisons reflect how the system is used in the real world.
                                                                                                                                                          This is why the SPEC benchmarks, for example, include gcc, perl, and x264.
                                                                                                                                                          XorShift has variants that improve the quality of the output.
                                                                                                                                                          I mentioned XorShift128+ (my post had a typo) because I feel that it is more representative of a real world XorShift generator.
                                                                                                                                                    1. 10

                                                                                                                                                      In general, mainstream computer security advice is lacking. There’s a saying that goes something like:

                                                                                                                                                      A man will be interested to read the news for his industry, only to find that much of it is incorrect. Then, he will move on to read news for other industries and not question the correctness.

                                                                                                                                                      1. 9

                                                                                                                                                        This is called the Gell-Mann Amnesia Effect or Crichton’s law.

                                                                                                                                                        From Michael Crichton’s wikipedia page:

                                                                                                                                                        In a speech in 2002, Crichton coined the term Gell-Mann amnesia effect. He used this term to describe the phenomenon of experts believing news articles on topics outside of their fields of expertise, even after acknowledging that articles written in the same publication that are within the experts’ fields of expertise are error-ridden and full of misunderstanding. He explains the irony of the term, saying it came about “because I once discussed it with Murray Gell-Mann, and by dropping a famous name I imply greater importance to myself, and to the effect, than it would otherwise have”.

                                                                                                                                                      1. 7

                                                                                                                                                        Please don’t use JavaFX, Swing, Tk, FLTK — anything without Wayland support. Just don’t.

                                                                                                                                                        I would prefer GTK 3 (or even the very exciting WIP 4.x branch of GTK, which brings GPU rendering to all the classic widgets we know and love, unlike Qt which created a whole new world (QML) for this) but here’s some more options:

                                                                                                                                                        wxWidgets, libui, Eto are there for abstracting over native toolkits. (btw, since you mentioned IDE-like things, this Eto project uses various native code editor components)

                                                                                                                                                        If you go with the web route, there are better ways to do it than Electron. web-view uses GTK/Cocoa native WebKit and EdgeHTML on Windows — tiny executables without dragging a whole Chromium copy around, automatic Wayland support (due to GTK), etc. Tauri is a higher-level thingy around web-view.

                                                                                                                                                        1. 8

                                                                                                                                                          Please don’t use […] anything without Wayland support. Just don’t.

                                                                                                                                                          I have no interest in supporting wayland. And for people who want to use it, xwayland is good-enough.

                                                                                                                                                          Someone else mentioned libui is not feature-complete yet. Eto is interesting, I will take a look at it.

                                                                                                                                                          1. 1

                                                                                                                                                            xwayland is good-enough

                                                                                                                                                            No. Most importantly it does not support HiDPI. It’s legacy cruft, I usually keep it off. I’d like to eventually get rid of all X11 libraries on my system completely.

                                                                                                                                                            1. 2

                                                                                                                                                              You’re free to do that, of course. But X11 is not ‘legacy’. It’s a standard across a wide range of Unix-like systems. It’s not going anywhere any time soon. Wayland still doesn’t have a standardised way to do basic desktop things like take screenshots.

                                                                                                                                                              1. 2
                                                                                                                                                                1. -1

                                                                                                                                                                  That’s very nice for Android phones but they have nothing to do with desktop systems.

                                                                                                                                                                  1. 3

                                                                                                                                                                    I think you will find plenty of folk use or will use an ARM SBC for a desktop system.

                                                                                                                                                                2. 2

                                                                                                                                                                  I don’t think the question of “Is X11 legacy cruft?” is interesting; it is what it is, and it’ll stay with us for a while. However, the problems with XWayland are very real. It doesn’t support HiDPI, input is sometimes wonky, features which expect there to be one X server used by all clients don’t work, etc.

                                                                                                                                                                  Wayland desktops have protocols for most things, they’re mostly at feature parity with X11. You’re right that many of those protocols aren’t standard though, which sucks. There’s a lot of protocols which aren’t standard but still implemented by every serious Wayland desktop - except for Gnome.

                                                                                                                                                                  Gnome usually just implement their own completely different protocols, and Gnome is one of the biggest obstacles to Wayland adoption imo. Lots of Wayland software either works only on Gnome, or on everything other than Gnome.

                                                                                                                                                          1. 5

                                                                                                                                                            If you’re looking for something a little different and a lot of fun, might I recommend GNUstep?

                                                                                                                                                            It might also be interesting to play with one of the less mainstream paradigms, like immediate mode GUIs.

                                                                                                                                                            1. 3

                                                                                                                                                              imgui is not suitable for people who require accessibility features.

                                                                                                                                                              1. 4

                                                                                                                                                                True. A11y and, to a lesser extent, i10n are often completely ignored in the smaller or lesser-known toolkits. Electron and things built on it seem to be an a11y nightmare from what I can tell.

                                                                                                                                                                My comment was more a “here’s some fun things you can mess around with that you may not have considered.”

                                                                                                                                                              2. 2

                                                                                                                                                                I did think about imgui a bit. I think that for my purposes it will require me to keep a lot of extra state, though. Also, re-render every frame is a bit expensive. I will take a look at gnustep.

