1. 4

    A bit of context: this whole thing was so that https://github.com/rust-lang/rust/pull/82469 could be written, so I guess technically you could tag it was windows (because the reason it exists is so that you can just pull a diff generator out of crates.io instead of having to find it somewhere).

    But whatever. It does its job, it passes a few hours of fuzz testing, and I learned a bit about a really popular Unix tool.

    1. 19

      I love plain text protocols, but … HTTP is neither simple to implement nor neither fast to parse.

      1. 7

        Yeah the problem of parsing text-based protocols in an async style has been floating around my head for a number of years. (I prefer not to parse in the async or push style, but people need to do both, depending on the situation.)

        This was motivated by looking at the nginx and node.js HTTP parsers, which are both very low level C. Hand-coded state machines.


        I just went and looked, and this is the smelly and somewhat irresponsible code I remember:

        https://github.com/nodejs/http-parser/blob/master/http_parser.c#L507

        /* Proxied requests are followed by scheme of an absolute URI (alpha).

        • All methods except CONNECT are followed by ‘/’ or ‘*’.

        I say irresponsible because it’s network-facing code with tons of state and rare code paths, done in plain C. nginx has had vulnerabilities in the analogous code, and I’d be surprised if this code didn’t.


        Looks like they have a new library and admit as much:

        https://github.com/nodejs/llhttp

        Let’s face it, http_parser is practically unmaintainable. Even introduction of a single new method results in a significant code churn.

        Looks interesting and I will be watching the talk and seeing how it works!

        But really I do think there should be text-based protocols that are easy to parse in an async style (without necessarily using Go, where goroutines give you your stack back)

        Awhile back I did an experiment with netstrings, because length-prefixed protocols are easier to parse async than delimiter-based protocols (like HTTP and newlines). I may revisit that experiment, since Oil will likely grow netstrings: https://www.oilshell.org/release/0.8.7/doc/framing.html


        OK wow that new library uses a parser generator I hadn’t seen:

        https://llparse.org/

        https://github.com/nodejs/llparse

        which does seem like the right way to do it: do the inversion automatically, not manually.

        1. 4

          Was going to say this. Especially when you have people misbehaving around things like Content-Length, Transfer-Encoding: chunked and thus request smuggling seems to imply it’s too complex. Plus, I still don’t know which response code is appropriate for every occasion.

          1. 2

            Curious what part of HTTP you think is not simple? And on which side (client, server)

            1. 4

              There’s quite a bit. You can ignore most of it, but once you get to HTTP/1.1 where chunked-encoding is a thing, it starts getting way more complicated.

              • Status code 100 (continue + expect)
              • Status code 101 - essentially allowing hijacking of the underlying connection to use it as another protocol
              • Chunked transfer encoding
              • The request “method” can technically be an arbitrary string - protocols like webdav have added many more verbs than originally intended
              • Properly handling caching/CORS (these are more browser/client issues, but they’re still a part of the protocol)
              • Digest authentication
              • Redirect handling by clients
              • The Range header
              • The application/x-www-form-urlencoded format
              • HTTP 2.0 which is now a binary protocol
              • Some servers allow you specify keep-alive to leave a connection open to make more requests in the future
              • Some servers still serve different content based on the User-Agent header
              • The Accept header

              There’s more, but that’s what I’ve come up with just looking quickly.

              1. 3

                Would add to this that it’s not just complicated because all these features exist, it’s very complicated because buggy halfway implementations of them are common-to-ubiquitous in the wild and you’ll usually need to interoperate with them.

                1. 1

                  And, as far as I know, there is no conformance test suite.

                  1. 1

                    Ugh, yes. WPT should’ve existed 20 years ago.

                2. 1

                  Heh, don’t forget HTTP/1.1 Pipelining. Then there’s caching, and ETags.

              2. 2

                You make a valid point. I find it easy to read as a human being though which is also important when dealing with protocols.

                I’ve found a lot of web devs I’ve interviewed have no idea that HTTP is just plain text over TCP. When the lightbulb finally goes on for them a whole new world opens up.

                1. 4

                  It’s interesting to note that while “original HTTP” was plain text over TCP, we’re heading toward a situation where HTTP is a binary protocol run over an encrypted connection and transmitted via UDP—and yet the semantics are still similar enough that you can “decode” back to something resembling HTTP/1.1.

                  1. 1

                    UDP? I thought HTTP/2 was binary over TCP. But yes, TLS is a lot easier thanks to ACME cert issues and LetsEncrypt for sure.

                    1. 2

                      HTTP/3 is binary over QUIC, which runs over UDP.

                2. 1

                  SIP is another plain text protocol that is not simple to implement. I like it and it is very robust though. And it was originally modeled after HTTP.

                1. 12

                  We go through this every time some language designer comes up with a way of packaging and distributing: CPAN,pip,gems,npm,crates and it goes on and on. It seems like everybody likes re-inventing the distribution wheel.

                  Short version is, RPMs and debs have been around for 25 years, and, while they were originally designed with C in mind, they’re flexible enough to incorporate programs written in any language.

                  Yes, they have restrictions, and some of these restrictions are uncomfortable to people who do all their work in one or two particular languages, but distros like Debian and Redhat target people who just want to have a system that works out of the box, with programs written in many different languages co-existing in one reasonably coherent system. This is the problem distro packages like RPM and deb are trying to solve.

                  I appreciate that if I’m working in ruby, I usually have something like rvm, and bundler, and other utilities for keeping multiple ruby development environments in a sane way, and I appreciate that others like these tools for programming in their preferred environment.

                  However. If I just want to be able to install and use a script written in python (take for example, “Terminator” that is written in python), as a distro, I just want to be able to install the script, and ensure that it works cleanly with the rest of the system, I don’t care about setting up a special environment and managing dependencies, and all of the other baggage that these other distribution methods involve.

                  1. 10
                    • apt doesn’t handle multiple versions of the same library well. You can do it by renaming packages and an indirection layer of virtual packages, but this is tortured compared to auto deduplicating dependencies according to semver.

                    • People in charge of Linux package managers generally don’t care about Windows. There is nothing technically preventing RPM/deb from working on Windows, except that it “sucks” (for shits and giggles I’ve made cargo-deb Windows compatible, and it happily builds Windows-only deb packages).

                      npm has got a huge traction as a method of distributing dev tools, because it supports Windows as a first-class platform.

                    • RPM/deb as an archive format doesn’t make that much of a difference. Rust/Python/JS could use .deb as their format, after all it’s just a bunch of files together. The real issue is where do you publish to, and how other people find it. Linux distros set themselves as gatekeepers, which has its own value, but it’s very different from npm/cargo, etc. that have npm publish free for all with zero hassle, way easier than maintaining PPAs.

                    Having written all that, I realize it all comes to usability. The distinction between “it can do it” vs “it just works”.

                    1. 17

                      Short version is, RPMs and debs have been around for 25 years, and, while they were originally designed with C in mind, they’re flexible enough to incorporate programs written in any language.

                      No, they don’t. They don’t even work well for C++, and have been hobbling the development of template libraries for over 10 years now because of how bad they are at handling API-stable-ABI-unstable libraries.

                      1. 2

                        What’s the problem? It’s been a while since I looked at these in Linux environments, but in the FreeBSD ports collections if you upgrade a C++ library, it bumps the PORTREVISION of all of the ports that depend on that library. The next time a package set is built, the packages use the new version of the library. The FreeBSD project explicitly moved away from building packages outside of package sets to address this kind of thing - it’s easy for things to get out of sync and computers are so fast now that building everything (30,000+ packages) on a single machine is feasible in about a day.

                      2. 8

                        I never want to care about “the rest of the system”. I want to write complete programs, not shells of programs that work if slotted into the right system.

                        The more programs are like this, the less a system that works out of the box is a problem to think about.

                        1. 5

                          I’d argue the packaging system put up by Linux distros is actually not flexible, but rather the human sitting between applications to be packaged and the Linux distribution sinking hours into patching software to fit into the packaging system is. If rpm/deb were actually flexible we would not have these conflicts.

                          It seems like everybody likes re-inventing the distribution wheel.

                          I can say the same about the state of Linux distributions. It seems that I as an application developer can only rely on the featureset that is the intersection of all the distro’s package managers if I were to follow your advice.

                          1. 2

                            rpm/deb is fairly flexible. The reason you get these arguments is mostly because of distribution policies, not because deb/rpm can’t do it.

                            https://lwn.net/Articles/843313/rss

                            1. 2

                              I did not claim rpm/deb cannot deal with large bundled apps (that’s fairly trivial, curl|sh can do that too). I’m saying rpm/deb cannot deal with dependency management to the granularity npm/cargo can, and then not in an efficient manner. Kornel already replied with other examples where rpm/deb can’t do things.

                          2. 7

                            Then the distribution maintainers should solve that problem within the constraints of the language and ecosystem the tool was developed in. The language and ecosystem are not going to change nor should they. If RPMs and debs can handle the change then they should just package them and move on. Complaining that new ways of doing development and deployment make the job harder helps no one. Either the distributions will adapt or they will lose the next generation of software developed in these new paradigms.

                            1. 9

                              A CVE gets assigned some widely popular library. For fun we will say they have a monthly release cadence and the bug is published mid release cycle. Upstream is not done with their integration tests and don’t want the release just for a 3 line patch, even if the issue is severe. Lets say it’s used for around 30 binaries.

                              What do you do?

                              If the solution here is to do some wonkey patching of Cargo.toml and Cargo.lock across 30 packages to ensure they are pulling the correct patch (is it even possible), how does this scale?

                              This isn’t the question of distributions adapting to anything, this is “the next generation of software” digging a deep grave and ignoring almost 3 decades worth of experience. This isn’t me claiming we should pretend Rust is C and package all crates like individual packages. Nobody has the time for that. But pretending this isn’t a problem is deeply unsettling.

                              1. 10

                                I don’t know, it’s not my problem, but if it were, I guess I would try solving it rather than trying to wedge everything into this old C paradigm.

                                1. 4

                                  Not having a solution doesn’t mean you can just paint an old solution as terrible.

                                  Lots of smart people are working on separating language ecosystems from system administration, and we have these problems. So now, what do we do?

                                2. 4

                                  Upstream is not done with their integration tests and don’t want the release just for a 3 line patch, even if the issue is severe.

                                  In the case of uncooperative and irresponsible upstreams, what Debian does is say “we will package this, but it is not covered by the security support that we provide for the rest of the OS”. They used to do this for webkit and node.

                                  What else can you do? At some point packaging implies cooperation.

                                  1. 3

                                    Cargo has multiple features for replacing dependencies. For individual packages you drop [patch.crates-io] (it works across the whole tree, so no need to patch deps-of-deps recursively). To do it at a distro scale, you can globally configure Cargo to use a local copy of the index instead of crates-io, and replace deps in your copy (it’s just a git repo with JSON, easy to modify).

                                    Binaries are built from lockfiles, so you can read them to know exactly what to rebuild. There are tools like cargo-audit that already deal with this.

                                    1. 1

                                      So there are then 30 patches to modify cargo. You would also need a secondary package repository to provide the patched cargo package? Does cargo build everything from source or would it require the patched packages to be built?

                                      1. 3

                                        You can tell Cargo to get code from a local directory. Distros already replace crates-io with their own packages, so they already have it all set up.

                                        Distros have managed to tame dozens of weird C build systems. Cargo is quite simple in comparison.

                                        1. 2

                                          Well, no. Most doesn’t. Just the two largest ones because of distro policies. But if you look at the raw numbers most distribution bundle everything vendored and does not provide this at all. I’m not even sure if Ubuntu follows the Debian guidelines?

                                          This is why I bring it up to begin with.

                                    2. 2

                                      I get it. Distro’s are downstream of everything. They get the sewage and the refuse and whatever else that results from trying to get hundreds if not thousands of different applications and libraries to work together and keep them patched appropriately. But that’s the job. If you don’t want that job then don’t work on a distro.

