1. 5

    My hobby projects are 90% web related, and I think C++ is simply not good for web services - especially if you’re a single developer and not a team.

    I’m writing a podcast thingy right now, and because it’s a native application for Windows+Linux it will be C++ and Qt. Right tools for the right thing.

    Also I’ve only been doing C++ for 2 years, so it’s just my daily work language, not my forever loved one-and-only language.

    1.  

      That is my default answer on C++ for web. That said, I did run into two, web frameworks for C++ that may or may not solve that. I haven’t seen any reviews by web developers yet. They’re CppCMS and CWF in case any of you want to try them. The examples for CWF look pretty approachable compared to most C++ source I glance at.

    1. 8

      I love C++, the language. If programming in C++ was only about the language, I wouldn’t stop using it. However, the biggest pain point in C++, to me, is the hopelessly outdated ecosystem.

      • First of all, the build system is a complete mess. Make, CMake and automake alleviate some of the problems, but the fact that every single library author invented their own hierarchy with their custom include paths guarantees a bumpy ride whenever you want to use a library, even if it’s a small, simple one. The C++ committee dropped the ball big time because it took them until now to even introduce modules, and in my eyes, it is too late now. I simply don’t care about build systems. Every second spent on build systems is wasted because it’s not spent on writing actual business logic.

      • A related issue is cross-platform builds. What a mess! Every platform has its own requirements and quirks. git clone X && cd X && make is guaranteed to fail spectacularly. But that is how a build system is supposed to work. Transitive dependency resolution is really not hard at all. In terms of computer science, this is a solved problem for at least half a century. The fact that building is such a big problem is insane. In addition to that, 80% of C++ developers think Linux is the only OS in existence, and broken builds on Windows and QNX are the norm, rather than the exception.

      • Another issue is that almost all C++ projects for Windows need proprietary software (Visual Studio) to be built. Support for libre / free build systems on Windows (like mingw64) is limited and often not well maintained and supported.

      • Eclipse CDT is so buggy and many bugs simply aren’t fixed at all. Some bugs that I encounter daily exist in Eclipse for a decade, which is remarkable. I expect nothing less of a Java-IDE-turned-C++.

      • There was a time in C++ history where nobody was sure if standard library functions should be in the std:: namespace. Common convention was that if you write #include <stdio.h> then it’s not in the std:: namespace, but if you write #include <cstdio> then it must be in the std:: namespace. But every compiler / standard library does it differently, ensuring build breakage across the board. Some require std::, some make it optional, some require omitting std::, depending on how you include the header. The standard is now clearer, but the damage has been done.

      • There are some pain points in the language. Locales in C and C++ are a complete mess (see this epic rant, what he says is entirely true and will bite you: https://github.com/mpv-player/mpv/commit/1e70e82baa9193f6f027338b0fab0f5078971fbe ). I have a strong dislike for Exceptions because they obscure the library APIs and control flow of the language and introduce needless ABI complexities. The fact that C++ still treats strings as “a bunch of bytes” is just completely unacceptable.

      These days I use Rust which addresses all the issues I mentioned here (and many more), the only thing I haven’t fully figured out yet is good IDE support in Rust. I largely use simple text editors with highlighting.

      1. 6

        I believe the build systems and cross platform issues are mainly a language issue.

        If C (yes, C) had proper modules from the start, instead of this header thingy that’s basically about leveraging a subset of m4 to avoid manual copy pasta of every interfaces, building a project, and managing dependencies would have become much easier down the line.

        Cross compilation problem comes from C and C++ being woefully under specified. Changing platforms often changes behaviour, and that’s a source of bugs. That, and the huge gaps in the standard library, which forces you to call system specific APIs every time you want to do any kind of I/O (drawing pixels and networking for instance). Thank goodness we have middleware like Qt, SDL, or Libuv, but they don’t have the advantage of being a standard library that ships with the compiler.

        1.  

          It seems you are not satisfied with existing editors or IDEs for Rust. What’s your dissatisfaction and expectations? No offense. I just wonder what kind of ideas people have for good IDE.

          1.  

            Oh, I’m not dissatisfied at all. I just didn’t have the time to evaluate all the IDE options I have with Rust, so I just used simple text editors with highlighting. My expectation is basically that the IDE does not get in my way, behaves predictably, is stable, has decent performance, does code highlighting (obviously) and allows me to follow function calls, definitions and references.

            1.  

              It would be cool to have code completion/navigation that understands cfg_if! {} directives or lazy_static! {}

              (unless it understands them already, I’ve tried Rust plugin to IDEA and it was several months ago)

            2.  

              The biggest language failure for me was slow compiles. Common Lisp, the most powerful PL, compiled really fast with interactive and incremental compilation. Before anyone argues the differences, a guy that wrote C++ compilers made a successor, D, have comparable capabilities with super-fast compiles. Along Lisp’s lines, they even have two compilers: one with Go’s philosophy for super-fast iterations; one targeting LLVM for fastest, runtime code. Eventually, I saw enough complex languages compile faster than C++ that it was clear it was just bad, language design causing the problem.

              One, Modula-3 in SPIN OS, also had type-safe linking, too. My stint with C++ was too brief to know if its ecosystem had linker problems. I did find a solution for C, though. That and SPIN made me think linker errors might also just be bad, language design.

            1.  

              If the problem is async, needs concurrency and/or IO related, I’d reach for go. If the problem is simple and doesn’t touch network IO, C. If it’s glue and doesn’t need to be deployed, bash/python.

              1.  

                Have you tried Flow that was used in FoundationDB?

              1. 7

                I strongly lean into simulator-driven design any time I need to do green-field distributed systems work, and am highly skeptical of any implementation that does not utilize this incredibly liberating technique. It makes code review much cheaper in many cases as well. Designing an algorithm with TLA+ is nice for similar reasons, because it can give you really rapid feedback of issues that are not obvious while writing your text.

                1.  

                  I was still really excited about the FoundationDB presentation back when you wrote that. So excited about sharing them that I forgot to tell you that was an utterly-epic comment. One I might be passing on for a while. :)

                1. 15

                  You may consider learning perl instead:

                  • the programs are as terse as awk
                  • much more flexible
                  • wide set of libraries
                  • as widely available

                  remember the power of perls ‘while(<>) func’ which hides command line arg parsing, stdio handling, and per-line loop. i highly recommend perl cookbook, you will be amazed how practical it is. dont allow to grow your perl(or awk) programs more than 10 lines long - they become a pain to maintain as they grow.

                  1. 7

                    I know perl, but found that awk was much more likely to be available and it’s much faster for quick scripts because there is less overhead in running the binary. i’ve moved most of my muscle memory to reach for awk instead.

                    1. 5

                      Awk does have the advantage of being a smaller language. You can understand awk enough to do useful things with it in an afternoon. Perl is Byzantine in it’s complexity as a language, which always scared me off using it for one-liners

                      1. 3

                        This is true especially when reading Perl scripts written by someone else. On the other hand, learn Perl enough to be able to write useful oneliners and process text streams, is quite easy.

                        1. 2

                          You can understand awk enough to do useful things with it in an afternoon.

                          I did that with Perl and a bunch of other languages at various times. The trick is you learn just the subset you need for structured programming, basic I/O, and whatever data format you deal with. Much tinier. Just cuz it’s there doesn’t mean you have to use it.

                          For Perl, I also had to learn regular expressions. They kept paying off outside of Perl, though.

                          1. 1

                            Just cuz it’s there doesn’t mean you have to use it.

                            Yeah, but finding a useful subset of Perl means I have to learn enough Perl to know what a useful subset would be, where awk is already that useful subset.

                            Doesn’t mean you can’t approach it like that, for sure, but I was pleasantly surprised how easy awk was to pick up when I decided to try to learn it a while back.

                          2. 1

                            Perl’s most ardent users are the language’s worst enemy ;) The downside of TMTOTDI[1] is that experienced Perl hackers settle into a set of personal idioms that they are comfortable with, but that others may not be.

                            Bondage and discipline languages with a much stricter focus on what’s “officially” idiomatic, like Python, don’t have this problem, and neither do small, focused languages like AWK.

                            [1] “There’s More Than One Way To Do It!”

                          3. 4

                            One of the reasons I prefer Perl is it’s portability between BSD and Linux. Sadly, this isn’t the case with AWK due to different implementations.

                            1. 2

                              scripts written for the One True awk (which most BSDs use) should work with gawk.

                              1. 1

                                There is also GNU awk as package.

                              2. 3

                                I used to think this, but after stuff like this I exited.

                                1. 1

                                  Update: That diff is not very clear, but here’s the issue from another repo I own that triggered the patch: https://github.com/akkartik/wart/issues/5

                                  1. 1

                                    Sad that enabling warnings caused this, it’s usually a given when writing scripts.

                                    1. 2

                                      It was a warning for a few minor versions, and then an error at some minor version.

                                      1. 3

                                        Wow, a lot of sotware was affected by this, based on this google search. Looks like an Autotools artifact? Someone wanted to avoid using / as delimeters?

                                        Edit for this specific use case, I think sed and AWK are a better fit…

                                1. 8

                                  This might be a good place to ask:

                                  • What is the BSD equivalent of the ArchWiki?
                                  • What is the usability tradeoff between Docker and Jails?
                                  • In what ways (if at all) can users contribute their own ports and make them available to other users?
                                  • How is BSD for gaming these days?

                                  These are genuine questions because I have pretty little clue about the BSD world. Would be cool if somebody with experience could share some insight. :)

                                  1. 6

                                    What is the BSD equivalent of the ArchWiki?

                                    The handbook (which, incidentally, is very good).

                                    In what ways (if at all) can users contribute their own ports and make them available to other users?

                                    There’s not terribly good tooling for unofficial ports. They can be done, and have been done, but generally this will take the form of a whole alternate ports tree with a couple of changes.

                                    How is BSD for gaming these days?

                                    The main person working on this is myfreeweb (actually, I think he uses lobsters, so maybe he can say better than I can)–see here. The answer is ‘not great’, but also close to ‘quite good’. There is excellent driver support for nvidia and AMD GPUs. You can run most emulators natively. However, if you want to use wine, you will probably have to compile it yourself, because the versions in ports come in 32-bit-only and 64-bit-only varieties (no, they can’t co-exist), and you almost certainly want the version that can run both 32-bit and 64-bit apps. There is a linux emulator, but it can’t run steam (I did some work to try to get it running a while back, but it needs some work on the kernel side, which is too much commitment so I gave up on it), limiting its usefulness.

                                    1. 2

                                      Thanks! Do you know if there’s an easier way to contribute to the handbook than to write suggestions to the mailing list? Do you know if small user-to-user tips (for instance for rather specific hardware fixes) are allowed on the handbook? If not, where would those end up?

                                      1. 1

                                        I’m not really working on gaming all that much, the last really “gaming” thing I did was a RetroArch update (that still didn’t land in upstream ports…) For gaming, I usually just reboot into Windows.