                                                                                                                                                                1. 2

                                                                                                                                                                  The “re-render every step” semantics aren’t meant to imply that that’s the implementation. That’s just the mental model for working with it, and libraries like Conrod work to only re-render the things that have changed.

                                                                                                                                                                  1. 1

                                                                                                                                                                    I mean like, you have to rebuild the tree every frame.

                                                                                                                                                                    Remember that imgui was created by a game developer; games tend not to have super complex UIs, and have to re-render every frame anyway.

                                                                                                                                                                    1. 2

                                                                                                                                                                      imgui was created really for game development tools, not even real game UIs. It’s meant to be quick and easy debug UIs, asset editors, etc. The kinds of things you get loads and loads of in game development. I think almost all commercial games just do their UIs from scratch.

                                                                                                                                                                      1. 2

                                                                                                                                                                        AAA game dev here. We used Coherent UI for our most recent project which is WebKit based. It’s just easier to find people who write HTML/CSS. Previous project was ScaleForm but no one would recommend that anymore as it’s Flash based.

                                                                                                                                                                2. 1

                                                                                                                                                                  might I recommend GNUstep

                                                                                                                                                                  Is objective-c still a thing? IIRC GCC’s support for it has diminished, which is rather ironic for a project that includes ‘GNU’ in the name.

                                                                                                                                                                  1. 1

                                                                                                                                                                    Afaik, clang still has good support.

                                                                                                                                                                1. -3

                                                                                                                                                                  About implemented useless features: “What is so wrong about […]”
                                                                                                                                                                  About non-implemented useless features: “Support has borders”
                                                                                                                                                                  We really don’t need to get too detailed to affirm that ShitDSystemD sucks, even because most people that says the contrary are not aware of the internal details (or do not care about technical quality at all)

                                                                                                                                                                  1. 5

                                                                                                                                                                    To not let people completely aimless about my statement (and let new downvotes consider using “unkind” instead of “troll”).

                                                                                                                                                                    Main Problems:
                                                                                                                                                                    • Too big
                                                                                                                                                                    • Is becoming a hard dependency of many projects

                                                                                                                                                                    Those are the biggest problems (the rest, such as bricking your BIOS, are bonus), because as we become more dependent of it, the harder it becomes to use alternatives (gl trying to re-implement the necessary interfaces, especially when it grows ad-infinitum); Otherwise people who still cares about quality could simply use an alternative.

                                                                                                                                                                    1. 9

                                                                                                                                                                      Don’t you think that the reason why it’s becoming a hard dependency of many projects is because it’s actually pretty useful?

                                                                                                                                                                      1. 1

                                                                                                                                                                        Does a bad thing being useful mean it’s use should be supported?

                                                                                                                                                                        1. 2

                                                                                                                                                                          Bad is a moral judgement, and software doesn’t have moral character.

                                                                                                                                                                          A more obvious form of the question is “Does a complex, buggy, opaque thing being useful mean it’s use should be supported?”.

                                                                                                                                                                          This form of the question is unpopular with people who insist the answer should be “no” - possibly because it makes clear the reasons why it might sometimes be “yes”.

                                                                                                                                                                          1. 1

                                                                                                                                                                            Your question is too generic to answer ;), also I think it’s too generic to be adequate for our “should we use systemd’ problem.

                                                                                                                                                                            • Should you use your car to travel? It contains complex, buggy, opaque and user-hostile systems (user-hostile when you’re trying to fix it yourself), it influences the environment in a negative way, it’s loud, kills people, and is designed to be replaced few years after buying. But because ambulances use it, people’s lives can be saved.

                                                                                                                                                                            • Do you have the source code of the UEFI implementation of your motherboard? It’s complex, buggy, closed, nobody knows what it’s doing, and it’s running every time you power on your computer. But because it can be used to bootstrap your operating system, it allows you to connect with other people.

                                                                                                                                                                            • Do you eat sugar / do you smoke / drink alcohol? It’s bad for your health, but it’s tasty / can help with social interaction.

                                                                                                                                                                            1. 2

                                                                                                                                                                              Wether or not you should use a car is a personnal concern. Some people don’t want to be bothered and need it (ambulances, police, etc..). The problem is that distros are getting rid of the bike lanes and sidewalks because they don’t want to be bothered with alternative transportation methods, as the car do it well. And me, a longboard enthusiast that don’t need a car at all to move around the city is forced into it, even though I neither need or want it.

                                                                                                                                                                              1. 1

                                                                                                                                                                                Wether or not you should use a car is a personnal concern.

                                                                                                                                                                                I don’t agree. There are lots of people who would like to limit other people to have cars. Also lots of people who are bothered because 1 person has more than one car. Also, the environment that we live in is influenced by other people having cars (noise, pollution, sidewalks as parking spots, etc). So, I understand that me having a car can influence another person in a negative way. So since it influences another person, it’s not a personal concern. There’s also a non-zero risk that the car owner does some damage with it, since using a car involves manipulating a high energy object, that’s why the car insurance exists (disclaimer: I own a car and I’m not against using it).