                                      In your particular example I would feel free to blacklist a project that doesn’t want to patch and test their code when it has a CVE. If the code is absolutely necessary and blacklisting it isn’t an option then patch it locally and move on. This isn’t substantially different from a terrible maintainers of a C application. Distributions have been carrying patches forward for libraries and applications for as long as I’ve been using distributions and longer.

                                      1. 7

                                        Back in the C days, it was considered basic etiquette to make sure your Makefile worked with DESTDIR properly.

                                        What happens now is simply Parkinson’s law in it’s finest. Flatpak, Snap and Docker included.

                                        It puzzles me that nobody is worried about our inability to maintain a coherent culture given the influx of programmers, but then again… Eternal September, right?

                                        Must be weird for old geezers to live through that the second time. I am far too young for that so I can’t tell.

                                        We need to negotiate a packaging standard that would not suck for most and then push it hard so that it gets adopted far and wide from Rust to ES. Funny times.

                                        I’m especially curious whether it can be done without effectively merging all distros into one. But hey, project maintainers seem to know the best how is their code supposed to be built and configured. Maybe it’s time.

                                        1. 3

                                          I am one of the old geezers and I’m fully on board with the new way of doing things. Let the software maintainers bear the burden of patching and securing their software when CVEs happen. In a way this could reduce the burden on distro packagers. Download or build the latest binaries and distribute that. If upstream won’t patch their stuff then warn the user and refer them to upstream. Yes this means packagers have to build more stuff. But we unlock a whole lot of benefits in the process. Less issues with shared libraries. More reliable software with these new tools.

                                        2. 4

                                          This isn’t substantially different from a terrible maintainers of a C application. Distributions have been carrying patches forward for libraries and applications for as long as I’ve been using distributions and longer.

                                          Previously we just needed to patch the shared library and move on. Now we suddenly need to care about what a number of upstreams vendor with complete disregard for what that implies.

                                          The comments reads as extremely unsympathetic to distributions. But why? This is a model Rust/Go/npm picked. This wasn’t decided by us, and you still need to deal with the issue regardless if there is a distribution involved or not. We are told “take this and deal with it”. Upstreams are not the one going to deal with user inquiries why XYZ isn’t fixed and what we are going to do about it. We are understaffed and given more problems to deal with.

                                          If you don’t want us to package the “next generation of software” say so… but users are going to disagree.

                                          1. 1

                                            I acknowledge the fact that you have to run cargo build more times than before. But that is the price you pay for packinging in a distro. If your users want the rust application then package it for them. Rust isn’t going to adapt for a whole host of really good reasons. And I as both a developer and someone who deploys some of these in production get a lot of benefit out of those reasons and as the primary user of the language would resist any such change.

                                            For the security issues if upstream won’t patch then remove them from the security policy and tell the user they need to take CVEs up with maintainer of the software. This isn’t hard and complaining about it gives no value to any end-user.

                                            1. 2

                                              Are we going to claim everything Rust touches to be unsupported? Seriously?

                                              I don’t think Rust is the C replacement the community thinks it is.

                                              1. 1

                                                If the distro needs something that Rust touches then they need to build the tooling to be able to package it. It’s more expensive to build it all but if that’s what you need to do then do that.

                                          2. 3

                                            But that’s the job. If you don’t want that job then don’t work on a distro.

                                            Note that Debian security team found the job so onerous that they decided to remove security support for all Go packages in Debian. See https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#golang-static-linking.

                                            1. 1

                                              This is a perfectly valid approach. If you can’t make your tooling do the job with that software then drop support for it.

                                              1. 2

                                                This works for Go, but does not work for Rust, because GNOME C libraries are starting to depend on Rust and distributions don’t want to drop support for GNOME.

                                                1. 1

                                                  Then I guess in the case of GNOME it is by definition not too onerous. It is not the case that you can’t package and ship updates for the software. It’s just harder and more complicated. But that’s why we write tooling. I don’t get to complain when my business wants a feature that requires me to write complicated hard code. I just role up my sleeves and start designing/typing. This is no different.

                                    1. 17

                                      TLDR:

                                      1. Start with big IDs so you don’t enter in PHP weird behaviors.
                                      2. Use UTF-8, always.
                                      3. Allow-list system with deny by default for anything related to security.
                                      4. Monitor your SQL queries.
                                      1. 5

                                        The one time I read the article before the comments…

                                        1. 2

                                          Monitor your SQL queries.

                                          The idea that SQL queries are a special kind of error is really weird. You should be reporting all your errors that aren’t caused by bad user input or network hiccups.

                                          The allow-list bit is a good call but the rest seems oddly language-specific. Starting with big IDs implies you’re using integers, which is not a great idea to begin with; stick with UUIDs and the whole problem isn’t even possible.

                                          1. 3

                                            The idea that SQL queries are a special kind of error is really weird.

                                            Because SQL syntax errors indicate injection bugs, and SQL injection bugs can exploited to accomplish literally anything. The OP isn’t talking about queries that are supposed to return exactly one result returning more than one, which are also bugs, but probably not exploitable to completely pwn the database.

                                            1. 1

                                              The OP isn’t talking about queries that are supposed to return exactly one result returning more than one, which are also bugs […]

                                              If it’s a bug … why are you ignoring it? You should … fix it instead?

                                              1. 2

                                                If a bug exists but nobody discovers it, is it truly a bug?

                                                1. 2

                                                  If a bug exists and all your users find out about it before you do, are you really a professional?

                                                  1. 1

                                                    Precisely. I’m sure I don’t need to tell a fellow professional how this kind of disparate-parity bug can quietly develop over time.

                                                2. 2

                                                  Because I need to fix the highest severity bugs first, and SQL injections are much higher severity.

                                              2. 2

                                                What’s wrong with using integers as keys? If you want to make sure that two integers with different semantic meanings are never confused for each other, you should be relying on a type system, not the improbability of UUID collisions. (Unless I’ve mistaken your point?)

                                                1. 2

                                                  Integers are enumerable, while (some kinds of) UUIDs are not.

                                                  1. 1

                                                    What’s the problem with enumerability—that someone might be able to guess a valid ID?

                                                    Which kinds of UUIDs aren’t enumerable?

                                                    1. 3

                                                      You can technically enumerate UUIDs, but considering how many there (quite a few) are and how they are generated (randomly for version 4 UUIDs), it may take you some time.

                                            1. 4
                                              • Apparently, HDMI / Ethernet is actually standardized, but since it can only do 100baseT, it can’t be what those switches are doing.

                                              • I guess the reason for this is that HDMI cables are easily available, available in the lengths that they want, and tested for the data throughput that they need. The more I think about it, the more obvious it seems that HDMI cables would work great for network patching, except if the HDMI Forum tried to sue you for it.

                                              1. 1

                                                Apparently, HDMI / Ethernet is actually standardized, but since it can only do 100baseT, it can’t be what those switches are doing.

                                                Yes, I knew about this, I’ll add it to the article to avoid any confusion.

                                                The more I think about it, the more obvious it seems that HDMI cables would work great for network patching

                                                I don’t really agree. Ethernet cables have a clip so they don’t fall off easily. DisplayPort or DVI would have been better choices.

                                                1. 3

                                                  From a pure cable perspective, why is DisplayPort better than HDMI? Their cables have a similar profile unless I’m missing something.

                                                  1. 4

                                                    Because full-sized DisplayPort cables have a clip that keeps them from falling off.

                                                    1. 2

                                                      Huh, looks like you’re right. TIL. Can’t believe I hadn’t noticed that before. DisplayPort cables tends to be plug-in-and-forget-about-it-for-months for me.

                                                      1. 1

                                                        God I hate those clips so much. Every monitor I have has the ports hidden behind a plastic “lip” that I guess is supposed to shield them from dust or something, and just makes the tiny buttons on most DP cables nigh on impossible to press with the apparently-oversized meat-sausages I call fingers :(

                                                1. 1

                                                  Is Merge Queue’s open source? Mergify is, and they’re basically offering the same thing.

                                                  1. 0

                                                    Thanks for sharing that. No Merge Queue instead offers a hosted solution that can be configured without writing a single line of code.

                                                    1. 2

                                                      But Mergify offers both. They have a hosted plan, and also release their source code.

                                                  1. 6

                                                    Downvoted as off-topic. This is business news, not technical content.

                                                    1. 6

                                                      This is the kind of news that has a gigantic impact on future technical content.

                                                      1. 2

                                                        Is this a new thing here to explain your downvote?

                                                        1. 5

                                                          No, some people want to be transparent.

                                                      1. 2

                                                        Maybe, but there’s no tags for any other linux distro so I’m not sure why nix should be a special case for a distro-specific linux tag, other than it seems to be interesting to a lot of crustaceans currently.

                                                        1. 26

                                                          Treating a tag system as a taxonomy robs it of many useful functions. I’d prefer we optimized for the users.

                                                          1. 12

                                                            In the interests of pedantry, nix is a package manager which is not particularly tied to NixOS Linux distribution. It is relatively popular on macOS, for example.

                                                            1. 11

                                                              And on top of that, Nix is a functional programming language. Since we have tags for haskell, clojure, and many other languages, it would be good to have a tag for nix.

                                                              1. 1

                                                                You’re technically correct, but I would name the tag nixos anyway, since “*nix” is a common generic term for UNIX-like operating systems, and also the Nix language and package manager are all hosted on nixos.org, so it’s reasonable to say that “NixOS” is the name of the overall project.

                                                                1. 8

                                                                  There is already a unix tag, and tags have short descriptions next to them in the dropdown selection box. So if there was a nix tag and someone started typing nix they would see:

                                                                  • unix - *nix
                                                                  • nix - OS, package manager, language (e.g.)
                                                                  1. 1

                                                                    That makes total sense, I, for example, am still regularly confused by the nix Rust crate.

                                                                2. 10

                                                                  That same reasoning would suggest that we collapse unix, freebsd, openbsd, dragonflybsd, illumos, netbsd, mac, and arguably linux togther.

                                                                1. 18

                                                                  Just use federated systems like Matrix or Tox. Signal is just yet another silo and not a long-term solution amid increasing government censorship. The same applies to Threema, Telegram and others.

                                                                  1. 13

                                                                    Now I’m feeling like a broken record, but…

                                                                    Domain-name-based federation is a half-assed solution to data portability. It gives special privileges to people who can run always-on nodes, which not everyone can or should be doing. It’s also tied to the domain name system, which is neither practical nor ideal.

                                                                    Either do real P2P, or don’t bother pretending.

                                                                    1. 10

                                                                      I really want to disagree with you but I have come to think the same way over the last few months, having myself run a matrix home server and an XMPP server.

                                                                      • If my server gets taken down, people have to regroup and find a new one somehow.
                                                                      • If Signal goes down, people have to regroup and find a new service somehow.

                                                                      There’s not much difference here to the average user. If they can’t talk they can’t talk, regardless of everyone else.

                                                                      Sure, the first option is better because the rest of network stays up, but it’s not enough of an advantage compared to the benefits of a centralised system.

                                                                      If anything, the ease of moving from WhatsApp to Signal highlighted just how easy it can be to go from silo to silo. It doesn’t even feel like you have an ‘account’ in the traditional sense.

                                                                      There are lots of big problems to solve with P2P, most of them to do with mobile and multiple devices, but until someone gets there I’m just glad that people are looking at Signal over WhatsApp.

                                                                      1. 4

                                                                        Who says you need to use matrix.org? There are many, many options…

                                                                        Far more than just the 1 single option you get with moxiechat.

                                                                      2. 3

                                                                        I tend to believe that federated networks, while obviously being harder to block than centralized ones, are also no panacea against government censorship. Because as censor, you now have to block not a single entity, but multiple, which is also doable. And the nodes in a federated network are also inflexible, as they have a unique name that identifies them. Which is nice for users, but also helps the censor to track them. As soon as a node is one the censor’s list, it’s only option is to reappear under a different name (which is bad for users).