                                        1. 1

                                          @myfreeweb tags them with an email notification. If you’re replying to that person, leave off the @ so they don’t get hit with two emails for reply and @ mention notifications.

                                        2. 2

                                          How is BSD for gaming these days?

                                          I’d say the biggest effort is being undertaken by the openbsd_gaming community. A good starting point is the subreddit, then you can follow the most active members on Twitter or Mastodon to get more updates

                                          1. 2

                                            In what ways (if at all) can users contribute their own ports and make them available to other users?

                                            1. You can submit a new port, e.g. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238584
                                            2. You can update an existing port, e.g. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241769
                                            3. You can set up a custom category that contains your additions to the ports tree (I have not tried this…), e.g. https://www.amoradi.org/2019/11/12/maintaining-port-modifications-in-freebsd.html
                                            4. You can set up a poudriere build system to build your own packages from the ports tree, e.g. with non-standard settings (it’s harder to pronounce than do…), e.g. https://www.digitalocean.com/community/tutorials/how-to-set-up-a-poudriere-build-system-to-create-packages-for-your-freebsd-servers then use portshaker to merge it with the standard tree within the poudriere hierarchy, e.g. https://github.com/hartzell/freebsd-ports.

                                            I’ve found building packages for the ports that I want, the way that I want and then installing/upgrading them with pkg is a much smoother experience than trying to install directly from ports and then upgrade using one of the ports management tools.

                                            1. 1

                                              Thanks for the answer. You seem quite knowledgeable. How do people share build scripts for software that may not be shipped in binary form but that you can build yourself locally if you have the data? I’m thinking about some NVIDIA projects (like OptiX) or some games. Basically, is there an AUR for FreeBSD anywhere? I checked your links and obviously ports can be shared amongst users but I’m just curious whether there’s an index for those user-contributed ports anywhere.

                                            2. 1

                                              I ran into a thing just yesterday - jails (can) get an IP of their own, which seems to be automatically added to the host’s interface, but they do not (and afaik cannot) get their own MAC. This is FreeNAS for me (with iocage) and this is a little annoying because my fritzbox router seems to have a problem with port forwards now. But maybe I’m wrong and just haven’t solved in properly.

                                              In this case with docker at least would be possible to just use PORTS/EXPOSE and use the host’s main ip.

                                              Apart from that I’ve never encountered problems with jails and found them really smooth to work with.

                                              1. 2

                                                You can give a jail a whole virtual network interface (epair/vnet) and then bridge it or whatever. You can also just use the host’s networking if you don’t need to isolate networking at all for that jail.

                                                1. 1

                                                  thanks, that’s a good term to search for. I’m just a little surprised it (suddenly) doesn’t work anymore in my setup. My research so far has proven inconclusive with a lot of people saying that it can’t be done (in version X)

                                            1. 6

                                              AWK can be good for prototyping an idea, but you (very) quickly run into its limitations. No typing, no array literal, functions arent first class citizens, cant pass arrays by value, no imports. Its even missing basic functions like array length.

                                              But biggest negative is the myriad implementations: NAWK, MAWK (2 versions), GAWK. Makes it very difficult to write portable code.

                                              1. 6

                                                AWK can be good for prototyping an idea, but you (very) quickly run into its limitations.

                                                If I consider when AWK was created (1977), I must say, that it is incredibly well designed and successful piece of software. Yes, it is sometimes ugly, sometimes limited …but it is still in use after 44 years! God bless Alfred, Peter and Brian.

                                                (regardless we usually use the GNU implementation, it is still based on the original idea and language)

                                                AWK and classic unix approach is quite limited when it comes to structured data. But we can push it bit further and improve by borrowing ideas from relational data model – and still use classic tools like AWK.

                                                1. 3

                                                  funny enough, gawk’s –lint option will let you know what constructs are gawk (not posix awk) specific which helps with your biggest negative case. if you use vim, ALE for (g)awk scripts will highlight them inline.

                                                  1. 3

                                                    AWK can be good for prototyping an idea, but you (very) quickly run into its limitations.

                                                    A good programmer can work around these limitations. Just look at dwatch(8) on FreeBSD. Heavy use of awk.

                                                    https://svnweb.freebsd.org/base/head/cddl/usr.sbin/dwatch/

                                                    Or how about an HTTP caching proxy in gawk?

                                                    https://pastebin.com/raw/Fmf1Fu4b

                                                    1. 7

                                                      A good programmer can work around these limitations.

                                                      “Should they?” is a better question. They’re better off using a powerful tool that doesn’t limit them. Then, limit their use of it to what they need for maintainability. Subsets, DSL’s, and so on.

                                                      1. 2

                                                        Shell script with embedded awk in functions paired with fd redirection AND eval’ed sudo. That looks like a maintenance nightmare for anyone who’s not the original author.

                                                        1. 1

                                                          It was reviewed and signed off by three other core developers, so I don’t think that’s going to be a problem.

                                                          https://reviews.freebsd.org/D10006

                                                      2. 2

                                                        I don’t write awk for work, more so for pleasure, and its limitations can make it fun to use. It clearly was influential on the languages we use today and it would be interesting to see a programming historian trace that lineage.

                                                      1. 2

                                                        “Imagine programming without regular expressions. Can you even imagine the alternative? Would it entail building FSMs from scratch?”

                                                        I covered/countered that with these examples back when I was trying out StackExchage network. There’s all kinds of DSL’s and libraries for data/program transformation that might apply.

                                                        “Available everywhere.”

                                                        This is the best reason to learn both Awk and other standard stuff.

                                                        1. 2

                                                          The timing is good on this thread. I was recently recommending Python to several people wanting to get into programming. One of the benefits is the huge number of existing libraries that can given them both learning materials (esp reading source) and building blocks to increase odds they build something useful to them. Lots of pre-existing code.

                                                          I have a question for all the Python programmers here. Is most of the useful, maintained code out there Python 2.x or newer versions? What should I recommend to the beginners for best, ecosystem benefits? I’ve been defaulting on newer versions for now.

                                                          1. 3

                                                            While there will be a final packaged release of things that made it in ahead of the 2020-01-01 EOL deadline, Python 2 no longer receives upstream support from Python’s core team, and popular/maintained libraries either have dropped or are dropping Python 2 support.

                                                            So it really would be a disservice to a new programmer to start them on Python 2 at this point. And the first time they try to pip install something, for example, they’re going to get a scary warning saying their version of Python isn’t supported, while lots of packages will cryptically error out either at installation or, worse, at runtime.

                                                            1. 1

                                                              Thanks for the tip!

                                                          1. 9

                                                            @burntsushi

                                                            Damn, dude, you really put your heart into this one. Brave of you to write it up and share it with us. Powerful stuff, man. I really enjoyed reading it. I respect you even more now than I already did. This article is probably going to be popping in and out of my mind for a while.

                                                            Also, thanks for writing tools like xsv and ripgrep that help us do important jobs in a bit safer and faster way.

                                                            1. 7

                                                              Thanks for the kind words @nickpsecurity. Appreciate it. :-)

                                                            1. 13

                                                              Very good article @burntsushi.

                                                              I think what ends up happening—and this isn’t exactly an original insight—is that the negativity eclipses the neutral and the positive. The negative interactions stick in my memories and make it difficult to remember all the good that has come from being a FOSS maintainer. Even sitting down and writing the list above helped me remember how much positivity there is in FOSS. It was almost cathartic.

                                                              I believe it takes something like six positive interactions to cancel out one negative interaction.

                                                              One of my frustrations is that not enough people take the time to explain how to interact better. Communicating over text is hard. Really hard. In person, feedback is immediate so if I say something awkwardly phrased then I can correct it immediately, especially when the other party acts negatively (which doesn’t even need to be verbalized, but can be subtle body language clues).

                                                              Over text, you just make an awkward comment and then there is no feedback at all and I can’t correct it. Effective communication over text is a learned skill.

                                                              This is why adding comments like “hey, this is how that comment came across to me” is so important, as it provides the kind of feedback you have in real-life but is absent in text-only communication.

                                                              I also don’t like the “code of conducts” that are basically just a lazily written bullet list rephrasing “don’t be an asshole” in several ways – something everyone already agreed on in the first place – and then provides an in-depth explanation on how to punish people. That’s just not helpful in getting people to improve their behaviour, and a massive distraction at actually improving the situation.

                                                              1. 6

                                                                I also don’t like the “code of conducts” that are basically just a lazily written bullet list rephrasing “don’t be an asshole” in several ways – something everyone already agreed on in the first place – and then provides an in-depth explanation on how to punish people.

                                                                I have seen and experienced so much harassment coming from CoC-toting projects that participation in projects with CoCs has mostly become a red flag and an immediate “no thanks” for me.

                                                                A project will have to do something really interesting and important to override this stance (the only project that managed to do this recently was Rust, but only barely).

                                                                1. 3

                                                                  Every unwanted behaviour seen from far enough can be summed up as “being an asshole”. CoC need to spell out examples because we do not share a definition of what being an asshole is and giving most common problematic behaviours as explicit descriptions helps to draw a sketch of what is not wanted. Which of course does not mean that every CoC does it well.

                                                                  1. 12

                                                                    The problem is that many don’t even seem to “spell out examples”, but rather just list a bunch of terms as unwanted behaviour which are very open to interpretation. The “Contributor covenant” - by far the most popular CoC – does this. What it notably doesn’t do is actually give people guidance on how to avoid negative interactions, explain how certain behaviours/phrasings might be perceived, how people can do better, how to constructively handle things when a conflict does arrive in such a way that everyone leaves the interaction on a positive note, etc.

                                                                    It’s just a mostly useless list of things almost everyone already agrees on. It provides no guidance, no advice, or anything of real value at all. No one who has read it will be one iota better at participating. Making such a list is easy whereas giving the above guidance is hard, hence my comment calling it “lazy”.

                                                                    Now, if your goal is communicate “do this, or else be banned” then okay, fair enough. But I don’t think that’s very helpful or useful for anyone involved.

                                                                    1. 3

                                                                      What it notably doesn’t do is actually give people guidance on how to avoid negative interactions, explain how certain behaviours/phrasings might be perceived, how people can do better, how to constructively handle things when a conflict does arrive in such a way that everyone leaves the interaction on a positive note, etc.

                                                                      I’m still collecting links on all of that both for continuous personal improvement and handing out to others trying to improve themselves. You or other readers can feel free to message me any that you have which you thought were really helpful. I’ll pass them along to others.

                                                                    2. 2

                                                                      CoC need to spell out examples because we do not share a definition of what being an asshole is

                                                                      That’s nice in theory, but in practice I think it’s actually harmful to spell out specifics too much. It leads to people rules lawyering instead of discussing things based on general principles. I don’t think we need to share a definition of what being an arsehole is. Our definitions are close enough, and if they really differ a lot then we should have our own separate communities with our own standards.