                                                                                                                                                                                The example with removing bike lanes and sidewalks seems adequate, but maybe the distro does it because the majority of people uses cars. So I’m not sure is it sensible to try to limit the optimization of the city for the majority, because a small percent of citizens desn’t want it. Also, removing sidewalks and bike lanes is not the goal here. Future features that will be possible to be implemented by optimizing the city for cars are the goals.

                                                                                                                                                                                1. 2

                                                                                                                                                                                  the environment that we live in is influenced by other people having cars (noise, pollution, sidewalks as parking spots, etc). So, I understand that me having a car can influence another person in a negative way

                                                                                                                                                                                  This is where the metaphor stops applying. Of course an init system has zero impact on the environment, and does not directly impact other people. If we both use gentoo, and my system runs systemd while yours uses openrc, you won’t be bothered at all, no matter how bad I tune/use my system.

                                                                                                                                                                                  Back when systemd appeared, I was running archlinux, so I mostly remember the design choice for this particular distro. When they decided to make systemd the default init, many people asked why a tinkerer distro like this would enforce the init system on its users (it was possible at the time to replace the init system, SysV with openrc or runit fairly easily). The developers/maintainers stated that they chose systemd because it would unify how the services would be managed, so they would not have to maintain all the scripts for other daemon managers. They wanted a single way to write service files so they won’t be bothered with bugs in shell init scripts.

                                                                                                                                                                                  They did not remove the sidewalks and bike lanes because people used cars. They forced users into it so they won’t have to maintain the sidewalks and bike lanes. The choice didn’t come from the users at all, it cames from the distro makers.

                                                                                                                                                                                  edit: Found to official communication from 8 years ago! https://bbs.archlinux.org/viewtopic.php?pid=1149530#p1149530 There were more than just the initscripts part obviously, as systemd solves real problems. I just remember getting into a discussion where the main argument was that maintaining init scripts was a waste of time for the devs because with systemd provides a unique interface for them, that distro can share together in a common effort (I still believe each distro maintain their own service files and don’t use a common source…).

                                                                                                                                                                        2. 7

                                                                                                                                                                          such as bricking your BIOS

                                                                                                                                                                          This was buggy firmware that bricked itself when no EFI variables were set; such behaviour should be a factory reset instead. And it’d be exposed regardless of init system if you mounted the EFI variable filesystem.

                                                                                                                                                                          1. 3

                                                                                                                                                                            yep, but in SystemD case specifically, it needs the efivars to be mounted writable, according to Poettering because SystemD writes to it (with systemctl reboot --firmware)

                                                                                                                                                                            1. 3

                                                                                                                                                                              And that is systemd’s fault exactly how?

                                                                                                                                                                              1. 3

                                                                                                                                                                                Why does it need to write to the EFI filesystem every single boot?

                                                                                                                                                                                No seriously, the whole point of having EFI on a separate filesystem is to protect the security and integrity of the boot process. systemd writes data to what should be a read-only partition unless you’re altering your bootloader.

                                                                                                                                                                                1. 1

                                                                                                                                                                                  First, I think you’re mistaking EFI Filesystem (the FAT32 blob store with kernels) for EFIvars, NAND-backed kv configuration store. Systemd only writes to the latter when you explicitly invoke a reboot-to-firmware. And for that you need efivars mounted as rw.

                                                                                                                                                                                  EDIT: Also, traditionally, the former has always been mounted as rw somewhere under /boot, just like in BIOS days. And no one complains about it. And for EFIvars there are other customers too: gdisk, syslinux, grub2, efibootmgr, fwupd’s fwupdmgr and Gnome-Software frontends…

                                                                                                                                                                                  1. 1

                                                                                                                                                                                    If systemd needs to write to the EFI filesystem it should mount it read-write in a private namespace, not in the global namespace. I understand that namespaces are a relatively new feature but they’re not that new honestly.

                                                                                                                                                                                    1. 3

                                                                                                                                                                                      That’s much more actionable feedback. Makes sense to me.

                                                                                                                                                                                      1. 2

                                                                                                                                                                                        If systemd needs to write to the EFI filesystem it should mount it read-write in a private namespace, not in the global namespace.

                                                                                                                                                                                        Fine, but what about the half-dozen other clients, that expect writable efivars in the global namespace? Especially efibootmgr and fwupd.

                                                                                                                                                                                        1. 1

                                                                                                                                                                                          They should do the same IMO. This is an area you can permanently brick your machine, needing a little bit of inconvenience is a good thing

                                                                                                                                                                                          1. 1

                                                                                                                                                                                            Okay, that might work, can’t disagree here.

                                                                                                                                                                              2. 2

                                                                                                                                                                                I don’t see how that’s an excuse. It wouldn’t have happened if not for the actions of systemd’s developers.

                                                                                                                                                                                1. 7
                                                                                                                                                                                  1. The EFI spec says you can reboot to firmware by wiping EFI vars.
                                                                                                                                                                                  2. Someone shipped hardware that is bricked if you follow the EFI spec.
                                                                                                                                                                                  3. Someone else shipped free software that follows the EFI spec.

                                                                                                                                                                                  How is it that the free software that follows the spec attracts more blame than the paid hardware that doesn’t?