                                                                        Not sure if this applies to all federated networks, but probably to most. If you have counterexamples then please share and explain how they avoid those, IHMO inherent properties of federated networks.

                                                                        1. 1

                                                                          How do federated systems approach problems that require hardware solutions (e.g. Signal’s use of SGX)? Is there a way to guarantee that whatever server is running for a particular federated node is using the correct hardware?

                                                                          1. 3

                                                                            That’s exactly what SGX does - it guarantees that the in-enclave code matches the recorded signature (or that intel have been compromised). Every federated node would need an intel SGX-compatible CPU but no other issues.

                                                                            In the case of signal, the server sends a blob signed by intel (very difficult to forge) which confirms

                                                                            • The hash of the server code
                                                                            • The hash of signals public key
                                                                            • The version of intel CPU / enclave
                                                                            • Arbitrary data sent by the signal server

                                                                            One approach from there would be: the ‘arbitrary data’ bit contains a public key, which your signal client can use to encrypt messages to the server. The corresponding private key does not leave the enclave (and you can verify that by comparing the open source implementation with the hash of the server code).

                                                                        1. 2

                                                                          There is another interesting term, which is maybe easier to define: “expression-based programming”.

                                                                          In Haskell, if you sequence some actions, where each action depends on the previous, you can use do-notation (which even works if you’re not working with a monad). And even though it spans multiple lines and has no braces around it (like in lisps), it is still an expression.

                                                                          In Pure FP such as Haskell, people refer to “referential transparency”. You can refactor with the monad laws (even if they haven’t been proven), because the sequential-looking code means that things like the monad bind function is available, even if it wasn’t mentioned in the sugared code. You can be sure that even “effectful” code can be manipulated as just another expression.

                                                                          Sure, you can refactor Rust code pretty well, but since there are no higher-kinded types, you will have to keep those 30 versions of what in Haskell is called “traverse”; often it will be a a couple of nested loops. But you can’t treat a for-loop as an expression. You won’t even see that the code is duplicated since the inside of the loops will be different.

                                                                          From a Haskeller perspective, I like the term “expression” over “function” because if I have such a series of actions, the type of that do-expression won’t be a function! Haskell is lazy, so there is less emphasis on “calling” as function, as the value won’t be computed until necessary anyway. But everything is indeed an expression, which it isn’t in other languages. So isn’t it the more general description of the phenomenon?

                                                                          You could even argue that the term covers lisps, since their s-exps can be introspected and quoted, giving you the opportunity to treat even imperative Clojure do-notation as an expression, before it is executed.

                                                                          1. 1

                                                                            But you can’t treat a for-loop as an expression. You won’t even see that the code is duplicated since the inside of the loops will be different.

                                                                            I think you might have just not been precise with your wording, but in Rust, “for” is an expression. It evaluates to the value of the last iteration it computes.

                                                                            It must be that you’re using the word “expression” differently than in the sense of “expression vs. statement”.

                                                                            EDIT: I stand corrected. @notriddle pointed out that for loops always return void as an expression (still technically is an expression, I guess). You can return non-void values from loop {}, though.

                                                                            1. 1

                                                                              No it doesn’t. It evaluates to (). Always.

                                                                              1. 1

                                                                                Oh, shucks. My memory was fuzzy. I was pretty sure I had returned values out of for-loops before, but you’re right.

                                                                                I was thinking of this feature: https://doc.rust-lang.org/edition-guide/rust-2018/control-flow/loops-can-break-with-a-value.html

                                                                                I’m not sure where I came up with “returning the last value of the iteration”. Maybe another language I was working in recently does that.. /shrug/

                                                                              2. 1

                                                                                I guess the term would be even better if there were a word like “expression” which also meant that it was introspectable and parameterized. Is it “function”? ;) Maybe this is why people like the term “FP”; in Haskell a loop, even after (partially) applying the body, actually is still a function. I guess you can manipulate loop contents in Lisps and Rust too, but you have to use macros… If you allow macros, almost everything becomes an expression, but it really is a different language, so maybe it shouldn’t count. Or maybe it should, since it is always available and switching between the two is second-nature for some.

                                                                                1. 2

                                                                                  I guess the term would be even better if there were a word like “expression” which also meant that it was introspectable and parameterized.

                                                                                  When I first learned Racket I was confused as to why they kept calling functions “procedures” but then I realized it was because of this. Maybe “mathematical function” would be a more precise term for what you’re looking for? I agree “expression” is way too overloaded.

                                                                            1. 13

                                                                              I’ve really enjoyed reading this blog over the last few weeks. He has a great perspective and explains the legal side well. Seems like there is an “Open Source Industrial Complex” where lots of money is made selling products and having conferences about “open source”.

                                                                              1. 5

                                                                                You’ll hear people who work in the field joke about a “compliance-industrial complex”. I think that started back in the early 2000s, after big companies started permitting use of open source in masse. Salespeople for nascent compliance solutions firms would fly around giving C-level officers heartaches about having to GPL all their software. My personal experience of those products, both for ongoing use and for one-off due diligence, is that they’re way too expensive, painful to integrate, just don’t work that well, and only make cost-benefit if you ingest a lot of FUD. Folks who disagree with me strongly on other issues, like new copyleft licenses, agree with me here.

                                                                                That said, I don’t mean to portray what’s going on in the open source branding war as any kind of conspiracy. There are lots of private conversations, private mailing lists, and marketing team meetings that don’t happen in the open. But the major symptoms of the changing of the corporate guard are all right out there to be seen online. That’s why I walked through the list of OSI sponsors, and linked to the posts from AWS and Elastic. It’s an open firefight, not any kind of cloak-and-dagger war.

                                                                                1. 7

                                                                                  Agreed. I’m getting increasingly tired by some communities’ (especially Rust’s) aggressive push of corporate-worship-licenses like BSD, MIT (and against even weak copy-left licenses like MPL).

                                                                                  1. 17

                                                                                    I’m saying this with all the respect in the world, but this comment is so far detached from my perception of license popularity that I wanna know from which niche of the tech industry this broad hatred of Rust comes from. To me it seems like one would have to hack exclusively on C/C++/Vala projects hosted on GNU Savannah, Sourcehut or a self-hosted GitLab instance to reach the conclusion that Rust is at the forefront of an anti-copyleft campaign. That to me would make the most sense because then Rust overlaps with the space you’re occupying in the community much more than, say, JavaScript or Python, where (in my perception) the absolute vast majority of OSS packages do not have a copyleft license already.

                                                                                    1. 3

                                                                                      Try shipping any remotely popular library on crates.io and people heckle you no end until they get to use your work under the license they prefer.

                                                                                      Lessons learned: I’ll never ship/relicense stuff under BSD/MIT/Apache ever again.

                                                                                      1. 2

                                                                                        this broad hatred of Rust comes from

                                                                                        Counter culture to the Rust Evangelism Strike Force: Rust evangelists were terribly obnoxious for a while, seems like things calmed down a bit, but the smell is still there.

                                                                                        1. 1

                                                                                          I think it’s beneath this site to make reactionary nonsense claims on purpose.

                                                                                          1. 2

                                                                                            How is criticizing a (subset) of a group for their method of communication “reactionary”?

                                                                                            1. 1

                                                                                              I’m saying soc’s claim about Rust pushing for liberal licensing is nonsense and probably reactionary to the Rust Evangelism Strike Force if @pgeorgi’s explanation is true. My point is that “counter culture” is not an excuse to make bad arguments or wrong claims.

                                                                                              1. 2

                                                                                                OK, that makes a bit more sense.

                                                                                            2. 2

                                                                                              reactionary nonsense claims

                                                                                              like talking about some “broad hatred of Rust” when projects left and right are adopting it? But the R.E.S.F. is really the first thing that comes to my mind when thinking of rust, and the type of advocacy that led to this nickname sparked some notable reactions…

                                                                                              (Not that I mind rust, I prefer to ignore it because it’s just not my cup of tea)

                                                                                        2. 7

                                                                                          I won’t belabor the point, but I’d suggest considering that some of those project/license decisions (e.g. OpenBSD and ISC) may be about maximizing the freedom (and minimizing the burden) shared directly to other individual developers at a human-to-human level. You may disagree with the ultimate outcome of those decisions in the real world, but it would be a wild misreading of the people behind my example as “corporate worshipping”.

                                                                                          As I have said before: “It’s important to remember that GNU is Not Unix, but OpenBSD userland is much more so. There isn’t much reason to protect future forks if you expect that future software should start from first principles instead of extending software until it becomes a monolith that must be protected from its own developers.”

                                                                                          Not all software need be released under the same license. Choosing the right license for the right project need not require inconsistency in your beliefs about software freedoms.

                                                                                          1. 6

                                                                                            The specific choice of MIT/Apache dual-licensing is so unprincipled and weird that it could only be the result of bending over backwards to accommodate a committee’s list of licensing requirements (it needs to compatible with the GPL versions 2 and 3, it needs a patent waver, it needs to fit existing corporate-approved license lists, etc). This is the result of Rust being a success at all costs language in exactly the way that Haskell isn’t. Things like corporate adoption and Windows support are some of those costs.

                                                                                            1. 3

                                                                                              I can’t speak directly to that example, as I don’t write Rust code and am not part of the Rust community, but it would not surprise me if there were different and conflicting agendas driving licensing decisions made by any committee.

                                                                                              I do write code in both Python and Go (languages sharing similar BSD-style licensing permissiveness), and my difficult relationship to the organization behind Go (who is also steward of its future) is not related in any way to how that language has been licensed to me. Those are a separate set of concerns and challenges outside the nature of the language’s license.

                                                                                      1. 8

                                                                                        I was initially worried that they dropped the “we will never break your old programs” promise but that is not the case.

                                                                                        https://github.com/golang/go/issues/40025

                                                                                        Obviously we cannot delete these three from io/ioutil. But we can move the implementations to io and leave wrappers behind. That will be easier for new users, and it lets more packages do general I/O without a dependency on os.

                                                                                        1. 1

                                                                                          Though I consider it to be a bit silly, it seems they plan to retain the package in a deprecated state (for forever?).

                                                                                          1. 1

                                                                                            I believe they will eventually remove it from newer versions as adoption gets wider spread.

                                                                                            1. 12

                                                                                              A future hypothetical “Go 2” might; the Go 1 compatibility promise is pretty clear that any program written in any version of Go 1 should always work with newer Go 1 versions (with a few exceptions that don’t apply here).

                                                                                              As I mentioned the other day, there are already a bunch of deprecated/frozen packages that aren’t removed for exactly this reason.

                                                                                              1. 3

                                                                                                Yeah, this is the problem with standard libraries. They have to stay on “semver v1” forever. You better get everything right on the first try, because everything has to be maintained forever.

                                                                                                I wish languages treated their standard library like every other package. 3rd party packages can exist in multiple versions, so semver-major changes are only a migration, and don’t have to break anyone.

                                                                                                1. 10

                                                                                                  I wish languages treated their standard library like every other package. 3rd party packages can exist in multiple versions, so semver-major changes are only a migration, and don’t have to break anyone.

                                                                                                  I am so glad Go doesn’t work this way. It means there aren’t “eras” of codebases that utilize totally different subsets of language features.

                                                                                                  1. 10

                                                                                                    Go absolutely has that. One prominent example is code written before the context package and code written after it.

                                                                                                    And tooling wise, there are projects before Go modules and projects after it.

                                                                                                    1. 3

                                                                                                      That’s missing the point. Code written before the context package will work when copied and pasted, patched, incrementally migrated, or otherwise mingled into code written after the context package.

                                                                                                      1. 7

                                                                                                        That’s a good difference to point out, sure. But I don’t think it means my comment has missed the point. There are still costs associated with shifting subsets of the language/std beyond the ability to copy & paste. Look at net/rpc. It is at best unwise and at worst unusable in the code that uses and relies on context cancellation. Because it is a package written in a different era of Go.