                                                                      This is a pretty off-topic aside, but I see the same contrast in how Americans tend to think of important issues (as issues relating to the interpretation of an important document) vs how Britons tend to think of important issues. The ‘rights-based’ approach in America tends to lead people towards rules lawyering about the interpretation of particular passages of pretty ambigious text. It’s anecdotal, but I see a lot of appeals to the constitution in American discussions of what the law should be, but more appeals to ethics, morality, religion, rule of law and other general principles in British discussions of what the law should be.

                                                                      The purpose of this admittedly off-topic point is that I think we’d be better off with codes of conduct that say ‘Don’t be a dick’ and then leave being a dick up to the decision of the people in charge on a case-by-case basis, rather than specifiying a set of rules that is only going to get rules-lawyered by the person that’s being an arsehole. Like, if the person is being an arsehole just tell them to stop and if they don’t, kick them out. ‘Oh but technically your rules don’t say anything about [arseholish behaviour type 1242]’ should be met with ‘yeah but you’re an arsehole, goodbye’ not a big debate around whether the rules are comprehensive enough.

                                                                      In the real world we have laws because our communities are so big we can’t have consistentcy and fairness without them. In an 99.9% of open source projects simply giving 1-5 people the right to decide what is appropriate behaviour seems much more sensible. If you’re having so many issues you need to write down a set of rules for dealing with them, that’s a pretty big red flag!

                                                                    3. 1

                                                                      I also don’t like the “code of conducts” that are basically just a lazily written bullet list rephrasing “don’t be an asshole” in several ways – something everyone already agreed on in the first place – and then provides an in-depth explanation on how to punish people.

                                                                      I agree that this kind of CoC is not ideal. Have you seen examples of really effective CoCs? I would love to see examples of what has actually worked well before.

                                                                      1. 6

                                                                        The places I’ve seen CoCs working the best were not software projects but conferences. I’ve seen many instances where CoC acted as a good mechanism to prevent and react to abusive people.

                                                                        1. 4

                                                                          Interesting, in my opinion, take on the subject sircmpwn published recently: https://drewdevault.com/2020/01/17/Effective-project-governance.html

                                                                          1. 1

                                                                            ZeroMQ proces by Hintjens: https://rfc.zeromq.org/spec:42/C4/

                                                                            Basically extends sircmpwn’s one with maintainers and an explicit default-to-merge policy.

                                                                        2. 4

                                                                          Have you seen examples of really effective CoCs?

                                                                          Don’t know if effective, but the coreboot CoC was a result of lots of debate to counter the fear/threat of a “weaponized CoC”. It’s based on a (by now rather old) version of the Citizen Code of Conduct, which was perceived to be less harsh than the Covenant, and we added to it to resolve further concerns:

                                                                          • “Remember that people might be sensitive to other things than you are.”
                                                                          • “Most of our community members are not native English speakers, thus misunderstandings can (and do) happen. Assume that others are friendly and may have picked less-than-stellar wording by accident as long as you possibly can.”
                                                                          • “Using this code of conduct aggressively against other people in the community might also be harassment. Be considerate when enforcing the code of conduct and always try to listen to both sides before passing judgment.”

                                                                          The first one is an appeal to remember that the project has global reach: what’s appropriate with the buddies you grew up with while you’re in your living-room may not be appropriate when broadcasted to the world (even if you’re, in fact, in your living-room). It may be received in a horribly unintended way.

                                                                          The second one was added because some folks come across as rather harsh and inconsiderate, but their only flaw is a limited command of the English language. We don’t kick out folks for stuff like that!

                                                                          The third one is the “don’t abuse the anti-abuse tool” clause. I don’t think we’d have achieved rough consensus on adopting the CoC without that one.

                                                                          Generally speaking, I found it the most effective though to already handle minor transgressions in a friendly manner (pointing out that things veered off towards the edge - friendly tone, no sanctions, open to discussion) and point out the global reach issue. It’s a real issue, it doesn’t delve into the political fight of the day, and it allows people to adapt their behavior to community norms while in the community without feeling knocked down for being who they are.

                                                                          1. 1

                                                                            I found a few when I searched last year which at least attempted it to some degree, but I’m not aware of any that I really like. I’ve written draft versions of my own CoC and companion rationale document, which I’d like to put out there with some fanfare in the future, but it’s not ready yet (it’s actually still in a rather rough state).

                                                                            Feel free to contact me (email on profile) if you’d like to read and criticize drafts and/or collaborate in the pre-release. I won’t have much time in the coming weeks though as I’m focused on other things, but I’d very much like to pick this up in a few month’s time.

                                                                        1. 1

                                                                          Great write-up! I love your overall idea where maintainers just tell us what their goal is. Then folks respect it. I also like your approach to saying calling unsafe stuff is just going to be unsafe: just make the use of it safer. Just seems realistic.

                                                                          “This is most likely to yield positive results for lower level data structures; it should finally be possible to implement a doubly-linked list efficiently and without anxiety.”

                                                                          I still say re-code the unsafe construct in C, throw all its analyzers/testers at it, and port the final form back to unsafe Rust. That should do until a similar level of tooling comes online for Rust. Which will never happen anyway given C’s inertia and how much has been built for working with it. Even with Rust-based tools, the fact that different tools find different bugs means analyzing a C version of unsafe, Rust code with C tooling will still find more bugs on average. So, that approach should cover yall on high-performance, data structures if you know Rust and C.

                                                                          Tangent since you mentioned them: I read the Reddit thread with comments by Shnatzel on the smoke test. Yall might find it funny that they also feed Open Clip Art to random things to see what happens. One component was exploded by a picture of a volcanic eruption haha.

                                                                          1. 9

                                                                            Hmm, I’m not sure. Obviously tooling is more mature in C space, but just porting things back and forth has its own risks. Shared mutable state is fine in C (it’s the norm), but defined as UB in Rust. Conversely, signed integer overflow is UB in C but safe in Rust.

                                                                            Also, MIRI is the tool of choice for running safety tests in Rust, and I’m not sure anything quite like it exists in C, though the LLVM sanitizer suite is close.

                                                                            1. 1

                                                                              When I conceived this, I originally wanted it to be an automated process where defects went through a sanity check to make sure they even made sense across two languages. For instance, a C tool analyzing Java code reporting use-after-free’s wouldn’t be so helpful given the GC.

                                                                              I think a checklist could still knock out a lot of that problem. For each type of issue, it shows you the considerations. You can also use command line flags in a lot of the C tools to turn off certain kinds of analysis.

                                                                            2. 7

                                                                              Yes, C has more mature tools, but these tools work with a harder to analyze language.

                                                                              C static analyzers find wide variety of general problems in large codebases, but Rust’s use of unsafe is usually limited to very small, but very tricky problems. C analyzers I’ve seen point out potential null dereferences and function-local codepaths that leak memory, but are not nearly smart enough to say that a custom lock makes a wrong assumption about memory model.

                                                                              There’s also a big problem of equivalence between C and Rust semantics at the very edge cases that these tools would be for. The code isn’t just for the hardware you compile it for. It’s symbolically executed by the optimizer as if it was running on the imaginary machine from the C spec.

                                                                            1. 30

                                                                              Feminintendo on Reddit called out the people calling him out. Had three, good options at the end.

                                                                              Edit to add: @ddevault said same thing even shorter on Hacker News.

                                                                              1. 10

                                                                                I think their responses go overboard ‘the other way’. People are expecting too much of open source authors, but I don’t believe the correct response is: ‘they have no responsibilities at all’. I believe that if you choose to release something to the public, you carry some responsibility for it. And I believe the discussion should be about which few responsibilities others may reasonably expect you to take on.

                                                                                Some analogies to illustrate my though process here:

                                                                                • If I offer to borrow my hedge trimmer to my neighbours, it would be disapproved of if it was, known to me, broken or dangerously malfunctioning
                                                                                • If I claim a piece of a communal garden and don’t take care of it, it would be disapproved of and I would consider it right for the piece to be offered to someone else
                                                                                • If I offer to do some volunteer work and I subsequently don’t do it or do a lousy job for whatever reason, people are right to be disappointed and call me out on it
                                                                                • If I would have been the first to claim recipes.com and I would largely, deliberately, publish recipes that are incomplete or disgusting, people would be right to be disappointed and one could wonder what gives me the right to cause so many negative emotions.
                                                                                • If I would be a famous chef and I would publish a book with such defects, people could also wonder whether they shouldn’t be able to hold me responsible for resulting harm (and yes, frustration and disappointment are harms, usually offset by being a minority response or by being unintentional).

                                                                                If you release code, you stake a claim to at least the name of the project and filling a certain niche. You choose to have your intellectual property invade the minds of everyone that is reached. That can have many benefits for the world and particular communities within it. At the same way your code being published and ‘out there’ can cause harm. That it’s free doesn’t change that. That you didn’t intend harm doesn’t change that. That people could theoretically choose to ignore it doesn’t change that, because in practice people don’t and you know that beforehand. That’s why I believe that publishing code carries some minimal responsibilities with it, like giving your neighbour a list of things they can borough from you does.

                                                                                I don’t know exactly how those responsibilities translate to open source software. That’s the hard part here. I would tentatively say something like:

                                                                                • At the very least things should, to your knowledge, do what they are described to do.
                                                                                • If something is in known ways defective, you should make that known.
                                                                                • If you own a project and associated publishing permissions (e.g. for libraries to your the library repo of your language of choice) and are tired of it or the community in general seems like it would like to fork, be cooperative. Offer to cede the name and the publishing permissions and to not compete with the fork. Names and niches are not yours to own because you were the first to move into them.

                                                                                Responsibilities you explicitly don’t have:

                                                                                • Keeping the code functional, including secure
                                                                                • Responding to issues
                                                                                • Merging push requests
                                                                                • Sharing any knowledge of how the code works, including documentation
                                                                                • Anything else you don’t want to do, except when listed under the responsibilities you do have

                                                                                Is that unreasonable?

                                                                                1. 5

                                                                                  At the 36C3 congress there was a talk about declaring what people can expect from software (German) (at least that’s what I learned from the talk). The speaker proposed that software should have labels that describe what kind of promises the authors of the software are making. The speaker proposed a few dimensions for this, for example:

                                                                                  • ownership (license, FOSS? closed source? cloud vendor-lock-in?)
                                                                                  • confidence (do you make any guarantees about your software? how experienced are you in the field?)
                                                                                  • correctness (unit tests? formal proof?)
                                                                                  • and some more.

                                                                                  (the speaker said that this is just a rough idea and probably not the best approach, yet; but I like the idea, thus I want to refer to it here)

                                                                                  Such an approach could help with the issue that people expect something from you which you cannot or do not want to deliver. For example, there could be one dimension commitment (how much time are you spending on this project) with options like:

                                                                                  • this project has a full corporate team (5+ members)
                                                                                  • this is a one man project, but related to my business so I earn money from it (higher chance for support that on hobby project)
                                                                                  • this project is developed by a team of hobbyists - so if I do not want to continue, others can
                                                                                  • this is a hobby project which I do myself in my free-time. Do not expect any work from me when I’m busy. Expect it to be discontinued at any time.

