Threads for netopwibby

  1. 12

    Hot take: Could font designers please just agree that the only valid way to write 0 for technical fonts is with a dot in the middle? 0-with-nothing is irritatingly ambiguous with O, 0-with-a-slash is irritatingly ambiguous with Ø, and I’ve never seen the 0-with-broken-edges actually used outside of Brazilian license plates.

    1. 7

      Just pulled some statistics from what people download: https://neil.computer/notes/berkeley-mono-font-variant-popularity/

      The dotted-zero is indeed the most popular.

      1. 7

        I love slashed zeroes!

        I’ve never used Ø or had to.

        1. 17

          What a strange coincidence.

          1. 7

            An Ø bit my sister once.

            1. 5

              Ø bites cån be very painful!

              1. 3

                Yes but it’s not common for islands to bite.

                1. 2
          2. 4

            Nah, I like my slashed zeros. You just need properly distinguishable characters. Many font designers get it wrong.

            1. 2

              Or just let you choose. There were a few things about those fonts that bothered me initially, but with customisation they became my favourites.

              1. 7

                I’m at the sad and tired point in my life where I don’t want things where every nuance is customizable, I want things where the defaults are pretty good. :P

              2. 1

                What is your opinion on writing a 0 with a backslash, like in Atkinson Hyperlegible?

                1. 1

                  Never seen it before in practice! I suppose I have no objective complaints. I might worry a little about dyslexic legibility, but no practical experience with it.

                2. 1

                  Yeah, I agree. My eyes are pretty bad, and I struggle to read code at even 14pt sometimes. I pretty much exclusively use Source Code Pro as my main programming font because it has the most distinctly different letters and the dot-in-the-middle 0 and NO LIGATURES.

                1. 1

                  As mentioned in my infrastructure blog post, I have multiple networks (VLAN) at home. Because I didn’t want to do some unholy things, I needed to have a /64 per network, meaning multiple /64s for my home.

                  I don’t understand this part. Why can’t he split the network into multiple segments? What use case does anyone have for multiple /64 in their home? That’s 18446744073709551616 addresses per subnet.

                  1. 6

                    Each network needs to be a /64 for SLAAC to work.

                    1. 2

                      But that’s… a giant amount of addresses. Why is this? Not allowing smaller sizes looks as if we’re repeating the IPv4 mistakes?

                      1. 12

                        Because that’s the only functioning way we’ve been able to come up with for devices to be able to automatically configure themselves with a predictable persistent address without any conflicts.

                        The issue is that people seem to have a hard time comprehending just how big of a number 2^128 is. With that address space we could for example assign 2^32 /64’s to each IPv4 address (of which there are 2^32). We can give the entire IPv4 address space to each IPv4 address.

                        Additionally, RIPE strongly discourages assigning prefixes longer than /56, and in general recommends assigning end-customers a /48 or /56, and that assigning a /48 to all customers is the most practical address plan.
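The point about SLAAC and prefix sizes, as an added example that is not part of the thread: the interface identifier SLAAC appends to the advertised prefix is 64 bits wide (shown here in its modified EUI-64 form derived from a MAC address), so a prefix longer than /64 leaves no room for it, and a /56 or /48 from the ISP is what gives a home several /64s. The MAC and prefix values are constructed samples.

```rust
// Added example (not from the thread): why SLAAC wants a /64 per network.
// Uses only the standard library; MAC and prefix below are constructed.
use std::net::Ipv6Addr;

/// Build a modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291):
/// insert 0xFFFE between the OUI and the device part, flip the U/L bit.
/// Privacy (RFC 4941) and stable-opaque (RFC 7217) identifiers are random
/// instead, but they are also exactly 64 bits wide.
pub fn modified_eui64(mac: [u8; 6]) -> [u8; 8] {
    [mac[0] ^ 0x02, mac[1], mac[2], 0xff, 0xfe, mac[3], mac[4], mac[5]]
}

/// Place a 64-bit interface identifier into the lower half of the prefix.
/// Anything other than a /64 is refused: a longer prefix would overlap the
/// identifier, a shorter one leaves bits the host has no rule for filling.
pub fn slaac_address(prefix: Ipv6Addr, prefix_len: u8, iid: [u8; 8]) -> Result<Ipv6Addr, String> {
    if prefix_len != 64 {
        return Err(format!("SLAAC needs a /64 prefix, got /{}", prefix_len));
    }
    let mut octets = prefix.octets();
    octets[8..].copy_from_slice(&iid);
    Ok(Ipv6Addr::from(octets))
}

/// How many /64 networks a delegated prefix of the given length contains.
/// This is the "multiple /64s for my home" question from the thread.
pub fn subnets_in(prefix_len: u8) -> u64 {
    assert!(prefix_len <= 64, "prefix longer than /64 holds no full /64");
    1u64 << (64 - prefix_len)
}

fn main() {
    let mac = [0x00, 0x11, 0x22, 0x33, 0x44, 0x55]; // constructed sample MAC
    let prefix: Ipv6Addr = "2001:db8:1:2::".parse().unwrap(); // documentation prefix
    let iid = modified_eui64(mac);
    println!("/64 prefix  -> {:?}", slaac_address(prefix, 64, iid));
    println!("/80 prefix  -> {:?}", slaac_address(prefix, 80, iid));
    for len in [64u8, 56, 48] {
        println!("a /{} delegation holds {} /64 network(s)", len, subnets_in(len));
    }
}
```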

                        1. 1

                          Thanks for the explanation. Indeed these numbers are just too large to properly imagine them…

                          Additionally, RIPE strongly discourages assigning prefixes longer than /56, and in general recommends assigning end-customers a /48 or /56, and that assigning a /48 to all customers is the most practical address plan.

                          Well, at least in Germany consumer ISPs seem to hand out /64 by default, though. I suppose one can ask to get a /48 or /58, though.

                          1. 2

                            Vodafone (previously Unitymedia) gives a /56 by default for IPv6-only cable, so it’s not uncommon.

                            1. 2

                              Well, at least in Germany consumer ISPs seem to hand out /64 by default, though. I suppose one can ask to get a /48 or /58, though.

                              When have consumer ISPs ever been known to follow guidelines. ;)

                              1. 1

                                Are you sure it’s the ISP specifically only giving a /64 and not the DHCP-PD client only taking a /64 out of the available /56?

                                1. 1

                                  That might actually be it. Sorry for the noise.

                                2. 1

                                  Just checked it, from Telekom I get a /56 without any interaction. As far as I know as a consumer you can ask for a /48 and as a commercial customer you just get a /48. A few years ago there was news about Telekom asking for a bigger prefix than a default ISP gets, because they wanted to follow the RIPE guidelines. As the biggest ISP in Germany they could argue this. As far as I know most ISPs in Germany do this similarly.

                                  I’m not sure how it is handled for mobile access. As far as I know you get default slaac in a provider managed /64 and can request prefixes per dhcpv6. I can’t check this, because I don’t have mobile Internet.

                          2. 4

                            Thanks for the comment, I guess I should update my post to be more precise about what the problem is. As kyrias explained, it’s not the number of addresses, but to be able to use SLAAC.

                            1. 4

                              IoT is old, new is IoA (internet of atoms).

                              1. 1

                                I used to work for a now defunct IoT startup. Your comment wounds/intrigues me.

                            1. 7

                              You can also use a perceptual linear colorspace to generate visually pleasing color palettes. I wrote a library a few years ago for the Processing framework: https://github.com/neilpanchal/Chroma

                              1. 2

                                This is awesome work! I love how simple your API is

                                testColor = new Chroma(ColorSpace.LCH, l, c, h, 255);

                                The CIE-LCH color space is very attractive, uniform grays by default and closer to the eye.

                                Thank you for sharing it.

                                1. 2

                                  Hijacking your comment to say I’m looking forward to your mono typeface!

                                1. 1
                                  • Cleaning up the backyard like I promised the wife I would for the past two weekends.
                                  • Playing Fortnite to unlock cosmetics and hopefully have my friends join.
                                  • Scouring a massive stack of decade-old Moleskines, Field Notes, and other notebooks for ideas that’ll help me with current projects.
                                  • Stretching my arms…I woke up and they were pretty tight which means I wasn’t warmed up enough for my workouts this week. SMH
                                  1. 31

                                    The article doesn’t refute any of the arguments in the blog it’s responding to. Yet it has a point - Gemini seems to have taken off as a subculture.

                                    People rally around this protocol as a backlash against the complexity of the web, even though a non-complex website can be made with HTTP and HTML, and it can be read on low-powered computers with oldschool browsers like lynx or slightly more modern links, dillo or netsurf. Gemini is not about any of the technical features (or even the anti-features, if you will) but more about the emotion and ethos surrounding it.

                                    1. 11

                                      It’s simpler than that: Gemini is about having fun!

                                      1. 7

                                        Gemini is not about any of the technical features (or even the anti-features, if you will) but more about the emotion and ethos surrounding it.

                                        Gemini is an NFT.

                                        1. 1

                                          I can’t really see the similarity myself.

                                          1. 5

                                            It’s a technical solution to a social problem with a committed bunch of supporters who are Extremely Online.

                                            Thankfully there is no money involved however.

                                        2. 7

                                          It does address the charge of exclusionism. I would even respond to that charge in stronger terms: if you require every new project to be 100% inclusive from day 1, you’re a useful idiot for rich monopolists who have large departments devoted to marketing how inclusive and accessible they are[1].

                                          Reading pages on Gemini requires installing a program. We all used to do this, back in the day! It blows my mind that this is considered exclusionist.

                                          [1] Except they’re not really if you actually focus on the details. Why the fuck is the author of that other blog post not complaining about how exclusionist Twitter is? They can’t render 280 fucking characters without Javascript.

                                          1. 18

                                            Reading pages on Gemini requires installing a program. We all used to do this, back in the day! It blows my mind that this is considered exclusionist.

                                            People install apps on their phones and laptops all the time (lol you should see my “Messenger” app group.) Gemini isn’t exclusionist for asking for an app install, it’s exclusionary for being mostly text based, for emphasizing keyboard navigation, and for eschewing accessibility for minimalism. If I were ever interested in sharing math on Gemini it would be pretty much impossible; there’s no way to represent the markup. In theory you can share other formats, like HTML or images, but in practice the community strongly wants to stick to text/gemini.

                                            There’s also a decent amount of purity politics. See https://github.com/makeworld-the-better-one/amfora/issues/199 for example. It’s a set of cultural values that wants to exclude and circumscribe by default. There’s nothing wrong with this, but it makes the community by definition exclusionary.

                                            1. 10

                                              There’s also a decent amount of purity politics. See https://github.com/makeworld-the-better-one/amfora/issues/199 for example.

                                              I’ve been intrigued by the idea behind Gemini for a while now (and Gopher before that) but reading through that conversation just made me absolutely certain that I never want anything to do with Gemini. To be fair, I now also doubt that they would want me involved in their community either :-)

                                              1. 14

                                                I mean, it’s mainly just Drew Devault who’s the issue in that exchange. If it makes you feel any better, he’s already been banned from Lobsters :)

                                                1. 1

                                                  I haven’t been here for a few months so this is news to me. Whoah.

                                                2. 9

                                                  That github issue made me so angry that I added a gemini title grabber to my IRC bot that would also fetch the favicon.txt file, just to spite that asshole.

                                                3. 4

                                                  Yeah, that’s totally valid. “Accessible” is a more precise keyword here than “inclusive” that isn’t talked about in either OP or the post it’s responding to. It’s true that plain text isn’t accessible.

                                                  I’ve been agonizing about this because my project is terminal-based. I’d characterize my current position as very/genuinely reluctantly excluding some people. I’d love to brainstorm ways to get around it with an accessibility expert.

                                                  1. 8

                                                    I’d love to brainstorm ways to get around it with an accessibility expert.

                                                    Yeah it’s something I’m a bit sensitive to because I have some really bad RSI issues. Personally, I’ve always learned much better with text than drawings (since I was a child), and when I found text interfaces on computers, I found them much easier to navigate around than graphical interfaces. Unfortunately I had a sports injury when I was young in my wrist, and years of coding have now made my RSI pretty bad. There are days when I get by with using only my left hand on an ambidextrous trackball. Those days using the terminal is a gigantic chore and I feel super bummed when I read the fashionable online TUI maximalism in tech spaces. And I’m relatively lucky and privileged, I wasn’t even born with an actual disability. I can only imagine what it’s like for folks with other accessibility issues.

                                                    I recall in the ’90s (though I may be conflating trends, so this might be more of a haphazard connection than a true connection) a desire to have the Web contain text and rich media to accommodate the information acquisition style most beneficial to the reader/viewer. By ideologically sticking to text the way Gemini does, I see Gemini making a strong statement that Geminauts should learn a certain way and that other types of learners (say graphical or aural learners) are not really considered. The Web as an open, welcoming technology then feels very different than the closed, specific community of Gemini.

                                                    That said, as a personal project, you can’t “fix the world”. Focusing on a niche is fine IMO. We all have finite time in our lives and we do what we can with our time.

                                                    1. 8

                                                      other types of learners (say graphical or aural learners

                                                      Just as a side note here: the idea that people have a “learning style” and one person will learn best with audio vs another best with visuals, has been widely refuted.

                                                      1. 3

                                                        Want to +1 your comment. I’m aware but I didn’t add that into my post and I don’t want folks to think that my statement is a statement on the pedagogy at large on education.

                                                      2. 2

                                                        Thanks! If you ever get around to trying out my thing, I’d love to hear any advice you have, whether on accessibility or anything else.

                                                      3. 1

                                                        There’s a big difference between a terminal-based application for people to explore and ‘the web is for normies and if you don’t join our clique “you’re a useful idiot for rich monopolists”’ – which is a rather exclusionary thing to say.

                                                        1. 1

                                                          I don’t actually use Gemini much! I don’t hang out on the mailing list, I don’t know anybody there. If I’m in a clique, it’s a clique of 1.

                                                          If you require every new project to be 100% inclusive from day 1, you’re a useful idiot for rich monopolists who have large departments devoted to marketing how inclusive and accessible they are

                                                          I stand by this statement in all particulars. But I’m not sure who I’m excluding from what by saying it.

                                                          1. 5

                                                            If you require every new project to be 100% inclusive from day 1, you’re a useful idiot for rich monopolists who have large departments devoted to marketing how inclusive and accessible they are

                                                            That statement implicitly assumes that projects will later be extended to be more inclusive.

                                                            The problem is, Gemini seems pretty hostile to any extensions made after day 1, and this seems to be a specific goal of the project. This means if they ever want to include accessibility, it has to be planned in from day 1.

                                                            1. 2

                                                              I’m not sure what accessibility it needs to include? It’s trivial to create an audio-only, reading only, braille-only, large print, high contrast, translated to any language, version of any gemini capsule. Lacking support for mathematical notation or music isn’t about accessibility, it’s about content.

                                                              1. 5

                                                                Questions I’d have:

                                                                • How would a screen reader know what language a capsule is? What if you use multiple languages in your capsule?
                                                                • How does a screen reader know what to parse and what not to (e.g. images)?
                                                                • Those Figlet ASCII art images are absolute garbage for a screen reader

                                                                It’s trivial to create an audio-only, reading only, braille-only, large print, high contrast, translated to any language, version of any gemini capsule

                                                                So it’s been said since the beginning of the protocol but all I’ve seen is TUI clients, an Emacs client, and a handful of GUI clients which are still not thinking about accessibility at all.

                                                                1. 5
                                                                  • The MIME type of the resource requested is included in the response, and it’s there where one can include a language tag (it’s even specified for text/gemini). At best, you can set a language per file, but if the document includes multiple languages, you are out of luck. But to be fair, does anyone actually tag foreign language words or phrases in HTML? I know I do (via tags) but I think I might be the only one.
                                                                  • Images (like gif and jpegs) aren’t displayed inline. Yes, it’s an issue knowing a link is to an image (and what type of image) until it’s requested.
                                                                  • The spec for text/gemini allow for “alt text” after the pre-formatted block marker, but there is no standard for how it should work, nor what it should contain. There’s been an insane amount of talk about the issue, but rarely (if ever) does someone even bother with a “proof-of-concept” to see how it might look or work (my biggest gripe with the Gemini community—mostly talk, no experimentation because actual working code is hard work and who wants to do that?)

                                                                  Disclaimer: I wrote the first available Gemini server which helped with identifying the worst bits of the protocol (I did not bother much with text/gemini). I pretty much left the community because of the community, but I still run my Gemini site (gemini://gemini.conman.org/ in case anyone is interested).

                                                                  1. 1
                                                                    • A screen reader would know the language the same way anyone ever does. Language Detection is a pretty reasonably solved problem, certainly for long-ish passages.
                                                                    • What images?
                                                                    • That’s a screen reader problem (actually an ascii art problem), not a protocol accessibility problem. The web is no better at dealing with bad actors.

                                                                    Feel free to write an Alexa client. It’d be pretty easy. (Like, legitimately so. It actually sounds kind of fun. I might try.)

                                                                    1. 1

                                                                      Those Figlet ASCII art images are absolute garbage for a screen reader

                                                                      The standard allows for an optional “alt text” to be attached to preformatted sections.

                                                                      Edit

                                                                      How would a screen reader know what language a capsule is? What if you use multiple languages in your capsule?

                                                                      The server I run (gemserv) has an optional directive indicating the language. I don’t know if it communicates this to the client though.

                                                          2. 2

                                                            I’m not familiar with the insider politics of Gemini. Now I’m regretting wading into this. I’d have kept quiet if either blog post said, “the people on the mailing list are rude,” something I’m not qualified or interested to debate.

                                                            1. 2

                                                              it’s exclusionary for being mostly text based

                                                              Like the Amish.

                                                              If people want to live without electricity, who am I to tell them otherwise?

                                                              If I were ever interested in sharing math on Gemini it would be pretty much impossible;

                                                              Yes yes, all your calculus I’m sure is quite good, but there are other things too, and you might say nothing quite captures the beauty of a rose like a picture of a rose, and that music is best heard not talked about, and to say nothing of the medium of games and interactivity, where even being able to see all the code can spoil the ending!

                                                              We already have something perfectly mediocre at representing all of those things, but we don’t have anything really great at just doing text and links besides Gemini.

                                                              There’s nothing wrong with this, but it makes the community by definition exclusionary.

                                                              I disagree wholeheartedly: A meetup for blind people isn’t exclusionary if a sighted person can join. You are so welcome! You’re free to consume or produce whatever content you want, but so are they, and your inability to share your math with me speaks more of your abilities than mine for simply lacking the eyes with which to “read” it.

                                                              1. 14

                                                                Like the Amish.

                                                                The Amish don’t proselytize. In fact I suspect they’d be relieved if the outside world stopped being fascinated by them. This does not describe most Gemini evangelists.

                                                                We already have something perfectly mediocre at representing all of those things, but we don’t have anything really great at just doing text and links besides Gemini.

                                                                Well, views differ. I see the lack of semantic content for emphasis as crippling, for text. And I really cannot see any reason for this to be the case apart from the rigid “each line should be parseable as a unit” argument, and “it’s up to the client to decide how to present”.

                                                                Quoting myself from here:

                                                                italics and boldface are good, I am still mad

                                                                You can’t reproduce most prose works without having fugly underscores or asterisks all over. This is defacing our cultural heritage. Asking the user/client to download on the side and using an external reader is a cop-out.

                                                                It’s increasingly apparent to me that gemtext is well suited for one thing: writing about and discussing gemtext and Gemini. A bargain-basement Sapir-Whorf theory, in other words.

                                                                Gemtext is designed by someone who thought that the pinnacle of human communication is a 1990s Usenet post. Gutenberg and Aldus Manutius wept.

                                                                1. 2

                                                                  The Amish don’t proselytize.

                                                                  I think that depends on what you mean by proselytize; Many Amish vote, and they have Amish lobbyists, and some are even quite mission-oriented in how they talk of their faith (e.g. NOA). Some have certain rules that you have to follow if you want to participate in their community (like for example, visiting an Amish church), and both (to me) seem quite tolerant of the existence of other faiths.

                                                                  In any event, I don’t follow exactly what it is about Gemini “evangelism” that has anything to do with your inability to express yourself to blind people. To me, it’s like you’re telling people to remove the braille from elevators. Why? If you don’t want to use Gemini? Who is forcing you?

                                                                  I see the lack of semantic content for emphasis as crippling. … I really cannot see any reason for this.

                                                                  That’s too bad. Again, why do you care that something exists that isn’t for you? Do you bring your cat to dog-walking clubs as well? A child to the pub? Do you think everyone should like the things you like?

                                                                  1. 3

                                                                    I dunno man, I’m just here, working on my gemsite, participating on Antenna, hanging out in the #gemini IRC and generally having a good time. I’m sorry I’m not comporting myself befitting a member of the Church of Gemini.

                                                            2. 8

                                                              Twitter used to have a nice mobile site. It worked beautifully with text-mode browsers. I used to use it with edbrowse. They killed it in December 2019, a couple weeks after I quit twitter.

                                                              And then there’s twitter’s crusade against third-party clients. Third-party clients happen to be very popular with the blind.

                                                          1. 1

                                                            It’s happening!

                                                            1. 8

                                                              I fear the same thing happening in the Rust ecosystem some day, because you quickly pull in a non-trivial number of small libs even for a simple project, and most of them are hosted on GitHub and maintained often by separate individuals or small groups. I know there is version pinning, but how well is this followed? This might be a good idea for an explorative analysis, and maybe someone can say more about this concern, which probably has been addressed in some way.

                                                              As a side note, many think the circumstances of Aaron Swartz’ death raise a lot of questions, to put it lightly.

                                                              1. 19

                                                                As a side note, many think the circumstances of Aaron Swartz’ death raise a lot of questions, to put it lightly.

                                                                I mean, yeah, sure, but I’m having a hard time seeing how that is at all related to this situation.

                                                                1. 2

                                                                  It’s supposedly an integral part of the rantings of the developer in question.

                                                                  1. 3

                                                                    Is there more background? I saw the hashtag in a tweet from Marak and was completely confused.

                                                                2. 7

                                                                  and most of them are hosted on GitHub

                                                                  The rust ecosystem has a tool enforced rule that for all crates hosted by crates.io, all rust dependencies are also hosted by crates.io. Technically you can have a build.rs that manually downloads things from github (or elsewhere), but that is incredibly rare.

                                                                  I know there is version pinning, but how well is this followed

                                                                  Every time you run a build, it generates a Cargo.lock file pinning the version. Most people developing binaries commit this; that’s what the default .gitignore encourages, so it’s followed pretty well.

                                                                  1. 3

                                                                    The lock file also includes checksums for each dependency and crates.io doesn’t allow re-pushing the same version.

                                                                  2. 5

                                                                    Dependencies update when you run cargo update, and not automatically. It’s not foolproof: if you don’t preserve Cargo.lock and use CI/Docker that naively wipes all state away, you’re going to get fresh(est) deps every time.

                                                                    crates.io is lucky that it’s a step behind npm, so it can learn from npm’s mistakes. For example, from the start it prevented left-pad incidents by not deleting any packages (yanking only hides packages from UI, not direct downloads).

                                                                    But it’s only a matter of time before the next big mess happens on crates.io too. Sadly, crates.io is understaffed, so there are several features/mitigations it probably should have, but hasn’t got yet.

                                                                    There’s cargo-crev that aims to create a set of manually-verified trustworthy packages, but crates.io is growing by 70 releases a day, so it’s hard to keep up.

                                                                    1. 1

                                                                      I think the feature is inherent. If you’re downloading stuff in apt, you’re trusting the people packaging that application (and their download servers). If you’re installing stuff manually, you’re trusting the people where you download it. And if you’re developing things you’ll have to trust the developers. And I’m certain at each of these steps there are many “hidden dependencies” you don’t actually realize when downloading. It will fail somewhere in the future, and people will rally about how bad crates.io is, while the rest of the world moves on.

                                                                    2. 1

                                                                      Automatically generated for all builds; should be committed for all applications:

                                                                      # This file is automatically @generated by Cargo.
                                                                      # It is not intended for manual editing.
                                                                      version = 3
                                                                      
                                                                      [[package]]
                                                                      name = "actix-codec"
                                                                      version = "0.4.1"
                                                                      source = "registry+https://github.com/rust-lang/crates.io-index"
                                                                      checksum = "13895df506faee81e423febbae3a33b27fca71831b96bb3d60adf16ebcfea952"
                                                                      [...]
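The two properties the comments above rely on (every dependency comes from the crates.io registry, and the lock file carries a checksum for each release) can be audited mechanically. The script below is an added example, not code from the thread or from Cargo: it reads the `[[package]]` sections of a Cargo.lock with a small hand-rolled parser, flags packages whose source is not the crates.io index or that lack a checksum, and recomputes the SHA-256 that Cargo records for a downloaded `.crate` archive. The actix-codec entry is the one quoted above; the git-sourced and checksum-less entries, and the `.crate` bytes in `main`, are constructed for the example.

```python
import hashlib
import re

CRATES_IO_INDEX = "registry+https://github.com/rust-lang/crates.io-index"

# Constructed sample: the actix-codec entry quoted in the thread (dependency
# list abbreviated) plus two entries invented here, a git dependency and a
# registry package with no checksum, to show what the audit flags.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "actix-codec"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "13895df506faee81e423febbae3a33b27fca71831b96bb3d60adf16ebcfea952"
dependencies = [
 "bytes",
]

[[package]]
name = "example-git-dep"
version = "0.1.0"
source = "git+https://example.invalid/someone/example-git-dep#0123456789abcdef"

[[package]]
name = "example-unchecked"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Matches the flat  key = "value"  lines inside a [[package]] table.
_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_cargo_lock(text):
    """Return one dict per [[package]] table with its quoted string keys.

    Cargo.lock is TOML, but the audit only needs name/version/source/
    checksum, so array lines (dependencies = [...]) are simply skipped.
    """
    packages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[package]]":
            current = {}
            packages.append(current)
            continue
        if current is None:
            continue  # top-level keys such as  version = 3
        m = _KV.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return packages


def audit(packages):
    """List (package, problem) pairs for anything not pinned to a
    checksummed crates.io release."""
    findings = []
    for pkg in packages:
        label = f"{pkg.get('name')} {pkg.get('version')}"
        source = pkg.get("source")
        if source is None:
            findings.append((label, "path/workspace package, not fetched from a registry"))
        elif source != CRATES_IO_INDEX:
            findings.append((label, f"non-registry source: {source}"))
        elif "checksum" not in pkg:
            findings.append((label, "registry package without checksum"))
    return findings


def verify_crate_checksum(crate_bytes, expected_hex):
    """Cargo's checksum is the SHA-256 of the .crate archive; recomputing it
    confirms a vendored or mirrored copy matches what the lock file pinned."""
    return hashlib.sha256(crate_bytes).hexdigest() == expected_hex


if __name__ == "__main__":
    for label, problem in audit(parse_cargo_lock(SAMPLE_LOCK)):
        print(f"{label}: {problem}")
    fake_crate = b"constructed stand-in for a .crate archive"  # not a real crate
    print(verify_crate_checksum(fake_crate, hashlib.sha256(fake_crate).hexdigest()))
```

Run against a real Cargo.lock, a clean result means every crate in the build can be re-fetched from crates.io and matched byte-for-byte against the recorded digest; any `git+` or missing-checksum finding is a dependency the registry's immutability guarantee does not cover.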
                                                                      
                                                                    1. 57

                                                                      The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on ‘colors’ and ‘faker’.

                                                                      I wonder if the person who wrote this actually knows what “bricked” means.

                                                                      But beyond the problem of not understanding the difference between “bricked” and “broke”, this action did not break any builds that were set up responsibly; only builds which tell the system “just give me whatever version you feel like regardless of whether it works” which like … yeah, of course things are going to break if you do that! No one should be surprised.

                                                                      Edit: for those who are not native English speakers, “bricked” refers to a change (usually in firmware on an embedded device) which not only causes the device to be non-functional, but also breaks whatever update mechanisms you would use to get it back into a good state. It means the device is completely destroyed and must be replaced since it cannot be used as anything but a brick.

                                                                      GitHub has reportedly suspended the developer’s account

                                                                      Hopefully this serves as a wakeup call for people about what a tremendously bad idea it is to have all your code hosted by a single company. Better late than never.

                                                                      1. 25

                                                                        There have been plenty of wakeup calls for people using Github, and I doubt one additional one will change the minds of very many people (which doesn’t make it any less of a good idea for people to make their code hosting infrastructure independent from Github). The developer was absolutely trolling (in the best sense of the word) and a lot of people have made it clear that they’re very eager for Github to deplatform trolls.

                                                                        I don’t blame him certainly; he’s entitled to do whatever he wants with the free software he releases, including trolling by releasing deliberately broken commits in order to express his displeasure at companies using his software without compensating him in the way he would like.

                                                                        The right solution here is for any users of these packages to do exactly what the developer suggested and fork them without the broken commits. If npm (or cargo, or any other programming language ecosystem package manager) makes it difficult for downstream clients to perform that fork, this is an argument for changing npm in order to make that easier. Build additional functionality into npm to make it easier to switch away from broken or otherwise-unwanted specific versions of a package anywhere in your project’s dependency tree, without having to coordinate this with other package maintainers.

                                                                        1. 31

                                                                          The developer was absolutely trolling (in the best sense of the word)

                                                                          To the extent there is any good trolling, it consists of saying tongue-in-cheek things to trigger people with overly rigid ideas. Breaking stuff belonging to people who trusted you is not good in any way.

                                                                          I don’t blame him certainly; he’s entitled to do whatever he wants with the free software he releases, including trolling by releasing deliberately broken commits in order

                                                                          And GitHub was free to dump his account for his egregious bad citizenship. I’m glad they did, because this kind of behavior undermines the kind of collaborative trust that makes open source work.

                                                                          to express his displeasure at companies using his software without compensating him in the way he would like.

                                                                          Take it from me: the way to get companies to compensate you “in six figures” for your code is to release your code commercially, not open source. Or to be employed by said companies. Working on free software and then whining that companies use it for free is dumbshittery of an advanced level.

                                                                          1. 33

                                                                            No I think the greater fool is the one who can’t tolerate changes like this in free software.

                                                                            1. 1

                                                                              It’s not foolish to trust, initially. What’s foolish is to keep trusting after you’ve been screwed. (That’s the lesson of the Prisoner’s Dilemma.)

                                                                              A likely lesson companies will draw from this is that free software is a risk, and that if you do use it, stick to big-name reputable projects that aren’t built on a house of cards of tiny libraries by unknown people. That’s rather bad news for ecosystems like node or RubyGems or whatever.

                                                                            2. 12

                                                                              Working on free software and then whining that companies use it for free is dumbshittery of an advanced level.

                                                                                Thank you. This is the point everybody seems to be missing.

                                                                              1. 49

                                                                                The author of these libraries stopped whining and took action.

                                                                                1. 3

                                                                                  Worked out a treat, too.

                                                                                  1. 5

                                                                                    I mean, it did. Hopefully companies will start moving to software stacks where people are paid for their effort and time.

                                                                                    1. 6

                                                                                      He also set fire to the building making bombs at home, maybe he’s not a great model.

                                                                                      1. 3

                                                                                        Not if you’re being responsible and pinning your deps though?

                                                                                        Even if that weren’t true though, the maintainer doesn’t have any obligation to companies using their software. If the company used the software without acquiring a support contract, then that’s just a risk of business that the company should have understood. If they didn’t, that’s their fault, not the maintainer’s - companies successfully do this kind of risk/reward calculus all the time in other areas.

                                                                                        1. 1

                                                                                          I know there are news reports of a person with the same name being taken into custody in 2020 where components that could be used for making bombs were found, but as far as I know, no property damage occurred then. Have there been later reports?

                                                                                        2. 3

                                                                                          Yeah, like proprietary or in-house software. Great result for open source.

                                                                                          Really, if I were a suit at a company and learned that my product was DoS’d by source code we got from some random QAnon nutjob – that this rando had the ability to push malware into his Git repo and we’d automatically download and run it – I’d be asking hard questions about why my company uses free code it just picked up off the sidewalk, instead of paying a summer intern a few hundred bucks to write an equivalent library to printf ANSI escape sequences or whatever.

                                                                                          That’s inflammatory language, not exactly my viewpoint but I’m channeling the kind of thing I’d expect a high-up suit to say.

                                                                                2. 4

                                                                                  There have been plenty of wakeup calls for people using Github, and I doubt one additional one will change the minds of very many people

                                                                                  Each new incident is another feather. For some, it’s the last one to break the camel’s back.

                                                                                  1. 4

                                                                                    in order to express his displeasure at companies using his software without compensating him in the way he would like.

                                                                                    This sense of entitlement is amusing. These people totally miss the point of free software. They make something that many people find useful and use (very much thanks to the nature of being released with a free license, mind you), then they feel in their right to some sort of material/monetary compensation.

                                                                                    This is not a Miss Universe contest. It’s not too hard to understand that had this project been non-free, it would have probably not gotten anywhere. This is the negative side of GitHub. GitHub has been an enormously valuable resource for free software. Unfortunately, when it grows so big, it will inevitably also attract this kind of people that only like the free aspect of free software when it benefits them directly.

                                                                                    1. 28

                                                                                      These people totally miss the point of free software.

                                                                                      An uncanny number of companies (and people employed by said companies) also totally miss the point of free software. They show up in bug trackers all entitled like the license they praise in all their “empowering the community” slides doesn’t say THE SOFTWARE IS PROVIDED “AS IS” in all fscking caps. If you made a list of all the companies to whom the description “companies that only like the free aspect of free software when it benefits them directly” doesn’t apply, you could apply a moderately efficient compression algorithm and it would fit in a boot sector.

                                                                                      I don’t want to defend what the author did – as someone else put it here, it’s dumbshittery of an advanced level. But if entitlement were to earn you an iron “I’m an asshole” pin, we’d have to mine so much iron ore on account of the software industry that we’d trigger a second Iron Age.

                                                                                      This isn’t only on the author, it’s what happens when corporate entitlement meets open source entitlement. All the entitled parties in this drama got exactly what they deserved IMHO.

                                                                                      Now, one might argue that what this person did affected not just all those entitled product managers who had some tough explaining to do to their suit-wearing bros, but also a bunch of good FOSS “citizens”, too. That’s absolutely right, but while this may have been unprofessional, the burden of embarrassment should be equally shared by the people who took a bunch of code developed by an independent, unpaid developer, in their spare time – in other words, a hobby project – without any warranty, and then baked it in their super professional codebases without any contingency plan for “what if all that stuff written in all caps happens?”. This happened to be intentional but a re-enactment of this drama is just one half-drunk evening hacking session away.

                                                                                      It’s not like they haven’t been warned – when a new dependency is proposed, that part is literally the first one that’s read, and it’s reviewed by a legal team whose payment figures are eye-watering. You can’t build a product based only on the good parts of FOSS. Exploiting FOSS software only when it benefits yourself may also be assholery of an advanced level, but hoping that playing your part shields you from all the bad parts of FOSS is naivety of an advanced level, and commercial software development tends to punish that.

                                                                                      1. 4

                                                                                        They show up in bug trackers all entitled like the license they praise in all their “empowering the community” slides doesn’t say THE SOFTWARE IS PROVIDED “AS IS” in all fscking caps

                                                                                        Slides about F/OSS don’t say that because expensive proprietary software has exactly the same disclaimer. You may have an SLA that requires bugs to be fixed within a certain timeframe, but outside of very specialised markets you’ll be very hard pressed to find any software that comes with any kind of liability for damage caused by bugs.

                                                                                        1. 1

                                                                                          Well… I meant the license, not the slides :-P. Indeed, commercial licenses say pretty much the same thing. However, at least in my experience, the presence of that disclaimer is not quite as obvious with commercial software – barring, erm, certain niches.

                                                                                          Your average commercial license doesn’t require proprietary vendors to issue refunds, provide urgent bugfixes or stick by their announced deadlines for fixes and features. But the practical constraints of staying in business are pretty good at compelling them to do some of these things.

                                                                                          I’ve worked both with and without SLAs so I don’t want to sing praises to commercial vendors – some of them fail miserably, and I’ve seen countless open source projects that fix security issues in less time than it takes even competent large vendors to call a meeting to decide a release schedule for the fix. But expecting the same kind of commitment and approachability from Random J. Hacker is just not a very good idea. Discounting pathological arseholes and know-it-alls, there are perfectly human and understandable reasons why the baseline of what you get is just not the same when you’re getting it from a development team with a day job, a bus factor of 1, and who may have had a bad day and has no job description that says “be nice to customers even if you had a bad day or else”.

                                                                                          The universe npm has spawned is particularly susceptible to this. It’s a universe where adding a PNG to JPG conversion function pulls forty dependencies, two of which are different and slightly incompatible libraries which handle emojis just in case someone decided to be cute with file names, and they’re going to get pulled even if the first thing your application does is throw non-alphanumeric characters out of any string, because they’re nth order dependencies with no config overrides. There’s a good chance that no matter what your app does, 10% of your dependencies are one-person resume-padding efforts that turned out to be unexpectedly useful and are now being half-heartedly maintained largely because you never know when you’ll have to show someone you’re a JavaScript ninja guru in this economy. These packages may well have the same “no warranty” sticker that large commercial vendors put on theirs, but the practical consequences of having that sticker on the box often differ a lot.

                                                                                          Edit: to be clear, I’m not trying to say “proprietary – good and reliable, F/OSS – slow and clunky”, we all know a lot of exceptions to both. What I meant to point out is that the typical norms of business-to-business relations just don’t uniformly apply to independent F/OSS devs, which makes the “no warranty” part of the license feel more… intense, I guess.

                                                                                      2. 12

                                                                                        The entitlement sentiment goes both ways. Companies that expect free code and get upset if the maintainer breaks backward compatibility. Since when is that an obligation to behave responsibly?

                                                                                        When open source started, there wasn’t that much money involved and things were very much in the academic spirit of sharing knowledge. That created a trove of wealth that companies are just happy to plunder now.

                                                                                      3. 1

                                                                                        releasing deliberately broken commits in order to express his displeasure at companies using his software without compensating him in the way he would like.

                                                                                        Was that honestly the intent? Because in that case: what hubris! These libraries were existing libraries translated to JS. He didn’t do any of the hard work.

                                                                                      4. 8

                                                                                        There is further variation on the “bricked” term, at least in the Android hacker’s community. You might hear things like “soft bricked” which refers to a device that has the normal installation / update method not working, but could be recovered through additional tools, or perhaps using JTAG to reprogram the bootloader.

                                                                                        There is also “hard bricked” which indicates something completely irreversible, such as changing the fuse programming so that it won’t boot from eMMC anymore. Or deleting necessary keys from the secure storage.

                                                                                        1. 3

                                                                                          this action did not break any builds that were set up responsibly; only builds which tell the system “just give me whatever version you feel like regardless of whether it works” which like … yeah, of course things are going to break if you do that! No one should be surprised.

                                                                                          OK, so, what’s a build set up responsibly?

                                                                                          I’m not sure what the expectations are for packages on NPM, but the changes in that colors library were published with an increment only to the patch version. When trusting the developers (and if you don’t, why would you use their library?), not setting in stone the patch version in your dependencies doesn’t seem like a bad idea.

                                                                                          1. 26

                                                                                            When trusting the developers (and if you don’t, why would you use their library?), not setting in stone the patch version in your dependencies doesn’t seem like a bad idea.

                                                                                            No, it is a bad idea. Even if the developer isn’t actively malicious, they might’ve broken something in a minor update. You shouldn’t ever blindly update a dependency without testing afterwards.

                                                                                            1. 26

                                                                                              Commit package-lock.json like all of the documentation tells you to, and don’t auto-update dependencies without running CI.

                                                                                              1. 3

                                                                                                And use npm shrinkwrap if you’re distributing apps and not libraries, so the lockfile makes it into the registry package.

                                                                                              2. 18

                                                                                                Do you really think that a random developer, however well intentioned, is really capable of evaluating whether or not any given change they make will have any behavior-observable impact on downstream projects they’re not even aware of, let alone have seen the source for and have any idea how it consumes their project?

                                                                                                I catch observable breakage coming from “patch” revisions easily a half dozen times a year or more. All of it accidental “oh we didn’t think about that use-case, we don’t consume it like that” type stuff. It’s truly impossible to avoid for anything but the absolute tiniest of API surface areas.

                                                                                                The only sane thing to do is to use whatever your tooling’s equivalent of a lock file is to strictly maintain the precise versions used for production deploys, and only commit changes to that lock file after a full re-run of the test suite against the new library version, patch or not (and running your eyeballs over a diff against the previous version of its code would be wise, as well).

                                                                                                It’s wild to me that anyone would just let their CI slip version updates into a deploy willy-nilly.
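The disagreement in the comments above (a patch-only version bump, a `package.json` range that floats over patch versions, and the advice to commit `package-lock.json` and only update it after CI) comes down to two mechanical facts: what a range resolves to when no lockfile is consulted, and what a lockfile entry actually pins. The script below is an added example, not code from the thread or from npm: it resolves the exact, `~` and `^` range forms against a list of published versions, and checks that a `package-lock.json` (lockfileVersion 2/3 layout, entries under `packages` keyed `node_modules/<name>`) pins every declared dependency to one exact version with an `integrity` hash inside the declared range. Package names, versions, URLs and hashes are constructed for the example; other range syntaxes (`>=`, `||`, `x`, tags) are deliberately rejected.

```python
import re

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(v):
    m = SEMVER.match(v)
    if not m:
        raise ValueError(f"not a plain x.y.z version: {v!r}")
    return tuple(int(x) for x in m.groups())


def range_bounds(spec):
    """Translate a package.json range into [lower, upper) version tuples.

    Exact "1.4.0" pins one version; "~1.4.0" allows patch updates
    (>=1.4.0 <1.5.0); "^1.4.0" allows minor and patch updates
    (>=1.4.0 <2.0.0), with the usual narrowing for 0.y.z versions.
    """
    if spec.startswith("~"):
        lo = parse_version(spec[1:])
        return lo, (lo[0], lo[1] + 1, 0)
    if spec.startswith("^"):
        lo = parse_version(spec[1:])
        if lo[0] > 0:
            return lo, (lo[0] + 1, 0, 0)
        if lo[1] > 0:
            return lo, (0, lo[1] + 1, 0)
        return lo, (0, 0, lo[2] + 1)
    lo = parse_version(spec)
    return lo, (lo[0], lo[1], lo[2] + 1)


def resolve_without_lock(spec, available):
    """Newest published version inside the range: what an install that
    ignores or lacks a lockfile picks, so a fresh patch release wins."""
    lo, hi = range_bounds(spec)
    matches = [v for v in available if lo <= parse_version(v) < hi]
    return max(matches, key=parse_version) if matches else None


def check_lockfile(package_json, lock):
    """Problems for declared dependencies the lockfile does not pin to an
    exact, integrity-hashed version that satisfies the declared range."""
    problems = []
    for name, spec in package_json.get("dependencies", {}).items():
        entry = lock.get("packages", {}).get(f"node_modules/{name}")
        if entry is None:
            problems.append(f"{name}: not in lockfile")
            continue
        version = entry.get("version", "")
        if not SEMVER.match(version):
            problems.append(f"{name}: version {version!r} is not exact")
            continue
        if not entry.get("integrity", "").startswith("sha512-"):
            problems.append(f"{name}: no sha512 integrity hash")
        lo, hi = range_bounds(spec)
        if not (lo <= parse_version(version) < hi):
            problems.append(f"{name}: locked {version} is outside range {spec}")
    return problems


# Constructed registry view: 1.4.1 stands in for a patch release that
# changed behaviour, as the thread describes.
REGISTRY = {"example-colors": ["1.3.3", "1.4.0", "1.4.1"]}

PACKAGE_JSON = {"dependencies": {"example-colors": "^1.4.0", "example-left": "~2.1.0"}}

# Constructed lockfile: example-colors is pinned; example-left is missing on
# purpose so the check has something to report.
PACKAGE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "node_modules/example-colors": {
            "version": "1.4.0",
            "resolved": "https://registry.example.invalid/example-colors/-/example-colors-1.4.0.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",  # placeholder digest
        },
    },
}

if __name__ == "__main__":
    for spec in ("1.4.0", "~1.4.0", "^1.4.0"):
        print(spec, "->", resolve_without_lock(spec, REGISTRY["example-colors"]))
    print(check_lockfile(PACKAGE_JSON, PACKAGE_LOCK))
```

With the lockfile committed and honoured, the range in `package.json` only matters at the moment someone deliberately updates the lock (and, per the comment above, runs the test suite first); without it, every build re-runs `resolve_without_lock` against whatever the registry has most recently accepted.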

                                                                                                1. 11

                                                                                                  This neatly shows why Semver is a broken religion: you can’t just rely on a version number to consider changes to be non-broken. A new version is a new version and must be tested without any assumptions.

                                                                                                  To clarify, I’m not against specifying dependencies to automatically update to new versions per se, as long as there’s a CI step to build and test the whole thing before it goes into production, to give you a chance to pin the broken dependency to a last-known-good version.

                                                                                                  1. 7

                                                                                                    Semver doesn’t guarantee anything though and doesn’t promise anything. It’s more of an indicator of what to expect. Sure, you should test new versions without any assumptions, but that doesn’t say anything about semver. What that versioning scheme allows you to do though is put minor/revision updates straight into ci and an automatic PR, while blocking major ones until manual action.

                                                                                                  2. 6

                                                                                                    The general form of the solution is this:

                                                                                                    1. Download whatever source code you are using into a secure versioned repository that you control.

                                                                                                    2. Test every version that you consider using for function before you commit to it in production/deployment/distribution.

                                                                                                    3. Build your system from specific versions, not from ‘last update’.

                                                                                                    4. Keep up to date on change logs, security lists, bug trackers, and whatever else is relevant.

                                                                                                    5. Know what your back-out procedure is.

                                                                                                    These steps apply to all upstream sources: language modules, libraries, OS packages… dependency management is crucial.

                                                                                                    1. 3

                                                                                                      Amazon does this. Almost no-one else does this, but that’s a choice with benefits (saving the set up effort mostly) and consequences (all of this here)

                                                                                                    2. 6

                                                                                                      When trusting the developers (and if you don’t, why would you use their library?)

                                                                                                      If you trust the developers, why not give them root on your laptop? After all, you’re using their library so you must trust them, right?

                                                                                                      1. 7

                                                                                                        There’s levels to trust.

                                                                                                        I can believe you’re a good person by reading your public posts online, but I’m not letting you babysit my kids.

                                                                                                    3. 2

                                                                                                      Why wouldn’t this behavior be banned by any company?

                                                                                                      1. 2

                                                                                                        How do they ban them? They’re not paying them. Unless you mean the people who did not pin the dependencies?

                                                                                                        1. 4

                                                                                                          I think it is bannable on any platform, because it is malicious behavior - that means he intentionally caused harm to people. It’s not about an exchange of money, it’s about intentional malice.

                                                                                                        2. 1

                                                                                                          Because it’s his code and even the license says “no guarantees” ?

                                                                                                          1. 2

                                                                                                            The behavior was intentionally malicious. It’s not about violating a contract or guarantee. For example, if he just decided that he was being taken advantage of and removed the code, I don’t think that would require a ban. But he didn’t do that - he added an infinite loop to purposefully waste people’s time. That is intentional harm, that’s not just providing a library of poor quality with no guarantee.

                                                                                                            Beyond that, if that loop went unnoticed on a build server and cost the company money, I think he should be legally responsible for those damages.

                                                                                                      1. 2

                                                                                                        I love this post, I read most of it with much interest.

                                                                                                        On the orange site there’s been talk about email hosting and I’ve been thinking about moving mine to a “real” server. I’m currently paying DO about a hundred dollars for several servers…this can be combined to mirror what OP has done.

                                                                                                        All this to say I’m gonna investigate my options in the AM, thanks for sharing.

                                                                                                        1. 6

                                                                                                          I used to rent a dedicated server and I’ve moved entirely to using cloud VMs instead. The problem with dedicated servers is that failure is your responsibility.

                                                                                                          If a hard disk fails in an Azure datacenter, then I won’t notice. Even if it’s storing some of my data, something in the background will transparently resilver. If I have a disk die in a dedicated host (which happened to me twice), then I need to buy a new one, pay for remote hands at the hosting company to install it, and then restore from backups if I’m not doing some form of RAID, or wait with degraded performance for the resilver if I am (and hope that the other disk doesn’t fail at the same time).

                                                                                                          Similarly, if a CPU or RAM fails catastrophically in a cloud datacenter, my VM will die, the node will be taken offline, my VM will be redeployed immediately and I’ll experience probably a minute of downtime. For other other kinds of fault (including RAM with too many recoverable ECC failures) the hypervisor will migrate my VM to a node that isn’t failing, or will try to remove the faulty resources from any assigned VMs. If I experience hardware issues with a dedicated machine, I have to buy a new one, pay for remote hands to move the disks over, and so on.

                                                                                                          On top of that, it’s much easier to pay for what I use with cloud hosting. Buying 4 TiB of cloud storage is more expensive than buying a 4 TiB disk, but if I’m only using 500 GiB now and just want to be able to expand later, I can do that trivially with cloud hosting and pay per GiB, whereas with dedicated hardware I either need to buy the big disks up front or have the same kind of issues as I’d have with hardware failure: needing to buy the new disks, schedule downtime, have remote hands install the new ones, and so on.

                                                                                                          1. 2

                                                                                                            If a hard disk fails in an Azure datacenter, then I won’t notice. Even if it’s storing some of my data, something in the background will transparently resilver

                                                                                                            FWIW this does vary wildly depending on your luck. E.g. people I know using AWS and Rackspace Cloud (hey, it was fairly good for a while, tbh) have had fairly unceremonious emails to the effect that “your VM and all the data on it is gone, deal with it”.

                                                                                                            The fact that I can set up new infra and restore backups to it straight away (provided us-east-1 doesn’t die again) is the useful part.

                                                                                                            1. 1

                                                                                                              Yeah that’s a very good point. I’ve not had issues with the hard drive or anything else so far, but I know it’s definitely a possibility.

                                                                                                          1. 1

                                                                                                            I’ve just started work on refactoring the frontend to my registrar API. I remember running into issues with SvelteKit a couple months ago but I conveniently realized I needed to do a refactor to my registry API.

                                                                                                            It’s fun to figure out the most optimal way of creating something technical and useful but I thoroughly enjoy scratching that design itch.

                                                                                                            1. 5

                                                                                                              Finally putting the new version of the frontend at work that I’ve been working on for about 3 months into production! It’s an exciting and also scary week, everything seems to work fine in staging but fingers crossed.

                                                                                                              1. 1

                                                                                                                Whew, good luck!

                                                                                                              1. 0

                                                                                                                I am most pleased with today’s announcements. Can’t wait to get my hands on the 16” M1 Max. I was looking to configure it with 64GB memory but that pushed my ship date to late November. I’ll make do with the (ridiculously powerful) 32GB base config.

                                                                                                                This laptop should last for quite some time.

                                                                                                                1. 8

                                                                                                                  Anyone who’s worked at AWS knows everything is constantly on fire, but they do manage to keep blast radius small enough and overwork their on-calls enough that the chaos is rarely visible to customers.

                                                                                                                  1. 1

                                                                                                                    How the heck is this viable to them?

                                                                                                                    1. 4

                                                                                                                      It’s what AWS users pay Amazon for, right? Hardware fails, software has bugs, things will catch fire (figuratively or literally). We pay AWS so that Amazon’s workers take care of all that and we don’t have to think about it too much.

                                                                                                                      1. 1

                                                                                                                        It’s just fascinating to me that such a process hasn’t been streamlined at this point, I guess.

                                                                                                                        1. 4

                                                                                                                          Amazon’s whole thing is basically to shave the margins down to nothing and grease the wheels with human misery. It’s working as designed as far as I can tell.

                                                                                                                          1. 2

                                                                                                                            There’s some truth there but this statement also misses the forest for the trees.

                                                                                                                          2. 1

                                                                                                                            What is streamlined?

                                                                                                                            1. 1

                                                                                                                              Not have things on fire all the time?

                                                                                                                              1. 2

                                                                                                                                I don’t think you can “streamline away” disk failures, RAM failures, power supply failures, datacenter cooling system failures, Internet connection failures, and all the other kinds of messy failures which occur when working with vast amounts of physical hardware. And they’re not in control of the software they run for the most part; companies like Netflix can design intelligent systems where a whole bunch of nodes can fail at the same time and other nodes seamlessly take over for the failed nodes, and some workers can take their time to fix the failed nodes whenever it’s most convenient. But that requires fancy distributed software, and one of the core abstractions Amazon provides is that of one highly reliable Linux computer with a fixed, large hard drive and a fixed IP address which never shuts down, and that seriously limits what you can do to engineer your way around downtime caused by hardware failures.

                                                                                                                                I’m not an expert in this by any means, it would be interesting to hear more specific details from someone who has done operations work for a cloud provider. But it doesn’t seem that difficult to me to imagine why what AWS is doing is a hard problem to do cleanly.

                                                                                                                    1. 1

                                                                                                                      Wow. At first glance this thing crushes the ~$30 Teensies I’ve been using for my home brew phone project. Amazing.

                                                                                                                      1. 2

                                                                                                                        I’m not sure how it “crushes” a $20 Teensy 4.0 with five times the clock speed, dual issue full Thumb2, FPU, four times the RAM, …

                                                                                                                        Cheaper, yes. Better documentation, yes. Better capability – not even close.

                                                                                                                        1. 1

                                                                                                                          Ooh, what’s this phone project?

                                                                                                                          1. 2

                                                                                                                            I wrote up a few updates on this project if you’re still interested in reading about it: http://zacstewart.com/2019/06/17/im-making-a-phone.html

                                                                                                                            1. 1

                                                                                                                              Thanks!

                                                                                                                        1. 5

                                                                                                                          I was plotting out a small hard sci-fi novella, but realized early on that the setting and plot would lend itself really well to a 2D platformer. So now I’m learning Godot.

                                                                                                                          1. 1

                                                                                                                            I’m intrigued af.

                                                                                                                          1. 5

                                                                                                            Last week I received another thank you email from Facebook for a position. It took me a week to get over. This week I’m focusing on creating a new plan for how to get a job in FAANG again (:cry)

                                                                                                                            1. 2

                                                                                                                              I believe in you

                                                                                                                            1. 1

                                                                                                                              My new MacBook Air showed up late yesterday so I’m gonna be setting it up to my liking and cursing myself for not keeping my dotfiles up to date.

                                                                                                                              I’ll also be doing some $WORK when I have time. Teams got behind and we’re working up to a deadline. Not gonna stress myself though, it’s not life critical.

                                                                                                                              Sunday I may attempt getting Acid Pro 7 running on this laptop so I can finally free old songs from their ancient jail.

                                                                                                                              1. 2

                                                                                                                The default styling for Firefox is not my taste so I use a Firefox Safari theme (find it on GitHub). Lately, I’ve been using The Browser Company’s beta browser and I’m loving it thus far (about a month or two in).

                                                                                                                I still use FF for web development but for me, its days are numbered.

                                                                                                                                1. 3

                                                                                                                                  Svelte and Tauri, some of my favorite projects on the front page of Lobsters? Nice.

                                                                                                                                  I’ve built node-webkit, nwjs, and Electron apps. Tauri is best in class.

                                                                                                                                  1. 3

                                                                                                                                    I love Svelte. I always bring out this comparison between create-react-app and svelte’s sveltejs/template:

                                                                                                                                    After a fresh app from create-react-app:

                                                                                                                                    $ npm install
                                                                                                                                    npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
                                                                                                                                    npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
                                                                                                                                    npm WARN deprecated querystring@0.2.1: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
                                                                                                                                    npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
                                                                                                                                    npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
                                                                                                                                    npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
                                                                                                                                    npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
                                                                                                                                    npm WARN deprecated rollup-plugin-babel@4.4.0: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-babel.
                                                                                                                                    npm WARN deprecated sane@4.1.0: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
                                                                                                                                    npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
                                                                                                                                    npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
                                                                                                                                    npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
                                                                                                                                    npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
                                                                                                                                    npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
                                                                                                                                    npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
                                                                                                                                    npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.
                                                                                                                                    
                                                                                                                                    [...]
                                                                                                                                    
                                                                                                                                    added 1810 packages from 736 contributors and audited 1813 packages in 68.426s
                                                                                                                                    
                                                                                                                                    145 packages are looking for funding
                                                                                                                                      run `npm fund` for details
                                                                                                                                    
                                                                                                                                    found 3 moderate severity vulnerabilities
                                                                                                                                      run `npm audit fix` to fix them, or `npm audit` for details
                                                                                                                                    
                                                                                                                                    $ du -h node_modules/ | tail -n 1
                                                                                                                                    229M	node_modules/
                                                                                                                                    

                                                                                                                                    After a fresh app from the Svelte template:

                                                                                                                                    $ npm install
                                                                                                                                    added 96 packages from 126 contributors and audited 97 packages in 2.922s
                                                                                                                                    
                                                                                                                                    6 packages are looking for funding
                                                                                                                                      run `npm fund` for details
                                                                                                                                    
                                                                                                                                    found 0 vulnerabilities
                                                                                                                                    
                                                                                                                                    $ du -h node_modules/ | tail -n 1
                                                                                                                                    21M	node_modules/
                                                                                                                                    

                                                                                                                    One of those seems like a fairly neat system which I can understand, keep up to date with software updates, and take responsibility for as the dependencies for my application. The other seems completely unmanageable to me. I know that React isn’t just adding dependencies for the hell of it, I know it probably has a lot more features than Svelte. But… I say “probably” because I honestly haven’t run into any features I miss yet, Svelte seems completely up to the task of building the kinds of web apps I need it to. And the development experience is really nice, with .vue files, automatic recompilation, a really fast compiler, live reloading, …

                                                                                                                                    1. 2

                                                                                                                                      With Svelte you can’t go wrong. Aside from complexity and whatnot of React, one of the things that irritates me the most is all. The damn. <div>s!

                                                                                                                                      “Hey bro I heard you liked <div>s so we’re gonna put <div>s inside your <div>s!”

                                                                                                                                      With Svelte I can write semantic HTML and ensure the output is that way too.

                                                                                                                                      1. 3

                                                                                                                        You can write semantic HTML in React too though, I don’t understand this complaint. The reason why React devs use divs so much is simply that they don’t bother learning/using semantic HTML.

                                                                                                                                        1. 1

                                                                                                                                          Last I checked (which admittedly hasn’t been in a while), it was an uphill battle to get my React app to get started in an element that was not <div>.

                                                                                                                                          1. 3

                                                                                                                                            I don’t remember having any issues getting React to mount on an element that is not <div> or mount a tree that doesn’t start with a <div>. It used to give a warning (it still might, I haven’t checked) if you tried to mount the app directly on <body> because external libraries often append and delete elements from <body>, which might cause a conflict with React if the whole tree is rerendered, but other than that you can use whatever element you want as root/mount point.

                                                                                                                                            1. 1

                                                                                                                                              This has never been a problem as far as I know (been using it since version 0.8), save for the warning about <body> elements that @steinull mentions.

                                                                                                                                        2. 1

                                                                                                                                          As a React user I took one look at create-react-app and decided never to touch it (for exactly the reason you highlighted). React isn’t create-react-app though. React itself is very small and you really really don’t need create-react-app.

                                                                                                                                          1. 1

                                                                                                                                            Oh wow, that’s news to me!

                                                                                                                                        3. 1

                                                                                                                                          How well do they work on other *NIX platforms? I’m always a bit nervous of things that are based on web technologies for GUI apps because they seem to abruptly break as soon as the deployment platform is anything other than Linux/Windows/macOS (in a large part because Google refuses to accept Chromium patches for any minority OS unless it’s one that they own). One of the ones that was featured on Lobste.rs a while ago had a GTK WebView-based UI. The code for it was portable to any GTK/POSIX platform (no Linux-specific stuff), but was guarded by #ifdef __linux__.

                                                                                                                                          1. 1

                                                                                                                                            I honestly don’t know but their Discord is super helpful and responsive.