                                                                                                      2. 1

                                                                                                        Technically, yes; effectively, I don’t think so. Changes to the stdlib and tooling are infrequent, and almost always come as additions, rarely depreciations, and almost never iterations on existing idioms. Go code will still bit rot over time but I think it is categorically different than the e.g. Rust ecosystem.

                                                                                                        1. 2

                                                                                                          Rust code bitrots faster than Go code. Absolutely yes. But I don’t think there is a category difference. It’s a difference of degree. That’s a feature of Go that I appreciate, as the churn in the Rust ecosystem annoys me. And IMO, there is not nearly as much appreciation for the annoyance of churn in Rust’s culture as there is in Go’s culture. I would say the difference in philosophy here is probably a category change.

                                                                                                          But my point is that Go has eras too. Best not to thumb your nose at the idea. Maybe thumb your nose at the frequency or scale of changes instead. The point is that churn/eras still happens in the Go ecosystem. I’ve lived through it since Go 1.0.

                                                                                                      3. 3

                                                                                                        Just because you don’t name the “eras”, it doesn’t mean they don’t exist. You still have deprecated features. There will be “still using ioutil” codebases, and “moved off ioutil” codebases (and such implicit “era” for every other deprecated feature). There are always some laggards — that’s the reason why the no-breaking-changes promise exists.

                                                                                                      4. 4

                                                                                                        This isn’t a problem, it’s a benefit. I don’t want to have to rewrite my code to the flavor of the day if I want to use a new feature. Compatibility breaks in widely used libraries should come with a heavy burden of necessity.

                                                                                                        Even outside of the standard library, an attempt at compatible evolution is a big benefit.

                                                                                                        1. 1

                                                                                                          The reason that isn’t done is because the standard library contains a lot of glue, just like the language itself does. Major “non-standard” libraries with data structures that get used as API parts don’t want to make breaking changes for the same reason Python 3 was so painful. Everybody has to upgrade at once.

                                                                                                          This isn’t as much of a problem for Go interfaces, which are structurally typed, but it’s a serious problem for struct, which is nominally-typed. Plenty of Go functions, even in the standard library, accept struct parameters.

                                                                                                        2. 2

                                                                                                          Go (and Rust) seems to be rather amateurish in that regard.

                                                                                                          Having no actual removal policy is only one step above an “ignore compat” free-for-all.

                                                                                                          1. 6

                                                                                                            Wait, ‘maintain guaranteed compatibility’ is only one step above ‘ignore compatibility’? Sounds backwards to me.

                                                                                                            1. 0

                                                                                                              You think ‘ignore compatibility’ should be above ‘maintain guaranteed compatibility’?

                                                                                                              (I don’t really care, I think both are playing at roughly the same amateur level, i. e. we should do much better in the 21st century than that.)

                                                                                                              1. 1

                                                                                                                What do you propose? Which ecosystems out there do this right, in your opinion?

                                                                                                    1. 5

                                                                                                      The last straw for me for firefox was its auto update policy. It renders itself unusable (can’t open any new tabs) until you shut it down and restart, which is unbelievably user-unfriendly.

                                                                                                      1. 3

                                                                                                        That never happened to me ever. Strange.

                                                                                                        1. 1

                                                                                                          It depends on what package manager you used to install Firefox. If you installed it on Windows or Mac, or if you use a Portable install of Firefox on Linux, then the update will be installed only when Firefox is restarted, and the problem will be avoided.

                                                                                                          If you’re managing your Firefox install using RPM or DPKG, then it doesn’t get to delay the update like that.

                                                                                                          Source: I run Linux Mint, and use both their stock Firefox version and Tor Browser (which is effectively a portable Firefox install). I used to run Windows, which uses the same tactic.

                                                                                                          1. 1

                                                                                                            But it’s not like that for me (on Windows, Mac and Ubuntu) , as I never got forced to update.

                                                                                                            1. 1

                                                                                                              I did install via DPKG, so that’s good to know. That said, why does that make a difference? It’s auto updating, not waiting for me to update via apt, so I don’t see how the installation method matters.

                                                                                                          2. 2

                                                                                                            This is probably because of Electrolysis and the contentprocess system. Because Firefox runs separate processes to contain the Javascript VM, if you update while Firefox is running and it has to start a new content process it might cause broken behavior due to version incompatibilities. Does Chrome not experience this?

                                                                                                            1. 1

                                                                                                              Chrome doesn’t; I think it keeps a copy of the old version until you restart.

                                                                                                          1. 24

                                                                                                            Horrible, horrible article.

                                                                                                            However, here’s something to think about: while privacy preserving tech is commendable, does it have to come at the cost of user freedoms? Hint: it doesn’t, and it shouldn’t.

                                                                                                            What user freedoms are being trampled? Author does not seem to specify any.

                                                                                                            I don’t mean to sound conspiratorial, but what’s to say that the server in production hasn’t been backdoored? In fact, the Signal server code hasn’t even been updated since April 2020. You’re telling me it’s undergone no changes?

                                                                                                            Serious accusation. Completely unfounded one. Two points are made. First, that backdooring the server would achieve something. Hint, it would not. E2E is exactly for that. Contact list crosschecking is being done inside SGX enclave, and clients are validating if SGX enclave is running particular version of code. What would server backdooring achieve? Author is clueless. Second accusation. “You are telling me it’s undergone no changes?” For half a year? On a platform where almost everything happens client-side? Server just shuffles cryptotext around. Nothing to see here.

                                                                                                            1. 11

                                                                                                              What user freedoms are being trampled? Author does not seem to specify any.

                                                                                                              Two come to mind: Freedom to distribute software, eg. in the F-Droid store, even if this means that not everyone has the newest version. Freedom to use my own Server, instead of trusting someone else, at the conscious expense of my security.

                                                                                                              1. 5

                                                                                                                You can distribute the software in the F-Droid store. You can’t use their trademark (the name signal) or servers while doing it.

                                                                                                                You also can run your own server with your own build of the app in the F-Droid store.

                                                                                                                Presumably what you want is to use the network they’ve built with your own client. I agree that would be nice-to-have, but AFAIK not even Stallman wants OSS licensing to require it.

                                                                                                                1. 5

                                                                                                                  I can distribute, but I can’t actually cause people to use it. Like spam filters: I can send my email all right, it’s getting it received that’s more problematic. I can run my own server, but it won’t talk to the official one. It has to be a separate network, that, understandably, nobody will use.

                                                                                                                  So yes, using their network with different clients would be very nice.

                                                                                                              2. 14

                                                                                                                Ad hominem much? Seriously, it hurts any argument you’re trying to make.

                                                                                                                The problem they allude to is that we have to trust that moxie is running the server code that he claims to run. It does seem suspicious that the server code has seen 0 changes in almost 1 year.

                                                                                                                People like to point out that signal has e2ee, and that the server doesn’t have to be trusted, but they (conveniently?) forget that signal collects a fair amount of information from users (phone numbers, contacts, other meta data), and has the potential to collect a lot more on the server side.

                                                                                                                1. 6

                                                                                                                  Contact list crosschecking is being done inside SGX enclave, and clients are validating if SGX enclave is running particular version of code.

                                                                                                                  Could you expand more on that? If I’m sending my contact list to a Signal server for crosschecking, how can I trust that server to keep the list private?

                                                                                                                  1. 5

                                                                                                                    Signal’s own description of the problem and what they are doing with it: https://signal.org/blog/private-contact-discovery/

                                                                                                                    SGX page: https://en.wikipedia.org/wiki/Software_Guard_Extensions

                                                                                                                    Long story short - it’s guaranteed by Intel. It’s a piece of the processor that user can load with code, lock and burn the key. Metaphorically - since there was never a key. Next, external application can talk to https server running from the enclave, and validate enclave’s claims about code that it runs with a help from Intel’s service.

                                                                                                                    This tech has it’s limitations - it’s still buggy, exploits being published every year, but it will mature some day. It also has some limitations in it’s threat model - it does not cover de-capping and RAM page replay attacks.

                                                                                                                    1. 15

                                                                                                                      Signal’s own description of the problem and what they are doing with it:

                                                                                                                      The problem still exists, you have to trust that they are doing what they say they do, and since it’s 100% centralized you have no way of knowing for certain that the server code they are running is what they say they run. And you can’t run it yourself since moxie is 110% hostile towards any sort of decentralization of his baby.

                                                                                                                      1. 6

                                                                                                                        you have no way of knowing for certain that the server code they are running is what they say they run.

                                                                                                                        The server code is able to send a verification code derived from intels private key, the current time, and the hash of the built server code.

                                                                                                                        In order to do that, they’ve either A) somehow gotten hold of intels private SGX key, B) successfully used an SGX bypass, or C) run code with a hash matching the one they’ve published, which comes from a reproducible build.

                                                                                                                        I think that list is roughly in order of least to most likely.

                                                                                                                        1. 5

                                                                                                                          I’d say an SGX bypass is more likely than any other. Intel’s opsec regarding their keys was flawless so far, hash collisions are hard (I think SGX uses SHA256 which is still unbroken in the general case?), but SGX and every other bolt-on “security” technology that Intel implemented since protected mode has been an utter disaster.

                                                                                                                        2. 5

                                                                                                                          you have to trust that they are doing what they say they do

                                                                                                                          You’re trusting Intel OR Signal. That’s the whole point of SGX. A successful attack means they have to conspire together.

                                                                                                                  1. 13

                                                                                                                    …ultimately the geminiverse is lovely because it is underpopulated, slower-paced, and literate. It is difficult enough to access that those who can use it can be welcoming without worrying its smallness will be compromised.

                                                                                                                    Kinda like lobste.rs compared to Reddit or HN? Speaking of someone who used to browse both fairly regularly and now almost never does because it’s, you know, not very pleasant or fun.

                                                                                                                    1. 4

                                                                                                                      Note that the Reputation Problem applies. The Reputation Problem is a specialization of Conway’s Law; the way that services assign karmic resources to users will incentivize users to behave in certain ways. Lobsters is invitation-only, and that changes our incentives for behavior compared to HN; we wager not just karma on every post, but also potential permanent removal from a community.

                                                                                                                      The difference between this and Gemini compared to HTTP is that Gemini is open to anybody who can set up a server, which could eventually lead to a massive influx of users and content into the Gemini ecosystem. Lobsters cannot have such an influx, because of its reputation structure.

                                                                                                                      1. 3

                                                                                                                        Gemini is open to anybody who can set up a server

                                                                                                                        Isn’t that also true for HTTP?

                                                                                                                        1. 2

                                                                                                                          Yes, but Gemini needs to be 10x better than HTTP to be worth it, and the problem is that it’s not,

                                                                                                                          1. 1

                                                                                                                            You’re entirely correct. I did not use enough words and was ambiguous. I mean that the difference between the analogy between Lobsters compared to HN, and Gemini compared to HTTP, is that HN, Gemini, and HTTP are all open to anybody who wants to participate, while Lobsters is invitational.

                                                                                                                            1. 1

                                                                                                                              Thanks for expanding, I agree.

                                                                                                                      1. 21

                                                                                                                        These statements annoy me:

                                                                                                                        Heck, if you ask some people, Rust is less secure than a GC’ed language for web apps if you use any crates that have unsafe code - which includes Actix, the most popular web framework, because unsafe code allows things like deferencing raw pointers.

                                                                                                                        I can’t help but think calling the unsafe keyword unsafe was a potential marketing error. Actually, within the rust community it helps to keep the portions of unsafe -marked code lower.

                                                                                                                        But many people short circuit to the conclusion that code with the unsafe keyword must be, indeed, unsafe. Maybe, they should think of it as expert or free code that relaxes some constraints (and by far not all, you have still more checks than in normal C++).