                                                                                  Even if we do not have a standardized system for this, yet, I guess it could still make sense for a FOSS project to state such things in the README.md at the top. That way people know what to expect. The speaker of the talk proposes a shortcut scheme for this (e.g. O++ for permissive licenses), but that’s only possible once categories are known and there is some adoption.

                                                                                  1. 9

                                                                                    Yes, I think it’s unreasonable.

                                                                                    When I release code, I do it as a gift. I expect nothing from you and you should expect the same from me.

                                                                                    If I write documentation, respond to issues, etc. is because I get something from it, even if it’s only the satisfaction of doing something useful for others, but I have no obligation to keep doing it.

                                                                                    Take it or leave it

                                                                                    1. 4

                                                                                      That seems like an oversimplification to me.

                                                                                      Open source authors reap non-monetary social and reputational rewards for their efforts that can be desirable in their own right and sometimes translate to significant real world benefits (projects can be the reason you’re hired at a high-paying job, the reason you’re invited to speak at a conference that gets you more consulting clients, and so on)

                                                                                      Given that, it strikes me as little disingenuous if your POV as an open source author, especially of a popular project, is “Anyone who expects anything from me is an entitled asshole, and I’m a holy selfless person.” Not totally disingenuous, mind you (it’s partly reasonable), but also not the whole story.

                                                                                      The details really matter too.

                                                                                      For example, if you want the relationship between you and your users to be “I expect nothing from you and you should expect the same from me,” I think you should make that clear in your README, one way or another. Set the expectations clearly.

                                                                                      But I think it’s dishonest to, e.g., silently claim that as your philosophy when it suits you, and at the same time build an active community around your project, maintain it regularly, accept PRs, and so on. (btw, I’m discussing the general case now, not casting accusations at the Rust maintainer that spurred this thread – I’m not familiar with those details but it seems like he was genuinely treated unfairly.)

                                                                                      1. 3

                                                                                        My argument is based on the observation that what you are giving the world is not just a gift. There are costs even to ‘leaving it’.

                                                                                        1. 3

                                                                                          Those costs should be evaluated by the people taking it, as they are the ones that it affects.

                                                                                          1. 2

                                                                                            Having to evaluate things Is exactly one of the costs imposed on the world by publishing things. It’s not optional.

                                                                                            1. 3

                                                                                              But still your own decision. You can always write your own thing, if that seems to be cheaper than evaluating existing solutions. I don’t think that would be wise in most cases, but it is an option. Do you think people should only release their projects as open source if they are prepared to help with the costs that software project might have for others who evaluate/eventually use those projects? I know, personally, that if I’d think that was true, I’d never release anything at all…

                                                                                              1. 2

                                                                                                I am looking for minimal responsibilities and the ones you mention seem unlikely to be an agreed upon minimum. Not deliberately making it hard to evaluate things would be a smaller responsibility. At least not being deliberately deceptive in ways to would obviously cause harm was kind of the minimum thing I was going for, but it seems agreement on that cannot be reached.

                                                                                          2. 1

                                                                                            But those costs are not the responsibility of the OSS author.

                                                                                            1. 3

                                                                                              Why not? They are the one imposing the costs on the world: they claim a name and set things up so their publication takes space in the heads of people.

                                                                                              1. 5

                                                                                                Call it freedom of speech. It’s like saying you wrote a book. Nobody has to read it and you can’t blame the author if you don’t like it.

                                                                                                Please also don’t blame the author if you use a book you didn’t like as a stand for you monitor and it somehow tips over.

                                                                                                1. 0

                                                                                                  If you don’t like ads, don’t look at them. That giant billboard, that lightshow, that banner at the top of the page you are visiting, don’t look at them. Easy, right? No effort at all to ignore them. No reason to install ad blockers or pi-holes whatsoever.

                                                                                                  1. 3

                                                                                                    You’re missing the point. Everyone can cram as many ads on their page as they like. I take the liberty to not use those sites. Or if I do, use an adblocker. Or in this case, I might not use the library. Or read the source and patch it. I’m not demanding the author change anything, but I might open a friendly issue or PR.

                                                                                                    1. -1

                                                                                                      I think you’re missing the point :). Those ads enforced a cost on you. You had to take the trouble to use an adblocker. Similarly, publishing something with the intent it be found and presented to you by search engines imposes a cost on you and everyone else: more results to evaluate. If you impose a cost on the world, perhaps you have to take on some minimum of responsibility, such as a least having a short description truthful about the further contents of what was published. That is what we’re arguing about here: do you have a certain minimum of responsibility to the world and what is that minimum?

                                                                                                      1. 2

                                                                                                        To me, that’s just the cost of participating in a community, be it our small one here, or the ‘big’ one outside. You can’t expect to not have to pay anything (be it money, time, attention, whatever), if you choose to participate. You participating in this thread has a cost for me too, but I don’t blame you :-)

                                                                                                        1. 2

                                                                                                          That is absolutely true and I think that in comparable situations some of those costs of participating in a community are costs you voluntarily pay to reduce the costs multiple other members would otherwise have to pay, so the aggregate cost for everyone stays lower.

                                                                                                          1. 2

                                                                                                            Fair enough, yes. Personally, I like the little inefficiencies, surprises and unexpected-nesses when participating in contexts like those. That’s usually where the (to me) worthwhile and interesting stuff happens. And I can always choose to opt-out (forever, or for a while) if something gets on my nerves.

                                                                                                2. 3

                                                                                                  Um, no. Pushing a repo to GitHub and setting up a website does not force people to use the project. It doesn’t force people to pay a cost or even if it does the cost is so small–in a sea of other projects like this–that it’s trivial. And because it’s trivial, removing the project is also a trivial cost to people who are not using it. It’s not a cost that people normally even think about. Like, my existence imposes a cognitive load on your mind. Does that mean I pay you something? What, like $0.01?

                                                                                                  1. 2

                                                                                                    You didn’t choose to exist, so you can’t be held responsible for that.

                                                                                                    even if it does the cost is so small–in a sea of other projects like this–that it’s trivial

                                                                                                    It’s death by a thousand cuts.

                                                                                                    It’s not a cost that people normally even think about.

                                                                                                    That doesn’t make it less real. Across all people and projects it adds up. It will get worse in the coming decennia and it will need to be solved.

                                                                                                    But that’s all going much further than what I argued. In the end, my question was only: what are the minimal responsibilities. Can we agree on ‘being honest about what software is supposed to do’ and ‘not hiding (valid) bug reports’?

                                                                                                    1. 3

                                                                                                      It’s death by a thousand cuts.

                                                                                                      Only if you’re actually personally evaluating a thousand OSS projects–are you personally evaluating a thousand OSS projects?

                                                                                                      That doesn’t make it less real. Across all people and projects it adds up.

                                                                                                      So do the cognitive ‘cost’ of books, music, and other art forms being published, but somehow you don’t hear about calls to ‘solve’ this problem.

                                                                                                      my question was only: what are the minimal responsibilities.

                                                                                                      I’ve already answered this question: please check the license file of the software you’re using to understand what the maintainer owes you.

                                                                                          3. 3

                                                                                            Then again both BSD and MIT licenses expressly say that the software is provided “as is”. This is not incidental, it specifically is there to tell people that the author does not owe the licensees a damn thing.

                                                                                            Which is also why, if bugs arise in some of my open source libraries, I will tell people that I might fix them one day because I built them for fun on my spare time, also giving them the option to contract me – for money – to actually fix them short notice. Even if the libraries are not popular by any margin, a company is actually using one of them in production, and did offer to pay for me to fix them “next week”. Eventually we decided this wasn’t necessary but we keep the option open for the future. I am also open to selling nonfree versions of the libraries with support contracts.

                                                                                            So many companies use open source software in their products it makes very little sense to not see a market there. A hobby is a hobby, fun is free, but entitlement isn’t. I already get paid to write software, if someone really wants me to spend a Saturday fixing bugs for them, they might as well pay for it. Otherwise they’ll have to wait an indeterminate amount of time.

                                                                                            Here are the respective bits from BSD and MIT.

                                                                                            THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

                                                                                            THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

                                                                                            1. 3

                                                                                              I think it makes sense to do distinguish between the responsibilities you (want to) legally have (towards everyone) and the responsibilities you can morally be expected to have (towards your neighbour).

                                                                                              You can legally disclaim any responsibility without also (intending to) morally disclaim all responsibility.

                                                                                              1. 5

                                                                                                Some answers I’d like to hear from people who insist software authors have no moral responsibility. If I deliberately release a program that promises to, for example, display a fractal animation, but instead deletes user’s home dir, am I morally responsible? Am I less morally responsible if it deletes user’s home dir due to an unintentional bug?

                                                                                                1. 3

                                                                                                  A tourist asked me for directions at the train station. I did my very best to explain to him what platform to use, but later, I saw him in the middle of a crowd as he moved towards a different one (it was the same number, but a different orientation, as I apparently failed to explain before). Unfortunately, I didn’t have the time to follow him and send him to the opposite side as I was already late for my own train.

                                                                                                  I feel really bad about this, because it was a very polite gentleman and if he missed the train, who knows how long he had to wait for the next one. I actually think he didn’t, as he still had some time left and hopefully double-checked which train he’s getting on, but it still troubles me. Am I morally responsible? :-/

                                                                                                  I certainly would be responsible if I did this intentionally, but that was not the case and I tried to repeat myself a couple of times. I felt reasonably confident we understand each other and didn’t feel the need to ask someone else for help.

                                                                                                  The similar goes with bugs. When the author’s intentions are clear and he takes reasonable measures to prevent vulnerabilities or damage, it’s not fair to accuse him. Sure, a normal person will feel bad for such incident and apologize, but that’s it. What else? Should he pay you money or something for using his software?

                                                                                                  1. 2

                                                                                                    Some answers I’d like to hear from people who insist software authors have no moral responsibility.

                                                                                                    am I morally responsible?

                                                                                                    The people who say software authors have no moral responsibility–what do you think they will answer to your question?

                                                                                                    1.  

                                                                                                      I’m not sure why you ask as the question was rhetorical, but I’d expect them to say no.

                                                                                                  2. 1

                                                                                                    Maybe, and you are certainly free to do that in your own projects, but in the absence of that the disclaimer that is actually in effect is the one included in the license.

                                                                                                    1. 1

                                                                                                      It is. Does that mean we are fine with people lying in their README or hiding legitimate bug reports?

                                                                                                      1. 1

                                                                                                        Their project, they do whatever they want with it. You don’t like it–don’t use it.

