1. 4

    I did this once, but with sam

    It didn’t really stick, but structural regular expressions almost kept me around.

    1. 11

      You might have heard of kakoune and how it’s a bit like vim, except that verb and object are reversed. One interesting and rarely-mentioned consequence is that you can do manipulation that is very close to what is described in the structural regexp document.

      Consider this hypothetical structural regex y/".*"/ y/'.*'/ x/[a-zA-Z0-9]+/ g/n/ v/../ c/num/ that they describe. Put simply, it is supposed to change each variable named n into num while being careful not to do so in strings (in \n for example).

      This exact processing can be done interactively in kakoune with the following key sequence: S".*"<ret>S'.*'<ret>s[a-zA-Z0-9]+<ret><a-k>n<ret><a-K>..<ret>cnum<esc>

      It looks cryptic, but it’s a sequence of the following operations:

      • S".*"<ret> : split the current selection into multiple, such that the patterns ".*" are not selected anymore
      • S'.*'<ret> : same, but with '.*'
      • s[a-zA-Z0-9]+<ret> : select all alphanumeric words from the current selections
      • <a-k>n<ret> : keep only the selections that contain a n
      • <a-K>..<ret> : exclude all selections that contain 2 or more characters
      • cnum<esc> : replace each selection with num

      And the nice thing about being interactive is that you don’t have to think up the entire command at once. You can simply do it progressively and see that your selections are narrowing down to exactly what you want to change.
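      Added example, not part of the comment above nor code from sam or kakoune: a small Python interpreter for the five sam commands used in that structural regex (x, y, g, v, c), run over a constructed sample buffer with the exact pipeline from the comment. Selections are half-open offset pairs; each command maps the current selection list to a new one, which is the same narrowing the kakoune key sequence performs step by step. All names (StructuralRegex, RENAME_N, rename_n_to_num, SAMPLE) are my own.

```python
import re
from typing import List, Tuple

Sel = Tuple[int, int]  # half-open [start, end) offsets into the buffer


class StructuralRegex:
    """Tiny interpreter for the sam commands x, y, g, v and c over a buffer.

    Like the kakoune key sequence, every command maps the current list of
    selections to a new list; the buffer starts as one selection covering all of it.
    """

    def __init__(self, text: str) -> None:
        self.text = text

    def run(self, program: List[Tuple[str, str]]) -> str:
        sels: List[Sel] = [(0, len(self.text))]
        for cmd, arg in program:
            if cmd == "c":
                return self._change(sels, arg)
            sels = self._step(cmd, arg, sels)
        return self.text

    def _step(self, cmd: str, arg: str, sels: List[Sel]) -> List[Sel]:
        pat = re.compile(arg)
        out: List[Sel] = []
        for start, end in sels:
            chunk = self.text[start:end]
            if cmd == "x":
                # x/re/: the matches become the new selections
                out += [(start + m.start(), start + m.end())
                        for m in pat.finditer(chunk) if m.end() > m.start()]
            elif cmd == "y":
                # y/re/: the text *between* the matches becomes the new selections
                pos = 0
                for m in pat.finditer(chunk):
                    if m.start() > pos:
                        out.append((start + pos, start + m.start()))
                    pos = max(pos, m.end())
                if pos < len(chunk):
                    out.append((start + pos, end))
            elif cmd == "g":
                # g/re/: keep selections that contain a match
                if pat.search(chunk):
                    out.append((start, end))
            elif cmd == "v":
                # v/re/: keep selections that do not contain a match
                if not pat.search(chunk):
                    out.append((start, end))
            else:
                raise ValueError(f"unknown command {cmd!r}")
        return out

    def _change(self, sels: List[Sel], replacement: str) -> str:
        # c/text/: replace every selection; go right-to-left so earlier offsets stay valid
        buf = self.text
        for start, end in sorted(sels, reverse=True):
            buf = buf[:start] + replacement + buf[end:]
        return buf


# The program from the comment above, one (command, argument) pair per step.
RENAME_N = [
    ("y", r'".*"'),          # drop double-quoted strings
    ("y", r"'.*'"),          # drop single-quoted strings
    ("x", r"[a-zA-Z0-9]+"),  # select alphanumeric words
    ("g", r"n"),             # keep words containing n
    ("v", r".."),            # drop words of two or more characters
    ("c", "num"),            # replace what is left
]


def rename_n_to_num(text: str) -> str:
    return StructuralRegex(text).run(RENAME_N)


# Constructed sample input (not from the original thread): n is used as a
# variable, inside two kinds of string literal, and as a prefix of n1.
SAMPLE = 'n = n + 1\nprint("n\\n", n)\nchar c = \'n\'; int n1 = n;\n'

if __name__ == "__main__":
    print(rename_n_to_num(SAMPLE), end="")
```

      Running it turns every standalone n into num while leaving "n\n", 'n' and n1 alone. Two caveats carry over from the original pipeline: `".*"` is greedy, so two strings on one line would swallow the code between them, and Python's `.` does not cross newlines, which is what keeps the string patterns per line here.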

      1. 7

        There’s also vis, which explicitly sets out to support structured regex.

        1. 2

          I can vouch for vis, I use it. Great editor!

        2. 2

          kakoune is definitely the best replacement to vim I’ve seen so far. But I enjoy the advantages of IDEs too much to switch (things like autocomplete, goto definition, catching errors while I type, etc.)

          Hopefully the Dance extension to vscode will become stable over time, and I can give it another shot.

          1. 8

            Kakoune has a pretty slick LSP plugin if the languages you work with have language servers available.

            1. 1

              FWIW I just spent a whole hour trying to install it on Linux and failed. And let’s say I’m not exactly a noob.

              To contrast, it took me only 10 mins to get it to work on neovim, and I’m equally unfamiliar with its ecosystem.

            2. 1

              Everything you described is available in Neovim’s built-in LSP client or in one of the many LSP plugins for Vim.

              1. 1

                I’m not sure I get it. Neovim has a kakoune mode?

                1. 1

                  I was referring to the “advantages of IDEs” (autocomplete, goto, diagnostics, renaming, documentation, etc.)

            3. 1

              I wish for something that has the object/verb ordering that kakoune does, but with the same plugins that vim does. I tried kakoune for a week and loved using it, but my workflow was broken and I found it was taking me a lot longer to get productive again as I tried finding some replacements for plugins I depend on in vim (and either not finding anything, or often finding a broken/incomplete alternative).

              1. 1

                Really curious now what vim plugins you use? I’ve never tried any plugins, so not sure what they can add

                1. 2

                  Here’s a short list of the plugins I use the most, loosely in order of how much I depend on them

                  • deoplete (better [IMHO] autocomplete)

                  • ale (linting)

                  • fzf.vim (lots of integration with fzf)

                  • vimwiki (formatted note taking/organization)

                  • gitgutter (indicate changed/new/deleted lines not staged/committed)

                  • colorizer (changes hex text color codes to match the color they represent)

                  • file-beagle (nice file browsing within vim)

                  • indentline (I write a lot of python, visual indication of indention helps during long sessions)

                  I don’t recall which plugins I wasn’t able to find replacements for in kak.. I should give it another go soon since I really do like kak’s philosophy with object/verb.

                  1. 1

                    Interesting. Quite a few of those seem almost like adding IDE features to vim. Curious on your take on vim+plugins vs IDE with vi mode?

                    1. 2

                      vim + plugins all the way, since I can run that setup basically anywhere (e.g. headless remote systems, etc). I also conditionally enable some plugins based on the file type I am editing.

            4. 4

              If anyone is interested in an updated version of sam, here ya go. Sadly I haven’t been able to give it the time it deserves lately, but it works well enough.

            1. 6

              The thing I love about i3 is that I can have super-efficient window-management combined with all the niceties of a modern desktop environment like automatically mounting USB drives, and support for my laptop’s screen-brightness and volume keys, a system tray with a volume control slider and quick access to networking and bluetooth settings, etc. etc.

              It’s neat that the author figured out how to get their “paste the current date” keybind to work, but that’s not what I was hoping to get out of this article. :/

              1. 4

                Missing nm-applet (for NetworkManager) was a big blocker for me, when I tried sway on a laptop.

                1. 3

                  I agree that Sway has a long way to go when it comes to convenience and functional defaults. However, in my experience, support — or lack thereof — for the items you list in the modern desktop niceties category (convenient access to networking, and support for brightness, or laptop specific volume keys) has been pretty similar between Sway and i3. Sway comes in second, but not by much.

                  The main difference, in my experience, is how few programs run on Wayland without tinkering.

                  But maybe I was missing out on a lot i3 features, and therefore didn’t miss them when I switched to Sway. Or maybe the difference in our experience is partly a result of the distro we’re running.

                  1. 4

                    If you’re looking for a fancier way to change volume and brightness with function keys I find wob to be rather good.

                    1. 2

                      i3 itself doesn’t have a lot of those features built-in, but since it’s just an X11 window-manager and it supports most or all of the fancy desktop-environment window hints, it’s not too hard to slot it into a traditional desktop environment that provides all that other stuff.

                      Meanwhile, with Wayland, it seems all the pluggable components of the X11 model are collapsed into the compositor, so I can’t set up environment variables in ~/.profile or launch helpers in ~/.xsession. Maybe I can set up systemd to start things for my user session, if Sway integrates with that, but I’m kind of hoping that somebody will figure that stuff out and publish a blog post before I have to do it myself. :)

                      1. 4

                        Just like with i3, you can start helpers from your Sway config with exec whatever.

                        1. 3

                          The point is more that i3 can be used to replace the wm part of an already functioning DE.

                          1. 3

                            Have you done that? Under which DE did you swap out the WM for i3, and what did you do? I tried with both GNOME and KDE, and really wasn’t happy with the results. I wound up going with kwin-tiling on KDE (which is actually pretty good) and calling it done, after spending a week tinkering off and on with substituting i3 in for both of those.

                            1. 3

                              I’m a very happy user of i3 + GNOME.

                              1. 2

                                Are you using a recent, vanilla version of GNOME? Maybe I’m fighting the fedora packages as opposed to the DE, if so. I had a hard time getting most things in the settings applets to behave, and power management was really funky, whenever mutter wasn’t running. I even went so far as to try GNOME flashback, but getting that installed without breaking system packages got to be too much effort.

                                1. 3

                                  I’m using GNOME Flashback, which is a system package in Debian.

                                  1. 2

                                    Thanks. That’s probably worth trying again for me. It looks like it is now a system package for Fedora, too, but it wasn’t when I tried.

                                    1. 3

                                      I wrote up how I set things up on Debian, although there’s a bunch of updates at the bottom that really should be folded back into the main text.

                    2. 2

                      automatically mounting USB drives, and support for my laptop’s screen-brightness and volume keys,

                      How have you got that set up?

                      I don’t have automatic mounting of USB drives, and the support for screen and keyboard brightness as well as volume keys comes from bindings I’ve added to my i3 config file that execute brightnessctl for brightness and pactl for volume.

                      1. 3

                        As I mentioned in another comment, I’m using GNOME Flashback to handle all the non-window-management parts of my desktop experience. I wrote up how I set things up.

                        1. 2

                          Thanks, I’ll check it out.

                    1. 5

                      Another confusion easily solved by using proper units and measuring mass instead of volume, as commonly done in cooking instructions outside the US.

                      1. 6

                        For what it’s worth, even here in the EU my bag of quinoa has the same instructions in volume.

                      1. 16

                        So Microsoft GitHub is doing the “lower the price, so the competition dies”-trick in this market as well, now. Interesting.

                        1. 26

                          A company responding to market pressures and pricing their products more competitively. Truly an evil ploy 😒🙄

                          1. 8

                            Wouldn’t you say it’s unfair competition to be able to dump infinite money into a business area in order to drive out competitors? That’s way past aggressive pricing.

                            1. 4

                              Wouldn’t you say it’s unfair competition to be able to dump infinite money into a business area in order to drive out competitors? That’s way past aggressive pricing.

                              It depends on how much you do it and for how long. Most startups start by selling below cost. The joke about Amazon in the ‘90s was that they make a loss on each sale, but make it up in volume. The typical marker for anticompetitive behaviour is whether the low price is long-term sustainable. If you are selling below cost because you expect to be able to lower your costs via economies of scale, that’s fine. If you’re cross-subsidising from another revenue stream and just trying to push your competitors out of business, that typically isn’t.

                              As I understand it [1], GitHub is independently profitable, primarily from the enterprise offerings. The free offering is one of the highest return-on-investment advertising campaigns that any company has ever offered (Gillette sending free razors to everyone in the UK who appeared as male on the electoral roll one year is close). Pretty much everyone coming out of university with a vague interest in programming has GitHub experience and I would be shocked if that didn’t translate into a load of companies buying the enterprise offerings. Even the $21/month/dev offering is a lot cheaper for most companies than doing the same thing in-house (compare that to even the salary of one person full time maintaining the infrastructure and you need quite a lot of devs for that to reach the break-even point).

                              [1] Disclaimer: I work for Microsoft Research, so may be considered biased, but I have no visibility into GitHub.

                              1. 2

                                Bitbucket’s been like this forever right?

                                “Offer basic service for free, advanced features behind paywall” is not really an odd concept, and it doesn’t require infinite money pits. As a (relatively small, granted) team we evaluated this change and decided to keep on paying for the paid service because we wanted the features it was providing.

                                I also remember a thing about how GH makes a bunch of money on its on-premise thing, and I imagine that pricing is not changing at all

                              2. 9

                                A company responding to market pressures with no regard for profit against competitors that don’t have vast resources backing them is a net detriment to the market. Similarly large companies (Google, Facebook) have no reason to get into the market and smaller companies (GitLab, sourcehut) can’t easily compete with Microsoft operating at a loss. This is a classic monopoly tactic.

                                1. 5

                                  I’m not so sure if it’s the case that GitHub “has no regard to profit”; in the HN thread Nat said they’ve been wanting to do this for a while, but had to wait for revenue in the enterprise to be high enough. The existing pricing for BitBucket and GitLab are similar to the new GitHub pricing; GitHub was actually quite expensive before. The new pricing seems reasonable and fair to me, and is competitive. I see no evidence of it being sponsored by Windows sales, for example.

                                  GitLab seems to be doing quite well with $100M revenue, Atlassian has $1.2 billion revenue (can’t find numbers for BitBucket specifically), sourcehut will always remain a niche product due to its idiosyncrasies (which is not just fine, but great; niche markets deserve good products too). So I’m not especially worried about any of those.

                                  I’m also not hugely enthusiastic by large companies becoming ever larger, and would have preferred if GitHub had remained independent. I think we probably have some common ground here. But what I’m a little bit tired of is that everything GitHub does these days is seen as part of some sort of malicious plan, and the assumption that everything they do is done in bad faith. Certainly in this case, it seems like a normal common-sense business decision to me.

                                  Is there a potential for Microsoft to abuse their power with GitHub? Sure! But thus far I’ve seen no indications of this. I agree we should be watchful for this (and ideally we should have better anti-trust laws), but I think we must also keep a level head and not jump to conclusions over every small thing. As someone who started using Linux/BSD systems in the early 2000s I have plenty of gripes with Microsoft (being sent a .doc file was a proper hassle back then), but pretty much all of the leadership has changed and Microsoft is not the same company. Referring to long-since abandoned strategies like EEE is, quite frankly, just inappropriate. I have actually flagged that comment as “unkind”, because random accusations without evidence are not appropriate IMO, even when directed at companies.

                                  CC: this also replies to your comments: @nomto @caleb @azdle

                                  1. 2

                                    I wrote a whole in-depth response but then, upon re-reading, I realized that we pretty much have no common ground on which to discuss this.

                                    I have actually flagged that comment as “unkind”, because random accusations without evidence are not appropriate IMO, even when directed at companies.

                                    Y’all are on some real bootlicker shit over here.

                                    1. 1

                                      I can see you’re committed to constructive discourse where everyone is free to voice their opinions without fear of being insulted; not so much to convince each other, but to at least understand each other’s positions better. Thank you!

                                    2. 1

                                      But what I’m a little bit tired of is that everything GitHub does these days is seen as part of some sort of malicious plan, and the assumption that everything they do is done in bad faith.

                                      Everything that GitHub does these days is part of some sort of malicious plan. That’s how business works (at this scale and in this part of the economy, at any rate).

                                  2. 4

                                    It’s a ploy to eliminate competition and expand private control over the infrastructure used by developers. Whether you think it’s evil depends on your values.

                                  3. 5

                                    The interesting part is that they chose to do it after their Enterprise business got big enough to subsidize it, not as a loss-leader using Microsoft money. It seems like the strategy to keep GitHub and Microsoft relatively separated has allowed GitHub to continue to connect very well with their target audience. Someone on HN mentioned Cloudflare as another company that has done a similarly good job of understanding who they’re marketing to and making changes that makes their target market happy.

                                    1. 3
                                      1. 12

                                        Do you have any examples of GitHub or Microsoft extending git so that it’s incompatible with non-GitHub/Microsoft clients?

                                        1. 11

                                          I don’t know if/don’t think that this is a case of EEE, but FWIW, I’ve had a lot of trouble explaining to people past a certain level of management (read: who have not programmed for more than some amount of time) that git and Github are different things. I’ve worked in a place where virtually everyone with a word to say in terms of budget, tooling and whatnot hadn’t used a version control system since back when SVN was pretty fresh, and some of the things that I had lots of trouble with (read: needed countless hours and countless meetings) were:

                                          • Git is a VCS, Github is a tool that uses git. (This was all happening while I was lending a hand with a very tortuous transition to git and virtually everyone referred to it as “the transition to github”, even though we were actually using Gitlab!)
                                          • git is not developed by Microsoft.
                                          • Github is not the enterprise/SaaS version of git, git is not the free/community version of Github.
                                          • Gitlab is not a free/self-hosted/community edition of Github.
                                          • You don’t need something like Github or Gitlab to use git.
                                          • The pull request-oriented workflow of Github is just one of the possible workflows, and you can do it without Github or Gitlab.

                                          Some of these I’m pretty sure I never managed to really get across. The last meeting I attended before leaving that place saw a bunch of questions like “can we upgrade from Gitlab to Github” and “Can the CLI version of Github (NB: git. That guy meant git.) create pull requests?”

                                          I don’t really follow the politics of these things because I can’t really say I care – VCSs come and go, I self-host git for myself but otherwise I use whatever my customers want to use and I’m happy with it. But if Microsoft wanted to do the EEE thing, the fruit is definitely ripe.

                                          1. 3

                                            The fact that github run the git.io URL shortener is pretty darn deceptive, IMHO.

                                            1. 2

                                              I’m not so worried about that in the case of git/GitHub to be honest, since it’s primarily a development tool. If devs decide they want a different tool en-masse, then usually they will get it (…eventually). This is pretty much what happened with svn → git.

                                            2. 11

                                              It’s not git, but the other various services tacked on (issues, the workflow, CI, etc) that have basically become synonymous with ‘git hosting’, which require more and more effort to break free from once you become invested in using it.

                                              1. 21

                                                That’s not “Embrace, extend, extinguish”, that’s just building a successful product that people find pleasant to use. There is no “Microsoft git” and you can download all your data from GitHub. If you want to make the argument that there should be more competition in the market, then okay, fair enough. But again, very different from EEE.

                                                There is a massive difference because EEE is all about forcing people into using a product and is malicious, whereas building a very popular product isn’t. There is nothing forcing you to use GitHub. If you want to use any competitor, then you have 100% freedom in doing so.

                                                GitHub is also quite far removed from being a monopoly. If anything, then lowering their prices is proof of that; monopolists don’t lower prices.

                                                more and more effort to break free from once you become invested in using it.

                                                This is true for anything. I stuck to tcsh for years because converting my extensive tcsh config to zsh would be a lot of work, as would re-learning all the tcsh tricks I knew. Even now I just stick with Vim even though Spacemacs is probably better just because I’m so invested in it.

                                                1. 4

                                                  There is a massive difference because EEE is all about forcing people into using a product and is malicious, whereas building a very popular product isn’t. There is nothing forcing you to use GitHub. If you want to use any competitor, then you have 100% freedom in doing so.

                                                  But if you want to contribute to a project, and their workflow is centred on Github (push requests, CI, etc.) then you are kind of required to comply. And all that infrastructure is also not that easy to move around – or at the very least it’s an effort that would require a great dissatisfaction with GitHub.

                                                  1. 6

                                                    But if you want to contribute to a project, and their workflow is centred on Github (push requests, CI, etc.) then you are kind of required to comply.

                                                    In Microsoft’s defense, that was true of GitHub long before Microsoft took over.

                                                    1. 1

                                                      I wasn’t “attacking” Microsoft, but rather GitHub. The change in ownership is more of a formality to me ^^.

                                                    2. 4

                                                      But if you want to contribute to a project, and their workflow is centred on Github (push requests, CI, etc.) then you are kind of required to comply.

                                                      This is true for any workflow. I really don’t like mailing lists or IRC for example, but if that’s what a project uses then I’m “required to comply” just as much as you are “required to comply” with my GitHub workflow (although I won’t turn down patches sent over email, if that works better for you).

                                                      Unfortunately, there is no way to satisfy everyone here; different people just have different preferences, and the GitHub workflow works well for many.

                                                      1. 1

                                                        Sure, but you don’t need an account for mailing lists, you don’t have to sign anything. Also, due to its decentralized nature, it’s easier to prevent a lock-in.

                                                        GitHub workflow works well for many.

                                                        Exactly! This pushes developers to adopt GitHub, as they fear (and I have experienced myself) that any other platform will have less interactions (bug reports, patches, etc.).

                                                        1. 1

                                                          You need an email account, and you typically need to subscribe to the email list (resulting in a lot of email in my inbox I don’t care about). It also doesn’t offer things like a good code review UI, which are IMO much easier in a GitHub-like UI, especially for larger patches. I appreciate it works better for some, but there’s a lot of friction involved for many.

                                                          If you’re really opposed to the GitHub-style UI, then my suggestion would be to work on an alternative which doesn’t have the downsides you see, but also removes the friction and UX issues that many really do experience. “Everyone is doing it wrong” is not really very constructive; people usually do it “wrong” for a reason, so best to address that.

                                                          This pushes developers to adopt GitHub, as they fear (and I have experienced myself) that any other platform will have less interactions (bug reports, patches, etc.).

                                                          The same applies not just to GitHub, but also git itself. I much prefer mercurial myself, but there’s much more friction involved for (potential) contributors. Related thing I wrote a few years ago: I don’t like git, but I’m going to migrate my projects to it

                                                          The problem with these kind of tools that everyone needs to use, is that a lot of people don’t really like using and learning multiple of them, so there may be kind of a natural tendency to go towards a single tool. There are certainly some advantages with having these kind of “industry standards”.

                                                          1. 1

                                                            It’s true that subscribing to mailing lists can be annoying. But personally, I don’t have a “everyone is doing it wrong” approach, as I think that sourcehut is building towards a very good system that both works for web-oriented and mail-oriented users.

                                                            And regarding git, I think that the main difference is tool vs service. Git is free software, I don’t need permission to use it, nor could it be revoked. GitHub is a platform with their own interests. But other than that, I understand your point. I too find hg interesting, but what keeps me from transitioning is mainly that in Emacs, Magit is too comfortable to git up.

                                                    3. 2

                                                      That’s not “Embrace, extend, extinguish”, that’s just building a successful product that people find pleasant to use. There is no “Microsoft git” and you can download all your data from GitHub. If you want to make the argument that there should be more competition in the market, then okay, fair enough. But again, very different from EEE.

                                                      There is a massive difference because EEE is all about forcing people into using a product and is malicious, whereas building a very popular product isn’t. There is nothing forcing you to use GitHub. If you want to use any competitor, then you have 100% freedom in doing so.

                                                      Everything you say also applies to the classic examples of EEE like extending HTML in IE. Every example of EEE is “building a successful product that people find pleasant to use,” so I don’t know why you juxtapose those things. Users of IE in the 90s had 100% freedom in switching to Netscape too. If you think these are fine justifications, you simply have no problem with EEE.

                                                      And there is “Microsoft git,” it’s called “hub.”

                                                      1. 2

                                                        Extending HTML is different because it forced Netscape and other vendors to “catch up” or their product would be “defective” (in the eyes of the user, since it didn’t render websites correctly). This is the devious part of the “Extend” phase because it seems like it’s adding useful helpful new features, but it’s done with the intention to make the competitor look “broken”.

                                                        As I said, GitHub has made no attempts to extend git in that way, or even hinted at attempts to do so.

                                                        1. 1

                                                          Adding helpful new features always has the effect of making the competitor look broken, and we have no way of evaluating intentions in either case. Extending git with pull requests makes repo.or.cz look defective because you can’t send pull requests with hub to a repo hosted there. It’s not different.

                                                          1. 1

                                                            It’s just some UI to improve the process, not an incompatibility. To me it sounds like you’re basically saying “you can’t improve your product to make it easier to use, because that will make competitors seem bad”, which I find a rather curious line of thinking.

                                                            1. 1

                                                              I’m not saying anything about what a company can and can’t do. Hub is not compatible with standard git hosting, so that seems like an incompatibility to me.

                                                              You seem to have decided that EEE is inherently bad and malicious, yet it was a phrase originally used proudly by Microsoft employees. They were proud because they viewed their actions exactly the way you view the current GitHub developments. If you have no problem with proprietary git extensions, what’s wrong with upgrading a browser with proprietary extensions to enable video playback in a web page?

                                                              1. 1

                                                                Yeah, a solution that works for both would be best. I’m not entirely sure of SourceHut will be that – at least from the perspective of a “web hipster” like me – but I’m keeping an eye on it. You can already do that with GitHub to some degree as well btw; for example Vim sends all issues to the mailing list, and you can (and many people do) reply from there. You can probably do something similar with PRs if you want.

                                                                You seem to have decided that EEE is inherently bad and malicious, yet it was a phrase originally used proudly by Microsoft employees. They were proud because they viewed their actions exactly the way you view the current GitHub developments. If you have no problem with proprietary git extensions, what’s wrong with upgrading a browser with proprietary extensions to enable video playback in a web page?

                                                                Like I said, I don’t think it’s the same since the git protocol isn’t modified. It’s more similar to the video popup thingy Firefox added a while ago: it didn’t modify anything about the underlying protocols and standards, but it did modify the UI based on those standards.

                                                                I can see where you’re coming from since you’re “forced to use GitHub”, but isn’t that the case for any issue tracker I add? If I self-host some Ruby on Rails issue tracker, and maybe a code review system, then you’re “forced” to use that too, right? I’m not sure how different that would be to GitHub?

                                                                At the end of the day, I think by far the most important issue is that git remains the open and free protocol and tool that it is today; issue tracker, code review, and whatnot are all very convenient and nice, but they’re really just auxiliary features of relative low importance to the actual code. By far the most important thing is that everyone is able to clone, share, and modify the software freely, and GitHub doesn’t stand in the way of that at all as far as I can see.

                                                                1. 1

                                                                  I’m still not clear what problem you have with using otherwise-ignored HTML to embed useful features in a web page. Microsoft didn’t modify HTTP.

                                                                  1. 1

                                                                    A webpage is inaccessible if I view it in a browser which doesn’t implement the feature (how inaccessible depends on the details), whereas git is still the same git with GitHub.

                                                                    1. 1

                                                                      That is true of any advance in web standards. Web pages which use those standards are inaccessible from browsers which don’t implement those features.

                                                      2. 1

                                                        That’s not “Embrace, extend, extinguish”, that’s just building a successful product that people find pleasant to use. There is no “Microsoft git” and you can download all your data from GitHub. If you want to make the argument that there should be more competition in the market, then okay, fair enough. But again, very different from EEE.

                                                        There is a massive difference because EEE is all about forcing people into using a product and is malicious, whereas building a very popular product isn’t.

                                                        If we ignore the pricing, it’s not “extinguish”, but it’s pretty clearly “embrace” and at least a little bit of “extend”.

                                                        There is nothing forcing you to use GitHub. If you want to use any competitor, then you have 100% freedom in doing so.

                                                        Yes, currently that is true. But if Microsoft is pricing GH below cost, it will make it hard for those commercial competitors to make enough money to continue existing.

                                                        GitHub is also quite far removed from being a monopoly. If anything, then lowering their prices is proof of that; monopolists don’t lower prices.

                                                        Pricing yourself lower than your costs is exactly how you use money to build a monopoly though.

                                                        All that being said, I don’t think anyone is worried about them “extinguishing” git, because you can’t extinguish open source software. But, it definitely doesn’t look good for GH’s commercial competitors.

                                                    4. 2

                                                      Applied to a service, what they’d do is something to get people to put their critical assets in it, build their business processes on using it, eliminate the better competition somehow if possible, and lock-in results. Once locked-in, they start jacking up prices, reducing quality, selling them out to advertisers, etc.

                                                      Microsoft has a long history of that for its own products and its acquisitions. I decided to recommend nobody depend on Github the second that… they were a SaaS startup. They usually become evil after acquisition or IPO. If not a startup, the second Microsoft bought them.

                                                1. 3

                                                  System D

                                                  oh boy better be careful they don’t hunt you down for the improper typesetting of “systemd”

                                                  1. 5

                                                    Haha! Yes, it upsets people when it’s not written as “systemd”, but in the title it’s actually meant to be an allusion to old science fiction films, think “Escape from planet X”. I always capitalise proper nouns though, and so I’ve (otherwise) called it Systemd (as I call my own system Dinit, though the executable is called “dinit”). As far as I’m concerned you can spell it however you like :)

                                                    1. 5

                                                      In my experience, people who insist on calling it SystemD are the pettiest of detractors.

                                                      1. 2

                                                        Also they’d insist on systemd, all lowercase, lol

                                                        Yeah, agreed, it’s incredibly petty and stupid.

                                                        1. 1

                                                          I mean, this is a community that still uses “Micro$oft” as a moniker, so…

                                                        2. 1

                                                          Elasticsearch vs. ElasticSearch is also a fun one :)

                                                          1. 1

                                                            I remember SystemD being the right way to typeset it. At least, that’s what everyone seemed to be using at the start. Given I have had zero interest in the project since then (except using it on arch linux and finding it… inadequate for my purposes), I haven’t been updated with the systemd-official way of calling it. I do dislike systemd, but I think it’s silly to call everyone who hasn’t kept up to date with the name “detractors”.

                                                            Edit: Elsewhere in the thread there’s an implicit comparison between using SystemD and using Micro$oft. But I don’t see how you can compare those things. The first is a reasonably proper name for it (System Daemon, or whatever), the other is a jab at the FUD and EEE tactics of the corporation.

                                                        1. 2

                                                          Kakoune - Interactive only editor inspired by Vim.

                                                          I find that kakoune is actually very easy to write scripted text processing in, simply because it uses exactly the same language for interactive and scripted use.

                                                          1. 4

                                                            I’ll be trying this out, the situation with IRC bouncers is quite horrible, so almost anything is an improvement. A while back I tried to find ZNC alternatives, and found these

                                                            The joke is that almost every second one hasn’t been updated in the last ten years, and their code quality probably also varies substantially.

                                                            1. 8

                                                              The joke is that almost every second one hasn’t been updated in the last ten years, and their code quality probably also varies substantially.

                                                              I don’t know, it seems to me like an IRC bouncer is something you write, and then you’re done. What updates were you hoping for?

                                                              1. 6

                                                                In general I agree; I’m not planning to have to make many releases of pounce. However there have been some useful developments in IRC in the last 10 years, such as the server-time extension, that do improve the situation for bouncers.

                                                                1. 1

                                                                  There’s a feature I would like in a bouncer which (I believe) does not exist, and therefore this might be used as a data point that there’s still room for updates or innovation in bouncers.

                                                                  On the other hand, my feature, and indeed OP’s feature here, might be feasibly implemented in a ZNC plugin. Which would be a data point against the need for another client.

                                                                  My feature request is: I would like to be able to make one client->bouncer connection and for the bouncer to provide a view over multiple IRC networks in some fashion, so for example, from my client’s POV, I might join the channel “#oftc#debian-uk”, and the bouncer routes that to an OFTC server connection, channel #debian-uk. As things stand, I have to make a half-dozen individual client→bouncer connections, one per IRC network.

                                                                  1. 3

                                                                    Quassel does this, the problem with this idea is that you need a custom protocol between the bouncer and the client. Having to switch from your favourite IRC client to replace it with your bouncer’s only supported client isn’t always fun.

                                                                    1. 2

                                                                      I’ve thought about this sort of thing too, having some network connections where I use only one channel. Unfortunately it breaks down pretty quickly (unless you start using a custom protocol as @xi points out). How do you route commands that aren’t directly tied to channels, such as WHOIS or private messages for that matter? What happens if your nick ends up different on one network from another? It seems like it would end up more hassle than just a bunch of separate connections.

                                                                  2. 3

                                                                    I’m not exactly an IRC power-user, but I’ve been running weechat-headless on my server together with its relay feature, it fulfills my need for persistent and cross-device history.

                                                                    1. 1

                                                                      I’ve tried it once, but I hate having to ssh to any server for chats. As an Emacs user I much prefer to have a “proper” UI (i.e. what I’m used to) and use something like rcirc or ERC – and to have a persistent setup with these clients, a functioning bouncer is necessary.

                                                                      But what you mention is probably interesting, because that might be a reason that there hasn’t been much development on the bouncer front, since the intersection between those who think that’s ok and use IRC is not really getting smaller (percent-wise).

                                                                      1. 3

                                                                        I don’t actually ssh into it to use IRC, I use a “relay” web client. In the future you should be able to use weechat itself as a relay client, if you prefer its UI.

                                                                        1. 1

                                                                          Ah, I forgot about that. But it doesn’t help me, I don’t want to use Weechat, but want a real bouncer.

                                                                          1. 1

                                                                            Thanks for linking to Glowing Bear! I use weechat off and on, and that looks pretty slick for a wee-chat front-end

                                                                      2. 2

                                                                        I’ve been enjoying using Quassel, but it’s more of a fully fledged client rather than a CLI like weechat, but the “core” idea they have is very good. I just wish there was a bit more development on it to polish out the kinks.

                                                                        1. 5

                                                                          A worrying thing about Quassel is that communication with the “core” uses some Qt object serialization format which iirc isn’t necessarily stable and isn’t exactly designed for a network protocol

                                                                          1. 9

                                                                            We actually fixed that recently in 0.12.5/0.13.0.

                                                                            It’s still the exact same protocol, but we use custom serialisation/deserialisation to ensure it’s a stable protocol, and is safe to be used over the network.

                                                                            You’re right that it used to be undocumented and unstable, but we’ve spent a lot of work to keep everything compatible — a current 0.13.1 core or client can communicate with any client or core since 0.5.2, which was released in 2009 :)

                                                                            1. 1

                                                                              I have never really had an issue with the connection. It has had a few hiccups every now and then, but I have never bothered to spend time debugging it as it could be anything from my server throwing a fit, PostgreSQL doing a thing, certificate renewals via Let’s Encrypt or just some network buggery going on. All problems I have had have all disappeared in seconds as well, further making me not bother to deal with it :P

                                                                              Might be an issue for some, but I have never had much of a problem.

                                                                            2. 4

                                                                              What are those kinks you feel need to be polished? I’d love to hear about them, so we can actually start working on improving them :)

                                                                              1. 3

                                                                                Cool to see you around here as well! I hang around on the IRC for when I need to get some help :)

                                                                                My biggest peeve is honestly the documentation and the convoluted setup of the core. My core is probably a bit outdated because I really don’t want to deal with the upgrade as I would have to figure out way too much stuff again. Here’s a few things that could be better about it though:

                                                                                • Setting up the database is documented on the website, but I don’t see why it couldn’t just have been a script?
                                                                                • Why is there a commandline switch to select the backend when you also have to provide a config file? Couldn’t it be specified there so the service setup would be simpler?
                                                                                • User administration is a bit of a drag to deal with. Adding a user is simple enough (commandline switches like that are a bit of a pain, but I can manage), but managing them requires dealing with the database directly (deleting for example).
                                                                                • It would be nice if more settings were synced between the clients, like the chat monitors and the input widget for example. Having to configure that every time is a bit of a pain. Also, it would be nice if the stylesheet would be synchronized between the clients.
                                                                                • Also, push notifications while disconnected would be nice, but I realize this isn’t completely straightforward to do.

                                                                                And a few words of praise!

                                                                                • The documentation on the website has improved greatly since I used it last. There are many things there that weren’t around when I tinkered with it last time. Good job on that :)
                                                                                • The client <-> core solution works very well in general. I feel this solution is way better than any other IRC client/bouncer combos I have ever used. It’s pain-free to hop between clients.
                                                                                • Everyone on the IRC channel is very helpful and whenever I have asked about things I have gotten a decent answer, and even had some of the issues I brought up fixed in the next version; like being able to reload the core for SSL cert renewals.

                                                                                1. 2

                                                                                  Why is there a commandline switch to select the backend when you also have to provide a config file? Couldn’t it be specified there so the service setup would be simpler?

                                                                                  The command line switch automatically migrates between databases, while the config (or the new ENV variables) don’t automatically migrate, but only use that database.

                                                                                  Setting up the database is documented on the website, but I don’t see why it couldn’t just have been a script?

                                                                                  That’s actually planned, but we haven’t had time for that so far.

                                                                                  User administration is a bit of a drag to deal with. Adding a user is simple enough (commandline switches like that are a bit of a pain, but I can manage), but managing them requires dealing with the database directly (deleting for example).

                                                                                  That’s long been planned, but as you all know, we don’t have enough volunteers, and not enough time.

                                                                                  Also, push notifications while disconnected would be nice, but I realize this isn’t completely straightforward to do.

                                                                                  That’s actually my #1 priority right now (due to Quasseldroid), and it’s almost done! So you should see that within 2020 :)

                                                                                  1. 3

                                                                                    Don’t get me wrong! I know you are all working hard on it and I see the progress all the time :)

                                                                                    When I said this:

                                                                                    I just wish there was a bit more development on it to polish out the kinks.

                                                                                    I was pretty much referring to what you say here:

                                                                                    but as you all know, we don’t have enough volunteers, and not enough time.

                                                                                    It’s really getting there :)

                                                                          1. 17

                                                                            Who exactly is arguing that a music library program should use a full-blown database? A large library (in the tens of thousands of files) could easily fit into memory, sqlite is easily running circles around this kind of workload.

                                                                            1. 2

                                                                              “If your data will grow to a size that you are uncomfortable or unable to fit into a single disk file, then you should select a solution other than SQLite. SQLite supports databases up to 140 terabytes in size, assuming you can find a disk drive and filesystem that will support 140-terabyte files. Even so, when the size of the content looks like it might creep into the terabyte range, it would be good to consider a centralized client/server database.”

                                                                              From the SQLite docs.

                                                                            1. 10

                                                                              Who is this guy? A frickin’ super genius. Look at the other cryptography work they’ve done.

                                                                              Some people are on a whole other plane of existence, I swear. What a beast.

                                                                              More on topic: I wonder how many people will use this with confidence? Is OpenVPN truly that difficult to setup, that you’d just write your own cryptographic primitives and VPN server and client?…

                                                                              1. 14

                                                                                Who is this guy?

                                                                                Someone who has earned a verbification of his name in the cryptography community, as anointed by Thomas Ptacek.

                                                                                (Disclosure: I am lucky enough to work with Frank.)

                                                                                1. 2

                                                                                  Is OpenVPN truly that difficult to setup

                                                                                  Not IME, though there’s certainly the possibility that the simple path I’ve taken has left holes I’m unaware of. What OpenVPN certainly has in its favour is Android apps, which is a must-have for me.

                                                                                  1. 3

                                                                                    It’s definitely difficult to set up an OpenVPN server and understand all the configuration options. Did you set everything you need to, or forget something important? Did you read the logs for warnings about unsafe configurations? Have any defaults been weakened to better support legacy things you don’t use? If you use an OpenVPN provider, did they do all those things?

                                                                                    Personally, it’s too much stress for me. I use strongSwan because I investigated all those questions at work, that time was paid for. But I wouldn’t have done that on my own time.

                                                                                  2. 1

                                                                                    Is OpenVPN truly that difficult to setup

                                                                                    I’ve never set up OpenVPN so I don’t know by experience, but now that I look up guides or scripts it does seem quite complex. Setting up dsvpn was so simple that it took me ~2 minutes, and I’m now tunneling to my server to post this. It’s pretty cool.

                                                                                    1. 1

                                                                                      I wonder how many people will use this with confidence?

                                                                                      Definitely not me. It’s literally a few days old, which, from a purely statistical point of view, means it is very likely to have all kinds of problems that weren’t obvious to the author as he was writing the code. Says right there in the readme, “This is a weekend project,” which means there was almost certainly little to no design process, no significant amount of peer review of the design, and obviously no real-world testing. The guy who wrote it can be as brilliant as they come but there is no such thing as writing bug-proof code.

                                                                                      1. 4

                                                                                        I highly doubt it’s 100% bug free, but it’s also ~1000 lines of C code. When people talk about auditing open source for bugs and vulnerabilities, I look at things like StrongSwan and I’m skeptical. It would take days just to get comfortable with that code. But I read DSVPN in half an hour. It’s nice, clean, well-designed code.

                                                                                        I read both source files from top to bottom. The “design process” is simply that the author clearly has a rock solid understanding of VPNs. You have to know exactly what you’re doing to write a fully functional VPN in that little code. And he’s added lots of optimizations that only a seasoned systems engineer would think of off the top of their head for a weekend project. He sets some TCP socketopts to make congestion control and kernel buffering much more responsive than you’d get with a more naive TCP-based VPN.

                                                                                        I agree DSVPN is extremely new and shouldn’t be used for Serious Security. But it’s small and simple, so I think it will achieve an asymptotically small bug count quickly, and I will soon have more confidence in it than big sprawling projects like OpenVPN and StrongSwan. And for casual coffee shop purposes, for a sufficiently technical user that understands how the firewall and routing setup commands fail, I think it’s already safe to use.

                                                                                    1. 11

                                                                                      I don’t get why the integrated terminal emulator/multiplexer is presented as a feature (the first in the list, even). Surely having yet another multiplexer implementation (see also: vim) with its own idiosyncrasies and key bindings is not a good thing, and it would be better design to expose some IPC or configuration so that a user could integrate their own preferred terminal emulators (standalone windows, tmux panes…), or even more traditional GUIs (like gedit).

                                                                                      1. 1

                                                                                        I think it’s an obvious solution that’s simply more intuitive and less complicated than what you describe. Also, it would otherwise be hard to keep the rest of the interface visible while editing/viewing e-mails.

                                                                                      1. 2

                                                                                        Standard question: Is there a WebRTC p2p alternative that doesn’t require a server?

                                                                                        1. 3

                                                                                          Yes file.pizza, although you still need the server to connect the two peers together.

                                                                                          1. 2

                                                                                            A huge thanks to WebTorrent which we use for the file transfers under the hood.

                                                                                            Interesting.

                                                                                        1. 9

                                                                                          Magic Wormhole works pretty well for some overlapping use cases. Differences from Firefox Send:

                                                                                          • Synchronous (sender waits for transfer)
                                                                                          • Data is never stored on 3rd-party server
                                                                                          • No URLs, just pronounceable short codes
                                                                                          • Both parties need to install a Python package

                                                                                          1. 4

                                                                                            file.pizza is similar, but uses webrtc and works in the browser, so you could realistically use it with non-technical users.

                                                                                          1. 2

                                                                                            This looks interesting and powerful, and seems like it would be easy to pick up for a Vim user.

                                                                                            Has anybody used it enough to give a quick review?

                                                                                            1. 15

                                                                                              I’ve used it for about 3 years now. I’m involved in the community, a little bit in the development and I’ve written a few plugins for it.

                                                                                              • Multiple selections as a core feature instead of an afterthought. You get immediate feedback when doing batch changes. In fact, even though kakoune supports them, I never use macros.
                                                                                              • Swapping verb/object. This might seem like a novelty at first, but it has the direct advantage that you always see what you operate on. The second advantage, less immediately obvious, is that you get structural regex for free. You simply chain multiple selections actions and then do the operation(s) you want.
                                                                                              • Generally well designed. Features make sense, and they interact well together. The boundaries of what the editor should do are pretty clearly defined, for example instead of implementing window multiplexing, it defers that to your favorite terminal emulator (or tmux) through a plugin.
                                                                                              • Extremely lean and performant. The only dependencies are the C++ standard library and ncurses, and the compiled binary is ~3MB. It can handle huge files, and a large number of files as well. Its (custom) regex engine supports features I haven’t seen elsewhere, such as efficient backwards matching.

                                                                                              The first two points in particular allow me to do complex text processing very quickly; I don’t have to think hard about a regex and what its result might be, I just do things on the fly.

                                                                                              Some downsides:

                                                                                              • The shell being core to the extension model. (posix) shell is a pretty poor language to write things in, full of pitfalls and inefficiencies. It’s not all that bad since it is possible to make pretty complex things with it (such as an lsp client), and the number of plugins that have come out show that it does actually work.
                                                                                              • Unlike vim/emacs, you can’t really use it as a text canvas for implementing a custom UI. You probably won’t be able to do a magit-like interface with kakoune’s extension model, but the kakoune mantra would be to delegate that to another tool anyway.
                                                                                              • No code folding (yet?) for those who care about that.
                                                                                              1. 3

                                                                                                I gave it a little try a few years ago & wrote about it here. Basically, I thought it was nice & neat but not enough to make me switch from vim/emacs and their whole giant ecosystems.

                                                                                                1. 1

                                                                                                  seems like it would be easy to pick up for a Vim user.

                                                                                                  The more experienced a Vim user you are – the more painful it is IMHO. The “nearly Vim but not” can really get under your skin. If you work hard at it, it is a 2-3 week adjustment, but it can backslide a bit if you are switching back and forth.

                                                                                                1. 16

                                                                                                  There is some irony in calling GUIs bloated when your stack has no less than 3 different, incompatible ways of doing window management (plus a fourth if we were to count the DE/WM) and a “framework” for managing your… shell.

                                                                                                  1. 4

                                                                                                    Yeah, the absolute nature of the statement is really stupid.

                                                                                                    If all guis are bloat, show me how you’re going to do 3D CAD or PCB layout inside tmux.

                                                                                                    1. 2

                                                                                                      The folks behind EROS Windowing System in particular would be really ticked given it was secure, minimalist, windowing system in 3,500 lines of code. I have a feeling Vim might be larger than that. I don’t know the lines of code, though.

                                                                                                      1. 2

                                                                                                        I’m pretty sure the author isn’t capable of critical thought, but instead cargo-culted various tools he heard about from other blogs of webdevs just like himself.

                                                                                                        1. 1

                                                                                                          At work we have a gateway server with an /etc/motd saying, essentially, “don’t use this system as anything but an SSH jump host – don’t run anything intensive or store anything large here”. Most people have no problem following this, but I noticed one user with an unreasonably large home directory. As a matter of policy I generally don’t abuse my admin access to look at anyone else’s stuff, but in this case I felt warranted to investigate, and found in said home directory:

                                                                                                          $ du -hs .vim/bundle/* | sort -h
                                                                                                          ...
                                                                                                          600M	.vim/bundle/YouCompleteMe
                                                                                                          

                                                                                                          You want bloat? I got yer bloat right here…

                                                                                                          (And I say this as a die-hard terminal junkie/GUI hater myself.)

                                                                                                        1. 2

                                                                                                          kimsufi.com is probably as cheap as it gets, they even have cheap dedicated servers with very reasonable HDD space. I can’t complain about the reliability, I’ve been using their service for a while and have had little downtime.

                                                                                                          1. 5

                                                                                                            I’d be interested to see a side-by-side comparison of kitty to alacritty. In particular, I’ve been using alacritty at work for a while and while it’s barebones at the moment, it’s exceptionally fast (which is probably my core feature for terminal emulators). That said, kitty looks like a fine emulator.

                                                                                                            1. 6

                                                                                                              Honest question: what need do you have for a fast terminal emulator?

                                                                                                              1. 8

                                                                                                                I have a minor obsession with input latency and scroll jank. It seems to creep up everywhere and is hard to stamp out (Sublime Text is a shining counterexample). I noticed a bit of weird input latency issues when using Terminal.app (purely anecdotal), and haven’t seen the same thing since using alacritty. So that’s the need I have for a fast emulator, it enables a smooth input and output experience.

                                                                                                                1. 4

                                                                                                                  I am sensitive to the same.

                                                                                                                  This is what kept me on Sublime Text for years, despite open source alternatives (Atom, VS Code and friends). I gave them all at least a week, but in the end the minor latency hiccups were a major distraction. A friend with similar sensitivity has told me that VS Code has gotten better lately, I would give it another go if I weren’t transitioning to Emacs instead.

                                                                                                                  I sometimes use the Gmail web client and, for some period of time, I would experience an odd buffering of my keystrokes and it would sometimes completely derail my train of thought. It’s the digital equivalent of a painful muscle spasm. Sometimes you ignore it and move on, but sometimes you stop and think “Did I do something wrong here? Is there something more generally broken, and I should fear or investigate it?”

                                                                                                                  1. 2

                                                                                                                    Web-based applications are particularly bad, because often they don’t just buffer, but completely reorder my keystrokes. So I can’t just keep typing and wait for the page to catch up; I have to stop, otherwise I’m going to have to do an edit anyway.

                                                                                                                2. 4

                                                                                                                  I have to admit, I thought for certain this was going to be Yet Another JavaScript Terminal but it turns out it’s written in Python. Interesting.

                                                                                                                  Anyway I would have a hard time believing it’s faster than xfce4-terminal, xterm, or rxvt. It’s been a long time since I last benchmarked terminal emulators, maybe I smell a weekend project coming on.

                                                                                                                  1. 7

                                                                                                    kitty is written in about half C, half Python; Alacritty is written in Rust.

                                                                                                                    There were some benchmarks done for the recent Alacritty release that added scrollback, which include kitty, urxvt, termite, and st. https://jwilm.io/blog/alacritty-lands-scrollback/#benchmarks

                                                                                                                    1. 2

                                                                                                                      I just did a few rough-and-ready benchmarks on my system. Compared to my daily driver (xfce4-terminal), kitty is a little under twice as fast, alacritty and rxvt are about three times as fast. If raw speed was my only concern, I would probably reach for rxvt-unicode since it’s a more mature project.

                                                                                                                      Alacritty is too bare-bones for me but I could be sold on kitty if I took the time to make it work/behave like xfce4-terminal.

                                                                                                                      1. 1

                                                                                                                        I like xfce4-terminal, but it renders fonts completely wrong for me. It’s most noticeable when I run tmux and the solid lines are drawn with dashes. If I pick a font where the lines are solid, then certain letters look off. It’s a shame, because other vte-based terminals (e.g. gnome-terminal) tend to be much slower.

                                                                                                                  2. 2

                                                                                                                    For me it’s the simple stuff that gets annoying when it’s slow. Tailing high-volume logs. less-ing/cat-ing large files. Long scrollbacks. Makes a difference to my day by just not being slow.

                                                                                                                    1. 2

                                                                                                                      I don’t care that much about the speed it takes to cat a big file, but low latency is very nice and kitty is quite good at that. I cannot use libvte terminals anymore, they just seem so sluggish.

                                                                                                                      1. 2

                                                                                                                        For one thing, my workflow involves cutting and pasting large blocks of text. If the terminal emulator can’t keep up, blocks of text can come through out of order etc, which can be a bad time for everyone involved.

                                                                                                                      2. 3

                                                                                                                        I’m on macOS.

                                                                                                                        I used alacritty for a while, then switched to kitty as I’d get these long page redraws when switching tmux windows—so kitty is at least better for me in that regard. Both have similar ease of configuration. I use tmux within both, so I don’t use kitty’s scrolling or tabs. The way I was using them, they were more or less the same.

                                                                                                                        I’m going to try alacritty again to see if it’s improved. I’d honestly use the default Terminal app if I could easily provide custom shortcuts (I bind keys to switching tmux panes, etc).

                                                                                                                        1. 4

                                                                                                          I came back to Alacritty on MacOS just the other day after trying it last maybe 6 months ago and finding it “not ready” in my head. It’s been significantly updated, there’s a DMG installer (and it’s in brew), a lot more polished overall, and it works really well and really fast. No redraws in tmux switches. Weird redraw artifact while resizing the main window, but it snaps to fixed immediately when you stop, and doesn’t bother me much. Using it as a full-time Terminal replacement right now, liking it so far, will see how it goes!

                                                                                                                          1. 1

                                                                                                                            Good to know! I’ve installed it via brew now and double-checked my old config. My font (as in, not the default Menlo. I’m using a patched Roboto Mono) looks a bit too bold, so just gotta figure out what’s wrong there.

                                                                                                                            1. 2

                                                                                                                              They’ve updated config files with additional info about aliasing and rendering fonts on Mac. So take a look at that if you are using your old config. It’s not a bad idea to start from scratch.

                                                                                                                              1. 1

                                                                                                                                Thanks for the tip! I did start from scratch and moved over changes bit by bit, but I’ll have to check the new macOS specific lines.

                                                                                                                          2. 3

                                                                                                                            Cool, thanks for your input! I also use tmux, and I haven’t seen anything like what you described (I also don’t really use tmux panes, only tabs). I know there has been a longstanding vim + tmux + osx bug as well, but I haven’t used vim proper in a while.

                                                                                                                            1. 2

                                                                                                              I think that’s my exact problem (turns out I’m even subscribed to the issue haha). I use neovim so I think it is/was applicable to both.

                                                                                                                          3. 1

                                                                                                            Do any of those really measure up when benchmarked?

                                                                                                            I remember doing some writing to stdout and alacritty turned out to be slower than, say, gnome-terminal or whatever.

                                                                                                            Might’ve been that there was a bug with my intel graphics card though, don’t remember too well.

                                                                                                                          1. 10

                                                                                                                            Started to build on OpenBSD. A few simple linuxisms (always linking with -ldl, etc.) easily resolved, then I hit

                                                                                                                            linux_joystick.c:32:10: fatal error: 'sys/inotify.h' file not found
                                                                                                                            

                                                                                                                            I think I’ll stop here. I don’t need joystick support in my terminal emulator.

                                                                                                                            1. 5

                                                                                                                              That’s because kitty uses GLFW for window creation/OpenGL context/input handling, and bundles a copy of it. If you can make it use the system library (assuming it exists on OpenBSD) it should work.

                                                                                                                              1. 3

                                                                                                                                You vendor it, you own it. If it had just been a simple -lglfw I never would have noticed and the build would have just worked.

                                                                                                                            1. 5

                                                                                                              Not to be overly critical, but I’m not entirely sure what problems are solved by this - or, more accurately, why.

                                                                                                                              From the bullet points on the website I gather

                                                                                                                              GPU rendering for scrolling

                                                                                                                              This is not a problem I ever had with any terminal emulator. Anywhere (well, except maybe Windows). I’ve had scrollback buffers be too small, but never had problems actually scrolling. And I have a lot of long-running terminal sessions.

                                                                                                                              Threaded rendering to minimize input latency

                                                                                                                              In my experience, threads don’t really do anything for non-multiplexed sources such as keyboards. And even for multiplexed sources, they mostly do more harm than good.

                                                                                                                              Supports […] features: “Graphics (images)”

                                                                                                                              why?

                                                                                                                              unicode, true-color, OpenType ligatures, mouse protocol, […]

                                                                                                                              so does urxvt

                                                                                                                              […] and several new terminal protocol extensions.

                                                                                                                              Not sure this is a good thing. (Insert XKCD about (n+1) Standards here)

                                                                                                                              tiling multiple terminal windows side by side […] without […] tmux

                                                                                                                              Which would probably (haven’t checked) require me to learn new keybindings.

                                                                                                                              Can be controlled from scripts or the shell prompt […]

                                                                                                                              Uh, it’s a terminal emulator. I would expect it can be.

                                                                                                                              […] even over SSH

                                                                                                                              OK, why though?

                                                                                                                              […] Kittens, [….] for example, […] Unicode input, Hints and Side-by-side diff.

                                                                                                                              I have a strong dislike of introducing unnecessary home-grown terminology and being all cutesy about it, but even so, if Unicode input is a plugin, I’m not sure about this.

                                                                                                                              startup sessions, […] working directories and programs to run on startup.

                                                                                                              So, a shell. I don’t know, I thought this was a terminal emulator.

                                                                                                                              Allows you to open the scrollback buffer […] for browsing the history comfortably in a pager or editor.

                                                                                                                              I’m pretty sure my needs are met with history, C-R and .zsh_history

                                                                                                                              1. 21

                                                                                                                                […] and several new terminal protocol extensions.

                                                                                                                                Not sure this is a good thing.

                                                                                                                It is most certainly a good thing; the terminal protocol has been stagnant and–until recently–few terminals got off the couch to implement even basic, ancient features like cursor shaping.

                                                                                                                Teaching users to have higher standards makes life easier for application developers who must target the lowest common denominator. Kitty, iTerm2, mintty, libvte (gnome-terminal, termite, etc.), and libvterm (nvim, vim, pangoterm) have been raising the bar, so the lowest common denominator is now… higher.

                                                                                                                                Just like Internet Explorer 6 held back the web, stagnant terminals hold back terminal applications. urxvt is the IE6 of terminals. Isn’t it a bit ironic that iTerm2/Terminal.app (macOS) and mintty (Windows) have more features than any of the terminals you find on desktop unix?

                                                                                                                                (Insert XKCD about (n+1) Standards here)

                                                                                                                                Doesn’t apply here. Thomas Dickey (xterm/ncurses) sets the standard, except there’s a loophole: the most popular behavior wins (and applications must swallow it, standard be damned).

                                                                                                                                The kitty/libvte/iTerm2/libvterm authors have been cooperating, which means “popular”. And I’ve seen successful efforts to “upstream” choices to Dickey.

                                                                                                                The libvterm author has compiled a spreadsheet of known terminal behaviors (contributions welcomed/encouraged).

                                                                                                                                1. 7

                                                                                                                  I love these new behaviours! Until fairly recently, I figured I just can’t do some things in a terminal emulator, and then someone went ahead and implemented proper right-to-left support in one of the mentioned terminals. It’s frustrating to think of how long that’s been broken for me.

                                                                                                                                  I was sharing this with a group so excited to finally have this feature and someone mentioned like, “I learned to read backwards”. Why should we put up with these barriers in technology? I certainly used computers before I knew English.

                                                                                                                                  1. 2

                                                                                                                    It is most certainly a good thing; the terminal protocol has been stagnant and–until recently–few terminals got off the couch to implement even basic, ancient features like cursor shaping.

                                                                                                                                    I’d rather have those programs just start doing proper graphics, and stop trying to use the terminal as a bad graphics protocol.

                                                                                                                                    1. 2

                                                                                                                                      Kitty has implemented several extensions, such as colored undercurl (which is now also implemented in libvte).

                                                                                                                                      Not to mention “just start doing proper graphics” is meaningless and would discard the actually useful properties of a terminal.

                                                                                                                                      1. 1

                                                                                                                                        I’ve always felt that the one advantage of the terminal was the ability to easily pipe data from a program to another (which I would consider a property of the shell rather than a property of the terminal) and that terminal UIs were the worst of both worlds: bad at piping and bad at rendering things. I’m sure you have way more experience with terminals than me though, so I’m wondering if you could expand on what you think the useful properties of a terminal are.

                                                                                                                                  2. 20

                                                                                                                    I agree that reading the feature list seems like a confusing mix of shell features plugged into a tty. However,

                                                                                                                                    Supports […] features: “Graphics (images)”

                                                                                                                                    why?

                                                                                                                                    Why not? Why isn’t there a “standard” yet to output graphics in my tty? Wouldn’t it be nice to ls --thumbnails and have a list of thumbnails for images? icat images? Preview graphviz result? Have a dropdown with a preview when I hover a path in Vim and hit a shortcut? I don’t see why we still can’t do any of this nowadays. I for one would welcome graphics in my terminal.

                                                                                                                                    1. 4

                                                                                                                                      As a security minded user I would argue with separation of concerns. Image formats have long been a prime attack vector due to their internal complexities. I would not like a terminal emulator to be concerned with parsing image files, a task which specialized tools still get wrong sometimes. Sandboxing/Jailing the image rendering process would also mean confining the terminal emulator. I also would like a very good terminal emulator, not a pretty meh image viewer with terminal capabilities.

                                                                                                                                      Continuing down this road, where do you stop? SVGs support animation and scripting, should my terminal emulator pull in V8 or an entire chromium instance to run it? What are the implications of that? (And I’m aware that sadly that is exactly what many developers already do).

                                                                                                                                      1. 4

                                                                                                                                        It’s possible to implement graphic support in other ways. Looking at Kitty, the protocol makes it so the terminal emulator only requires bitmap capabilities. All image parsing is done by the process writing to the tty. SVG support can be done simply by rendering it as a bitmap. Animation can be done the same way it is done with text. No need for complexity or to trade security for something else when you properly design something.
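
                                                                                                                                        To make that design point concrete, here is an added example (not kitty's own code, and not from the commenter above): a client-side encoder that frames already-decoded RGB pixels as kitty graphics protocol APC chunks, and the minimal receiver-side validation a terminal would perform before blitting. The framing (ESC _ G control;payload ESC \, 4096-byte chunks, m=1/m=0) follows the published protocol; the function names, the MAX_DIM sanity limit and the constructed test pixels are assumptions for this illustration.

```python
import base64

# Framing of the kitty graphics protocol as documented at
# https://sw.kovidgoyal.net/kitty/graphics-protocol/ : an APC sequence
#   ESC _ G key=value,key=value ; <base64 payload> ESC \
# Payloads longer than 4096 base64 bytes are split into several such
# sequences; every chunk but the last carries m=1, the last carries m=0.
APC_START = b"\x1b_G"
ST = b"\x1b\\"
CHUNK = 4096
BYTES_PER_PIXEL = {24: 3, 32: 4}   # f=24 is RGB, f=32 is RGBA
MAX_DIM = 10_000                    # assumed receiver-side sanity limit, not part of the spec


def encode_rgb_image(pixels: bytes, width: int, height: int) -> list[bytes]:
    """Client side: frame already-decoded 24-bit RGB pixels as protocol chunks.

    Whatever produced `pixels` (a PNG, JPEG or SVG decoder) ran in the client
    process; the terminal never sees the original file format."""
    if len(pixels) != width * height * BYTES_PER_PIXEL[24]:
        raise ValueError("pixel buffer does not match the declared geometry")
    b64 = base64.b64encode(pixels)
    pieces = [b64[i:i + CHUNK] for i in range(0, len(b64), CHUNK)] or [b""]
    chunks = []
    for idx, piece in enumerate(pieces):
        more = 0 if idx == len(pieces) - 1 else 1
        ctl = f"a=T,f=24,s={width},v={height},m={more}" if idx == 0 else f"m={more}"
        chunks.append(APC_START + ctl.encode() + b";" + piece + ST)
    return chunks


def _parse_control(ctl: bytes) -> dict[str, str]:
    """Parse `k=v,k=v` control data. Keys are single ASCII letters and values
    are integers or single letters, so anything else is rejected outright."""
    keys = {}
    for item in ctl.split(b","):
        if len(item) < 3 or item[1:2] != b"=" or not item[:1].isalpha():
            raise ValueError("malformed control item %r" % item)
        value = item[2:]
        if not (value.isdigit() or (len(value) == 1 and value.isalpha())):
            raise ValueError("malformed control value %r" % item)
        keys[item[:1].decode()] = value.decode()
    return keys


def receive_rgb_image(chunks: list[bytes]) -> tuple[int, int, bytes]:
    """Receiver side: everything a terminal must check before blitting.

    Only framing, base64 and a width*height*bpp length check are needed; no
    image decoder is involved, which is the point of the design discussed."""
    if not chunks:
        raise ValueError("no data")
    payload = bytearray()
    geometry = None
    for idx, chunk in enumerate(chunks):
        if not chunk.startswith(APC_START) or not chunk.endswith(ST):
            raise ValueError("bad APC framing")
        body = chunk[len(APC_START):-len(ST)]
        ctl_raw, sep, data = body.partition(b";")
        if not sep:
            raise ValueError("missing ';' separator")
        ctl = _parse_control(ctl_raw)
        if idx == 0:
            if ctl.get("a") != "T" or ctl.get("f") not in ("24", "32"):
                raise ValueError("unsupported action or pixel format")
            width, height = int(ctl.get("s", "0")), int(ctl.get("v", "0"))
            if not (0 < width <= MAX_DIM and 0 < height <= MAX_DIM):
                raise ValueError("geometry out of bounds")
            geometry = (width, height, BYTES_PER_PIXEL[int(ctl["f"])])
        if len(data) > CHUNK:
            raise ValueError("chunk exceeds 4096 bytes")
        payload += data
        if ctl.get("m", "0") == "0":
            if idx != len(chunks) - 1:
                raise ValueError("data after final chunk")
            break
    else:
        raise ValueError("stream ended without a final (m=0) chunk")
    width, height, bpp = geometry
    # validate=True makes stray non-base64 bytes (e.g. a raw PNG header) an error
    pixels = base64.b64decode(bytes(payload), validate=True)
    if len(pixels) != width * height * bpp:
        raise ValueError("payload length does not match s*v*bpp")
    return width, height, pixels
```

                                                                                                                                        The receiver never has to trust the declared geometry: the only allocation it makes is bounded by s*v*bpp, and the decoded payload must match that size exactly, so a mismatched header is rejected rather than interpreted. That is the whole attack surface the terminal takes on, as opposed to a PNG, JPEG or SVG decoder.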

                                                                                                                                        1. 1

                                                                                                                                          That would be a good idea, yes.

                                                                                                                                          Sadly, good (software) design has become something of an exception these days :)

                                                                                                                                      2. 3

                                                                                                                                        I have a strong dislike of introducing unnecessary home-grown terminology and being all cutesy about it, but even so, if Unicode input is a plugin, I’m not sure about this.

                                                                                                                                        I have found the kittens interface to be the best plugin/scripting interface of any terminal I’ve ever used.

                                                                                                                                        The unicode input kitty allows you to insert by code point, and search/browse by character name. Think of it as vim’s digraph selector on steroids. It’s pretty cool.

                                                                                                                                        The kitten system is also simple enough for me to write a quick password manager (using the OS keychain) in 150 lines of python (including a bunch of unnecessary stuff like “press any key to continue” and tab completion). I tried writing an iTerm plugin once, and I gave up quickly.

                                                                                                                                        Kitty strikes a remarkably good balance between minimal (and low overhead) and fully-featured. I’m not sure it solves any unsolved problem per se, but it strikes a perfect balance for me. I think that’s because I’m not as interested in configuring my terminal as I’d need to be for urxvt to suit me perfectly, but I am interested in playing with very particular things.

                                                                                                                                        1. 1

                                                                                                                                          I run Terminology for irssi, despite using XFCE4, because it can display images from URLs overlaid onto the terminal.

                                                                                                                                          I don’t really love Terminology that much, or maybe it’s gotten otherwise better with e.g. tabs since the ancient version I’m stuck with, so it is strange no one else is doing these cool things. Not even as an opt-in thing.

                                                                                                                                        2. 7

                                                                                                                                          If you don’t understand, you don’t have to use it!

                                                                                                                                          Uh, it’s a terminal emulator. I would expect it can be.

                                                                                                                                          You should read more about what that means:

                                                                                                                                          https://sw.kovidgoyal.net/kitty/remote-control.html

                                                                                                                                          1. 6
                                                                                                                                            […] and several new terminal protocol extensions.

                                                                                                                                            Not sure this is a good thing. (Insert XKCD about (n+1) Standards here)

                                                                                                                                            Considering that the currently used standard for terminal input still relies on timing for the alt modifier and that it cannot do lossless input (see <tab> and <ctrl+i> being the same for example), I’d argue that a new standard is very much needed.

                                                                                                                                            I’m pretty sure my needs are met with history, C-R and .zsh_history

                                                                                                                                            That has little to do with history which is only about the commands you’ve entered and not their output. With kitty I can open the entire contents of the scrollback in my favourite text editor (kakoune if you’re asking), to do powerful text manipulation, instead of being constrained by whatever primitives the terminal implemented (for example, termite’s limited vim mode). After all the scrollback is just a big buffer of text so opening it in a text editor is particularly suitable.

                                                                                                                                            1. 1

                                                                                                                                              if Unicode input is a plugin

                                                                                                                                              That probably refers to something fancy like an emoji picker or something. Definitely not to just typing non-ASCII characters from the keyboard.

                                                                                                                                            1. 37

                                                                                                                                              Such irony in the title here–“open source” is not about you; it’s a movement to hijack the free software movement and turn it into something a company can profit from, riding on free software goodwill and stripping the political aspects that are hard to reconcile with shameless capitalism.

                                                                                                                                              I don’t think it’s what Rich meant here, but it does nicely serve to underscore the vast gulf between the oss and free software camps; if you are in software because you want to make the world a better place, move right along.

                                                                                                                                              1. 26

                                                                                                                                                it’s a movement to hijack the free software movement

                                                                                                                                                There’s a problem with this statement, it doesn’t apply to me.

                                                                                                                                                When I was open-sourcing my project I wasn’t joining any movement. I didn’t sign any contract. I use the words “open source” in a plain sense: this is source code that someone can get and use according to the posted license. I’m totally fine with any company making profit off of this code. No company ever indoctrinated me into thinking this, and I deliberately chose the BSD license over the GPL exactly to not have to be associated with the Free Software movement (I don’t hate it, I just didn’t want to). Yes, for real. People like me exist.

                                                                                                                                                What I’m saying is, we already have a term meaning “open source + a particular ideology”. It’s Free Software. Please don’t try to appropriate “open source” to mean anything more than “available source code”. And no, I don’t really care what OSI thinks about this “term”. It’s their idea, not mine. I need some words to describe what I’m doing, too.

                                                                                                                                                1. 9

                                                                                                                                                  When I was open-sourcing my project I wasn’t joining any movement

                                                                                                                                                  That’s exactly the difference between the “free software” movement and Open Source. You made @technomancy’s point for him.

                                                                                                                                                  1. 1

                                                                                                                                                    It’s contradicting the framing that he’s somehow been duped out of believing in the fsf’s ideology by an open source movement.

                                                                                                                                                  2. 9

                                                                                                                                                    P.S. In fact, there was a time when “Free Software” also wasn’t associated with not letting companies profit from it. Here’s a classic Mark Pilgrim on this: https://web.archive.org/web/20091102023737/http://diveintomark.org/archives/2009/10/19/the-point

                                                                                                                                                    Part of choosing a Free license for your own work is accepting that people may use it in ways you disapprove of.

                                                                                                                                                    1. 5

                                                                                                                                                      Check Selling Free Software from 1996.

                                                                                                                                                      1. 6

                                                                                                                                                        I came here to share this link. the GPL, and free software, was never about gratis, was never about not paying for software. It has always been about liberty and the freedom to control one’s own software.

                                                                                                                                                      2. 3

                                                                                                                                                        2009 is classic? Am I old?

                                                                                                                                                        1. 1

                                                                                                                                                          “Classic” in a sense “explains well”, has nothing to do with being old :-)

                                                                                                                                                      3. 5

                                                                                                                                                        Just because you use a term doesn’t mean you get to define it. Saying “I don’t care what OSI thinks or why the term was invented” seems pretty strange to me… it’s their term and has a history, like it or not.

                                                                                                                                                        1. 8

                                                                                                                                                          What word should I use if I publish source code so people can use it but don’t care about furthering the cultural revolution?

                                                                                                                                                          1. 5

                                                                                                                                                            “Open source”.

                                                                                                                                                            1. 1

                                                                                                                                                              Billionaire. In a historical interview, that’s what the CEO of Apple believed he’d become if a lot of things lined up, one being getting a whole networking stack for free from BSD developers. The other thing he envisions is them begging for money at some point so their projects don’t close down. He bragged his main competition would be contributing their fixes back since they got themselves stuck with la licence de la révolution. Attendees were skeptical about such a one-sided deal going down.

                                                                                                                                                            2. 4

                                                                                                                                              No :-) The only way a natural language is defined is through use, and the most common usage becomes a definition. OSI didn’t make this term theirs by simply publishing their definition, they just joined the game and have as much weight in it as every single user of the word.

                                                                                                                                                              1. 4

                                                                                                                                                                True, but also like it or not language evolves over time (always to the chagrin of many). This is not unique to technology or English. At the end of the day it doesn’t matter what either OSI or /u/isagalaev thinks, society at large makes the definitions.

                                                                                                                                                                Having said that, if you step outside of the FOSS filter bubble, it seems pretty clear to me that society leans towards /u/isagalaev’s definition.

                                                                                                                                                                1. 3

                                                                                                                                                                  Also, as a sensible dictionary would, Merriam-Webster defines both current interpretations of it: https://www.merriam-webster.com/dictionary/open-source

                                                                                                                                                              2. 4

                                                                                                                                                                we already have a term meaning “open source + a particular ideology”. It’s Free Software.

                                                                                                                                                                You can’t remove politics from this question; the act of pretending you can is in itself a political choice to support the status quo.

                                                                                                                                                                1. 2

                                                                                                                                                                  You can remove “politics” from open source, and that is precisely what open source has done.

                                                                                                                                                                  The term open source can be operationally defined (i.e., descriptive, constructed, and demonstrable). From Wikipedia, citing the book “Understanding Open Source & Free Software Licensing.” (Though feel free to use Merriam Webster or the OED as a substitute): “source code is released under a license in which the copyright holder grants users the rights to study, change, and distribute the software to anyone and for any purpose.”

                                                                                                                                                                  The license terms are selected that most parsimoniously accomplish the stated definition. (i.e., make it possible for the stated definition to become externally correspondent and existentially possible). The fewest number of rules (formula, statements, decisions) possible to accomplish the work–producing a limited number of legal operations (rights, grants, privileges) that can be fully accounted for.

                                                                                                                                                                  It is the deflationary nature of the process that removes “politics.” Making the license commensurable and testable while removing suggestion, loading, framing, or overloading. BSD/MIT are small and shrinking, whereas GPL 2/3 are large and growing. That’s the difference.

                                                                                                                                                                  1. 2

                                                                                                                                                                    “source code is released under a license in which the copyright holder grants users the rights to study, change, and distribute the software to anyone and for any purpose.”

                                                                                                                                                                    You can still get patent sued for that due to laws paid for by lobbyists. The effects of politicians on what we can and can’t do with open-source mean it’s inherently political. The people who say they want its benefits with no interest in politics or whose licenses don’t address it are still involved in a political game: they’re just not players in it.

                                                                                                                                                                    1. 1

                                                                                                                                                                      I’m not sure why do you think I’m trying to “remove politics”. Of course I do have some political view on this, however vague it might be. This is totally beside the point. The point is that I don’t want to proclaim/discuss my political views every time I want to say that the code is available. It’s a completely valid desire.

                                                                                                                                                                    2. 1

                                                                                                                                                                      Why BSD license over public domain? The latter makes the source code more “available”, does it not?

                                                                                                                                                                      (If you wonder how I feel about the GPL, check my repos.)

                                                                                                                                                                      1. 11

                                                                                                                                                                        The latter makes the source code more “available”, does it not?

                                                                                                                                                                        No. In jurisdictions that don’t recognise public domain (e.g. France) and in which authors cannot give up their copyright, giving it to the public domain is meaningless and it’s as if the code has no free license at all. It’s the same as “all rights reserved”.

                                                                                                                                                                        1. 2

                                                                                                                                                                          That’s very interesting. Would folks in such jurisdictions be interested in working together with others to reform copyright law? Perhaps among .. other things?

                                                                                                                                                                          1. 2

                                                                                                                                                                            Why? It’s a different branch of copyright law and the idea of authorship being something you cannot give up is fundamental to those. You can only perpetually license.

                                                                                                                                                                            CC0 is a great license to use in those cases, btw.

                                                                                                                                                                            1. 2

                                                                                                                                                                              Why?

                                                                                                                                                                              One reason being that some people think copyright, or perhaps even more generally, intellectual property, is unethical. Another reason could be a desire for a single simple concept of “public domain,” perhaps similar to what we have in the US.

                                                                                                                                                                        2. 1

                                                                                                                                                                          I like the idea of retaining an exclusive right to the project’s name, BSD is explicit about it.

                                                                                                                                                                      2. 10

                                                                                                                                                        Companies are profiting massively from both. The License Zero author figured out the reason is that the FOSS authors focused on distribution methods instead of results. That’s why Prosperity straight up says commercial use like many non-free licenses mention. The other one says any change has to be submitted back.

                                                                                                                                                        The license needs to explicitly mention them making money or sharing all changes to achieve what you’re describing. That plus some patent stuff. The “free” licenses trying to block commercial exploitation are neither believably free nor stopping commercial exploitation after companies like IBM (massive capitalist) bet the farm on them. I mean, the results should prove they don’t work for such goals but people keep pushing old ways to achieve them.

                                                                                                                                                                        Nope. Just reinforcing existing systems of exploitation by likes of IBM. We need new licenses that send more money and/or code improvements back.

                                                                                                                                                                        1. 3

                                                                                                                                                                          It should not be the job of a license enforced by copyright to extract rents. That’s the playbook we are fleeing.

                                                                                                                                                                          1. 2

                                                                                                                                                                            ““open source” is not about you; it’s a movement to hijack the free software movement and turn it into something a company can profit from”

                                                                                                                                                                            The commenter wrote as if they expected whatever license or philosophy was in use to prevent companies from using the software for profit or with exploitation central focus. Several companies are making billions leveraging FOSS software. One even lobbies against software freedom using patent law since suits won’t affect it. So, if the goal is stopping that and spreading software freedom, then the so-called “free” licenses aren’t working. Quite the opposite effect moving billions into the hands of the worst, lobbying companies imaginable.

                                                                                                                                                                        2. 2

                                                                                                                                                          I just don’t see “open-source” being a hijack of “free software” for corporate purposes. Why would corporate care, they can exploit the free labor of free software just as much, the politics are not visible in the final software product. If anything, it seems like the social goals of free software have been diluted by other programmers who like the technical side of it, but neither care nor agree about the politics.

                                                                                                                                                                          1. 3

                                                                                                                                                                            Why would corporate care, they can exploit the free labor of free software just as much

                                                                                                                                                                            Depends on the market. If it’s software they sell directly, the copyleft requirement means they have to give up their changes. Those changes might be generating the customers. They might also be causing lock-in. Better for them to keep their changes secret.

                                                                                                                                                                            Your point remains if it’s anything that lets them dodge the part about returning changes, esp SaaS.

                                                                                                                                                                            1. 3

                                                                                                                                                                              I just don’t see “open-source” being a hijack of “free software” for corporate purposes.

                                                                                                                                                                              It’s not really a matter of opinion. That hijacking is exactly what happened in 1998. The fact that today you forgot that this is what happened means that it worked: you stopped thinking about free software, as the OSI intended to happen in 1998.

                                                                                                                                                                              OSI was created to say “open source, open source, open source” until everyone thought it was a natural term, with the goal of attracting corporate interests. They even called it an advertising campaign for free software. Their words, not mine.

                                                                                                                                                                          1. 15

                                                                                                                                                                            Your thinkpad is shared infrastructure on which you run your editor and forty-seven web sites run their javascripts. Is that a problem for you?

                                                                                                                                                                            1. 2

                                                                                                                                                                              Mmm what did you mean by this? I didn’t get it.

                                                                                                                                                                              1. 13

                                                                                                                                                                                In We Need Assurance, Brian Snow summed up much of the difficulty securing computers:

                                                                                                                                                                                “The problem is innately difficult because from the beginning (ENIAC, 1944), due to the high cost of components, computers were built to share resources (memory, processors, buses, etc.). If you look for a one-word synopsis of computer design philosophy, it was and is SHARING. In the security realm, the one word synopsis is SEPARATION: keeping the bad guys away from the good guys’ stuff!

                                                                                                                                                                                So today, making a computer secure requires imposing a “separation paradigm” on top of an architecture built to share. That is tough! Even when partially successful, the residual problem is going to be covert channels. We really need to focus on making a secure computer, not on making a computer secure – the point of view changes your beginning assumptions and requirements!”

                                                                                                                                                                                Although security features were added, the fact that many things are shared and closer together only increased over time to meet market requirements. Then, researchers invented hundreds of ways to secure code and OS kernels. Not only were most ignored, but the market shifted to turning browsers into OS’s running malicious code in a harder-to-analyze language whose compiler (JIT) was harder to secure due to timing constraints. Only a handful of projects in high-security, like IBOS and Myreen, even attempted it. So, browsers running malicious code are a security threat in a lot of ways.

                                                                                                                                                                                That’s a subset of two larger problems:

                                                                                                                                                                                1. Any code in your system that’s not verified to have specific safety and security properties might be controlled by attackers upon malicious input.

                                                                                                                                                                                2. Any shared resource might leak your secrets to a malicious observer via covert channels, storage or timing. Side channels are basically the same concept applied more broadly, like in the physical world. Even the LEDs on your PC might leak the internal state of the processor depending on design.

                                                                                                                                                                                1. 2

                                                                                                                                                                                  Hmm. I had a friend yonks ago who worked on BAE’s STOP operating system, that supposedly uses complex layers of buffers to isolate programs. I wonder how it’s stood up against the many CPU vulnerabilities.

                                                                                                                                                                                  1. 4

                                                                                                                                                                                    I’ve been talking about STOP for a while but rarely see it. Cool you knew someone that worked on it. Its architecture is summarized here along with GEMSOS’s. I have a detailed one for GEMSOS tomorrow, too, if not previously submitted. On the original implementation (SCOMP), the system also had an IOMMU that integrated with the kernel. That concept was re-discovered some time later.

                                                                                                                                                                                    Far as your question, I have no idea. These two platforms, along with SNS Server, have had no reported hacks for a long time. You know they have vulnerabilities, though. The main reasons I think the CPU vulnerabilities will affect them are (a) they’re hard to avoid and (b) certification requirements mean they rarely change these systems. They’re probably vulnerable, esp to RAM attacks. Throw network Rowhammer at them. :)

                                                                                                                                                                                  2. 2

                                                                                                                                                                                    Thanks, that was really interesting and eye opening on the subject. I never saw it that way! :)

                                                                                                                                                                                  3. 5

                                                                                                                                                                                    I think @arnt is saying that website JavaScript can exploit CPU bugs, so by browsing the internet you are “shared infrastructure”.

                                                                                                                                                                                    1. 6

                                                                                                                                                                                      Row Hammer for example had a JavaScript implementation, and Firefox (and others) have introduced mitigations to prevent those sorts of attacks. Firefox also introduced mitigations for Meltdown and Spectre because they could be exploited from WASM/JS… so it makes sense to mistrust any site you load on the internet, especially if you have an engine that can JIT (but all engines are suspect; look at how many pwn2own wins are via Safari or the like).

                                                                                                                                                                                      1. 3

                                                                                                                                                                                        If browsers have built-in mitigation for this sort of thing, isn’t this an argument in favor of disabling the OS-level mitigation? Javascript is about the only untrusted code that I run on my machine, so if that’s already covered I don’t see a strong reason to take a hit on everything I run.

                                                                                                                                                                                        1. 4

                                                                                                                                                                                          I think the attack surface is large enough even with simple things like JavaScript that I’d be willing to take the hit, though I can certainly understand certain workloads where you wouldn’t want to, like gaming or scientific computing.

                                                                                                                                                                                          For example, JavaScript can be introduced in many locations, like PDFs, Electron, and so on. Also, there are things like Word documents, such as this RTF remote code execution for MS Word. Additionally, the mitigations for browsers are just that, mitigations; things like retpolines and the like work in a larger setting with more “surface area” covered, vs timing mitigations or the like in browsers. It’s kinda like W^X page protections or ASLR: the areas you’d need that are quite small, but it’s harder to find individual applications with exploits and easier to just apply it wholesale to the entire system.

                                                                                                                                                                                          Does that make sense?

                                                                                                                                                                                          tl;dr: JS is basically everywhere in everything, so it’s harder to just apply those fixes in a single location like a browser, when other things may have JS exposed as well. Furthermore, there are other languages, attack surfaces, and the like I’d be concerned about, so it’s just not worth it to only rely on browsers, which can only implement partial mitigations.

                                                                                                                                                                                          1. 1

                                                                                                                                                                                            Browsers do run volatile code supplied by others more than most other attack surfaces. You may have an archive of invoices in PDF format, as I have, and those may in principle contain javascript, but those javascripts aren’t going to change all of a sudden, and they all originate from a small set of parties (in my case my scanning software and a single-digit number of vendors). Whereas example.com may well redeploy its website every Tuesday morning, giving you the latest versions of many unaudited third-party scripts, and neither you nor your bank’s web site really trust example.com or its many third-party scripts.

                                                                                                                                                                                            IMO that quantitative difference is so large as to be described as qualitative.

                                                                                                                                                                                            1. 1

                                                                                                                                                                                              The problem is when you bypass those protections you can have things like this NitroPDF exploit, which uses the API to launch malicious JS. I’ve used these sorts of exploits on client systems during assessments, adversarial or otherwise. So relying on one section of your system to protect you against something that is a fundamental CPU design flaw can be problematic; there’s nothing really stopping you from launching rowhammer from PostScript itself, for example. This is why the phrase “defense in depth” is so often mentioned in security circles, since there can be multiple failures throughout a system, but in a layered approach you can catch it at one of the layers.

                                                                                                                                                                                              1. 1

                                                                                                                                                                                                Oh, I’m not arguing that anyone should leave out everything except browser-based protection. Defense in depth is indisputably good.

                                                                                                                                                                                          2. 3

                                                                                                                                                                                            There’s also the concept of layers of defense. Let’s say the mitigation fails. Then, you want the running, malicious code to be sandboxed somehow by another layer of defense. You might reduce or prevent damage. The next idea folks had was to mathematically prove the code could never fail. What if a cosmic ray flips a bit that changes that? Uh oh. Your processor is assumed to enable security, you’re building an isolation layer on it, make it extra isolated just in case shared resources have an effect, and now only one of Spectre/Meltdown affected you if you’re Muen. Layers of security are still a good idea.

                                                                                                                                                                                        2. 2

                                                                                                                                                                                          That’s not what I got from it. I perceived it as “You’re not taking good precautions on this low hanging fruit, why are you worried about these hard problems?”

                                                                                                                                                                                          I see it constantly, everyone’s always worried about X, and then they just upload everything to an unencrypted cloud.

                                                                                                                                                                                          1. 1

                                                                                                                                                                                            I actually did mean that when you browse the net, your computer runs code supplied by web site operators you may not trust, and some of those web site operators really are not trustworthy, and your computer is shared infrastructure running code supplied by users who don’t trust each other.

                                                                                                                                                                                            Your bank’s site does not trust those other sites you have open in other tabs, so that’s one user who does not trust others.

                                                                                                                                                                                            You may not trust them, either. A few hours after I posted that, someone discovered that some npmjs package with millions of downloads has been trying to steal bitcoin wallets, so that’s millions of pageviews that ran malevolent code on real people’s computers. You may not have reason to worry in this case, but you cannot trust sites to not use third-party scripts, so you yourself also are a distrustful user.

                                                                                                                                                                                      2. 2

                                                                                                                                                                                        This might be obvious, but I gotta ask anyway: Is there a real threat to my data when I, let’s say, google for a topic and open the first blog post that seems quite right?

                                                                                                                                                                                        • Would my computer be breached immediately (like I finished loading the site and now my computer’s memory is in north korea)?
                                                                                                                                                                                        • How much data would be lost, and would the attacker be able to read any useful information from it?
                                                                                                                                                                                        • Would I be infected with something?

                                                                                                                                                                                        Of course I’m not expecting any precise numbers, I’m just trying to get a feel for how serious it is. Usually I felt safe enough just knowing which domains and topics (like pirated software, torrents, pron of course) to avoid, but is that not enough anymore?

                                                                                                                                                                                        1. 5

                                                                                                                                                                                          To answer your questions:

                                                                                                                                                                                          Would my computer be breached immediately (like I finished loading the site and now my computer’s memory is in north korea)?

                                                                                                                                                                                          Meltdown provides read-access to privileged memory (including enclave-memory) at rates of a couple of megabits per second (let’s assume 4). This means that if you have 8 GB of RAM it is now possible to dump the entire memory of your machine in about 4.5 hours.

                                                                                                                                                                                          How much data would be lost, and would the attacker be able to read any useful information from it?

                                                                                                                                                                                          This depends on the attacker’s intentions. If they are smart, they just read the process table, figure out where your password-manager or ssh-keys for production are stored in RAM and transfer the memory-contents of those processes. If this is automated, it would take mere seconds in theory; in practice it won’t be that fast, but it’s certainly less than a minute. If they dump your entire memory, it will probably be all data in all currently running applications, and they will certainly be able to use it since it’s basically a core dump of everything that’s currently running.

                                                                                                                                                                                          Would I be infected with something?

                                                                                                                                                                                          Depends on how much of a target you are and whether or not the attacker has the means to drop something onto your computer with the information gained from what I described above. I think it’s safe to assume that they could though.

                                                                                                                                                                                          These attacks are quite advanced and regular hackers will always go for the low-hanging fruit first. However, if you are a front-end developer in some big bank, big corporation or some government institution which could face a threat from competitors and/or economic espionage, the answer is probably yes. You are probably not the true target the attackers are after, but your system is one hell of a springboard towards their real target.

                                                                                                                                                                                          It’s up to you to judge how much of a potential target you are, but when it happens, you do not want to be that guy/girl with the “patient zero”-system.

                                                                                                                                                                                          Usually I felt safe enough just knowing which domains and topics (like pirated software, torrents, pron of course) to avoid, but is that not enough anymore?

                                                                                                                                                                                          Correct. It is not enough anymore, because Rowhammer, Spectre and Meltdown have JavaScript or wasm variants (if they didn’t, we wouldn’t need mitigations in browsers). All you need is a suitable payload (the hardest part by far) and one simple website you frequently visit, which runs on an out-of-date application (like WordPress, Drupal or Joomla for example) to get that megabit-memory-reading meltdown-attack onto a system.

                                                                                                                                                                                          The attacker still has to know which websites those are, but they could send you a phishing-mail which has a link or some attachment that will be opened in some environment which has support for javascript (or something else) to obtain your browsing history. In that light it’s good to know that some e-mail clients support the execution of javascript in received e-mail messages.

                                                                                                                                                                                          If there is one lesson to take home from rowhammer, spectre and meltdown, it’s that there is no such thing as “computer security” anymore and that we cannot rely on the security-mechanisms given to us by the hardware.

                                                                                                                                                                                          If you are developing sensitive stuff, do it on a separate machine and avoid frameworks, libraries, web-based tools, other linked in stuff and each and every extra tool like the plague. Using an extra system, abandoning the next convenient tool and extra security precautions are annoying and expensive, but it’s not that expensive if your livelihood depends on it.

                                                                                                                                                                                          The central question is: Do you have adversaries or competitors willing to go this far and spend about half a million dollars (my guesstimate of the required budget) to pull off an attack like this?

                                                                                                                                                                                          1. 1

                                                                                                                                                                                            Wow, thanks! Assuming you know what you’re talking about, your response is very useful and informative. And exactly what I was looking for!

                                                                                                                                                                                            […] figure out where your password-manager or ssh-keys for production are stored in ram […]

                                                                                                                                                                                            That is a vivid picture of the worst thing I could imagine, albeit I would only have to worry about my private|hobby information and deployment.

                                                                                                                                                                                            Thanks again!

                                                                                                                                                                                            1. 1

                                                                                                                                                                                              You’re welcome!

                                                                                                                                                                                              I have to admit that what I wrote above is the worst case scenario I could come up with. But it is as the guys from Sonatype (from the Maven Nexus repository) stated it once: “Developers have to become aware of the fact that what their laptops produce at home could end up as a critical library or program in a space station. They will treat and view their infrastructure, machines, development processes and environments in a fundamentally different way.”

                                                                                                                                                                                              Yes, there are Java programs and libraries from Maven Central running in the ISS.

                                                                                                                                                                                          2. 1

                                                                                                                                                                                            The classic security answer to that is that last year’s theoretical attack is this year’s nation-state attack and next year it can be carried out by anyone who has a midprice GPU. Numbers change, fast. Attacks always get better, never worse.

                                                                                                                                                                                            I remember seeing an NSA gadget for $524000 about ten years ago (something to spy on ethernet traffic, so small as to be practically invisible), and recently a modern equivalent for sale for less than $52 on one of the Chinese gadget sites. That’s how attacks change.