1. 3

    Hmm, I wonder how things like JEXL Sandbox will work now that the SM is going away?

    1. 4

      Why does every vulnerability come with its own catchy acronym and slick webpage now?

      1. 8

        Generally easier to remember, identify, and communicate than CVE IDs.

        Are we vulnerable to ALPACA?

        versus

        Are we vulnerable to CVE-2021-31971?

        1. 6

          At least they’re getting more adorable over time!

          1. 6

            Why does every vuln with a name get at least one person asking this exact question?

            1. 3

              Why does every vuln with a name get at least one person asking the question of why every vuln with a name gets at least one person asking why every vuln needs a name now?

            2. 3

              A Bug With A Logo? It worked the first time…

              In fact, thinking back, this trick still worked for POODLE, in the sense of management-level people caring enough to ask about it and organising statements that “we’re now protected against POODLE” or “we’re unaffected by POODLE” etc. But no branded vuln since has had any real boost from its marketing, as far as I recall – nobody cares, just the way everyone discussing this aspect of Heartbleed could foresee right from the start. The marketing has just become this motion you go through because it’s what everyone does.

              1. 2

                Crypto bros are a very weird crowd worried a lot about publicity and street cred.

              1. 2

                Week 1 of (intentional) unemployment…. and I have a paper deadline on Friday. That being said, once I have that finished up, I have a long list of side projects I want to start (organized by silliest first).

                1. 1

                  What’s on top of that list?

                  1. 1

                    TiSH. A CLI/curses client for Tinder that renders all the pictures with an image to ascii art generator. My friend was joking it might actually improve my chances of someone swiping on me :P

                1. 15

                  I thought business news is off-topic here

                  1. 7

                    I don’t think it’s “business news”. Stream from conference is more like it, which I think is valuable content – if nothing else, then only for @calvin’s excellent summary.

                    1. 6

                      How are feature announcements for products of a publicly traded company not “business news”? I know Apple is loved by many, but if it was any other company, this article would be removed as off-topic very quickly. I think we should apply the same rules for all articles/companies.

                      1. 12

                        I’m reading because I develop for these platforms. It’s not just feature news for end users.

                        1. 9

                          Barring inflammatory threads, I think the users of the site, reflected in the votes, best decide what is valuable content.

                          1. 6

                            I really can’t wait for this ‘just let the market decide’ meme to die. Surely content and editorial policies are allowed on websites. Surely I can give my kids vegetables even if they just want fries and chocolate. Surely we can regulate fentanyl even if it proves popular with users. Is this a weird opinion now?

                            1. 6

                              Take it easy, it’s not like it’s my life principle or anything. Yeah, policies are fine. I’ve already said that I don’t think this is “business news”.

                              1. 1

                                Of course policies are allowed. And no, having policies isn’t weird. But it was nice back when Lobsters was smaller and we didn’t need policy*, when just community consensus was enough.

                                * except for extreme cases

                              2. 4

                                I had submissions removed that had 10+ up votes for being business news and therefore off topic. The moderation works differently here, well except if it is the fruit company, it seems.

                              3. 6

                                Something like an iphone announcement, sure. But wwdc is specifically the announcement of developer tools. “we’re adding async/await and the actor model to Swift” seems very much on-topic for this site and was one of the things they talked about today. “The new iphone will have NINE camera lenses” would be something that I would agree is off-topic, but that’s a separate event.

                                1. 3

                                  I agree with you regarding classification. But please take a look at the summary that Calvin posted. Does any of that text have developer-related information, or does it have exactly the off-topic info? “We improved maps”, “our watch can now do X”, and others are just plain marketing for end users, not useful information for developers. WWDC might be for developers, but this presentation ain’t :)

                                  1. 1

                                    Calvin’s post most definitely has information for developers. Sure, not all of it is really relevant to developers, but I think being able to make apps within the iPad, and using Xcode in the cloud on a non-MacOS device, is absolutely huge for enabling more people to develop Apple applications.

                                    There’s tons of APIs made available too now, which developers will need to start using in order to get on the App Store afaik (I think if you work around an API they disallow your app, but maybe that isn’t true?).

                                    All the other features might not be directly tied to code, but they are useful when looking at design decisions that devs may want to pick up on.

                                    1. 2

                                      I think this cuts deep into what people classify as relevant. For me, all the content from that presentation is news, something that I would normally find on the orange site. It doesn’t have any explanation of how and why something works. Thus, I would disagree with your statement that it is for making design decisions, as no one would make design decisions based on the presentation alone, without going into documentation or some other relevant material to understand how the feature works(*). And that is the crux of my argument – the whole presentation is marketing for end users, some of which are developers.

                                      (*) now, that would be a great, relevant material to show up here, at least in my definition of relevant.

                                      1. 2

                                        That’s certainly a fair point to make, that it is just different classifications. I also wish they had gone more in depth into how certain features work (I’m looking at you, Private Relay and Email tracking protection [is it just on the mail client? what does it do if the tracked image is one that is visible to the reader?]).

                                        the whole presentation is marketing for end users, some of which are developers.

                                        I agree with this, and wish it were not the case :(

                                2. 4

                                  I disagree, we have an entire “releases” tag explicitly for announcements of products/features on both open source and proprietary technology.

                            1. 88
                              • Stream at idle point.

                              • Stream begins. WWDC hagiography/humour from developers begins.

                              • Tim on stage. Audience is “memoji”. Last WWDC had 25 million views. Diversity: Apple does it. There’s also some labs and developer 1-on-1, I guess. Everything developer-wise for free. Works in streaming video apps too. Siri privacy stuff even with HomePod, through P2P? Smart home interop standard called Matter. Supported in iOS 15.

                              • Craig for what’s new in iOS. iOS 15. FaceTime improvements. Goal is to make calling more natural, sensory wise. Spatial audio (positional). Voice isolation in microphone using ML to filter ambient noise. Wide spectrum for more range in recording. Grid view for group calls. Portrait mode (like the filter effect in iOS camera, for focus, not orientation). Links to calls…. seems obvious to me? I guess they’re making this a proper Zoom competitor. Windows/Android users can use the FaceTime links. Still E2EE even on those platforms. SharePlay. Add music or video to a call (watch movies together). Or share screen. Music app integrated, for example. Shared playlist for people in the call. Picture-in-Picture includes both the shared content and talking heads. Streaming to TV works too with it. Works with third-party applications, including API.

                              • Improvements to Messages. Mindy on stage. Easier photo sharing. “Shared with You” surfaces things posted from Messages into other apps (i.e News or Music, Safari, Podcasts, etc.), so you don’t have to follow up on it now. You can include pictures people send you in the photo library, including merging into appropriate sections of the library (i.e a trip). Pin to shared with you manually as well.

                              • Craig back. Focus. Notification improvements. Easier to identify them. Notification summary, on-device ML to summarize and create a digest. Ordered by priority. Messages from people are more important. They’re adding back away messages! AIM in 1999 was vindicated! It integrates into DND. Not just boundaries for others, but yourself. Focus is like a lite version of DND. Profiles use on-device ML to pick what things matter. Even affects home screen so you pick things relevant to the situation. Focuses can be suggested. Focuses sync to other devices.

                              • Intelligence. Live text. OCR in camera. Text selection so you can copy and paste from camera (or dial numbers, URLs, etc.). Works for pictures already in the library. Or in the web. Seven languages. Works across all Apple platforms. Can recognize objects like dogs and flowers. Or paintings. Search for photos in Spotlight. Live text can be used for that too. Contact search with aggregating things relevant to that contact. Search also handles public things like i.e actors.

                              • Photo memories. Chelsea on stage. Music supported in generated memories. Navigate and pause of course. Edit them too (i.e pick pacing, music, etc.), with automatic adaptions to what you’ve done.

                              • Craig. Jennifer on wallet. Yeah, it supports a lot of bank and metro cards. Even theme parks. Or car keys (ultra-wideband?). Or buildings (home/corporate/hotel keycards). Now your ID too; scan your ID card/driver’s license in participating regions. Stored in secure element. Even in airports.

                              • Craig back. Weather app improvements for more information and animations that accurately represent world state. Weather maps.

                              • Meg on maps. Spain and Portugal, then Italy and Australia get improved maps. There’s a globe now. Details for districts, buildings, etc. Elevation and landmarks on the map. Night mode. Navigation that makes visualization for i.e medians, turn lanes, bus lanes, etc. It even renders spaghetti junctions (i.e overpasses). Nearby transit lines. Disembark notices. Helps with exchanging stations/lines; directions to next station. Only in some cities so far.

                              • Craig. Voice search in Safari, cross-app dragon drop.

                              • Gagan on AirPods. “Conversation boost” to try to make it easier to hear people…. IRL. Reduce ambient noise. Announcing notifications for what’s important (food delivery, grocery lists, etc). Focus integration. You can find your AirPods, even when you inevitably lose them, even somewhere far away. Proximity/sound. Separation alert. Spatial audio in tvOS, including dynamic head tracking. Also on M1 Macs. Atmos/Spatial audio on Apple Music.

                              • Craig. iPad OS. Home screen improvements. Widgets on iPad, finally. Works like an iPhone, of course. App library as well. It’s accessible from the dock. Multitasking. oh god please don’t be more gestures.

                              • Shubham. Tap the top to reveal multitasking menu. Split or fullscreen with slideover as needed. Even if apps have multiple windows. Swipe down to minimize to shelf (old NeXT term, eh?). It appears automatically when switching apps. Create split views more easily with DnD.

                              • Craig. Keyboard shortcuts for it. Notes app improvements. Mentions in Notes. Activity view. Tags. Tag browser. System-wide notes with quick note.

                              • Will on stage. Type or scribble. Annotate pages with it. i.e in Safari. Include links. Other apps supported? Link to content. Third-party apps supported.

                              • Craig. iPad and Mac supported, viewing supported on iOS. Translation. Now on iPad. Hand write text in translation. Auto translation for conversations. Live text translations. All platforms. All features are supported on-device ML.

                              • Swift playgrounds. You can now develop apps on iPad. SwiftUI. You can edit the projects in Xcode on Mac too. Autocomplete. Documentation inline (hahaha, Apple and docs, funny). Debug and submit to App Store on device. Build iPhone apps too.

                              • Privacy. Apple likes it, allegedly. The internet is a bad place for privacy because of adtech. Katie and Erik. Emails with tracking pixels. Mail privacy protection. Seems to block tracking pixels. Hiding IP from trackers - I guess they completely block it now? App privacy reports for native apps. See when they access sensitive resources. Third-party domain they’ve contacted list. Siri. 600M devices/month. Other voice options. Siri privacy update. As much as possible should be done on-device. On-device speech recognition. This makes more of Siri work offline and faster.

                              • Craig. iCloud. Mike. Better account recovery. Recovery contact list. No access to the account, but they can receive the recovery code if you forget your password. Legacy contacts for accessing your data when you die. Paid sub is now iCloud+. Jesus christ, is this a VPN? Private Relay sure sounds like it, but implied to be Safari only? Hide my email, for unique addresses that forwards back to you. Secure video for HomeKit. Doesn’t count against your storage. No price increase for the new paid iCloud features.

                              • Sumbul for health. Video about how being a medical professional sucks when it comes to relaying info. APIs for medical shit, then an app on Watch. Apple’s working on it, apparently, with the help of some medical people at JHU. When they left California, their medical trial did well?

                              • Adeeti on more health stuff. Mobility monitoring, so you don’t fall down like a baby. Makes sure you have proper balance and such. Based on real research, apparently. View the metrics.

                              • Sumbul again. View lab results. Describes them now too, so you can make sense of medical jargon. Trends and viewing them. Talk with your doctor (sorry Americans). Now easier to share specific data (private allegedly) with health providers. Integrates into EHRs. Family health. Share health data with family if you want. Is it socially acceptable to SMS someone about their heart rate? It might be now. Again, Apple says E2EE in rest/transport. Change sharing any time.

                              • Kevin on watch. Health app improvement, including breathing. Mindfulness (?) through reflection. Sleep tracking improvements; respiratory rate. Could be useful if someone needs a CPAP, I guess.

                              • Julz for fitness in watch. Tai chi. Pilates. Yeah, they have a subscription service for fitness too. There’s more workout experts I guess. Or music, I guess.

                              • Kevin. Portraits watch face. Adjust composition and time with pictures from photos. Shandra. Move the dial to zoom in. Photos app improvements. Easier to view messages. Improvements to using scribble to edit text on watch. GIFs on a watch? How far we’ve come.

                              • Craig. Home. Apple design philosophy. Yah. Home keys on phone, hands-free TV, etc. SharePlay again, so you can watch things with your friends. Aggregates recommendations from friends. Group taste aggregation playlist. HomePod stuff, including more regions, computation audio, voice recognition, etc. HomeKit on watch; for i.e doorbell video on watch. Package detection.

                              • Craig. In a car? Mac, and probably hardware. New macOS name. Monterey. Many of the same features you saw before. Continuity stuff. Universal control. Single mouse and keyboard across all devices, including iPads. Seems pretty automatic. MacBook cursor on your iPad. Even trackpad gestures. Or Alt+Tab. Drag and drop files too. More than two devices. Including their HID too. AirPlay. To a Mac this time. Scripting. Shortcuts on Mac? Yup. Automator and shortcuts integration. Safari. It’s pretty nice, they say. Simplified chrome. Single row browser, a la IE11. Vertical tabs with groups in a sidebar.

                              • Beth. Search field in active tab. Takes on the colour of the site. Groups sync to devices. Send a group as an email. Switch without the sidebar.

                              • Craig for more. iPad gets the same tab bar. iPhone has a tab bar available with a tap on the bottom. With gestures and grid view. Extensions. Web extensions on iPad and iOS. New start page.

                              • One more thing? Developer stuff. Susan. More APIs. More Swift stuff. More App Store stuff. You can use a lot of the features shown, i.e voice isolation as an API. AR, screen time, extra large widgets, lots of stuff. Object capture. Take multiple 2D pictures to turn into 3D models. They made most of those APIs in Swift, it seems.

                              • Ted. Concurrency in Swift. Async/await, but actors.

                              • Susan. App store. Ann. Really hammering home the narrative in case of lawsuit. 600M/weekly visitors. 230B$ paid out to devs. App product page. Show app from different perspectives. In-app events for dynamic content, both new and existing users. Like a Fortnite concert…

                              • Susan. Xcode cloud. Cloud build and CI. Automating parallel tests across multiple devices. Shows failures in Xcode. Automatically distribute to QA. Only artifacts are stored. TestFlight for Mac. Limited beta today. GA next year. Pricing and availability in autumn. More sessions.

                              • Tim. Thanks guys! OS betas today. Public beta next month. GA autumn. Platforms state of the union later today.

                              • End.

                              1. 43

                                So “the @calvin report” is my current favorite way to consume Apple announcements. Super appreciate it.

                                1. 2

                                  Same. I don’t even read other journos anymore.

                                2. 8

                                  Thanks for the summary @calvin! <3

                                  1. 3

                                    “Conversation boost” to try to make it easier to hear people…. IRL.

                                    Legacy contacts for accessing your data when you die.

                                    Mobility monitoring, so you don’t fall down like a baby. Makes sure you have proper balance and such.

                                    Sleep tracking improvements; respiratory rate. Could be useful if someone needs a CPAP, I guess.

                                    The earliest tech-literate generations are finally getting old. I did just get a kidney stone, so that seems to include me. 😅

                                    1. 6

                                      At least some company is discovering that not all their customers are 30-somethings with perfect eyesight and hearing…

                                    2. 1

                                      @calvin, I think you’re grumpy. Me too, though.

                                      1. 4

                                        Hey now, I find WWDC more interesting than most. Apple’s presentations, even if aimed a bit more towards the average person, are well-executed. I do like to point out when the self-congratulation gets a bit too much though.

                                        1. 3

                                          And appreciate you for it! 🤗

                                    1. 4

                                      A solution to the problem said to exist with composition is to make variables context local, e.g. in Godot, position refers to relative position to the parent node, so it is clear where to handle it. Also, I think that it’s worth pointing out that ECS doesn’t remove dependencies, it just obscures them by removing them from the type system, since you will still inevitably have some systems depending on the behavior of other systems, but now the dependency isn’t represented in the type system.

                                      1. 1

                                        Can you elaborate? The parent post doesn’t make it clear, but entity in ECS normally is just an int64, I guess that’s what you mean? But the dependencies (and type) should be expressed as dependencies between systems in ECS, not on either entity or components?

                                        1. 1

                                          Hmmm, if the entity is just an id, then how does one keep track of which components are registered to an entity? Or is it usually the other way around, a component knows which entities it owns?

                                          EDIT: Looks like the answer to my second question is yes based on http://bitsquid.blogspot.com/2014/08/building-data-oriented-entity-system.html

                                          1. 1

                                            With ECS there isn’t a good way to express that one system depends on the fact that the same entities must be processed by another system. The dependency is still there, but now it has no representation in type systems.

                                        1. 16

                                          There’s a lot of good stuff in here that we all think everyone knows and we say to each other in the pub but we don’t really say out loud to the people that need to hear it.

                                          The main one that comes to mind is about mobility. They said something like “if I get fired I’ll have a new job in two weeks.” The tech folks that don’t know this is true need to learn it. More importantly: the people who manage tech people need to learn it.

                                          1. 22

                                            if I get fired I’ll have a new job in two weeks.

                                            This has never been true for me. Job hunting has always been a relentless slog.

                                            1. 12

                                              Imma guess it depends on where you are. Silicon Valley, Seattle, NYC, London, you can basically put your desk stuff in a box, and throw it out a window and have it land in another tech company’s lobby.

                                              Other places, not so much.

                                              1. 9

                                                I agree living in a tech hub makes finding a job way easier, but I jump to temper the hyperbole just a bit. I know that I personally felt a lot of self-hatred when I tried to change jobs and it took months of applications and references and interviews to actually get one, even living in a tech hub.

                                                1. 6

                                                  Technology stacks don’t really matter because there are like 15 basic patterns of software engineering in my field that apply. I work in data so it’s not going to be the same as webdev or embedded.

                                                  It depends on what you do. The author is a database specialist, so of course they’re going to claim that SQL is the ultimate language and that jobs are plentiful. I’m an SRE, so my career path requires me to pick specific backend-ready languages to learn. I have several great memories of failed interviews because I didn’t have precisely the right tools under the belt:

                                                  • I worked on a Free Software library in Python along with other folks. They invited me to interview at their employer. Their employer offered me a position writing Lua for production backends. To this day, I still think that this was a bait-and-switch.
                                                  • I interviewed at a local startup that was personally significant in my life. I had known that it wasn’t a good fit. Their champion had just quit and left behind a frontend written with the trendiest JS libraries, locking their main product into a rigid unmaintainable monolith. I didn’t know the exact combination of five libraries that they had used.
                                                  • I interviewed at a multinational group for a position handling Kubernetes. I gathered that they had their own in-house monitoring instead of Prometheus, in-house authentication, etc. They also had a clothing line, and I’m still not sure whether I was turned down because I didn’t already know their in-house tools or because I wasn’t wearing their clothes.
                                                  1. 3

                                                    They also had a clothing line, and I’m still not sure whether I was turned down because I didn’t already know their in-house tools or because I wasn’t wearing their clothes.

                                                    Seems like a blessing in disguise if it was the clothes.

                                                  2. 3

                                                    I have this problem and I’m in a tech hub. Most of my coworkers and technical friends are in different countries I can’t legally work in, so I rarely get interviews through networking. Interviewing is also not smooth sailing afterwards.

                                                  3. 5

                                                    This has never been true for me. Job hunting has always been a relentless slog.

                                                    Same here, I also live in a city with many startups, but companies I actually want to work for, which do things I think are worthwhile, are very rare.

                                                  4. 7

                                                    There’s a lot of good stuff in here that we all think everyone knows and we say to each other in the pub but we don’t really say out loud to the people that need to hear it.

                                                    Interesting that you say that in the context of modern IT. It has been so with many things since ancient time.

                                                    https://en.wikipedia.org/wiki/In_vino_veritas

                                                    Perhaps the traditional after-work Friday beer plays a more important role in one’s career than most people think. Wisdom is valuable and not available on a course you can sign up to.

                                                    1. 1

                                                      Wisdom is valuable and not available on a course you can sign up to.

                                                      Which is ironic given wisdom is often what they’re being sold as providing.

                                                    2. 5

                                                      The main one that comes to mind is about mobility. They said something like “if I get fired I’ll have a new job in two weeks.” The tech folks that don’t know this is true need to learn it. More importantly: the people who manage tech people need to learn it.

                                                      Retention is a big problem. It can take up to a year to ramp up even a senior person to be fully productive on a complicated legacy code base. Take care of your employees and make sure they are paid a fair wage and not under the pressure cooker of bad management who thinks yelling fixes problems.

                                                      1. 2

                                                        That’s probably why the OP says their salary went up 50% while their responsibilities reduced by 50%. Onboarding.

                                                      1. 9

                                                        I mean, I believe many of us can relate to finding beer and as a result keeping going

                                                      1. 12

                                                        Whatever happened with the dispute over attribution with regards to this and that third party package manager?

                                                        1. 9

                                                          Like a modern day David vs. Goliath, David lost.

                                                          1. 6

                                                            On the github:

                                                            We would like to thank Keivan Beigi (@kayone) for his work on AppGet which helped us on the initial project direction for Windows Package Manager.

                                                            IIRC Beigi at one point said that was enough for him.

                                                            1. 1

                                                              I feel like a hardened container with seccomp would go a long way towards achieving the same goal without having to crack into the systemd arcana.

                                                              1. 4

                                                                So instead of a simple systemd unit you would bring all the complexity of containers as seccomp? And what kind of “arcana” are you even talking about?

                                                                1. 1

                                                                  In my opinion, there are more resources available for understanding how to do this with a container (both the dtach part and the syscall sandboxing), than there are with dtach and systemd units. If you sat me down and asked me to do this, it would be much easier to find the resources I need for containers rather than trying to set up a systemd unit file.

                                                                  1. 7

                                                                    One reason there aren’t a plethora of different resources covering this in the systemd case is because their man pages have it covered so thoroughly there’s no need for some third party take.

                                                                    1. 3

                                                                      Well, you can look through blog posts utilising an enormous amount of Google-fu and the arcane ability of “what did the author mean by that”, or you can just use man systemd.exec and read everything, even offline.

                                                                      There are bad things in systemd, but for sure documentation isn’t one.

                                                                      Additionally you do not need to worry about:

                                                                      • running reaper within container to not be overcrowded with zombies
                                                                      • remembering to update all containers in case of security update
                                                                      • proper configuration of the runtime, like creating users within containers
                                                                      • running the daemon with root (assuming Docker there, and while not required to do so anymore, this is still the most popular approach)

                                                                      And so on, and so on.

                                                                      With systemd all you need is a simple text file with no more than 50 lines, and additionally you can have more goodies, like for example lazy activation of the service only when needed instead of running all the time.

                                                                  2. 3

                                                                    You don’t need containers to do that. You can simply add them to the systemd unit.

                                                                    1. 1

                                                                      See point I made to @hauleth

                                                                    2. 2
                                                                      1. 1

                                                                        See point I made to @hauleth

                                                                      2. 2

                                                                        if you look at the actual .service file i deploy, you’ll find that I did try to enable some seccomp stuff, but it was pretty hard to achieve. would love to see your (working) seccomp configuration for irssi/dtach!

                                                                      1. 8

                                                                        I believe gcc for x86_64 does a similar thing when it detects a null pointer dereference. Ah the wonders of undefined behavior I guess.

                                                                        1. 3

                                                                          Is there a blog post/manual/book I can reference to get myself the background required for this, because it seems very cool, but I have no idea what’s going on?

                                                                          1. 3
                                                                            1. 1

                                                                              This is my understanding.

                                                                              Imagine a function zip which takes a tuple of lists and returns a list of tuples, for example:

                                                                              zip
                                                                                ([1, 2, 3, 4, 5], ['a', 'b', 'c', 'd', 'e']) =
                                                                                [(1, 'a'), (2, 'b'), (3, 'c'), (4, 'd'), (5, 'e')]
                                                                              

                                                                              unzip just does the opposite:

                                                                              unzip
                                                                                [(1, 'a'), (2, 'b'), (3, 'c'), (4, 'd'), (5, 'e')] =
                                                                                ([1, 2, 3, 4, 5], ['a', 'b', 'c', 'd', 'e'])
                                                                              

                                                                              Now, imagine zip takes a list of lists instead:

                                                                              zip
                                                                                [[1, 2, 3, 4, 5], ['a', 'b', 'c', 'd', 'e']] =
                                                                                [[1, 'a'], [2, 'b'], [3, 'c'], [4, 'd'], [5, 'e']]
                                                                              

                                                                              You can represent the argument list of lists as a 5x2 matrix, like so:

                                                                              1 2 3 4 5
                                                                              a b c d e
                                                                              

                                                                              and the returned list of lists as a 2x5 matrix, like so:

                                                                              1 a
                                                                              2 b
                                                                              3 c
                                                                              4 d
                                                                              5 e
                                                                              

                                                                              (I’ll treat matrix and list of lists as interchangeable in meaning.)

                                                                              That makes it clear that a zip which takes an arbitrary length list of lists instead of a fixed-size tuple (or triple, &c) of lists can simply be considered equivalent to transpose. transpose applied to a matrix returns a new matrix which returns the original matrix when applied to transpose again; i.e.

                                                                              (transpose . transpose) matrix = matrix
                                                                              

                                                                              Or, for an example:

                                                                              transpose
                                                                                [[1, 2, 3, 4, 5], ['a', 'b', 'c', 'd', 'e']] =
                                                                                [[1, 'a'], [2, 'b'], [3, 'c'], [4, 'd'], [5, 'e']]
                                                                              
                                                                              # and
                                                                              
                                                                              transpose
                                                                                [[1, 'a'], [2, 'b'], [3, 'c'], [4, 'd'], [5, 'e']] =
                                                                                [[1, 2, 3, 4, 5], ['a', 'b', 'c', 'd', 'e']]
                                                                              

                                                                              So, when you think about it, you realise that unzip is simply zip, because zip is simply transpose and transpose applied to a once-transposed matrix simply returns the original matrix, i.e. transpose is equivalent to untranspose (which doesn’t exist named as such because it’s just transpose).

                                                                              Unfortunately, while this is the case mathematically, unzip is still needed because in practice, (AFAIK) most (statically typed?) programming languages’ zip implementations (at least in stdlib) act on tuples of lists and return lists of tuples instead of heterogenous lists of lists.

                                                                            1. 12

                                                                              I have to wonder whether wide-spread adoption of Java applets might have led to an outcome qualitatively better than the modern web. I mean, the Java runtime was intended to be an application platform, whereas the web is a document delivery system abused and contorted to make do as an application platform.

                                                                              1. 12

                                                                                Except we had widespread adoption of java applets and the web platform turned out to be a better application platform. On the desktop we’re running VS Code (the web platform) rather than Eclipse (Java).

                                                                                I wrote Java applets professionally in the 90s and then web apps. Even back in the pre dynamic html days native web apps were better for most interesting stuff.

                                                                                1. 4

                                                                                  we had widespread adoption of java applets

                                                                                  We did?

                                                                                  My memory isn’t what it used to be but I can’t remember a single instance of seeing this in the wild.

                                                                                  1. 4

                                                                                    I recall Yahoo using these for apps/games and what not.

                                                                                    1. 4

                                                                                      Not widespread like today where a large fraction of websites run JS on load. But I did run across pages here and there that would present an applet in a frame on the page, and you’d wait for it to load separately.

                                                                                      1. 4

                                                                                        They were supported in all popular browsers. Java was widely taught and learned. There definitely were lots and lots of applets deployed but compared to the web they were bad for actually building the applications people wanted to use.

                                                                                        1. 4

                                                                                          I remember quite a few. Maybe you didn’t really notice them? Even today I occasionally run across a site with an applet that won’t load, especially older sites for demonstrating math/physics/electronics concepts. It also used to be a popular way to do remote-access tools in the browser, back when you couldn’t really do any kind of realtime two-way communication using browser APIs, but you could stick a vnc viewer in an applet.

                                                                                          1. 1

                                                                                            Aha; now that you mention it I do remember using a VNC viewer that was done as an applet, and also an SSH client. So I don’t think I ever used a Java applet on my own computer, but I did use a couple in university when I was stuck on a Windows machine and didn’t have anything better around.

                                                                                          2. 3

                                                                                            Runescape Classic xD

                                                                                        2. 9

                                                                                          I have to agree with ianloic. Applets just didn’t work very well. They weren’t part of the web, they were a (poorly designed) GUI platform shoehorned into a web page with very limited interconnection. And they were annoyingly slow at the time.

                                                                                          Flash was a much more capable GUI but still badly integrated and not web-like.

                                                                                          With HTML5 we finally got it right, absorbing the lessons learned.

                                                                                          1. 8

                                                                                            With HTML5 we finally got it right, absorbing the lessons learned.

                                                                                            Now, instead of a modular design with optional complexity (user installs/loads given module only when needed), we have bloated web browsers consisting of 20+ millions lines of code with complexity that is mandatory often even for simple tasks (e.g. submit a form with some data, read an article or place order in an e-shop).

                                                                                            1. 6

                                                                                              Very strongly agree.

                                                                                              Back when Flash was widespread, it didn’t seem that popular - it was a delivery mechanism for overzealous advertising that jumped all over content. People were happy to embrace the demise of Flash because Flash was a liability for users.

                                                                                              What we have today are synchronous dialog boxes that jump all over content which are very difficult to remove because they’re indistinguishable from the content itself. The “integration” has meant it can no longer be sandboxed or limited in scope. The things people hated about Flash have become endemic.

                                                                                              The web ecosystem is not doing a good job of serving users today. I don’t know the mechanism, but it is ripe for disruption.

                                                                                              1. 3

                                                                                                Flash was also a delivery mechanism for games and videos that entertained millions, and educational software that probably taught more than a few people. If you think games, videos, and education beyond what flat HTML can provide are not “valid” that’s fine, but Flash filled a role and it served users.

                                                                                                1. 3

                                                                                                  I didn’t mean to suggest that all uses of flash are not “valid”; if there was no valid use, nobody would intentionally install it. I am suggesting that it became misused over time, which is why Steve Jobs didn’t encounter too much resistance in dropping it.

                                                                                                  But the real point from franta which I strongly agree with is being a plugin model it was relatively easy for users to enable when the content really needed it, and leave disabled in other cases. Personally I had two browser installs, one with flash and one without. That type of compartmentalization isn’t possible with HTML5.

                                                                                              2. 3

                                                                                                Optional complexity is not the right choice in this context. Nobody wants to design an experience where most users are just met with complex plug-in installation instructions. One of the best parts of the HTML5 ecosystem is that it’s largely possible to make websites which work on most of the browsers your users are actually going to use.

                                                                                                I agree that the complexity of “HTML5” is a problem. Maybe it would be nice to have two standards, one “simplified” standard which is basically Google’s AMP but good and standardized, and one heavy-weight standard. Simpler websites like news websites and blogs could aim to conform to the simplified standard, and simple document viewer browsers could implement only the simplified standard. But it definitely 100% wasn’t better when the “web” relied on dozens of random proprietary closed-source non-standard plug-ins controlled by single entities with a profit motive.

                                                                                              3. 2

                                                                                                I think that’s an overstatement. We haven’t gotten it right yet. Browser APIs are getting decent, but HTML+CSS is not a felicitous way to represent a UI. It’s a hack. Most everything to do with JavaScript is also a hack, although on that front we’ve finally started to break the “well, you have to write JS, or transpile to JS, because JS is the thing browsers have” deadlock with WASM, which finally offers what Java and Flash had a quarter century ago: compact bytecode for a fairly sensible VM.

                                                                                              4. 4

                                                                                                The biggest problem was that Java wasn’t integrated with the DOM. The applet interface was too impoverished.

                                                                                                jQuery had a nice tight integration that was eventually folded into the browser itself (document.querySelector). And if you look at modern frameworks and languages like React/preact, Elm, etc. you’ll see why that would continue to be a problem.

                                                                                                They use the DOM extensively. Although interestingly maybe the development of the virtual DOM would have been a shim or level of indirection for Java to become more capable in the browser.

                                                                                                The recent Brendan Eich interview has a bunch of history on this, i.e. relationship between Java, JavaScript, and the browser:

                                                                                                https://lobste.rs/s/j82tce/brendan_eich_javascript_firefox_mozilla

                                                                                                1. 3

                                                                                                  It was in fact perfectly possible to manipulate the DOM from an applet (although at some level you did still need to have the applet visible as a box somewhere; I don’t think it was possible or at least frictionless to have “invisible applets”).

                                                                                                  I would instead say the biggest problem was the loading/startup time; the JVM was always too heavy-weight; there was a noticeable lag while applets started up; early on it would even freeze the whole browser. There were also a lot of security issues; the Java security model wasn’t great (it was fine in principle, but very difficult to get right in practice).

                                                                                                  Now, funnily enough, the JVM can be much more light-weight (the “modules” effort helps, along with a raft of other improvements that have been made in recent JDKs) and the startup time is much improved, but it’s too late: applets are gone.

                                                                                                  1. 2

                                                                                                    I don’t think it was possible or at least frictionless to have “invisible applets”

                                                                                                    it totally was. Make them 1x1 pixel large and use css to position them off screen. I have used that multiple times to then give the webpage access to additional functionality via scripting (applets could be made accessible to JS)

                                                                                                    Worse: the applets could be signed with a code signing cert which gave them full system access, including JNA to FFI call into OS libraries.

                                                                                                    Here is an old blog post of mine to scare you: https://blog.pilif.me/2011/12/22/grave-digging/

                                                                                                    1. 1

                                                                                                      It was in fact perfectly possible to manipulate the DOM from an applet

                                                                                                      How? I don’t recall any such thing. All the applets I used started their own windows and drew in them.

                                                                                                        1. 1

                                                                                                          OK interesting. It looks like this work was done in the early 2000’s. I think it must have lagged behind the JS implementations but I’m not sure. In any case jQuery looks a lot nicer than that code! :)

                                                                                                    2. 2

                                                                                                      In that interview, Brendan noted that JavaScript was async, which helped adoption in a UI world. It’s true, it made it nearly impossible to block a UI on a web request.

                                                                                                      1. 3

                                                                                                        Yes good point. IIRC he talks about how JavaScript was embedded directly in Netscape’s event loop. But you can’t do that with Java – at least not easily, and not with idiomatic Java, which uses threads. As far as I remember Java didn’t get async I/O until after the 2000’s, long after Javascript was embedded in the browser (and long after Python).

                                                                                                        So yeah I would say those are two absolutely huge architectural differences between JavaScript and Java: integration with the DOM and the concurrency model.


                                                                                                        This reminds me of this subthread with @gpm

                                                                                                        https://lobste.rs/s/bl7sla/what_are_you_doing_this_weekend#c_f62nl3

                                                                                                        which led to this cool experiment:

                                                                                                        https://github.com/gmorenz/async-transpiled-xv6-shell

                                                                                                        The question is “who has the main loop”? who can block? A traditional Unix shell wants to block because wait() for any process is a blocking operation. But that conflicts with GUIs which want to have the main loop.

                                                                                                        Likewise Java wants the main loop, but so does the browser. JavaScript cooperates better by allowing callbacks.

                                                                                                        When you have multiple threads or processes you can have 2 main loops. But then you have the problem of state synchronization too.

                                                                                                  1. 1

                                                                                                    I am a tortured soul that literally thinks in terms of Vim motions.

                                                                                                    I mean, you can just @ me next time xD

                                                                                                    1. 7

                                                                                                      I’m not sure if they actually read the manual page and pretended they didn’t, or just got really lucky with their pick of return. But by returning 0, they actually successfully informed the program that nothing had any extended attributes. Also, this line will keep me up at night:

                                                                                                      Q: Is the return value of 0 important?

                                                                                                      A: Yes. I originally tried 1, but that caused some games to allocate all available memory and crash once none was left.

                                                                                                      1. 1

                                                                                                        Is there any countermeasure applications can take to avoid this kind of “hack”? The fact that anyone with write access to DYLD_LIBRARY_PATH can override a system call or a library function sounds like a huge vulnerability to me.

                                                                                                        1. 6

                                                                                                          The fact that anyone with write access to DYLD_LIBRARY_PATH can override a system call or a library function sounds like a huge vulnerability to me.

                                                                                                          Yep. That’s why the UNIX ideas of users/groups/permissions is woefully inadequate for our modern use cases, where the sole user is trusted but the code may not be.

                                                                                                          1. 2

                                                                                                            the sole user is trusted but the code may not be

                                                                                                            I don’t follow. These type of dynamic linker overrides allow the user to control the code. If the user is trusted, that’s not a problem.

                                                                                                            I think the real problem is “trusted” (locked down) code that doesn’t trust the user. In that case, these options run counter to that goal. However, it’s also not clear to me that it’s a desirable goal - it’s a goal to keep users dependent on vendors, but not a security goal.

                                                                                                            1. 4

                                                                                                              These type of dynamic linker overrides allow the user to control the code. If the user is trusted, that’s not a problem.

                                                                                                              I think we’re conflating two different ideas of “user” here, and my comment could certainly have been written more clearly.

                                                                                                              The first definition is the machine operator. That person should definitely be able to do whatever they want on the machine, and should be able to override dynamic libraries as much as they want.

                                                                                                                The second definition is as a permission boundary; the UNIX sense. If I download an application from the internet, it should not have the same permissions as me, the machine operator, by default. But it does, and it’s able to override DYLD_LIBRARY_PATH and exec whatever it wants. There’s no good reason my text editor should have internet access. macOS’s approach to this is an improvement, but I agree that being reliant on a centralized source of trust is extremely problematic.

                                                                                                              As an aside, I interviewed for Apple’s security engineering and architecture team back in late 2019, so I had the opportunity to talk with their engineers about some of this. I didn’t get the position in the end, but it was an interesting experience. One of the biggest threats they wanted to protect against is phishing and fake apps. I was told that any off-switch is an off-switch that a user can be socially engineered into toggling. Teams inside of Apple seemed to be somewhat isolated, so while Vendor lock-in does seem to be a goal of Apple’s iOS/iPadOS App Store, I don’t think it’s the only goal.

                                                                                                          2. 3

                                                                                                            So the short answer to this is yes this is a major issue, and there are kind of countermeasures. There’s a whole world of “dylib hijacking” and “dll hijacking” (the Windows equivalent which is even more sketchy) that I highly recommend you look up, because it’s awesome and super hacky and so much fun to play with.

                                                                                                            1. 3

                                                                                                              On OS X, if the app turns on library validation DYLD_LIBRARY_PATH and DYLD_INSERT_(something? I can’t recall) and similar are all disabled at the dyld level - it isn’t bypassable
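An added example, not code from any commenter or from the project under discussion, of one launcher-side countermeasure to the override question raised above: remove dynamic-loader override variables from the environment before starting a child process, and report what was removed. The variable list, sample paths and function names are assumptions chosen for illustration; this complements, and does not replace, the dyld-enforced library validation mentioned in the reply above.

```python
"""Strip dynamic-loader override variables before launching a child process."""
import os
import subprocess
import sys

# macOS dyld reads the DYLD_* family (DYLD_LIBRARY_PATH, DYLD_INSERT_LIBRARIES, ...).
DYLD_PREFIX = "DYLD_"
# glibc's ld.so equivalents; an explicit set so build variables such as LDFLAGS survive.
LINUX_LOADER_VARS = frozenset({"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"})

# Constructed sample environment (all paths are made up for this example).
SAMPLE_ENV = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "HOME": "/tmp/example-home",
    "DYLD_LIBRARY_PATH": "/tmp/example/shims",
    "DYLD_INSERT_LIBRARIES": "/tmp/example/shims/libshim.dylib",
    "LD_PRELOAD": "/tmp/example/shims/libshim.so",
    "LDFLAGS": "-L/opt/example/lib",  # build flag, not read by the loader
}


def is_loader_override(name):
    """True if the loader would consult this variable when resolving libraries."""
    return name.startswith(DYLD_PREFIX) or name in LINUX_LOADER_VARS


def find_loader_overrides(env):
    """Return {name: value} for every loader override present in env."""
    return {k: v for k, v in env.items() if is_loader_override(k)}


def scrubbed_env(env):
    """Return a copy of env with every loader override removed."""
    return {k: v for k, v in env.items() if not is_loader_override(k)}


def run_clean(argv, env=None):
    """Run argv with loader overrides removed.

    Returns (CompletedProcess, removed) so the caller can log what was dropped;
    an unexpected override in a service's environment is worth an alert.
    """
    base = dict(os.environ if env is None else env)
    removed = find_loader_overrides(base)
    proc = subprocess.run(
        argv, env=scrubbed_env(base), capture_output=True, text=True, check=False
    )
    return proc, removed


def child_sees(env, names):
    """Launch a child Python through run_clean; report which of `names` it inherited."""
    probe = "import os, sys; print(','.join(n for n in sys.argv[1:] if n in os.environ))"
    proc, removed = run_clean([sys.executable, "-c", probe, *names], env=env)
    seen = [n for n in proc.stdout.strip().split(",") if n]
    return seen, removed


if __name__ == "__main__":
    watched = ["DYLD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES", "LD_PRELOAD", "LDFLAGS"]
    seen, removed = child_sees(SAMPLE_ENV, watched)
    print("removed before exec:", sorted(removed))
    print("child inherited:", seen)
```

The scrub has to happen in the parent: once a process is running, any library named in these variables has already been loaded into it.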

                                                                                                            1. 1

                                                                                                              This tool looks really cool, I just really wish the code had comments.

                                                                                                              1. 1

                                                                                                                There’s definitely some tech debt I should really pay off. TBH, I wanted to get feedback on the concept as soon as possible, because I wasn’t sure if people would find this useful.

                                                                                                                1. 1

                                                                                                                  Definitely makes sense, I’m currently trying to hack it into running on my Intel-based MacBook, sorry if I off-gassed any of that on you. Looking forward to using this tool :)

                                                                                                                  1. 2

                                                                                                                    Having support for Hypervisor.framework on x86_64 would be great! It’s no easy feat, though. While KVM provides (mostly) the same API for all arches, Hypervisor.framework (being a thin layer on top of the processor’s virtualization capabilities) does not. It doesn’t provide support for arch devices (such as LAPIC or Timer), so that needs to be implemented in userspace too. Also, while on ARM64 we can get away without emulating any instruction, on x86_64 we would probably need a minimal translator for processing some of the exits.

                                                                                                                    But I don’t want to discourage you, I honestly think this could be a fun and rewarding project with lots of learning opportunities.

                                                                                                              1. 6

                                                                                                                Work on making a video game, celebrate another journey around the sun.

                                                                                                                1. 1

                                                                                                                  Congrats on making it, it’s been a rough time round this one :)

                                                                                                                1. 43

                                                                                                                  So there’s been a string of Nagle’s Algorithm posts on Lobsters recently, and I was getting ready to make a comment accordingly. But no, this is just another bug that happens to have the same timestamp. What a world.

                                                                                                                  1. 9

                                                                                                                    My exact same thought. I was surprised that CTRL+F Nagle did not get any results in that article!