                                                                                                        1. 1

                                                                                                          people lying

                                                                                                          This type of slanderous characterization is why I flagged the original entry as off-topic. Most of the comments here, to their credit, is sincere reflection on the pressures of writing and contributing to open source. But some, like this, as just rehashing the persecution of the software maintainer.

                                                                                                          1. 1

                                                                                                            This entire subthread is not about the specific situation reported here and is wondering in general what minimum responsibilities we may expect open source authors to take on. There seem to be people that believe we may not expect them to take on any responsibility at all, even excluding the minimum moral responsibilities we normally asociate with any other human interaction as reasonable expectations. That is what I am explicitly asking after.

                                                                                                            1. 2

                                                                                                              OK, so someone explicitely stating untruths in READMEs and hiding issues is just a hypothetical example?

                                                                                                              1. 2

                                                                                                                Shit, I understand my mistake. Those are both things are alleged to have happened in this particular case and repeating them can be seen as accepting them as facts.

                                                                                                                To be explicit, for both things: no, that is not what I had in mind. I’m not talking about this case.

                                                                                                                • I don’t know the facts concerning the alleged untruths. I have something in mind like “This code is safe to run to see a puppy” when you know it will delete the home directory. Something that obviously causes harm. Anything more gray is, well, more gray and requires separate discussion. My goal is establishing a bare minimum responsibility.
                                                                                                                • The thing with the issues happened in frustration and is defensible. I’m thinking of someone hiding/deleting an issue that literally says “Don’t run this project, it will remove your home directory” when it indeed does that.
                                                                                                                1. 2

                                                                                                                  Thanks for clearing that up!

                                                                                                  3. 1

                                                                                                    I’ll say first I thank you for a detailed, thoughtful write-up on the other side of this.

                                                                                                    “ I believe that if you choose to release something to the public, you carry some responsibility for it.”

                                                                                                    I’m actually with you on that belief. I’m utilitarian. I look out for the public a bit. So, it just fits my beliefs. Thing is, other people have all kinds of beliefs. I tend to go with lowest-common denominator if I’m aiming for a universal expectation. For OSS/FOSS, they’ve done volunteer work, shared it with others, and typically with a license denying responsibility. So, I shouldn’t hold them responsible for any problems I experience from my use of their work they published. Plus, if people need it fixed, they have options ranging from pull requests (denied) to forking their own version.

                                                                                                    I’ll run through the analogies to see how they might fit:

                                                                                                    Hedge trimmer. Used as intended, the hedge trimmer would work. It only breaks if the neighbor is doing malicious or weird things with it. Someone requests the hedge trimmer be modified by the supplier or its buyers to block all such malicious and weird uses. That really on them?

                                                                                                    Communal garden. This is more like someone planting the garden (or a lot of it), it being used by many people, planter takes care of it almost exclusively themselves, it gets some improvements by others here and there, and original planter leaves due to disagreements on managing the garden. They still planted, maintained, and left a garden. If anything, the other people look suspect here.

                                                                                                    Volunteer work done lousy. This is the closest thing to where I agree with you. I’d say that’s a matter of personal integrity to do what one promised. I hate it when I slip too much to do that. In this case, I don’t know if author promised anything so much as just shared their work which outperformed most others. They did what they intended and were volunteers. What others expected wasn’t actually their promise as volunteers.

                                                                                                    Recipes.com and Chef. Responding to chef since they’re similar. I’d first look to see what was promised. This author would be a chef that was making their prefered kind of recipe, used some ingredients a lot of people liked, some people didn’t, and shared it with others. The chef’s preferences for their style of cooking caused them to not accept recipe changes from others to be published in the chef’s recipe. Others were allowed to pubish their own version. They didn’t. Most enjoyed the recipe. Some didn’t even read the ingredients to spot potentially nasty ones or things they were allergic to. Some found out about suspicious ingredients but ate it anyway. Again, it’s not the chef that’s suspect to me since they’re just doing their thing with the questionable ingredients dominating the menu at other providers.

                                                                                                    “You choose to have your intellectual property invade the minds of everyone that is reached.” “because in practice people don’t and you know that beforehand”

                                                                                                    That’s a big difference in our thinking. I’m from free speech, thick skin, control-how-people-influence-you part of the country. Realistically, what you describe will happen to some degree or even most of the time due to human nature. Realistically, we also need to know this, be wary of it (esp our biases/triggers), skeptical about what others offer, and only allow good ideas into our minds or as our working dependencies. We also need to introspect occasionally to prune bad ones out. If the audience didn’t do that, they need to address their bad habits before the screw up again.

                                                                                                    I’m no exception. I’m actually spending most of this week flushing out last year’s stresses, assessing bad habits, new goals, and how I’ll handle them. Those that affected me negatively were almost universally those I allowed to be a mental dependency. There’s the root problem. Sometimes I have little choice or one with high coercion. Most I could’ve handled differently, though. I strongly encourage that in others who are considering being emotionally tied to or walking into an artificial, nearly-pointless catastrophe such as the Actix situation. I’m responding just because I find these things interesting with some good usually coming out of it. Raph’s write-up on the front page is an example.

                                                                                                    On your three part list, the third isn’t reasonable since its the owners’ work and property. The license allows a fork. That’s enough. The first, honesty, should be a must on basic principle. The second is really where all this happened. Is it really defective if it does what the owner wanted it to do? In security, we evaluate the software against a correctness or security goal or policy. There’s endless possibilities. We usually only care about a subset of it. Author found it correct enough for now with no urgency for a fix, planning on their own. If it meets author’s requirements, is it really defective or even defective enough to warrant calling it a failure? Remember that most useful, deployed software sucks in some way when you try to answer that.

                                                                                                    Your thoughts are all reasonable. I could see maintainers subscribing to that philosophy. I just can’t justify pushing it on them at large. Many wouldn’t accept it either due to ideological differences.

                                                                                                    1. 1

                                                                                                      As is usual in discussions I’m going to focus on where we (seem to) differ, but we’re largely in agreement.

                                                                                                      An explanation I should have added to my original post: my analogies were not intended as analogies of this specific situation, but as analogies of open source in general. My intention is to flesh out some general expectations people may have of each other, to get to some minimum responsibilities.

                                                                                                      You e.g. adjusted the hedge trimmer example to match this specific situation, which was not what I had in mind. So to be clear: I was not implying the author of the project under discussion violated reasonable expectations by delivering something similar to a dangerously broken hedge trimmer. I agree that unforeseen and dangerous use of a hedge trimmer is in no way the responsibility of the lender. Similar things hold for the other analogies as you formulated them: I agree with your takes.

                                                                                                      Realistically, what you describe will happen to some degree or even most of the time due to human nature.

                                                                                                      Absolutely true and wouldn’t it be very nice if the amount of work we had to do to guard against that would be lower, because of shared general principles that result in more people taking on some minimum responsibility to not cause the problems we’re guarding ourselves against? I believe often the problem isn’t so much that people don’t believe they have responsibilities as that they have never explicitly thought about them or forget about them and would take action when reminded of a responsibility they have previously agreed they have. Perhaps we need something like an ‘Open source author manifesto’ that people can include with their repo.

                                                                                                      The second is really where all this happened.

                                                                                                      Not within the scope of the minimum responsibility I had in mind there. In the context of Github, I would say it’s enough that ‘issues’ exist that document brokenness. The minimum responsibility here is not closing/hiding/deleting issues that could cause users grief. My opinion on this specific situation is that the author did nothing wrong with respect to the responsibilities we may minimally expect them to take on.

                                                                                                      The license allows a fork. That’s enough.

                                                                                                      That seems to be the majority opinion, but in practice it seems to be very ineffective to me. It doesn’t happen as much as it should.

                                                                                                      I think one of the main obstacles is that just forking a project isn’t enough: you also need to communicate to everyone, including newcomers, that the previous project has been superseded, with the blessing of the community. Forking causes confusion and makes it hard for people to pick the option generally considered ‘the best’. Wouldn’t it be helpful to the community if authors would give up their claims to project names and publication permissions so the fork can continue under that name? Wouldn’t that make forks likelier to succeed?

                                                                                                      So what I’m assuming here is that one of the major problems open source has is not so much availability of people who want to maintain a fork, but the availability of such people who also believe that spending that effort is useful, because the fork will succeed.

                                                                                                      But in the end the entire third bullet can be a separate discussion. If people would in general agree open source authors have at least the minimum responsibilities of being honest about what the code is supposed to do and about defects that may cause users harm, then already we have at least established there are some responsibilities and that the discussion should be about those; not about ‘none’ vs ‘all’.

                                                                                                    2. 1

                                                                                                      You offer to create no value for me, only to “respect” my claim and deed to property, and you think I owe you money/time for that.

                                                                                                      I think you’re going to be disappointed.

                                                                                                      1. -1

                                                                                                        We generally don’t accept people just giving the world ‘gifts’. We hold that they have a minimum of responsibility with respect to their gifts. If we find that giving African villages wells has counterproductive results, because it disrupts the social fabric, then we are responsible to undo the damage. We frown upon someone giving a recovering alcoholic a free bottle of booze. We frown upon someone promising to help you and reneging on that promise. You can think of countless examples yourself where the fact that something is a gift does not absolve the giver from all responsibility concerning that gift.

                                                                                                        So yes, I believe there is a minimum responsibility, and thus a minimum of time, you owe the world if you choose to ‘give’ it something. And I think you believe exactly the same.

                                                                                                        1. 2

                                                                                                          My reason for producing software is not a gift. It is entirely selfish!

                                                                                                          When I have published software, gratis or otherwise, it is not because I’m trying to get you hooked on booze, or even because I don’t think you can produce it yourself.

                                                                                                          I do things because they benefit me, or because I expect them to benefit me, and I think that’s true of everyone, including you.

                                                                                                          That’s why you try and convince people into thinking they owe you more: Because that more can benefit you.

                                                                                                          Maybe you even think that’s necessary/economy: To convince people to take a worse deal than you, but that’s sad. I don’t want to be friends with people like that. I think we can find a deal where we’re both happy with the outcome, and happy enough we would do it again, and I hope that you might learn to actually prefer that as well.

                                                                                                          1. 0

                                                                                                            If you think lending a broken hedge trimmer to your neighbour for the laughs is fine, because you have the selfish benefits of having a laugh at them – or the only reason you don’t do it is because you might need something from your neighbour in the future and some form of utilitarianism informs you not to do such a thing, then I’m not interested in being friends either.

                                                                                                            I prefer people to not be entirely selfish, to consider what costs they impose on the world to get the benefits they are after and to take some minimal responsibility to reduce those costs.

                                                                                                            1. 2

                                                                                                              Yes. The only reason I don’t buy a hedge trimmer, break it, then lend it to my neighbour, is obviously because I might need something from my neighbour in the future, and not because I might have bought the hedge trimmer in the first place for my own purposes. After all, I only would ever buy a hedge trimmer in the first place, if I wanted to lend it to someone for some social currency I can redeem in the future.

                                                                                                              Obviously.