                                                                                                                        In terms of Rust unsafe, Java/ruby is full of unsafe code since some crucial safety guarantees in these languages are weaker. Obviously, there is a lot of unsafe rust code in the Rust std lib and especially in low level libraries. If this code is carefully vetted, this is all good. Rust allows you to focus extra attention on the small blocks of unsafe code.

                                                                                                                        Will I avoid unsafe code when I can? Yes. Should popular libraries make prudent use of unsafe if it results in large benefits? Absolutely. Is that dangerous? Not more than in other languages without these restrictions but yeah, it requires great care that you can avoid if you avoid unsafe.

                                                                                                                        1. 8

                                                                                                                          It’s an especially annoying considering that performance-critical parts can always be written in unsafe ways, GC’d language or not. A prime example is uwsgi for Python.

                                                                                                                          1. 5

                                                                                                                            @matklad Thank you for pointing out weak parts in my post. I wanted to post this as a separate reply to your reply but lobste.rs prevents me from multiple replies in short succession??

                                                                                                                            Having to mark certain snippets of code as unsafe is a great tool – that not all languages have. The less unsafe you use, the easier it is to achieve the security, of course, without being a genius or having lots of people helping out.

                                                                                                                            We agree that unsafe code should be avoided and carefully weight against advantages. I personally thing that well-reviewed libraries are a good place for unsafe code with huge performace benefits: crossbeam, …

                                                                                                                            To quote from async-std security:

                                                                                                                            Writing a highly perfomant async core library is a task involving some instances of unsafe code.

                                                                                                                            To clarify my remarks on the comparison to “GC’d languages”:

                                                                                                                            A) The quote compares safety of Rust to “GC’d” languages and says that Rust is maybe less unsafe because it uses “unsafe” code in its libraries.

                                                                                                                            I’d argue that there is no completely “safe” web app stack in any language that I am aware of. (and then you’d have to deal with compiler errors, operating systems, …)

                                                                                                                            If you look at NodeJS or Ruby on Rails, the interpreters and the HTTPS stacks contain lots of native code that isn’t verified by a smart compiler for safety guarantees. Correct me if my assumptions are wrong. I’d not be surprised if a Rust web app with actix contained a lot less “unsafe” code (in the Rust meaning) than an app built with these other stacks.

                                                                                                                            Of course, maybe more importantly, counting unsafe code lines is only a proxy argument because we cannot measure security: One line of unsafe code can destroy the safety of the whole application in crucial ways as can a compiler or std library bug. And a library like actix with six usages of unsafe could be completely secure. Or not.

                                                                                                                            B) I didn’t say what I meant with “crucial safety guarantees”, it was misleading. What I had in mind was more than only basic memory safety. The initial quote was about security. The argument was that Rust was less secure than “GC’d’ languages. I don’t believe that Rust code is usually less secure than that of GC’d languages and the expressive type system and guarantees that go beyond basic memory safety contribute to that.

                                                                                                                            I hope that makes sense. I wish I could make my point clearer in less words ;)

                                                                                                                            1. 5

                                                                                                                              Thanks for the clarification! I think we are in a broad agreement here. In a narrow sense, unsafe is a sharp tool, easily misused, and dangerous even in the hands of an expert. However, it does improve the overall system’s security.

                                                                                                                              I violently agree with your point about full-stack safety of web apps. On the one hand, Rust’s unsafe (unlike Python’s ctypes) is available to “application programmer”, and pulls in the less safe direction. On the other hand, safe Rust is available to “systems programmer” (which again is unlike ctypes), and this massively improves the safety of lower levels of the stack, which feels like a bigger deal.

                                                                                                                              I also agree that Rust’s other type-system niceties improve application level correctness (and hence security) in comparison to current crop of popular static or dynamic languages.

                                                                                                                              That being said, I expect in the web domain specifically, application-level security (csrf tokens, protection against SQL injection, not storing passwords in plain text, etc) is a relatively bigger issue than execution-environment security. And here I expect a lot depends on maturity. I am not an expert in web dev, and, at this point I think I’ll be able to develop overall more secure web app with Django, as that should be much more hardened against misuse by web-security-naive programmers.

                                                                                                                              1. 1

                                                                                                                                Interesting point about what is “available” to the “application programmer.” I guess the “available” is in terms of convenience and just writing unsafe somewhere is very convenient.

                                                                                                                                I, for myself, was never tempted to use unsafe but I neither wrote a low-level lib nor should I assume that I am the standard… I might be overcareful. And I can already shoot myself in the foot with misunderstanding atomic variables in safe code already ;)

                                                                                                                            2. 4

                                                                                                                              But many people short circuit to the conclusion that code with the unsafe keyword must be, indeed, unsafe.

                                                                                                                              The short-circuiting might be wrong, but I personally don’t disagree with the conclusion. Unsafe code is hard, even widely battle tested things like SmallVec get CVEs. So, in practice, rust with unsafe does have memory safety issues due to bugs (although it’s important to keep in mind that Rust CVE have a somewhat lower bar, as theoretical, and not only practical, unsoundness counts).

                                                                                                                              In terms of Rust unsafe, Java/ruby is full of unsafe code since some crucial safety guarantees in these languages are weaker.

                                                                                                                              I am not sure I exactly understand what you are saying here. I think I agree with the general idea, but I disagree with the specific wording. In the context of Rust, unqualified safe/unsafe refers to memory safety, and, in terms of memory safety, Rust, Ruby, and Java are roughly equivalent (roughly because there’s extensions/ffi/native runtime angle). Things like iterator invalidation are not covered by the safety terminology.

                                                                                                                              1. 9

                                                                                                                                Frankly, if we hadn’t had years of the Rust Evangelion Strike Force shitting on C and C++ for their use of unsafe pointers and whatnot, this might fly.

                                                                                                                                This charity wasn’t extended to references and some of the nice pointer types in C++ that solve memory safety issues, so why should we give unsafe a pass now?

                                                                                                                                Sorry your language doesn’t actually match its marketing.

                                                                                                                                1. 24

                                                                                                                                  Your ax grinding is absurd. It is possible to entertain two different problems simultaneously:

                                                                                                                                  • People get too excited about new technology like Rust and oversell its benefits by stating misleading things like “Rust can’t have memory safety bugs.” (I personally have been pretty consistent and vocal about clarifying this particular point.)
                                                                                                                                  • People get too curmudgeony and undersell Rust’s benefits by pointing to existence of unsafe as proof positive that Rust is no better than [insert other language here].

                                                                                                                                  Really, it’s not difficult to see how both of these problems can exist simultaneously. Just because the first exists doesn’t mean we can’t also talk about the second.

                                                                                                                                  Your consistent anti-RESF ax grinding is really just as bad as RESF zealots, if not worse. And yours has been going on for years too.

                                                                                                                                  1. 7

                                                                                                                                    You didn’t say a damn thing when the user I replied to said “oh ho ho Rust is no less safe than Java or Ruby, if you just vet the code”. This is the same argument as neckbeards going “C is safe if you just write the code carefully!”. It’s pretty obvious when you give a pass to one but not the other.

                                                                                                                                    Again, for context:

                                                                                                                                    In terms of Rust unsafe, Java/ruby is full of unsafe code since some crucial safety guarantees in these languages are weaker. Obviously, there is a lot of unsafe rust code in the Rust std lib and especially in low level libraries. If this code is carefully vetted, this is all good.

                                                                                                                                    Kettle meet pot, and you’re experienced enough (grats on ripgrep) that you should know when shilling is happening.

                                                                                                                                    Anyways: my grinding has been consistent, for years, because the RESF has been obnoxious, for years.

                                                                                                                                    I have observed no patterns of this behavior behind other C/C++ replacements. The D folks are underappreciated and chill. The Zig people don’t spam message boards and bug trackers asking to rewrite things in Zig. The Nim community, to my observation, don’t show up in every comment section to talk about how impossible is is to write safe software in C and how Nim is the answer, every time C shows up. Go people seemingly are too busy shipping useful utilities to even talk very much about Go being better than C–even at the height of Google’s shilling of it.

                                                                                                                                    And every time this gets brought up, people like you show up to motte-and-bailey it and go “oh no no, who are those other ruffians, we’re just a kind and inclusive and loving community, oh we’d never say anything bad about another language, perish the thought!” This is a real problem, and just because y’all either can’t or won’t acknowledge it doesn’t mean the damage hasn’t been done to people outside your blessed tribe.

                                                                                                                                    ~

                                                                                                                                    The hell of it is, I think Rust is a neat language with some neat features. I think it has some cool things going for it, even though the Rust talking-point bingo is predictable (almost as much as Elixir bingo). I can list the ideas I like from it, and if my workflow looked like it needed Rust more than what I’m already doing, I’d be excited to switch.

                                                                                                                                    I just don’t like a community whose evangelism seemingly requires pervasive and persistent propaganda and, at times, lying. It shows a lack of moral character and engineering rigor that makes me concerned for the long-term health of the ecosystem.

                                                                                                                                    1. 11

                                                                                                                                      You didn’t say a damn thing when the user I replied to said “oh ho ho Rust is no less safe than Java or Ruby, if you just vet the code”.

                                                                                                                                      Because that isn’t a sensational thing to say? It’s nowhere near the same as the “neckbeard C programmer” you alluded to.

                                                                                                                                      Kettle meet pot, and you’re experienced enough (grats on ripgrep) that you should know when shilling is happening.

                                                                                                                                      Anyways: my grinding has been consistent, for years, because the RESF has been obnoxious, for years.

                                                                                                                                      Is this some kind of joke? And you aren’t obnoxious? If that isn’t the kettle calling the pot black, then I don’t know what it is.

                                                                                                                                      It’s one thing to respond and clarify things said by the “RESF” (and other claims made by zealots), but you go far beyond that and consistently engage in this meta flame war.

                                                                                                                                      I have observed no patterns of this behavior behind other C/C++ replacements.

                                                                                                                                      Well, what patterns of behavior have you observed among C/C++ programmers? The D, Nim and Zig communities aren’t nearly as big as Rust’s. And Go doesn’t really bring any new big ideas to the mainstream, so I really wouldn’t expect people to get that excited about it. That’s a feature of Go IMO. You also have immense pressure against talking about Go anyway, lest you be shouted down by PL zealots. (Zealots zealots everywhere, yet you seem to love to grind against one particular group in particular. How… obnoxious?)

                                                                                                                                      And every time this gets brought up, people like you show up to motte-and-bailey it and go “oh no no, who are those other ruffians, we’re just a kind and inclusive and loving community, oh we’d never say anything bad about another language, perish the thought!” This is a real problem, and just because y’all either can’t or won’t acknowledge it doesn’t mean the damage hasn’t been done to people outside your blessed tribe.

                                                                                                                                      Given that I’m a moderator in the Rust community and that I have shut down PL flame war discussions in official Rust spaces, it would be pretty weird of me to say that we never say anything bad about another language, now wouldn’t it?

                                                                                                                                      And it has been acknowledged. That’s why I always do my best to clarify claims that are too bold. Do I get every single one? No. But then again, I don’t spend my time responding to every single one of your ridiculous comments either.

                                                                                                                                      I just don’t like a community whose evangelism seemingly requires pervasive and persistent propaganda and, at times, lying. It shows a lack of moral character and engineering rigor that makes me concerned for the long-term health of the ecosystem.

                                                                                                                                      This is a giant load of conspiracy-like bullshit. For someone who is so keen to call out bullshit and shilling, you sure do like to sling a lot of it yourself.

                                                                                                                                      1. 8

                                                                                                                                        I’m not sure the community is actively funded to evangelize. Could it just be that using rust makes people want to share their enthusiasm?

                                                                                                                                        1. 2

                                                                                                                                          It’s certainly possible. Maybe people just really liked Java, C#, and Go too.

