1. 9

    Sounds about right.

    Anyone ever used bcachefs in practice? I’ve been watching it off and on for a while now, but it seems slow to mature. Though it advertises itself as more or less stable, it’s not yet feature-complete and isn’t mainlined into the Linux kernel yet.

    1. 8

      While the work seems slow, Kent Overstreet is a very dedicated man. There’s a few commits to bcachefs a couple times a week at least. He’s not really advertising it, but continues to polish the code.

      I haven’t used it yet, (I did use bcache itself a lot) but I’m certainly hoping for the best and chipping in for the development. https://www.patreon.com/bcachefs

      1. 1

        I’m quite excited about it and have been meaning to give it a spin at some point. As soon as it’s in the Linux kernel and easy enough to test drive for my rootfs I plan to switch. I can handle a little experimental if it seems like it’s at least heading toward being a rock solid FS.

      1. 2

        The author pronounces it [aɡe̞], like the Italian “aghe”.

        Does the author mean aghi? Aghe is not an Italian word.

        Now I am confused. Is the pronunciation as ah-gee (as you would say aghi in Italian) or ah-geh (as you would pronounce aghe in Italian if that were a word)?

        1. 3

          It seems unlikely to me that the majority of people who encounter this library at its point of use will think to investigate how it’s pronounced. I expect most will assume it’s the English word. Naming things is hard; there are many pitfalls.

          1. 3

            I’m also confused. It links to google translate which translates it to “needles”, but I’ve never heard the word pluralized like that. I’m guessing it comes from FiloSottile’s dialect.

            1. 1

              I think I just got it. The link to google translate is there so you can play the pronunciation and not to translate it to English. I guess that’s helpful for everyone that is not Italian, lol.

            2. 2

              The latter. I’m sure he used to describe it as pronounced the Japanese way, but perhaps even fewer people understand that :-)

              1. 1

                I also thought it was pronounced like in chicken karaage. However, I now suspect I pronounce that wrong also since I say “ah-hey” rather than “ah-geh”.

                1. 3

                  Heh yeah, for the record you’re pronouncing it wrong - a mora consisting of a g followed by any vowel is always a hard G sound in Japanese.

                  So it’s kah-rah-ah-geh (more or less, in a standardish American accent, although with no aspiration because those Hs are just there to steer you towards the right vowel sound, and with the vowel sounds held for a somewhat shorter period of time than you might default to)

            1. 14

              Easier way to eavesdrop on Signal users: ask Google to send them a modified apk and update it silently (which Android can do for Google Play apps). Or update Signal from Signal’s own update mechanism.

              Those huge weak points only exist because of Signal’s insistence on not allowing open source builds to be distributed.

              1. 10

                It’s worse yet than “if google uploaded a poison APK”

                Google’s keyboard “GBoard” communicates with the internet for various reasons. You don’t need to poison a fake APK - you can spy on the keyboard directly.

                And it has rudimentary ML capacity since it can and will correct words that you type previously.

                1. 1

                  That’s why I use simple keyboard.

                  1. 3

                    Absolutely true that you can install different keyboards - however the defaults always retain a significant amount of power.

                    And Signal’s messaging is poor here as well. They never mention anything about GBoard and its ability to spy on every character you type and substitute. Using Signal with defaults can get you taken for a black van ride, if you’re not careful.

                    1. 6

                      Isn’t the point of signal to make mass surveillance too expensive via rock solid E2E for the masses? You don’t get a van ride if someone isn’t already seriously invested in your messages since mass interception is too difficult using the above methods. Your phone could just as easily be attacked by any other software attack surface. E2E encryption doesn’t solve device/OS level security problems.

                      1. 4

                        Really. A black van ride. I mean you’re not wrong but this escalated pretty quickly to “Signal is responsible for my abduction by not communicating that the dangerous GBoard is Google’s default in smart phones.”

                        1. 1

                          It’s certainly the outlier, but has happened. And it primarily happens with whistleblowers and similar leak-to-news-agencies.

                          And Naomi Wu (RealSexyCyborg) in China has reported similar with dissident friends who were black-bagged after talking about sensitive stuff on Signal.

                          Doing usual sensitive stuff like sexting or getting passwords isn’t going to have any real ramifications. But if you involve reporters or dissidents, your phone won’t protect you.

                  2. 7

                    Easier way to eavesdrop on Signal users: ask Google to send them a modified apk and update it silently (which Android can do for Google Play apps).

                    I think Google can’t do that, if Signal signs its app itself. (See android.com: Manage your own signing key) In this case Google could only give you a different app with the same name if it’s the initial installation of the app. But for updates this wouldn’t work. Also this would sooner or later be detected by the public since the signature can be compared manually after the fact.

                    Also you can download the APK directly from Signal.org. This way you still have to trust Signal and its TLS CA. The APK updates itself from then on (as far as I know). While the underlying OS is still Android from Google or iOS from Apple, IMO it gets silly to focus on Signal in that regard.

                    I’m happy that Signal exists and that it has the potential to appeal to the masses while providing the technical means to shield (legally acting) businesses from exploiting the chat data. Of course any improvement is welcome nonetheless.

                    1. 3

                      Who knows with Google, these days? They are known to force-install apps without notification or consent: https://news.ycombinator.com/item?id=27558500

                      1. 3

                        Who checks the signature of the app you’re running? It seems like it’d be pretty easy to have Android not check the signature on startup, if you’re considering Google acting against the user.

                        1. 2

                          If we go full paranoia: theoretically there is a possibility that the Google Play app installer service could secretly circumvent the whole “updates-with-same-certificate” model by e.g. replacing the cert in the package manager’s database, right? (Assuming Play has parts running as root which I think it did?)

                          1. 2

                            Even on rooted devices, a changed certificate will cause the device to first uninstall (and remove all associated data) the existing app.

                            If we assume Google is going to be complicit in a surveillance measure in the future, they will have had to add a covert option for the OS to not do that in the past.

                            But if we assume Google to be complicit, all bets are off anyways and you should probably side-load Signal to begin with. And replace the phone OS with one you built yourself after auditing all of its millions of lines of code.

                        2. 3

                          Or update Signal from Signal’s own update mechanism.

                          That would require you to have Signal’s signing keys, which I hope live in some HSM and which require manual physical interaction to make use of.

                          ask Google to send them a modified apk and update it silently

                          This would work, but only for fresh installs. The system refuses to update an installed apk with one that’s signed by different keys.

                          You can force the install, but it will first uninstall the existing application with all of its data

                          1. 1

                            Those huge weak points only exist because of Signal’s insistence on not allowing open source builds to be distributed.

                            Ironically, this insistence means that on Linux the only installation is via their third party apt repository rather than from an official distribution package source. It’s the exact opposite on Android, where the only installation is from Google, the “official” Android distribution package source. This is exactly the wrong way round to how I’d like it because in both cases more trusted sources are available.

                          1. 2

                            I’ve followed its development and tooling issues from the start. I love MVS and the overall design. I think the biggest pain points have been tooling UX (which has come a long way and is getting quite nice) and SIV (semantic import versioning). In hindsight, I think SIV causes people a lot of UX issues. I think possibly there could have been an alternative convention for breaking changes since SIV is really just a convention that tooling supports and library authors have to understand and remember to use correctly anyway.

                            1. 1

                              Company: Stellar Development Foundation

                              Company site: https://stellar.org (open source: https://github.com/stellar)

                              Position(s):

                              Engineering

                              Ecosystem

                              Product

                              Business Development

                              Legal & Policy

                              Location: SF, NY, Asia-Pacific, or Remote

                              Description: Stellar is a decentralized, fast, scalable, and uniquely sustainable network for financial products and services. It is both a cross-currency transaction system and a platform for digital asset issuance, designed to connect the world’s financial infrastructure.

                              The Stellar Development Foundation (SDF) is a non-profit organization that supports the development and growth of Stellar. The Foundation helps maintain Stellar’s codebase, supports the technical and business communities building on the network, and serves as a voice to regulators and institutions. The Foundation seeks to create equitable access to the global financial system, using the Stellar network to unlock the world’s economic potential through blockchain technology.

                              The Foundation’s work is open sourced under the Apache 2.0 license: https://github.com/stellar

                              Tech stack:

                              • C++ 11, Go, TypeScript, JavaScript
                              • Postgres, BigQuery
                              • Kubernetes

                              Contact: Apply here

                              1. 2

                                I tried to read the whitepaper a while back, correct me if I’m wrong here:

                                • Stellar is a fork of ripple?
                                • Stellar uses voting within subsets and has many overlapping subsets, the consensus is some convergence? I’d appreciate if you could explain this a bit.

                                Another thing I’m curious about:

                                • What does it take to become a validator?
                                • How are new tokens minted / distributed?
                                • How do you do oracles?
                                • How do you make sure that these “stable assets” (pegs to fiats or other things) track what they are pegging?

                                I was like 99.9999% sure this project was a scam when I looked at the paper, it tries so hard to obfuscate how it works and the ratio of claims to explanations is very bad. Seeing it here on lobsters is very surprising to me.

                                1. 2

                                  I was like 99.9999% sure this project was a scam when I looked at the paper, it tries so hard to obfuscate how it works and the ratio of claims to explanations is very bad. Seeing it here on lobsters is very surprising to me.

                                  I can’t comment on the project directly but I’ve met one of the people involved in it socially not knowing we both worked in tech and later briefly discussed Stellar. I don’t believe it’s a scam or that they would have anything to do with it if it were.

                                  1. 2

                                    A scam in the sense of whether they are actually a byzantine fault tolerant decentralized system in the first place (something they claim to be).

                                    The paper does not feel clear but rather obfuscated. The questions I asked are pretty important prerequisites for deciding if you want to throw your lot in with these people, whatever people think of blockchains, it is pretty clear that byzantine fault tolerance is an important property that is desirable in any political / economic system. Exploring how it can be achieved is a worthwhile research. However due to the perverse incentives there’s all sorts of outrageous claims.

                                    Another problem that would be desirable to avoid is the tragedy of the commons (the cause of climate change), which proof of stake is vulnerable to (as well as at least a large class of voting protocols, if not all), but the exploit would require co-ordination that seems to be implausible with current social networking technology (however I believe that the exploit would come in the form of something not vulnerable to tragedy of the commons, though I have yet to prove that).

                                    I am not saying this because I am fond of proof of work, quite the opposite, the environmental consequences mean we should be trying to find a better solution. However we should be truthful in that pursuit and respect mathematical facts (like PoS being vulnerable to ToC) - they have a tendency to predict the future.

                                  2. 2

                                    I think they misrepresent achieving the same distributed consensus projects like bitcoin do. It’s ultimately obfuscated federated control.

                                    That said I think many blockchain projects are scams in that they misrepresent distributed consensus being the solution to problems when it really isn’t.

                                    1. 1

                                      @ilmu Great questions, thanks!

                                      The old Stellar network that launched in 2014 was using software (stellard) that was a modified fork of the Ripple node software (rippled). In 2015 the current Stellar network was launched with a new consensus model (SCP) and new stellar-core software that was written fresh. There are some blog posts about the network upgrade that go into more detail: 1, 2.

                                      For details about how the Stellar Consensus Protocol (SCP) works, I recommend these resources. The video talks about how the voting works.

                                      1. 1

                                        Thank you for answering, I just saw that you did due to the reply feature being back, I looked at these resources a bit (not through it yet) and it looks like the path you have chosen is interesting (to me at least, the model I am trying to figure out is similar in direction to yours). However I don’t think you can claim byzantine fault tolerance as-is.

                                  1. 1

                                    Jake! This is awesome. I really love the tooling UX for standing things up especially. Gonna play around with it later.

                                    One thought is that subnet associations might be a little inflexible. I could imagine that a user in an ENG subnet might wanna quickly give one (and only one) person in NON-ENG temp access to a service. Seems like this kind of thing would only work easily if both the user and the service were already in their own subnets of 1 peer. Then again, I often am the one arguing against more powerful primitives for the sake of simplicity in ux and implementation.

                                    1. 11

                                      As a language Rust is significantly better than Go, for any purpose.

                                      But a much better selection of libraries will be available to you if you use Go, and you’ll just have better community support in general.

                                      1. 15

                                        As a language Rust is significantly better than Go, for any purpose.

                                        Depends on the metric — how about time to productivity? ;)

                                        1. 3

                                          I picked up Go as a Python programmer, and it indeed was easy to get up to speed with, and start enjoying it for the added (compared to Python) benefits of static typing and concurrency.

                                          Of course, learning never stops if you keep yourself curious, so I wasn’t going to keep proclaiming that Go is the best. I happened to use and immensely enjoy Elm later, which – due to its shortcomings – led to learning Haskell (now that had quite a learning curve). With that knowledge now in my belt, I’d certainly choose Rust over Go if presented a choice. In the end, I am far more productive in Haskell than Go or Python. I’m pretty sure Rust would fall in that spectrum.

                                          Now, in a team setting you are going to compromise and deal with what’s best for the team. Unless you change teams / companies, like I did when wanting to write Haskell by default. So, there are quite a range of factors – technical, social and personal – when it comes to someone choosing a programming language for use in a project.

                                          1. 1

                                            Maybe you’re an exception but that approximately no one is more productive in haskell than go seems easy to conclude from looking at what’s produced by each community.

                                            1. 1

                                              Just a note, but solo productivity by language probably doesn’t translate to group productivity by language in most cases.

                                            2. 2

                                              Depends on the meta-metric. There are definitely cases where focusing on the minimization of a fixed cost like time to productivity is strategically sound, but I don’t think those cases are anywhere near as common as one might guess from how often that metric is lauded.

                                              1. 1

                                                Fixed cost per developer on the project, sure, but healthy projects necessarily have a constantly rotating pool of developers, don’t they?

                                          1. 17

                                            I’m ambivalent on this post. On the one hand, I think it’s completely fair to say the Go team could/should do more to communicate how modules are supposed to work, especially if there’s widespread confusion. I don’t know if that confusion is widespread, but let’s be generous and assume it is. Adding warnings to Go’s tooling seems like a good suggestion, although I have some questions.

                                            On the other hand, the rest of this boils down to not liking the solution because it doesn’t work the way the author wants it to. It’s widely known that the Go team is very opinionated, and I’m honestly a bit tired of reading this sort of sniping.

                                            The closing paragraph also seems very poorly thought out. How does the optional versioning approach described work in practice? How do I as a module author indicate that I’m using (or not using) the standard versioning approach? How does that choice impact module consumers? The “best” option leaves so many unanswered questions that it’s not clear to me it’s a realistic option at all.

                                            So yeah, a frustratingly mixed read.

                                            1. 23

                                              It’s widely known that the Go team is very opinionated, and I’m honestly a bit tired of reading this sort of sniping.

                                              The problem seems to be that, increasingly, the Go team’s opinions aren’t working for people who actually use Go outside of Google. It’s not “sniping” to articulate why those opinions aren’t working and suggest alternatives.

                                              1. 10

                                                It’s sniping because, as I say above, beyond mere suggestion the author doesn’t wrestle at all with how his suggestions would actually work in practice. It’s sniping because it’s easy.

                                                1. 16

                                                  So you’re upset they took the easy route of dismissing an opinionated stance that didn’t work for them.

                                                  But to do so, you’re… taking the easy route of dismissing an opinionated stance that wouldn’t work for you.

                                                  Again, it’s OK for people not to like something the Go team did. It’s not automatically “sniping” or whatever other derogatory term.

                                                  1. 7

                                                    Cute wordplay aside, if you’re going to do something unidiomatic, then the burden of proof is on you to show that it’s an improvement. Otherwise I’m in my right not to take this seriously.

                                                    1. 16

                                                      I think the author’s point is that most people are not aware that not only what they are doing is considered “unidiomatic” by the team, but also that the “idiomatic” approach is not something they want to adopt.

                                              2. 3

                                                I wish the author separated the criticism of SIV from the old tired vgo/dep drama. I find that stuff tiring as well. I’ve been enthusiastic about modules from day 1 (after much suffering from godep, glide, and dep); however, over time I started to think that SIV probably wasn’t worth it compared to just telling people to rename on breaking changes. I’m sure had they gone without SIV that that choice would have garnered lots of cheap criticism too.

                                              1. 4

                                                I really don’t understand why people can’t just name their package like sqlite. Instead of:

                                                github.com/andrewchambers/somepkg/v2
                                                

                                                Why did they not opt for just:

                                                github.com/andrewchambers/somepkg2
                                                

                                                It seems to me this way would work without any special tools.

                                                1. 4

                                                  I agree with you, but it is Go modules’ position that treating different major versions of an artifact as completely different artifacts is so important that it should be mandatory for all artifacts in the ecosystem.

                                                  1. 1

                                                    If I’m understanding you correctly, that makes more sense - Thanks for explaining.

                                                  2. 1

                                                    I agree strongly with this. I think overall, the SIV (semantic import versioning) rule creates more work and problems than it solves. Simply renaming your package on breaking changes I think works out better overall though I understand the rationale of SIV.

                                                  1. 3

                                                    This looks super cool! Thanks for posting it! I’d like to find an alternative to 1Password because they are an evil organization, so going to keep my eyes on this one! :)

                                                    I have a couple questions for anyone who may know and doesn’t mind!

                                                    When I enter the master password, does it go to the server or does it stay on the client? If it stays on the client, does that mean that all someone needs to download my encrypted data is my email address?

                                                    I’d like to use this but also think that the benefit 1Password has is either that the secret key is needed to grab someone’s encrypted data (which could be cracked at any future time) or that the master password is never sent to the server - but trying to figure out which model Bitwarden is taking here!

                                                    Thanks for any responses <3

                                                    1. 6

                                                      When you log in with Bitwarden, the client sends a request to /api/accounts/prelogin, which tells the client which key derivation function to use, and for how many rounds.

                                                      On registration, the Bitwarden server will accept a client-generated asymmetric keypair, with the private key encrypted with the master-password-derived key.

                                                      The client then:

                                                      1. Uses the KDF to derive a key from the master password,
                                                      2. Hashes the master password using this key,
                                                      3. Sends the hashed password to the /api/identity/connect/token endpoint.

                                                      The server responds with the previously stored (encrypted!) keypair, which the user can decrypt using their master-password-derived key, and then use this private key to decrypt their passwords. This means that changing the master password only results in re-encrypting the private key, instead of the entire set of password entries that are stored.
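The login flow described in the comment above, as an added example that is not part of the original comment and is not Bitwarden's code. Assumptions: PBKDF2-SHA256 with the e-mail as salt, a single extra PBKDF2 round for the login hash, a hypothetical in-memory `Server` class, and an HMAC-based encrypt-then-MAC stand-in for the authenticated cipher a real client would use.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed prelogin reply: the comment only says it names the KDF and the round count.
PRELOGIN = {"kdf": "pbkdf2-sha256", "iterations": 100_000}


def derive_master_key(password: str, email: str, iterations: int) -> bytes:
    """Step 1: stretch the master password (e-mail as salt is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), iterations)


def login_hash(master_key: bytes, password: str) -> bytes:
    """Step 2: hash the password keyed by the master key (one extra round, assumed)."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1)


def _subkeys(master_key: bytes):
    # Separate encryption and MAC keys derived from the master key.
    return (hmac.new(master_key, b"enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def wrap(master_key: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC stand-in (illustration only) for wrapping the private key."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unwrap(master_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Hypothetical server: keeps a salted hash of the login hash and the wrapped key."""

    def __init__(self):
        self.accounts = {}
        self.received = []  # every byte string the server was ever sent

    def prelogin(self, email: str) -> dict:
        return PRELOGIN

    def set_credentials(self, email: str, auth_hash: bytes, wrapped_key: bytes) -> None:
        self.received += [auth_hash, wrapped_key]
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 10_000)
        self.accounts[email] = (salt, stored, wrapped_key)

    def token(self, email: str, auth_hash: bytes) -> Optional[bytes]:
        self.received.append(auth_hash)
        salt, stored, wrapped_key = self.accounts[email]
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 10_000)
        return wrapped_key if hmac.compare_digest(stored, candidate) else None


def register(server: Server, email: str, password: str, private_key: bytes) -> None:
    mk = derive_master_key(password, email, server.prelogin(email)["iterations"])
    server.set_credentials(email, login_hash(mk, password), wrap(mk, private_key))


def login(server: Server, email: str, password: str) -> Optional[bytes]:
    mk = derive_master_key(password, email, server.prelogin(email)["iterations"])
    wrapped = server.token(email, login_hash(mk, password))  # step 3
    return unwrap(mk, wrapped) if wrapped is not None else None


def change_password(server: Server, email: str, old: str, new: str) -> bool:
    """Only the private key is re-wrapped; vault entries would stay untouched."""
    private_key = login(server, email, old)
    if private_key is None:
        return False
    register(server, email, new, private_key)
    return True


if __name__ == "__main__":
    srv = Server()
    key = b"constructed private key bytes"  # constructed sample, not a real key
    register(srv, "user@example.test", "correct horse battery", key)
    print(login(srv, "user@example.test", "correct horse battery") == key)
    print(login(srv, "user@example.test", "wrong guess"))
```

The server only ever receives the login hash and the wrapped key, so a copy of the server's data still has to be attacked through the KDF to recover the master key.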

                                                      1. 1

                                                        Cool! Thank you for the info! Seems pretty secure, I’m going to make the switch =^.^=

                                                      2. 5

                                                        1Password has a very impressive and detailed security design document worth reading for anyone interested in this space. https://1password.com/files/1Password-White-Paper.pdf

                                                        What about 1p is evil btw?

                                                        1. 1

                                                          The organization itself has had questionable layoffs, has been called out by queer people for being a hostile work environment, etc.

                                                          1. 3

                                                            I was considering applying to 1Password, do you have any sources? A cursory web search doesn’t lead me anywhere useful.

                                                            1. 1

                                                              Hmm… Also can’t find them via search. My guess is that the Twitter feeds I have seen are private followers? If you end up working there, let us know how it goes =^.^=

                                                        2. 1

                                                          With all well known password managers, the master password stays on the client. Anything that did otherwise would be widely ridiculed on the internet.

                                                          Usually servers only give the encrypted data after authenticating (with a different hash of the master password, not the one that derives the encryption key). But IMO if you really trust your password manager, you should explicitly publish the encrypted vault.

                                                          1. 1

                                                            Not LastPass last time that I checked. You give them your password unhashed. It was widely ridiculed and people still use it. Their support team also won’t document their encryption process, saying it’s a “security risk”.

                                                        1. 4

                                                          To me it seems the most logical solution is to have a convention where all libraries that make backwards incompatible changes just change name.

                                                          sqlite3 is a perfect example of this, nobody worries or cares about sqlite1 or sqlite2. The system worked perfectly with no special support from the language.

                                                          The version suffix stuff being built into the tool seemed like a pointless complication to me.

                                                          1. 5

                                                            The version suffix stuff being built into the tool seemed like a pointless complication to me.

                                                            Yes.

                                                            Semantic Import Versioning is not only a complication, but actively user-hostile, in many circumstances.

                                                            1. 1

                                                              Also strong agree with this from me. I had a great time reading all design docs about modules when they were first happening and was and still am largely excited about them and their design approach. My main disappointment is SIV and some of the tooling changes and I think they are partially related. I thought maybe I’d get used to SIV but I’m less convinced than ever. I suspect SIV is responsible for the majority of significant hiccups and bugs people run into when adopting and understanding modules.

                                                              Adopting SIV seems more painful than the convention of just changing the import path. Additionally, I feel that the convention of changing your import path on major upgrades would result in more semver compliance from module authors than the world of SIV.

                                                              Honestly, I’d just stay on v0/v1 forever with maybe minor breakages depending on the scope of the project and userbase. Then just make a new import path if I need to make significant breaking changes.

                                                            1. 5

                                                              There really needs to be a federated github.

                                                              1. 46

                                                                Like… git ?

                                                                1. 21

                                                                  So github but without the hub. May be on to something.

                                                                  1. 7

                                                                    Github is one of my favorite stories when I talk about how decentralized systems centralize.

                                                                    1. 7

                                                                      But did GitHub really centralize something decentralized? Git, as a VCS is still decentralized, nearly everyone who seriously uses it has a git client on their computer, and a local repository for their projects. That part is still massively decentralized.

                                                                      GitHub as a code sharing platform, that allows issues to be raised and discussed, patches/pull requests to be submitted, etc. didn’t previously exist in a decentralized manner. There seems to have always been some central point of reference, be it website or just a mailing list. It’s not as if whole projects were just based around cc’ing email to one another all the time. How would new people have gotten involved if that were the case?

                                                                      The only thing I could see as centralising is the relative amount of projects hosted on GitHub, but that isn’t really a system which can be properly described as “decentralized” or “centralized”...

                                                                      1. 4

                                                                        It’s the degree to which people are dependent on the value-adds that github provides beyond git. It’s like a store having a POS that relies on communication with a central server. Sure, they can keep records on paper and do sales but it’s not their normal course, so they don’t. This comment on HN sums it up: https://news.ycombinator.com/item?id=16124575

                                                                      2. 1

                                                                        Got any other examples?

                                                                        1. 3

                                                                          Email would be a prominent one. Most people (and I can’t say I am innocent) use gmail, hotmail, yahoo mail, etc. I believe there is some general law that describes this trend in systems, which can then be applied to the analysis of different topics, for example matter gathering around other matter in physics or money accumulating itself around organizations with more money, etc.

                                                                          On the other side you have decentralized systems which didn’t really centralize significantly, for whatever reason, such as IRC, but which had a decrease in users over time, which I also find to be an interesting trend.

                                                                          1. 4

                                                                            Many businesses run their own email server and also I don’t have to sign up to gmail to send a gmail user an email but I do have to sign up to github.

                                                                            1. 1

                                                                              A tendency towards centralisation doesn’t mean that no smaller email servers exist, I’m sorry if you misunderstood me there. But on the other hand, I have heard of quite a few examples where businesses just use gmail with a custom domain, so there’s that.

                                                                              And it’s true that you don’t have to be on gmail to send an email to a hotmail server, for example, but most of the time, if just a normal person were to set up their mail server, all the major mail providers automatically view this new host as suspicious and potentially harmful, thus more probably redirecting normal messages as spam. This wouldn’t be that common, if the percentage distribution of mail servers weren’t that centralised.

                                                                          2. 1

                                                                            Did a talk using them. This cuts to the chase: https://www.youtube.com/watch?v=MgbmGQVa4wc#t=11m35s

                                                                      3. 1

                                                                        Git has a web interface?

                                                                        1. 7

                                                                          … federation is about data/communications between servers.. but seeing as you asked, yes it does: https://manpages.debian.org/stretch/git-man/gitweb.1.en.html

                                                                          1. 10

                                                                            To be fair, whjms did say “a federated github”. The main feature of GitHub is its web interface.

                                                                            1. 2

                                                                              Right, and there are literally dozens of git web interfaces. You can “federate” git and use whichever web ui you prefer.

                                                                              1. 12

                                                                                But you then miss out on issue tracking, PR tracking, stats, etc. I agree that Git itself provides a decentralized version control system. That’s the whole point. But a federated software development platform is not the same thing. I would personally be very interested to see a federated or otherwise decentralized issue tracking, PR tracking, etc platform.

                                                                                EDIT: I should point out that any existing system on par with Gitea, Gogs, GitLab, etc could add ActivityPub support and instantly solve this problem.

                                                                                1. 4

                                                                                  Doesn’t give you access to all the issues, PRs and comments though.

                                                                                  1. 4

                                                                                    git-appraise exists. Still waiting for the equivalent for issues to come along.

                                                                                    https://github.com/google/git-appraise

                                                                                    1. 4

                                                                                      huh git appraise is pretty cool.

                                                                                      I was going to suggest some kind of activitypub/ostatus system for comments. A bit like peertube does to manage comments. But a comment and issue system that is contained within the history of the project would be really interesting. Though it would make git repos take a lot more space for certain projects no?

                                                                                      1. 3

                                                                                        I’d assume that those could potentially be compressed but yes. It’s definitely not ideal. https://www.fossil-scm.org/index.html/doc/tip/www/index.wiki

                                                                                        ^^^^ Unless I’m mistaken, Fossil also tracks that kind of stuff internally. I really like the idea that issues, PRs, and documentation could live in the same place, mostly on account of being able to “go back in time”, and see when you go back to a given version, what issues were open. Sounds useful.

                                                                                    2. 3

                                                                                      BugsEverywhere (https://gitlab.com/bugseverywhere/bugseverywhere), git-issues (https://github.com/duplys/git-issues), sit (https://github.com/sit-it/sit) all embed issues directly in the git repo.

                                                                                      Don’t blame the tool because you chose a service that relies on vendor lock-in.

                                                                                      1. 4

                                                                                        If I recall correctly the problem here is that to create an issue you need write access to the git repo.

                                                                                        Having issues separated out of the repositories can make it easier, if the web interface can federate between services, that’s even better. Similar to Mastodon.

                                                                                        1. 1

                                                                                          There’s nothing to say that a web interface couldn’t provide the ability for others to submit issues.

                                                                                    3. 3

                                                                                      Right, and there are literally dozens of git web interfaces.

                                                                                      Literally dozens of git web interfaces the majority of developers either don’t know or care about. The developers do use GitHub for various reasons. voronoipotato and LeoLamda saying a “federated Github” means the alternative needs to look like or work with Github well enough that those using Github, but ignoring other stuff you mentioned, will switch over to it. I’m not sure what that would take or if it’s even legal far as copying appearance goes. It does sound like a more practical goal than telling those web developers that there’s piles of git web interfaces out there.

                                                                                      1. 1

                                                                                        I’m going to respond to two points in reverse order, deliberately:

                                                                                        or care about.

                                                                                        Well, clearly the person I replied to does care about a git web interface that isn’t reliant on GitHub.com. Otherwise, why would they have replied?

                                                                                        Literally dozens of git web interfaces the majority of developers either don’t know [about]

                                                                                        Given the above - The official git project’s wiki has a whole page dedicated to tools that work with git, including web interfaces. That wiki page is result 5 in google and result 3 in duckduckgo when searching for “git web interface”. If a developer wants a git web interface, and can’t find that information for themselves, nothing you, or I or a magic genie does will help them.

                                                                                2. 5

                                                                                  It’s not built-in, but Gogs and Gitea are both pretty nice.

                                                                                  1. 2

                                                                                    Hard agree. I run a personal Gogs site and it’s awesome.

                                                                              2. 7

                                                                                It would be enough if people stopped putting all their stuff on github.

                                                                                1. 8

                                                                                  It won’t happen for a while due to network effects. They made it easy to get benefits of a DVCS without directly dealing with one. Being a web app, it can be used on any device. Being free, that naturally pulls people in. There’s also lots of write-ups on using it or solving problems that are a Google away due to its popularity. Any of these can be copied and improved on. The remaining problem is the huge amount of code already there.

                                                                                  The next solution won’t be able to copy that since it’s a rare event in general. Like SourceForge and Github did, it will have to create a compelling reason for massive amounts of people to move their code into it while intentionally sacrificing the benefits of their code being on Github specifically. I can’t begin to guess what that would take. I think those wanting no dependency on Github or alternatives will be targeting a niche market. It can still be a good one, though.

                                                                                  1. 2

                                                                                    I hear the ‘network effects’ story every time, but we are not mindless automatons who have to use github because other people are doing it. I’m hosting the code for my open source projects on a self-hosted gitlab server and I’m getting contributions from other people without problems. Maybe it would be more if the code was on github, but being popular isn’t the most important thing for everyone.

                                                                                    1. 1

                                                                                      Just look at sourceforge, if everyone had to set up their own CVS/SVN server back in the day do you think all those projects would have made it onto the internet?

                                                                                      Now we have a similar situation with git, if GitHub/Bitbucket/etc. didn’t exist I’m sure most people would have stuck with sourceforge (Or not bothered if they had to self host).

                                                                                      You can also look at Googlecode to see the problem with not reaching critical mass (IMHO). There were some high profile projects there, but then I’m sure execs said, why are we bothering to host 1% (A guess) of what is on GitHub?

                                                                                      1. 1

                                                                                        ‘Network effects’ doesn’t mean you’re mindless automatons. It means people are likely to jump on bandwagons. It also means that making it easy to connect people together, esp removing friction, makes more of them do stuff together. The massive success of Github vs other interfaces argues my point for me.

                                                                                        “Maybe it would be more if the code was on github”

                                                                                        That’s what I’m telling you, rephrased. Also, expanded to the average project as some will get contributions, some won’t, etc.

                                                                                    2. 4

                                                                                      Heck even I won’t move off of it until there is a superior alternative, sorry.

                                                                                    3. 3

                                                                                      I thought about a project along these lines a while ago. Something along the lines of cgit, which could offer a more or less clean and consistent UI, and an easy to set up backend, making federation viable in the first place. Ideally, it wouldn’t even need accounts, instead Email+GPG could be used, for example by including an external mailing list into the repo, with a few additional markup features, such as internal linking and code highlighting. This “web app” would then effectively only serve as an aggregator of external information, onto one site, making it even easier to federate the entire structure, since the data wouldn’t even be necessarily bound to one server! If one were to be really evil, one could also use GitHub as a backend…

                                                                                      I thought about all of this for a while, but the big downsides from my perspective seemed to be a lack of reliability on servers (which is sadly something we have come to expect with tools such as NPM and Go’s packaging), asynchronous updates could mess stuff up, unless there were to be a central reference repo per project, and the social element in social coding could be hard to achieve. Think of stars, followings, likes, fork overviews, etc. these are all factors which help projects and devs display their reputation, for better or for worse.

                                                                                      Personally, I’m a bit sceptical that something along these lines would manage to have a real attractiveness, at least for now.

                                                                                      1. 3

                                                                                        Lacks a web interface, but there are efforts to use ipfs for a storage backend.

                                                                                        https://github.com/cryptix/git-remote-ipfs

                                                                                        1. 3

                                                                                          I think there have been proposals for gitlab and gitea/gogs to implement federated pull requests. I would certainly love it since I stuff most of my projects into my personal gitea instance anyway. Github is merely a code mirror where people happen to be able to file issues.

                                                                                          1. 3

                                                                                            I think this would honestly get the work done. Federated pull request, federated issue discussion

                                                                                            1. 1

                                                                                              I’m personally a bit torn if a federated github-like should handle it like a fork, ie, if somebody opens an issue they do it on their instance and you get a small notification and you can follow the issue in your own repo

                                                                                              Or if it should merely allow people to use my instance to file issues directly there like with OAuth or OpenID Connect. Probably something we’ll have to figure out in the process.

                                                                                              1. 2

                                                                                                just make it work like gnusocial/mastodon. username@server.com posted an issue on your repo. You can block server, have a whitelist, or let anyone in the world is your oyster.

                                                                                            2. 1

                                                                                              Would be nice if I could use my gitlab.com account to make MRs on other gitlab servers.

                                                                                            3. 1

                                                                                              I always thought it would be neat to try to implement this via upspin since it already provides identity, permissions, and a global (secure) namespace. Basically, my handwavy thoughts are: design what your “federated github” repo looks like in terms of files. This becomes the API or contract for federation. Maybe certain files are really not files but essentially RPCs and this is implemented by a custom upspin server. You have an issue directory, your actual git directory, and whatever else you feel is important for managing a software project on git represented in a file tree. Now create a local stateless web interface that anyone can fire up (assuming you have an upspin user) and now you can browse the global upspin filesystem and interact with repos, make pull requests, and file issues.

                                                                                              I was thinking that centralized versions of this could exist like github for usability for most users. In this case users’ private keys are actually managed by the github like service itself as a base case to achieve equal usability for the masses. The main difference is that the github like service exports all the important information via upspin for others to interact with via their own clients.