                                                                                                              @friendlysock - you really vouch for Confusion?

                                                                                                              1. 0

                                                                                                                I started this thread suggesting open source authors at the very least have the responsibility of basic decency. You responded negatively and are now promoting selfishness, attempting to extract more and finding mutually beneficial deals so that you may do it again. And somehow I’m the offensive one, even though your principles lead to the offensive scenario and you are the one denying any basic moral responsibility when that might have a cost to you without any benefit?

                                                                                                                1. 2

                                                                                                                  Yes. On all points: You started this thread. You called working for free “basic decency”. I did respond negatively (makes sense, I was indeed offended by that). I did say I will not work for free. Yes you’re the offensive one. Yes not working for free is selfish. Yes I do not work for free.

                                                                                                                  Sounds like you’re a communist (or whatever it is where they can make you work) and I’m a socialist and we just have ourselves a little ideological difference of opinion, but since I don’t have to do anything I don’t want to, and you haven’t convinced me of anything (all that comparing my writing code to enabling alcoholics definitely didn’t help) that’s probably just going to be the way things will be.

                                                                                                                  1. 0

                                                                                                                    Let me.emphasize, based on comments in another subthread, that I emphatically do not mean the things that are alleged to have happened in the specific case reported here. I’m thinking of things like saying “you can safely run this code” when you know it actually deletes a home directory or removing an issue that warns others of such an obviously harm-causing thing.

                                                                                                                    You called working for free “basic decency”

                                                                                                                    You call ‘being honest about what something does’ (not writing anything is honest) and ‘not hiding bug reports’ work?

                                                                                                                    (all that comparing my writing code to enabling alcoholics definitely didn’t help)

                                                                                                                    Not writing code: the equivalent would be publishing it and then lying about what it does, negatively impacting people for no reason.

                                                                                                    3. 7

                                                                                                      I’d just like to point out that nowhere here has anybody linked to a new fork of the code everybody is handwringing about being gone. Instead, we are now just linking to other fora, doubtless perpetuating a tempest in a teacup.

                                                                                                      This is why I flagged the submission.

                                                                                                      1. 3

                                                                                                        I would love for the technical community to forget trying to figure out precisely where blame and responsibility lie and why, and instead move on to working out a plan for immediate and seamless recovery from a catastrophic bus factor reduction. Next time, I want to see more “this happened, yes it sucked, but more importantly here’s how we’re going to pick up the pieces and carry on smoothly” and less 90+-comment threads (to which I reluctantly contribute) focusing on a single person who very likely wants to be left alone right now.

                                                                                                        1. 1

                                                                                                          Exactly. Just more flying peanuts from the peanut gallery.

                                                                                                        2. 3

                                                                                                          I think the linked two takes go too far in the direction of letting anything go for developers of Open Source who don’t adhere to minimal social norms while appearing too restrictive on what other people can say.

                                                                                                          For developers, even if one agrees that developers of a piece of Open Source software don’t have an obligation to keep developing the piece of software or to provide support, it’s still reasonable to hold it as a social norm that if the original developer quits they shouldn’t take disruptive active action (such as making the repo go away on GitHub or pushing breakage via cargo, npm, or similar; not suggesting that the latter is relevant in this case).

                                                                                                          Handing off maintainership is a tricky case if there isn’t already a trusted co-developer. One one hand, properly handing off maintainership is socially expected, but the hand-off is also a potentially disruptive active action. Clearly, as npm incidents has taught us, one should not hand over control of a software distribution channel to some random person who volunteers. If quitting happens under emotionally heavy circumstances, handling the hand-off responsibly to a properly trustworthy party may be too burdensome. In that case, it’s best not to take any action (except maybe marking the repo archived on GitHub).

                                                                                                          As for other people, especially in the case of an infrastructural library, it should be an acceptable response to publicly advise against the use of a particular library with a polite fact-based explanation why. (See @burntsushi’s post on Reddit.) When other people are relying on code that someone wrote, it’s no longer just about the person who wrote the code. It’s bad for the Rust ecosystem for a crate whose approach to soundness doesn’t meet the soundness issue handling expectations for Rust to end up in a keystone position in the ecosystem. In practice, you don’t get true freedom of choice about what crates are in your dependency tree. There needs to be a way for the Rust community to communicate norms such that crates that don’t meet the soundness issue handling expectations of Rust don’t end up in keystone positions in the ecosystem.

                                                                                                          In this case, some people failed badly at the “politely” part. Also, not everything has to happen that fast, and the Rust community is a bit too quick and harsh to react to things that are look like people who haven’t bought into Rust could use them as counter-examples against Rust’s evangelism promises. I’ve been perceived to do a thing undermining Rust’s promises (not on soundness), and the response hasn’t been particularly nice and at times it has been more on the quick than researched side. Things don’t need to be resolved on Reddit the moment you discover them.

                                                                                                        1. 5

                                                                                                          The same kind of flexibility that gives room to unexpected behaviors as mentioned in the article is responsible for their fitness to creative problem solving. Developers nowadays take things like pipes for granted but, in 1968, their architectural description served as a true paradigm shift to an industry that had been ailing since its early days. More than 50 years later, we still have two main approaches to software development: either produce it fast and full of failures, giving developers time to discover which are those and fix them, hence delivering somewhat reliable products; or produce it full of failures. No amount of sanding on the rough edges of complexity could make things better.

                                                                                                          1. 3

                                                                                                            “Developers nowadays take things like pipes for granted but, in 1968, their architectural description served as a true paradigm shift to an industry that had been ailing since its early days. “

                                                                                                            We had function calls that can do the same thing. Except there were languages emerging with type checks. Hoare and Dijkstra were doing pre/post-conditions and invariants. You get composition with stronger guarantees. Smalltalk and Lisp showed better pace of development with easier maintenance, too.

                                                                                                            “we still have two main approaches to software development”

                                                                                                            Fagan Inspections (pdf), Cleanroom, and OpenVMS argued oppositely way back in the 1980’s with Hansen’s RC 4000 showing it in the 1960’s. You can cost-effectively inject reliability into software processes in many ways. It’s even easier now with safer languages plus automated tooling for test generation, static analysis, etc. Even moving quickly, the majority of errors should be in business/domain logic or misunderstanding of the environment at this point. Far as environments, OS’s such as OpenVMS and OpenBSD also show you can eliminate a lot of that by using platforms with better design, documentation, and resilience mechanisms.

                                                                                                            Example: FoundationDB was a startup using ultra-reliable engineering in an intensely-competitive space. They got acquired by Apple.

                                                                                                            So, newest approach if reliability-focused is to prototype it fast using modern tooling, document your intended behavior as contracts + tests (if hard to specify), use automated tooling to find the problems in that, make sure the components are composable, and integrate them in safe ways. You can do this very quickly. If 3rd-party, use mature components, esp libraries and infrastructure, to reduce number of time-wasting surprises. You will get a small slow-down up-front, possible speed-up from reduced debugging, and the speed-up may or may not knock out the slow-down. The result should be reliable software coming out at a competitive pace, though.

                                                                                                            1. 1

                                                                                                              Hi, Nick, I am pretty sure you have your historical facts in much better shape than I have mine, but I will give it a go and try to discuss.

                                                                                                              We had function calls that can do the same thing. Except there were languages emerging with type checks. Hoare and Dijkstra were doing pre/post-conditions and invariants. (…) Smalltalk and Lisp showed better pace of development with easier maintenance, too.

                                                                                                              Programming languages with support to function calls predate pipes by approximately 15 years: the first implementation of pipes dates from 1973. FORTRAN II, for example, had support to subroutines in 1958; and I am not sure, but ALGOL introduced procedures either with its first iteration, from 1958, or with ALGOL 60. So even if their use was not widespread, at least they had implementations by 1968, year of NATO Software Engineering Conference in which Doug McIlroy’s ideas were presented. Subroutines were an important paradigm shift, but if they did offer any substantial help to developers back in the day, that was avoiding the aggravation of the software engineering crisis, not preventing it.

                                                                                                              Needless to say, LISP predates any of those technologies, and Smalltalk got popular by the mid 80’s. And, IMHO, Unix systems were definitely a big influence over Smalltalk’s architectural decisions: at least one of them, LOCUS, is mentioned by Alan Kay as an inspiration to Smalltalk. IIRC, it was by watching that system in action that he thought that even natural numbers could be represented as processes and communicate via IPC. But the overhead of such solution would be too big back in the day, and he opted to represent message passing via ordinary procedure calls.

                                                                                                              Far as environments, OS’s such as OpenVMS and OpenBSD also show you can eliminate a lot of that by using platforms with better design, documentation, and resilience mechanisms.

                                                                                                              I chose to reply this fragment because it was the easiest one to address with a platitude. :) OpenBSD also shows that you can keep the bulk of an Unix system and still provide above par security.

                                                                                                          1. 1

                                                                                                            Project drama, flagged.

                                                                                                            Alternately, maybe a release tag would be appropriate.

                                                                                                            1. 13

                                                                                                              This is a really big project, used by a lot of people, was the flagship in terms of performance for rust webservers.

                                                                                                              1. 13

                                                                                                                And it is being removed nominally due to drama and armchair quarterbacking. There is already at least one comment here already doing the same stuff the author cites as why they’re shutting down the project.

                                                                                                                That’s why I believe it is worth flagging–is it more likely something constructive is going to happen in the comments, or just that people will dump on the project and navelgaze about the Rust ecosystem and software at large?

                                                                                                                1. 3

                                                                                                                  I hadn’t heard about this at all until today. I think this can still be constructive by looking at all sides of it.

                                                                                                                  1. 2

                                                                                                                    A constructive thing that might happen is that people may trust each other enough here that an opposing opinion is taken seriously instead of immediately discarded and argued against without listening?

                                                                                                                2. 7

                                                                                                                  Agreed. After some time an article or two will emerge about it. Those are more appropriate for lobste.rs.

                                                                                                                  1. 8

                                                                                                                    I disagree if only because Klabnik is one of the dwindling number of programming thought-leaders that should command deep respect. Even if the post itself isn’t everyone’s cup of tea (it certainly is mine FWIW), I think that we should always welcome articles from people like Klabnik on lobste.rs and let The Great Arrows of Up and Down decide.

                                                                                                                    1. 6

                                                                                                                      and let The Great Arrows of Up and Down decide.

                                                                                                                      I disagree with this position. Klabnik mentioned how reddit’s degradation is built into reddit itself, and IMO he’s right and this is exactly why.

                                                                                                                      I think this kind of drama is inherently poisonous for communities like lobste.rs (and reddit), because it attracts a lot of attention (and thus upvotes) and because of the kind of discussion that it generates, which only leads to more drama. It’s a vicious cycle.

                                                                                                                      A little bit is fine every now and then, but too much of it will kill the community. So just be careful :)

                                                                                                                      1. 4

                                                                                                                        Funny you say that since he left Lobsters after declaring it a toxic community. I did read his article on HN, though.