                                                                                                                                        2. 5

                                                                                                                                          You didn’t say a damn thing when the user I replied to said “oh ho ho Rust is no less safe than Java or Ruby, if you just vet the code”. This is the same argument as neckbeards going “C is safe if you just write the code carefully!”. It’s pretty obvious when you give a pass to one but not the other.

                                                                                                                                          I mean, yes? @burntsushi is a member of the Rust community, of course it’s going to bother him a bit more when someone like you is attacking that community vs someone in that community (politely!) making a debatable claim. That’s basic human social skills, not him being a hippocrite.

                                                                                                                                          Kettle meet pot, and you’re experienced enough (grats on ripgrep) that you should know when shilling is happening. […] And every time this gets brought up, people like you show up to motte-and-bailey it and go “oh no no, who are those other ruffians, we’re just a kind and inclusive and loving community, oh we’d never say anything bad about another language, perish the thought!” This is a real problem, and just because y’all either can’t or won’t acknowledge it doesn’t mean the damage hasn’t been done to people outside your blessed tribe.

                                                                                                                                          I know you’ve been trying to be less angersock and more friendlysock, so I’m just going to say this straight: you’re being an obnoxious jerk right now.

                                                                                                                                          1. 4

                                                                                                                                            Agreed. This is like mom and dad fighting. Both are respected members of the community. Obviously it’s okay to disagree, but I expect both to be examples of what it means to be a good citizen.

                                                                                                                                            I have a bias here. However my commentary should be applied broadly. Let’s demonstrate an eagerness to give each other the benefit of the doubt. Our community is known for being effective and compassionate regardless of disagreements. I’m committed to that because of lobster leaders like you have both demonstrated that it works here.

                                                                                                                                            Thank you both for being candid. I look forward to the constructive conversation this exchange will lead to.

                                                                                                                                            1. 2

                                                                                                                                              Yeah, again, sorry for setting a bad example. :(

                                                                                                                                            2. 2

                                                                                                                                              I know you’ve been trying to be less angersock and more friendlysock, so I’m just going to say this straight: you’re being an obnoxious jerk right now.

                                                                                                                                              Yeah, you got me there–fair point. I’ll go cool off.

                                                                                                                                        3. 1

                                                                                                                                          I totally agree. There’s more than a little bit of trying to have it both ways here, and observers are too smart for that.

                                                                                                                                        4. 1

                                                                                                                                          I can’t help but think calling the unsafe keyword unsafe was a potential marketing error.

                                                                                                                                          Isn’t there a comparison to unsafe in C#? The same arguments were made back in the early 2000s about that and it made for many tirades and comments.

                                                                                                                                          I think Rust user’s domain requirements might provide longevity to the use of unsafe, it has disappeared from discussions in the C# space. It’s to the point where many C# programmers would give you a puzzled look if you mentioned unsafe existed.

                                                                                                                                        1. 5

                                                                                                                                          I see all of these articles about what messenger app to use. None of those address the real problem: they don’t work for the people I talk to.

                                                                                                                                          A lot of my friends are furries and we use telegram exclusively because it supports stickers. It’s impossible to understate how important stickers are for us.

                                                                                                                                          The Furry Writers’ Guild, moved our Slack server to Discord. It’s been hugely popular. We couldn’t get anyone to use Slack.

                                                                                                                                          My church uses Facebook. I’m not on it and I’ve effectively not been a member since March as a result.

                                                                                                                                          A few of my friends use Twitter direct messages.

                                                                                                                                          My family uses SMS. (And my uncle keeps trying to push everyone to LinkedIn.)

                                                                                                                                          I know exactly one person on Earth who uses Signal. He’s on Telegram because he can’t get his friends to use Signal.

                                                                                                                                          1. 5

                                                                                                                                            I remember a time when it was MSN Messenger, YIM, AIM, ICQ or IRC and you could have one open source client that was able to provide a single interface for the lot.

                                                                                                                                            1. 1

                                                                                                                                              You can do the same thing with Matrix but it’s no where near as simple or accessible as Pidgin/Trillian/Audium/etc. Signal and Telegram have APIs, but Facebook and Google make it incredibly difficult to interface with their messengers.

                                                                                                                                            2. 2

                                                                                                                                              Signal has stickers. Though I guess that’s not super relevant to this discussion, since Delta Chat apparently doesn’t.

                                                                                                                                              1. 2

                                                                                                                                                The Signal folks, at least, seem to understand this. It supports sending emoji, has sticker packs, and makes it very easy to share photos (as in, UI in the mobile app for taking a photo and sending it, just like WhatsApp). The big missing feature is the ability to have video / audio calls with more than two people. That said, the Signal desktop clients (unlike WhatsApp) do support video calling. This is the killer feature for some of the non-technical folks I talk to - everyone has had to have the hardware for video conferencing on a laptop to be able to join work calls while working from home during the pandemic and going from a Teams or Zoom call on a laptop (with or without an external monitor) to having to use a tiny phone screen for WhatsApp calls is frustrating. With Signal, you can call directly from the desktop app and answer calls in it. We have used that feature with my mother quite a lot over the last year.

                                                                                                                                                1. 1

                                                                                                                                                  Signal supports video/audio calls with up to 8 people. The most recent release raised it from 5 to 8.

                                                                                                                                                  1. 1

                                                                                                                                                    Huh, looks like it was added in the middle of December. I’m a month out of date. Here’s the announcement.

                                                                                                                                              1. 35

                                                                                                                                                e-mail has a lot of legacy cruft. Regardless of the technical merits of e-mail or Telegram or Delta Chat, Signal, matrix.org or whatever, what people need to be hearing today is “WhatsApp and Facebook Messenger are unnecessarily invasive. Everyone is moving to X.” If there isn’t a clear message on what X is, then people will just keep on using WhatsApp and Facebook Messenger.

                                                                                                                                                It seems clear to me that e-mail is not the frontrunner for X, so by presenting it as a candidate for replacing WhatsApp and Facebook Messenger, I think the author is actually decreasing the likelihood that most people will migrate to a better messaging platform.

                                                                                                                                                My vote is for Signal. It has good clients for Android and iOS and it’s secure. It’s also simple enough that non-technical people can use it comfortably.

                                                                                                                                                1. 26

                                                                                                                                                  Signal is a silo and I dislike silos. That’s why I post on my blog instead of Twitter. What happens when someone buys Signal, the US government forces Signal to implement backdoors or Signal runs out of donation money?

                                                                                                                                                  1. 10

                                                                                                                                                    Signal isn’t perfect. My point is that Signal is better than WhatsApp and that presenting many alternatives to WhatsApp is harmful to Signal adoption. If Signal can’t reach critical mass like WhatsApp has it will fizzle out and we will be using WhatsApp again.

                                                                                                                                                    1. 12

                                                                                                                                                      If Signal can’t reach critical mass like WhatsApp has it will fizzle out

                                                                                                                                                      Great! We don’t need more silos.

                                                                                                                                                      and we will be using WhatsApp again.

                                                                                                                                                      What about XMPP or Matrix? They can (and should!) be improved so that they are viable alternatives.

                                                                                                                                                      1. 13

                                                                                                                                                        (Majority of) People don’t care about technology (how), they care about goal (why).

                                                                                                                                                        They don’t care if it’s Facebook, Whatsapp, Signal, Email, XMPP, they want to communicate.

                                                                                                                                                        1. 14

                                                                                                                                                          Yeah, I think the point of the previous poster was that these systems should be improved to a point where they’re just really good alternatives, which includes branding and the like. Element (formerly riot.im) has the right idea on this IMHO, instead of talking about all sorts of tech details and presenting 500 clients like xmpp.org, it just says “here are the features element has, here’s how you can use it”.

                                                                                                                                                          Of course, die-hard decentralisation advocates don’t like this. But this is pretty much the only way you will get any serious mainstream adoption as far as I can see. Certainly none of the other approaches that have been tried over the last ~15 years worked.

                                                                                                                                                          1. 7

                                                                                                                                                            …instead of talking about all sorts of tech details and presenting 500 clients like xmpp.org, it just says “here are the features element has, here’s how you can use it”.

                                                                                                                                                            Same problem with all the decentralized social networks and microblogging services. I was on Mastodon for a bit. I didn’t log in very often because I only followed a handful of privacy advocate types since none of my friends or other random people I followed on Twitter were on it. It was fine, though. But then they shut down the server I was on and apparently I missed whatever notification was sent out.

                                                                                                                                                            People always say crap like “What will you do if Twitter shuts down?”. Well, so far 100% of the federated / distributed social networks I’ve tried (I also tried that Facebook clone from way back when and then Identi.ca at some point) have shut down in one way or another and none of the conventional ones I’ve used have done so. I realize it’s a potential problem, but in my experience it just doesn’t matter.

                                                                                                                                                            1. 4

                                                                                                                                                              The main feature that cannot be listed in good faith and which is the one that everybody cares about is: “It has all my friend and family on it”.

                                                                                                                                                              I know it’s just a matter of critical mass and if nobody switches this will never happen.

                                                                                                                                                            2. 1

                                                                                                                                                              Sure, but we’re not the majority of people.. and we shouldn’t be choosing yet another silo to promote.

                                                                                                                                                            3. 5

                                                                                                                                                              XMPP and (to a lesser extent) Matrix do need to be improved before they are viable alternatives, though. Signal is already there. You may feel that ideological advantages make up for the UI shortcomings, but very few nontechnical users feel the same way.

                                                                                                                                                              1. 1

                                                                                                                                                                Have you tried joining a busy Matrix channel from a federated homeserver? It can take an hour. I think it needs some improvement too.

                                                                                                                                                                1. 2

                                                                                                                                                                  Oh, definitely. At least in the case of Matrix it’s clear that (1) the developers regard usability as an actual goal, (2) they know their usability could be improved, and (3) they’re working on improving it. I admit I don’t follow the XMPP ecosystem as closely, so the same could be the same there, but… XMPP has been around for 20 years, so what’s going to change now to make it more approachable?

                                                                                                                                                              2. 4

                                                                                                                                                                […] it will fizzle out

                                                                                                                                                                Great! We don’t need more silos.

                                                                                                                                                                Do you realize you’re cheering for keeping the WhatsApp silo?

                                                                                                                                                                Chat platforms have a strong network effect. We’re going to be stuck with Facebook’s network for as long as other networks are fragmented due to people disagreeing which one is the perfect one to end all other ones, and keep waiting for a pie in the sky, while all of them keep failing to reach the critical mass.

                                                                                                                                                                1. 1

                                                                                                                                                                  Do you realize you’re cheering for keeping the WhatsApp silo?

                                                                                                                                                                  Uh, not sure how you pulled that out of what I said, but I’m actually cheering for the downfall of all silos.

                                                                                                                                                                  1. 2

                                                                                                                                                                    I mean that by opposing the shift to the less-bad silo you’re not actually advancing the no-silo case, but keeping the status quo of the worst-silo.

                                                                                                                                                                    There is currently no decentralized option that is secure, practical, and popular enough to be adopted by mainstream consumers in numbers that could beat WhatsApp.

                                                                                                                                                                    If the choice is between WhatsApp and “just wait until we make one that is”, it means keeping WhatsApp.

                                                                                                                                                                2. 3

                                                                                                                                                                  They can be improved so that they are viable alternatives.

                                                                                                                                                                  Debatable.

                                                                                                                                                                  Great! We don’t need more silos.

                                                                                                                                                                  Domain-name federation is a half-assed solution to data portability. Domain names basically need to be backed by always-on servers, not everybody can have one, and not everybody should. Either make it really P2P (Scuttlebutt?) or don’t bother.

                                                                                                                                                                  1. 2

                                                                                                                                                                    I sadly agree, which is why logically I always end up recommend signal as ‘the best of a bad bunch’.

                                                                                                                                                                    I like XMPP, but for true silo-avoidance you need you run your own server (or at least have someone run it under your domain, so you can move away). This sucks. It’s sort of the same with matrix.

                                                                                                                                                                    The only way around this is real p2p as you say. So far I haven’t seen anything that I could recommend to former whatsapp users on this front however. I love scuttlebutt but I can’t see it as a good mobile solution.

                                                                                                                                                                3. 8

                                                                                                                                                                  Signal really needs a “web.signal.com”; typing on phones suck, and the destop app is ugh. I can’t write my own app either so I’m stuck with two bad options.

                                                                                                                                                                  This is actually a big reason I like Telegram: the web client is pretty good.

                                                                                                                                                                  1. 3

                                                                                                                                                                    I can’t write my own app either so I’m stuck with two bad options.

                                                                                                                                                                    FWIW I’m involved with Whisperfish, the Signal client for Sailfish OS. There has been a constant worry about 3rd party clients, but it does seem like OWS has loosened its policy.

                                                                                                                                                                    The current Whisperfish is written in Rust, with separate libraries for the protocol and service. OWS is also putting work into their own Rust library, which we may switch to.

                                                                                                                                                                    Technically you can, and the risk should be quite minimal. At the end of the, as OWS doesn’t support these efforts, and if you don’t make a fool of them, availability and use increases their brand value.

                                                                                                                                                                    Don’t want to know what happens if someone writes a horrible client and steps on their brand, so let’s be careful out there.

                                                                                                                                                                    1. 2

                                                                                                                                                                      Oh right; that’s good to know. I just searched for “Signal API” a while ago and nothing really obvious turned up so I assumed it’s either impossible or hard/hackish. To be honest I didn’t look very deeply at it, since I don’t really care all that much about Signal that much 😅 It’s just a single not-very-active chatgroup.

                                                                                                                                                                      1. 1

                                                                                                                                                                        Fair enough, sure. An API might sound too much like some raw web thing - it is based on HTTPS after all - but I don’t think all of it would be that simple ;)

                                                                                                                                                                        The work gone into the libraries has not been trivial, so if you do ever find yourself caring, I hope it’ll be a happy surprise!

                                                                                                                                                                    2. 2

                                                                                                                                                                      The Telegram desktop client is even better than the web client.

                                                                                                                                                                      1. 3

                                                                                                                                                                        I don’t like desktop clients.

                                                                                                                                                                        1. 4

                                                                                                                                                                          Is there a specific reason why? The desktop version of Telegram is butter smooth and has the same capabilities as the phone version (I’m pretty sure they’re built from the same source as well).

                                                                                                                                                                          1. 3

                                                                                                                                                                            Security is the biggest reason for me. Every other week, you hear about a fiasco where a desktop client for some communication service had some sort of remote code execution vulnerability. But there can be other reasons as well, like them being sloppy with their .deb packages and messing up with my update manager etc. As a potential user, I see no benefit in installing a desktop client over a web client.

                                                                                                                                                                            1. 4

                                                                                                                                                                              Security is the reason that you can’t easily have a web-based Signal client. Signal is end-to-end encrypted. In a web app, it’s impossible to isolate the keying material from whoever provides the service so it would be trivial for Signal to intercept all of your messages (even if they did the decryption client-side, they could push an update that uploads the plaintext after decryption).

                                                                                                                                                                              It also makes targeted attacks trivial: with the mobile and desktop apps, it’s possible to publish the hash that you get for the download and compare it against the versions other people run, so that you can see if you’re running a malicious version (I hope a future version of Signal will integrate that and use it to validate updates before it installs them by checking that other users in your network see the same series of updates). With a web app, you have no way of verifying that you’re running the same code that you were one page refresh ago, let alone the same code as someone else.

                                                                                                                                                                              1. 1

                                                                                                                                                                                A web based client has no advantages with regards to security. They are discrete topics. As a web developer, I would argue that a web based client has a significantly larger surface area for attacks.

                                                                                                                                                                                1. 1

                                                                                                                                                                                  When I say security, I don’t mean the security of my communications over that particular application. That’s important too, but it’s nothing compared to my personal computer getting hacked, which means my entire digital life getting compromised. Now you could say a web site could also hijack my entire computer by exploiting weaknesses in the browser, which is definitely a possibility, but that’s not what we hear every other week. We hear stupid zoom or slack desktop client containing a critical remote code execution vulnerability that allows a completely unrelated third party complete access to your computer.

                                                                                                                                                                              2. 1

                                                                                                                                                                                I just don’t like opening a new window/application. Almost all of my work is done with one terminal window (in tmux, on workspace 1) and a browser (workspace 2). This works very well for me as I hate dealing with window management. Obviously I do open other applications for specific purposes (GIMP, Geeqie, etc) but I find having an extra window just to chat occasionally is annoying. Much easier to open a tab in my browser, send my message, and close it again.

                                                                                                                                                                      2. 3

                                                                                                                                                                        The same thing that’s happening now with whatsapp - users move.

                                                                                                                                                                        1. 2

                                                                                                                                                                          A fraction of users is moving, the technically literate ones. Everyone else stays where their contacts are, or which is often the case, installs another messenger and then uses n+1.

                                                                                                                                                                          1. 2

                                                                                                                                                                            A fraction of users is moving, the technically literate ones

                                                                                                                                                                            I don’t think that’s what’s happening now. There have been a lot of mainstream press articles about WhatsApp. The technical users moved to Signal when Facebook bought WhatsApp, I’m now hearing non-technical folks ask what they should migrate to from WhatsApp. For example, one of our administrators recently asked about Signal because some of her family want to move their family chat there from WhatsApp.

                                                                                                                                                                            1. 1

                                                                                                                                                                              Yeah these last two days I have been asked a few times about chat apps. I have also noticed my signal contacts list expand by quite a few contacts, and there are lots of friends/family who I would not have expected to make the switch in there. I asked one family member, a doctor, what brought her in and she said that her group of doctors on whatsapp became concerned after the recent announcements.

                                                                                                                                                                              I wish I could recommend xmpp/OMEMO, but it’s just not as easy to set up. You can use conversations.im, and it’s a great service, but if you are worried about silos you are back to square one if you use their domain. They make using a custom domain as friction-free as possible but it still involves DNS settings.

                                                                                                                                                                              I feel the same way about matrix etc. Most people won’t run their own instance, so you end up in a silo again.

                                                                                                                                                                              For the closest thing to whatsapp, I have to recommend Signal. It’s not perfect, but it’s good. I wish you didn’t have to use a phone number…

                                                                                                                                                                        2. 2

                                                                                                                                                                          What happens when someone buys Signal, the US government forces Signal to implement backdoors or Signal runs out of donation money?

                                                                                                                                                                          Not supporting signal in any way, but how would your preferred solution actually mitigate those risks?

                                                                                                                                                                          1. 1

                                                                                                                                                                            Many different email providers all over the world and multiple clients based on the same standards.

                                                                                                                                                                            1. 6

                                                                                                                                                                              Anyone who has written email software used at scale by the general public can tell you that you will spend a lot of time working around servers and clients which do all sorts of weird things. Sometimes with good reasons, often times with … not so good reasons. This sucks but there’s nothing I can change about that, so I’ll need to deal with it.

                                                                                                                                                                              Getting something basic working is pretty easy. Getting all emails handled correctly is much harder. Actually displaying all emails well even harder still. There’s tons of edge cases.

                                                                                                                                                                              The entire system is incredibly messy, and we’re actually a few steps up from 20 years ago when it was even worse.

                                                                                                                                                                              And we still haven’t solved the damn line wrapping problem 30 years after we identified it…

                                                                                                                                                                              Email both proves Postel’s law correct and wrong: it’s correct in the sense that it does work, it’s wrong because it takes far more time and effort than it really needs to.

                                                                                                                                                                              1. 2

                                                                                                                                                                                I hear you (spent a few years at an ESP). It’s still better than some siloed walled garden proprietary thing that looks pretty but could disappear for any reason in a moment. The worst of all worlds except all others.

                                                                                                                                                                                1. 2

                                                                                                                                                                                  could disappear for any reason in a moment

                                                                                                                                                                                  I’m not so worried about this; all of these services have been around for ages and I’m not seeing them disappear from one day to the next in the foreseeable future. And even if it does happen: okay, just move somewhere else. It’s not even that big of a deal.

                                                                                                                                                                                  1. 1

                                                                                                                                                                                    Especially with chat services. There’s not that much to lose. Your contacts are almost always backed up elsewhere. I guess people value their chat history more than I do, however.

                                                                                                                                                                        3. 11

                                                                                                                                                                          My vote is for Signal. It has good clients for Android and iOS and it’s secure. It’s also simple enough that non-technical people can use it comfortably.

                                                                                                                                                                          I’ve recently started using it, and while it’s fine, I’m no fan. As @jlelse, it is another closed-off platform that you have to use, making me depend on someone else.

                                                                                                                                                                          They seem to (as of writing) prioritize “security” over “user freedom”, which I don’t agree with. There’s the famous thread, where they reject the notion of distributing Signal over F-Droid (instead having their own special updater, in their Google-less APK). What also annoys me is that their desktop client is based on Electron, which would have been very hard for me to use before upgrading my desktop last year.

                                                                                                                                                                          1. 6

                                                                                                                                                                            My vote is for Signal. It has good clients for Android and iOS and it’s secure. It’s also simple enough that non-technical people can use it comfortably.

                                                                                                                                                                            What I hate about signal is that it requires a mobile phone and an associated phone number. That makes it essentially useless - I loathe mobile phones - and very suspect to me. Why can’t the desktop client actually work?

                                                                                                                                                                            1. 2

                                                                                                                                                                              I completely agree. At the beginning of 2020 I gave up my smartphone and haven’t looked back. I’ve got a great dumb phone for voice and SMS, and the occasional photo. But now I can’t use Signal as I don’t have a mobile device to sign in to. In a word where Windows, Mac OS, Linux, Android, and iOS all exist as widely used operating systems, Signal is untenable as it only as full featured clients for two of these operating systems.

                                                                                                                                                                              Signal isn’t perfect.

                                                                                                                                                                              This isn’t about being perfect, this is about being accessible to everyone. It doesn’t matter how popular it becomes, I can’t use it.

                                                                                                                                                                              1. 1

                                                                                                                                                                                What I hate about signal is that it requires a mobile phone and an associated phone number.

                                                                                                                                                                                On the bright side, Signal’s started to use UUIDs as well, so this may change. Some people may think it’s gonna be too late whenever it happens, if it does, but at least the protocols aren’t stagnant!

                                                                                                                                                                                1. 1

                                                                                                                                                                                  They’ve been planning on fixing that for a while, I don’t know what the status is. The advantage of using mobile phone numbers is bootstrapping. My address book is already full of phone numbers for my contacts. When I installed Signal, it told me which of them are already using it. When other folks joined, I got a notification. While I agree that it’s not a great long-term strategy, it worked very well for both WhatsApp and Signal to quickly bootstrap a large connected userbase.

                                                                                                                                                                                  In contrast, most folks XMPP addresses were not the same as their email addresses and I don’t have a lot of email addresses in my address book anyway because my mail clients are all good at autocompleting them from people who have sent me mail before, so I don’t bother adding them. As a result, my Signal contact list was instantly as big as my Jabber Roster became after about six months of trying to get folks to use Jabber. The only reason Jabber was useable at all for me initially was that it was easy to run an ICQ bridge so I could bring my ICQ contacts across.

                                                                                                                                                                                  1. 1

                                                                                                                                                                                    Support for using it without a phone number remains a work in progress. The introduction of PINs was a stepping stone towards that.

                                                                                                                                                                              1. 5

                                                                                                                                                                                Debian has to figure out how to co-operate with other package managers. By painstakingly repackaging every npm dependency they’re not adding any value. From perspective of an npm user it is very weird. The Debian versions are installed in places that npm doesn’t recognize, so I can’t use them even if I wanted to.