                                                                                                                        1. 1

                                                                                                                          If I recall correctly, this comment was regarding the github link, before the Klabnik article was merged with it(?*)

                                                                                                                          • I’m unfamiliar with this feature of lobste.rs
                                                                                                                          1. 1

                                                                                                                            Entries that cover the same “topic” can be merged together.

                                                                                                                        2. 1

                                                                                                                          Calling this drama is extremely dismissive. Someone got hurt to the point of quitting and you’re just being needlessly mean.

                                                                                                                          1. 6

                                                                                                                            People get hurt during drama all the time, that’s rather what makes it drama. It is precisely because somebody got hurt that I don’t think rehashing it here is something we should normalize.

                                                                                                                            I don’t believe Lobsters should be a secondary attack vector.

                                                                                                                            1. 1

                                                                                                                              It’s not a value judgement on what happened, it’s just an observation that this entry isn’t on-topic for this site.

                                                                                                                              It was also referring to the original github submission, before the Klabnik piece was merged into the discussion.

                                                                                                                              1. -1

                                                                                                                                I understand what you were referring to. Calling something drama is a value judgment. It’s possible your intention wasn’t to judge but your statements are judging by nature and mean in effect.

                                                                                                                                1. 2

                                                                                                                                  I have not been mean or judging in this thread, and I try very hard not to be in others. I resent your accusation.

                                                                                                                          1. 12

                                                                                                                            And thus the commons become more tragic.

                                                                                                                            I’ve wondered, since we rely so much on the whim of others, if, say, Google were just to completely vanish overnight (say, the CEOs think it was an incredible journey, but it’s time to shut off the company, beginning with google.com)… does society have any recourse? I mean, legally, is there any way we can say, no, you can’t shut down google.com because it’s now ingrained into the fabric of our society?

                                                                                                                            Or does Google not owe us anything? What about Twitter, Facebook, or Youtube, which drive so much of the worldwide economy and politics? How different is this from one small unpaid maintainer of an obscure package closing up shop?

                                                                                                                            1. 7

                                                                                                                              Isn’t that logic not really applicable here, since Actix is open source? Someone can just fork it. You can’t fork Google’s entire business and infrastructure.

                                                                                                                              1. 13

                                                                                                                                My guess is no-one forks it and it dies. I don’t know what drives anyone to write open source code, I simply can’t fathom the mental health hit it would take to manage a community. People filing bugs on my code in my own company makes me anxious. People filing bugs in public? People shittalking me in public and filing angry bugs on me? Forget it. No way.

                                                                                                                                The word I am looking for about open source maintainers isn’t hero exactly, but something like that. You have to have a certain stuff that most of us don’t. I would hazard none of those in the peanut gallery who were throwing shells are not the same people who have that stuff.

                                                                                                                                1. 3

                                                                                                                                  Sadder and confirming your point is that we just had the article on Actix’s optimizations showing the maintainer was ahead of the curve.

                                                                                                                                  1. 2

                                                                                                                                    If not hero, how about martyr?

                                                                                                                                    1. 1

                                                                                                                                      I used to maintain a large open source project with a friend. Our community is mostly very supportive and when some people aren’t we feel very comfortable telling them that we don’t owe them squat.

                                                                                                                                    2. 4

                                                                                                                                      Also, what logic? I’m just wondering what happens when we rely on someone’s good will and that good will goes away. People were obviously relying on this guy for something, or otherwise wouldn’t be upset that he’s no longer providing it.

                                                                                                                                      1. 6

                                                                                                                                        What you’re saying now, about someone’s good will, is totally disjoint from what you were saying in your other comment: Google, Twitter, Facebook owing us anything.

                                                                                                                                        I’m just pointing out your statement is not really comparable to what has happened.

                                                                                                                                        My opinion on all this is… the community killed the project. There are approaches to things, and harassment is not one of them.

                                                                                                                                        Know what would’ve been super effective?

                                                                                                                                        Fork the project, make the SAFE changes, show the performance impacts, and if they are marginal, and people like it, then they will use the fork. This introduces a game theory approach: if more people use the fork, the original will fade unless it adapts the changes. And we know this model works - it’s been done many times.

                                                                                                                                      2. 2

                                                                                                                                        Being free software doesn’t mean that the original author is required to keep distributing it. If people had neglected to keep copies of the original (which isn’t the case here, granted) the original author has no obligation to make sure you can keep receiving those copies.

                                                                                                                                        But sometimes, depending on the terms that you received something, free licenses can be revoked. The GPL has an irrevocability clause, but weaker licenses don’t.

                                                                                                                                        1. 1

                                                                                                                                          Also crates.io will maintain the current state, so your builds won’t fail from today to tomorrow*

                                                                                                                                          *(Yes there is still DMCA but that’s a complete different situation.)

                                                                                                                                        2. 5

                                                                                                                                          We could charge them for securities fraud. Everything Everywhere Is Securities Fraud!

                                                                                                                                          1. 2

                                                                                                                                            Oh, interesting. So, right, shareholders could sue. But can a judge order, bring google.com back up or go to jail or something like that?

                                                                                                                                          2. 4

                                                                                                                                            I’ve wondered, since we rely so much on the whim of others, if, say, Google were just to completely vanish overnight (say, the CEOs think it was an incredible journey, but it’s time to shut off the company, beginning with google.com)… does society have any recourse? I mean, legally, is there any way we can say, no, you can’t shut down google.com because it’s now ingrained into the fabric of our society?

                                                                                                                                            i’d say we would end up with a positive outcome medium-term. short-term it would be “interesting” i guess.

                                                                                                                                          1. 2

                                                                                                                                            I’m currently immersing myself in program synthesis, this is a really nice intro! Especially how NNs compare with synthesis.

                                                                                                                                            I think it’s strange to go at it with the viewpoint of synthesizing huge programs (Flappy Bird, Facebook) and “inferring user intent”. That’s an incredible goal. For now it makes more realistic sense to give programmers the power to synthesize machine-checked single-purpose functions. Things that aren’t worth your time to debug (but need debugging), like

                                                                                                                                            • regexes to extract or replace strings
                                                                                                                                            • parsers for user input
                                                                                                                                            • rearranging axes in n-dimensional arrays (like transposition in 2D)
                                                                                                                                            • conversion functions from datatype A to datatype B

                                                                                                                                            should all be generated by specification, rather than handwritten. Arguably the debugging is now in writing program specification, but it’s a much better problem to have, and it’s one that we’re familiar with. Debugging examples-as-specification is fixing unit tests, debugging verifiers-as-specification is fixing assertions.

                                                                                                                                            1. 1

                                                                                                                                              On top of that, heuristics for achieving the non-correctness goals such as optimizing for throughput, latency, or RAM usage. It can be a bunch of generators that feed into other generators that… and so on. Start from small capabilities that are already useful, gradually add more on top, refactor when they mismatch, and keep at it. Synthesis toolkits for real-world systems should be grown like complex applications are.

                                                                                                                                              1. 1

                                                                                                                                                Check out CS294 - Program Synthesis for Everyone if you haven’t come across it. An excellent lecture series with recordings and assignments that are free to download.

                                                                                                                                              1. 3

                                                                                                                                                The cool thing about this book is that it’s a big pile of techniques you might apply with or without Z. I’ve found that one can also use a subset of them without mathematical proof just to add a bit more rigor to software development. That’s often called “semi-formal” verification. An example is looking at input/output ranges for data, their ordering, and quick calculations on how the control flow might affect them to estimate correctness.

                                                                                                                                                1. 3

                                                                                                                                                  My main experience of MISRA is they are trying to force people to write in a language that isn’t C. It might be compiled by a C compiler, but it’s an arcane (mostly) subset of C.

                                                                                                                                                  Admittedly C is a shitty language for safety critical software, but the fix isn’t coding standards.

                                                                                                                                                  The fix is to use a language that doesn’t have all those footguns.

                                                                                                                                                  eg. D or Rust.

                                                                                                                                                  1. 7

                                                                                                                                                    Which D or Rust compilers possessing certifications necessary for safety-critical applications do you suggest for this? Do they support the target architecture used?

                                                                                                                                                    I don’t have fond memories of the tools we worked with when I worked on a car component’s firmware, yet I understand why accountability is important in safety critical systems, and very few vendors are willing to pay the costs of verifying their toolchain, and selling that. Open Source simply does not cut it there, with the famous “NO WARRANTY WHATSOEVER” phrase in each and every license. Being responsible for your own code is just enough of a burden, when you may even end up in jail if your product malfunctions in some disastrous way.

                                                                                                                                                    I also think that C is not a very good language for writing robust code, as it has too many traps, yet currently that is one of the few languages mature enough (with regards to tooling and accumulated knowledge of its pitfalls) available for such work (Ada being another one I know of). On the longer run I’m sure Rust will make its way to the embedded and safety critical scene, but is not there yet. It is not matured enough for other vendors to build a compiler and have it audited and certified. Also it does not have enough developers yet, so the customer side is also not ready yet for adopting it. Maybe a decade later.

                                                                                                                                                    Until then coding standards are a tool to ensure better quality code we already posses, and it is known to work, albeit admittedly with great overhead.

                                                                                                                                                    1. 2

                                                                                                                                                      certifications necessary for safety-critical applications. Open Source simply does not cut it there, with the famous “NO WARRANTY WHATSOEVER” phrase in each and every license

                                                                                                                                                      I always wondered about that.

                                                                                                                                                      One of the reasons I switched wholly to open source was I entirely disinterested in warranties. I wanted my code to work, not someone to blame when it didn’t.

                                                                                                                                                      I found over a decade ago no warranty, open source code, was usually less buggy than paid for code.

                                                                                                                                                      Especially compilers.

                                                                                                                                                      Why? More users, more people creating compelling test cases, more people looking at the code.

                                                                                                                                                      I have received patches for everything from libraries I use, down to the kernel, in my mailbox, the next day… simply by writing a compelling test case for a bug that was bothering me… and submitting that to an email list.

                                                                                                                                                      In other cases I fixed it myself.

                                                                                                                                                      In the close source projects where massive amounts of monies were paid… the usual response is “it will be fixed in the next release”….

                                                                                                                                                      As promised by a customer service rep who actually hadn’t a clue what I was talking about.

                                                                                                                                                      But then it’s almost irrelevant. Yes, I have been hit by compile bugs in my life. About three orders of magnitude less than common or garden homegrown bugs.

                                                                                                                                                      What finds and fixes bugs before they even get to release builds? Compiler warnings. These days they are bloody marvellous. Every new release of gcc they come up with more. Every release I run around our code base fix up the new warnings. Every time I find a couple of real live bugs.

                                                                                                                                                      Alas, the C language design disables a lot of what the compiler could warn about.

                                                                                                                                                      Unit tests, especially with valgrind. Valgrind is worth way more than any certified compiler (or coding standard).