                                                                                                                                                                                1. 1

                                                                                                                                                                                  On the bright side, the places where they are packaged are out of your way so they won’t unpredictably break things for you.

                                                                                                                                                                                  1. 0

                                                                                                                                                                                    Debian has no problems co-operating with, say, pip. Python packages installed using Debian package manager is visible to pip. Perhaps it’s npm that should figure out how to co-operate with system package managers, not Debian.

                                                                                                                                                                                    1. 5

                                                                                                                                                                                      Debian has no problems co-operating with, say, pip.

                                                                                                                                                                                      Yes it does.

                                                                                                                                                                                      I’ve seen tons of Python projects that basically start their setup instructions with “create a virtualenv and use pip to install the dependencies.” The whole point of virtualenv is to avoid the distribution-packaged pip libraries in favour of whatever the latest one is. Projects that do get redistributed by Debian, like Mercurial, have to go out of their way to avoid pulling in pip dependencies.

                                                                                                                                                                                      https://gregoryszorc.com/blog/2020/01/13/mercurial's-journey-to-and-reflections-on-python-3/

                                                                                                                                                                                      In April 2016, the mercurial.pycompat module was introduced to export aliases or wrappers around standard library functionality to abstract the differences between Python versions. This file grew over time and eventually became Mercurial’s version of six. To be honest, I’m not sure if we should have used six from the beginning. six probably would have saved some work. But we had to eventually write a lot of shims for converting between str and bytes and would have needed to invent a pycompat layer in some form anyway. So I’m not sure six would have saved enough effort to justify the baggage of integrating a 3rd party package into Mercurial. (When Mercurial accepts a 3rd party package, downstream packagers like Debian get all hot and bothered and end up making questionable patches to our source code. So we prefer to minimize the surface area for problems by minimizing dependencies on 3rd party packages.)

                                                                                                                                                                                      1. 1

                                                                                                                                                                                        I mean, yes. kornel doesn’t like Debian because Debian packages are not visible to npm. notriddle doesn’t like Debian because upstreams don’t want Debian packages to be visible to pip. Two are in contradiction. This is not a solvable problem.

                                                                                                                                                                                        1. 3

                                                                                                                                                                                          It’s not a contradiction. Debian is just failing both types of users by doing a half-assed thing. It’s neither leaving packages alone, nor providing a set large and compatible enough to be useful.

                                                                                                                                                                                  1. 3

                                                                                                                                                                                    Incidentally, here is a piece of advice: if you are ever agonising over some design detail that is not core to what makes your language special, and all options seem equally reasonable, just go with whatever Rust does. Odds are that whatever Rust decided was preceded by significant debate, and that whatever they picked has few gotchas. Lexical syntax is one area where this is particularly good (and easy) advice to follow.

                                                                                                                                                                                    Questionable.

                                                                                                                                                                                    1. 10

                                                                                                                                                                                      I think it’s a good idea if you want to avoid having your language called weird or academic. Rust is very conscious about its “weirdness budget”, and carefully threads the needle between looking familiar and fixing old problems. It managed to get traction as a C-family language despite being influenced by ML-family and other “exotic” languages.

                                                                                                                                                                                      There are many similarities between Rust, Swift and TypeScript. All of them are here to stay, so it’s likely that they are influencing what the evolution of preferred “C-like” syntax and set of features is going to be.

                                                                                                                                                                                      1. 1

                                                                                                                                                                                        fixing old problems

                                                                                                                                                                                        Which specifically?

                                                                                                                                                                                        1. 12

                                                                                                                                                                                          If we’re talking about syntax and comparing with C-family languages as a baseline:

                                                                                                                                                                                          • Making variable declarations unambiguous
                                                                                                                                                                                          • Making types unambiguous – AFAIK, you can always look at an arbitrary identifier and from a minimum amount of context know whether it is a type or a variable
                                                                                                                                                                                          • Relatedly, getting rid of (foo) bar as a way to cast expression bar to type foo, which in my experience is a great way to make parsing hard
                                                                                                                                                                                          • Making generics use <> (yeah yeah I don’t like it either) but making it unambiguous with regards to the greater-than and less-than operators
                                                                                                                                                                                          • If’s are expressions, removing the need for a ternary operator
                                                                                                                                                                                          • Almost everything is an expression, actually
                                                                                                                                                                                          • Curly braces after if/while/etc are mandatory, removing a source of errors
                                                                                                                                                                                          • Parentheses after if/while/etc are absent, removing a source of noise
                                                                                                                                                                                          • Basically everything has a literal syntax of some kind or another
                                                                                                                                                                                          • Optional trailing commas everywhere you could want them, making code generation easier

                                                                                                                                                                                          I could go on. There are a few warts that are widely acknowledged as such I think, and you can do some outright painful things with pattern matching if you try hard enough (I recently had occasion to write if let Ok((&mut mut foo,)) = bar {...} and it made me rethink my life), but all in all if you want something that looks kinda like C++, Rust’s syntax is pretty good. If you don’t want something that looks kinda like C++, you can make some fairly superficial alterations and get something that looks more like a typed Lua.

                                                                                                                                                                                          1. 1

                                                                                                                                                                                            I don’t think there is a lot in that list in terms of “fixing old problems”.

                                                                                                                                                                                            It reads more like “don’t be stupid, don’t be C” … welll d’oh!

                                                                                                                                                                                            1. 1

                                                                                                                                                                                              Well, C and C++ are still the most popular languages for low-level development, so just being “a better and safer but more powerful C” is actually a great pitch.

                                                                                                                                                                                              1. 1

                                                                                                                                                                                                Yeah, just not one that supports the original claim.

                                                                                                                                                                                            2. 1

                                                                                                                                                                                              Parentheses after if/while/etc are absent,

                                                                                                                                                                                              One of the saddest choices…

                                                                                                                                                                                              1. 3

                                                                                                                                                                                                I think this one contributes to Rust looking “ugly” to some people, but as a syntax it works fine. Optional braces were proven to be dangerous (goto fail bug), and once you fix that by making braces required, the parens are unnecessary.

                                                                                                                                                                                                 if (foo) bar();
                                                                                                                                                                                                 if foo {bar();}
                                                                                                                                                                                                

                                                                                                                                                                                                is the same number of characters and the same number of shift presses (at least on a US-layout keyboard).

                                                                                                                                                                                                1. 1

                                                                                                                                                                                                  That’s disingenous, usual style uses whitespaces around {}, so if foo { bar(); }. Two characters longer, and I believe I am not alone when I say it’s still uglier even with two characters more.

                                                                                                                                                                                                2. 2

                                                                                                                                                                                                  Why? They are not functions

                                                                                                                                                                                                  1. 1

                                                                                                                                                                                                    gratuitous incompatibility with parsers already installed in many, many human brains for no benefit

                                                                                                                                                                                                    1. 4

                                                                                                                                                                                                      Eh, I thought it was weird at first, but it very quickly goes from weird to normal. I actually think it reads much more clearly than with parens.

                                                                                                                                                                                                      1. 1

                                                                                                                                                                                                        Wait until you discover that it isn’t Java you’re parsing. 🤯

                                                                                                                                                                                                        It’s not gratuitous at all, unlike languages which keep all of C’s defects for sentimental reasons.

                                                                                                                                                                                                        1. 1

                                                                                                                                                                                                          since this one isn’t a defect, but merely an arbitrary choice, going with the existing popular choice seems good. There are dozens of languages sharing the parenthesized if/for/while/etc syntax

                                                                                                                                                                                                    2. 1

                                                                                                                                                                                                      Gets rid of single-line ifs, which is a great way to cut down bugs. You can still put the whole thing with braces on one line, too.

                                                                                                                                                                                                    3. 1

                                                                                                                                                                                                      Regarding garnet research, I’m curious if you had a look at Nim too? I didn’t notice it mentioned in your notes there, at least at a glance. One of the things I find interesting about it, is that from what I read somewhere, its author’s original intention was to try and build it all based on macros, with as minimal core as possible. He claimed there that he kinda failed at that (sorry, I don’t have a link), but I think it leaves Nim with a rather powerful macros system, that (together with Rebol, which I see Nim as a kinda typed variation of) made me start to understand how powerful can macros probably be in Lisp. Other than that, I like how it manages to look nearly like Python, but be statically typed, and that the type declarations tend to nearly disappear. Though, similar as with OCaml, I find it somewhat of a language more focused on being practical than being “pretty from CompSci perspective”, with quite a number of seemingly somewhat sketchy, weird and randomly slapped on features here and there, that surprisingly tend to work together quite well. Sorry for the ode, I just like this language for some time recently :)

                                                                                                                                                                                                      edit: uh, and one more thing related to modules, where I believe Go struck gold and Nim does rather poorly (though that’s understandable given it has “universal function call syntax” and operator overloading), is with naming and “avoiding stutter” - in that module names give mental context to their contents, and can be assumed as part of the name, but then in quite many places can be thus omitted (esp. inside a module). So you don’t need “newRegex” but just “regex.New” (IIRC Lua indeed also enables a similar approach (in fact, when I was trying to write a Lua interpreter for Go long time ago, I got super challenged by the “uncanny valley” of many “parallel evolution” similarities between them, such that I found it extremely difficult to write code in both languages in a single file)).

                                                                                                                                                                                                    4. 2

                                                                                                                                                                                                      Declarations always start with a keyword (particularly fn). This neatly avoids the Most Vexing Parse from C++, and it allows function declarations to be nested inside other function declarations.

                                                                                                                                                                                                      But more importantly, it will make writing a Rust REPL in the future so much easier, because you’ll be able to type items into a prompt that expects an expression, and it’ll just work. Joe Armstrong complained bitterly about how Erlang can’t do that, because the item grammar and the expression grammar in Erlang aren’t compatible. He flat-out said “Erlang has a bug” because of this, and he’s right.

                                                                                                                                                                                                  2. 4

                                                                                                                                                                                                    I think Rust made a big mistake of choosing <> for generics instead of [], but if you are to follow X by default, Rust is probably not a bad choice of X (compared to, say, Scala). Futhark uses ML-style module for generics so does not need generics bracket anyway.

                                                                                                                                                                                                    1. 3

                                                                                                                                                                                                      I’d say that Scala 2 would be an excellent choice to follow.

                                                                                                                                                                                                      The language is way more regular than Rust in the parts that are likely to be of relevance/copied/shared¹.

                                                                                                                                                                                                      ¹ i. e. not the “emulating compile-time Prolog with implicits” part

                                                                                                                                                                                                    2. 1

                                                                                                                                                                                                      This section got my attention as well.

                                                                                                                                                                                                      I’m curious if folks who do compiler / plt here work feel similarly.

                                                                                                                                                                                                      1. 2

                                                                                                                                                                                                        Rust did a good job with its string literal syntax, so I chose to copy it for a byte string interchange format for Oil called QSN:

                                                                                                                                                                                                        http://www.oilshell.org/release/latest/doc/qsn.html

                                                                                                                                                                                                        It’s very similar to JSON except it can express arbitrary byte strings, and doesn’t need surrogate pairs.

                                                                                                                                                                                                        They got rid of the legacy from C like \v and octal, and the unnecessary ambiguity of \u1234 and \U00001234, in favor of \u{1234}.


                                                                                                                                                                                                        But I think the advice is a little too “extreme” overall. I would say if you are designing a language that looks roughly like C or JavaScript, then Rust and Go are good places to look. Swift has made some good choices too. I think Go designers put just as much thought into it, and came up with similar if not identical conclusions (even though I don’t really use Rust or Go myself).

                                                                                                                                                                                                        Though in the case of string literals, Go seems to inherit the legacy from C, which makes it slightly more annoying to implement.

                                                                                                                                                                                                        It does feel like that kind of syntax is “winning”, i.e. ALGOL style with curly braces. Most popular languages now seem to converge on something that looks familiar to C or JavaScript users (e.g. Kotlin). There are definitely limitations to that but on the whole I don’t think it’s bad.