                                                                                                                                                      The GNU D is a front end for the gcc compiler, so whichever targets the backend supports (ie. more than any other compiler) in principle D supports. There is some fine print around the library runtime support though for odd targets though. Support for arm does exist.

                                                                                                                                                      1. 3

                                                                                                                                                        Well we have also met some bugs in the Green Hills compiler we used in a project, and actually the code was compiled with multiple compilers and large parts tested on multiple architectures. C also had this advantage, that you could cross check compilers. (In-system tests were single-compiler tested, but 95% of the code was tested on multiple compilers on the project I worked on)

                                                                                                                                                        Still I can only recall Ada a mature and established embedded language with multiple compilers available… (Also avoiding vendor lock in at least as an option is important at a large project)

                                                                                                                                                        edit: BTW oftentimes regulators may also demand you use certified tooling. (I’m not totally sure, but lots of regulations applied to the automotive industry, AFAIK developing according to MISRA was a regulatory requirement)

                                                                                                                                                        1. 1

                                                                                                                                                          C also had this advantage, that you could cross check compilers.

                                                                                                                                                          D has two compilers the DMD and the gnu D compilers so you have that advantages two open source compilers.

                                                                                                                                                          Certainly if you’re multithreading (heaven forfend, wash your mouth out if you do “safety critical” and “multithreaded” together), running your code under every damn target, os, compiler and number of CPU’s you can find does wondrously at shaking bugs out of the tree.

                                                                                                                                                          BTW oftentimes regulators may also demand you use certified tooling

                                                                                                                                                          BTW oftentimes regulators may also demand you use certified tooling suffer from regulatory capture

                                                                                                                                                          1. 3

                                                                                                                                                            I see you really want to believe, yet still that is not how the industry works. Safety critical embedded development is quite different from other areas of the software industry. It is more conservative, independently of regulatory capture’s involvment or not. Projects move slowly and lot of stuff has to be decided up front.

                                                                                                                                                            I don’t know why you mention multi-threaded programming, it was not considered anywhere in the discussion. Using multiple architectures and compilers can help catching other subtle bugs around memory alignment, endiannes and such things, which are common in low level code. Or in the compilers themselves.

                                                                                                                                                            D might have two open source compilers, but that is only one aspect of the problem. D has not proven in that field, there are no expert and seniors in D, and the industry is not backing it. However better it may be (I believe it is not revolutionary enough to justify investment, Rust is more promising), nobody will risk its billion euro project for this, when C or ADA is already known and proven with all its pros and cons.

                                                                                                                                                            A new generation of programmers needs to come and they must push safer languages, and their tooling must meet the regulatory requirements. If you don’t like regulators, and government, so be it, yet those are the rules, and if you want to sell stuff as a automotive/aerospace component, you must play by those rules.

                                                                                                                                                            1. 2

                                                                                                                                                              I been on this hamster wheel for a few turns of the cycle.

                                                                                                                                                              The way it works is the bureaucracy ramps up and up and the costs ramp up and up…..

                                                                                                                                                              ( Here’s a very very old joke….

                                                                                                                                                              What do you call a MilSpec mouse?

                                                                                                                                                              An Elephant )

                                                                                                                                                              Until the users note that commodity devices are way way way cheaper, way way more functional, and actually way less buggy.

                                                                                                                                                              The regulations and red tape remain in place, but the users aren’t actually using those devices.

                                                                                                                                                              Eventually someone renames that class of devices the users are using so the old regs don’t apply…. and the slow the cycle starts up on the new class of devices.

                                                                                                                                                              Sigh.

                                                                                                                                                              Gone round that wheel a couple of times. On the “users are starting to ignore us and all the regs” phase of the current one.

                                                                                                                                                      2. 1

                                                                                                                                                        Which D or Rust compilers possessing certifications necessary for safety-critical applications do you suggest for this? Do they support the target architecture used?

                                                                                                                                                        Ada/SPARK has you covered. I think they also have compilers to C for event the target isn’t supported.

                                                                                                                                                        1. 1

                                                                                                                                                          Sure, but it may be more dificult to find experienced workforce for Ada. (Note that I also mentioned Ada as an available mature tool)

                                                                                                                                                          1. 1

                                                                                                                                                            The bootstrap problem is best solved by just teaching people how to use the better tools. Like Jane St does. They can do mock or just non-critical stuff for the learning projects.

                                                                                                                                                            1. 4

                                                                                                                                                              If you have people expert in those better tools, and confidence in those tools. Being revolutionary on the internet is easy, but then Euro billions are at stake you tend to be more conservative. Especially if you are German. :)

                                                                                                                                                              For non-critical stuff it was free for all, we used Python, Java, Excel/VBA, even PHP. For safety critical stuff only approved tools were used.

                                                                                                                                                              Lots of Simulink was used BTW, as most of the complexity was in control system. Simple stuff like hardware drivers were fine in C, and I understand the decision, as it was easy to kickstart the project back in the past with C..

                                                                                                                                                            2. 1

                                                                                                                                                              Ada is not used in automotive as far as I know. Apparently, Toyota made a push a few years ago but it did not catch on.

                                                                                                                                                        2. 3

                                                                                                                                                          Michael Wong called it “MISRAable code”. 😉

                                                                                                                                                          1. 1

                                                                                                                                                            A common anti-pattern I have seen in “MISRAable code” is that it’s correct in the small and wrong in the large. ie. much thought and care had been invested in ticking every rule for that particular function, but when you look at all the invocations of it, you know things aren’t going to quite work, and certainly not reliably.

                                                                                                                                                            1. 4

                                                                                                                                                              I find MISRA warnings often have a quick fix which makes the code worse. However, if you think further it may also reveal a reasonable design issue. Of course, a design (or architecture) issues are more work to fix, so the quick fix is tempting.

                                                                                                                                                              Example: We use object-oriented state machines a lot. This means every state is a member variable. At some point someone wanted to iterate over the states and thus put them in an array. Our checker then came up with some lifetime issue. The quick fix was some casting trickery. The real problem is about the design. We have ownership confusion: Is a state object owned by the array or by the object?

                                                                                                                                                              (Btw learning some Rust has helped me for C++. Concepts like ownership and borrowing are useful terms.)

                                                                                                                                                              1. 2

                                                                                                                                                                I know the situation you are talking about. This also depends on the review culture of the org. We have thrown out lots of “clever” code (MISRA passing) at the review phase.

                                                                                                                                                                MISRA is just one element in a puzzle, and while some of its rules are totally straightforward (eg. don’t use if(a() == b()) because order of evaluation is undefined, which can cause problems if they have side-effects), but usually they should make you stop and consider what are you about to do and why? They are indicators of code smells. Just as you said: the real problem usually is the design.

                                                                                                                                                          2. 3

                                                                                                                                                            Just by following the Directive 4.12 (Dynamic memory allocation shall not be used) you can eliminate quite a few footguns, I think.

                                                                                                                                                            As the article says, MISRA “wrote out any and all ways to make a mistake”, which is a treasure trove by it’s own; whether you enforce MISRA-C in your project or not.

                                                                                                                                                            1. 1

                                                                                                                                                              Translation: Thou shalt effectively re-invent (poorly) your own schemes to solve the problem hand carved out of a raw emasculated C.

                                                                                                                                                              Yes, malloc() is an atrocious design, I could rant on for hours about it’s flaws.

                                                                                                                                                              What it needs to provide, is out of the box, a collection of better, safer, more effective tools, not merely don’t use the sharp ones..

                                                                                                                                                              C++ is heading in the right direction here…

                                                                                                                                                              https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md

                                                                                                                                                              ..they are aiming for machine checkable standards complete with supporting libraries of better alternatives.

                                                                                                                                                              1. 2

                                                                                                                                                                I have never seen the need for dynamic allocation in safety critical code. Everything had fixed buffer sized, fixed sampling rates, fixed response times.

                                                                                                                                                                Could you provide an example where dynamic allocation is necessary in safety critical context?

                                                                                                                                                                1. 2

                                                                                                                                                                  Typically where you have a resource limited device that has different modes and can only be in one at a time.

                                                                                                                                                                  Yup, the joys of embedded, we will always be pushed to deliver mechanically smaller, lower power, cheaper unit cost devices.

                                                                                                                                                                  Always.

                                                                                                                                                                  No matter what Moore’s law gives us.

                                                                                                                                                                  Another common place is resource pools. eg. in an IP connected device, you’ll have a fixed size pool of ram for packets. If you get flooded with more packets than you have in your pool, you just drop them. So note…

                                                                                                                                                                  • Malloc is a shitty solution as you can make a trivial DoS attack the rest of your system by flooding with packets, so MISRA is right so far, don’t do that.
                                                                                                                                                                  • The packets are typically allocated when/where they arrive in the stack and deallocated when/where they leave (or acked). ie. It’s dynamic allocation.

                                                                                                                                                                  Yup, I’m most familiar with the insides of an IP stack, but I bet other packet based protocols will have something similar.

                                                                                                                                                                  1. 2

                                                                                                                                                                    Well, when I was working on auto parts (5+ years ago) our component did not need an IP stack. (Thank God!) I understand that nowadays everything is connected, but are those devices also safety critical? Anyways, where I worked MISRA was a fine aid in our work, gave a sane baseline for automatically checkable quality, so the testers could focus on tests for larger scale logic problems (which was mentioned in a different thread).

                                                                                                                                                                    1. 1

                                                                                                                                                                      I’m not saying MISRA doesn’t make things safer, it certainly does make things safer than using C without anything else.

                                                                                                                                                                      I’m saying it’s a bad tool for the job. It’s a bandaid, it’s security theater.

                                                                                                                                                                      There are a lot better ways of making things safer.

                                                                                                                                                                      Alas, where MISRA makes things less safe, it allows butt coverers to say, “Job Done, the safety risks with using C have been addressed.”

                                                                                                                                                                      Which is simply not true, not even close.

                                                                                                                                                                      I use IP stack as an example,, as I have the code in front of me. But I bet any packet based protocol based on top of say CAN bus will have the same.

                                                                                                                                                                      1. 3

                                                                                                                                                                        MISRA should be a part of a safety net, not the sole item providing safety. Safety critical code must be designed and implemented in such manner. The regulations usually also require development practices, independent audits, tests, requirements traceability, and safety experts who are liable for the safety of the system.

                                                                                                                                                                        If at your project safety criticality is claimed after passing a set of static tests for coding style (MISRA), than that sure is security theater, but also that is a serious deviation from the norms experienced in the European automotive industry. With such attitude a component cannot qualify for roadworthiness in the EU.

                                                                                                                                                                        Our CAN stack used fixed sized buffers, the whole system was hard realtime, no dynamic allocation happened.

                                                                                                                                                          1. 2

                                                                                                                                                            I have a feeling this is one of those things where machine learning could help a lot. I like the simplicity of your pressure model, though. Covers a lot of situations with better efficiency than ML would have.